Working with the new Bidirectional Driver for eDirectory I found a few things that are worth talking about, since they are somewhat special.

In my article Bidirectional Driver for eDirectory – Some hints and workarounds I pointed out that the driver filter can cause some trouble. Here I want to stress what has to be done when working with DN-syntax attributes such as group membership.

In a current project I had to manage a couple of groups in the connected eDirectory without really syncing the groups: depending on certain attribute values in the IDM directory, a user should be added to or removed from a group in the managed system. Since at the beginning we were only talking about one or two groups, we decided not to use group entitlements with the driver.

Since the driver uses LDAP on the Subscriber channel, we configured some rules to set the corresponding attributes on the group and on the user, and made sure those attributes were mapped correctly in the driver's schema mapping. We also ensured that the values of the four attributes (Member, Equivalent To Me, Group Membership and Security Equals) used the LDAP syntax of the corresponding objects in the managed eDirectory. But this did not work out: in its "Fixing up association references" step the engine removed the values of all four attributes from the operation, because the DN values carried no association reference. The trace below shows the document before the fix-up and the resulting Code(-8003) warning.

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.5">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20140821122735.464Z" class-name="User" event-id="idm-ds01#20140821122735#1#1:c80858b5-d811-4387-ee9d-b55808c811d8" qualified-src-dn="O=corp\OU=Data\OU=User\OU=active\CN=ar29jyfa" src-dn="\IDMS-DEV\tu-darmstadt\Data\User\active\ar29jyfa" src-entry-id="367904" timestamp="0#0">
<association state="associated">F9ED5620995BEB40CD88F9ED5620995B</association>
<modify-attr attr-name="idmUserPolicyAcceptedDfnShib">
<remove-value>
<value timestamp="1408623146#1" type="string">20130709</value>
</remove-value>
</modify-attr>
</modify>
<modify class-name="Group" dest-dn="cn=service-dfnshib-user,ou=USER,o=corp" event-id="idm-ds01#20140821122735#1#1:c80858b5-d811-4387-ee9d-b55808c811d8">
<modify-attr attr-name="Member">
<remove-value>
<value type="dn">cn=ar,ou=user,o=corp</value>
</remove-value>
</modify-attr>
<modify-attr attr-name="Equivalent To Me">
<remove-value>
<value type="dn">cn=ar,ou=user,o=corp</value>
</remove-value>
</modify-attr>
</modify>
<modify class-name="User" event-id="idm-ds01#20140821122735#1#1:c80858b5-d811-4387-ee9d-b55808c811d8" qualified-src-dn="O=corp\OU=Data\OU=User\OU=active\CN=ar" src-dn="\IDMS-DEV\corp\Data\User\active\ar" src-entry-id="367904">
<association>F9ED5620995BEB40CD88F9ED5620995B</association>
<modify-attr attr-name="Group Membership">
<remove-value>
<value type="dn">cn=service-dfnshib-user,ou=USER,o=corp</value>
</remove-value>
</modify-attr>
<modify-attr attr-name="Security Equals">
<remove-value>
<value type="dn">cn=service-dfnshib-user,ou=USER,o=corp</value>
</remove-value>
</modify-attr>
</modify>
</input>
</nds>
[08/21/14 14:27:35.744]:TU-ID ST:Filtering out notification-only attributes.
[08/21/14 14:27:35.745]:TU-ID ST: Filtered out <modify-attr attr-name='idmUserPolicyAcceptedDfnShib'>.
[08/21/14 14:27:35.745]:TU-ID ST: Filtered out <modify class-name='User'>.
[08/21/14 14:27:35.746]:TU-ID ST:Fixing up association references.
[08/21/14 14:27:35.749]:TU-ID ST:
DirXML Log Event -------------------
Driver: \IDMS-DEV\tu-darmstadt\res\DriverSet\TU-ID
Channel: Subscriber
Object: \IDMS-DEV\tu-darmstadt\Data\User\active\ar29jyfa
Status: Warning
Message: Code(-8003) Unable to synchronize reference to cn=ar,ou=user,o=tu from attribute Member.

The solution can be found in the policy that implements the entitlement for groups. The following rule shows how to add an association-ref XML attribute to each value of the group and user attributes written to the managed system. It uses the attribute idmUserPolicyAcceptedDfnShib as the trigger for provisioning the group in the managed eDirectory: as long as the attribute still carries a value the user is added to the group, and once its last value is removed the user is removed from the group again. The association-ref value is always the association of the object that the DN value points to: the user's association on the group's Member and Equivalent To Me values, and the group's association on the user's Group Membership and Security Equals values. With that reference in place the engine can resolve the value during fix-up instead of dropping it.

<rule>
  <description>handle DFN-AAI Group</description>
  <comment xml:space="preserve">If attribute idmUserPolicyAcceptedDfnShib contains a value the user should be added to the DFN-AAI group. If all values are removed from this attribute the user must be removed from the group as well.</comment>
  <conditions>
    <and>
      <if-operation mode="regex" op="equal">sync|modify</if-operation>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-op-attr name="idmUserPolicyAcceptedDfnShib" op="changing"/>
    </and>
  </conditions>
  <actions>
    <!-- DN of the current user in the managed eDirectory (LDAP syntax), resolved from its association -->
    <do-set-local-variable name="lv.UserDestDN" scope="policy">
      <arg-string>
        <token-resolve datastore="dest">
          <arg-association>
            <token-association/>
          </arg-association>
        </token-resolve>
      </arg-string>
    </do-set-local-variable>
    <!-- association of the target group, resolved from the group DN held in the GCV gcDr.DfnGrp -->
    <do-set-local-variable name="lv.GroupDestAssociation" scope="policy">
      <arg-string>
        <token-resolve datastore="dest">
          <arg-dn>
            <token-global-variable name="gcDr.DfnGrp"/>
          </arg-dn>
        </token-resolve>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <if-op-attr name="idmUserPolicyAcceptedDfnShib" op="available"/>
        </and>
      </arg-conditions>
      <!-- attribute still has a value: add the user to the group -->
      <arg-actions>
        <do-add-dest-attr-value class-name="Group" name="Member">
          <arg-association>
            <token-local-variable name="lv.GroupDestAssociation"/>
          </arg-association>
          <arg-value type="dn">
            <token-local-variable name="lv.UserDestDN"/>
          </arg-value>
        </do-add-dest-attr-value>
        <!-- the value just added lands in the last modify of the document; tag it with the user's association -->
        <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
          <arg-string>
            <token-association/>
          </arg-string>
        </do-set-xml-attr>
        <do-add-dest-attr-value class-name="Group" name="Equivalent To Me">
          <arg-association>
            <token-local-variable name="lv.GroupDestAssociation"/>
          </arg-association>
          <arg-value type="dn">
            <token-local-variable name="lv.UserDestDN"/>
          </arg-value>
        </do-add-dest-attr-value>
        <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
          <arg-string>
            <token-association/>
          </arg-string>
        </do-set-xml-attr>
        <!-- back-links on the user: the referenced object is the group, so the reference is the group's association -->
        <do-add-dest-attr-value class-name="User" name="Group Membership">
          <arg-value type="dn">
            <token-global-variable name="gcDr.DfnGrp"/>
          </arg-value>
        </do-add-dest-attr-value>
        <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
          <arg-string>
            <token-local-variable name="lv.GroupDestAssociation"/>
          </arg-string>
        </do-set-xml-attr>
        <do-add-dest-attr-value class-name="User" name="Security Equals">
          <arg-value type="dn">
            <token-global-variable name="gcDr.DfnGrp"/>
          </arg-value>
        </do-add-dest-attr-value>
        <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
          <arg-string>
            <token-local-variable name="lv.GroupDestAssociation"/>
          </arg-string>
        </do-set-xml-attr>
      </arg-actions>
      <!-- no value left: remove the user from the group, tagging the removed values the same way -->
      <arg-actions>
        <do-remove-dest-attr-value class-name="Group" name="Member">
          <arg-association>
            <token-local-variable name="lv.GroupDestAssociation"/>
          </arg-association>
          <arg-value type="dn">
            <token-local-variable name="lv.UserDestDN"/>
          </arg-value>
        </do-remove-dest-attr-value>
        <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
          <arg-string>
            <token-association/>
          </arg-string>
        </do-set-xml-attr>
        <do-remove-dest-attr-value class-name="Group" name="Equivalent To Me">
          <arg-association>
            <token-local-variable name="lv.GroupDestAssociation"/>
          </arg-association>
          <arg-value type="dn">
            <token-local-variable name="lv.UserDestDN"/>
          </arg-value>
        </do-remove-dest-attr-value>
        <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
          <arg-string>
            <token-association/>
          </arg-string>
        </do-set-xml-attr>
        <do-remove-dest-attr-value class-name="User" name="Group Membership">
          <arg-value type="dn">
            <token-global-variable name="gcDr.DfnGrp"/>
          </arg-value>
        </do-remove-dest-attr-value>
        <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
          <arg-string>
            <token-local-variable name="lv.GroupDestAssociation"/>
          </arg-string>
        </do-set-xml-attr>
        <do-remove-dest-attr-value class-name="User" name="Security Equals">
          <arg-value type="dn">
            <token-global-variable name="gcDr.DfnGrp"/>
          </arg-value>
        </do-remove-dest-attr-value>
        <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
          <arg-string>
            <token-local-variable name="lv.GroupDestAssociation"/>
          </arg-string>
        </do-set-xml-attr>
      </arg-actions>
    </do-if>
  </actions>
</rule>

With both the association-ref attribute and the value in LDAP syntax in place, the DN attributes can be managed as usual.
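As an added example (not code from the original post, from NetIQ or from the driver), the following Python script reproduces the engine's fix-up check offline, for both the failing document shown in the trace above and the output of the rule above: it parses a saved XDS subscriber document, lists every <value type="dn"> that carries no association-ref, and, given a lookup table of destination DN to association, either attaches the association-ref the way the rule does or drops the value and records a Code(-8003)-style warning. The sample document, the association values in it and the DN-to-association table are constructed for this example, and the fix-up model is a simplification of the engine's behaviour: it handles only modify operations and treats a DN that is not in the table as unresolvable.

```python
"""Offline check of an XDS subscriber document for DN values that the IDM
engine would strip in its "Fixing up association references" step.

Added example, not part of the original post. The XDS sample below, the
association values in it and the DN-to-association table used at the bottom
are constructed; the fix-up model is a simplification of the real engine.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a Group modify whose Member value has no association-ref
# (this is the value the engine drops) and a User modify where only the
# Group Membership value has already been tagged. Associations are made up.
SAMPLE_XDS = """<nds dtdversion="4.0" ndsversion="8.x">
<input>
  <modify class-name="Group" event-id="ev-1">
    <association>A1B2C3D4E5F60718293A4B5C6D7E8F90</association>
    <modify-attr attr-name="Member">
      <add-value>
        <value type="dn">cn=ar,ou=user,o=corp</value>
      </add-value>
    </modify-attr>
  </modify>
  <modify class-name="User" event-id="ev-1">
    <association>F9ED5620995BEB40CD88F9ED5620995B</association>
    <modify-attr attr-name="Group Membership">
      <add-value>
        <value type="dn" association-ref="A1B2C3D4E5F60718293A4B5C6D7E8F90">cn=service-dfnshib-user,ou=USER,o=corp</value>
      </add-value>
    </modify-attr>
    <modify-attr attr-name="Security Equals">
      <add-value>
        <value type="dn">cn=service-dfnshib-user,ou=USER,o=corp</value>
      </add-value>
    </modify-attr>
  </modify>
</input>
</nds>"""


def unresolved_dn_values(xds_text):
    """Return (class-name, attr-name, dn) for every DN-syntax value in a modify
    operation that carries no association-ref, in document order."""
    root = ET.fromstring(xds_text)
    found = []
    for op in root.iter("modify"):
        cls = op.get("class-name", "?")
        for attr in op.iter("modify-attr"):
            name = attr.get("attr-name", "?")
            for value in attr.iter("value"):
                if value.get("type") == "dn" and not value.get("association-ref"):
                    found.append((cls, name, (value.text or "").strip()))
    return found


def fix_up_references(xds_text, assoc_by_dn):
    """Simplified model of the engine's fix-up pass (modify operations only).

    assoc_by_dn maps a lower-cased destination DN to the association of that
    object. Untagged DN values found in the table get an association-ref;
    the others are removed, together with any add-value/remove-value and
    modify-attr left empty, and a Code(-8003)-style warning is recorded.
    Returns (serialised document, list of warnings)."""
    root = ET.fromstring(xds_text)
    warnings = []
    for op in root.iter("modify"):
        for attr in list(op.findall("modify-attr")):
            name = attr.get("attr-name", "?")
            for container in list(attr):  # add-value / remove-value elements
                for value in list(container.findall("value")):
                    if value.get("type") != "dn" or value.get("association-ref"):
                        continue
                    dn = (value.text or "").strip()
                    assoc = assoc_by_dn.get(dn.lower())
                    if assoc:
                        value.set("association-ref", assoc)
                    else:
                        container.remove(value)
                        warnings.append(
                            f"Code(-8003) Unable to synchronize reference to {dn} "
                            f"from attribute {name}.")
                if len(container) == 0:
                    attr.remove(container)
            if len(attr) == 0:
                op.remove(attr)
    return ET.tostring(root, encoding="unicode"), warnings


if __name__ == "__main__":
    for item in unresolved_dn_values(SAMPLE_XDS):
        print("missing association-ref:", item)
    # Constructed lookup table: only the group DN is known here, so the
    # Member value pointing at the user is dropped, as in the trace.
    fixed, warns = fix_up_references(
        SAMPLE_XDS,
        {"cn=service-dfnshib-user,ou=user,o=corp": "A1B2C3D4E5F60718293A4B5C6D7E8F90"})
    print("\n".join(warns))
    print(fixed)
```

Paste a document copied out of the driver trace into SAMPLE_XDS, or read it from a file, to see which values would be stripped before the shim receives them; a rule like the one above is working when unresolved_dn_values returns an empty list for its output.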


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

tschloesser, Sep 8, 2014, 2:05 am