wferguson1

AD driver

I am successfully synching eDir accounts to AD, but the question I have
is: for every account that I synch, the IDM AD driver on its polling
cycle is seeing a rename of the account. I of course have the
dirxmlADcontexts and names set up, but why is the driver seeing a rename
for the account every time it runs its scheduled polling of AD? This
driver is set up so that all attributes on the publisher channel in the
filter are set to ignore, because we do not want any changes synching
from this domain into eDir.

It is doing this for every account I synch to AD while testing, and I
really don't want to migrate all of my users to this domain until this
is figured out.

Thank you,


--
wferguson
------------------------------------------------------------------------
wferguson's Profile: https://forums.netiq.com/member.php?userid=360
View this thread: https://forums.netiq.com/showthread.php?t=53997

22 Replies

Knowledge Partner

Re: AD driver

As always, post the full trace.

MAD does not share with IDM whether a rename or move is happening, so
instead when one or the other is detected (because they are the same
operation coming from MAD) the shim sends both through and it is up to the
engine to figure this out.

You're reporting a rename, so it would seem that perhaps something about
your creation process is causing that to happen; maybe a create happens
and something in the logic immediately renames the object, which MAD then
sends back and is likely then optimized out (the name is already changed
in the vault). A trace will probably reveal all.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
wferguson1

Re: AD driver


Thank you for the response! The attachment is a level 3 trace of what
the vault receives from the RL when the driver polling occurs. I am not
only interested in the RL not sending it to the vault, but I would
prefer to not have AD doing this on the RL server either, so basically
how can I prevent this altogether? Thanks a million


+----------------------------------------------------------------------+
|Filename: trace080715.txt |
|Download: https://forums.netiq.com/attachment.php?attachmentid=322 |
+----------------------------------------------------------------------+

wferguson1

Re: AD driver


This is a copy of the html in my creation policy

<?xml version="1.0" encoding="UTF-8"?><policy>
<rule>
<description>Break if not a User</description>
<conditions>
<and>
<if-class-name mode="nocase" op="not-equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-break/>
</actions>
</rule>
<rule>
<description>xxx</description>
<conditions>
<or>
<if-attr mode="regex" name="Type" op="equal">xxx</if-attr>
<if-attr mode="regex" name="Category" op="equal">xxx</if-attr>
</or>
</conditions>
<actions>
<do-veto/>
</actions>
</rule>
<rule>
<description>Veto if IDMx status is NOT active</description>
<comment xml:space="preserve"></comment>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<if-attr mode="nocase" name="xxx" op="not-equal">active</if-attr>
<if-attr mode="nocase" name="xxx" op="not-equal">active</if-attr>
<if-attr mode="nocase" name="xxx" op="not-equal">active</if-attr>
</and>
</conditions>
<actions>
<do-veto/>
</actions>
</rule>
<rule>
<description>Veto if nspmDistributionPassword is not
available</description>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-veto-if-op-attr-not-available name="nspmDistributionPassword"/>
</actions>
</rule>
<rule>
<description>Escape object name</description>
<comment xml:space="preserve">Removes irregular characters in the
account name.</comment>
<conditions>
<or>
<if-class-name mode="nocase" op="equal">User</if-class-name>
</or>
</conditions>
<actions>
<do-set-local-variable name="object-name" scope="policy">
<arg-string>
<!-- negated character class: every character NOT in the allowed set is removed -->
<token-replace-all
regex="[^a-zA-Z0-9\x21\x23-\x29\x2d\x2e\x40\x5e-\x60\x7b\x7d\x7e\xc0-\xf6\xf8-\xff\u0410-\u044f]"
replace-with="">
<token-src-name/>
</token-replace-all>
</arg-string>
</do-set-local-variable>
</actions>
</rule>
<rule>
<description>Map CN to Active Directory user logon name</description>
<comment xml:space="preserve"></comment>
<conditions>
<and>
<if-global-variable name="UpnMap"
op="equal">edir-name-auth</if-global-variable>
</and>
</conditions>
<actions>
<do-set-dest-attr-value name="DirXML-ADAliasName">
<arg-value type="string">
<token-local-variable name="object-name"/>
<token-text xml:space="preserve">@</token-text>
<token-text xml:space="preserve">xxx.xxx</token-text>
</arg-value>
</do-set-dest-attr-value>
<do-add-src-attr-value class-name="User" name="Object Class">
<arg-value type="string">
<token-text
xml:space="preserve">DirXML-ApplicationAttrs-plural</token-text>
</arg-value>
</do-add-src-attr-value>
<do-for-each>
<arg-node-set>
<token-src-attr name="DirXML-ADAliasNames"/>
</arg-node-set>
<arg-actions>
<do-if>
<arg-conditions>
<and>
<if-xpath
op="true">$current-node/component[@name='volume']="~dirxml.auto.driverdn~"</if-xpath>
</and>
</arg-conditions>
<arg-actions>
<do-remove-src-attr-value name="DirXML-ADAliasNames">
<arg-value type="structured">
<arg-component name="nameSpace">
<token-xpath
expression='$current-node/component[@name="nameSpace"]'/>
</arg-component>
<arg-component name="volume">
<token-xpath
expression='$current-node/component[@name="volume"]'/>
</arg-component>
<arg-component name="path">
<token-xpath
expression='$current-node/component[@name="path"]'/>
</arg-component>
</arg-value>
</do-remove-src-attr-value>
</arg-actions>
<arg-actions/>
</do-if>
</arg-actions>
</do-for-each>
<do-add-src-attr-value name="DirXML-ADAliasNames">
<arg-value type="structured">
<arg-component name="nameSpace">
<token-time format="!CTIME" tz="UTC"/>
</arg-component>
<arg-component name="volume">
<token-global-variable name="dirxml.auto.driverdn"/>
</arg-component>
<arg-component name="path">
<token-local-variable name="object-name"/>
<token-text xml:space="preserve">@</token-text>
<token-text xml:space="preserve">xxx.xxxA</token-text>
</arg-component>
</arg-value>
</do-add-src-attr-value>
</actions>
</rule>
<rule>
<description>Map CN to Active Directory user logon name (pre-Windows
2000)</description>
<comment xml:space="preserve">Logon name policy: Keep destination
sAMAccountName in sync with source object name.</comment>
<conditions>
<and>
<if-global-variable mode="case" name="LogonNameMap"
op="equal">true</if-global-variable>
</and>
</conditions>
<actions>
<do-set-dest-attr-value name="CN">
<arg-value>
<token-substring length="20">
<token-local-variable name="object-name"/>
</token-substring>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>
<rule>
<description>Identity Vault accounts are enabled if Login Disabled
does not exist</description>
<comment xml:space="preserve">If LoginDisabled does not exist, then
make sure the destination attribute Login Disabled is false.</comment>
<conditions>
<and>
<if-op-attr name="Login Disabled" op="not-available"/>
</and>
</conditions>
<actions>
<do-set-dest-attr-value name="Login Disabled">
<arg-value type="string">
<token-text xml:space="preserve">false</token-text>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>
</policy>


wferguson1

Re: AD driver


Here is the html copy of our PP policy, where we are stripping the
full name and composing it in order to take into consideration preferred
given name and surname.

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC
"policy-builder-dtd" "C:\Program Files
(x86)\Novell\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201206110753\DTD\dirxmlscript3.6.1.dtd"><policy>
<rule>
<description>Set full name (displayname)</description>
<comment xml:space="preserve">We are stripping the full name, then
composing it in the order of SurnamePref > Surname and then
GivenNamePref > GivenName, putting that value back into attribute Full
Name, and then checking to make sure there isn't a match. If there is a
match, add a 01 to the end of the Full Name and check again, if another
match is found, add 02 and check again etc. until a match is not
found.</comment>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-strip-op-attr name="Full Name"/>
<do-if>
<arg-conditions>
<and>
<if-attr name="Initials" op="available"/>
</and>
</arg-conditions>
<arg-actions>
<do-set-local-variable name="appfullname" scope="policy">
<arg-string>
<token-replace-all regex="\s+$" replace-with="">
<token-attr name="Surname"/>
</token-replace-all>
<token-text xml:space="preserve">, </token-text>
<token-replace-all regex="\s+$" replace-with="">
<token-attr name="Given Name"/>
</token-replace-all>
<token-text xml:space="preserve"> </token-text>
<token-substring length="1">
<token-attr name="Initials"/>
</token-substring>
<token-text xml:space="preserve">.</token-text>
</arg-string>
</do-set-local-variable>
</arg-actions>
<arg-actions>
<do-set-local-variable name="appfullname" scope="policy">
<arg-string>
<token-replace-all regex="\s+$" replace-with="">
<token-attr name="Surname"/>
</token-replace-all>
<token-text xml:space="preserve">, </token-text>
<token-replace-all regex="\s+$" replace-with="">
<token-attr name="Given Name"/>
</token-replace-all>
</arg-string>
</do-set-local-variable>
</arg-actions>
</do-if>
<do-add-dest-attr-value name="Full Name">
<arg-value type="string">
<token-unique-name counter-digits="2" counter-pattern="last"
counter-start="1" counter-use="fallback" name="Full Name"
on-unavailable="error" scope="subtree">
<arg-dn>
<token-global-variable name="xxx"/>
</arg-dn>
<arg-string>
<token-local-variable name="appfullname"/>
</arg-string>
</token-unique-name>
</arg-value>
</do-add-dest-attr-value>
</actions>
</rule>
<rule>
<description>set dest context</description>
<conditions>
<and>
<if-class-name op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-if>
<arg-conditions>
<and>
<if-attr mode="nocase" name="xxx" op="equal">active</if-attr>
</and>
<and>
<if-attr mode="nocase" name="xxx" op="equal">active</if-attr>
</and>
<and>
<if-attr mode="nocase" name="xxx" op="equal">active</if-attr>
</and>
</arg-conditions>
<arg-actions>
<do-if>
<arg-conditions>
<or>
<if-attr mode="regex" name="xxx" op="not-equal">xxx</if-attr>
<if-attr mode="regex" name="xxx" op="not-equal">xxx</if-attr>
</or>
</arg-conditions>
<arg-actions>
<do-set-local-variable name="NewContext" scope="policy">
<arg-string>
<token-text
xml:space="preserve">OU=xxx,DC=xxx,DC=xxx,DC=xxx</token-text>
</arg-string>
</do-set-local-variable>
</arg-actions>
<arg-actions>
<do-set-local-variable name="NewContext" scope="policy">
<arg-string>
<token-text
xml:space="preserve">OU=xxx,DC=xxx,DC=xxx,DC=xxx</token-text>
</arg-string>
</do-set-local-variable>
</arg-actions>
</do-if>
</arg-actions>
<arg-actions>
<do-set-local-variable name="NewContext" scope="policy">
<arg-string>
<token-text
xml:space="preserve">OU=xxx,DC=xxx,DC=xxx,DC=xxx</token-text>
</arg-string>
</do-set-local-variable>
</arg-actions>
</do-if>
</actions>
</rule>
<rule>
<description>Set User DN</description>
<comment xml:space="preserve">When User Full Name mapping is enabled,
the destination object name is set to the Full Name attribute. The
account will also be placed in the OU mentioned in the action
below.</comment>
<conditions>
<and>
<if-class-name op="equal">User</if-class-name>
<if-global-variable mode="case" name="FullNameMap"
op="equal">true</if-global-variable>
<if-op-attr mode="nocase" name="Full Name" op="not-equal"/>
<if-local-variable mode="nocase" name="destcontext"
op="not-equal"/>
</and>
</conditions>
<actions>
<do-set-op-dest-dn>
<arg-dn>
<token-text xml:space="preserve">cn=</token-text>
<token-escape-for-dest-dn>
<token-op-attr name="Full Name"/>
</token-escape-for-dest-dn>
<token-text xml:space="preserve">,</token-text>
<token-local-variable name="NewContext"/>
</arg-dn>
</do-set-op-dest-dn>
</actions>
</rule>
</policy>


Knowledge Partner

Re: AD driver

wferguson <wferguson@no-mx.forums.microfocus.com> wrote:
> Here is the html copy of our PP policy, where we are stripping the
> full name and composing it in order to take into consideration preferred
> given name and surname.
>


I would not re-create the Full Name op-attr here. I would use a local
variable (if you need the composite full name here).

Generally I advise customers to avoid using a naming scheme in AD where CN
is based on full name. It makes maintenance far simpler, and the only people
who really see the CN are techie / help desk types.

That said, what you want to do is technically possible, but you should look
at the way it is done in the standard AD driver packages and go from there
rather than trying to diverge so much.




--
If you find this post helpful and are logged into the web interface, show
your appreciation and click on the star below...
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
Knowledge Partner

Re: AD driver

This trace does not show the create. Maybe I was not clear, and if so I
apologize. I want to see the create coming from the vault into MAD, as
well as (up to a minute later by default) the response that you see here
in this trace. The reason is that if the vault is sending a rename, we'll
see it earlier, and then have our reason for the rename coming back from
MAD. If not, you need to find what is causing the rename in MAD, or just
ignore it (or veto it explicitly).


wferguson1

Re: AD driver


Can I just do a veto if operation = rename in my ITP? Would that cause a
problem or prevent the adcontexts from being set? I am not allowing
renames from AD to eDir anyway.


wferguson1

Re: AD driver


Attached in this message is the trace of an account add. The post from
earlier is the response that I get back from the driver after that
default of 1 minute. Thank you so much.


+----------------------------------------------------------------------+
|Filename: trace on add080715.txt |
|Download: https://forums.netiq.com/attachment.php?attachmentid=323 |
+----------------------------------------------------------------------+

Knowledge Partner

Re: AD driver

Silly notes: in the future do not get traces via ndstrace or iMonitor, but
instead please write them directly from a driver config object ("Trace
File Name"). This increases reliability of the trace (especially when in
a busy system), avoids overlapping drivers (which makes traces impossible
to read), and also preserves formatting that makes reading these easier.

You're sending a move from your policy. If you do not want to see that
loop back, don't send it to MAD in the first place:


16:35:30 CCEE940 Drvrs: Driver ST: Evaluating selection criteria for rule
'Move Account'.
16:35:30 CCEE940 Drvrs: Driver ST: (if-local-variable 'destcontext'
available) = TRUE.
16:35:30 CCEE940 Drvrs: Driver ST: (if-local-variable 'NewContext'
available) = TRUE.
16:35:30 CCEE940 Drvrs: Driver ST: Expanded variable reference
'$NewContext$' to 'OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx'.
16:35:30 CCEE940 Drvrs: Driver ST: (if-local-variable 'destcontext'
not-equal "$NewContext$") = TRUE.
16:35:30 CCEE940 Drvrs: Driver ST: Rule selected.
16:35:30 CCEE940 Drvrs: Driver ST: Applying rule 'Move Account'.
16:35:30 CCEE940 Drvrs: Driver ST: Action:
do-move-dest-object(when="after",arg-dn(token-local-variable("NewContext"))).
16:35:30 CCEE940 Drvrs: Driver ST: arg-dn(token-local-variable("NewContext"))
16:35:30 CCEE940 Drvrs: Driver ST: token-local-variable("NewContext")
16:35:30 CCEE940 Drvrs: Driver ST: Token Value:
"OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx".
16:35:30 CCEE940 Drvrs: Driver ST: Arg Value:
"OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx".


This policy is, I believe, in the Command Transformation Policyset.

wferguson1

Re: AD driver


How do you suggest that I move accounts in the AD domain when they go to
inactive in eDir? This is basically what I am trying to
accomplish:
1) determine the context of the account in the destination directory
2) determine if the account is active or not in eDir
3) move the account if the src and dest local variables are
different, hence the "move account" rule in my CTP

thank you!


wferguson1

Re: AD driver


I am wondering if it is what you ("ab") initially stated about renames being
the issue. I disabled the policy in the CTP that you referenced and synched
a new account, and it is now also a part of the problem of the syncs
coming back from AD; disabling the move rule didn't seem to change
anything. The attachment is from my remote loader trace screen showing
the logs that it has right when the Remote Loader finishes sending
the data back to eDir on behalf of the polling cycle.

Thank you


+----------------------------------------------------------------------+
|Filename: remoteloader trace.txt |
|Download: https://forums.netiq.com/attachment.php?attachmentid=324 |
+----------------------------------------------------------------------+

Knowledge Partner

Re: AD driver

This particular trace shows a rename, not a move, so a different code path
was taken which makes sense as your initial report was about renames/moves
coming back after an add, and this is not an add (looks like you just
changed an attribute on a user).

If you have the engine-side trace from this transaction, you can probably
either see a rename from the start (if you renamed the object) or else a
synthesized rename event from an action, similar to what was done with the
previous (now disabled) move action.

The problem, per your description, is that your move logic is firing when
it should not. It should fire when somebody is made inactive, but
instead it is firing on an add event (never correct, perhaps). You could
add a condition to your move-event rule that basically skips past the rule
if the operation is an add, and that may do the trick so you both get
moves when you want them (on user disabled) but not when you do not want
them (on user adds).

Getting the conditions/criteria for rules right for all situations can be
one of the bigger challenges of IDM work; per the cliche quote, with great
power comes great responsibility. I think you're up for it, though
(eight posts today... you're not giving up for sure). It may help to have
some kind of design document for each driver that specifies what should
happen, and when. Part of that template should include what happens for
each type of event, and then as you create policies and their rules you
can be sure that all of the possible situations are handled, even if
"handled" means an explicit veto, or no action at all, or whatever.

wferguson1

Re: AD driver


Thank you for hanging in there with me. The attachment I uploaded named
"trace on add080715.txt" is the engine side trace of an add operation
like you were describing. Would you be able to kindly look at that and
tell me if you see a rename taking place as you suggested? I have been
going over this for days now and just can't find it. Thanks again.


Knowledge Partner

Re: AD driver

wferguson <wferguson@no-mx.forums.microfocus.com> wrote:
> Thank you for hanging in there with me. The attachment I uploaded named
> "trace on add080715.txt" is the engine side trace of an add operation
> like you were describing. Would you be able to kindly look at that and
> tell me if you see a rename taking place as you suggested? I have been
> going over this for days now and just can't find it. Thanks again.
>


That trace shows an add with a move immediately after (due to your command
transform that moves a user in AD).

This will generate the following looped-back events for the specific
user on the publisher channel:

1. Add
2. Move
3. Rename

There is a policy in the publisher event transform that should normally
veto out the rename.

However, that policy relies on an ITP policy called itp-SubscriberUserAdd
which updates the DirXML-ADContext attribute on add-association, and that
policy appears absent in your driver.

This particular policy was added to the default packages/preconfigured
around the time of IDM 4.0.

So the absence of that policy likely explains the rename you see in the
publisher channel.

Regardless, it seems counter-intuitive to add and then move straight away.

I would scope your command transform move policy to only apply to modifies
and adjust your placement policy to include the same logic that your move
code reflects (where necessary).

Note you can specify multiple placement rules. The last one that sets the
dest-dn will win.

That way, rather than place and move straight afterwards, you place in the
correct location (saving a move).