bartden

Force delete on unassociated user objects


Hi,

I wonder if the following is possible. Let's say IDM is informed that an
account is created on a Linux server (using Sentinel to start a
workflow).
After checking that this account exists and has a Linux driver Account
entitlement, the user must be deleted on the Linux server (so the user
might not exist in the ID Vault, or it might not have a Linux driver
Account entitlement). Is it possible to send this delete command to the
Linux driver (or the Windows scripting driver if the target system is a
Windows machine), and how?

Thanks in advance

Kind regards
Bart


--
bartden
------------------------------------------------------------------------
bartden's Profile: http://forums.novell.com/member.php?userid=43521
View this thread: http://forums.novell.com/showthread.php?t=448988

8 Replies

Knowledge Partner

Re: Force delete on unassociated user objects

On 12/1/2011 10:56 AM, bartden wrote:
>
> Hi,
>
> I wonder if the following is possible. Let's say IDM is informed that an
> account is created on a Linux server (using Sentinel to start a
> workflow).
> After checking that this account exists and has a Linux driver Account
> entitlement, the user must be deleted on the Linux server (so the user


I think you meant, does NOT have a Linux Account entitlement, so
Sentinel is catching an illegal out of band create.

> might not exist in the ID Vault, or it might not have a Linux driver
> Account entitlement). Is it possible to send this delete command to the
> Linux driver (or the Windows scripting driver if the target system is a
> Windows machine), and how?


You could probably do it via this approach:
http://www.novell.com/communities/node/6302/query-connected-system-driver-not-connected-system

Inject a query into another driver. So in principle you ought to be
able to send a <delete> event in. Never tried it, though.

Have you considered doing it in the Linux driver itself instead? That
is, a Pub channel create without an entitlement means delete in source?
Knowledge Partner

Re: Force delete on unassociated user objects

On Thu, 01 Dec 2011 15:56:02 +0000, bartden wrote:

> I wonder if the following is possible. Let's say IDM is informed that an
> account is created on a Linux server (using Sentinel to start a
> workflow).
> After checking that this account exists and has a Linux driver Account
> entitlement, the user must be deleted on the Linux server (so the user
> might not exist in the ID Vault, or it might not have a Linux driver
> Account entitlement). Is it possible to send this delete command to the
> Linux driver (or the Windows scripting driver if the target system is a
> Windows machine), and how?


I don't understand what you're trying to do here. Could you elaborate?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

bartden

Re: Force delete on unassociated user objects


Thanks for the reply.

@geoffc,
Yes, I meant that. Does there exist a fan-out bidirectional driver for
Windows and Linux? Because I need to manage local accounts on both
systems (could be up to 100 Windows/Linux systems), and I want a general
solution for this problem.

@David,

In general I'm trying to build a system that deletes ungranted local
accounts (or ungranted local rights) on Windows and Linux. If an IDM-
provisioned Linux admin creates a local account without using IDM, it
has to be deleted.

Best Regards
Bart


jgrieshop

Re: Force delete on unassociated user objects


Linux, you have the option of a fan-out or bidirectional driver. Windows,
your only way to manage local accounts is through the scripting driver
with the local account extension scripts:

http://www.novell.com/developer/ndk/idm_scripting_driver_for_windows_domain_and_local_accounts.html

bartden;2158099 wrote:
> Thanks for the reply.
>
> @geoffc,
> Yes i meant that. Does there exist a fan-out bi directional driver for
> windows and linux? Because i need to manage local accounts on both
> systems (could be up to 100 windows/linux systems), and i want a general
> solution for this problem.
>
> @David,
>
> In general i'm trying to build a system that deletes ungranted local
> accounts (or ungranted local rights) on windows and linux. If a IDM
> provisioned linux admin creates a local account without using IDM, it
> has to be deleted.
>
> Best Regards
> Bart



--
jgrieshop
------------------------------------------------------------------------
jgrieshop's Profile: http://forums.novell.com/member.php?userid=5538
View this thread: http://forums.novell.com/showthread.php?t=448988

Knowledge Partner

Re: Force delete on unassociated user objects

On 12/2/2011 9:36 AM, jgrieshop wrote:
>
> Linux, you have an option of fan-out or bidirectional driver. Windows,
> you're only way to manage local accounts is through the scripting driver
> with the local account extension scripts:
>
> http://www.novell.com/developer/ndk/idm_scripting_driver_for_windows_domain_and_local_accounts.html



So in general, the approach is to get your 100 Linux boxes to use NIS,
NIS+, LDAP, etc.

Then you use one of those NIS/NIS+ servers with a single bidirectional
driver.

Your model sounds like you are using the Fan-Out driver and want to
prevent Linux-side creates. Since the Fan-Out driver does not have much
of a Pub channel, I guess you cannot get the event on the driver like
you could in the BiDir driver.

Can you send a delete into the Fan-Out driver?

If so, perhaps you could have some monitoring object (the Driver object
itself?) and have your Sentinel workflow just add an attribute to the
object (a custom attribute) with the name of the object to delete.

Then have the driver monitor that object for that attribute and, if it
changes, send a delete of that object into the Sub channel.

I do not know the Fan-Out driver well enough to know if you can send a
delete that way or not, though.



> bartden;2158099 wrote:
>> Thanks for the reply.
>>
>> @geoffc,
>> Yes i meant that. Does there exist a fan-out bi directional driver for
>> windows and linux? Because i need to manage local accounts on both
>> systems (could be up to 100 windows/linux systems), and i want a general
>> solution for this problem.
>>
>> @David,
>>
>> In general i'm trying to build a system that deletes ungranted local
>> accounts (or ungranted local rights) on windows and linux. If a IDM
>> provisioned linux admin creates a local account without using IDM, it
>> has to be deleted.
>>
>> Best Regards
>> Bart

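The "monitoring object" idea Geoff sketches above, written out as a DirXML Script policy for the driver's Subscriber channel Event Transformation. This is an added example, not code from anyone in this thread and not part of the Fan-Out driver or the Windows scripting driver that Novell ships. Assumptions: the trigger object is a dedicated vault object at \TREE\services\idm\AccountDeleteTrigger rather than the Driver object itself, the trigger attribute is Description, the Sentinel workflow writes one login name per value, and the driver accepts that login name as the association key of the account to delete (the key format is driver specific). The element and attribute names follow the DirXML Script DTD as I remember it; check them in Policy Builder for your IDM version before trusting the policy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): Subscriber channel Event Transformation
     policy. Every value written to the trigger attribute on the trigger object
     becomes a delete command for the connected system; the vault event itself
     is never synchronized. -->
<policy>
  <rule>
    <description>Trigger object: delete every account named in the trigger attribute</description>
    <conditions>
      <and>
        <if-operation op="equal">modify</if-operation>
        <!-- Assumed trigger object DN (slash format, as src-dn arrives on the Sub channel) -->
        <if-src-dn op="equal">\TREE\services\idm\AccountDeleteTrigger</if-src-dn>
        <!-- Only fire on values being added, so the clear-out below does not re-trigger -->
        <if-xpath op="true">./modify-attr[@attr-name='Description']/add-value/value</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-for-each>
        <arg-node-set>
          <token-xpath expression="./modify-attr[@attr-name='Description']/add-value/value"/>
        </arg-node-set>
        <arg-actions>
          <do-trace-message level="1">
            <arg-string>
              <token-text xml:space="preserve">Sending delete for connected-system account </token-text>
              <token-local-variable name="current-node"/>
            </arg-string>
          </do-trace-message>
          <!-- direct="true": hand the delete straight to the driver shim instead of
               queuing it behind the current operation, which is vetoed below.
               Assumption: the login name is the association key the shim expects;
               use <arg-dn> instead if your driver addresses accounts by DN. -->
          <do-delete-dest-object class-name="User" direct="true">
            <arg-association>
              <token-local-variable name="current-node"/>
            </arg-association>
          </do-delete-dest-object>
        </arg-actions>
      </do-for-each>
      <!-- Clear the trigger so the same names are not replayed on the next modify.
           The resulting remove-all-values modify has no add-value and so falls
           through to rule 2, which vetoes it. -->
      <do-clear-src-attr-value name="Description" direct="true"/>
      <do-veto/>
    </actions>
  </rule>
  <rule>
    <description>Never synchronize the trigger object itself</description>
    <conditions>
      <and>
        <if-src-dn op="equal">\TREE\services\idm\AccountDeleteTrigger</if-src-dn>
      </and>
    </conditions>
    <actions>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Two things have to be true for this to fire at all: the trigger object's class and the Description attribute must be in the driver filter on the Subscriber channel (Synchronize or Notify), otherwise the engine never hands the modify to the Event Transformation policy; and the shim must be willing to honour a delete for an object it never associated, which is exactly the open question Geoff raises about the Fan-Out driver and is only answerable by trying it in a lab. A connected-system delete is irreversible, so run it in trace level 3 against a throwaway box first.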
Knowledge Partner

Re: Force delete on unassociated user objects

On Fri, 02 Dec 2011 08:36:02 +0000, bartden wrote:

> In general i'm trying to build a system that deletes ungranted local
> accounts (or ungranted local rights) on windows and linux. If a IDM
> provisioned linux admin creates a local account without using IDM, it
> has to be deleted.


So on the Publisher channel, Event Transform, watch for <add> events. If
you find one, a delete source object should take care of your problem.
Yes? Or are you looking for something more complicated?


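Here is what David's suggestion (and Geoff's earlier "Pub channel create without an entitlement means delete in source") looks like as a DirXML Script policy in the Publisher channel Event Transformation of a bidirectional Linux driver. This is an added example, not code from anyone in this thread and not part of the driver itself. Assumptions: the shim sends its association on publisher adds, so an account IDM provisioned over the Subscriber channel arrives "associated" while one created with useradd does not; the Linux login name is the vault CN; vault users live under \TREE\data\users; and a vault user that carries no DirXML-EntitlementRef at all is treated as unentitled (matching the one specific Account entitlement of this driver would mean inspecting the structured value, which I have left out). As with any DirXML Script I write from memory, verify the element names in Policy Builder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): Publisher channel Event Transformation
     policy for a bidirectional Linux driver. An <add> published for an account
     that IDM did not provision is deleted in the source (the Linux box) and
     vetoed so no vault object is ever created for it. -->
<policy>
  <rule>
    <description>Look up the published account name in the vault</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <!-- Assumption: IDM-created accounts publish with their association and so
             arrive associated; out-of-band useradd accounts do not. -->
        <if-association op="not-associated"/>
      </and>
    </conditions>
    <actions>
      <!-- scope="policy" keeps the node set available to the next rule.
           Assumptions: login name == vault CN, users live under \TREE\data\users. -->
      <do-set-local-variable name="vault-user" scope="policy">
        <arg-node-set>
          <token-query class-name="User" datastore="dest" scope="subtree">
            <arg-dn><token-text xml:space="preserve">\TREE\data\users</token-text></arg-dn>
            <arg-match-attr name="CN">
              <arg-value type="string"><token-op-attr name="CN"/></arg-value>
            </arg-match-attr>
            <arg-string><token-text xml:space="preserve">DirXML-EntitlementRef</token-text></arg-string>
          </token-query>
        </arg-node-set>
      </do-set-local-variable>
    </actions>
  </rule>
  <rule>
    <description>No entitled vault user behind this account: delete it at the source</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-association op="not-associated"/>
        <!-- Empty node set (no such vault user) or a user with no entitlement
             reference at all: nobody granted this account. -->
        <if-xpath op="not-true">$vault-user/attr[@attr-name='DirXML-EntitlementRef']/value</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="1">
        <arg-string>
          <token-text xml:space="preserve">Deleting unprovisioned Linux account </token-text>
          <token-op-attr name="CN"/>
        </arg-string>
      </do-trace-message>
      <!-- On the Publisher channel the source is the connected system, so this
           removes the account on the Linux box. No arg-dn/arg-association means
           "the current object". -->
      <do-delete-src-object class-name="User"/>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

The User class (and CN) must be set to Synchronize on the Publisher side of the driver filter or the add never reaches this policy, and the Event Transformation runs after Schema Mapping, which is why the rule reads CN rather than the Linux-side attribute name. Everything that is associated, or whose vault user holds an entitlement reference, falls through to Matching untouched. Note that this only works where the driver actually publishes out-of-band creates, which, as Geoff points out, the Fan-Out driver does not, and that the delete is irreversible: prove it with a test account and trace level 3 before enabling it on 100 hosts.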
Knowledge Partner

Re: Force delete on unassociated user objects

On 12/2/2011 12:00 PM, David Gersic wrote:
> On Fri, 02 Dec 2011 08:36:02 +0000, bartden wrote:
>
>> In general i'm trying to build a system that deletes ungranted local
>> accounts (or ungranted local rights) on windows and linux. If a IDM
>> provisioned linux admin creates a local account without using IDM, it
>> has to be deleted.

>
> So on the Publisher channel, Event Transform, watch for <add> events. If
> you find one, a delete source object should take care of your problem.
> Yes? Or are you looking for something more complicated?


I think his issue is that he is using the Fanout driver and may not be
getting such events on the Pub channel. You have fanout at NIU right?
Is that possible?


Knowledge Partner

Re: Force delete on unassociated user objects

On Fri, 02 Dec 2011 17:12:27 +0000, Geoffrey Carman wrote:

> On 12/2/2011 12:00 PM, David Gersic wrote:
>> On Fri, 02 Dec 2011 08:36:02 +0000, bartden wrote:
>>
>>> In general i'm trying to build a system that deletes ungranted local
>>> accounts (or ungranted local rights) on windows and linux. If a IDM
>>> provisioned linux admin creates a local account without using IDM, it
>>> has to be deleted.

>>
>> So on the Publisher channel, Event Transform, watch for <add> events.
>> If you find one, a delete source object should take care of your
>> problem. Yes? Or are you looking for something more complicated?

>
> I think his issue is that he is using the Fanout driver and may not be
> getting such events on the Pub channel.


Ah, that would be a key detail then. Sorry if I've introduced any
confusion.


> You have fanout at NIU right?


Not so far, no.


