IDM – Reconciliation for AD

  • This document describes the setup and configuration for performing reconciliation against the AD system.

  • Both the IDM AD and Null drivers are used.

  • Testing of the AD reconciliation was performed on the following setup:

    • IDM engine on SLES10 VM – 1GB memory

    • AD driver (RL) on Windows 2003 server VM – 1GB memory

    • Query results limit set to 50 per query

    • 100,000 users in AD

    • Time taken: approximately 1 hour

    • CPU utilization on the Windows 2003 VM stayed below 5% most of the time, with occasional spikes to about 20%.

  • The setup and configuration will need to be tested for other target systems.

IDVault setup

  1. This process works only for IDM drivers/target systems that support the query-ex function.

  2. A new effective object class was created in the IDVault, with the following attributes:

    Class name: ReconMark

    Inherit from class: Top

    Can be contained by: O, OU, DirXML-Driver, DirXML-DriverSet

    Attributes:

      • CN: Naming, mandatory

      • ReconStart: Case insensitive string, single-valued. A change in this attribute will start the reconciliation process.

      • ReconCont: Case insensitive string, single-valued. A change in this attribute will indicate that the query-ex is not completed.

      • ReconContTemp: Case insensitive string, single-valued. Temporary holding attribute, to work around the loop-back detection constraint.

      • ReconContToken: Case insensitive string, single-valued. This attribute holds the query-token that is used to continue the query-ex.

      • ReconComplete: Boolean. Indicates if the reconciliation process has been completed.

      • ReconResults: Case insensitive string, multi-valued. Holds the source-DN for all users in that target system that are not associated in the IDVault.

  3. A new ReconMark-class object is created for each target system that:

    1. has an IDM driver

    2. will have reconciliation performed against it

  4. In the test environment, the .ADRecon.system object was created.

  5. A screenshot of the LDAP view of the ADRecon object is shown below.

IDM AD Driver Modifications

  1. AD driver filter

    1. Modified to allow the object class “ReconMark” and associated attributes.

    2. See screen capture below for details.

  2. Subscriber Event Transform

    1. The “TriggerTokenQuery” policy is added to the AD Subscriber Event Transform.

    2. Two rules are contained in “TriggerTokenQuery”:

      1. TriggerTokenQuery

        1. Starts the reconciliation process by inserting a “query” event, when a change in the “ReconStart” attribute of the ADRecon object is detected.

        2. A specific event-id is created for the query event.

        3. Sets the ReconComplete attribute of the ADRecon object to “0” (false).

        4. Clears the ReconResults attribute values of the ADRecon object.

      2. ContinueTokenQuery

        1. Detects a change in the “ReconCont” attribute, and inserts a “query-ex” to continue the query operation, using the “ReconContToken” attribute value.

  3. Publisher Input Transform

    1. The “QueryExReturn” rule is added to the AD Publisher Input Transform.

    2. This policy is triggered only for events that have the specific event-id the AD reconciliation process will have.

      1. The query-results will always have this event-id.

    3. The rule will set a local variable “dredge-complete” to false.

    4. The query results are processed, with each node being processed as follows:

      1. For every query-result instance:

        1. If the user object is associated in the IDVault, veto the instance. No further action is required.

        2. If the user object is NOT associated in the IDVault, write the user object source-DN into the ReconResults attribute of the ADRecon object, then veto the instance.

      2. If a “query-token” node is found, this indicates that the query-ex operation is not complete, and more results are expected. The following action will be taken:

        1. Write the query-token value to the ReconContToken attribute of the ADRecon object.

          • This value will be used to indicate which query-ex operation is being continued.

        2. Set the ReconContTemp attribute of the ADRecon object to the current time, in milliseconds since 1 January 1970.

          • This is used to work around the loop-back detection of the IDM engine/driver.

          • Milliseconds are used to ensure that the value changes on every write.

        3. Set the local variable “dredge-complete” to “false”, to indicate the query-ex process has not been completed.

      3. The last node in the results will always be “query-status”.

        1. If the local variable “dredge-complete” is “true”, then set the “ReconComplete” attribute of the ADRecon object to “true”.

        2. Else take no action.

IDM Null Driver Modifications

  1. Null driver filter

    1. Modified to allow the object class “ReconMark” and associated attributes.

    2. See screen capture below for details.

  2. Subscriber Event Transform

    1. The policy “ContinueDredge” is added to the Subscriber Event Transform.

    2. The rule “ContinueDredge” is added to the policy, and performs the following:

      1. If the attribute “ReconContTemp” value is changing for the ADRecon object, then write the value into the “ReconCont” attribute of the ADRecon object.
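The whole loop, from the ReconStart trigger through query-token continuation to ReconComplete, as an added Python simulation; it is not code from the original article or from the IDM product. It models the target system, the engine's loop-back detection (a driver never receives the changes its own channel wrote) and the three rules of both drivers in memory, using constructed user DNs and an offset as a stand-in for the opaque query-token. Running it once with the Null driver and once without shows why the ReconContTemp relay is needed. One assumption is labelled in the code: the article's step 3 says “dredge-complete” is initialised to false, but since the query-token step only ever sets it to false and the query-status step tests for true, the simulation initialises it to true.

```python
"""Added simulation of the AD reconciliation loop (not the article's code).

Target system, engine, drivers and sample DNs are all constructed stand-ins.
"""
from dataclasses import dataclass, field


@dataclass
class ReconMark:
    """In-memory copy of the ADRecon object with the attributes the article defines."""
    ReconStart: str = ""
    ReconCont: str = ""
    ReconContTemp: str = ""
    ReconContToken: str = ""
    ReconComplete: bool = False
    ReconResults: list = field(default_factory=list)


class TargetSystem:
    """Stand-in for AD: at most `limit` users per query, plus a query-token while
    results remain. The token is a plain offset here; real tokens are opaque."""
    def __init__(self, users, limit):
        self.users, self.limit = list(users), limit

    def query(self, token=None):
        start = int(token) if token else 0
        end = start + self.limit
        return {
            "instances": self.users[start:end],
            "query-token": str(end) if end < len(self.users) else None,
            "query-status": "success",  # always the last node in the result
        }


class Engine:
    """Delivers each attribute change to every driver except its originator:
    the loop-back detection the Null driver is there to work around."""
    def __init__(self, mark):
        self.mark, self.drivers, self.queue = mark, [], []

    def modify(self, attr, value, origin=None):
        setattr(self.mark, attr, value)
        self.queue.append((attr, value, origin))

    def run(self):
        while self.queue:
            attr, value, origin = self.queue.pop(0)
            for driver in self.drivers:
                if driver is not origin:
                    driver.subscriber(attr, value)


class ADDriver:
    def __init__(self, engine, target, associated):
        self.e, self.target, self.associated = engine, target, set(associated)
        self.clock = 0  # stands in for "milliseconds since 1 January 1970"

    def subscriber(self, attr, value):
        if attr == "ReconStart":  # TriggerTokenQuery rule
            self.e.modify("ReconComplete", False, self)
            self.e.mark.ReconResults.clear()
            self.publisher(self.target.query())
        elif attr == "ReconCont":  # ContinueTokenQuery rule
            self.publisher(self.target.query(self.e.mark.ReconContToken))

    def publisher(self, result):
        """QueryExReturn rule: the Publisher Input Transform logic."""
        dredge_complete = True  # assumption: starts true, only the token step clears it
        for source_dn in result["instances"]:
            if source_dn not in self.associated:
                self.e.mark.ReconResults.append(source_dn)  # unassociated: record source-DN
            # associated or not, the instance is vetoed: nothing reaches the IDVault
        if result["query-token"]:
            self.e.modify("ReconContToken", result["query-token"], self)
            self.clock += 1
            self.e.modify("ReconContTemp", str(self.clock), self)
            dredge_complete = False
        if result["query-status"] and dredge_complete:
            self.e.modify("ReconComplete", True, self)


class NullDriver:
    """ContinueDredge rule: relays ReconContTemp into ReconCont so the AD driver's
    subscriber channel sees a change it did not originate."""
    def __init__(self, engine):
        self.e = engine

    def subscriber(self, attr, value):
        if attr == "ReconContTemp":
            self.e.modify("ReconCont", value, self)


def reconcile(users, associated, limit, with_null_driver=True):
    """Run one reconciliation and return the resulting ReconMark object."""
    mark = ReconMark()
    engine = Engine(mark)
    engine.drivers.append(ADDriver(engine, TargetSystem(users, limit), associated))
    if with_null_driver:
        engine.drivers.append(NullDriver(engine))
    engine.modify("ReconStart", "1")  # the workflow or an admin touches ReconStart
    engine.run()
    return mark


# Constructed sample data: seven AD users, three of them associated in the IDVault.
SAMPLE_USERS = [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(7)]
SAMPLE_ASSOCIATED = [SAMPLE_USERS[0], SAMPLE_USERS[2], SAMPLE_USERS[4]]

if __name__ == "__main__":
    done = reconcile(SAMPLE_USERS, SAMPLE_ASSOCIATED, limit=3)
    print(done.ReconComplete, done.ReconResults)
    stalled = reconcile(SAMPLE_USERS, SAMPLE_ASSOCIATED, limit=3, with_null_driver=False)
    print(stalled.ReconComplete, stalled.ReconResults)
```

With the Null driver present the run walks three pages of results and ends with ReconComplete true and four unassociated DNs in ReconResults; without it the ReconContTemp write is never echoed back to the AD driver's subscriber channel, so the loop stalls after the first page with the token still parked in ReconContToken.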

Work to be completed

  1. Configure a workflow to initiate the reconciliation process, with the following proposed functionality (may not implement all):

    1. User can select the target system to perform the reconciliation process against, from a drop-down list.

      1. This will require the ReconMark objects to be created for each target system.

    2. User can specify the date/time to start the reconciliation process (schedule).

    3. User can specify who to send the reconciliation results to.

    4. The workflow will create the necessary work order/job to schedule the reconciliation.

    5. Upon initiation, the workflow should watch for completion of the reconciliation process, by monitoring the ReconComplete attribute of the specific ReconMark object. The workflow can sleep for 1 minute and then check the completion attribute value; if the reconciliation is already done, it can retrieve the recon result and display it on the page for the next action.

    6. Upon completion of the reconciliation process, query the ReconResults attribute for the un-associated user objects, and return the results to the designated recipient.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: wushilin
May 9, 2008