IDM Driver Walkthrough: GroupWise (Part 3 of 4)



By: dgersic

March 25, 2010 10:36 am


Introduction

In this, part 3 of 4, the Subscriber Command Transform, the Filter, and the Schema Mapping are covered.

Subscriber Command Transform

Policy Set: sub-ctp-EntitlementsImpl

Rule: DL Entitlement: add or remove DL memberships

Purpose: This rule transforms changes to the list of GroupWise Distribution Lists the user is entitled to into the events that implement those membership changes in GroupWise.

Rule: Account Entitlement: Enable or Disable account

Purpose: If the driver has been configured (driver.gw.ent.account.remove = disable) to disable the GroupWise mailbox when the associated User object is deleted, and if the user’s entitlement to a GroupWise mailbox (gwAccount) is changing, then this rule transforms the entitlement change into the events that implement it. The mailbox will be enabled or disabled based on the user’s entitlement to it.

Note: See the notes earlier in this walkthrough on Disabled and Expired and what they mean to GroupWise.

Rule: Account Entitlement: Expire or Unexpire account

Purpose: If the driver has been configured (driver.gw.ent.account.remove = expire) to expire the GroupWise mailbox when the associated User object is deleted, and if the user’s entitlement to a GroupWise mailbox (gwAccount) is changing, then this rule transforms the entitlement change into the events that implement it. The mailbox will be expired or unexpired based on the user’s entitlement to it.

Rule: Account Entitlement: Enable/Unexpire or Disable/Expire account

Purpose: If the driver has been configured (driver.gw.ent.account.remove = dispire) to both disable and expire the GroupWise mailbox when the associated User object is deleted, and if the user’s entitlement to a GroupWise mailbox (gwAccount) is changing, then this rule transforms the entitlement change into the events that implement it. The mailbox will be expired and disabled, or unexpired and enabled, based on the user’s entitlement to it.

Rule: Account Entitlement remove: Delete account

Purpose: If the driver has been configured (driver.gw.ent.account.remove = delete) to remove the GroupWise mailbox when the associated User object is deleted, and if the user’s entitlement to a GroupWise mailbox (gwAccount) is changing, then this rule transforms the entitlement change into the events that implement it. The mailbox will be deleted because the user is no longer entitled to it.

Note: Additionally, the XML attribute gw:original-event on the <delete> is set to “modify” here. Why?

Policy Set: sub-ctp-Audit-TagEvent

Rule: User gwAccount Entitlement change (Delete Option)

Purpose: This rule checks two Global Configuration Values (drv.entitlement.GWAccount and driver.gw.ent.account.remove) to see if it should activate. This rule handles the case where the GroupWise driver is configured to Create or Delete the GW mailbox when the entitlement is changed. It then also checks that the object being processed is a User, that the event is an Add or Modify, and that the gwAccount entitlement is what is changing (the reason that this User is being added or modified). If all of these conditions are true, then several Operation Properties are added to the current event. These contain:

  • accountAction – why this object is being processed
  • sourceDN – the DN of the object
  • association – the association value for this object
  • guid – the eDirectory GUID of the object
  • objectClass – User

This data is then forwarded to the configured audit platform agent.

Rule: User gwAccount Entitlement change (Disable Option)

Purpose: This rule checks two Global Configuration Values (drv.entitlement.GWAccount and driver.gw.ent.account.remove) to see if it should activate. This rule handles the case where the GroupWise driver is configured to Expire/Unexpire or Enable/Disable the GW mailbox when the entitlement is changed. It then also checks that the object being processed is a User, that the event is an Add or Modify, and that the gwAccount entitlement is what is changing (the reason that this User is being added or modified). If all of these conditions are true, then several Operation Properties are added to the current event. These contain:

  • accountAction – why this object is being processed
  • sourceDN – the DN of the object
  • association – the association value for this object
  • guid – the eDirectory GUID of the object
  • objectClass – User

This data is then forwarded to the configured audit platform agent.

Rule: User gwAccount Entitlement remove (Delete Option)

Purpose: This rule checks two Global Configuration Values (drv.entitlement.GWAccount and driver.gw.ent.account.remove) to see if it should activate. This rule handles the case where the GroupWise driver is configured to Create or Delete the GW mailbox when the entitlement is changed. It then also checks that the object being processed is a User, that the event is a Delete, and that the gwAccount entitlement is what is changing (the reason that this User is being deleted from GroupWise). If all of these conditions are true, then several Operation Properties are added to the current event. These contain:

  • accountAction – why this object is being processed
  • sourceDN – the DN of the object
  • association – the association value for this object
  • guid – the eDirectory GUID of the object
  • objectClass – User

This data is then forwarded to the configured audit platform agent.

Note: Bug (https://bugzilla.novell.com/show_bug.cgi?id=585166) report – the comments on the rules in this policy set all refer to Active Directory. This is the GroupWise driver!

Note: The accountAction operation data is used later on the Publisher channel (lib-AuditSendEntitlementEvents-itp-V1) to send entitlement updates to the auditing system.

Policy Set: sub-ctp-TransformDistributionPassword

Rule: Convert add nspmDistributionPassword attribute to a modify-password operation

Purpose: This is one of the standard Universal Password password synchronization policies. It transforms the nspmDistributionPassword in an <add> document to a <modify-password> event, if the driver has been configured for password synchronization (password subscribe).

Rule: Convert modify nspmDistributionPassword attribute to a modify-password operation

Purpose: This is the second of the standard Universal Password password synchronization policies. It transforms the nspmDistributionPassword in a <modify> document to a <modify-password> event, if the driver has been configured for password synchronization (password subscribe).

Rule: Block empty modify operations

Purpose: The third of the three standard Universal Password rules. If nothing remains in the <modify> document after the password attribute has been taken out of it, this rule strips the empty <modify>. So if the only thing that changed in the original modify is the password value, the modify-password event replaces it entirely; otherwise the remaining changes in the document are still processed because the <modify> is non-empty.

Filter

This is a standard Filter, containing the object classes and attributes that this driver is going to process on the Subscriber and Publisher channels. By default, User, GroupWise External Entity, GroupWise Distribution List, GroupWise Post Office, GroupWise Resource, Group, and Organizational Unit objects will be processed. Configuration, via Global Configuration Values, is used to control what this driver actually does.

Schema Mapping

smp-DefaultSchemaMap

This is a standard IDM schema map, containing eDirectory and GroupWise object and attribute values.

Policy Set: smp-ExtendedSchemaMap

Note: This is a rather unusual place to find a policy set. Normally only schema mapping is done in the Schema Map.

Rule: Strip nspmDistributionPassword

Purpose: This rule unconditionally removes nspmDistributionPassword from all documents. Normally this is done in the Command Transform by one of the standard Universal Password password synchronization rules. Because the Schema Map runs after the Command Transform on the Subscriber channel, this rule acts as a safety net: any nspmDistributionPassword value that the password rules did not consume (for example, when password synchronization to GroupWise is turned off) is removed before the document reaches the Output Transform and the shim, so the clear-text distribution password is never handed to the shim as an ordinary attribute.
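As an added example (not the driver's policy XML, and not from the original article), the following Python models the Subscriber-side handling of nspmDistributionPassword: the three sub-ctp-TransformDistributionPassword rules described above, followed by this unconditional strip, in the order the Subscriber channel runs them (Command Transform first, Schema Map second). It assumes the engine's behaviour for setting a destination password, namely that on an <add> the password is placed in a <password> element inside the add (a new object has no association yet to target with a separate operation), while on a <modify> a separate <modify-password> is generated after the modify. The sample XDS documents, the association value 1234 and the password string are constructed for the example.

```python
"""Model of how the Subscriber channel handles nspmDistributionPassword.

Added example, not the driver's policy XML. Models the three
sub-ctp-TransformDistributionPassword rules and the unconditional
"Strip nspmDistributionPassword" rule of smp-ExtendedSchemaMap, applied in
Subscriber-channel order (Command Transform, then Schema Map). The sample
XDS documents below are constructed, not captured from a driver.
"""
import copy
import xml.etree.ElementTree as ET

PWD_ATTR = "nspmDistributionPassword"
ATTR_TAGS = ("add-attr", "modify-attr")


def _pop_password(op):
    """Remove every nspmDistributionPassword attribute from op; return its value."""
    value = None
    for attr in list(op):
        if attr.tag in ATTR_TAGS and attr.get("attr-name") == PWD_ATTR:
            for v in attr.iter("value"):  # <add-attr><value> or <modify-attr><add-value><value>
                value = v.text
            op.remove(attr)
    return value


def command_transform(inp, password_subscribe):
    """sub-ctp-TransformDistributionPassword applied to an <input> element."""
    for op in list(inp):
        if op.tag not in ("add", "modify"):
            continue
        if password_subscribe:  # rules 1 and 2 are gated on the password-subscribe GCV
            value = _pop_password(op)
            if value is not None and op.tag == "add":
                # Rule 1 (assumed engine semantics): an add carries its own <password>.
                ET.SubElement(op, "password").text = value
            elif value is not None:
                # Rule 2: generate a <modify-password> for the associated object.
                mp = ET.Element("modify-password",
                                {k: v for k, v in op.attrib.items() if k in ("class-name", "event-id")})
                assoc = op.find("association")
                if assoc is not None:
                    mp.append(copy.deepcopy(assoc))
                ET.SubElement(mp, "password").text = value
                inp.insert(list(inp).index(op) + 1, mp)
        # Rule 3: a <modify> with no modify-attr left in it is dropped.
        if op.tag == "modify" and op.find("modify-attr") is None:
            inp.remove(op)
    return inp


def schema_map_strip(inp):
    """smp-ExtendedSchemaMap 'Strip nspmDistributionPassword': unconditional."""
    for op in inp:
        for attr in list(op):
            if attr.tag in ATTR_TAGS and attr.get("attr-name") == PWD_ATTR:
                op.remove(attr)
    return inp


def subscriber_pipeline(xds, password_subscribe):
    """Run both policies in channel order; return the resulting <input> element."""
    inp = ET.fromstring(xds).find("input")
    command_transform(inp, password_subscribe)
    return schema_map_strip(inp)


def operations(inp):
    """[(operation, [attribute names]), ...] in document order."""
    return [(op.tag, [a.get("attr-name") for a in op if a.tag in ATTR_TAGS]) for op in inp]


def passwords(inp):
    """Values that reached a <password> element (the only legitimate carrier)."""
    return [el.text for el in inp.iter("password")]


def leaks_cleartext(inp, secret):
    """True if the secret still appears anywhere other than a <password> element."""
    return any(el.tag != "password" and el.text == secret for el in inp.iter())


# Constructed sample documents (association 1234 and the password are invented).
ASSOC = '<association state="associated">1234</association>'
PWD_MODIFY = ('<modify-attr attr-name="%s"><remove-all-values/>'
              '<add-value><value type="string">S3cret!</value></add-value></modify-attr>' % PWD_ATTR)
SURNAME_MODIFY = ('<modify-attr attr-name="Surname"><remove-all-values/>'
                  '<add-value><value type="string">Doe-Smith</value></add-value></modify-attr>')

MODIFY_PWD_ONLY = ('<nds><input><modify class-name="User" event-id="ev1">'
                   + ASSOC + PWD_MODIFY + '</modify></input></nds>')
MODIFY_PWD_AND_SURNAME = ('<nds><input><modify class-name="User" event-id="ev2">'
                          + ASSOC + SURNAME_MODIFY + PWD_MODIFY + '</modify></input></nds>')
ADD_WITH_PWD = ('<nds><input><add class-name="User" event-id="ev3">'
                '<add-attr attr-name="Surname"><value type="string">Doe</value></add-attr>'
                '<add-attr attr-name="%s"><value type="string">S3cret!</value></add-attr>'
                '</add></input></nds>' % PWD_ATTR)

if __name__ == "__main__":
    for name, xds in (("modify, pwd only", MODIFY_PWD_ONLY),
                      ("modify, pwd+surname", MODIFY_PWD_AND_SURNAME),
                      ("add", ADD_WITH_PWD)):
        for sync in (True, False):
            inp = subscriber_pipeline(xds, sync)
            print(name, "sync=%s" % sync, operations(inp),
                  "LEAK" if leaks_cleartext(inp, "S3cret!") else "clean")
```

Running it shows the point of the strip rule: with password synchronization off, the Command Transform leaves the password attribute in place, the Schema Map removes it, and what reaches the shim is an ordinary (possibly empty) modify with no clear-text password in it; with synchronization on, the only place the value survives is the <password> element the shim expects.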

Rule: GW 6.5+ from eDir

Purpose: This rule checks to see if the driver is configured to work with a GroupWise 5.50 or a GroupWise 6.00 system. If not, it assumes that the driver is working with a GroupWise 6.5 or newer system. It then checks to see if the event being processed is coming from eDirectory (i.e. on the Subscriber) via the local variable fromNDS (equal to ‘true’). Then, if the object being processed is a User, it renames some attributes to map eDirectory to GroupWise. This would normally be done by the schema map, but it appears that some of the GroupWise attribute names have changed between versions, so this bit of policy handles the conditional mapping needed to have one driver preconfig work with multiple versions of GroupWise.

Note: This rule shows two interesting things. First, that you can actually put Policy Builder script in the Schema Mapping, and second, that the local variable fromNDS is maintained by the engine (http://www.novell.com/documentation/idm36/policy/?page=/documentation/idm36/policy/data/policyvariables.html) so that it is possible to use it in policies that need to work in both directions.

Rule: GW 6.5+ from GW

Purpose: This rule checks to see if the driver is configured to work with a GroupWise 5.50 or a GroupWise 6.00 system. If not, it assumes that the driver is working with a GroupWise 6.5 or newer system. It then checks to see if the event being processed is coming from GroupWise (i.e. on the Publisher) via the local variable fromNDS (equal to ‘false’). Then, if the object being processed is a User, it renames some attributes to map GroupWise to eDirectory. This would normally be done by the schema map, but it appears that some of the GroupWise attribute names have changed between versions, so this bit of policy handles the conditional mapping needed to have one driver preconfig work with multiple versions of GroupWise.

Rule: GW 5.5/6.0 from eDir

Purpose: This rule checks to see if the driver is configured to work with a GroupWise 5.50 or a GroupWise 6.00 system. If so, it then checks to see if the event being processed is coming from eDirectory (i.e. on the Subscriber) via the local variable fromNDS (equal to ‘true’). Then, if the object being processed is a User or External Entity, it renames some attributes to map eDirectory to GroupWise. This would normally be done by the schema map, but it appears that some of the GroupWise attribute names have changed between versions, so this bit of policy handles the conditional mapping needed to have one driver preconfig work with multiple versions of GroupWise.

Rule: GW 5.5/6.0 from GW

Purpose: This rule checks to see if the driver is configured to work with a GroupWise 5.50 or a GroupWise 6.00 system. If so, it then checks to see if the event being processed is coming from GroupWise (i.e. on the Publisher) via the local variable fromNDS (equal to ‘false’). Then, if the object being processed is a User or External Entity, it renames some attributes to map GroupWise to eDirectory. This would normally be done by the schema map, but it appears that some of the GroupWise attribute names have changed between versions, so this bit of policy handles the conditional mapping needed to have one driver preconfig work with multiple versions of GroupWise.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
