DirXML 2 Driver


What the driver does

This simple loopback driver writes a record to a log file (c:\orphans.log) whenever the last member is deleted from a dynamicGroup, or whenever the last group membership for a dynamicGroup is deleted from a user. It leverages the advanced Java class.

One reason this driver is useful is when security is a concern: users without group memberships, or groups (dynamicGroup in our case) without members, correspond to users without privileges or privileges (groups) without grantees. By identifying unneeded users or groups, it is possible to eliminate security breaches associated with unneeded accounts and privileges.

This driver does not scan eDirectory and generate a report. It needs to be running in order to fire on the events that create orphans (users without groups and groups without members).

This driver can be modified to log events to a channel other than the c:\orphans.log file on the DirXML server running the driver. It also writes messages to DSTrace, and could be modified to generate errors that could be registered in Novell Audit, for example.

Subscriber Channel:

A Command Transform stylesheet has two templates that fire on modify events (which are converted to Add events because there is no association) for the dynamicGroup and User classes.

If the last member is removed from a dynamicGroup, or if the last group membership is removed from a User, the log is updated.
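The orphan check described above, as an added example that is not the driver's own stylesheet or Java class: it inspects the converted Add events in an XDS document and writes a record for any dynamicGroup left without a member value or User left without a Group Membership value. It assumes the converted Add carries the object's current attribute values, and the attribute names and sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Attribute whose absence marks an orphan, keyed by object class
# (assumed eDirectory attribute names).
ORPHAN_ATTR = {"dynamicGroup": "member", "User": "Group Membership"}

# Constructed XDS sample: a group with no member left, and a user who still has one.
SAMPLE_XDS = r"""<nds dtdversion="2.0">
 <input>
  <add class-name="dynamicGroup" src-dn="\TREE\Org\Groups\Developers" event-id="1">
   <add-attr attr-name="CN"><value>Developers</value></add-attr>
  </add>
  <add class-name="User" src-dn="\TREE\Org\Users\jdoe" event-id="2">
   <add-attr attr-name="CN"><value>jdoe</value></add-attr>
   <add-attr attr-name="Group Membership">
    <value type="dn">\TREE\Org\Groups\Admins</value>
   </add-attr>
  </add>
 </input>
</nds>"""

def find_orphans(xds_xml):
    """Return (class-name, src-dn) for every <add> whose object has no value
    of the attribute that gives a group members or a user a membership."""
    orphans = []
    for add in ET.fromstring(xds_xml).iter("add"):
        attr = ORPHAN_ATTR.get(add.get("class-name"))
        if attr is None:
            continue  # classes the driver does not watch
        has_value = any(
            a.get("attr-name") == attr and a.find("value") is not None
            for a in add.findall("add-attr")
        )
        if not has_value:
            orphans.append((add.get("class-name"), add.get("src-dn")))
    return orphans

def orphan_record(class_name, dn, when=None):
    """Format one log line with a UTC timestamp so entries correlate easily."""
    when = when or datetime.now(timezone.utc)
    return f"{when.isoformat()} ORPHAN {class_name} {dn}\n"

def log_orphans(xds_xml, log_path):
    """Append one record per orphan to log_path and return the orphans found."""
    orphans = find_orphans(xds_xml)
    with open(log_path, "a", encoding="utf-8") as log:
        for class_name, dn in orphans:
            log.write(orphan_record(class_name, dn))
    return orphans
```

Running `log_orphans(SAMPLE_XDS, "orphans.log")` appends a line for the Developers group only, since jdoe still holds a membership.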

