Blocking and Undoing User Renames in Identity Manager



By: bstumpp

December 26, 2007 6:25 pm


Problem

You need to block and undo a rename of a user within Identity Manager. This is necessary to keep user account names in an eDirectory tree used for LDAP authentication, and in Active Directory, consistent with the naming in the Identity Vault.

Solution

For eDirectory, the process is to parse the old name out of the "old-src-dn" attribute of the rename event, rename the source object back to that name, and veto the original rename. The old name is stored in a local variable so that it is also available for any event notifications.

For Active Directory the process is a bit more complex. Because Active Directory cannot tell the difference between a rename and a move, both a rename event and a move event are published whenever either occurs. With this in mind, a check must be made to ensure that the rename event is truly a rename. Therefore, the DirXML-ADContext attribute is parsed to get the old name, which is stored in a local variable. Then the source DN of the event is parsed to get the new name, which is also stored in a local variable. These two values are compared. If they are NOT equal, a rename of the source object back to the old name is issued; the original rename event is then vetoed. Note: the comparison of the two local variables uses a feature added in IDM 3.5, the ability to reference a local variable in a place where a local-variable token is not otherwise available, here the comparison value of a condition. To make this reference, surround the variable name with '$', as shown in the example rules listed below.

Example

For eDirectory, place this in the Subscriber’s Command Transformation Policy Set on the ‘application’ side of the driver.


  <description>Reset a user rename</description>
  <comment xml:space="preserve">Block a rename, and reset the rename in the source.</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-operation mode="nocase" op="equal">rename</if-operation>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="lv-rename-reset" scope="policy">
      <arg-string>
        <token-parse-dn length="1" start="-1">
          <token-xpath expression="@old-src-dn"/>
        </token-parse-dn>
      </arg-string>
    </do-set-local-variable>
    <do-rename-src-object>
      <arg-string>
        <token-local-variable name="lv-rename-reset"/>
      </arg-string>
    </do-rename-src-object>
    <do-veto/>
  </actions>
</rule>

For Active Directory, place this in the Publisher Event Policies.

<rule>
  <description>Process Rename Event</description>
  <comment xml:space="preserve">The driver shim cannot tell the difference between a move and a rename in Active Directory so publishes both. This rule will check to see if the Rename event really is a Rename.</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-operation mode="nocase" op="equal">rename</if-operation>
    </and>
  </conditions>
  <actions>
    <!-- Old name: leaf of the AD DN as last stored in the Identity Vault -->
    <do-set-local-variable name="lv-current-name" scope="policy">
      <arg-string>
        <token-parse-dn start="-1">
          <token-dest-attr name="DirXML-ADContext"/>
        </token-parse-dn>
      </arg-string>
    </do-set-local-variable>
    <!-- New name: leaf of the source DN reported by the event -->
    <do-set-local-variable name="lv-new-name" scope="policy">
      <arg-string>
        <token-src-dn convert="true" start="-1"/>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <!-- $lv-new-name$ references the local variable inside the condition value (IDM 3.5+) -->
          <if-local-variable mode="nocase" name="lv-current-name" op="not-equal">$lv-new-name$</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <!-- Names differ, so this is a real rename: put the old name back -->
        <do-rename-src-object>
          <arg-string>
            <token-local-variable name="lv-current-name"/>
          </arg-string>
        </do-rename-src-object>
      </arg-actions>
      <arg-actions/>
    </do-if>
    <!-- The rename event is vetoed either way; a move is delivered as its own event -->
    <do-veto/>
  </actions>
</rule>
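As an added illustration, not DirXML code and not from the original post, the following Python model reproduces the decision logic of the two rules above on constructed sample events, including the Active Directory move that arrives as a rename with an unchanged leaf name. The XDS attribute names, the slash and LDAP DN forms, and the sample DNs are assumptions made for the model.

```python
import xml.etree.ElementTree as ET

def leaf_name(dn):
    """Leaf naming value of a DN, modelling <token-parse-dn start="-1" length="1">.
    Handles slash form (\\TREE\\ou\\name) and LDAP form (CN=name,OU=ou,...);
    escaped commas inside LDAP RDNs are not handled by this model."""
    if dn.startswith("\\"):
        return dn.strip("\\").split("\\")[-1]
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn

def edir_rename_policy(event_xml):
    """eDirectory subscriber rule: rename back to the old leaf name, then veto."""
    ev = ET.fromstring(event_xml)
    if ev.tag != "rename" or ev.get("class-name", "").lower() != "user":
        return []                                   # conditions not met, rule skipped
    old_name = leaf_name(ev.get("old-src-dn", ""))  # lv-rename-reset
    return [("rename-src-object", old_name), ("veto",)]

def ad_rename_policy(event_xml, ad_context):
    """AD publisher rule: undo only when the leaf name really changed; always veto."""
    ev = ET.fromstring(event_xml)
    if ev.tag != "rename" or ev.get("class-name", "").lower() != "user":
        return []
    current = leaf_name(ad_context)                 # lv-current-name (vault's DirXML-ADContext)
    new = leaf_name(ev.get("src-dn", ""))           # lv-new-name (src-dn of the event)
    actions = []
    if current.lower() != new.lower():              # mode="nocase" not-equal
        actions.append(("rename-src-object", current))
    actions.append(("veto",))                       # do-veto sits outside the do-if
    return actions

# Constructed sample events and vault value (assumed shapes, not captured driver output).
EDIR_EVENT = ('<rename class-name="User" old-src-dn="\\TREE\\org\\users\\jsmith"'
              ' src-dn="\\TREE\\org\\users\\jsmith2"/>')
AD_TRUE_RENAME = '<rename class-name="User" src-dn="CN=jsmith2,OU=Users,DC=example,DC=com"/>'
AD_MOVE_ONLY = '<rename class-name="User" src-dn="CN=jsmith,OU=Staff,DC=example,DC=com"/>'
AD_CONTEXT = "CN=jsmith,OU=Users,DC=example,DC=com"

if __name__ == "__main__":
    print(edir_rename_policy(EDIR_EVENT))            # rename back to jsmith, then veto
    print(ad_rename_policy(AD_TRUE_RENAME, AD_CONTEXT))  # leaf changed: rename back, veto
    print(ad_rename_policy(AD_MOVE_ONLY, AD_CONTEXT))    # move only: veto, no rename
```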

Environment

Designed with eDirectory 8.8.2, Identity Manager 3.5.1, Active Directory 2003


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
