Highlighted
Super Contributor.
Super Contributor.
600 views

Proper procedure to remove a driver.


We have a driver that we want to remove that has a dirxml association.
What we don't want is the driver to trigger thousands and thousands of
transactions that will be synced. What is the best method to approach
driver removal without causing the driver to create massive sync
requests?


--
jburns80
------------------------------------------------------------------------
jburns80's Profile: https://forums.netiq.com/member.php?userid=10701
View this thread: https://forums.netiq.com/showthread.php?t=55731

Labels (1)
0 Likes
10 Replies
Highlighted
Knowledge Partner
Knowledge Partner


Turn it off and disable it on all servers. Then it will not cache
anything. After that you can delete it.


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159
View this thread: https://forums.netiq.com/showthread.php?t=55731

Highlighted
Knowledge Partner
Knowledge Partner

Removing a driver will not trigger transactions normally, since the
DirXML-Associations attribute itself dose not trigger transactions on
other drivers (I think Office365 may be an exception).

Unless you see 'DirXML'Associations' in a filter of another driver, you
can just delete the driver object. Note that this WILL cause a fair bit
of internal work as associations are removed from all linked object, but
unless you have millions of object you probably will not notice. You can
mitigate this in a large environment by manually deleting the appropriate
associations with a little scripting, but most environments need not worry
about that.

If you do have DirXML-Associations in a filter on the Subscriber channel
set to something other than Ignore, perhaps stop and disable that driver
config object (note: you'll stop picking up all events) and then delete
your driver. When the driver is completely deleted and things have calmed
down, re-enabled and start your driver object that has that attribute in
its filter and you should not see any of the delete events.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Highlighted
Super Contributor.
Super Contributor.

Thank you everyone for your input. The method we were following was very similar to what ab had stated. I think that's the safest approach. Just wanted to see what the consensus would be here in the forum.
0 Likes
Highlighted
Knowledge Partner
Knowledge Partner

On Mon, 18 Apr 2016 14:58:54 +0000, ab wrote:

> Removing a driver will not trigger transactions normally, since the
> DirXML-Associations attribute itself dose not trigger transactions on
> other drivers (I think Office365 may be an exception).


Yes, the Office365 driver has Dirxml-Associations in the filter for the
subscriber channel. Be careful of this one.


> Unless you see 'DirXML'Associations' in a filter of another driver, you
> can just delete the driver object. Note that this WILL cause a fair bit
> of internal work as associations are removed from all linked object, but
> unless you have millions of object you probably will not notice.


If you have even a couple of hundred thousand objects, you're going to
notice this. This is write intensive and eDirectory write operations are
a bottleneck.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
0 Likes
Highlighted
Super Contributor.
Super Contributor.


One other thing I'd like to add, we are using RBE to grant the user
account entitlement to the driver to be deleted. How will that fit in to
the removal process? I figure deleting the entitlement policy first will
spike most of the drivers since they are syncing the
DirXML-entitlementRef attribute. Can the driver be removed first and the
RBE entitlement at a later date?

I appreciate any insights.


--
joelburke
------------------------------------------------------------------------
joelburke's Profile: https://forums.netiq.com/member.php?userid=9019
View this thread: https://forums.netiq.com/showthread.php?t=55731

0 Likes
Highlighted
Knowledge Partner
Knowledge Partner


Remove the driver first and the Entitlements after.

As a general rule you should not touch the user's since that would
trigger a sync.


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159
View this thread: https://forums.netiq.com/showthread.php?t=55731

0 Likes
Highlighted
Super Contributor.
Super Contributor.


Thanks for the response. One other question. We are under pressure to
decommission an LDAP server(s). Can I disable the LDAP driver and then
let the systems team remove the server(s) Then at a later date remove
the driver and entitlements?

It's seem like that would work to me but I am unsure of the behind
scenes work that occurs when a driver is deleted and RBE entitlements
are removed.


--
joelburke
------------------------------------------------------------------------
joelburke's Profile: https://forums.netiq.com/member.php?userid=9019
View this thread: https://forums.netiq.com/showthread.php?t=55731

0 Likes
Highlighted
Knowledge Partner
Knowledge Partner

joelburke wrote:

> Thanks for the response. One other question. We are under pressure to
> decommission an LDAP server(s). Can I disable the LDAP driver and then
> let the systems team remove the server(s) Then at a later date remove
> the driver and entitlements?


Removing a disabled driver and it's entitlements involves your IDM tree only,
not the target LDAP server the driver used to connect to. No difference if it
still exists or not.

--
http://www.is4it.de/en/solution/identity-access-management/
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Highlighted
Knowledge Partner
Knowledge Partner


joelburke;267146 Wrote:
> Thanks for the response. One other question. We are under pressure to
> decommission an LDAP server(s). Can I disable the LDAP driver and then
> let the systems team remove the server(s) Then at a later date remove
> the driver and entitlements?
>
> It's seem like that would work to me but I am unsure of the behind
> scenes work that occurs when a driver is deleted and RBE entitlements
> are removed.


Do you have a plan to use same LDAP driver in the future or you don't
need this driver anymore?


--
If you find this post helpful, please show your appreciation by clicking
on the star below :cool:
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=55731

0 Likes
Highlighted
Super Contributor.
Super Contributor.


We do not plan on using the driver anymore.


--
joelburke
------------------------------------------------------------------------
joelburke's Profile: https://forums.netiq.com/member.php?userid=9019
View this thread: https://forums.netiq.com/showthread.php?t=55731

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.