Related Tips & Info

Bidirectional Driver for eDirectory - Working with DN Attributes

tschloesser
0 Likes
Working with the new Driver for eDirectory I found some things, which are worth to talk about, since they are a kind of special.

In my article Bidirectional Driver for eDirectory – Some hints and workarounds it was pointing out that the driver filter could cause some trouble. I want to stress what is to be done when working with DN attributes like group membership.

In a current project I had to manage a couple of groups in the connected eDirectory without really syncing the groups. Meaning, depending on certain attribute values in the IDM directory, a user should be added or removed from a group in the managed system. Since at the beginning we were only talking about one or two groups, we determined not to use group entitlements with the driver.

Since the driver uses LDAP on the subscriber channel, we configured some rules to set the corresponding attributes on the group and user and made sure those attributes were mapped correctly in the driver’s schema mapping. We although ensured that the values of the four attributes (Member, Equivalent To Me, Group Membership and Security Equals) used the LDAP syntax of the corresponding objects in the managed eDirectory. But this did not work out. The engine automatically removed all four attributes values from the operation because of missing association references. 
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.5">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20140821122735.464Z" class-name="User" event-id="idm-ds01#20140821122735#1#1:c80858b5-d811-4387-ee9d-b55808c811d8" qualified-src-dn="O=corp\OU=Data\OU=User\OU=active\CN=ar29jyfa" src-dn="\IDMS-DEV\tu-darmstadt\Data\User\active\ar29jyfa" src-entry-id="367904" timestamp="0#0">
<association state="associated">F9ED5620995BEB40CD88F9ED5620995B</association>
<modify-attr attr-name="idmUserPolicyAcceptedDfnShib">
<remove-value>
<value timestamp="1408623146#1" type="string">20130709</value>
</remove-value>
</modify-attr>
</modify>
<modify class-name="Group" dest-dn="cn=service-dfnshib-user,ou=USER,o=corp" event-id="idm-ds01#20140821122735#1#1:c80858b5-d811-4387-ee9d-b55808c811d8">
<modify-attr attr-name="Member">
<remove-value>
<value type="dn">cn=ar,ou=user,o=corp</value>
</remove-value>
</modify-attr>
<modify-attr attr-name="Equivalent To Me">
<remove-value>
<value type="dn">cn=ar,ou=user,o=corp</value>
</remove-value>
</modify-attr>
</modify>
<modify class-name="User" event-id="idm-ds01#20140821122735#1#1:c80858b5-d811-4387-ee9d-b55808c811d8" qualified-src-dn="O=corp\OU=Data\OU=User\OU=active\CN=ar" src-dn="\IDMS-DEV\corp\Data\User\active\ar" src-entry-id="367904">
<association>F9ED5620995BEB40CD88F9ED5620995B</association>
<modify-attr attr-name="Group Membership">
<remove-value>
<value type="dn">cn=service-dfnshib-user,ou=USER,o=corp/value>
</remove-value>
</modify-attr>
<modify-attr attr-name="Security Equals">
<remove-value>
<value type="dn">cn=service-dfnshib-user,ou=USER,o=corp</value>
</remove-value>
</modify-attr>
</modify>
</input>
</nds>
[08/21/14 14:27:35.744]:TU-ID ST:Filtering out notification-only attributes.
[08/21/14 14:27:35.745]:TU-ID ST: Filtered out <modify-attr attr-name='idmUserPolicyAcceptedDfnShib'>.
[08/21/14 14:27:35.745]:TU-ID ST: Filtered out <modify class-name='User'>.
[08/21/14 14:27:35.746]:TU-ID ST:Fixing up association references.
[08/21/14 14:27:35.749]:TU-ID ST:
DirXML Log Event -------------------
Driver: \IDMS-DEV\tu-darmstadt\res\DriverSet\TU-ID
Channel: Subscriber
Object: \IDMS-DEV\tu-darmstadt\Data\User\active\ar29jyfa
Status: Warning
Message: Code(-8003) Unable to synchronize reference to cn=ar,ou=user,o=tu from attribute Member.


The solution can be found in the policy representing the entitlement implementation for groups. The following rules show how to add an association-ref xlm attribute to each value of the group and user attributes in the managed system. It uses the attribute "idmUserPolicyAccepted" as a trigger to provision the group in the managed eDirectory. 

 <rule>
 <description>handle DFN-AAI Group</description>
 <comment xml:space="preserve">If attribute idmUserPolicyAcceptedDfnShib contains a value the user should be added to the DFN-AAI group. If all values are removed from this attribute the user must be removed from the group as well.</comment>
 <conditions>
 <and>
 <if-operation mode="regex" op="equal">sync|modify</if-operation>
 <if-class-name mode="nocase" op="equal">User</if-class-name>
 <if-op-attr name="idmUserPolicyAcceptedDfnShib" op="changing"/>
 </and>
 </conditions>
 <actions>
 <do-set-local-variable name="lv.UserDestDN" scope="policy">
 <arg-string>
 <token-resolve datastore="dest">
 <arg-association>
 <token-association/>
 </arg-association>
 </token-resolve>
 </arg-string>
 </do-set-local-variable>
 <do-set-local-variable name="lv.GroupDestAsspciation" scope="policy">
 <arg-string>
 <token-resolve datastore="dest">
 <arg-dn>
 <token-global-variable name="gcDr.DfnGrp"/>
 </arg-dn>
 </token-resolve>
 </arg-string>
 </do-set-local-variable>
 <do-if>
 <arg-conditions>
 <and>
 <if-op-attr name="idmUserPolicyAcceptedDfnShib" op="available"/>
 </and>
 </arg-conditions>
 <arg-actions>
 <do-add-dest-attr-value class-name="Group" name="Member">
 <arg-association>
 <token-local-variable name="lv.GroupDestAsspciation"/>
 </arg-association>
 <arg-value type="dn">
 <token-local-variable name="lv.UserDestDN"/>
 </arg-value>
 </do-add-dest-attr-value>
 <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
 <arg-string>
 <token-association/>
 </arg-string>
 </do-set-xml-attr>
 <do-add-dest-attr-value class-name="Group" name="Equivalent To Me">
 <arg-association>
 <token-local-variable name="lv.GroupDestAsspciation"/>
 </arg-association>
 <arg-value type="dn">
 <token-local-variable name="lv.UserDestDN"/>
 </arg-value>
 </do-add-dest-attr-value>
 <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
 <arg-string>
 <token-association/>
 </arg-string>
 </do-set-xml-attr>
 <do-add-dest-attr-value class-name="User" name="Group Membership">
 <arg-value type="dn">
 <token-global-variable name="gcDr.DfnGrp"/>
 </arg-value>
 </do-add-dest-attr-value>
 <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
 <arg-string>
 <token-local-variable name="lv.GroupDestAsspciation"/>
 </arg-string>
 </do-set-xml-attr>
 <do-add-dest-attr-value class-name="User" name="Security Equals">
 <arg-value type="dn">
 <token-global-variable name="gcDr.DfnGrp"/>
 </arg-value>
 </do-add-dest-attr-value>
 <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
 <arg-string>
 <token-local-variable name="lv.GroupDestAsspciation"/>
 </arg-string>
 </do-set-xml-attr>
 </arg-actions>
 <arg-actions>
 <do-remove-dest-attr-value class-name="Group" name="Member">
 <arg-association>
 <token-local-variable name="lv.GroupDestAsspciation"/>
 </arg-association>
 <arg-value type="dn">
 <token-local-variable name="lv.UserDestDN"/>
 </arg-value>
 </do-remove-dest-attr-value>
 <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
 <arg-string>
 <token-association/>
 </arg-string>
 </do-set-xml-attr>
 <do-remove-dest-attr-value class-name="Group" name="Equivalent To Me">
 <arg-association>
 <token-local-variable name="lv.GroupDestAsspciation"/>
 </arg-association>
 <arg-value type="dn">
 <token-local-variable name="lv.UserDestDN"/>
 </arg-value>
 </do-remove-dest-attr-value>
 <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
 <arg-string>
 <token-association/>
 </arg-string>
 </do-set-xml-attr>
 <do-remove-dest-attr-value class-name="User" name="Group Membership">
 <arg-value type="dn">
 <token-global-variable name="gcDr.DfnGrp"/>
 </arg-value>
 </do-remove-dest-attr-value>
 <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
 <arg-string>
 <token-local-variable name="lv.GroupDestAsspciation"/>
 </arg-string>
 </do-set-xml-attr>
 <do-remove-dest-attr-value class-name="User" name="Security Equals">
 <arg-value type="dn">
 <token-global-variable name="gcDr.DfnGrp"/>
 </arg-value>
 </do-remove-dest-attr-value>
 <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
 <arg-string>
 <token-local-variable name="lv.GroupDestAsspciation"/>
 </arg-string>
 </do-set-xml-attr>
 </arg-actions>
 </do-if>
 </actions>
 </rule>


With both the association reference and the value in the LDAP-Syntax the DN attributes can be managed as usual.

Labels:

How To-Best Practice
Comment List
Related
Recommended

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.