Dynamic Groups and the RBE Driver

over 14 years ago

Problem

A Forum reader recently asked:

"I would like to start deploying some "Dynamic Groups" in eDirectory to associate users based on department and/or specific attributes, then have those groups, and the users associated, synchronize to Active Directory. The desired outcome is to create the user and group in Active Directory and maintain the membership.

I have read that entitlements can help with this, but I am not comfortable enough with it to re-design our ID vault and AD driver. Is there a way I can do this without entitlements?"

And here's the response from Father Ramon ...

Solution

Using dynamic groups for anything related to IDM is extremely problematic because of how dynamic groups work. In particular:

1. There is no notification from eDirectory when a User becomes a member or ceases to be a member of a dynamic group.

2. You cannot tell if a User is a member of a dynamic group by querying the Group Membership attribute of a User.

3. The effective value of the Member attribute of a dynamic group is recalculated every time it is read.

What this means is that for a driver to use dynamic groups to do anything, it has to monitor all the User attributes that could affect membership in the dynamic groups and recheck everything any time any of those attributes changes. This is something that is going to be extremely difficult to get right, but also happens to be exactly what the RBE driver does.

One way to use RBE to accomplish what you want without directly affecting your existing driver is not to use dynamic groups but rather to use static groups, whose membership is controlled by RBE and an entitlement on a loopback driver (see configuration below). Then you will have static groups that can be synchronized in any of your other drivers, but whose membership is kept up to date by RBE, based on dynamic criteria.

<driver-configuration dn="GroupEntitlementLoopback.DriverSet.novell"
                      driver-set-dn="DriverSet.novell" name="GroupEntitlementLoopback">
  <attributes>
    <application-schema>
      <schema-def/>
    </application-schema>
    <!-- Advertises entitlement support so RBE can grant and revoke through this driver -->
    <configuration-manifest>
      <manifest>
        <capability name="entitlements"/>
      </manifest>
    </configuration-manifest>
    <global-config-values>
      <configuration-values>
        <definitions/>
      </configuration-values>
    </global-config-values>
    <!-- Subscriber filter: only DirXML-EntitlementRef changes on User objects reach the policies -->
    <driver-filter-xml>
      <filter>
        <filter-class class-name="User" publisher="sync"
                      publisher-create-homedir="true" publisher-track-template-member="false"
                      subscriber="sync">
          <filter-attr attr-name="DirXML-EntitlementRef"
                       from-all-classes="true" merge-authority="edir" publisher="ignore"
                       publisher-optimize-modify="true" subscriber="notify"/>
        </filter-class>
      </filter>
    </driver-filter-xml>
    <java-module value="com.novell.nds.dirxml.driver.loopback.LoopbackDriverShim"/>
    <driver-start-option value="1"/>
    <driver-cache-limit value="0"/>
    <shim-config-info-xml/>
    <driver-password-query/>
    <shim-auth-password-query/>
  </attributes>
  <children>
    <publisher name="Publisher">
      <attributes/>
      <children/>
    </publisher>
    <subscriber name="Subscriber">
      <attributes>
        <command-transformation-rule
            dn="EntitlementsCommandTransformation.Subscriber.GroupEntitlementLoopback.DriverSet.novell"/>
        <event-transformation-rule
            dn="EventTransformation.Subscriber.GroupEntitlementLoopback.DriverSet.novell"/>
      </attributes>
      <children>
        <rule name="EntitlementsCommandTransformation">
          <policy>
            <rule>
              <description>Check for group membership being granted or revoked</description>
              <conditions>
                <or>
                  <if-operation op="equal">add</if-operation>
                  <if-operation op="equal">modify</if-operation>
                </or>
              </conditions>
              <actions>
                <!-- Revoked entitlement values: take the group out of the user's Group Membership
                     and Security Equals; eDirectory maintains the paired group-side attributes
                     (Member and Equivalent To Me) itself -->
                <do-for-each>
                  <arg-node-set>
                    <token-removed-entitlement name="Groups"/>
                  </arg-node-set>
                  <arg-actions>
                    <do-remove-src-attr-value name="Group Membership">
                      <arg-value type="dn">
                        <token-local-variable name="current-node"/>
                      </arg-value>
                    </do-remove-src-attr-value>
                    <do-remove-src-attr-value name="Security Equals">
                      <arg-value type="dn">
                        <token-local-variable name="current-node"/>
                      </arg-value>
                    </do-remove-src-attr-value>
                  </arg-actions>
                </do-for-each>
                <!-- Granted entitlement values: add the group to both attributes -->
                <do-for-each>
                  <arg-node-set>
                    <token-added-entitlement name="Groups"/>
                  </arg-node-set>
                  <arg-actions>
                    <do-add-src-attr-value name="Group Membership">
                      <arg-value type="dn">
                        <token-local-variable name="current-node"/>
                      </arg-value>
                    </do-add-src-attr-value>
                    <do-add-src-attr-value name="Security Equals">
                      <arg-value type="dn">
                        <token-local-variable name="current-node"/>
                      </arg-value>
                    </do-add-src-attr-value>
                  </arg-actions>
                </do-for-each>
                <!-- The source-attribute changes have been issued; nothing needs to reach the
                     loopback shim, so the command itself is vetoed -->
                <do-veto/>
              </actions>
            </rule>
          </policy>
        </rule>
        <rule name="EventTransformation">
          <policy>
            <rule>
              <description>Veto any operation but add, modify, and sync</description>
              <conditions>
                <and>
                  <if-operation op="not-equal">add</if-operation>
                  <if-operation op="not-equal">modify</if-operation>
                  <if-operation op="not-equal">sync</if-operation>
                </and>
              </conditions>
              <actions>
                <do-veto/>
              </actions>
            </rule>
            <rule>
              <description>Manufacture association if none available</description>
              <conditions>
                <and>
                  <if-association op="not-available"/>
                </and>
              </conditions>
              <actions>
                <!-- Use the user's GUID as the association value, so the object is treated
                     as associated and its later events are processed by the policies -->
                <do-set-local-variable name="assoc">
                  <arg-string>
                    <token-src-attr name="GUID"/>
                  </arg-string>
                </do-set-local-variable>
                <do-add-association>
                  <arg-dn>
                    <token-src-dn/>
                  </arg-dn>
                  <arg-association>
                    <token-local-variable name="assoc"/>
                  </arg-association>
                </do-add-association>
                <do-set-op-association>
                  <arg-association>
                    <token-local-variable name="assoc"/>
                  </arg-association>
                </do-set-op-association>
              </actions>
            </rule>
          </policy>
        </rule>
      </children>
    </subscriber>
    <entitlement-definition name="Groups">
      <!-- Entitlement values are the DNs of the static Group objects found by a subtree query -->
      <entitlement conflict-resolution="union" description="Groups in Identity Vault"
                   display-name="Identity Vault Groups" name="Group">
        <values>
          <query-app>
            <query-xml>
              <nds dtd-version="2.0">
                <input>
                  <query class-name="Group" scope="subtree">
                    <search-class class-name="Group"/>
                    <read-attr attr-name="Description"/>
                    <read-attr attr-name="CN"/>
                  </query>
                </input>
              </nds>
            </query-xml>
            <result-set>
              <display-name>
                <token-attr attr-name="CN"/>
              </display-name>
              <description>
                <token-attr attr-name="Description"/>
              </description>
              <ent-value>
                <token-src-dn/>
              </ent-value>
            </result-set>
          </query-app>
        </values>
      </entitlement>
    </entitlement-definition>
  </children>
  <global-config-values>
    <configuration-values>
      <definitions/>
    </configuration-values>
  </global-config-values>
</driver-configuration>
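As an added example (not code from the original article or from Novell IDM), the following Python simulates offline what the EntitlementsCommandTransformation policy above does to a user when RBE grants or revokes the Groups entitlement, and adds an audit check for Security Equals values that outlive the matching Group Membership. The DirXML-EntitlementRef value layout, the entitlement DN and the sample user and group DNs are assumptions.

```python
# Added example (not from the article or from Novell IDM): an offline simulation of
# the EntitlementsCommandTransformation policy. The DirXML-EntitlementRef layout used
# here (nameSpace 1 = granted, 0 = revoked, path.xml holding <ref><param>group-dn</param></ref>) is assumed.
import xml.etree.ElementTree as ET

ENTITLEMENT_DN = "Groups.GroupEntitlementLoopback.DriverSet.novell"

# Constructed sample modify event: Sales is granted and Marketing revoked in one operation.
SAMPLE_EVENT = """<nds dtd-version="2.0"><input>
<modify class-name="User" src-dn="jdoe.users.novell">
 <modify-attr attr-name="DirXML-EntitlementRef">
  <add-value><value type="structured">
   <component name="nameSpace">1</component>
   <component name="volume">Groups.GroupEntitlementLoopback.DriverSet.novell</component>
   <component name="path.xml"><ref><src>RBE</src><id>1</id><param>Sales.groups.novell</param></ref></component>
  </value></add-value>
  <add-value><value type="structured">
   <component name="nameSpace">0</component>
   <component name="volume">Groups.GroupEntitlementLoopback.DriverSet.novell</component>
   <component name="path.xml"><ref><src>RBE</src><id>2</id><param>Marketing.groups.novell</param></ref></component>
  </value></add-value>
 </modify-attr></modify></input></nds>"""

def entitlement_changes(event_xml, entitlement_dn=ENTITLEMENT_DN):
    """(granted, revoked) group DNs, like the policy's Added/Removed Entitlement tokens."""
    granted, revoked = [], []
    for mod in ET.fromstring(event_xml).iter("modify-attr"):
        if mod.get("attr-name") != "DirXML-EntitlementRef":
            continue
        for val in mod.iter("value"):
            comp = {c.get("name"): c for c in val.findall("component")}
            if comp["volume"].text != entitlement_dn:
                continue  # a different entitlement; this policy ignores it
            group_dn = comp["path.xml"].find("ref/param").text
            (granted if comp["nameSpace"].text == "1" else revoked).append(group_dn)
    return granted, revoked

def apply_policy(user, event_xml):
    """Remove revoked and add granted groups on both attributes the rule writes."""
    granted, revoked = entitlement_changes(event_xml)
    new = {attr: set(vals) for attr, vals in user.items()}
    for attr in ("Group Membership", "Security Equals"):
        new[attr].difference_update(revoked)
        new[attr].update(granted)
    return new

def stale_security_equals(user):
    """Security Equals left without a matching Group Membership keeps revoked group rights."""
    return set(user["Security Equals"]) - set(user["Group Membership"])
```

Running stale_security_equals over exported user records is a quick way to spot users whose Security Equals was not cleaned up when a group was revoked, which is the condition this policy is meant to prevent.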
