
AD Driver Remove-all vs Remove


Hi,

IDM 402 AD Driver on a W2K8r2 server (2003 forest level).
On the publisher channel I have a filter allowing the group class/group
membership to sync from AD back to the IDVault. When there is a change in
an AD Group object, the trace is telling me the driver is reading the event
from AD, which is good. No matter whether it is an add or a delete of a
user to the group object in AD, the engine will issue a <remove-all>
first, and then sync the ones that are still in the AD group back to the
IDVault, through the Pub channel.

I would like to find out whether there is a way we can change the behavior of
the AD driver so that, in the event that I pull a user out of an AD group,
the driver, instead of issuing a <remove-all>, performs a single
<remove><dn><value>userA</value></dn></remove>. I can
appreciate why it is doing a <remove-all> instead of a remove... but we
have come across a situation where we need to find out which user(s) have
been removed from a group object in AD, and further process those user
objects in the IDVault. And in the event that multiple users got
removed from the AD group, I can process each user object that is
pulled, based on our business requirements. Or do you have other
suggestions?

Thanks for any kind of suggestions (except shelling out to script,
lol)... 🙂

Vinny


--
vzlchan
------------------------------------------------------------------------
vzlchan's Profile: https://forums.netiq.com/member.php?userid=4473
View this thread: https://forums.netiq.com/showthread.php?t=50624

6 Replies

Re: AD Driver Remove-all vs Remove

https://www.netiq.com/documentation/idm402drivers/ad/data/b4dd0y2.html#b4m4h9a

Go down to 'Advanced Options' and then the 'Enable DirSync Incremental
Values' option, then restart the driver object.

MAD (Microsoft Active Directory) used to be even less intelligent than it
is now and behaved exactly as you see it. Thankfully, they changed that,
so at least now you're not doing ridiculous stuff needlessly on every group
change.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: AD Driver Remove-all vs Remove


Yep! Thank you all. I used "ab"'s suggestion. It works.


--
vzlchan
------------------------------------------------------------------------
vzlchan's Profile: https://forums.netiq.com/member.php?userid=4473


Re: AD Driver Remove-all vs Remove

vzlchan wrote:

> we
> come across a situation that we need to find out which user(s) has/have
> been removed from a group object in AD, and further process those user
> object in IDVault.


Either follow Aaron's suggestion, or set the group membership attribute to
"Optimize Modify" in the publisher filter and move your code to a command
transform. The engine then boils what's coming from AD down to the actual delta
between AD and eDir (after the last event transform and before processing
the first command transform), and you should see exactly what you asked for.
______________________________________________
https://www.is4it.de/identity-access-management
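To make the two behaviours in this thread concrete (the driver's <remove-all> plus re-add of every remaining member from the original question, and the "Optimize Modify" delta lhaeger describes), here is an added Python example. It is not code from any poster or from NetIQ; it simulates, on a constructed publisher event and a constructed vault membership, how a replace-style modify collapses to the minimal set of remove-value/add-value operations against the Identity Vault. The event shape, DNs and attribute name are simplified assumptions, not the exact XDS the engine emits.

```python
"""Added example (not NetIQ or Micro Focus code): simulate what the IDM engine's
"Optimize Modify" filter setting does to a publisher-channel modify event.

Without DirSync incremental values, the AD driver publishes, for any change to
a group, a <remove-all-values/> followed by one <add-value> per remaining
member. With Optimize Modify enabled on the attribute, the engine compares that
full replacement against the vault's current value set and emits only the
delta, so the command transform sees exactly which members were removed.
The XDS shape, attribute name and DNs below are simplified assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the event as the driver publishes it without incremental
# values. The group used to hold userA, userB and userC; in AD, userA was
# removed and userD was added.
AD_EVENT = """<modify class-name="Group" src-dn="CN=Admins,OU=Groups,DC=example,DC=com">
  <association>00000000000000000000000000000001</association>
  <modify-attr attr-name="Member">
    <remove-all-values/>
    <add-value><value type="dn">cn=userB,ou=users,o=vault</value></add-value>
    <add-value><value type="dn">cn=userC,ou=users,o=vault</value></add-value>
    <add-value><value type="dn">cn=userD,ou=users,o=vault</value></add-value>
  </modify-attr>
</modify>"""

# Constructed sample of the vault's current membership for that group.
VAULT_MEMBERS = {
    "cn=userA,ou=users,o=vault",
    "cn=userB,ou=users,o=vault",
    "cn=userC,ou=users,o=vault",
}


def parse_modify_attr(event_xml: str, attr_name: str):
    """Return (remove_all, removed, added) for one <modify-attr> of the event."""
    root = ET.fromstring(event_xml)
    attr = root.find(f"./modify-attr[@attr-name='{attr_name}']")
    if attr is None:
        raise ValueError(f"no modify-attr for {attr_name}")
    remove_all = attr.find("remove-all-values") is not None
    removed = [v.text for v in attr.findall("./remove-value/value")]
    added = [v.text for v in attr.findall("./add-value/value")]
    return remove_all, removed, added


def optimize_modify(event_xml: str, attr_name: str, current_values):
    """Collapse the event into the minimal delta against the vault's values.

    Returns (to_remove, to_add) as sorted lists of DNs. A remove-all event is
    treated as "the desired set is exactly what was re-added"; an incremental
    event (remove-value/add-value only) is applied on top of the current set.
    """
    remove_all, removed, added = parse_modify_attr(event_xml, attr_name)
    current = set(current_values)
    if remove_all:
        desired = set(added)
    else:
        desired = (current - set(removed)) | set(added)
    return sorted(current - desired), sorted(desired - current)


def build_delta_event(src_dn: str, attr_name: str, to_remove, to_add) -> str:
    """Serialize the optimized delta as an XDS-style <modify> document."""
    modify = ET.Element("modify", {"class-name": "Group", "src-dn": src_dn})
    attr = ET.SubElement(modify, "modify-attr", {"attr-name": attr_name})
    for dn in to_remove:
        ET.SubElement(ET.SubElement(attr, "remove-value"), "value",
                      {"type": "dn"}).text = dn
    for dn in to_add:
        ET.SubElement(ET.SubElement(attr, "add-value"), "value",
                      {"type": "dn"}).text = dn
    return ET.tostring(modify, encoding="unicode")


if __name__ == "__main__":
    rem, add = optimize_modify(AD_EVENT, "Member", VAULT_MEMBERS)
    print("members removed in AD:", rem)
    print("members added in AD:  ", add)
    print(build_delta_event("CN=Admins,OU=Groups,DC=example,DC=com",
                            "Member", rem, add))
```

Run as-is, the remove-all event with three re-added members collapses to one remove-value (userA) and one add-value (userD), which is the single <remove> the original question asked for. The same function handles an incremental event (remove-value only, no remove-all), which is what the driver publishes once 'Enable DirSync Incremental Values' is on; in that case the delta is computed against the current set rather than replacing it, and note that this only helps if the engine treats the attribute as multi-valued, the caveat raised later in the thread.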

Re: AD Driver Remove-all vs Remove


Is there any performance difference between the two approaches?

Btw, I think the 'Enable DirSync Incremental Values' option should be
the default by now. If people run 10-year-old stuff they can change it
back.

Cheers


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159


Re: AD Driver Remove-all vs Remove

joakim ganse wrote:

>
> Is there any performance difference between the two approaches?


Doubtful; the incremental values approach only works for group membership, IIRC.

The downside of relying on the engine (optimize modify) is that you need to be sure that the engine has correctly parsed the AD schema to determine whether an attribute is single- or multi-valued (and also that the AD schema is actually correct).

> I think the 'Enable DirSync Incremental Values' option should be
> default by now. If people run 10 year old stuff they can change it
> back.


Especially as Windows 2000 Server (the only OS that doesn't support incremental values) is no longer supported by the vendor.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: AD Driver Remove-all vs Remove


lhaeger;243719 Wrote:
> vzlchan wrote:
>
> > we
> > come across a situation that we need to find out which user(s) has/have
> > been removed from a group object in AD, and further process those user
> > object in IDVault.
>
> Either follow Aarons suggestion, or set the group membership attribute to
> "Optimize Modify" in the publisher filter and move your code to a command
> transform. The engine boils what's coming from AD down to the actual delta
> between AD and Edir then (after the last event transform and before processing
> the first command transform) and you should see exactly what you ask for.



I would stick with ab's suggestion so there are no unnecessary CPU
cycles wasted resolving the associations of all the group members
(which will become significant if the group member count is huge).


--
vivekbm
------------------------------------------------------------------------
vivekbm's Profile: https://forums.netiq.com/member.php?userid=528
