20080401 getting an ebs account to link with its corresponding oid entry - plembo/onemoretech GitHub Wiki

title: Getting an EBS account to link with its corresponding OID entry
link: https://onemoretech.wordpress.com/2008/04/01/getting-an-ebs-account-to-link-with-its-corresponding-oid-entry/
author: lembobro
description:
post_id: 548
created: 2008/04/01 03:33:53
created_gmt: 2008/04/01 03:33:53
comment_status: open
post_name: getting-an-ebs-account-to-link-with-its-corresponding-oid-entry
status: publish
post_type: post

Getting an EBS account to link with its corresponding OID entry

Unless you’re actually looking for the answer this article provides, you probably won’t have any idea what I’m talking about.

Here’s the situation. You’ve put up an Oracle 10g infrastructure, complete with its own Oracle Internet Directory (OID). By some unknown magic, your 10g infrastructure (including OID and Single Sign-on, SSO) has just been integrated with an existing Oracle Enterprise Business Suite (EBS) Applications instance.

Part of the integration involves setting up automatic provisioning of user accounts in EBS from entries created in OID. You create a new user in OID, and voila! the user gets an account (albeit one with limited access) in EBS.

But your DBAs, developers, consultants, admins and just about everyone who can draw a breath have been haphazardly creating and deleting accounts in OID and EBS alike, both before and after the integration. Ugh. Oh yeah, and then they decide to clone the whole EBS app tier out from under you.

As expected, the accounts on EBS and OID are now hopelessly out of sync. No matter how hard you try, you can’t seem to get SSO to log you into EBS. The OID entry won’t link to the EBS account because there is already a USER_GUID in the user’s FND_USER record on EBS that doesn’t match the corresponding OID entry’s orclguid value.

Instead of jumping up and down screaming, calm down. Here’s what you do.

(Note that for any of the following to work, the user name on OID — designated by the “cn” attribute — and the EBS user name must match EXACTLY, case-sensitively.)

Get onto EBS as an admin somehow. If the DBAs have created a SYSADMIN account, use that. Otherwise, bribe another admin to get you in.

Next, go up to Profiles -> System and make sure that “Applications SSO Auto Link User” is set to “Enabled”.

Finally, get into a terminal session and fire up sqlplus as the EBS system user and connect to the EBS database as the “APPS” user.

sqlplus APPS/[appspw]@[dbname]

Now run the following query:

SQL> SELECT USER_GUID FROM FND_USER
SQL> WHERE USER_NAME='[EBS User ID]';

Where [EBS User ID] is the ID of the user account you need to fix. This will show you if the account already has a USER_GUID value. If it does, do the following:

SQL> UPDATE FND_USER
SQL> SET USER_GUID = ''
SQL> WHERE USER_NAME = '[EBS User ID]';
...
SQL> COMMIT;
...
SQL> quit

What this does is null out the USER_GUID value in the EBS account for the user (Oracle treats the empty string '' as NULL).

Now try logging in again through SSO. This time Auto Linking should do its thing and put you into your EBS home page.

What you’ll also find is that the system has added the user’s OID dn to a special group and added a child entry named with that same orclguid value, registering the guid so it can be used in synching changes in the account between OID and EBS.

The special node for this registration is:

cn=ACCOUNTS,cn=subscription_data,cn=subscriptions,orclApplicationCommonName=[EBS instance name],cn=EBusiness,cn=Products,cn=OracleContext,dc=[realm name],dc=com

The cn=ACCOUNTS object is, among other things, an LDAP group. Auto Linking will add the dn of the user being registered to this group. Additionally, it will create an orclOwnerGUID object named for the user’s OID orclguid under cn=ACCOUNTS. This will look something like:

dn: orclOwnerGUID=67EF4FB9BA053DA0E050A8C0255D7240,cn=ACCOUNTS,cn=subscription_data,cn=subscriptions,orclApplicationCommonName=[EBS instance name],cn=EBusiness,cn=Products,cn=OracleContext,dc=[realm name],dc=com
objectclass: top
objectclass: orclReferenceObject
objectclass: orclServiceSubscriptionDetail
orclOwnerGUID: 67EF4FB9BA053DA0E050A8C0255D7240

Finally, Auto Linking will also change the value in the corresponding EBS account USER_GUID to the value in the OID entry’s orclguid (it will fail to do so if a value already exists there, thus the need to make sure it is null beforehand).

Note: To get the value of the user’s orclguid attribute on OID:

ldapsearch -h [OID Host] -D "cn=orcladmin" -w [OID passwd] -b [realm, like "dc=example,dc=com"] -s sub "cn=[User OID Name]" orclguid

You would need this if you wanted to go completely manual and bypass Auto Linking (not recommended, but possible).
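Before nulling USER_GUID values, it helps to know which accounts are actually out of sync and which will never link because of a case difference in the name. The following read-only check is an added example, not part of the original post: it assumes the orclguid search output has been saved in LDIF form and FND_USER exported as USER_NAME,USER_GUID CSV, and the function names, sample users and all GUIDs except the first are constructed for illustration.

```python
import csv
import io

# Constructed samples: orclguid search output (LDIF) and a USER_NAME,USER_GUID export.
SAMPLE_LDIF = """\
dn: cn=JSMITH,cn=users,dc=example,dc=com
orclguid: 67EF4FB9BA053DA0E050A8C0255D7240

dn: cn=mjones,cn=users,dc=example,dc=com
orclguid: 11111111111111111111111111111111

dn: cn=ADOE,cn=users,dc=example,dc=com
orclguid: 22222222222222222222222222222222

dn: cn=BLEE,cn=users,dc=example,dc=com
orclguid: 33333333333333333333333333333333
"""
SAMPLE_EBS = """\
USER_NAME,USER_GUID
JSMITH,67EF4FB9BA053DA0E050A8C0255D7240
MJONES,11111111111111111111111111111111
ADOE,0123456789ABCDEF0123456789ABCDEF
BLEE,
"""

def parse_ldif_guids(ldif):
    """Map each entry's cn (assumed to be the first RDN of its dn) to its orclguid."""
    guids, cn = {}, None
    for line in ldif.replace("\n ", "").splitlines():  # unfold continuation lines
        key, _, value = line.partition(":")
        if key.lower() == "dn":
            cn = value.strip().split(",")[0].partition("=")[2]
        elif key.lower() == "orclguid" and cn is not None:
            guids[cn] = value.strip().upper()
    return guids

def classify(ebs_csv, ldif):
    """Return {EBS user: status}; nothing is changed in EBS or OID."""
    oid = parse_ldif_guids(ldif)
    folded = {name.lower() for name in oid}
    report = {}
    for row in csv.DictReader(io.StringIO(ebs_csv)):
        user, guid = row["USER_NAME"], (row["USER_GUID"] or "").strip().upper()
        if user not in oid:  # names must match exactly, case included
            report[user] = "case_mismatch" if user.lower() in folded else "no_oid_entry"
        elif not guid:
            report[user] = "unlinked"  # Auto Link can populate USER_GUID
        else:
            report[user] = "linked" if guid == oid[user] else "stale_guid"
    return report
```

Only accounts reported as stale_guid need the UPDATE shown earlier; case_mismatch accounts need the names reconciled first.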

Copyright 2004-2019 Phil Lembo