Thread: AD driver

  1. #1
    Join Date
    Feb 2011
    Posts
    241

    AD driver


    I am successfully synching eDir accounts to AD, but the question I have
    is: for every account that I synch, the IDM AD driver on its polling
    cycle is seeing a rename of the account. I of course have the
    dirxmlADcontexts and names set up, but why is the driver seeing a rename
    for the account every time it runs its scheduled polling of AD? This
    driver is set up so that all attributes on the publisher channel in the
    filter are set to ignore, because we do not want any changes synching
    from this domain into eDir.

    It is doing this for every account I synch to AD while testing, and I
    really don't want to migrate all of my users to this domain until this
    is figured out.

    Thank you,


    --
    wferguson
    ------------------------------------------------------------------------
    wferguson's Profile: https://forums.netiq.com/member.php?userid=360
    View this thread: https://forums.netiq.com/showthread.php?t=53997


  2. #2

    Re: AD driver

    As always, post the full trace.

    MAD does not share with IDM whether a rename or move is happening, so
    instead when one or the other is detected (because they are the same
    operation coming from MAD) the shim sends both through and it is up to the
    engine to figure this out.

    You're reporting a rename, so it would seem that perhaps something about
    your creation process is causing that to happen; maybe a create happens
    and something in the logic immediately renames the object, which MAD then
    sends back and is likely then optimized out (the name is already changed
    in the vault). A trace will probably reveal all.


    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  3. #3
    Join Date
    Feb 2011
    Posts
    241

    Re: AD driver


    Thank you for the response! The attachment is a level 3 trace of what
    the vault receives from the RL when the driver polling occurs. I am not
    only interested in the RL not sending it to the vault, but I would also
    prefer not to have AD doing this on the RL server either, so basically
    how can I prevent this altogether? Thanks a million.


    +----------------------------------------------------------------------+
    |Filename: trace080715.txt |
    |Download: https://forums.netiq.com/attachment....tachmentid=322 |
    +----------------------------------------------------------------------+

    --
    wferguson


  4. #4
    Join Date
    Feb 2011
    Posts
    241

    Re: AD driver


    This is a copy of the html in my creation policy

    <?xml version="1.0" encoding="UTF-8"?><policy>
    <rule>
    <description>Break if not a User</description>
    <conditions>
    <and>
    <if-class-name mode="nocase" op="not-equal">User</if-class-name>
    </and>
    </conditions>
    <actions>
    <do-break/>
    </actions>
    </rule>
    <rule>
    <description>xxx</description>
    <conditions>
    <or>
    <if-attr mode="regex" name="Type" op="equal">xxx</if-attr>
    <if-attr mode="regex" name="Category" op="equal">xxx</if-attr>
    </or>
    </conditions>
    <actions>
    <do-veto/>
    </actions>
    </rule>
    <rule>
    <description>Veto if IDMx status is NOT active</description>
    <comment xml:space="preserve"></comment>
    <conditions>
    <and>
    <if-class-name mode="nocase" op="equal">User</if-class-name>
    <if-attr mode="nocase" name="xxx" op="not-equal">active</if-attr>
    <if-attr mode="nocase" name="xxx" op="not-equal">active</if-attr>
    <if-attr mode="nocase" name="xxx" op="not-equal">active</if-attr>
    </and>
    </conditions>
    <actions>
    <do-veto/>
    </actions>
    </rule>
    <rule>
    <description>Veto if nspmDistributionPassword is not
    available</description>
    <conditions>
    <and>
    <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
    </conditions>
    <actions>
    <do-veto-if-op-attr-not-available name="nspmDistributionPassword"/>
    </actions>
    </rule>
    <rule>
    <description>Escape object name</description>
    <comment xml:space="preserve">Removes irregular characters in the
    account name.</comment>
    <conditions>
    <or>
    <if-class-name mode="nocase" op="equal">User</if-class-name>
    </or>
    </conditions>
    <actions>
    <do-set-local-variable name="object-name" scope="policy">
    <arg-string>
    <token-replace-all
    regex="[^a-zA-Z0-9\x21\x23-\x29\x2d\x2e\x40\x5e-\x60\x7b\x7d\x7e\xc0-\xf6\xf8-\xff\x410-\x44f]"
    replace-with="">
    <token-src-name/>
    </token-replace-all>
    </arg-string>
    </do-set-local-variable>
    </actions>
    </rule>
    <rule>
    <description>Map CN to Active Directory user logon name</description>
    <comment xml:space="preserve"></comment>
    <conditions>
    <and>
    <if-global-variable name="UpnMap"
    op="equal">edir-name-auth</if-global-variable>
    </and>
    </conditions>
    <actions>
    <do-set-dest-attr-value name="DirXML-ADAliasName">
    <arg-value type="string">
    <token-local-variable name="object-name"/>
    <token-text xml:space="preserve">@</token-text>
    <token-text xml:space="preserve">xxx.xxx</token-text>
    </arg-value>
    </do-set-dest-attr-value>
    <do-add-src-attr-value class-name="User" name="Object Class">
    <arg-value type="string">
    <token-text
    xml:space="preserve">DirXML-ApplicationAttrs-plural</token-text>
    </arg-value>
    </do-add-src-attr-value>
    <do-for-each>
    <arg-node-set>
    <token-src-attr name="DirXML-ADAliasNames"/>
    </arg-node-set>
    <arg-actions>
    <do-if>
    <arg-conditions>
    <and>
    <if-xpath
    op="true">$current-node/component[@name='volume']="~dirxml.auto.driverdn~"</if-xpath>
    </and>
    </arg-conditions>
    <arg-actions>
    <do-remove-src-attr-value name="DirXML-ADAliasNames">
    <arg-value type="structured">
    <arg-component name="nameSpace">
    <token-xpath
    expression='$current-node/component[@name="nameSpace"]'/>
    </arg-component>
    <arg-component name="volume">
    <token-xpath
    expression='$current-node/component[@name="volume"]'/>
    </arg-component>
    <arg-component name="path">
    <token-xpath
    expression='$current-node/component[@name="path"]'/>
    </arg-component>
    </arg-value>
    </do-remove-src-attr-value>
    </arg-actions>
    <arg-actions/>
    </do-if>
    </arg-actions>
    </do-for-each>
    <do-add-src-attr-value name="DirXML-ADAliasNames">
    <arg-value type="structured">
    <arg-component name="nameSpace">
    <token-time format="!CTIME" tz="UTC"/>
    </arg-component>
    <arg-component name="volume">
    <token-global-variable name="dirxml.auto.driverdn"/>
    </arg-component>
    <arg-component name="path">
    <token-local-variable name="object-name"/>
    <token-text xml:space="preserve">@</token-text>
    <token-text xml:space="preserve">xxx.xxxA</token-text>
    </arg-component>
    </arg-value>
    </do-add-src-attr-value>
    </actions>
    </rule>
    <rule>
    <description>Map CN to Active Directory user logon name (pre-Windows
    2000)</description>
    <comment xml:space="preserve">Logon name policy: Keep destination
    sAMAccountName in sync with source object name.</comment>
    <conditions>
    <and>
    <if-global-variable mode="case" name="LogonNameMap"
    op="equal">true</if-global-variable>
    </and>
    </conditions>
    <actions>
    <do-set-dest-attr-value name="CN">
    <arg-value>
    <token-substring length="20">
    <token-local-variable name="object-name"/>
    </token-substring>
    </arg-value>
    </do-set-dest-attr-value>
    </actions>
    </rule>
    <rule>
    <description>Identity Vault accounts are enabled if Login Disabled
    does not exist</description>
    <comment xml:space="preserve">If LoginDisabled does not exist, then
    make sure the destination attribute Login Disabled is false.</comment>
    <conditions>
    <and>
    <if-op-attr name="Login Disabled" op="not-available"/>
    </and>
    </conditions>
    <actions>
    <do-set-dest-attr-value name="Login Disabled">
    <arg-value type="string">
    <token-text xml:space="preserve">false</token-text>
    </arg-value>
    </do-set-dest-attr-value>
    </actions>
    </rule>
    </policy>


    --
    wferguson


  5. #5
    Join Date
    Feb 2011
    Posts
    241

    Re: AD driver


    Here is the html copy of our PP policy, where we are stripping the
    full name and composing it in order to take into consideration preferred
    given name and surname.

    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC
    "policy-builder-dtd" "C:\Program Files
    (x86)\Novell\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201206110753\DTD\dirxmlscript3.6.1.dtd"><policy>
    <rule>
    <description>Set full name (displayname)</description>
    <comment xml:space="preserve">We are stripping the full name, then
    composing it in the order of SurnamePref > Surname and then
    GivenNamePref > GivenName, putting that value back into attribute Full
    Name, and then checking to make sure there isn't a match. If there is a
    match, add a 01 to the end of the Full Name and check again, if another
    match is found, add 02 and check again etc. until a match is not
    found.</comment>
    <conditions>
    <and>
    <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
    </conditions>
    <actions>
    <do-strip-op-attr name="Full Name"/>
    <do-if>
    <arg-conditions>
    <and>
    <if-attr name="Initials" op="available"/>
    </and>
    </arg-conditions>
    <arg-actions>
    <do-set-local-variable name="appfullname" scope="policy">
    <arg-string>
    <token-replace-all regex="\s+$" replace-with="">
    <token-attr name="Surname"/>
    </token-replace-all>
    <token-text xml:space="preserve">, </token-text>
    <token-replace-all regex="\s+$" replace-with="">
    <token-attr name="Given Name"/>
    </token-replace-all>
    <token-text xml:space="preserve"> </token-text>
    <token-substring length="1">
    <token-attr name="Initials"/>
    </token-substring>
    <token-text xml:space="preserve">.</token-text>
    </arg-string>
    </do-set-local-variable>
    </arg-actions>
    <arg-actions>
    <do-set-local-variable name="appfullname" scope="policy">
    <arg-string>
    <token-replace-all regex="\s+$" replace-with="">
    <token-attr name="Surname"/>
    </token-replace-all>
    <token-text xml:space="preserve">, </token-text>
    <token-replace-all regex="\s+$" replace-with="">
    <token-attr name="Given Name"/>
    </token-replace-all>
    </arg-string>
    </do-set-local-variable>
    </arg-actions>
    </do-if>
    <do-add-dest-attr-value name="Full Name">
    <arg-value type="string">
    <token-unique-name counter-digits="2" counter-pattern="last"
    counter-start="1" counter-use="fallback" name="Full Name"
    on-unavailable="error" scope="subtree">
    <arg-dn>
    <token-global-variable name="xxx"/>
    </arg-dn>
    <arg-string>
    <token-local-variable name="appfullname"/>
    </arg-string>
    </token-unique-name>
    </arg-value>
    </do-add-dest-attr-value>
    </actions>
    </rule>
    <rule>
    <description>set dest context</description>
    <conditions>
    <and>
    <if-class-name op="equal">User</if-class-name>
    </and>
    </conditions>
    <actions>
    <do-if>
    <arg-conditions>
    <and>
    <if-attr mode="nocase" name="xxx" op="equal">active</if-attr>
    </and>
    <and>
    <if-attr mode="nocase" name="xxx" op="equal">active</if-attr>
    </and>
    <and>
    <if-attr mode="nocase" name="xxx" op="equal">active</if-attr>
    </and>
    </arg-conditions>
    <arg-actions>
    <do-if>
    <arg-conditions>
    <or>
    <if-attr mode="regex" name="xxx" op="not-equal">xxx</if-attr>
    <if-attr mode="regex" name="xxx" op="not-equal">xxx</if-attr>
    </or>
    </arg-conditions>
    <arg-actions>
    <do-set-local-variable name="NewContext" scope="policy">
    <arg-string>
    <token-text
    xml:space="preserve">OU=xxx,DC=xxx,DC=xxx,DC=xxx</token-text>
    </arg-string>
    </do-set-local-variable>
    </arg-actions>
    <arg-actions>
    <do-set-local-variable name="NewContext" scope="policy">
    <arg-string>
    <token-text
    xml:space="preserve">OU=xxx,DC=xxx,DC=xxx,DC=xxx</token-text>
    </arg-string>
    </do-set-local-variable>
    </arg-actions>
    </do-if>
    </arg-actions>
    <arg-actions>
    <do-set-local-variable name="NewContext" scope="policy">
    <arg-string>
    <token-text
    xml:space="preserve">OU=xxx,DC=xxx,DC=xxx,DC=xxx</token-text>
    </arg-string>
    </do-set-local-variable>
    </arg-actions>
    </do-if>
    </actions>
    </rule>
    <rule>
    <description>Set User DN</description>
    <comment xml:space="preserve">When User Full Name mapping is enabled,
    the destination object name is set to the Full Name attribute. The
    account will also be placed in the OU mentioned in the action
    below.</comment>
    <conditions>
    <and>
    <if-class-name op="equal">User</if-class-name>
    <if-global-variable mode="case" name="FullNameMap"
    op="equal">true</if-global-variable>
    <if-op-attr mode="nocase" name="Full Name" op="not-equal"/>
    <if-local-variable mode="nocase" name="destcontext"
    op="not-equal"/>
    </and>
    </conditions>
    <actions>
    <do-set-op-dest-dn>
    <arg-dn>
    <token-text xml:space="preserve">cn=</token-text>
    <token-escape-for-dest-dn>
    <token-op-attr name="Full Name"/>
    </token-escape-for-dest-dn>
    <token-text xml:space="preserve">,</token-text>
    <token-local-variable name="NewContext"/>
    </arg-dn>
    </do-set-op-dest-dn>
    </actions>
    </rule>
    </policy>


    --
    wferguson


  6. #6
    Join Date
    Jan 2009
    Location
    Stavanger, Norway
    Posts
    1,729

    Re: AD driver

    wferguson <wferguson@no-mx.forums.microfocus.com> wrote:
    > Here is the html copy of our PP policy, where we are stripping the
    > fullname and composing it in order to take into consideration preferred
    > given and surname
    >


    I would not re-create full name op-attr here. I would use a local variable
    (if you need the composite full name here).

    Generally I advise customers to avoid using a naming scheme in AD where CN
    is based on full name. Makes maintenance far simpler and the only people
    who really see the CN are techie / help desk types.

    That said, what you want to do is technically possible, but you should look
    at the way it is done in the standard AD driver packages and go from there
    rather than trying to diverge so much.




    --
    If you find this post helpful and are logged into the web interface, show
    your appreciation and click on the star below...

  7. #7

    Re: AD driver

    This trace does not show the create. Maybe I was not clear, and if so I
    apologize. I want to see the create coming from the vault into MAD, as
    well as (up to a minute later by default) the response that you see here
    in this trace. The reason is that if the vault is sending a rename, we'll
    see it earlier, and then have our reason for the rename coming back from
    MAD. If not, you need to find what is causing the rename in MAD, or just
    ignore it (or veto it explicitly).


    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  8. #8
    Join Date
    Feb 2011
    Posts
    241

    Re: AD driver


    Can I just do a veto if operation = rename in my ITP? Would that cause a
    problem or prevent the adcontexts from being set? I am not allowing
    renames from AD to eDir anyways.


    --
    wferguson
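    One way to do what the post above asks, as an added example that is not
    from this thread: a rule for the Publisher Event Transformation policy
    that vetoes rename and move events coming from AD for User objects (the
    rule name and the choice of policy set are assumptions; the thread does
    not show the driver's own publisher policies).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <!-- Publisher Event Transformation (assumed placement): drop rename and
       move events from AD before they reach the Identity Vault. The shim
       sends both a rename and a move for the same AD operation, so both
       are matched here. -->
  <rule>
    <description>Veto renames and moves coming from AD</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
      </and>
      <or>
        <if-operation mode="nocase" op="equal">rename</if-operation>
        <if-operation mode="nocase" op="equal">move</if-operation>
      </or>
    </conditions>
    <actions>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

    Watch the driver trace after adding it: a vetoed event is logged as such
    and never reaches the filter, so nothing on the publisher channel is
    written to the vault for it.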


  9. #9
    Join Date
    Feb 2011
    Posts
    241

    Re: AD driver


    Attached in this message is the trace of an account add. The post from
    earlier is the response that I get back from the driver after that
    default of 1 minute. Thank you so much.


    +----------------------------------------------------------------------+
    |Filename: trace on add080715.txt |
    |Download: https://forums.netiq.com/attachment....tachmentid=323 |
    +----------------------------------------------------------------------+

    --
    wferguson


  10. #10

    Re: AD driver

    Silly notes: in the future do not get traces via ndstrace or iMonitor, but
    instead please write them directly from a driver config object ("Trace
    File Name"). This increases reliability of the trace (especially when in
    a busy system), avoids overlapping drivers (which makes traces impossible
    to read), and also preserves formatting that makes reading these easier.

    You're sending a move from your policy. If you do not want to see that
    loop back, don't send it to MAD in the first place:

    Code:
    16:35:30 CCEE940 Drvrs: Driver ST: Evaluating selection criteria for rule
    'Move Account'.
    16:35:30 CCEE940 Drvrs: Driver ST: (if-local-variable 'destcontext'
    available) = TRUE.
    16:35:30 CCEE940 Drvrs: Driver ST: (if-local-variable 'NewContext'
    available) = TRUE.
    16:35:30 CCEE940 Drvrs: Driver ST: Expanded variable reference
    '$NewContext$' to 'OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx'.
    16:35:30 CCEE940 Drvrs: Driver ST: (if-local-variable 'destcontext'
    not-equal "$NewContext$") = TRUE.
    16:35:30 CCEE940 Drvrs: Driver ST: Rule selected.
    16:35:30 CCEE940 Drvrs: Driver ST: Applying rule 'Move Account'.
    16:35:30 CCEE940 Drvrs: Driver ST: Action:
    do-move-dest-object(when="after",arg-dn(token-local-variable("NewContext"))).
    16:35:30 CCEE940 Drvrs: Driver ST: arg-dn(token-local-variable("NewContext"))
    16:35:30 CCEE940 Drvrs: Driver ST: token-local-variable("NewContext")
    16:35:30 CCEE940 Drvrs: Driver ST: Token Value:
    "OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx".
    16:35:30 CCEE940 Drvrs: Driver ST: Arg Value:
    "OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx".
    This policy is, I believe, in the Command Transformation Policyset.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...
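    An added example, not the poster's policy, of the approach the reply
    above recommends (not sending the move in the first place): the 'Move
    Account' rule with the conditions that appear in the trace, plus one
    extra condition so it does not fire during the add. It assumes the rule
    lives in the Subscriber Command Transformation policy and that the
    placement policy already puts a new object under NewContext, as the
    'Set User DN' rule posted earlier does.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <!-- Subscriber Command Transformation (assumed placement). On an add the
       placement policy already builds the destination DN under NewContext,
       so a do-move-dest-object on the same operation is redundant and only
       comes back from AD a minute later as a move/rename on the publisher
       channel. Restrict the move to later operations (modify). -->
  <rule>
    <description>Move Account (not on add)</description>
    <conditions>
      <and>
        <if-operation mode="nocase" op="not-equal">add</if-operation>
        <if-local-variable name="destcontext" op="available"/>
        <if-local-variable name="NewContext" op="available"/>
        <!-- same comparison as in the trace: current context differs
             from the computed target context -->
        <if-local-variable mode="nocase" name="destcontext" op="not-equal">$NewContext$</if-local-variable>
      </and>
    </conditions>
    <actions>
      <do-move-dest-object when="after">
        <arg-dn>
          <token-local-variable name="NewContext"/>
        </arg-dn>
      </do-move-dest-object>
    </actions>
  </rule>
</policy>
```

    With this in place, the add trace should no longer show "Rule selected"
    for 'Move Account', and the move the user had to veto on the way back
    is not generated at all.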
