IDM Driver Walkthrough: GroupWise (Part 4 of 4)



By: dgersic

April 2, 2010 10:37 am


Introduction

This part, the fourth of four, covers the Input and Output Transforms and the remaining policy sets on the Publisher Channel.

Input / Output Transforms

Output Transform

Policy Set: sub-otp-EntitlementPolicySub

Rule: Convert Entitlement DN from dot to slash format

Purpose: Despite its name, this rule does not convert the DN of an Entitlement; it converts the DN of any Distribution Lists in the current event from dot format to slash format.

Policy Set: lib-AccountTracking-Subscribe-otp-V1

Rule: AccountTracking – disregard if disabled or wrong object class

Purpose: This rule checks whether this driver is configured for account tracking (Global Configuration Value drv.acctTrk.enable is equal to ‘true’). If so, it checks which object classes have been configured for tracking (Global Configuration Value drv.acctTrk.objectClass). If the class name of the current operation is found in that list, it sets local variable ‘pass’ to ‘true’. If the driver is configured for account tracking but the current object class is not in the list of classes to track, a break() aborts any further processing in this policy set.

Rule: AccountTracking – include desired attribute values in operation-data

Purpose: For the configured operations (add, modify, delete, rename, or move), an operation data element is added to the current operation, and a collection of operation properties are added to the operation data.

  • AccountTracking-Operation – contains the current operation in this document (add, modify, delete, rename, or move).
  • AccountTracking-(Identifiers) – a driver configured for account tracking has a list of account identifiers. This part of the rule loops through the list of configured identifiers in Global Configuration Value drv.acctTrk.identifiers, and adds them to the operation data. For LDAP systems, the LDAP DN of the object will be added. For other systems, like GroupWise, it may be another attribute. In the GroupWise driver, the object CN is added as the identifier. Local variable addObjectDN is then set to ‘true’.
  • AccountTracking-ObjectDN – The eDirectory object DN will be added to the operation data in this property. Source DN is always available because the source is eDirectory, and addObjectDN is set to ‘true’ by the previous block that deals with AccountTracking-(Identifiers).
  • AccountTracking-AccountStatusChanged – This property will be added with value “true” if the large ‘if’ block above it ends up setting local variable var-accountStatusChanged to ‘true’. This, then, relies on Global Configuration Value drv.acctTrk.statusAttr being available in the current document. For GroupWise, this is 50058 (Login Disabled in eDirectory).
  • AccountTracking-IdvAccountStatus – This property will always contain “-”.
  • AccountTracking-AppAccountStatus – This property will always contain “-”.
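To make the two rules above concrete, here is an added Python model of what they do to a Subscriber event; it is not the driver's own DirXML Script. The GCV values, the XDS modify event and the fallback of taking the CN from the src-dn leaf are constructed assumptions.

```python
# Model of the lib-AccountTracking-Subscribe-otp-V1 "disregard" and
# "include desired attribute values in operation-data" rules (added example).
import xml.etree.ElementTree as ET

# Constructed GCV values; a real driver reads them from its Global Configuration.
GCV = {
    "drv.acctTrk.enable": "true",
    "drv.acctTrk.objectClass": "User",            # comma-separated list of tracked classes
    "drv.acctTrk.identifiers": "CN",              # the GroupWise driver tracks the object CN
    "drv.acctTrk.statusAttr": "Login Disabled",   # eDirectory attribute 50058
}
TRACKED_OPS = ("add", "modify", "delete", "rename", "move")


def attr_values(op, name):
    """Values carried by <add-attr>/<modify-attr> elements named `name` in the operation."""
    return [v.text for a in op if a.get("attr-name") == name for v in a.iter("value")]


def account_tracking_otp(xds, gcv=GCV):
    """Return the operation properties the rules would add, or None after a break()."""
    op = ET.fromstring(xds).find("./input/*")
    # Rule 1: disregard if disabled or wrong object class
    if gcv["drv.acctTrk.enable"] != "true":
        return None
    tracked = [c.strip() for c in gcv["drv.acctTrk.objectClass"].split(",")]
    if op.get("class-name") not in tracked or op.tag not in TRACKED_OPS:
        return None  # break(): nothing else in this policy set runs
    # Rule 2: include desired attribute values in operation-data
    props = {"AccountTracking-Operation": op.tag}
    for ident in (i.strip() for i in gcv["drv.acctTrk.identifiers"].split(",")):
        values = attr_values(op, ident)
        # Assumption: if the identifier is absent from the event, use the src-dn leaf component
        fallback = op.get("src-dn").rsplit("\\", 1)[-1]
        props["AccountTracking-" + ident] = values[0] if values else fallback
    props["AccountTracking-ObjectDN"] = op.get("src-dn")  # source is always eDirectory
    if attr_values(op, gcv["drv.acctTrk.statusAttr"]):   # status attribute in the document?
        props["AccountTracking-AccountStatusChanged"] = "true"
    props["AccountTracking-IdvAccountStatus"] = "-"
    props["AccountTracking-AppAccountStatus"] = "-"
    return props


# Constructed Subscriber modify event: Login Disabled being set on a User.
SAMPLE_MODIFY = r"""<nds dtdversion="3.5"><input>
<modify class-name="User" event-id="0" src-dn="\TREE\data\users\jdoe">
<association>jdoe.users.corp</association>
<modify-attr attr-name="Login Disabled"><remove-all-values/>
<add-value><value type="state">true</value></add-value></modify-attr>
</modify></input></nds>"""
```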

Rule: AccountTracking – StripAccountTrackingStatus Attribute

Purpose: As the name says, if operation attribute AccountTrackingAccountStatus is found in the current document, it will be stripped by this rule.

Note: This policy set comes from Library object "Library".

Input Transform

Policy Set: lib-AccountTracking-Publish-itp-V1

Rule: AccountTracking – disregard if disabled or wrong object class

Purpose: This rule first checks to see if Account Tracking is enabled. If not, it aborts with a break() immediately. If it is configured, then it checks to see if the current event’s object class is one that is configured for Account Tracking (via Global Configuration Value drv.acctTrk.objectClass). Since this GCV is a list, this rule loops through the list and if the current event’s object class is anywhere in the list, the other rules in the policy can be applied. Otherwise, if the current event’s object class is not found in the list, a break() aborts further processing.

Rule: AccountTracking – on add-association sync the operation-properties to status operations

Purpose: This rule only operates on add-association event documents. It first copies the association value into operation data as operation property AccountTracking-association, then clones this into the status document as operation data as well. Local variable ‘eventId’ is set to the value of the event-id on the current event, but this variable doesn’t seem to be used anywhere else.

Rule: AccountTracking – Query for destination DN using Association

Purpose: For modify, delete, move, and rename events, this rule uses the association to get the associated object’s DN and squirrels it away in operation data / operation property AccountTracking-ObjectDN.

Rule: AccountTracking – add interested properties to current doc for future use

Purpose: For add, modify, delete, rename, move, and status operation documents, this rule adds the AccountTracking-(Identifiers) operation property, similar to the rule on the Output Transform that does the same thing. In this case, the object’s CN and Association values will be added as operation properties AccountTracking-CN and AccountTracking-association.

Rule: AccountTracking – Initialize status properties on published events

Purpose: For add, modify, delete, rename, and move events, this rule adds three operation properties.

  • AccountTracking-AccountStatusChanged – This property will be set to ‘true’ if the configured account status attribute (50058 / Login Disabled) is present in the current event document.
  • AccountTracking-IdvAccountStatus – This property will always contain “-”.
  • AccountTracking-AppAccountStatus – This property will be set to “A”, “I”, or “U”, to denote an [A]ctive, [I]nactive, or [U]nknown application account status. For Add events, this property will be set to a default status code from the Global Configuration Value drv.acctTrk.idvDefaultStatus. For GroupWise, this is set to [A]ctive.

Note: This policy set comes from Library object "Library".

Policy Set: pub-itp-EntitlementPolicyPub

Rule: Check target of add-association for group membership entitlements that need to be granted

Purpose: If the operation is an <add-association>, indicating a newly created GW mailbox, then this rule checks to see if it is supposed to verify Distribution List membership, and if any configured Distribution Lists are set up as Entitlements. If these conditions are met, then it generates events to add the mailbox (User) to the configured entitled Distribution Lists in GroupWise.

Rule: account tracking stuff

Purpose: If the operation is <remove-association>, then this rule checks to see how the driver has been configured for entitlement delete handling, and whether it can get the NGW: Account ID attribute from GroupWise. If so, it builds account tracking operation data AccountTracking-ObjectDN with the eDirectory object distinguished name, and accountAction (accountDeleteByEntitlementRevoke).

Note: Bug #585977 (https://bugzilla.novell.com/show_bug.cgi?id=585977) entered for this rule. The rule works, but the name could be better.

Policy Set: lib-AccountTracking-WriteAccounts-itp-V1

Rule: AccountTracking – disregard if disabled

Purpose: If this driver is not configured for Account Tracking via Global Configuration Value drv.acctTrk.enable, then this rule aborts further processing via a break().

Rule: AccountTracking – query DirXML-Accounts Attribute

Purpose: This rule checks for operation data / operation property AccountTracking-ObjectDN to be available. If it is, then nodeset variable AccountIdentifiers is built by querying eDirectory for the DirXML-Accounts attribute value using DN AccountTracking-ObjectDN.

Rule: AccountTracking – remove DirXML-Account values on delete operation

Purpose: If the operation being processed is a <delete>, a <remove-association>, or a <status>, and operation property AccountTracking-ObjectDN is available (for <status> operation data AccountTracking-Operation is needed as well), then, if this driver’s GUID is in the AccountIdentifiers variable built by the rule above, this rule generates a <modify> operation to remove the driver’s GUID from the DirXML-Accounts attribute on the current object.

Rule: AccountTracking – update DirXML-Accounts Attribute

Purpose: This rule loops through the values of the Global Configuration Value drv.acctTrk.identifiers and updates the object’s DirXML-Accounts attribute with the appropriate values, based on the Account Tracking configuration. It then removes the operation properties it used from the current document.

Note: This policy set comes from Library object "Library".

Policy Set: lib-Audit-SendEntitlementsEvents-itp-V1

Rule: 00031200 – Account Create By Entitlement Grant

Purpose: If the event is a <status> and the operation property accountAction is "accountCreateByEntitlementGrant" (this comes from the rules in policy set sub-ctp-Audit-TagEvent), then local variable auditEventID is set to value 1200.

Rule: 00031201 – Account Delete By Entitlement Revoke

Purpose: If the event is a <status> and either operation data "entitlement-impl" has a state attribute of 0, or the operation property accountAction is "accountDeleteByEntitlementRevoke" (this comes from the rules in policy set sub-ctp-Audit-TagEvent), then local variable auditEventID is set to value 1201. After this rule, if accountDeleteByEntitlementRevoke was not in the operation data, it will be added.

Rule: 00031202 – Account Disable By Entitlement Revoke

Purpose: If the event is a <status> and the operation property accountAction is "accountDisableByEntitlementRevoke" (this comes from the rules in policy set sub-ctp-Audit-TagEvent), then local variable auditEventID is set to value 1202.

Rule: 00031203 – Account Enable By Entitlement Grant

Purpose: If the event is a <status> and the operation property accountAction is "accountEnableByEntitlementGrant" (this comes from the rules in policy set sub-ctp-Audit-TagEvent), then local variable auditEventID is set to value 1203.

Rule: Generate Audit Event

Purpose: If the event is a <status> and variable auditEventID is available from one of the previous rules in this policy set, then an Auditing event is crafted and sent to the auditing system.

Note: This policy set comes from Library object "Library".

Publisher Channel

Event Transform

Empty

Publisher Matching Rule

Empty

Publisher Create Rule

Empty

Publisher Placement Rule

Policy Set: pub-pp-DefaultPlacement

Rule: Default Resource Owner

Purpose: This rule sets the operation’s destination DN to a converted value of the source DN. Ordinarily, new eDirectory User objects would not be created from objects in the GroupWise database, but given this rule’s name, I am assuming that this has something to do with creating a new object to be the owner of a Resource if the resource owner has been deleted. This preserves consistency in the GW system.

Publisher Command Transformation

Policy Set: lib-AccountTracking-WriteAccountsOnAdds-pub-ctp-V1

Rule: AccountTracking – disregard policy if disabled

Purpose: If this driver is not configured for account tracking, abort further processing with a break().

Rule: AccountTracking – on add operation add DirXML-Accounts

Purpose: If an object is being added by the Publisher (unlikely except for possibly the default resource owner, as noted above in the Publisher Placement Rule), then the DirXML-Identity object class is added, and the driver’s configured list of identifiers is used to add values to the DirXML-Accounts attribute on the destination object.

Note: This policy set comes from Library object "Library".

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
