IDM Driver Walkthrough: GroupWise (Part 3 of 4)

Introduction

In this, part 3 of 4, the Subscriber Command Transform, the Filter and the Schema Mapping are covered.


Subscriber Command Transform

Policy Set: sub-ctp-EntitlementsImpl

Rule: DL Entitlement: add or remove DL memberships

Purpose: This rule transforms changes to the list of GroupWise Distribution Lists the user is entitled to into events to implement those changes in GroupWise.

Rule: Account Entitlement: Enable or Disable account

Purpose: If the driver has been configured (driver.gw.ent.account.remove = disable) to disable the GroupWise mailbox when the associated User object is deleted, and if the user's entitlement to a GroupWise mailbox (gwAccount) is changing, then this rule transforms the change in entitlements into events to implement the entitlement. The mailbox will be enabled or disabled based on the user's entitlement to it.

Note: See the notes above on Disabled and Expired and what they mean to GroupWise.



Rule: Account Entitlement: Expire or Unexpire account

Purpose: If the driver has been configured (driver.gw.ent.account.remove = expire) to expire the GroupWise mailbox when the associated User object is deleted, and if the user's entitlement to a GroupWise mailbox (gwAccount) is changing, then this rule transforms the change in entitlements into events to implement the entitlement. The mailbox will be expired or unexpired based on the user's entitlement to it.



Rule: Account Entitlement: Enable/Unexpire or Disable/Expire account

Purpose: If the driver has been configured (driver.gw.ent.account.remove = dispire) to disable and expire the GroupWise mailbox when the associated User object is deleted, and if the user's entitlement to a GroupWise mailbox (gwAccount) is changing, then this rule transforms the change in entitlements into events to implement the entitlement. The mailbox will be expired and disabled, or unexpired and enabled, based on the user's entitlement to it.



Rule: Account Entitlement remove: Delete account

Purpose: If the driver has been configured (driver.gw.ent.account.remove = delete) to remove the GroupWise mailbox when the associated User object is deleted, and if the user's entitlement to a GroupWise mailbox (gwAccount) is changing, then this rule transforms the change in entitlements into events to implement the entitlement. The mailbox will be deleted because the user is no longer entitled to it.

Note: Additionally, the XML attribute gw:original-event on the Delete is set to "modify" here. Why?
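
As an added illustration of what the account-entitlement rules above look like in DirXML Script (this is example code written for this walkthrough, not the policy XML shipped with the GroupWise driver), here is the delete variant. The GCV names drv.entitlement.GWAccount and driver.gw.ent.account.remove, the gwAccount entitlement and the gw:original-event attribute are taken from the text; the namespace URI bound to the gw prefix, the changing plus available test used to tell a grant from a revoke, and the XPath used to reach the generated delete are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for this walkthrough, not the policy shipped with the GroupWise driver.
     The URI bound to the gw prefix is a placeholder; use the driver's real namespace. -->
<policy xmlns:gw="urn:placeholder:groupwise-driver-namespace">
  <rule>
    <description>Account Entitlement remove: Delete account (example)</description>
    <conditions>
      <and>
        <!-- Gate on the two GCVs: entitlements are in use, and the remove action is delete. -->
        <if-global-variable mode="nocase" name="drv.entitlement.GWAccount" op="equal">true</if-global-variable>
        <if-global-variable mode="nocase" name="driver.gw.ent.account.remove" op="equal">delete</if-global-variable>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-operation mode="nocase" op="equal">modify</if-operation>
        <!-- The gwAccount entitlement is what this modify is changing. -->
        <if-entitlement name="gwAccount" op="changing"/>
      </and>
    </conditions>
    <actions>
      <do-if>
        <arg-conditions>
          <and>
            <!-- Assumption: "available" after "changing" means the entitlement was just granted. -->
            <if-entitlement name="gwAccount" op="available"/>
          </and>
        </arg-conditions>
        <arg-actions>
          <!-- Grant: nothing to do in this rule; the walkthrough describes only the revoke side here. -->
          <do-trace-message level="1">
            <arg-string>
              <token-text xml:space="preserve">gwAccount granted for </token-text>
              <token-src-dn/>
              <token-text>; no delete action</token-text>
            </arg-string>
          </do-trace-message>
        </arg-actions>
        <arg-actions>
          <!-- Revoke: remove the GroupWise object associated with this User. -->
          <do-trace-message level="1">
            <arg-string>
              <token-text xml:space="preserve">gwAccount revoked for </token-text>
              <token-src-dn/>
              <token-text>; deleting GroupWise mailbox</token-text>
            </arg-string>
          </do-trace-message>
          <do-delete-dest-object when="after"/>
          <!-- Tag the generated delete so later policy can tell it came from a modify.
               Assumption: with when="after" the delete is appended after the current
               operation, so it is the last delete sibling of the current element. -->
          <do-set-xml-attr expression="../delete[last()]" name="gw:original-event">
            <arg-string>
              <token-text>modify</token-text>
            </arg-string>
          </do-set-xml-attr>
          <!-- The original modify is pointless for an object that is being deleted. -->
          <do-veto/>
        </arg-actions>
      </do-if>
    </actions>
  </rule>
</policy>
```

The disable, expire and dispire variants described above differ only in the GCV value matched and in replacing the delete with attribute changes on the GroupWise object. The do-veto at the end matters: without it the original modify would still be sent to the shim for an object that is about to be deleted.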



Policy Set: sub-ctp-Audit-TagEvent

Rule: User gwAccount Entitlement change (Delete Option)

Purpose: This rule checks two Global Configuration Values (drv.entitlement.GWAccount and driver.gw.ent.account.remove) to see if it should activate. This rule is used to handle the GroupWise driver being configured to Create or Delete the GW mailbox when the entitlement is changed. It then also checks to see if the object being processed is a User, if the event is an Add or Modify, and to see if the gwAccount entitlement is what is changing (the reason that this User is being added or modified). If all of these conditions are true, then several Operation Properties are added to the current event. These contain the following data:

  • accountAction - why this object is being processed
  • sourceDN - the DN of the object
  • association - the association value for this object
  • guid - the eDirectory GUID of the object
  • objectClass - User

This data is then forwarded to the configured audit platform agent.



Rule: User gwAccount Entitlement change (Disable Option)

Purpose: This rule checks two Global Configuration Values (drv.entitlement.GWAccount and driver.gw.ent.account.remove) to see if it should activate. This rule is used to handle the GroupWise driver being configured to Expire/Unexpire or Enable/Disable the GW mailbox when the entitlement is changed. It then also checks to see if the object being processed is a User, if the event is an Add or Modify, and to see if the gwAccount entitlement is what is changing (the reason that this User is being added or modified). If all of these conditions are true, then several Operation Properties are added to the current event. These contain the following data:

  • accountAction - why this object is being processed
  • sourceDN - the DN of the object
  • association - the association value for this object
  • guid - the eDirectory GUID of the object
  • objectClass - User

This data is then forwarded to the configured audit platform agent.



Rule: User gwAccount Entitlement remove (Delete Option)

Purpose: This rule checks two Global Configuration Values (drv.entitlement.GWAccount and driver.gw.ent.account.remove) to see if it should activate. This rule is used to handle the GroupWise driver being configured to Create or Delete the GW mailbox when the entitlement is changed. It then also checks to see if the object being processed is a User, if the event is a Delete, and to see if the gwAccount entitlement is what is changing (the reason that this User is being deleted from GroupWise). If all of these conditions are true, then several Operation Properties are added to the current event. These contain the following data:

  • accountAction - why this object is being processed
  • sourceDN - the DN of the object
  • association - the association value for this object
  • guid - the eDirectory GUID of the object
  • objectClass - User

This data is then forwarded to the configured audit platform agent.

Note: Bug report (https://bugzilla.novell.com/show_bug.cgi?id=585166): the comments on the rules in this policy set all refer to Active Directory. This is the GroupWise driver!



Note: The accountAction operation data is used later on the Publisher channel (lib-AuditSendEntitlementEvents-itp-V1) to send entitlement updates to the auditing system.
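
Added example (written for this walkthrough, not the driver's own policy) of the audit tagging rule for Add/Modify events, showing how the five Operation Properties listed above are set with do-set-op-property so they travel with the event as operation-data for the Publisher-side lib-AuditSendEntitlementEvents-itp-V1 library to pick up. The accountAction values create and delete are constructed for the example, and reading the GUID with token-src-attr assumes the driver's eDirectory object is allowed to read the GUID attribute.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for this walkthrough, not the policy shipped with the GroupWise driver. -->
<policy>
  <rule>
    <description>User gwAccount Entitlement change (Delete Option) (example)</description>
    <conditions>
      <and>
        <if-global-variable mode="nocase" name="drv.entitlement.GWAccount" op="equal">true</if-global-variable>
        <if-global-variable mode="nocase" name="driver.gw.ent.account.remove" op="equal">delete</if-global-variable>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <!-- Add or Modify: a regex match covers both in one condition. -->
        <if-operation mode="regex" op="equal">add|modify</if-operation>
        <if-entitlement name="gwAccount" op="changing"/>
      </and>
    </conditions>
    <actions>
      <!-- accountAction: why this object is being processed. The values create/delete are
           constructed for this example; whatever is used must match what the Publisher-side
           audit library expects. -->
      <do-if>
        <arg-conditions>
          <and>
            <if-entitlement name="gwAccount" op="available"/>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-set-op-property name="accountAction">
            <arg-string><token-text>create</token-text></arg-string>
          </do-set-op-property>
        </arg-actions>
        <arg-actions>
          <do-set-op-property name="accountAction">
            <arg-string><token-text>delete</token-text></arg-string>
          </do-set-op-property>
        </arg-actions>
      </do-if>
      <!-- sourceDN: the eDirectory DN of the object being processed. -->
      <do-set-op-property name="sourceDN">
        <arg-string><token-src-dn/></arg-string>
      </do-set-op-property>
      <!-- association: empty on an Add that has not been associated yet, populated on a Modify. -->
      <do-set-op-property name="association">
        <arg-string><token-association/></arg-string>
      </do-set-op-property>
      <!-- guid: read from the source object; assumes the driver can read the GUID attribute. -->
      <do-set-op-property name="guid">
        <arg-string><token-src-attr name="GUID"/></arg-string>
      </do-set-op-property>
      <!-- objectClass: the class of the current object (User, given the condition above). -->
      <do-set-op-property name="objectClass">
        <arg-string><token-class-name/></arg-string>
      </do-set-op-property>
    </actions>
  </rule>
</policy>
```

One thing to verify in a real deployment: the Publisher-side library reads these properties by name, so the property names must match what it expects character for character, or the field is simply missing from the audit event with no error in the trace. The Delete-event rule is the same shape with if-operation matching delete and no grant branch.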



Policy Set: sub-ctp-TransformDistributionPassword

Rule: Convert add nspmDistributionPassword attribute to a modify-password operation

Purpose: This is one of the standard Universal Password password synchronization policies. It transforms the nspmDistributionPassword in an <add> document to a <modify-password> event, if the driver has been configured for password synchronization (password subscribe).

Rule: Convert modify nspmDistributionPassword attribute to a modify-password operation

Purpose: This is the second of the standard Universal Password password synchronization policies. It transforms the nspmDistributionPassword in a <modify> document to a <modify-password> event, if the driver has been configured for password synchronization (password subscribe).

Rule: Block empty modify operations

Purpose: The third of three standard Universal Password rules. If nothing remains of the <modify> document, this rule strips it. So if all that changed in the original modify is the password value, the modify-password event replaces it; otherwise, the other changes in the document will be processed because the document is non-empty.
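
The three rules above written out as an added example (standard password-sync policy as I would write it, not the exact XML shipped in the driver). enable-password-subscribe is the GCV name assumed here for "password subscribe"; when="after" on do-set-dest-password is used to request a separate <modify-password> command following the current operation, which is the assumed meaning of that attribute.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of the three Universal Password rules; not the shipped policy XML.
     enable-password-subscribe is the assumed name of the "password subscribe" GCV. -->
<policy>
  <rule>
    <description>Convert add nspmDistributionPassword attribute to a modify-password operation</description>
    <conditions>
      <and>
        <if-global-variable mode="nocase" name="enable-password-subscribe" op="equal">true</if-global-variable>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-operation mode="nocase" op="equal">add</if-operation>
        <if-op-attr name="nspmDistributionPassword" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- Ask the engine for a separate modify-password after the add, carrying the value. -->
      <do-set-dest-password when="after">
        <arg-string><token-op-attr name="nspmDistributionPassword"/></arg-string>
      </do-set-dest-password>
      <!-- Then make sure the clear-text value never travels as an ordinary attribute. -->
      <do-strip-op-attr name="nspmDistributionPassword"/>
    </actions>
  </rule>
  <rule>
    <description>Convert modify nspmDistributionPassword attribute to a modify-password operation</description>
    <conditions>
      <and>
        <if-global-variable mode="nocase" name="enable-password-subscribe" op="equal">true</if-global-variable>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-operation mode="nocase" op="equal">modify</if-operation>
        <if-op-attr name="nspmDistributionPassword" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-set-dest-password when="after">
        <arg-string><token-op-attr name="nspmDistributionPassword"/></arg-string>
      </do-set-dest-password>
      <do-strip-op-attr name="nspmDistributionPassword"/>
    </actions>
  </rule>
  <rule>
    <description>Block empty modify operations</description>
    <conditions>
      <and>
        <if-operation mode="nocase" op="equal">modify</if-operation>
        <!-- Nothing left after stripping: the modify has no modify-attr children. -->
        <if-xpath op="not-true">modify-attr</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Order matters: do-set-dest-password reads the attribute before do-strip-op-attr removes it, and the strip is also what keeps the distribution password out of the trace and out of any ordinary attribute write. The third rule then vetoes the hollowed-out modify, while the generated modify-password, already in the document, goes on to the shim.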



Filter



This is a standard Filter, containing the object classes and attributes that this driver is going to process on the Subscriber and Publisher channels. By default, User, GroupWise External Entity, GroupWise Distribution List, GroupWise Post Office, GroupWise Resource, Group, and Organizational Unit objects will be processed. Configuration, via Global Configuration Values, is used to control what this driver actually does.
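
An added sketch (not the driver's shipped filter) of what a filter listing the default object classes from the paragraph above looks like. The class names are the ones named there; the attributes under User and Group and their sync/notify settings are constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration of the driver filter structure; not the shipped filter.
     Classes are the ones the walkthrough lists; attribute lists are constructed placeholders. -->
<filter>
  <!-- Synchronize User both ways; the attributes chosen here are examples only. -->
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Surname" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="Given Name" publisher="sync" subscriber="sync"/>
    <!-- Notify on the Subscriber: the policies see the change, but it is not written as an attribute. -->
    <filter-attr attr-name="Login Disabled" publisher="ignore" subscriber="notify"/>
    <!-- nspmDistributionPassword must be in the filter for the password rules to see it. -->
    <filter-attr attr-name="nspmDistributionPassword" publisher="ignore" subscriber="notify"/>
  </filter-class>
  <filter-class class-name="Group" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Member" publisher="sync" subscriber="sync"/>
  </filter-class>
  <filter-class class-name="Organizational Unit" publisher="sync" subscriber="sync"/>
  <filter-class class-name="GroupWise External Entity" publisher="sync" subscriber="sync"/>
  <filter-class class-name="GroupWise Distribution List" publisher="sync" subscriber="sync"/>
  <filter-class class-name="GroupWise Post Office" publisher="sync" subscriber="sync"/>
  <filter-class class-name="GroupWise Resource" publisher="sync" subscriber="sync"/>
</filter>
```

The notify setting on nspmDistributionPassword is the usual choice for a password-subscribing driver: the attribute has to be in the filter for the Command Transform rules above to see it, but notify keeps it from being synchronized as a plain attribute if those rules are ever disabled.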



Schema Mapping



smp-DefaultSchemaMap



This is a standard IDM schema map, containing the mappings between eDirectory and GroupWise object class and attribute names.



Policy Set: smp-ExtendedSchemaMap



Note: This is a rather unusual place to find a policy set. Normally only schema mapping is done in the Schema Map.



Rule: Strip nspmDistributionPassword



Purpose: This rule unconditionally removes nspmDistributionPassword from all documents. Normally this is done in the Command Transform by one of the standard Universal Password password synchronization rules.



Rule: GW 6.5+ from eDir

Purpose: This rule checks to see if the driver is configured to work with a GroupWise 5.50 or a GroupWise 6.00 system. If not, it assumes that the driver is working with a GroupWise 6.5 or newer system. It then checks to see if the event being processed is coming from eDirectory (i.e. on the Subscriber) via the local variable fromNDS (equal to 'true'). Then, if the object being processed is a User, it fiddles with some attribute names to map eDirectory to GroupWise. This would normally be done by the schema map, but it appears that some of the GroupWise attribute names have changed between versions, so this bit of policy handles the conditional mapping needed to have one driver preconfig work with multiple versions of GroupWise.

Note: This rule shows two interesting things. First, that you can actually put Policy Builder script in the Schema Mapping, and second, that the local variable fromNDS is maintained by the engine (http://www.novell.com/documentation/idm36/policy/?page=/documentation/idm36/policy/data/policyvariables.html) so that it is possible to use it in policies that need to work in both directions.

Rule: GW 6.5+ from GW

Purpose: This rule checks to see if the driver is configured to work with a GroupWise 5.50 or a GroupWise 6.00 system. If not, it assumes that the driver is working with a GroupWise 6.5 or newer system. It then checks to see if the event being processed is coming from GroupWise (i.e. on the Publisher) via the local variable fromNDS (equal to 'false'). Then, if the object being processed is a User, it fiddles with some attribute names to map GroupWise to eDirectory. This would normally be done by the schema map, but it appears that some of the GroupWise attribute names have changed between versions, so this bit of policy handles the conditional mapping needed to have one driver preconfig work with multiple versions of GroupWise.

Rule: GW 5.5/6.0 from eDir

Purpose: This rule checks to see if the driver is configured to work with a GroupWise 5.50 or a GroupWise 6.00 system. If so, it then checks to see if the event being processed is coming from eDirectory (i.e. on the Subscriber) via the local variable fromNDS (equal to 'true'). Then, if the object being processed is a User or External Entity, it fiddles with some attribute names to map eDirectory to GroupWise. This would normally be done by the schema map, but it appears that some of the GroupWise attribute names have changed between versions, so this bit of policy handles the conditional mapping needed to have one driver preconfig work with multiple versions of GroupWise.

Rule: GW 5.5/6.0 from GW

Purpose: This rule checks to see if the driver is configured to work with a GroupWise 5.50 or a GroupWise 6.00 system. If so, it then checks to see if the event being processed is coming from GroupWise (i.e. on the Publisher) via the local variable fromNDS (equal to 'false'). Then, if the object being processed is a User or External Entity, it fiddles with some attribute names to map GroupWise to eDirectory. This would normally be done by the schema map, but it appears that some of the GroupWise attribute names have changed between versions, so this bit of policy handles the conditional mapping needed to have one driver preconfig work with multiple versions of GroupWise.
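
The four version-conditional rules, as an added example of my own (not the driver's XML). The walkthrough does not name the GCV that holds the GroupWise version or the attributes whose names changed, so gw.version and the PLACEHOLDER attribute names are placeholders; fromNDS, the User and GroupWise External Entity classes and the 5.50/6.00 version strings come from the text.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for this walkthrough, not the driver's shipped XML.
     gw.version and the PLACEHOLDER attribute names are placeholders. -->
<policy>
  <!-- 6.5+ systems, Subscriber direction: eDirectory attribute name to GroupWise name. -->
  <rule>
    <description>GW 6.5+ from eDir (example)</description>
    <conditions>
      <and>
        <if-global-variable mode="nocase" name="gw.version" op="not-equal">5.50</if-global-variable>
        <if-global-variable mode="nocase" name="gw.version" op="not-equal">6.00</if-global-variable>
        <!-- fromNDS is maintained by the engine: true when the event came from eDirectory. -->
        <if-local-variable mode="nocase" name="fromNDS" op="equal">true</if-local-variable>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-rename-op-attr src-name="EDIR-ATTR-PLACEHOLDER" dest-name="GW65-ATTR-PLACEHOLDER"/>
    </actions>
  </rule>
  <!-- 6.5+ systems, Publisher direction: the same rename, reversed. -->
  <rule>
    <description>GW 6.5+ from GW (example)</description>
    <conditions>
      <and>
        <if-global-variable mode="nocase" name="gw.version" op="not-equal">5.50</if-global-variable>
        <if-global-variable mode="nocase" name="gw.version" op="not-equal">6.00</if-global-variable>
        <if-local-variable mode="nocase" name="fromNDS" op="equal">false</if-local-variable>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-rename-op-attr src-name="GW65-ATTR-PLACEHOLDER" dest-name="EDIR-ATTR-PLACEHOLDER"/>
    </actions>
  </rule>
  <!-- 5.50/6.00 systems: one regex condition matches either version string, and the
       class test also admits GroupWise External Entity, as the walkthrough describes. -->
  <rule>
    <description>GW 5.5/6.0 from eDir (example)</description>
    <conditions>
      <and>
        <if-global-variable mode="regex" name="gw.version" op="equal">5\.50|6\.00</if-global-variable>
        <if-local-variable mode="nocase" name="fromNDS" op="equal">true</if-local-variable>
        <if-class-name mode="regex" op="equal">User|GroupWise External Entity</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-rename-op-attr src-name="EDIR-ATTR-PLACEHOLDER" dest-name="GW55-ATTR-PLACEHOLDER"/>
    </actions>
  </rule>
  <rule>
    <description>GW 5.5/6.0 from GW (example)</description>
    <conditions>
      <and>
        <if-global-variable mode="regex" name="gw.version" op="equal">5\.50|6\.00</if-global-variable>
        <if-local-variable mode="nocase" name="fromNDS" op="equal">false</if-local-variable>
        <if-class-name mode="regex" op="equal">User|GroupWise External Entity</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-rename-op-attr src-name="GW55-ATTR-PLACEHOLDER" dest-name="EDIR-ATTR-PLACEHOLDER"/>
    </actions>
  </rule>
</policy>
```

Because the rules key on fromNDS rather than on which channel's policy set they sit in, one policy serves both directions, which is exactly the point of the note above. The practical check after a GroupWise upgrade is the version GCV: if it is left at the old value, the old attribute names keep going to the shim, and the symptom shows up in the driver trace as attribute writes the shim does not accept rather than as a policy error.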




Revision #: 4 of 4
Last update: 2020-03-10 19:15