- Q. Why can't users log in to IDM with their existing passwords once they have been synced from DS?
- Q. How do I resolve the FOUND_ALREADY_LINKED situation for source objects?
- Q. Can you configure IDM reconciliation to continue implicit synchronization even when a failure occurs?
- Q. How do I configure IDM to handle large data sets for reconciliation?
- Q. What is the purpose of the lastSync attribute?
Q. Why can't users log in to IDM with their existing passwords once they have been synced from DS?
A. When users are synced from DS, they exist in IDM but cannot log in until their password has been changed. This is because user passwords in DS are one-way encrypted and cannot be retrieved until a password change has occurred. Additionally, you must use the Passthrough authentication method. See PASSTHROUGH for further information.
You can configure a password policy to force users to change their password when they next log in. See Enforcing Password Policy for further information.
Q. How do I resolve the FOUND_ALREADY_LINKED situation for source objects?
A. See How do I resolve the Found Already Linked situation in Identity Cloud or IDM (All versions)? for further information.
Q. Can you configure IDM reconciliation to continue implicit synchronization even when a failure occurs?
A. No, IDM performs implicit synchronization on an all-or-nothing basis according to the failure compensation configuration. There is no way to have implicit synchronization occur on specific objects within a mapping but not others.
Q. How do I configure IDM to handle large data sets for reconciliation?
A. IDM supports reconciliation paging, which breaks down extremely large data sets into chunks. See Tuning Reconciliation Performance for further information on this and other approaches to improve reconciliation performance.
See How do I identify reconciliation performance issues in IDM (All versions)? for further information on troubleshooting reconciliation performance.
Q. What is the purpose of the lastSync attribute?
A. The lastSync attribute is used as the state in a managed object to remember what assignments were pushed to the target resources, on a per-mapping basis. This attribute prevents divergences between the source and target assignment, especially when removeFromTarget strategies are used.
You must not remove this attribute, because removing it could cause future upgrades to fail.