Monday, January 5, 2015

Synchronize Deletion from AD to OID

Synchronize Deletion from AD to OID


Steps to be performed for the use case when the entry is deleted from AD, the corresponding entry in OID gets deleted using DIP
Resolution:
1.  isDeleted=TRUE should be added to the searchfilter.
For example, you may be using:
searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer))))
However, Deleted entries will fail. To correct this, modify the filter as follows:
searchfilter=(|(objectclass=group)(objectclass=organizationalunit)(&(objectclass=user)(!(objectclass=computer)))(isDeleted=TRUE))
login EM -> Farm -> Identity and Access -> right click on DIP -> select Administration: Synchronization profile from popup menu -> select the profile you are using -> click Edit -> click Filtering tab


2. Ensure the user that DIP is binding to AD has permissions to read the Deleted Objects container: cn=Deleted Objects,<domain name>
• For the DirSync approach:
The AD user must belong to the Domain Administrators group, cn=Administrators, cn=builtins,dc=domain,dc=com, or be explicitly granted permissions to
replicate directory changes.

• For the USNChanged approach:
The AD user must have “List Content” and “Read Properties” permissions to the cn=Deleted Objects container.


No comments:

Post a Comment

SOA Cloud 12c GIT Repository

When a project is created, you can choose to initialize the project with one project Git repository for the project. A Maven repository is a...