
eDir Hierarchical to eDir Flat to AD Hierarchical - how to?


Are there any docs/cool solutions (I didn't seem to find any) on how to
basically take an existing IDM system:
eDir (Auth - hierarchical) -> eDir (Vault-flat) -> AD (currently flat,
but wish to replicate the eDir hierarchy to AD now)

From what I can gather, one would basically need to get the layout setup
first (ie, ou's created in AD so that they matched eDir) --either
manually or via the driver.

and then

Basically hold the dn of the user objects/group objects into another
attribute so that they go into the Vault "flat" and then transformed
into the AD side with the proper formatting?

I'm sure this isn't a unique setup, I was just hoping someone had
something written already and wouldn't mind sharing how they did it.


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=49587


Re: eDir Hierarchical to eDir Flat to AD Hierarchical - how to?

On 12/30/2013 01:14 PM, kjhurni wrote:
>
> Are there any docs/cool solutions (I didn't seem to find any) on how to
> basically take an existing IDM system:
> eDir (Auth - hierarchical) -> eDir (Vault-flat) -> AD (currently flat,
> but wish to replicate the eDir hierarchy to AD now)
>
> From what I can gather, one would basically need to get the layout setup
> first (ie, ou's created in AD so that they matched eDir) --either
> manually or via the driver.
>
> and then
>
> Basically hold the dn of the user objects/group objects into another
> attribute so that they go into the Vault "flat" and then transformed
> into the AD side with the proper formatting?


Yup, that's about it. Out of curiosity, why would you not hook MAD
directly to the hierarchical eDir environment and set it up really easily
instead of storing DNs, replicating those, and then using that somehow in
the new placement policy in the next tree over?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: eDir Hierarchical to eDir Flat to AD Hierarchical - how to?


ab;238663 Wrote:
> On 12/30/2013 01:14 PM, kjhurni wrote:
> >
> > Are there any docs/cool solutions (I didn't seem to find any) on how to
> > basically take an existing IDM system:
> > eDir (Auth - hierarchical) -> eDir (Vault-flat) -> AD (currently flat,
> > but wish to replicate the eDir hierarchy to AD now)
> >
> > From what I can gather, one would basically need to get the layout setup
> > first (ie, ou's created in AD so that they matched eDir) --either
> > manually or via the driver.
> >
> > and then
> >
> > Basically hold the dn of the user objects/group objects into another
> > attribute so that they go into the Vault "flat" and then transformed
> > into the AD side with the proper formatting?
>
> Yup, that's about it. Out of curiosity, why would you not hook MAD
> directly to the hierarchical eDir environment and set it up really easily
> instead of storing DNs, replicating those, and then using that somehow in
> the new placement policy in the next tree over?
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


I think, at the time, (this was done years ago) the thought was that the
"vault" should be the central hub/traffic director, and we would
probably eventually tie in other systems that may not be able to cope
with hierarchies, but needed to feed into "the hub" and/or AD (text
drivers, databases, etc.), rather than rely upon tying other systems
into the Auth tree to then feed into AD.

Of course, I just remembered I have to do a lot of duplicate group
object cleanup (argh)


--
kjhurni

Re: eDir Hierarchical to eDir Flat to AD Hierarchical - how to?

Sync the OU object class in the structured tree, into the flat tree in a
structure container. Then you can sync containers flat eDir to
structured AD.

Then use the DirXML-ADContext value in the AD mapping namespace to carry
the data.

So populate on new users, the DN they are in, into DirXML-ADContext,
with the ou=edirOU,o=eDirO replaced with dc=ad,dc=domain

Then sync that attr to the flat eDir. Then when it is time to place in
AD, use the DirXML-ADContext for getting the dest-dn.

Now converting via a driver would be way more fun. I suppose you could
do it, but it would be fun to play with.

Then support remapping move/renames in structured eDir to modifies to
DirXML-ADContext (in move, and also to DirXML-ADContext for renames).



On 12/30/2013 3:14 PM, kjhurni wrote:
>
> Are there any docs/cool solutions (I didn't seem to find any) on how to
> basically take an existing IDM system:
> eDir (Auth - hierarchical) -> eDir (Vault-flat) -> AD (currently flat,
> but wish to replicate the eDir hierarchy to AD now)
>
> From what I can gather, one would basically need to get the layout setup
> first (ie, ou's created in AD so that they matched eDir) --either
> manually or via the driver.
>
> and then
>
> Basically hold the dn of the user objects/group objects into another
> attribute so that they go into the Vault "flat" and then transformed
> into the AD side with the proper formatting?
>
> I'm sure this isn't a unique setup, I was just hoping someone had
> something written already and wouldn't mind sharing how they did it.
>
>



Re: eDir Hierarchical to eDir Flat to AD Hierarchical - how to?


Thanks Geoff. I forgot about renames and whatnots as well.


--
kjhurni

Re: eDir Hierarchical to eDir Flat to AD Hierarchical - how to?

On Mon, 30 Dec 2013 20:14:01 +0000, kjhurni wrote:

> Are there any docs/cool solutions (I didn't seem to find any) on how to
> basically take an existing IDM system: eDir (Auth - hierarchical) -> eDir
> (Vault-flat) -> AD (currently flat, but wish to replicate the eDir
> hierarchy to AD now)


Probably, yes.


> From what I can gather, one would basically need to get the layout setup
> first (ie, ou's created in AD so that they matched eDir) --either
> manually or via the driver.


I use something like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "/home/a02dag1/bin/designer_4.02/plugins/com.novell.idm.policybuilder_4.0.0.201210161153/DTD/dirxmlscript4.0.2.dtd">
<policy>
  <description>On a new object creation, also recursively create the destination container path as needed.</description>
  <rule>
    <description>Container Path Create</description>
    <comment xml:space="preserve">Check for, and recursively create container path for new object as needed.</comment>
    <!-- Runs for an add whose dest-dn has already been set by placement, or for a
         modify carrying niuMoveTargetDN (a site-local attribute holding the
         container an object is being moved to). -->
    <conditions>
      <and>
        <if-operation mode="case" op="equal">add</if-operation>
        <if-dest-dn op="available"/>
      </and>
      <and>
        <if-operation mode="case" op="equal">modify</if-operation>
        <if-op-attr name="niuMoveTargetDN" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- target-container: on an add, the parent of the new object
           (length="-2" drops the leaf RDN from dest-dn). -->
      <do-if>
        <arg-conditions>
          <and>
            <if-operation mode="case" op="equal">add</if-operation>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-set-local-variable name="target-container">
            <arg-string>
              <token-dest-dn length="-2"/>
            </arg-string>
          </do-set-local-variable>
        </arg-actions>
        <arg-actions/>
      </do-if>
      <!-- On a move, the target container comes from the attribute instead. -->
      <do-if>
        <arg-conditions>
          <and>
            <if-operation mode="case" op="equal">modify</if-operation>
            <if-op-attr name="niuMoveTargetDN" op="available"/>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-set-local-variable name="target-container" scope="policy">
            <arg-string>
              <token-op-attr name="niuMoveTargetDN"/>
            </arg-string>
          </do-set-local-variable>
        </arg-actions>
        <arg-actions/>
      </do-if>
      <!-- Query the destination for the container's Object Class; an empty
           result means the container does not exist yet. -->
      <do-set-local-variable name="does-target-exist" scope="policy">
        <arg-string>
          <token-dest-attr class-name="Organizational Unit" name="Object Class">
            <arg-dn>
              <token-local-variable name="target-container"/>
            </arg-dn>
          </token-dest-attr>
        </arg-string>
      </do-set-local-variable>
      <!-- Only do the work when the container is missing (variable equals ""). -->
      <do-if>
        <arg-conditions>
          <and>
            <if-local-variable mode="nocase" name="does-target-exist" op="equal"/>
          </and>
        </arg-conditions>
        <arg-actions>
          <!-- Convert the LDAP DN to qualified-slash form (root first) and split
               it on backslashes so the path can be walked from the top down. -->
          <do-set-local-variable name="target-container-slash-dn" scope="policy">
            <arg-string>
              <token-parse-dn dest-dn-format="qualified-slash" src-dn-format="ldap">
                <token-local-variable name="target-container"/>
              </token-parse-dn>
            </arg-string>
          </do-set-local-variable>
          <do-set-local-variable name="target-container-ns" scope="policy">
            <arg-node-set>
              <token-split delimiter="\\">
                <token-local-variable name="target-container-slash-dn"/>
              </token-split>
            </arg-node-set>
          </do-set-local-variable>
          <do-for-each>
            <arg-node-set>
              <token-local-variable name="target-container-ns"/>
            </arg-node-set>
            <arg-actions>
              <!-- Accumulate the path one component per iteration. -->
              <do-set-local-variable name="dest-path" scope="policy">
                <arg-string>
                  <token-local-variable name="dest-path"/>
                  <token-text xml:space="preserve">\</token-text>
                  <token-local-variable name="current-node"/>
                </arg-string>
              </do-set-local-variable>
              <do-set-local-variable name="dest-path-ns" scope="policy">
                <arg-node-set>
                  <token-split delimiter="\\">
                    <token-substring start="1">
                      <token-local-variable name="dest-path"/>
                    </token-substring>
                  </token-split>
                </arg-node-set>
              </do-set-local-variable>
              <!-- The top-level components (the AD domain root) are assumed to
                   exist and are never created; the "3" is site-specific and
                   must match the depth of your own naming context. -->
              <do-if>
                <arg-conditions>
                  <and>
                    <if-xpath op="true">count($dest-path-ns) > 3</if-xpath>
                  </and>
                </arg-conditions>
                <arg-actions>
                  <do-set-local-variable name="test-dest-path" scope="policy">
                    <arg-string>
                      <token-dest-attr class-name="Organizational Unit" name="Object Class">
                        <arg-dn>
                          <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
                            <token-local-variable name="dest-path"/>
                          </token-parse-dn>
                        </arg-dn>
                      </token-dest-attr>
                    </arg-string>
                  </do-set-local-variable>
                  <do-if>
                    <arg-conditions>
                      <and>
                        <if-local-variable mode="nocase" name="test-dest-path" op="equal"/>
                      </and>
                    </arg-conditions>
                    <arg-actions>
                      <do-trace-message>
                        <arg-string>
                          <token-text xml:space="preserve">Create Container: </token-text>
                          <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
                            <token-local-variable name="dest-path"/>
                          </token-parse-dn>
                        </arg-string>
                      </do-trace-message>
                      <!-- when="before": the OU add is submitted ahead of the
                           current event, so the parent exists when the object
                           itself is added or moved. -->
                      <do-add-dest-object class-name="Organizational Unit" when="before">
                        <arg-dn>
                          <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
                            <token-local-variable name="dest-path"/>
                          </token-parse-dn>
                        </arg-dn>
                      </do-add-dest-object>
                    </arg-actions>
                    <arg-actions>
                      <do-trace-message>
                        <arg-string>
                          <token-text xml:space="preserve">Container Exists: </token-text>
                          <token-local-variable name="dest-path"/>
                        </arg-string>
                      </do-trace-message>
                    </arg-actions>
                  </do-if>
                </arg-actions>
                <arg-actions>
                  <do-trace-message>
                    <arg-string>
                      <token-text xml:space="preserve">Skipping: </token-text>
                      <token-local-variable name="dest-path"/>
                    </arg-string>
                  </do-trace-message>
                </arg-actions>
              </do-if>
            </arg-actions>
          </do-for-each>
        </arg-actions>
        <arg-actions/>
      </do-if>
    </actions>
  </rule>
</policy>

to dynamically create container structure(s) as needed.


> Basically hold the dn of the user objects/group objects into another
> attribute so that they go into the Vault "flat" and then transformed
> into the AD side with the proper formatting?


Yeah, just make it a simple C_I_String so that it passes easily. Handle
object create and move events by setting the string to a new value (one
side), then use the changing value to generate the correct dest-dn for a
create or move (on the other side).


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
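As an added example that is not part of any post in this thread, the following Python models the DN handling that both Geoff's DirXML-ADContext scheme and David's recursive container policy rely on: rewrite a hierarchical eDir DN into the AD container that gets carried in DirXML-ADContext, list the OUs that must be created top-down before the object is placed, and compose the AD dest-dn. It is a model of the logic, not a DirXML policy; the eDir base (o=acme), the AD base (dc=ad,dc=acme,dc=com), the OU names and the user are all made up. Two things it handles that a plain string replace does not: RDN values containing commas or backslashes are split and escaped per RFC 4514 rather than on bare commas, and the carried context is checked to sit under the expected AD base and to consist of OUs only, because DirXML-ADContext is an ordinary string attribute and whoever can write it in the vault decides where the account lands in AD.

```python
"""Added illustration for this thread, not the posters' code: a Python model of
the DN handling that the DirXML policies described above perform on the
vault -> AD driver. Bases, OUs and names are made up for the example."""
from typing import List


def split_rdns(dn: str) -> List[str]:
    """Split an LDAP DN into its RDN strings, leaf first.

    A comma preceded by a backslash belongs to the value (RFC 4514), so
    'cn=Smith\\, John,ou=hr,o=acme' yields three RDNs, not four.
    """
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def _strip_base(dn: str, base_dn: str) -> List[str]:
    """RDNs of dn above base_dn (leaf first); raises if dn is not at or below it.
    The base match is case-insensitive; the path above it is returned verbatim."""
    rdns, base = split_rdns(dn), split_rdns(base_dn)
    cut = len(rdns) - len(base)
    if cut < 0 or [r.lower() for r in rdns[cut:]] != [b.lower() for b in base]:
        raise ValueError(f"{dn!r} is not under {base_dn!r}")
    return rdns[:cut]


def ad_container_for(edir_dn: str, edir_base: str, ad_base: str) -> str:
    """Value to write into DirXML-ADContext when an object is created (or moved)
    in eDir: its parent container with the eDir base swapped for the AD base."""
    above = _strip_base(edir_dn, edir_base)
    if not above:
        raise ValueError(f"{edir_dn!r} is the base itself, not an object under it")
    return ",".join(above[1:] + split_rdns(ad_base))


def containers_to_create(ad_container: str, ad_base: str) -> List[str]:
    """OUs that must exist for ad_container, root-first, excluding the domain root.
    Mirrors the recursive container-create policy: walk the path top-down so
    each OU's parent is created before the OU itself."""
    path = _strip_base(ad_container, ad_base)
    base = split_rdns(ad_base)
    return [",".join(path[depth:] + base) for depth in range(len(path) - 1, -1, -1)]


def is_placeable(ad_context: str, ad_base: str) -> bool:
    """Accept a carried context only if it lies below the AD base and is all OUs.
    The context is a plain string synchronised through the vault, so treat it
    as untrusted: no other subtree, and no non-OU container such as cn=Users."""
    try:
        path = _strip_base(ad_context, ad_base)
    except ValueError:
        return False
    return bool(path) and all(r.lower().startswith("ou=") for r in path)


def dest_dn(cn: str, ad_context: str, ad_base: str) -> str:
    """dest-dn for the AD add, or the target of a move when DirXML-ADContext changes."""
    if not is_placeable(ad_context, ad_base):
        raise ValueError(f"refusing to place object under {ad_context!r}")
    return f"cn={escape_rdn_value(cn)},{ad_context}"


if __name__ == "__main__":
    EDIR_BASE, AD_BASE = "o=acme", "dc=ad,dc=acme,dc=com"
    user = "cn=Smith\\, John,ou=payroll,ou=hr,o=acme"  # constructed sample DN
    ctx = ad_container_for(user, EDIR_BASE, AD_BASE)
    print("DirXML-ADContext:", ctx)
    for ou in containers_to_create(ctx, AD_BASE):
        print("ensure OU exists:", ou)
    print("dest-dn:", dest_dn("Smith, John", ctx, AD_BASE))
    print("cn=Users accepted?", is_placeable("cn=Users," + AD_BASE, AD_BASE))
```

Mapping back to the driver: ad_container_for is what the eDir-side policy writes into DirXML-ADContext on an add and again on a move or rename of a parent container; containers_to_create is the loop the container-create policy runs before the add; dest_dn is the placement policy, and a modify of DirXML-ADContext on the AD side becomes a move to dest_dn computed from the new value, after the same is_placeable check.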

Re: eDir Hierarchical to eDir Flat to AD Hierarchical - how to?


Thanks David! That gives me something to start with.


--
kjhurni