I5osdrv: adding attributes to the publisher channel


I have built quite a few drivers over the years using DirXML (IDM). I
have been recently tasked with attaching our identity vault to our main
frame. The issue I have is in finding any documentation on how to add
attributes to the publisher channel on the mainframe. Any direction
would be greatly appreciated. An example would be even better.

I am specifically wanting to get out intruder attempts and last login.


--
stuartbyrnes
------------------------------------------------------------------------
stuartbyrnes's Profile: https://forums.netiq.com/member.php?userid=1312
View this thread: https://forums.netiq.com/showthread.php?t=51760

  • On Tue, 16 Sep 2014 13:55:25 0000, stuartbyrnes wrote:

    > I have built quite a few drivers over the years using DirXML (IDM). I
    > have been recently tasked with attaching our identity vault to our main
    > frame. The issue I have is in finding any documentation on how to add
    > attributes to the publisher channel on the mainframe.


    Does the connected system support the attributes you're trying to get? Is
    this a question of how to get the shim to do so?


    --
    --------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu
    Knowledge Partner http://forums.netiq.com

  • On 9/16/2014 9:55 AM, stuartbyrnes wrote:
    >
    > I have built quite a few drivers over the years using DirXML (IDM). I
    > have been recently tasked with attaching our identity vault to our main
    > frame. The issue I have is in finding any documentation on how to add
    > attributes to the publisher channel on the mainframe. Any direction
    > would be greatly appreciated. An example would be even better.
    >
    > I am specifically wanting to get out intruder attempts and last login.


    Side note: i5os - aka AS400 aka IBM something or other series is a Midrange.

    RACF, Top Secret, and ACF2 are the security frameworks (each with their
    own custom driver) that are commonly known as mainframes.

    So step 1, are you on the right driver? :)

    If you look at schema after you extend it with the file from the
    AS400/i5os driver, you will see a ton of DirXML-i5osXXXXXXX attributes.

    In principle those are the known set of AS400 side attributes you can
    pick out of AS400. You will need to know their name on the AS400 side
    of course.


  • Thanks for the reply!

    The attributes do not exist. I need to add them. I need to know how to
    get at the shim to do so. Specifically, I need to get out last login and
    intruder attempts.


    --
    stuartbyrnes

  • On 9/16/2014 1:45 PM, stuartbyrnes wrote:
    >
    > Thanks for the reply!
    >
    > The attributes do not exist. I need to add them. I need to know how to
    > get at the shim to do so. Specifically, I need to get out last login and
    > intruder attempts.


    So the way IDM works is, the source system has to have the data.

    Does AS400 have the data?

    If not, how do you expect to get something the system does not contain?

    Now, having said all that, it is nice if you understand how the AS400
    driver works. It is basically a Scripting driver for AS400, I think
    using the CL command language.

    So... Do you have an AS400 resource? Does he know AS400 well enough to
    figure out how to get the data you want? If so, he can look at the CL
    Scripts and modify them to generate the attributes if the shim asks for
    them.



  • I am using the iseries driver connected to iseries (midrange). The
    driver is up and connected and working with built in attributes out of
    the box. I just need a bit more information out of the iseries side.
    Specifically, I need intruder attempts and last login.


    --
    stuartbyrnes


  • Thanks for replying!

    The data is there and I already have some queries written by our
    resource to get it out. I just can't find where the CL scripts are that
    need editing. I can find the CL scripts for the subscriber, but not the
    publisher. I assume it works by polling for changes, but I could be
    wrong.


    --
    stuartbyrnes


  • stuartbyrnes;248740 Wrote:
    > I have built quite a few drivers over the years using DirXML (IDM). I
    > have been recently tasked with attaching our identity vault to our main
    > frame. The issue I have is in finding any documentation on how to add
    > attributes to the publisher channel on the mainframe. Any direction
    > would be greatly appreciated. An example would be even better.
    >
    > I am specifically wanting to get out intruder attempts and last login.


    Hi,

    The i5os Driver leverages the QIDM_QSY_CHG_PROFILE exit point to capture
    i5os Profile changes for the Publisher channel. Unfortunately, the
    driver's implementation has a hard-coded list of attributes that it
    listens for, and Last Login and Intruder Attempts are not in that list.
    The list was chosen for attributes that can be synchronized
    bidirectionally. There wouldn't be any scripts that you could modify to
    plug-in to this process and the changelog functionality does not have a
    public interface.

    I would recommend you open an enhancement request at bugzilla.novell.com
    and request additional attributes be added to the Exit implementation.

    Thanks,
    -Jeremy


    --
    jgrieshop
    ------------------------------------------------------------------------
    jgrieshop's Profile: https://forums.netiq.com/member.php?userid=483

  • On 9/17/14, 9:57 PM, jgrieshop wrote:
    >
    > stuartbyrnes;248740 Wrote:
    >> I have built quite a few drivers over the years using DirXML (IDM). I
    >> have been recently tasked with attaching our identity vault to our main
    >> frame. The issue I have is in finding any documentation on how to add
    >> attributes to the publisher channel on the mainframe. Any direction
    >> would be greatly appreciated. An example would be even better.
    >>
    >> I am specifically wanting to get out intruder attempts and last login.

    >
    > Hi,
    >
    > The i5os Driver leverages the QIDM_QSY_CHG_PROFILE exit point to capture
    > i5os Profile changes for the Publisher channel. Unfortunately, the
    > driver's implementation has a hard-coded list of attributes that it
    > listens for, and Last Login and Intruder Attempts are not in that list.
    > The list was chosen for attributes that can be synchronized
    > bidirectionally. There wouldn't be any scripts that you could modify to
    > plug-in to this process and the changelog functionality does not have a
    > public interface.
    >
    > I would recommend you open an enhancement request at bugzilla.novell.com
    > and request additional attributes be added to the Exit implementation.
    >
    > Thanks,
    > -Jeremy


    For enhancement requests please use https://www.novell.com/rms

    Casper


  • jgrieshop;248822 Wrote:
    > Hi,
    >
    > The i5os Driver leverages the QIDM_QSY_CHG_PROFILE exit point to capture
    > i5os Profile changes for the Publisher channel. Unfortunately, the
    > driver's implementation has a hard-coded list of attributes that it
    > listens for, and Last Login and Intruder Attempts are not in that list.
    > The list was chosen for attributes that can be synchronized
    > bidirectionally. There wouldn't be any scripts that you could modify to
    > plug-in to this process and the changelog functionality does not have a
    > public interface.
    >
    > I would recommend you open an enhancement request at bugzilla.novell.com
    > and request additional attributes be added to the Exit implementation.
    >
    > Thanks,
    > -Jeremy


    Thanks for the info. I will figure out a work around for now and put in
    an enhancement request.


    --
    stuartbyrnes

  • On 9/18/2014 1:55 PM, stuartbyrnes wrote:
    >
    > jgrieshop;248822 Wrote:
    >> Hi,
    >>
    >> The i5os Driver leverages the QIDM_QSY_CHG_PROFILE exit point to capture
    >> i5os Profile changes for the Publisher channel. Unfortunately, the
    >> driver's implementation has a hard-coded list of attributes that it
    >> listens for, and Last Login and Intruder Attempts are not in that list.
    >> The list was chosen for attributes that can be synchronized
    >> bidirectionally. There wouldn't be any scripts that you could modify to
    >> plug-in to this process and the changelog functionality does not have a
    >> public interface.
    >>
    >> I would recommend you open an enhancement request at bugzilla.novell.com
    >> and request additional attributes be added to the Exit implementation.
    >>
    >> Thanks,
    >> -Jeremy

    >
    > Thanks for the info. I will figure out a work around for now and put in
    > an enhancement request.


    Do let us know if you do figure out a way.

    Perhaps the developers could consider the case of 'reading' the
    attribute on demand, versus 'eventing' on the change of the attribute.
    If that would be of value. You could poll for it, if that was important
    as a workaround?