Monday, January 5, 2015

Synchronize Deletion from AD to OID

Use case: when an entry is deleted from Active Directory (AD), the corresponding entry in Oracle Internet Directory (OID) should also be deleted by the Directory Integration Platform (DIP). The steps below configure DIP for this.
Resolution:
1. Add isDeleted=TRUE to the searchfilter of the synchronization profile.
For example, you may be using:
searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer))))
However, synchronization of deleted entries will fail with this filter. To correct this, add (isDeleted=TRUE) as a further OR branch:
searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer)))(isDeleted=TRUE))
To edit the filter: log in to EM -> Farm -> Identity and Access -> right-click DIP -> select Administration: Synchronization Profile from the popup menu -> select the profile you are using -> click Edit -> click the Filtering tab.


2. Ensure the user that DIP binds to AD with has permission to read the Deleted Objects container: cn=Deleted Objects,<domain name>
• For the DirSync approach:
The AD user must belong to the Domain Administrators group (cn=Administrators,cn=builtins,dc=domain,dc=com) or be explicitly granted the permission to replicate directory changes.

• For the USNChanged approach:
The AD user must have "List Contents" and "Read Properties" permissions on the cn=Deleted Objects container.
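The following is an added example, not code from the original post or from Oracle DIP: a small LDAP filter parser and evaluator that takes the searchfilter from step 1, OR-s in (isDeleted=TRUE) the way the step prescribes, and checks which of a few constructed sample entries each filter selects. It goes slightly beyond the post in that a filter whose top level is not already an OR gets wrapped in one. The sample entries are constructed; the tombstone is reduced to the isDeleted attribute the post filters on, whereas a real AD tombstone retains a few more attributes. Function and constant names (parse_filter, add_deleted_clause, evaluate, SAMPLE_ENTRIES) are this example's own.

```python
"""Added example (not from the original post): parse, extend and evaluate
the DIP searchfilter to show the effect of adding (isDeleted=TRUE).
Sample entries are constructed for illustration only."""

# The two filters quoted in step 1 of the post.
OLD_FILTER = "(|(objectclass=group)(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer))))"
NEW_FILTER = "(|(objectclass=group)(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer)))(isDeleted=TRUE))"

DELETED_CLAUSE = ("=", "isDeleted", "TRUE")

# Constructed sample entries: attribute name (lower case) -> list of values.
SAMPLE_ENTRIES = {
    "live user": {"objectclass": ["top", "person", "organizationalPerson", "user"],
                  "samaccountname": ["jdoe"]},
    "computer": {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
                 "samaccountname": ["WS01$"]},
    "group": {"objectclass": ["top", "group"], "cn": ["Finance"]},
    # Reduced tombstone: only the attribute the post filters on (constructed).
    "tombstone": {"isdeleted": ["TRUE"], "objectguid": ["<constructed-guid>"]},
}


def parse_filter(text):
    """Parse an RFC 4515 style filter into a tree.

    Node shapes: ('&'|'|', [children]), ('!', child), ('=', attr, value).
    Only the equality item is needed for the filters in this post."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", child)
        end = text.index(")", pos)          # raises ValueError if unbalanced
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("unsupported filter item %r" % text[pos:end])
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing text after filter: %r" % text[pos:])
    return tree


def to_string(tree):
    """Serialise a tree back into filter syntax."""
    op = tree[0]
    if op in "&|":
        return "(" + op + "".join(to_string(c) for c in tree[1]) + ")"
    if op == "!":
        return "(!" + to_string(tree[1]) + ")"
    return "(%s=%s)" % (tree[1], tree[2])


def matches(tree, entry):
    """Evaluate the tree against one entry, comparing names and values
    case-insensitively (as AD does for objectClass and isDeleted)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    attr, value = tree[1].lower(), tree[2].lower()
    return value in (v.lower() for v in entry.get(attr, []))


def includes_deleted_clause(tree):
    """True when (isDeleted=TRUE) appears as a positive item in the filter."""
    op = tree[0]
    if op in "&|":
        return any(includes_deleted_clause(c) for c in tree[1])
    if op == "!":
        return False
    return tree[1].lower() == "isdeleted" and tree[2].lower() == "true"


def add_deleted_clause(filter_text):
    """Return the filter with (isDeleted=TRUE) OR-ed in, as step 1 prescribes."""
    tree = parse_filter(filter_text)
    if includes_deleted_clause(tree):
        return filter_text                       # already fixed; leave as is
    if tree[0] == "|":
        tree[1].append(DELETED_CLAUSE)           # extend the existing OR
    else:
        tree = ("|", [tree, DELETED_CLAUSE])     # wrap a non-OR filter
    return to_string(tree)


def evaluate(filter_text, entries=SAMPLE_ENTRIES):
    """Map each sample entry name to whether the filter selects it."""
    tree = parse_filter(filter_text)
    return {name: matches(tree, entry) for name, entry in entries.items()}


if __name__ == "__main__":
    print("old filter:", evaluate(OLD_FILTER))
    print("new filter:", evaluate(add_deleted_clause(OLD_FILTER)))
```

Running the block shows that the original filter never selects the tombstone entry while the extended one does, and that the computer object is still excluded; add_deleted_clause is idempotent, so it can be applied safely to a profile that has already been corrected.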

