4 Performing the Postconfiguration Tasks for the Microsoft Active Directory User Management Connector

These are the tasks that you must perform after creating an application in Oracle Identity Governance.

4.1 Configuring Oracle Identity Governance

During application creation, if you did not choose to create a default form, then you must create a UI form for the application that you created by using the connector.

Note:

Perform the procedures described in this section only if you did not choose to create the default form during creating the application.

The following topics describe the procedures to configure Oracle Identity Governance:

4.1.1 Creating and Activating a Sandbox

You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.

See Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.1.2 Creating a New UI Form

You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms.

See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance.

While creating the UI form, ensure that you select the resource object corresponding to the newly created application that you want to associate the form with. In addition, select the Generate Entitlement Forms check box.

4.1.3 Publishing a Sandbox

Before publishing a sandbox, perform this procedure as a best practice to validate all sandbox changes made up to this stage, because it is difficult to revert the changes after a sandbox is published.

  1. In Identity System Administration, deactivate the sandbox.

  2. Log out of Identity System Administration.

  3. Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.

  4. In the Catalog, ensure that the application instance form for your resource appears with correct fields.

  5. Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.1.4 Updating an Existing Application Instance with a New Form

For any changes that you do in the schema of your application in Identity Self Service, you must create a new UI form and update the changes in an application instance.

To update an existing application instance with a new form:

  1. Create and activate a sandbox.

  2. Create a new UI form for the resource.

  3. Open the existing application instance.

  4. In the Form field, select the new UI form that you created.

  5. Save the application instance.

  6. Publish the sandbox.

4.2 Configuring the IT Resource for the Target System

If you are using the target system, then you must configure values for the parameters of the Active Directory IT resource.

If you are using the connector for group management or organizational unit management, then you must configure values for the parameters of the Active Directory IT resource.

After you create the application for your target system, the connector creates a default IT resource for the target system. The name of this default IT resource is Active Directory.

In Oracle Identity System Administration, search for and edit the Active Directory IT resource to specify values for the parameters of IT resource listed in Table 4-1. For more information about searching for IT resources and updating its parameters, see Managing IT Resources in Oracle Fusion Middleware Administering Oracle Identity Governance.

Table 4-1 Parameters of the Active Directory IT Resource for the Target System

Parameter Description

ADLDSPort

Enter the number of the port at which Microsoft AD LDS is listening.

Sample value: 50001

Note: Do not enter a value for this parameter if you are using Microsoft Active Directory as the target system.

BDCHostNames

Enter the host name of the backup domain controller to which Oracle Identity Governance must switch if the primary domain controller becomes unavailable.

Sample value: mydc1;mydc2;mydc3

Note: Multiple backup domain controllers must be separated by semicolon (;).

Configuration Lookup

This parameter holds the name of the lookup definition that stores configuration information used during reconciliation and provisioning.

If you have configured your target system as a target resource, then enter Lookup.Configuration.ActiveDirectory.

If you have configured your target system as a trusted source, then enter Lookup.Configuration.ActiveDirectory.Trusted.

Default value: Lookup.Configuration.ActiveDirectory

Connector Server Name

Name of the IT resource of the type "Connector Server."

Note: Enter a value for this parameter only if you have deployed the Active Directory User Management connector in the Connector Server.

Default value: Active Directory Connector Server

Container

Enter the fully qualified domain name of the user container into or from which users must be provisioned or reconciled into Oracle Identity Governance, respectively.

Sample value: DC=example,DC=com

DirectoryAdminName

Enter the user name of account that you create by performing the procedure described in Creating a Target System User Account for Connector Operations.

Enter the value for this parameter in the following format:

DOMAIN_NAME\USER_NAME

Sample value: mydomain\admin

Note: If you are using AD LDS as the target system and this machine belongs to a workgroup, enter the username of the account created in Creating a Target System User Account for Connector Operations.

Enter a value for this parameter in the following format:

USER_NAME

Sample value: admin

DirectoryAdminPassword

Enter the password of the user account that you create by performing the procedure described in Creating a Target System User Account for Connector Operations.

DomainName

Enter the domain name for the Microsoft Active Directory domain controller on which the connector is being installed.

Sample value: example.com

Note: This is a mandatory parameter if you are using Microsoft Active Directory as the target system.

isADLDS

Enter yes to specify that the target system is Microsoft AD LDS.

Enter no to specify that the target system is Microsoft Active Directory.

LDAPHostName

Enter the host name, IP address, or domain name of the Microsoft Windows computer (target system host computer) on which Microsoft Active Directory is installed.

Note: If you do not specify a value for this parameter and the BDCHostNames parameter (discussed earlier in this table), then a serverless bind is used. The connector leverages ADSI for determining the domain controller in the domain and then creates the directory entry. Therefore, all interactions with the target system are not specific to a domain controller.

To determine the host name, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field.

Sample values:

w2khost

172.20.55.120

example.com

SyncDomainController

Enter the name of the domain controller from which user accounts must be reconciled.

Note: The value specified in this parameter is used if the value of the SearchChildDomains lookup entry is set to no. If no value is specified for the SyncDomainController parameter and the SearchChildDomains lookup entry is set to no, then the connector automatically finds a domain controller for the target system and reconciles users from it.

Sample value: mynewdc

SyncGlobalCatalogServer

Enter the host on which the global catalog server is located.

Note: The value specified in this parameter is used if the value of the SearchChildDomains lookup entry is set to yes. If no value is specified for the SyncGlobalCatalogServer parameter and the SearchChildDomains lookup entry is set to yes, then the connector automatically finds a global catalog server for the target system, and then reconciles user accounts from the domain controller on which the global catalog server is running.

It is strongly recommended to provide a value for this parameter if you have set the SearchChildDomains lookup entry to yes.

Sample value: myglobalcatalogdc

UseSSL

Enter yes if the target system has been configured for SSL. This enables secure communication between the Connector Server and target system. Otherwise, enter no.

Default value: no

Note:
  • For resetting user password during provisioning operations, the communication with the target system must be secure. The default communication between the .NET Connector Server and Microsoft Active Directory is secure. Therefore, even if you set the value of this parameter to no, it is possible to reset user passwords during provisioning operations because the default communication is secure.

  • The default communication between the .NET Connector Server and Microsoft AD LDS is not secure. Therefore, to enable password reset during provisioning operations, you must set the value of this parameter to yes to secure communication with Microsoft AD LDS. See Configuring SSL for Microsoft Active Directory and Microsoft AD LDS for more information about configuring SSL.
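The rules that Table 4-1 states for each parameter (ADLDSPort only for AD LDS, DomainName mandatory for Active Directory, the DOMAIN_NAME\USER_NAME form of DirectoryAdminName, semicolon-separated BDCHostNames, UseSSL required for password reset against AD LDS, SyncGlobalCatalogServer recommended when SearchChildDomains is yes) can be checked before the IT resource is saved. The following script is an added example and is not part of this documentation or of the connector: it treats the parameters as a plain dictionary keyed by the names in the table, carries the SearchChildDomains lookup entry in the same dictionary (an assumption of the script, since that entry lives in the Configuration lookup, not in the IT resource), and runs against two constructed sample configurations.

```python
"""Consistency checks for Active Directory IT resource parameter values.

Added example; not part of the Oracle documentation or the connector.
The rules are the ones Table 4-1 states for each parameter. Parameter names
are the IT resource parameter names from that table; SearchChildDomains is
a Configuration lookup entry that the Sync* rules depend on, so this script
expects it in the same dictionary (an assumption made here).
"""
import re

# DirectoryAdminName format for Active Directory targets: DOMAIN_NAME\USER_NAME
AD_ADMIN_NAME = re.compile(r"^[^\\\s]+\\[^\\\s]+$")
# The two lookup definitions shipped with the connector (Table 4-1).
KNOWN_LOOKUPS = {
    "Lookup.Configuration.ActiveDirectory",
    "Lookup.Configuration.ActiveDirectory.Trusted",
}


def _flag(params, key, default="no"):
    """Read a yes/no parameter case-insensitively."""
    return params.get(key, default).strip().lower() == "yes"


def check_it_resource(params):
    """Return a list of (severity, message) findings for one IT resource.

    severity is "error" for values Table 4-1 marks as required or mandatory,
    "warning" for its recommendations and "info" for behaviour worth knowing.
    """
    findings = []
    is_adlds = _flag(params, "isADLDS")
    use_ssl = _flag(params, "UseSSL")
    admin = params.get("DirectoryAdminName", "").strip()

    if not admin:
        findings.append(("error", "DirectoryAdminName is required"))
    if not params.get("DirectoryAdminPassword"):
        findings.append(("error", "DirectoryAdminPassword is required"))
    if params.get("Configuration Lookup", "") not in KNOWN_LOOKUPS:
        findings.append(("warning", "Configuration Lookup is not one of the two "
                         "lookup definitions shipped with the connector"))

    if is_adlds:
        if not params.get("ADLDSPort"):
            findings.append(("error", "ADLDSPort is required when isADLDS is yes"))
        if not use_ssl:
            # The Connector Server to AD LDS channel is not secure by default,
            # so password reset during provisioning needs UseSSL=yes.
            findings.append(("error", "UseSSL must be yes for AD LDS, otherwise "
                             "password reset during provisioning fails"))
    else:
        if params.get("ADLDSPort"):
            findings.append(("error", "ADLDSPort must be empty for Active Directory"))
        if not params.get("DomainName"):
            findings.append(("error", "DomainName is mandatory for Active Directory"))
        if admin and not AD_ADMIN_NAME.match(admin):
            findings.append(("error", "DirectoryAdminName must be DOMAIN_NAME\\USER_NAME"))

    bdc = params.get("BDCHostNames", "")
    if "," in bdc or " " in bdc.strip():
        findings.append(("error", "BDCHostNames must be separated by semicolons"))
    if not params.get("LDAPHostName") and not bdc:
        findings.append(("info", "no LDAPHostName or BDCHostNames: a serverless "
                         "bind through ADSI picks the domain controller"))

    if _flag(params, "SearchChildDomains"):
        if not params.get("SyncGlobalCatalogServer"):
            findings.append(("warning", "SearchChildDomains is yes but "
                             "SyncGlobalCatalogServer is not set"))
    elif not params.get("SyncDomainController"):
        findings.append(("info", "SyncDomainController not set: the connector "
                         "picks a domain controller for reconciliation"))
    return findings


def by_severity(findings, severity):
    """Messages of one severity, in the order they were found."""
    return [message for sev, message in findings if sev == severity]


# Constructed samples (only the value formats come from Table 4-1).
# The AD LDS sample keeps the UseSSL default of "no".
SAMPLE_ADLDS = {
    "isADLDS": "yes",
    "ADLDSPort": "50001",
    "LDAPHostName": "adldshost.example.com",
    "DirectoryAdminName": "admin",
    "DirectoryAdminPassword": "PLACEHOLDER",
    "UseSSL": "no",
    "Configuration Lookup": "Lookup.Configuration.ActiveDirectory",
}
SAMPLE_AD = {
    "isADLDS": "no",
    "DomainName": "example.com",
    "LDAPHostName": "dc1.example.com",
    "BDCHostNames": "mydc1;mydc2;mydc3",
    "DirectoryAdminName": r"mydomain\admin",
    "DirectoryAdminPassword": "PLACEHOLDER",
    "UseSSL": "yes",
    "Configuration Lookup": "Lookup.Configuration.ActiveDirectory",
    "SearchChildDomains": "yes",
}

if __name__ == "__main__":
    for name, sample in (("AD LDS", SAMPLE_ADLDS), ("AD", SAMPLE_AD)):
        for sev, msg in check_it_resource(sample):
            print(f"{name}: {sev}: {msg}")
```

Run as a script it prints one line per finding; the AD LDS sample yields the UseSSL error that would otherwise surface only when the first password reset fails, and the AD sample yields the SyncGlobalCatalogServer warning.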

4.3 Configuring the IT Resource for the Connector Server

If you are using the Connector Server, then you must configure values for the parameters of the Connector Server IT resource.

After you create the application for your target system, the connector creates a default IT resource for the target system. The name of this default IT resource is Active Directory Connector Server.

In Oracle Identity System Administration, search for and edit the Active Directory Connector Server IT resource to specify values for the parameters of IT resource listed in Table 4-2. For more information about searching for IT resources and updating its parameters, see Managing IT Resources in Oracle Fusion Middleware Administering Oracle Identity Governance.

Table 4-2 Parameters of the Active Directory Connector Server IT Resource

Parameter Description

Host

Enter the host name or IP address of the computer hosting the connector server.

Sample value: myhost.com

Key

Enter the key for the connector server.

Port

Enter the number of the port at which the connector server is listening.

Default value: 8759

Timeout

Enter an integer value which specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Governance times out.

Sample value: 0

A value of 0 means that the connection never times out.

UseSSL

Enter true to specify that you will configure SSL between Oracle Identity Governance and the Connector Server. Otherwise, enter false.

Default value: false

Note: It is recommended that you configure SSL to secure communication with the connector server. To configure SSL between Oracle Identity Governance and Connector Server, see Configuring SSL Between Oracle Identity Governance and Connector Server.

4.4 Harvesting Entitlements and Sync Catalog

You can populate Entitlement schema from child process form table, and harvest roles, application instances, and entitlements into catalog. You can also load catalog metadata.

To harvest entitlements and sync catalog:

  1. Run the scheduled jobs for lookup field synchronization listed in Scheduled Jobs for Lookup Field Synchronization.
  2. Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table.
  3. Run the Catalog Synchronization Job scheduled job.

See Also:

Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Governance for a description of the Entitlement List and Catalog Synchronization Job scheduled jobs

4.5 Enabling Logging for Microsoft Active Directory User Management Connector

The Active Directory User Management connector uses the built-in logging mechanism of the .NET framework. Logging for the Active Directory User Management connector is not integrated with Oracle Identity Governance. The log level is set in the .NET Connector Server configuration file (ConnectorServer.exe.config).

To enable logging for the Active Directory User Management connector, perform the following procedure:

  1. Go to the directory where the ConnectorServer.exe.config file is installed. The default directory is C:\Program Files\Identity Connectors\Connector Server.

    The ConnectorServer.exe.config file must be present in this directory.

  2. In the ConnectorServer.exe.config file, add the following lines:
    <system.diagnostics>
      <trace autoflush="true" indentsize="4">
        <listeners>
          <remove name="Default" />
          <add name="myListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\connectorserver2.log" traceOutputOptions="DateTime">
            <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
          </add>
        </listeners>
      </trace>
      <switches>
        <add name="ActiveDirectorySwitch" value="4" />
      </switches>
    </system.diagnostics>
    

    The value="4" sets the log level to Verbose. This value can be set as any one of the following log levels:

    • value="4" or value="Verbose"

      This value sets the log level to the "Verbose" level. It is the most granular.

    • value="3" or value="Information"

      This value sets the log level to the "Information" level.

    • value="2" or value="Warning"

      This value sets the log level to the "Warning" level.

    • value="1" or value="Error"

      This value sets the log level to the "Error" level.

    • value="0"

      Logging is not configured when the value is set to "0".

    However, remember that the logging level has a direct effect on the performance of the .NET Connector Server.

  3. After you make the configuration change, stop and then restart the .NET Connector Server service. Alternatively, restart the .NET Connector Server using the following command:
    ConnectorServer.exe /run

4.5.1 Configuring Log File Rotation

Information about events that occur during reconciliation and provisioning operations is stored in a log file. As you use the connector over a period of time, the amount of information written to the log file increases. If no rotation is performed, then the log files become very large.

To avoid such a scenario, perform the procedure described in this section to configure rotation of the log file.

To configure rotation of a log file on a daily basis:

  1. Log in to the computer that is hosting the Connector Server.
  2. Stop the Connector Server.
  3. Back up the ConnectorServer.exe.config file. The default location of this file is C:\Program Files\Identity Connectors\Connector Server.
  4. In a text editor, open the ConnectorServer.exe.config file for editing.
  5. Search for the <listeners> and </listeners> elements and replace the text between these elements with the following:
    <remove name="Default" />
    <add name="FileLog" type="Microsoft.VisualBasic.Logging.FileLogTraceListener,Microsoft.VisualBasic,Version=8.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
    initializeData="FileLogWriter"
    traceOutputOptions="DateTime"
    BaseFileName="ConnectorServerDaily"
    Location="Custom"
    CustomLocation="C:\ConnectorServerLog\"
    LogFileCreationSchedule="Daily">
    <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information"/>
    </add>
    
  6. Save the file and close it.
  7. Start the Connector Server.
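The following script is an added example for step 2 of Enabling Logging (the switch values) and for the rotation listener in this section; it is not part of this documentation or of the Connector Server. It parses the <system.diagnostics> section with Python's standard XML parser, normalizes the switch value (numeric or named), and flags what an administrator checks after editing the file: a listener without rotation, a Verbose switch, and a listener filter that is stricter than the switch (the Information filter shown in both fragments above discards the Verbose events that value="4" turns on, so the two settings should agree). Both embedded configuration fragments are constructed from the ones shown on this page.

```python
"""Inspect the <system.diagnostics> section of ConnectorServer.exe.config.

Added example; not part of the Oracle documentation or the connector. It
reports the effective ActiveDirectorySwitch level, each trace listener and
the settings the two procedures above make worth a second look. The two
embedded configuration fragments are constructed from the ones shown above.
"""
import xml.etree.ElementTree as ET

# Values the ActiveDirectorySwitch entry accepts, numeric or by name.
LEVEL_BY_NUMBER = {"0": "Off", "1": "Error", "2": "Warning",
                   "3": "Information", "4": "Verbose"}
RANK = {name: int(num) for num, name in LEVEL_BY_NUMBER.items()}


def normalize_level(value):
    """Map "4" or "verbose" (any case) to the canonical level name."""
    value = (value or "").strip()
    if value in LEVEL_BY_NUMBER:
        return LEVEL_BY_NUMBER[value]
    for name in RANK:
        if value.lower() == name.lower():
            return name
    raise ValueError(f"unrecognised switch value {value!r}")


def inspect_logging(config_xml):
    """Return {"level", "listeners", "findings"} for one configuration file."""
    root = ET.fromstring(config_xml)
    diag = root.find("system.diagnostics")
    if diag is None:
        raise ValueError("no <system.diagnostics> section: connector logging is off")
    switch = diag.find("switches/add[@name='ActiveDirectorySwitch']")
    level = normalize_level(switch.get("value")) if switch is not None else "Off"

    trace = diag.find("trace")
    nodes = trace.findall("listeners/*") if trace is not None else []
    listeners, findings, default_removed = [], [], False
    for node in nodes:
        if node.tag == "remove" and node.get("name") == "Default":
            default_removed = True
        if node.tag != "add":
            continue
        # type="Namespace.Class, Assembly, Version=..."; keep only the class name.
        cls = node.get("type", "").split(",")[0].strip().rsplit(".", 1)[-1]
        flt = node.find("filter")
        info = {
            "name": node.get("name"),
            "type": cls,
            "filter": normalize_level(flt.get("initializeData")) if flt is not None else None,
            # FileLogTraceListener rotates when LogFileCreationSchedule is Daily or Weekly.
            "rotates": cls == "FileLogTraceListener"
                       and node.get("LogFileCreationSchedule") in ("Daily", "Weekly"),
            "location": node.get("CustomLocation") or node.get("initializeData"),
        }
        listeners.append(info)
        if not info["rotates"]:
            findings.append(f"{info['name']}: no rotation, the log file grows without bound")
        if info["filter"] and RANK[info["filter"]] < RANK[level]:
            # An EventTypeFilter discards everything more detailed than its own level.
            findings.append(f"{info['name']}: filter {info['filter']} discards the "
                            f"{level} events the switch enables")
    if level == "Verbose":
        findings.append("switch is Verbose: most detail, highest Connector Server cost")
    if listeners and not default_removed:
        findings.append("Default listener still registered alongside the file listener")
    return {"level": level, "listeners": listeners, "findings": findings}


# Constructed from the fragment in Enabling Logging, step 2: one file, no rotation.
SAMPLE_FLAT = r"""<configuration>
  <system.diagnostics>
    <trace autoflush="true" indentsize="4">
      <listeners>
        <remove name="Default" />
        <add name="myListener" type="System.Diagnostics.TextWriterTraceListener"
             initializeData="c:\connectorserver2.log" traceOutputOptions="DateTime">
          <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
        </add>
      </listeners>
    </trace>
    <switches><add name="ActiveDirectorySwitch" value="4" /></switches>
  </system.diagnostics>
</configuration>"""

# Constructed from the daily-rotation fragment above, with the switch given by name.
SAMPLE_ROTATING = r"""<configuration>
  <system.diagnostics>
    <trace autoflush="true" indentsize="4">
      <listeners>
        <remove name="Default" />
        <add name="FileLog" type="Microsoft.VisualBasic.Logging.FileLogTraceListener,Microsoft.VisualBasic,Version=8.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
             initializeData="FileLogWriter" traceOutputOptions="DateTime"
             BaseFileName="ConnectorServerDaily" Location="Custom"
             CustomLocation="C:\ConnectorServerLog\" LogFileCreationSchedule="Daily">
          <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
        </add>
      </listeners>
    </trace>
    <switches><add name="ActiveDirectorySwitch" value="Information" /></switches>
  </system.diagnostics>
</configuration>"""

if __name__ == "__main__":
    for label, xml_text in (("flat", SAMPLE_FLAT), ("rotating", SAMPLE_ROTATING)):
        report = inspect_logging(xml_text)
        print(label, report["level"], report["findings"])
```

To check a real file, pass the contents of ConnectorServer.exe.config to inspect_logging() after editing and before restarting the service; the rotating sample reports no findings because its listener rotates daily and its filter level matches the switch.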

See Also:

The following URL for more information about configuring log file rotation:

http://msdn.microsoft.com/en-us/library/microsoft.visualbasic.logging.filelogtracelistener.aspx

4.6 Localizing Field Labels in UI Forms

You can localize UI form field labels by using the resource bundle corresponding to the language you want to use. The resource bundles are available in the connector installation package.

To localize field labels that you add to UI forms:

  1. Log in to Oracle Enterprise Governance.

  2. In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.

  3. In the right pane, from the Application Deployment list, select MDS Configuration.

  4. On the MDS Configuration page, click Export and save the archive (oracle.iam.console.identity.sysadmin.ear_V2.0_metadata.zip) to the local computer.

  5. Extract the contents of the archive, and open the following file in a text editor:

    SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf

    Note:

    You will not be able to view the BizEditorBundle.xlf unless you complete creating the application for your target system or perform any customization such as creating a UDF.
  6. Edit the BizEditorBundle.xlf file in the following manner:

    1. Search for the following text:

      <file source-language="en"  
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      
    2. Replace with the following text:

      <file source-language="en" target-language="LANG_CODE"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      

      In this text, replace LANG_CODE with the code of the language to which you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:

      <file source-language="en" target-language="ja"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      
    3. Search for the application instance code. This procedure shows a sample edit for the Microsoft Active Directory application instance. The original code is:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.<Field_Name>__c_description']}">
      <source><Field_Label></source>
      <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.<UI_Form_NaME>EO.<Field_Name>__c_LABEL">
      <source><Field_Label></source>
      <target/>
      </trans-unit>
      

      The sample edit of the code is as follows:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
      <source>Full Name</source>
      <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
      <source>Full Name</source>
      <target/>
      </trans-unit>
      
    4. Open the resource file from the connector package, for example ActiveDirectoryIdC_ja.properties, and get the value of the attribute from the file, for example, global.udf.UD_ADUSER_FULLNAME=\u6C0F\u540D.

    5. Replace the original code shown in Step 6.c with the following:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_<Field_Name>__c_description']}">
      <source><Field_Label></source>
      <target><global.udf.UD_Field_Name></target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.<UI_Form_Name>.entity.<UI_Form_Name>EO.UD_<Field_Name>__c_LABEL">
      <source><Field_Label></source>
      <target><global.udf.UD_Field_Name></target>
      </trans-unit>
      

      As an example, the code for Full Name is as follows:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
      <source>Full Name</source>
      <target>\u6C0F\u540D</target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
      <source>Full Name</source>
      <target>\u6C0F\u540D</target>
      </trans-unit>
      
    6. Repeat Steps 6.a through 6.d for all attributes of the process form.

    7. Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

      Sample file name: BizEditorBundle_ja.xlf.

  7. Repackage the ZIP file and import it into MDS.

    See Also:

    Deploying and Undeploying Customizations in Developing and Customizing Applications for Oracle Identity Governance, for more information about exporting and importing metadata files

  8. Log out of and log in to Oracle Identity Governance.
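Steps 6.b through 6.e can be applied to every UD_* trans-unit in one pass. The following script is an added example, not Oracle's tooling or part of the connector package: it sets target-language on the <file> element, reads the global.udf.* values from the language's resource file and writes them into the matching <target> elements, and reports the fields for which the resource file has no label. One assumption differs from the text above: the \uXXXX escapes in the .properties file are decoded into characters before being written, because the XLIFF file is UTF-8 XML and applies no Java escape processing, whereas the page pastes the escape sequences verbatim. The XLIFF and properties excerpts are constructed around the Full Name trans-units shown above, and UD_ADUSER_TITLE is an invented field with no entry in the resource file.

```python
"""Fill the <target> elements of BizEditorBundle.xlf from a connector resource file.

Added example; not part of the Oracle documentation or the connector. The
XLIFF and properties excerpts are constructed from the Full Name trans-units
shown on this page; UD_ADUSER_TITLE is invented to show an uncovered field.
"""
import re
import xml.etree.ElementTree as ET

# Trans-unit ids end in <UD field>__c_description or <UD field>__c_LABEL.
FIELD_RE = re.compile(r"(UD_[A-Z0-9_]+)__c_(?:description|LABEL)")


def load_udf_labels(properties_text):
    """Parse global.udf.* lines of a Java .properties file, decoding \\uXXXX escapes."""
    labels = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().startswith("global.udf."):
            # .properties files are ISO-8859-1 with \uXXXX escapes (assumed here).
            labels[key.strip()] = value.strip().encode("latin-1").decode("unicode_escape")
    return labels


def localize_bundle(xlf_text, labels, lang_code):
    """Return (localized XLIFF text, number of targets filled, fields without a label)."""
    root = ET.fromstring(xlf_text)
    if root.tag.startswith("{"):  # keep the default namespace on output
        ET.register_namespace("", root.tag[1:].split("}")[0])
    for file_el in root.iterfind(".//{*}file"):
        file_el.set("target-language", lang_code)
    filled, missing = 0, []
    for unit in root.iterfind(".//{*}trans-unit"):
        m = FIELD_RE.search(unit.get("id", ""))
        if not m:
            continue
        label = labels.get("global.udf." + m.group(1))
        target = unit.find("{*}target")
        if label is None or target is None:
            if m.group(1) not in missing:
                missing.append(m.group(1))
            continue
        target.text = label
        filled += 1
    return ET.tostring(root, encoding="unicode"), filled, missing


# Constructed XLIFF excerpt built around the trans-units shown above.
SAMPLE_XLF = """<xliff version="1.1" xmlns="urn:oasis:names:tc:xliff:document:1.1">
  <file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
    <body>
      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
        <source>Full Name</source>
        <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
        <source>Full Name</source>
        <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_TITLE__c_LABEL">
        <source>Title</source>
        <target/>
      </trans-unit>
    </body>
  </file>
</xliff>"""

# Constructed excerpt in the form of ActiveDirectoryIdC_ja.properties.
SAMPLE_PROPERTIES = ("# constructed excerpt\n"
                     "global.udf.UD_ADUSER_FULLNAME=\\u6C0F\\u540D\n")

if __name__ == "__main__":
    text, count, missing = localize_bundle(SAMPLE_XLF, load_udf_labels(SAMPLE_PROPERTIES), "ja")
    print(f"filled {count} targets; no label for: {missing}")
    print(text)
```

Save the returned text as BizEditorBundle_LANG_CODE.xlf (BizEditorBundle_ja.xlf for the sample) and review the reported missing fields before repackaging; a trans-unit left with an empty <target> keeps the English label.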

4.7 Configuring the Connector for Provisioning Organizations

Perform the procedure described in this section if you intend to provision organizations to a root DN.

Before you provision organizations to a root DN, you must add the DN to the Lookup.ActiveDirectory.OrganizationalUnits lookup definition as follows:

  1. Log in to the Design Console.
  2. Expand Administration and then double-click Lookup Definition.
  3. Search for and open the Lookup.ActiveDirectory.OrganizationalUnits lookup definition.
  4. Add an entry for the root DN. The following is a sample value for the Code Key and Decode values:

    Code Key: 150~DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com

    Decode: SamAD~DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com

  5. Click Save.

4.8 Enabling and Disabling the Passwords Must Meet Complexity Requirements Policy setting

In Microsoft Active Directory, the "Passwords must meet complexity requirements" policy setting is used to enable or disable password policies.

The procedure that you must perform depends on which of the following objectives (either or both) you want to achieve:

  • Enable password policies

  • Configure SSL between Oracle Identity Governance and the target system

Note:

The procedure to configure SSL is discussed later in this guide.

If you configure SSL and you want to enable both the default Microsoft Windows password policy and a custom password policy, then you must enable the "Passwords must meet complexity requirements" policy setting.

Note:

If you install Microsoft ADAM in a domain controller then it acquires all the policies of Microsoft Active Directory installed in the same domain controller. If you install Microsoft ADAM in a workgroup, then the local system policies are applied.

To enable or disable the "Passwords must meet complexity requirements" policy setting, check the password policy setting and select Enabled if you want to enable password policies, or Disabled if you do not.

For detailed information on enabling and disabling the "Passwords must meet complexity requirements" policy, see the Microsoft Active Directory User Management documentation.

4.9 Configuring SSL for Microsoft Active Directory and Microsoft AD LDS

This section discusses the following topics to configure SSL communication between Oracle Identity Governance and the target system:

Note:

  • In this section, Microsoft ADAM and Microsoft AD LDS have both been referred to as Microsoft AD LDS.

  • If you are using Microsoft AD LDS, then you must configure SSL for all connector operations to work as expected.

  • For detailed instructions of the procedures, see the Microsoft Active Directory User Management documentation.

4.9.1 Prerequisites

Public key certificates are used for determining the identity and authenticity of clients in software security systems. Certificate Services create and manage public key certificates. This ensures that organizations have a reliable and secure way to create, manage, and distribute these certificates.

Note:

  • Before you begin installing Active Directory Certificate Services (AD CS), you must ensure that Internet Information Services (IIS) is installed on the computer hosting the target system.

  • For detailed steps to install Certificate Services on the corresponding Windows Server, refer to the Microsoft documentation.

If you are installing Certificate Services on Windows Server 2008, add the following features by using the Server Manager console on the computer that is running the Connector Server:
  • Remote Server Administration Tools

  • Role Administration Tools

  • Active Directory Certificate Services Tools

  • AD DS and AD LDS Tools

4.9.2 Configuring SSL Between Connector Server and Microsoft Active Directory

You can configure SSL between Connector Server and Microsoft Active Directory by ensuring that the computer hosting Microsoft Active Directory has LDAP enabled over SSL (LDAPS).

Note:

To configure SSL, the computer hosting the target system and the computer on which the Connector Server is running must be in the same domain.

To enable LDAPS, request a new certificate using the Automatic Certificate Request Setup Wizard.

4.9.3 Configuring SSL Between Connector Server and Microsoft AD LDS

To configure SSL between Connector Server and Microsoft AD LDS, ensure that ADAM is SSL-enabled.

To configure SSL between Connector Server and Microsoft AD LDS, perform the following procedures:
  1. Request a certificate when Microsoft AD LDS is deployed within the connector domain or used as a standalone deployment.

    Note:

    • This procedure can be performed either on the computer on which the Connector Server is running or on the computer hosting the target system.

    • Before you begin generating the certificate, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.

  2. Issue the certificate that you requested earlier when Microsoft AD LDS was deployed within the connector domain in the Microsoft Active Directory Certificate Services window.

  3. In the Microsoft Management Console, add the certificate to the personal store of the Microsoft AD LDS service.

  4. Assign permissions to the MachineKeys folder that contains the certificate key. To do so, add the following groups and users and then grant them Full Control permission:
    • Administrators

    • Everyone

    • NETWORK SERVICE

    • The user name of the account used to install Microsoft ADAM

    • SYSTEM

    Note that the path to the MachineKeys folder is similar to the following:

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

    Assign the same groups and users to the certificate.

  5. Restart the Microsoft AD LDS instance for the changes to take effect.

  6. Test the certificate from the AD LDS Tools Command Prompt window. If SSL is successfully configured, then status messages about the connection are displayed on the LDAPS window.

4.9.4 Configuring SSL Between Oracle Identity Governance and Connector Server

The following sections provide information about configuring SSL between Oracle Identity Governance and Connector Server:

4.9.4.1 Exporting the Certificate

Note:

Perform this procedure on the computer hosting the connector server.

To export the certificate requested and issued from the Microsoft Management Console, navigate to and open the Certificate Export Wizard. Export the certificate in the Base-64 encoded X.509 (.CER) file format.

4.9.4.2 Configuring the Connector Server for SSL

Note:

  • Perform this procedure on the computer hosting the connector server.

  • Connector Server 12c (12.2.1.3.0) can be used with older versions of connectors.

See Configuring the .NET Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for detailed instructions to configure the Connector Server for SSL.

4.9.4.3 Configuring Oracle Identity Governance for SSL

The following is the procedure to configure Oracle Identity Governance for SSL:

  1. Copy the certificate generated in Exporting the Certificate to the computer on which Oracle Identity Governance is running.
  2. Import the target system certificate into the JDK used by Oracle Identity Governance (running on Oracle WebLogic Application Server) by running the following command:

    keytool -import -keystore MY_CACERTS -file CERT_FILE_NAME -storepass PASSWORD

    In this command:

    • MY_CACERTS is the full path and name of the certificate store (the default is cacerts).

    • CERT_FILE_NAME is the full path and name of the certificate file.

    • PASSWORD is the password of the keystore.

    The following is a sample command:

    keytool -import -keystore /home/testoc4j/OIM/jrockit_160_14_R27.6.5-32/jre/lib/security/cacerts -file /home/ADSSLCer.cer -storepass sample_password

  3. Import the target system certificate into the keystore of the application server by running the following command:

    keytool -import -keystore MY_CACERTS -file CERT_FILE_NAME -storepass PASSWORD

    In this command:

    • MY_CACERTS is the full path and name of the certificate store (the default is WEBLOGIC_HOME/server/lib/DemoTrust.jks)

    • CERT_FILE_NAME is the full path and name of the certificate file.

    • PASSWORD is the password of the keystore.

    The following is a sample command:

    keytool -import -keystore WEBLOGIC_HOME/server/lib/DemoTrust.jks -file /home/ADSSLCer.cer -storepass DemoTrustKeyStorePassPhrase

  4. Set the value of the UseSSL parameter in Basic Configuration Parameters to true.
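Before the two keytool imports above are run, the exported file should be checked and its fingerprint compared with the certificate on the Connector Server host, because anything imported into cacerts or DemoTrust.jks is trusted by every TLS connection that keystore backs. The following script is an added example, not part of this documentation: it confirms that the file is the Base-64 encoded X.509 (.CER) export that Exporting the Certificate asks for, computes the SHA-256 fingerprint in the form keytool -printcert displays, and builds the two keytool commands from steps 2 and 3 with an explicit alias and with the keystore password read from an environment variable through keytool's -storepass:env option instead of being typed on the command line. The certificate bytes, the alias, the OIG_STOREPASS variable name and the JDK_HOME/WEBLOGIC_HOME prefixes are constructed placeholders.

```python
"""Check an exported .CER file and build the keytool imports for both keystores.

Added example; not part of the Oracle documentation. The certificate bytes
below are a constructed placeholder, not a real certificate, and the alias,
environment variable name and JDK_HOME/WEBLOGIC_HOME prefixes are placeholders.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_from_cer(cer_text):
    """Return the DER bytes of a Base-64 encoded .CER file; reject other formats."""
    m = PEM_RE.search(cer_text)
    if not m:
        raise ValueError("not a Base-64 encoded X.509 (.CER) file; re-export it in "
                         "that format from the Certificate Export Wizard")
    # validate=True rejects stray characters, so strip the line breaks first.
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def is_base64_cer(cer_text):
    """True when the text parses as a Base-64 .CER file."""
    try:
        der_from_cer(cer_text)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256, the form keytool -printcert shows."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def keytool_import(keystore, cert_file, alias, password_env="OIG_STOREPASS"):
    """keytool command for one keystore; the password is read from $password_env,
    so it appears in neither the process list nor the shell history."""
    return ["keytool", "-importcert", "-noprompt",
            "-keystore", keystore, "-file", cert_file, "-alias", alias,
            "-storepass:env", password_env]


def import_plan(cer_text, cert_file, alias, keystores):
    """Validate the file once and return its fingerprint plus one command per keystore."""
    fingerprint = sha256_fingerprint(der_from_cer(cer_text))
    return {"sha256": fingerprint,
            "commands": [keytool_import(ks, cert_file, alias) for ks in keystores]}


# Constructed placeholder: 64 arbitrary bytes wrapped as a Base-64 .CER file.
PLACEHOLDER_DER = bytes(range(64))
_B64 = base64.b64encode(PLACEHOLDER_DER).decode()
PLACEHOLDER_CER = ("-----BEGIN CERTIFICATE-----\n"
                   + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
                   + "\n-----END CERTIFICATE-----\n")
# The two keystores from steps 2 and 3; JDK_HOME and WEBLOGIC_HOME are placeholders.
KEYSTORES = ["JDK_HOME/jre/lib/security/cacerts",
             "WEBLOGIC_HOME/server/lib/DemoTrust.jks"]

if __name__ == "__main__":
    plan = import_plan(PLACEHOLDER_CER, "/home/ADSSLCer.cer", "adconnector", KEYSTORES)
    print("SHA-256:", plan["sha256"])
    for command in plan["commands"]:
        print(" ".join(command))
```

Run keytool -printcert -file on the Connector Server host and compare its SHA256 line with the fingerprint printed here before executing the two commands; the UseSSL parameter in step 4 should only be set to true once both imports have succeeded.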

4.10 Setting Up the Lookup Definition for the Ignore Event API

This section discusses the following topics:

4.10.1 Understanding the Ignore Event Disabled Entry

You can add the 'Ignore Event Disabled' entry to the Configuration lookup definition (Lookup.Configuration.ActiveDirectory.Trusted and Lookup.Configuration.ActiveDirectory for trusted source and target resource modes, respectively) to specify whether reconciliation events must be created for target system records that already exist in Oracle Identity Manager.

If you set the value of the Ignore Event Disabled entry to true, then reconciliation events are created for all records being fetched from the target system, irrespective of their presence in Oracle Identity Manager. If you set the value of this entry to false, then reconciliation events for target system records that are already present in Oracle Identity Manager are not created.

4.10.2 Adding the Ignore Event Disabled Entry

You add the 'Ignore Event Disabled' entry to specify whether reconciliation events must be created for target system records that already exist in Oracle Identity Manager. To do so:

  1. Log in to the Design Console.
  2. Expand Administration, and then double-click Lookup Definition.
  3. Search for and open one of the following lookup definitions:

    For the trusted source mode: Lookup.Configuration.ActiveDirectory.Trusted

    For target resource mode: Lookup.Configuration.ActiveDirectory

  4. On the Lookup Code Information tab, click Add.

    A new row is added.

  5. In the Code Key column of the new row, enter Ignore Event Disabled.
  6. In the Decode column of the new row, depending on your requirement, enter true or false.
  7. Click the Save icon.

Note:

If you are adding the Ignore Event Disabled entry in the AOB installation setup, then open the Advanced Settings section and perform step 4 onwards only.