Thursday, July 9, 2015

OIM / OID : Referential Integrity for referenced group memberships on change username

Use Case 
Change Username (typically via OIM APIs) doesn't update group memberships. When we change username, the cn of the user changes. Since the dn comprises of cn and the dc, the referenced group memberships are orphaned.
This is because, by default, "Referential Integrity" is turned OFF in OID and OIM. 

"Because the CN changed, Oracle Identity Manager attempts a modify operation (modrdn) in the directory resulting in DN change. Because of this unintended DN change, the group membership DN becomes stale resulting in the user loosing membership in that group. This subsequently results in authorization failure. This happens when referential integrity is turned off in the LDAP server, and therefore, the referenced groups are not updated when the RDN of the user changes. Therefore, referential integrity must be turned on in the target LDAP server. Otherwise, the group memberships become stale. The referential integrity issue is also applicable to roles. Groups are also members of other groups and any RDN changes must be reflected as well."

Please see table in link for scenarios when this property is not consistent in OIM and OID.
  • Turn on Referential Integrity Check in OID : 
Change orclRIEnabled to 2 within cn=dsaconfig,cn=configsets,cn=oracle internet directory [Default value is 0]
  • In OIM, modify System property : XL.IsReferentialIntegrityEnabled to TRUE
The above will make sure change username is seamless and doesn't cause any data corruption issues. Obviously, we need to have LDAP Sync turned on between OIM and OID to make sure that this works as expected.