
Aegis LDAP Adapter – Update 2 : Password Reset, Groups Memberships and more...


Welcome to the IQLdap Adapter Update 2 (version 0.6.0.0).

This update is the first to tackle specific tasks which were already possible with previous versions, though mainly with a bit of grunt work, such as group membership management, resetting passwords and enabling/disabling accounts.

It also allows 'Activity Bundles' to be added without changes to the adapter itself. So rather than using the generic Add Object activity, a specific activity for Active Directory can be added which has inputs for the commonly used attributes of an Active Directory user. While these functions are possible currently, you need to go and search for attribute names etc. to achieve them, so this will make populating activities much simpler. An Activity Bundle for NetIQ eDirectory is on the way!

Back to this update though... This is the list of new activities in this update, with descriptions.


Password Reset Activity

Up to this version, password resets were possible on eDirectory, OpenLDAP and Oracle Internet Directory, but with varying levels of difficulty. Problem #1 is finding which attribute to change! After that, different algorithms are used to convert the password text into the format required by the LDAP server. For Active Directory it isn't possible to generate the required data type within a workflow, so password resets were not possible previously.

If you did jump the hurdles and managed password resets, well done! However, both in designer mode and at run-time those passwords were likely visible in plain text in the workflow: the input attribute value field is generic, so it doesn't know to mask a password.

The Password Reset activity makes this much simpler ... you don't need to know the attribute name, passwords can be entered as plain text and they are masked at design and runtime.


With Password Resets you still need to follow the rules defined by the target LDAP Directory.  Active Directory for example will only allow password resets if using an SSL connection.
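As an added illustration (not code from the adapter or the original post) of why the old approach needed per-directory knowledge: each directory wants the new password in a different form, Active Directory additionally refuses resets over a non-SSL connection, and the value should be masked wherever it is displayed or logged. The directory type labels are assumed; the attribute names (unicodePwd, userPassword) and the {SSHA} format are real.

```python
import base64
import hashlib
import os
from urllib.parse import urlparse


def ad_unicode_pwd(password):
    # Active Directory takes the new password in the unicodePwd attribute as a
    # double-quoted string encoded UTF-16LE; a workflow cannot build this byte
    # string itself, which is what the activity now does for you.
    return f'"{password}"'.encode("utf-16-le")


def openldap_ssha(password, salt=None):
    # One common OpenLDAP userPassword format, {SSHA}: base64(sha1(pw + salt) + salt)
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    # Recompute the digest with the salt carried at the end of the stored value.
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def password_reset_mod(directory_type, server_url, password):
    """Return the (attribute, value) pair for an LDAP replace operation.

    Directory type labels are assumed. Active Directory refuses password
    resets unless the connection uses SSL, so a plain ldap:// URL is rejected.
    """
    if directory_type == "ActiveDirectory":
        if urlparse(server_url).scheme.lower() != "ldaps":
            raise ValueError("Active Directory needs an SSL (ldaps://) connection for password resets")
        return "unicodePwd", ad_unicode_pwd(password)
    if directory_type == "OpenLDAP":
        return "userPassword", openldap_ssha(password).encode("ascii")
    if directory_type in ("eDirectory", "OID"):
        # Assumed: the clear-text value is sent and the server stores it in
        # its own format; each directory still applies its own policy rules.
        return "userPassword", password.encode("utf-8")
    raise ValueError(f"unsupported directory type: {directory_type}")


def masked(password):
    # What the designer and run-time views should show instead of the value.
    return "*" * len(password)
```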


User Enable/Disable Activity

This activity works for eDirectory, Active Directory and Oracle Internet Directory. OpenLDAP doesn't have a user attribute for enabled/disabled so it's not possible, although there are a few workarounds, none of which I felt would suit all cases. If I am wrong on this let me know!!!

Again, this is possible with the Modify Attribute activity with varying levels of difficulty, so this simplifies it again.


If you do try to disable an OpenLDAP account you will get an error. You can use alternative methods with the Modify Attribute activity, for example to expire the user; you may need to store the account's original expiration date in order to re-enable it.
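An added example (not the adapter's code) of what enable/disable means per directory and of the OpenLDAP expiry workaround described above, including saving the original value for re-enabling. Directory type labels are assumed; the attribute names are each directory's real ones.

```python
from datetime import date

ACCOUNTDISABLE = 0x0002  # the 'account disabled' bit in AD's userAccountControl
EPOCH = date(1970, 1, 1)


def enable_disable_mods(directory_type, current=None, disable=True):
    """Return a list of (attribute, new_value) replace operations.

    `current` is the attribute's present value; Active Directory needs it
    because the flag is one bit inside userAccountControl. Directory type
    labels are assumed; the attribute names are each directory's real ones.
    """
    if directory_type == "ActiveDirectory":
        uac = int(current)
        uac = uac | ACCOUNTDISABLE if disable else uac & ~ACCOUNTDISABLE
        return [("userAccountControl", str(uac))]
    if directory_type == "eDirectory":
        return [("loginDisabled", "TRUE" if disable else "FALSE")]
    if directory_type == "OID":
        return [("orclIsEnabled", "DISABLED" if disable else "ENABLED")]
    if directory_type == "OpenLDAP":
        # No enable/disable user attribute exists, so the activity errors out.
        raise ValueError("OpenLDAP has no user enable/disable attribute")
    raise ValueError(f"unsupported directory type: {directory_type}")


def openldap_expiry_workaround(disable, saved_expire=None, today=None):
    """Modify Attribute workaround for OpenLDAP entries of the shadowAccount class.

    Disabling sets shadowExpire (days since 1970-01-01) to yesterday. Read and
    keep the original value first: re-enabling restores it, or deletes the
    attribute (value None) when there was none. Caveat: shadowExpire is
    honoured by clients that consult shadow attributes (e.g. PAM), not by an
    LDAP bind itself. `today` is an ISO date string, for deterministic tests.
    """
    today = date.fromisoformat(today) if today else date.today()
    if disable:
        return [("shadowExpire", str((today - EPOCH).days - 1))]
    return [("shadowExpire", saved_expire)]
```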


Test Authenticate Activity

This activity allows you to check if a user's password is valid, or indeed if the user has been enabled/disabled by the previous activity. This is a new feature and wasn't possible with the existing activities. Again, passwords are masked at input at both design and run time. This activity outputs a simple Boolean True/False depending on whether the authentication attempt was successful.


Add or Remove Members to Groups Activity

Adding and removing users to and from groups is possible with the Modify Object Attribute activity, but again it varies depending on the directory type. eDirectory for example requires attributes on both the 'member' object and the 'group' object to be updated, while Active Directory requires only an attribute on the 'group' object to be modified. Attribute names vary both between directories and with the type of group you are dealing with. The activity currently works with common group types. So again this activity really simplifies add and remove operations. It also allows you to do bulk operations by specifying arrays of both groups and member objects.

Use this activity to add or remove multiple objects to multiple groups or from multiple groups in a single step.
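An added example (not the adapter's code) of the per-directory differences just described, carried through to a bulk operation over arrays of groups and members. Directory type labels are assumed, as is that OID groups are groupOfUniqueNames; the attribute names are real.

```python
from collections import defaultdict

# Attributes that hold the membership on the group entry, per directory type
# (type labels assumed; OID groups assumed to be groupOfUniqueNames).
GROUP_SIDE = {
    "eDirectory": ("member", "equivalentToMe"),
    "ActiveDirectory": ("member",),
    "OpenLDAP": ("member",),            # groupOfNames
    "OID": ("uniqueMember",),           # groupOfUniqueNames
}
# eDirectory also stores membership on the member entry; the others do not.
MEMBER_SIDE = {"eDirectory": ("groupMembership", "securityEquals")}


def membership_mods(directory_type, group_dns, member_dns, add=True):
    """Return (target_dn, attribute, op, value) tuples for a bulk add/remove
    of every member in member_dns to/from every group in group_dns."""
    if directory_type not in GROUP_SIDE:
        raise ValueError(f"unsupported directory type: {directory_type}")
    op = "add" if add else "delete"
    mods = []
    for group in group_dns:
        for member in member_dns:
            for attr in GROUP_SIDE[directory_type]:
                mods.append((group, attr, op, member))
            for attr in MEMBER_SIDE.get(directory_type, ()):
                mods.append((member, attr, op, group))
    return mods


def per_entry(mods):
    """Group the changes by target DN so each entry receives one LDAP modify
    request carrying all of its attribute changes."""
    grouped = defaultdict(list)
    for dn, attr, op, value in mods:
        grouped[dn].append((attr, op, value))
    return dict(grouped)
```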


Modify Object Attributes Activity

The original 'Modify Object' activity allowed you to modify one attribute of an object and choose the operation of add/delete/replace. If you were trying to modify a large number of attributes, this required looping through the attributes and making each change separately. This activity is now renamed to the 'Modify Object Attribute' activity.

A new activity, 'Modify Object Attributes', handles bulk operations. It accepts the same name/value pair table as the Create Object activity for defining attribute values. The only caveat is that all attribute changes have to be the same operation, i.e. all replace, all delete or all add operations.


Other than that there are a number of improvements under the hood and some groundwork for LDIF import/export in a future update! As always, be sure to test your workflows well before putting them into a production environment, especially where changes are being made to your directory.


Installation Instructions

This version can either be applied in full, or as an upgrade to the original version (0.2.0.0), which is here, or to version 0.4.0.0.

For a new installation, follow the installation instructions here but using the zip file attachment from this page.

For an upgrade follow the instructions below:

    1. Copy the updated IQLdapAdapterCommunityXXXX.zip file to your installation folder: <installdrive>:\Program Files (x86)\NetIQ. Aegis should be a sub-folder at this location. This location will be referred to as <installpath> in the next steps.

    2. Stop the NetIQ Aegis Namespace Provider Service and dependent services (NetIQ Aegis Engine, NetIQ Aegis Activity Broker). Close the Adapter Configuration Utility if open.

    3. Unzip IQLdapAdapterXXXXXX.zip to <installpath> directly. Do not unzip it into a subfolder; extract it over the existing Aegis folder structure.

    4. Restart the NetIQ Aegis Namespace Provider Service and dependent services (NetIQ Aegis Engine, NetIQ Aegis Activity Broker).

    5. Open an elevated command prompt (Run As Administrator) and navigate to:
       <installpath>\Aegis\IQConnect73\bin

    6. Execute the load_iqldapLibrary.cmd command with the following parameters:

       server - hostname or FQDN of the server running the "NetIQ Aegis Namespace Provider" service (an IP address will work, but will need to be updated if it changes in the future)
       port - the port the "NetIQ Aegis Namespace Provider" service runs on (probably 2219)
       domain - the domain of the Aegis Service account
       service account - the Aegis Service Account
       service account password - the Aegis Service Account password

       Example:
       load_iqldapLibrary.cmd myAegisServer 2219 myDomain aegissvc PaZZwOrd

       The last line of output should include:
       Finished processing '..\mof\IQLdapActivitiesLibrary.mof'. Processed 2 instances.


And that's it!
Version history: Revision 1 of 1, last update 2014-07-25 20:11