IDM Driver Walkthrough: GroupWise (Part 1 of 4)



By: dgersic

March 17, 2010 12:32 pm


Introduction

Novell’s GroupWise is an interesting product. It integrates with eDirectory, or at least appears to on the surface, but under the hood it actually maintains its own database of Users (Mailboxes), Groups (Distribution Lists), and other objects. Its management interface (ConsoleOne + GroupWise Snap Ins) combines updates to the eDirectory object with updates to the GroupWise databases, making this appear to be seamless. In order to fully manage GroupWise from Identity Manager, the GroupWise driver must also update eDirectory and GroupWise. To the GroupWise administrator, it appears that everything is done the same way it always has been. Internally, the GroupWise driver gives us policy based access to almost every facet of GroupWise administration.

As with all Identity Manager drivers, the default configuration described here is just a starting point. Your system may require customizations, especially in the Subscriber Creation and Subscriber Placement rules. The Event Transform may also require customization, depending on how (or if) you want the driver to be scoped.

In this, part 1 of 4, the Policy Sets of the Subscriber Channel Event Transform are covered. See also parts 2 (Subscriber Add Processor), 3 (Subscriber Command Transform, Filter, Schema Mapping), and 4 (Input and Output Transforms, Publisher Channel) for more.

Subscriber Channel

Event Transform

Policy Set: sub-etp-DefaultEventPolicies

Rule: Check Source Location

Purpose: This rule uses the Global Configuration Value idv.dit.data.users to Scope the driver. Only objects in the “Active Users” container will be processed by this driver.

Rule: Reject Group if not configured for Group synchronization

Purpose: Another Scoping rule, this one checks to see if the object being processed is a Group. If so, it checks, using Global Configuration Value driver.gw.Groups, to see if the driver has been configured to synchronize Group objects to GroupWise. If not, then the event is dropped via a veto().

Rule: Reject GroupWise Distribution List if not configured for GroupWise Distribution List synchronization

Purpose: Another Scoping rule, this one checks to see if the object being processed is a GroupWise Distribution List. If so, it checks, using Global Configuration Value driver.driver.gw.DistributionLists, to see if the driver has been configured to synchronize Distribution List objects to GroupWise. If not, then the event is dropped via a veto().

Rule: Reject GroupWise External Entity if not configured for GroupWise External Entity synchronization

Purpose: Another Scoping rule, this one uses Global Configuration Value driver.gw.syncExternalEntity to accept or reject GroupWise External Entity objects.

Rule: Reject eDirectory Organizational Unit if not configured for GroupWise External Post Office Synchronization

Purpose: Another Scoping rule, this time looking at the Global Configuration Value driver.gw.syncOUtoGWPO and either accepting or rejecting Organizational Unit objects.

Rule: Add identification to <sync> command

Purpose: When a Sync event is being processed, either from an initial migration or during a driver resync, this rule attaches an operation-data element, with a “from-sync=true” value, to the current event so that the event can later be identified. This will be used on the Subscriber Create Rule, in the sub-cp-DefaultCreatePolicies policy set.

Rule: Remove GroupWise External Entity from all Dist Lists

Purpose: When a GroupWise External Entity object is deleted or disabled, this rule crafts an event to clear the Distribution List memberships for the External Entity, depending on the Global Configuration Values that configure the driver’s behaviour (driver.gw.RemoveDLonGWExternalEntityDisable, driver.gw.GWExternalEntityDelete, driver.gw.RemoveDLonGWExternalEntityExpire, driver.gw.GWExternalEntityDisable).

Rule: Disable GroupWise External Entity on eDirectory GroupWise External Entity Delete

Purpose: If a GroupWise External Entity is deleted in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDelete being set to “disable”, then the associated object in GroupWise will be disabled. The Modify that is submitted to the driver shim will also be tagged with information that this Modify was created from a Delete event. The original Delete event is then blocked by a veto() to keep the External Entity from being removed from the GroupWise system.

Rule: Expire GroupWise External Entity on eDirectory GroupWise External Entity Delete

Purpose: If a GroupWise External Entity is deleted in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDelete being set to “expire”, then the associated object in GroupWise will be expired. The Modify that is submitted to the driver shim will also be tagged with information that this Modify was created from a Delete event. The original Delete event is then blocked by a veto() to keep the External Entity from being removed from the GroupWise system.

Rule: Disable and Expire GroupWise External Entity on eDirectory GroupWise External Entity Delete

Purpose: A combination of the previous two rules, if a GroupWise External Entity is deleted in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDelete being set to “dispire”, then the associated object in GroupWise will be disabled and expired. The Modify that is submitted to the driver shim will also be tagged with information that this Modify was created from a Delete event. The original Delete event is then blocked by a veto() to keep the External Entity from being removed from the GroupWise system.

Rule: Expire GroupWise External Entity on eDirectory GroupWise External Entity Disable

Purpose: When a GroupWise External Entity is disabled (Login Disabled is set to True) in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDisable being set to “expire”, then the associated object in GroupWise will be expired.

Rule: Unexpire GroupWise External Entity on eDirectory GroupWise External Entity Enable

Purpose: The converse of the previous rule, when a GroupWise External Entity is enabled (Login Disabled is set to False) in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDisable being set to “expire”, then the associated object in GroupWise will have its expiration removed.

Note: There is a bug here (https://bugzilla.novell.com/show_bug.cgi?id=585163). In eDirectory, the Login Disabled attribute can have one of three states. It can be True, False, or missing. If it is missing, it is considered to be the same as being set to False (i.e., it is Not True). This rule should be modified to account for the third possible state, where Login Disabled is removed from the eDirectory object, and the GroupWise object then has its expiration removed.

Rule: Disable and Expire GroupWise External Entity on eDirectory GroupWise External Entity Disable

Purpose: When a GroupWise External Entity is disabled (Login Disabled is set to True) in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDisable being set to “dispire”, then the associated object in GroupWise will be disabled and expired.

Note: The difference between Expired and Disabled is that an Expired mailbox can still receive messages, but it can no longer be logged in to. A Disabled mailbox can no longer receive messages, and it cannot be logged in to.

Rule: Enable and Unexpire GroupWise External Entity on eDirectory GroupWise External Entity Enable

Purpose: When a GroupWise External Entity is enabled (Login Disabled is set to False) in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDisable being set to “dispire”, then the associated object in GroupWise will be enabled and its expiration will be removed.

Note: As above, this rule has a bug in it in that it does not handle the case of Login Disabled being removed from the object.
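The three-state handling that both notes above call for, modelled as an added Python example (not the driver's own policy and not code from the original article). The XDS `<modify>` samples are constructed, the class name is a placeholder, and the `gcv_disable` parameter stands in for driver.gw.GWExternalEntityDisable; the action names are labels for this sketch only.

```python
import xml.etree.ElementTree as ET

# Constructed XDS <modify> events (class name is a placeholder, not from the page).
SET_TRUE = """<modify class-name="PLACEHOLDER-CLASS">
  <modify-attr attr-name="Login Disabled">
    <remove-all-values/>
    <add-value><value type="state">true</value></add-value>
  </modify-attr></modify>"""
SET_FALSE = SET_TRUE.replace(">true<", ">false<")
REMOVED = """<modify class-name="PLACEHOLDER-CLASS">
  <modify-attr attr-name="Login Disabled">
    <remove-value><value type="state">true</value></remove-value>
  </modify-attr></modify>"""


def login_disabled_after(modify_xml):
    """State of Login Disabled once the event is applied:
    'true', 'false', 'missing', or None if the event does not touch it."""
    for attr in ET.fromstring(modify_xml).iter("modify-attr"):
        if attr.get("attr-name") != "Login Disabled":
            continue
        added = [v.text.strip().lower()
                 for v in attr.findall("add-value/value") if v.text]
        if added:
            return added[-1]
        # Values removed and nothing added back: the attribute is now absent.
        if (attr.find("remove-value") is not None
                or attr.find("remove-all-values") is not None):
            return "missing"
    return None


def groupwise_actions(modify_xml, gcv_disable, missing_is_false=True):
    """Model of the decision only. missing_is_false=False reproduces the gap
    described in the notes, where removal of the attribute is ignored."""
    if gcv_disable not in ("expire", "dispire"):
        return []
    state = login_disabled_after(modify_xml)
    if state == "true":
        return ["expire"] if gcv_disable == "expire" else ["disable", "expire"]
    if state == "false" or (state == "missing" and missing_is_false):
        # False and missing are both Not True: lift the restriction.
        return ["unexpire"] if gcv_disable == "expire" else ["enable", "unexpire"]
    return []
```

With `missing_is_false=False` the `REMOVED` event produces no action, which is the state drift the notes describe: the eDirectory object is enabled again while the GroupWise object stays expired.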

Rule: Rename GroupWise External Entity Login Expiration Time Attribute

Purpose: When a GroupWise External Entity is expired in eDirectory, this rule modifies the event to use the GroupWise attribute name instead of the eDirectory name.

Note: Why isn’t this done in the Schema Map where it belongs?

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
