Identity And Access Management - Rajiv Dewan

AD Connector Bug


I was working with AD Connector 9.1.0.7 and OIM 11.1.1.3.6 and found that whenever we run Target Reconciliation, it doesn't update the last modified timestamp.

Note:

It occurs when you create multiple jobs for AD Target Reconciliation schedulers.

Cause:

While debugging, I found that the AD Connector contains a method called updateMTS() which is responsible for updating the Time Stamp attribute of the Schedule Job.

In this method, the developers search on the Schedule Task Attribute Name (ADCS TimeStamp), which returns a result set.
They then iterate over the result set and update whichever schedule job comes first in it (the first Schedule Job in the ResultSet).

The issue appears only when you create multiple jobs for that Schedule Task: with a single job, the result set contains only one row and the code works fine.

Impact:

  1. It has a huge impact on performance and on the size of the database: if you have multiple jobs for multiple AD servers, it does a FULL RECONCILIATION every time. This affects server performance as well as the OIM database.
  2. Every time, it updates the first job that comes back in the result set. Suppose you are running Job1 but it updates the Time Stamp for Job2. When Job2 runs, it picks up only the users modified after that updated timestamp (written by Job1), which means Job2 misses all the updates from AD for that period, leading to an audit issue.
There are multiple threads on Metalink, but they describe issues different from mine.
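
The two impacts above can be reproduced with a small model of the timestamp update. This is an added example, not the connector's code: the job names, server names, integer timestamps and the `update_mts_scoped` fix are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Job:
    name: str
    server: str
    timestamp: int = 0  # watermark; 0 means nothing reconciled yet (full run)

def update_mts_buggy(rows, running_job, now):
    # Models the behaviour described above: the search is by attribute name,
    # so every job of the task matches, and the first row gets the update.
    rows[0].timestamp = now

def update_mts_scoped(rows, running_job, now):
    # Assumed fix: update only the row that belongs to the running job.
    for row in rows:
        if row.name == running_job:
            row.timestamp = now
            return
    raise LookupError(running_job)

def reconcile(rows, running_job, changes, now, update_mts):
    # Pick the changes on this job's server that fall after its watermark.
    job = next(r for r in rows if r.name == running_job)
    picked = [user for t, server, user in changes
              if server == job.server and job.timestamp < t <= now]
    update_mts(rows, running_job, now)
    return picked

def simulate(update_mts):
    # Constructed data: Job2 happens to be the first row of the result set.
    rows = [Job("Job2", "AD-B"), Job("Job1", "AD-A")]
    changes = [(5, "AD-A", "alice"), (7, "AD-B", "bob"), (15, "AD-A", "carol")]
    return [reconcile(rows, "Job1", changes, 10, update_mts),
            reconcile(rows, "Job2", changes, 12, update_mts),
            reconcile(rows, "Job1", changes, 20, update_mts)]

if __name__ == "__main__":
    print("buggy :", simulate(update_mts_buggy))
    print("scoped:", simulate(update_mts_scoped))
```

With the buggy update, Job2's run returns nothing (the change to `bob` is silently skipped) and Job1's second run re-reads `alice` because its own watermark never moved.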