How to disable LDAP Synchronisation in Oracle Identity Manager 11gR2
"Ganesh Kamble" in "OIM" on 2014-08-10
With the release of Oracle Identity Manager 11gR2, Oracle has simplified the process of disabling the LDAP Synchronisation feature. In this post, we will discuss how to disable LDAPSync in an OIM server.
The whole process consists of two steps: deleting the LDAPSync EventHandlers document from the metadata store (MDS), and disabling the set of scheduled jobs that synchronise OIM entities with LDAP.
Earlier versions of OIM (the 11gR1 series) shipped with a few scripts for managing OIM metadata, such as weblogicExportMetadata.sh, weblogicImportMetadata.sh and weblogicDeleteMetadata.sh. These scripts are still available in 11gR2, so the metadata deletion below can be scripted as well as done through the console.
Now let us dive into how we can disable LDAPSync in OIM 11gR2.
Delete EventHandler Metadata
We will be using Oracle Enterprise Manager to delete specific files from the metadata store (MDS).
- Login to Oracle Enterprise Manager with an administrator user
- Select the oim application under Identity and Access > OIM. Click on Oracle Identity Manager and select System MBean Browser
- Under System MBean Browser, navigate to oracle.mds.lcm > Server: oim_server1 > Application: OIMMetadata > MDSAppRuntime > MDSAppRuntime. You will need to scroll down a long way, and because the tree is loaded lazily, a ctrl/command+F search will not find the entry on the first attempt
- On the right hand side panel, select the first deleteMetadata operation under the Operations tab
- The operation takes several input parameters. Click on the pencil icon in the Values column of the docs parameter
- Click on the Add button and enter /db/ldapMetadata/EventHandlers.xml. Click Ok
- Double-check that the document path is exactly the one above before you continue: deleteMetadata removes whatever documents you list, so if you may need to re-enable LDAPSync later, export the document first (weblogicExportMetadata.sh) so it can be re-imported. Click on the Invoke button to execute the deleteMetadata operation
You will see an "Operation executed successfully" confirmation box.
Disable Scheduler Jobs
The provisioning of users, roles, role memberships and role hierarchy to LDAP is handled by four predefined scheduled jobs. Disable all four in the Scheduler section of the OIM System Administration console to stop LDAPSync:
- LDAPSync Post Enable Provision Users to LDAP
- LDAPSync Post Enable Provision Roles to LDAP
- LDAPSync Post Enable Provision Role Memberships to LDAP
- LDAPSync Post Enable Provision Role Hierarchy to LDAP
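The Enterprise Manager clicks above are fine for one environment, but the same deleteMetadata call can be driven from WLST so the change is repeatable and reviewable. The script below is an added example, not code from the original post or from Oracle; it assumes the managed server is oim_server1 and the MDS application is OIMMetadata (as in the steps above), and the admin URL, user name and password handed to connect() are placeholders for your own values. The guard in check_ldapsync_doc is the scripted form of the "make sure the document name is correct" step: deleteMetadata takes a comma-separated list of paths and honours the * wildcard, so the guard refuses anything that is not a single plain .xml document under /db/ldapMetadata/.

```python
# Added example, not from the original post or from Oracle: the EM
# deleteMetadata step driven from WLST, with a guard on the document path.
# Assumed names: managed server oim_server1 and MDS application OIMMetadata
# (as in the post); admin URL, user and password are caller-supplied
# placeholders. Kept to Jython-2.2-compatible syntax so the same file loads
# unchanged under WLST (execfile) and under plain CPython for a dry run.

LDAPSYNC_EVENTHANDLER_DOC = "/db/ldapMetadata/EventHandlers.xml"
LDAPSYNC_NAMESPACE = "/db/ldapMetadata/"


def check_ldapsync_doc(doc):
    """Accept only one plain .xml document path under /db/ldapMetadata/.

    deleteMetadata takes a comma-separated list of paths and honours the
    '*' wildcard, so a stray character or a path outside the LDAPSync
    namespace would silently delete unrelated MDS documents. Reject such
    input before anything is invoked and return the path unchanged.
    """
    if not isinstance(doc, str) or doc != doc.strip():
        raise ValueError("document path must be a plain string: %r" % (doc,))
    if not doc.startswith(LDAPSYNC_NAMESPACE):
        raise ValueError("refusing to delete outside %s: %s" % (LDAPSYNC_NAMESPACE, doc))
    for forbidden in ("*", "?", ",", "..", "//"):
        if forbidden in doc:
            raise ValueError("wildcards, lists and traversal are not allowed: %s" % doc)
    if not doc.endswith(".xml"):
        raise ValueError("expected an .xml document: %s" % doc)
    return doc


def rejects(doc):
    """True if check_ldapsync_doc refuses the path (used for dry-run checks)."""
    try:
        check_ldapsync_doc(doc)
    except ValueError:
        return True
    return False


def plan_delete(doc=LDAPSYNC_EVENTHANDLER_DOC, application="OIMMetadata",
                server="oim_server1"):
    """Return exactly the arguments that will be handed to WLST deleteMetadata.

    Works under plain Python too, so the plan (and the guard) can be
    reviewed and tested without a WebLogic connection.
    """
    return {"application": application,
            "server": server,
            "docs": check_ldapsync_doc(doc)}


def delete_ldapsync_eventhandlers(admin_url, user, password,
                                  doc=LDAPSYNC_EVENTHANDLER_DOC,
                                  application="OIMMetadata",
                                  server="oim_server1"):
    """Connect to the AdminServer and delete the LDAPSync EventHandlers document.

    Call this only from WLST: connect(), deleteMetadata() and disconnect()
    are WLST built-ins and do not exist in plain CPython. The connection is
    torn down even if deleteMetadata raises.
    """
    args = plan_delete(doc, application, server)
    connect(user, password, admin_url)  # placeholder URL and credentials from the caller
    try:
        deleteMetadata(application=args["application"],
                       server=args["server"],
                       docs=args["docs"])
    finally:
        disconnect()
    return args
```

From the WLST prompt, load the file with execfile('disable_ldapsync.py') and then call delete_ldapsync_eventhandlers('t3://oimhost:7001', 'weblogic', 'password') with your own host and credentials (a hypothetical file name and URL). The scheduled jobs listed above are not touched by this script; disable them in the console as described.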
Although this post touches OIM metadata, no server restart is required for the changes to take effect. That is it: from now on, changes you make to users and roles in OIM are no longer propagated to the LDAP directory that was configured during LDAPSync setup. Bear in mind that this cuts both ways: accounts and memberships that OIM revokes or deletes will also stop being removed from the directory, so make sure deprovisioning in LDAP is handled some other way before you switch the synchronisation off.