IDM Driver Walkthrough: GroupWise (Part 2 of 4)



By: dgersic

March 19, 2010 1:52 pm


Introduction

In this, part 2 of 4, the Subscriber Channel Add Processing Rules are covered.

Subscriber Matching Rule

Policy Set: sub-mp-DefaultMatchingPolicy

Rule: Account Entitlements: Veto if not present

Purpose: This is another Scoping rule. By putting it on the Matching Rule Policy Set, it will only be applied to Add events. It checks Global Configuration Value drv.entitlement.GWAccount to see if it is True, and if so, will then check to see if the User object is entitled to a GroupWise account. If the driver is configured to process entitlements, and if the entitlement is not found, then the Add event of the User object is blocked by a veto().

Rule: User Matching Rule

Purpose: When an Add is being processed by the driver, if the NGW: GroupWise ID attribute value is available, then the driver will use it to search the GroupWise system in an attempt to match up the eDirectory object that is currently being processed with its GroupWise Mailbox. This will be helpful if an existing GroupWise system is being automated via the Identity Manager driver, or if Users are still being created manually in GroupWise via ConsoleOne and its GroupWise Snapins.

Rule: Group Matching Rule

Purpose: If the driver has been configured via Global Configuration Value driver.gw.Groups to synchronize Group objects from eDirectory to GroupWise, and if the NGW: Mailbox ID attribute value is available, then this rule will search GroupWise in an attempt to match up an existing Group in eDirectory with its already existing Group in GroupWise.

Rule: GroupWise Distribution List Matching Rule

Purpose: If the driver has been configured via Global Configuration Value driver.driver.gw.DistributionLists to synchronize Distribution List objects from eDirectory to GroupWise, and if the NGW: Mailbox ID attribute value is available, then this rule will search GroupWise in an attempt to match up an existing Distribution List object in eDirectory with its already existing Distribution List in GroupWise.

Rule: GroupWise External Entity Matching Rule

Purpose: If the driver has been configured via Global Configuration Value driver.gw.syncExternalEntity to synchronize External Entity objects from eDirectory to GroupWise, and if the NGW: Mailbox ID attribute value is available, then this rule will search GroupWise in an attempt to match up an existing External Entity object in eDirectory with its already existing mailbox in GroupWise.

Subscriber Create Rule

Policy Set: sub-cp-DefaultCreatePolicies

Rule: Is <Add> result of a <sync>

Purpose: This rule checks the operation-data for the “from-sync=true” set by the Subscriber Event Transform. If it is found, then Global Configuration Value driver.gw.createOnMigrate is checked to see if the driver has been configured to add new mailboxes when a <sync> event is being processed. Generally this would be used to control the effects of a Migration operation from iManager. If driver.gw.createOnMigrate is set to False, then only objects that already have a GroupWise mailbox will be processed, which sets up their association values. Objects that do not have a GroupWise mailbox already will be blocked by this rule.
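As an added illustration of the mechanism described above (this is example DirXML Script, not the driver's shipped policy XML), the first rule shows how a Subscriber Event Transform can tag a <sync>-originated event, and the second shows how the Create policy can honor driver.gw.createOnMigrate. The operation-data element and the from-sync attribute are named in the text above; the exact rule layout, the do-status message, and the assumption that operation-data is carried from the <sync> onto the synthetic <add> are mine. Because the Matching policy runs first, an object whose mailbox was found already has its association and never reaches this rule, so the veto only affects objects with no existing mailbox.

```xml
<!-- Added example, not the driver's own policy. -->

<!-- Subscriber Event Transform: mark events that originate from a <sync>
     (for example a Migrate from iManager) so later policies can tell
     them apart from ordinary adds. -->
<rule>
  <description>Flag events that result from a sync</description>
  <conditions>
    <and>
      <if-operation op="equal">sync</if-operation>
    </and>
  </conditions>
  <actions>
    <!-- produces <operation-data from-sync="true"/> under the event -->
    <do-append-xml-element expression="." name="operation-data"/>
    <do-set-xml-attr expression="operation-data" name="from-sync">
      <arg-string><token-text xml:space="preserve">true</token-text></arg-string>
    </do-set-xml-attr>
  </actions>
</rule>

<!-- Subscriber Create policy: veto adds that came from a sync unless the
     driver is configured to create mailboxes on migrate. -->
<rule>
  <description>Is &lt;Add&gt; result of a &lt;sync&gt;</description>
  <conditions>
    <and>
      <if-xpath op="true">operation-data/@from-sync = 'true'</if-xpath>
      <if-global-variable mode="nocase" name="driver.gw.createOnMigrate" op="equal">false</if-global-variable>
    </and>
  </conditions>
  <actions>
    <!-- log why the add is dropped; otherwise a migrate looks like it silently skipped the object -->
    <do-status level="warning">
      <arg-string><token-text xml:space="preserve">No existing GroupWise mailbox and driver.gw.createOnMigrate is false; add vetoed</token-text></arg-string>
    </do-status>
    <do-veto/>
  </actions>
</rule>
```

The do-status before the veto is the part worth keeping even if you change nothing else: a vetoed migrate with no trace message is a common source of "the driver did nothing" support calls.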

Rule: User Required Attributes

Purpose: This rule checks User objects to see if they have the minimum required data in order to have a GroupWise mailbox created.

Note: Possible bug: the conditions of this rule only evaluate when the GroupWise account entitlement is available on the event. If the driver has not been configured to use entitlements, the rule is bypassed entirely, so a User lacking a required attribute is submitted to GroupWise anyway and fails there instead of being vetoed here. Since the default check is only for CN and Surname, which an eDirectory User object cannot exist without, the rule as shipped does nothing useful in either mode. But be wary of adding to the list of required attributes and expecting them to be enforced if you are not using entitlements.
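To make the point concrete, here is an added example (not the driver's shipped rule) of the bypass and of a form that enforces the attributes whether or not entitlements are in use. The first rule mirrors the shape described above, with the entitlement condition written as an if-entitlement test; the entitlement name gwAccount and the extra Given Name requirement in the second rule are assumptions for illustration.

```xml
<!-- Added example, not the driver's own policy. -->

<!-- As shipped (approximation): the attribute checks are guarded by an
     entitlement condition, so with entitlements disabled the whole rule
     is skipped and nothing is enforced. -->
<rule>
  <description>User Required Attributes (entitlement-gated)</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-entitlement name="gwAccount" op="available"/>
    </and>
  </conditions>
  <actions>
    <do-veto-if-op-attr-not-available name="Surname"/>
    <do-veto-if-op-attr-not-available name="CN"/>
  </actions>
</rule>

<!-- Corrected: drop the entitlement condition so the checks run on every
     User add. Any attribute you add here is now really required. -->
<rule>
  <description>User Required Attributes (always enforced)</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <!-- do-veto-if-op-attr-not-available vetoes the add when the named
         attribute is absent from the <add> document -->
    <do-veto-if-op-attr-not-available name="Surname"/>
    <do-veto-if-op-attr-not-available name="CN"/>
    <do-veto-if-op-attr-not-available name="Given Name"/>
  </actions>
</rule>
```

If you still want entitlement-aware behaviour, keep the entitlement veto in the Matching policy set (where the shipped driver already does it) and leave the required-attribute rule unconditional; mixing the two in one rule is what causes the bypass.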

Rule: Account Initial Password

Purpose: If a User mailbox is being created, and if the Global Configuration Value pwdsync.set-initial-password is true, then the mailbox initial password is set to the Surname concatenated with the CN. Since an eDirectory User object cannot be created without these two attributes, this will always produce a value, but it is a weak one: both attributes are ordinary directory data, so anyone who can read or guess a user's name can derive the initial mailbox password. You may want to customize the driver here to use something better, such as a randomly generated password.

Note: If the driver is configured for password synchronization via the Universal Password, then the initial mailbox password will almost immediately be overwritten by the user’s Universal Password (nspmDistributionPassword) value as soon as eDirectory gets the password change after the initial object completion.
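For deployments where Universal Password synchronization is not enabled and the initial password therefore survives, here is an added example (not the driver's shipped rule) that replaces the Surname+CN value with a random, policy-compliant one. It assumes an IDM version that provides the Generate Password token (token-generate-password) and an existing password policy at the DN shown; substitute your own policy DN.

```xml
<!-- Added example, not the driver's own policy. -->
<rule>
  <description>Account Initial Password (random, policy compliant)</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-global-variable mode="nocase" name="pwdsync.set-initial-password" op="equal">true</if-global-variable>
      <!-- only act when the add does not already carry a password
           (for example from an upstream password-sync policy) -->
      <if-password op="not-available"/>
    </and>
  </conditions>
  <actions>
    <do-set-dest-password>
      <arg-string>
        <!-- policy DN is an assumption; point it at the password policy
             whose complexity rules the new mailbox must satisfy -->
        <token-generate-password policy-dn="\[root]\Security\Password Policies\GroupWise Initial Password"/>
      </arg-string>
    </do-set-dest-password>
  </actions>
</rule>
```

The if-password guard matters in the case the note above describes: if Universal Password is being distributed, the event may already carry nspmDistributionPassword, and generating a second value would only be overwritten moments later.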

Rule: Account Entitlement: Enabled

Purpose: This rule checks Global Configuration Value driver.gw.ent.account.add for the value “enable”. If found, the driver will retrieve the entitlement values for gwDistLists and will then add the user to their entitled Distribution Lists. Second, the driver will set Login Disabled on the destination mailbox object to False, enabling the mailbox.

Rule: Account Entitlement: Disabled

Purpose: This rule checks Global Configuration Value driver.gw.ent.account.add for the value “disable”. If found, the driver will retrieve the entitlement values for gwDistLists and will then add the user to their entitled Distribution Lists. Second, the driver will set Login Disabled on the destination mailbox object to True, disabling the mailbox.

Note: This seems to be a rather strange entitlement. This rule says that the user is entitled to a disabled mailbox (ie: one that they cannot use), but it also happily subscribes them to entitled Distribution Lists. The result will be that mail sent to the Distribution List bounces on attempted delivery to this user’s mailbox. Why would anybody want this?

Rule: Signal the need to check group entitlements after the add

Purpose: This rule checks to see if the user has entitlements to Distribution Lists, and if so, sets an operation property (“check-distribution-list-entitlements”) to true.

Note: Why? This operation property does not seem to be used anywhere else in this driver.

Rule: Group Required Attributes

Purpose: If the driver has been configured to synchronize Group objects via Global Configuration Value driver.gw.Groups, then this rule checks to see that the Group object contains the necessary attributes before allowing the Add event to be submitted to GroupWise.

This rule checks for the Group to have a CN. Since an eDirectory Group object cannot exist without a CN, this rule effectively does nothing. It may be intended for further customization if other attributes are to be used to decide which Groups are synchronized to GroupWise and which are not.

Rule: GroupWise Distribution List Required Attributes

Purpose: If the driver has been configured to synchronize Distribution List objects via Global Configuration Value driver.driver.gw.DistributionLists, then this rule checks to see that the Distribution List object contains the necessary attributes before allowing the Add event to be submitted to GroupWise.

Again, as with Group objects in the rule above, this rule actually accomplishes nothing, since a Distribution List object in eDirectory cannot exist without a CN.

Rule: GroupWise External Entity Required Attributes

Purpose: If the driver has been configured to synchronize External Entity objects via Global Configuration Value driver.gw.syncExternalEntity, then this rule checks to see that the External Entity object contains the necessary attributes before allowing the Add event to be submitted to GroupWise.

External Entity objects are functionally similar to User objects, so Surname and CN are required. Additionally, GroupWise attributes NGW: External Net ID and NGW: Post Office are required.

Rule: GroupWise External Post Office Required Attributes

Purpose: If the driver has been configured to synchronize eDirectory Organizational Unit objects to GroupWise as External Post Offices via Global Configuration Value driver.gw.syncOUtoGWPO, then this rule checks to see that the Organizational Unit object contains the necessary attributes before allowing the Add event to be submitted to GroupWise.

Note: Unlike the Group and Distribution List rules, this rule actually does something, because an Organizational Unit can exist without the OU attribute this rule requires. Whether that is the intent of the rule or a bug is not clear.

Subscriber Placement Rule

Policy Set: sub-pp-DefaultPlacementPolicies

Rule: Set Local Variables for OrgUnit to Post Office User Placement

Purpose: For User and External Entity objects, if the driver has been configured to map Organizational Units to Post Offices via Global Configuration Value driver.gw.syncOUtoGWPO, then several local variables are built here to make placement decisions later.

  • dom-po-name – This variable is constructed from Global Configuration Value driver.gw.SyncOU2GWEPODomainName plus the User’s (or External Entity’s) parent container name.
  • parent-dn – This variable is set to the object’s parent container, parsed from the object’s DN
  • return-assoc – This variable is set to the association value(s) of the object’s parent container.
  • association-count – This variable is set to the count (number of values) in the return-assoc nodeset.
  • ou2po-association – This variable holds just the association value(s) extracted from the return-assoc nodeset. This is needed because return-assoc contains the whole <instance> element returned by the query, not only the values.

Rule: OrgUnit to Post Office User Placement

Purpose: For User and External Entity objects, if the driver has been configured to map Organizational Units to Post Offices via Global Configuration Value driver.gw.syncOUtoGWPO, then this rule attempts to generate a Post Office placement using the variables from the rule above. Users and External Entities will be placed in the Domain specified by driver.gw.SyncOU2GWEPODomain and the Post Office named the same as their parent container in eDirectory.

If this rule fires, a break() stops any further processing of the rules in this policy set.

Note: This rule will only fire if association-count is 1, so if for some reason an Organizational Unit has more than one association value, this rule will not work. This may be intentional, to keep an Organizational Unit from being associated with more than one GroupWise driver, but the side effect is that if the Organizational Unit is associated with any other driver, this rule will fail to run correctly.

Note: This rule also adds an XML attribute to the Add operation with the value “external”. It does this for User and External Entity objects. It is not known yet what this XML attribute does.

Rule: User Placement

Purpose: A simple User object placement strategy: get the value of Global Configuration Value driver.gw.SubSyncDestLocation and use it to specify the Post Office this User object’s mailbox is to be created in.

Rule: Group Placement

Purpose: A simple Group object placement strategy: get the value of Global Configuration Value driver.gw.SubSyncDestLocation and use it to specify the Post Office this Group object is to be created in.

Rule: GroupWise Distribution List Placement

Purpose: A simple Distribution List object placement strategy: get the value of Global Configuration Value driver.gw.SubSyncDestLocation and use it to specify the Post Office this Distribution List is to be created in.

Rule: GroupWise External Entity Placement

Purpose: A simple object placement strategy for External Entity objects. But External Entities require more for placement than Groups, so two Global Configuration Values are used here. One (driver.gw.SyncGWEEDomainName) specifies the Domain to place the External Entity in, the other (driver.gw.SyncGWEEPOName) specifies the Post Office.

Note: This rule sets the XML attribute “gw:classification=external” on the Add event. This is used to signal to the shim that an External Entity is being processed. (http://www.novell.com/documentation/idm36drivers/groupwise/?page=/documentation/idm36drivers/groupwise/data/adsti96.html)

Rule: GroupWise External Post Office Placement

Purpose: If configured to synchronize Organizational Unit objects in eDirectory to GroupWise Post Offices, a new Post Office is to be created in the Domain specified by the Global Configuration Value driver.gw.SyncOU2GWEPODomainName.

Note: Again, the XML attribute “gw:classification=external” is used here.

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

4 Comments

  1. By:geoffc

    You wrote:

    Note: This rule also adds an XML attribute to the Add operation with the value “external”. It does this for User and External Entity objects. It is not known yet what this XML attribute does.

    In order to make an external entity, there is no special object class, rather there is an XML attr that indicates this to be true. (The namespace needs to be set as well).

    For more details see:
    http://www.novell.com/communities/node/8437/troubleshooting-groupwise-driver-external-user-creation

  2. By:johngallagher

    Hi Geoff you said that there is a bug with the “Rule: User Required Attributes”. We are not using GroupWise entitlements and as stated this rule is ignored, wanting the Given Name and Full Name attributes to be a requirement. Is there a work around to this bug short of enabling entitlements? Thanks

    • By:dgersic

      Geoff who? ;-)

      Personally, I’d build a new policy with your requirements in it. Or you could edit this one to remove the entitlements check, then add your own requirements. Either way should work.

    • By:geoffc

      John,
      I shall plead the fifth on this one. I write so much, I have no idea what you are referring to.

      Do you recall where I wrote this? I use the Internet as external memory storage. (Rather than bother to remember all the details, I write them down, get them published, and search for it, when I need to retrieve it).

      Looking at an IDM4 packaged version of the GW driver, I see in Sub-Create, NOVLGRPWB-sub-cp-DefaultCreatePolicies policy object, a rule User Required Attributes that has a condition, if entitlement gwAccount available, then it requires Surname and CN.

      So looks like the issue is still there in Packaged IDM4 drivers. Be nice to report this one.

      anyway, workaround is trivial. If using Packages, make your own, add and link in a rule that does a veto if op attr Surname is not available. Or whatever you want. Then it works fine, and does not break entitlements.
