
Thread: Force delete on unassociated user objects


  1. #1
    Join Date
    Feb 2009
    Posts
    5

    Force delete on unassociated user objects


    Hi,

    I wonder if the following is possible. Let's say IDM is informed that an
    account has been created on a Linux server (using Sentinel to start a
    workflow).
    After checking that this account exists and has a Linux driver Account
    entitlement, the user must be deleted on the Linux server (so the user
    might not exist in the ID Vault, or it might not have a Linux driver
    Account entitlement). Is it possible to send this delete command to the
    Linux driver (or the Windows scripting driver if the target system is a
    Windows machine), and how?

    Thanks in advance

    Kind regards
    Bart


    --
    bartden
    ------------------------------------------------------------------------
    bartden's Profile: http://forums.novell.com/member.php?userid=43521
    View this thread: http://forums.novell.com/showthread.php?t=448988


  2. #2
    Join Date
    Dec 2007
    Location
    Brooklyn, NY
    Posts
    6,213

    Re: Force delete on unassociated user objects

    On 12/1/2011 10:56 AM, bartden wrote:
    >
    > Hi,
    >
    > I wonder if following is possible. Lets say IDM is informed that an
    > account is created on a Linux server (using sentinel starting a
    > workflow).
    > After checking that this account exists and has a Linux driver Account
    > entitlement the user must be deleted on the linux server (so the user


    I think you meant, does NOT have a Linux Account entitlement, so
    Sentinel is catching an illegal out of band create.

    > might not exist in the ID Vault or it might not have a Linux driver
    > Account entitlement). Is it possible to send this delete command to the
    > linux driver (or windows scripting driver if the target system is a
    > windows machine) and how?


    You could probably do it via this approach:
    http://www.novell.com/communities/no...nnected-system

    Inject a query into another driver. So in principle you ought to be
    able to send a <delete> event in. Never tried it, though.

    Have you considered doing it in the Linux driver itself instead? That
    is, a Pub channel create without an entitlement means delete in source?

  3. #3

    Re: Force delete on unassociated user objects

    On Thu, 01 Dec 2011 15:56:02 +0000, bartden wrote:

    > I wonder if following is possible. Lets say IDM is informed that an
    > account is created on a Linux server (using sentinel starting a
    > workflow).
    > After checking that this account exists and has a Linux driver Account
    > entitlement the user must be deleted on the linux server (so the user
    > might not exist in the ID Vault or it might not have a Linux driver
    > Account entitlement). Is it possible to send this delete command to the
    > linux driver (or windows scripting driver if the target system is a
    > windows machine) and how?


    I don't understand what you're trying to do here. Could you elaborate?


    --
    --------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu
    Novell Knowledge Partner http://forums.novell.com

    Please post questions in the forums. No support provided via email.


  4. #4
    Join Date
    Feb 2009
    Posts
    5

    Re: Force delete on unassociated user objects


    Thanks for the reply.

    @geoffc,
    Yes, I meant that. Does there exist a fan-out bi-directional driver for
    Windows and Linux? Because I need to manage local accounts on both
    systems (could be up to 100 Windows/Linux systems), and I want a general
    solution for this problem.

    @David,

    In general I'm trying to build a system that deletes ungranted local
    accounts (or ungranted local rights) on Windows and Linux. If an IDM
    provisioned Linux admin creates a local account without using IDM, it
    has to be deleted.

    Best Regards
    Bart




  5. #5
    jgrieshop, Micro Focus Employee - Ultra Contributor
    Join Date
    Feb 2008
    Posts
    12

    Re: Force delete on unassociated user objects


    Linux, you have the option of a fan-out or bidirectional driver. Windows,
    your only way to manage local accounts is through the scripting driver
    with the local account extension scripts:

    http://www.novell.com/developer/ndk/..._accounts.html

    bartden;2158099 Wrote:
    > Thanks for the reply.
    >
    > @geoffc,
    > Yes i meant that. Does there exist a fan-out bi directional driver for
    > windows and linux? Because i need to manage local accounts on both
    > systems (could be up to 100 windows/linux systems), and i want a general
    > solution for this problem.
    >
    > @David,
    >
    > In general i'm trying to build a system that deletes ungranted local
    > accounts (or ungranted local rights) on windows and linux. If a IDM
    > provisioned linux admin creates a local account without using IDM, it
    > has to be deleted.
    >
    > Best Regards
    > Bart



    --
    jgrieshop
    ------------------------------------------------------------------------
    jgrieshop's Profile: http://forums.novell.com/member.php?userid=5538
    View this thread: http://forums.novell.com/showthread.php?t=448988


  6. #6
    Join Date
    Dec 2007
    Location
    Brooklyn, NY
    Posts
    6,213

    Re: Force delete on unassociated user objects

    On 12/2/2011 9:36 AM, jgrieshop wrote:
    >
    > Linux, you have an option of fan-out or bidirectional driver. Windows,
    > you're only way to manage local accounts is through the scripting driver
    > with the local account extension scripts:
    >
    > http://www.novell.com/developer/ndk/..._accounts.html



    So in general, the approach is that you get your 100 Linux boxes to use NIS,
    NIS+, LDAP, etc.

    Then you use one of those NIS/NIS+ servers with a single bidirectional
    driver.

    Your model sounds like you are using the Fan-Out driver, and want to
    prevent Linux-side creates. Since the Fan-Out driver does not have much
    of a Pub channel, I guess you cannot get the event on the driver, like
    you could in the BiDir driver.

    Can you send a delete into the Fanout driver?

    If so, perhaps you could have some monitoring object (the Driver object
    itself?) and have your Sentinel workflow just add an attribute to the
    object (a custom attribute) with the name of the object to delete.

    Then have the driver monitor that object for that attribute and, if it
    changes, send a delete of that object into the Sub channel.

    I do not know the Fan-Out driver well enough to know whether you can send a
    delete that way or not, though.



    > bartden;2158099 Wrote:
    >> Thanks for the reply.
    >>
    >> @geoffc,
    >> Yes i meant that. Does there exist a fan-out bi directional driver for
    >> windows and linux? Because i need to manage local accounts on both
    >> systems (could be up to 100 windows/linux systems), and i want a general
    >> solution for this problem.
    >>
    >> @David,
    >>
    >> In general i'm trying to build a system that deletes ungranted local
    >> accounts (or ungranted local rights) on windows and linux. If a IDM
    >> provisioned linux admin creates a local account without using IDM, it
    >> has to be deleted.
    >>
    >> Best Regards
    >> Bart




  7. #7

    Re: Force delete on unassociated user objects

    On Fri, 02 Dec 2011 08:36:02 +0000, bartden wrote:

    > In general i'm trying to build a system that deletes ungranted local
    > accounts (or ungranted local rights) on windows and linux. If a IDM
    > provisioned linux admin creates a local account without using IDM, it
    > has to be deleted.


    So on the Publisher channel, Event Transform, watch for <add> events. If
    you find one, a delete source object should take care of your problem.
    Yes? Or are you looking for something more complicated?


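    The Publisher-channel approach suggested above, written out as a DirXML Script policy. This is an added illustration, not code from the thread or from any driver's shipped policy set; it assumes a bidirectional driver that actually delivers `<add>` events on its Publisher channel (the Fan-Out caveat raised later in the thread still applies), that the connected-system class maps to `User`, and it adds an association check so that only unassociated (out-of-band) creates are acted on.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Publisher channel, Event Transformation policy (illustrative example,
     not from the thread). An account created directly on the Linux host
     arrives here as an <add> carrying no association. Such an out-of-band
     create is removed from the connected system and vetoed so it never
     becomes an Identity Vault object. -->
<policy>
  <rule>
    <description>Remove out-of-band local account creates</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <!-- assumption: the driver's class name for local accounts is User -->
        <if-class-name op="equal">User</if-class-name>
        <!-- an account that IDM provisioned itself already has an association,
             so only unassociated adds are candidates for removal -->
        <if-association op="not-associated"/>
      </and>
    </conditions>
    <actions>
      <!-- leave an audit trail in the driver trace before acting -->
      <do-trace-message level="1">
        <arg-string>
          <token-text xml:space="preserve">Out-of-band create detected, deleting in source: </token-text>
          <token-src-dn/>
        </arg-string>
      </do-trace-message>
      <!-- on the Publisher channel the "source" is the connected system,
           so this removes the account on the Linux host -->
      <do-delete-src-object/>
      <!-- stop the <add> from proceeding to the Identity Vault -->
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Test this against a trace of real Publisher events first: some shims include an association on Publisher `<add>` events for accounts they previously created, which is exactly what the `not-associated` condition relies on.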


  8. #8
    Join Date
    Dec 2007
    Location
    Brooklyn, NY
    Posts
    6,213

    Re: Force delete on unassociated user objects

    On 12/2/2011 12:00 PM, David Gersic wrote:
    > On Fri, 02 Dec 2011 08:36:02 +0000, bartden wrote:
    >
    >> In general i'm trying to build a system that deletes ungranted local
    >> accounts (or ungranted local rights) on windows and linux. If a IDM
    >> provisioned linux admin creates a local account without using IDM, it
    >> has to be deleted.

    > So on the Publisher channel, Event Transform, watch for <add> events. If
    > you find one, a delete source object should take care of your problem.
    > Yes? Or are you looking for something more complicated?


    I think his issue is that he is using the Fanout driver and may not be
    getting such events on the Pub channel. You have fanout at NIU right?
    Is that possible?



  9. #9

    Re: Force delete on unassociated user objects

    On Fri, 02 Dec 2011 17:12:27 +0000, Geoffrey Carman wrote:

    > On 12/2/2011 12:00 PM, David Gersic wrote:
    >> On Fri, 02 Dec 2011 08:36:02 +0000, bartden wrote:
    >>
    >>> In general i'm trying to build a system that deletes ungranted local
    >>> accounts (or ungranted local rights) on windows and linux. If a IDM
    >>> provisioned linux admin creates a local account without using IDM, it
    >>> has to be deleted.

    >> So on the Publisher channel, Event Transform, watch for <add> events.
    >> If you find one, a delete source object should take care of your
    >> problem. Yes? Or are you looking for something more complicated?

    > I think his issue is that he is using the Fanout driver and may not be
    > getting such events on the Pub channel.


    Ah, that would be a key detail then. Sorry if I've introduced any
    confusion.


    > You have fanout at NIU right?


    Not so far, no.




