If you have ever needed to perform to perform a resync on a IDM driver you have probably used the “Migrate from Identity Vault” function in iManager, or if you are a more advanced user maybe you have used the great DA Modifier tool, an LDIF file or a dynamic group and a subscriber channel trigger.
Each way have its pros and cons. iManager is great since it’s a supported administration tool and everything IDM related is integrated in it. It works great when you want to resync a couple of objects or an entire OU. But what if you have a need for resyncing an exact amount of users that fulfill a special criteria? You could use iManager and perform an Advanced Search – it works pretty good for that but now comes the downside to using iManager – if your search criteria produces a lot of results, several thousand entries, then you’re out of luck. You can only select 500 entries at a time (last time I checked) and the more entries you select the longer it takes for iManager to add them to the resync list, basically it becomes very tedious to use iManager at this point.
Some of you have probably used DA Modifier at this point and so have I. But soon you will run into a couple of limitations here as well. Those are:
The third way I have performed resyncs is by creating a dynamic group which basically is an LDAP filter. On the driver where I wanted to perform the resync I have created a subscriber channel trigger that I’ve connected to this dynamic group and then on the subscriber event transformation I have created a policy that converts<trigger> events to <sync> events, works very nice but it’s a lot of work for just a resync.
That is when I decided that I would write my own tool to perform the resync operation, it’s called Console2 (Funny name ;-)).
In C2 you select the driver on which you want the perform the resync and you enter an LDAP filter that gets the objects you want to resync. The LDAP filter can be from any LDAP browser, for example you can use Apache Directory Studio, build and test your filter and then paste that filter into C2 and click on a button and you’re done!
Now on to the instructions.
First download and extract the files from this page:
C2 requires Java 1.6.20 or newer.
Start the app by doubleclicking on the ldapmu_upc.jar file in the dist folder. If that doesn’t work run it from the command line with:
java -jar ldapmu_upc.jar
You should see a window that looks like this:
You need to enter the connection information for your Identity Vault.
User: DN of a user (in LDAP format) that has enough rights to change the DirXML-Associations attribute, e.g. admin.
Pass: The password of the user entered in the User field.
IP: The IP-address or hostname of your eDirectory server.
Port: The LDAP port you want to connect to, usually 636 if you want to use SSL and 389 if you don’t want to use SSL.
When you have entered this information you can save it as a profile that can be reused next time you start C2.
You can do this by entering a profile name in the Profile field and clicking “Save profile”.
You will be prompted to enter a profile password, this password is used to encrypt the password entered in the “Pass” field.
When loading the profile you will be prompted to enter this profile password in order to set the password value in the “Pass” field.
Click “Connect” to connect to your IDV server.
You should get some connection information in the “Results” text area.
To perform a resync click on the IDM menu item and then click on “Migrate from IDV”.
You will see a lot of fields and buttons and checkboxes etc.
Fill out the “LDAP Filter” with your LDAP query.
You don’t have to change the “Base” and “Scope” settings if you don’t want to.
The “Method” dropdown is interesting, but you don’t have to change it. There you can choose how C2 will perform the LDAP query against eDirectory.
If you select “Simple Paged Results” then C2 will fetch the amount of objects entered into the “Pagesize” field, default 300 at a time, process them, then fetch another 300 and so on. You will get a nice progress bar showing you the percentage of the completed operation.
Be aware that some LDAP queries using Simple Paged Results method will cause eDirectory to sometimes return double or triple results for one object, e.g. (&(directReports=*)(manager=*)) will cause incorrect search results to be returned by eDirectory.
If you select the “Asynchronous” method C2 will start processing objects right away but you won’t get any progress bar since it doesn’t know how many objects eDirectory will return.
If you select the “Synchronous” method and “Blocking” C2 will wait for eDirectory to return all the search results from eDirectory before starting processing, and you will see a progress bar. If you uncheck “Blocking” you will get almost the same thing as when running the “Asynchronous” method, i.e. no progress bar.
If you are unsure just use “Simple Paged Results” method.
You can also tell C2 to resync only those objects that are already associated, only unassociated or both (default).
You can also tell C2 to delete the association value before resync, in most cases you don’t want to do this.
Another feature C2 has when resyncing is that you can tell it to pause for a couple of seconds after it has processed a certain amount of entries. This is useful when you want to allow all other changes to have a chance to enter the queue and sync instead of them having to wait until the resync queue is empty.
When you are ready to perform the resync just click on the “Trigger Migrate” button and wait.
When C2 is done you will see the “Done!” dialog showing you how many entries C2 processed, how long it took and how many it thinks it could resync per hour.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.