UPDATE! The community will go into read-only on April 19, 8am Pacific in preparation for migration on April 21.
Absent Member.
813 views

Using psexecute attribute

Hi
I noticed from the Azure AD driver documentation the capability to run PowerShell commands by adding the psexecute attribute with a PowerShell command as its value.
This is part of the Exchange Service: https://www.netiq.com/documentation/identity-manager-47-drivers/msazure_ad/data/understanding-identity-manager-exchange-service.html

I'd like to read nodes (Name) from the returned instance document, and that is not possible in the starting policy, the Input Transformation or a following policy.
It returns a fine instance document, but I don't understand how I can access it.

1. Add the attribute psexecute with a value, for example Get-MSolDomain. This is processed after the policy in which it was set has completed.

<modify class-name="User" event-id="idm1#20181121065444#1#1:a60f9816-1387-44aa-aa79-16980fa68713" qualified-src-dn="O=vault\OU=data\OU=Users\CN=user"
src-dn="\VAULT-TREE\vault\data\Users\user" src-entry-id="36212">
<association>dd040518-729f-427f-be70-90f6a81fe964</association>
<modify-attr attr-name="psexecute">
<remove-all-values/>
<add-value>
<value type="string">Get-MSolDomain</value>
</add-value>
</modify-attr>
</modify>


2. The shim returns an instance document with the values returned from PowerShell.

[11/21/18 08:54:48.565]:Azure AD Driver ST: Remote Interface Driver: Received command: SUBSCRIBER REPLY(10).
[11/21/18 08:54:48.566]:Azure AD Driver ST: SubscriptionShim.execute() returned:
[11/21/18 08:54:48.567]:Azure AD Driver ST:
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20180222_0642" instance="Azure AD Driver" version="5.1.0.0">Identity Manager Driver for Azure AD and Office 365</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="idm1#20181121065444#1#1:a60f9816-1387-44aa-aa79-16980fa68713" level="success"/>
<instance class-name="PSObject" event-id="0">
<attr attr-name="ExtensionData">
<value type="structured"/>
</attr>
<attr attr-name="Authentication">
<value>0</value>
</attr>
<attr attr-name="Capabilities">
<value>5</value>
</attr>
<attr attr-name="IsDefault">
<value>false</value>
</attr>
<attr attr-name="IsInitial">
<value>false</value>
</attr>
<attr attr-name="Name">
<value>emaildomain.fi</value>
</attr>

<attr attr-name="Status">
<value>1</value>
</attr>
<attr attr-name="VerificationMethod">
<value>1</value>
</attr>
</instance>
<status event-id="idm1#20181121065444#1#1:a60f9816-1387-44aa-aa79-16980fa68713" level="success" type="powershell"/>
</output>
</nds>
[11/21/18 08:54:48.609]:Azure AD Driver ST: Processing returned document.
[11/21/18 08:54:48.610]:Azure AD Driver ST: Processing operation <status> for .
[11/21/18 08:54:48.610]:Azure AD Driver ST:
DirXML Log Event -------------------
Driver: \VAULT-TREE\vault\services\DriverSet\Azure AD Driver
Channel: Subscriber
Object: \VAULT-TREE\vault\data\Users\user
Status: Success
[11/21/18 08:54:48.616]:Azure AD Driver ST: Processing operation <instance> for .
[11/21/18 08:54:48.617]:Azure AD Driver ST: Processing operation <status> for .
[11/21/18 08:54:48.617]:Azure AD Driver ST:
DirXML Log Event -------------------
Driver: \VAULT-TREE\vault\services\DriverSet\Azure AD Driver
Channel: Subscriber
Object: \VAULT-TREE\vault\data\Users\user
Status: Success


3. After the instance document is displayed in the trace, the original modify document is returned to the flow and processing continues with the original event in the following policy.

[11/21/18 08:54:48.663]:Azure AD Driver ST:Policy returned:
[11/21/18 08:54:48.663]:Azure AD Driver ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.7.1.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="User" event-id="idm1#20181121065444#1#1:a60f9816-1387-44aa-aa79-16980fa68713" from-merge="true" qualified-src-dn="O=vault\OU=data\OU=Users\CN=user" src-dn="\VAULT-TREE\vault\data\Users\user" src-entry-id="36212">
<association>dd040518-729f-427f-be70-90f6a81fe964</association>
<modify-attr attr-name="Attr">
...
</modify-attr>
</modify>
</input>
</nds>
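The instance document in step 2 is only visible in the driver trace; the policy never sees it. As an added example (not code from the original post or from the NetIQ driver), the following script reads the PowerShell results back out of a trace file offline. The sample trace it runs on is constructed from the trace above (event-ids shortened, a second domain added); the element names it relies on (nds/output/status/instance/attr/value and the trailing status with type="powershell") are the ones visible in the posted trace.

```python
"""Parse the instance document the Azure AD driver shim returns after a
psexecute command, so the PowerShell results can be read offline from a trace.
Added example, not code from the original post or the NetIQ driver. The sample
trace is constructed from the posted one (event-ids shortened, a second domain
added); the element names relied on (nds/output/status/instance/attr/value,
the trailing <status type="powershell">) are those visible in the posted trace.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the shim reply, then the document the policy returned
# afterwards (the original modify under <input>, which carries no results).
SAMPLE_TRACE = """\
[11/21/18 08:54:48.566]:Azure AD Driver ST: SubscriptionShim.execute() returned:
[11/21/18 08:54:48.567]:Azure AD Driver ST:
<nds dtdversion="2.0" ndsversion="8.x">
<output>
<status event-id="idm1#1" level="success"/>
<instance class-name="PSObject" event-id="0">
<attr attr-name="ExtensionData">
<value type="structured"/>
</attr>
<attr attr-name="IsDefault">
<value>false</value>
</attr>
<attr attr-name="Name">
<value>emaildomain.fi</value>
</attr>
</instance>
<instance class-name="PSObject" event-id="0">
<attr attr-name="Name">
<value>second.example</value>
</attr>
</instance>
<status event-id="idm1#1" level="success" type="powershell"/>
</output>
</nds>
[11/21/18 08:54:48.663]:Azure AD Driver ST:Policy returned:
<nds dtdversion="4.0" ndsversion="8.x">
<input>
<modify class-name="User" event-id="idm1#1" from-merge="true"/>
</input>
</nds>
"""

# Each <nds>...</nds> document is one contiguous block in the trace; only the
# lines before it carry the "[timestamp]:Azure AD Driver ST:" prefix.
NDS_DOC = re.compile(r"<nds\b.*?</nds>", re.DOTALL)


def extract_nds_documents(trace_text):
    """Return every <nds> document embedded in a trace, in order."""
    return [m.group(0) for m in NDS_DOC.finditer(trace_text)]


def parse_psexecute_result(nds_xml):
    """Parse one shim reply into (powershell_status_level, objects).

    objects holds one dict per <instance>, mapping attr-name to a list of
    values; a <value type="structured"/> becomes None since the trace shows no
    content for it. Raises ValueError for a document without <output>.
    """
    root = ET.fromstring(nds_xml)
    output = root.find("output")
    if output is None:
        raise ValueError("not a shim reply: no <output> element")
    objects = []
    for inst in output.findall("instance"):
        obj = {}
        for attr in inst.findall("attr"):
            obj[attr.get("attr-name")] = [
                None if v.get("type") == "structured" else (v.text or "").strip()
                for v in attr.findall("value")
            ]
        objects.append(obj)
    # The second <status>, marked type="powershell", reports the command itself.
    ps_level = None
    for status in output.findall("status"):
        if status.get("type") == "powershell":
            ps_level = status.get("level")
    return ps_level, objects


def domain_names(trace_text):
    """Collect the Name of every PSObject in successful shim replies."""
    names = []
    for doc in extract_nds_documents(trace_text):
        try:
            level, objects = parse_psexecute_result(doc)
        except ValueError:
            continue  # e.g. the policy-returned <input> document from step 3
        if level == "success":
            for obj in objects:
                names.extend(obj.get("Name", []))
    return names


if __name__ == "__main__":
    print(domain_names(SAMPLE_TRACE))
```

To use it on a real trace, read the trace file into a string and pass it to domain_names (or to parse_psexecute_result per document if you want every attribute, not just Name). The document the policy returns afterwards (step 3) has an input element rather than output, so it is skipped; check the status with type="powershell" before trusting the instance values, since the first status only reports that the modify itself succeeded.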

3 Replies
Knowledge Partner

On 11/21/2018 2:34 AM, vm luotonen wrote:
>
> Hi
> I noticed from the Azure AD driver documentation the capability to run
> PowerShell commands by adding the psexecute attribute with a PowerShell
> command as its value.
> This is part of the Exchange Service:
>
> https://www.netiq.com/documentation/identity-manager-47-drivers/msazure_ad/data/understanding-identity-manager-exchange-service.html
>
> I'd like to read nodes (Name) from the returned instance document, and that
> is not possible in the starting policy, the Input Transformation or a
> following policy.


So NetIQ sells a Scripting driver for fuller PowerShell support. They
sell an Azure/Office 365 driver for fuller Azure/O365 PowerShell
support (sort of).

The psexecute built into the AD driver is not meant to replace that.
Though it would be nice, would it not?

Thus you can send commands in via psexecute, but you just get success
or failure back, alas.

Sorry. Now, as part of your PS you might have it collect the name
and write it via LDAP back to your directory, but I have never tried that.

Absent Member.

Thanks Geoff!
Knowledge Partner

I agree with Geoffrey: the full Scripting driver can be the best choice, but for some small tasks the built-in PSEXECUTE can be good enough.

I believe this "Using Powershell in the NetIQ AD connector" article can help a little bit:
https://www.linkedin.com/pulse/using-powershell-netiq-ad-connector-sjoerd-korfage/
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.