Problem
A Forum reader recently asked:
"I am having some issues with password synchronization with the Active Directory driver.
The scenario: In eDirectory I have a User container, and in Active Directory I have different OUs according to the department. The placement policy in the Active Directory driver places the users in respective OUs in the connected system.
I enabled the bidirectional Password Synchronization, and it is working fine between AD and eDirectory. But I want to synchronize the password only for a particular OU in AD. For example, with 3 OUs (X, Y, Z) in the AD system, I want to synchronize the password only for the users under the container Y, and the passwords for the users under the OUs X and Z should not get synchronized.
I heard there is a way in IDM 3.5 to enable OU-level password synchronization ..."
And here's the response from Father Ramon ...
Solution
There are a number of ways that policies can be parameterized so they can be driven by data outside of the policies. The exact details of how you would do that are going to depend greatly on the exact details of what you are trying to accomplish. There are a number of enhancements in IDM 3.5 that simplify common types of access to external data as well as simplify the use of that data.
The new IDM 3.5 features that may be useful to you are:
- Variable expansion in static parameters
- Mapping Tables
- Nested If-then-else
- While Loops
- Resolve token
- XML Parse token
- Document token
Here's how I think I would do it:
1. Define a GCV of type "list" to hold the list of containers that should have passwords synchronized:
<configuration-values>
  <definitions>
    <definition display-name="Password Sync AD Containers" name="pwd-sync-containers" type="list">
      <description>Containers in AD where password sync is allowed</description>
      <value>
        <item>dc=com,dc=novell,ou=Sales</item>
        <item>dc=com,dc=novell,ou=Support</item>
      </value>
    </definition>
  </definitions>
</configuration-values>
2. Add a policy like the following to the end of the subscriber command transformation.
<policy>
  <rule>
    <description>Filter Password Sync on Destination Container</description>
    <conditions>
      <and>
        <if-password op="available" />
      </and>
    </conditions>
    <actions>
      <do-if>
        <arg-conditions>
          <and>
            <if-operation mode="case" op="equal">modify-password</if-operation>
            <if-dest-dn op="not-available" />
          </and>
        </arg-conditions>
        <arg-actions>
          <do-set-op-dest-dn>
            <arg-dn>
              <token-resolve datastore="dest">
                <arg-association>
                  <token-association />
                </arg-association>
              </token-resolve>
            </arg-dn>
          </do-set-op-dest-dn>
        </arg-actions>
      </do-if>
      <do-for-each>
        <arg-node-set>
          <token-global-variable name="pwd-sync-containers" />
        </arg-node-set>
        <arg-actions>
          <do-if>
            <arg-conditions>
              <and>
                <if-dest-dn op="in-subtree">$current-node$</if-dest-dn>
              </and>
            </arg-conditions>
            <arg-actions>
              <do-break />
            </arg-actions>
          </do-if>
        </arg-actions>
      </do-for-each>
      <do-if>
        <arg-conditions>
          <and>
            <if-operation mode="case" op="equal">modify-password</if-operation>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-veto />
        </arg-actions>
        <arg-actions>
          <do-strip-xpath expression="password" />
        </arg-actions>
      </do-if>
    </actions>
  </rule>
</policy>
3. Add a policy like the following to the publisher event transformation:
<policy>
  <rule>
    <description>Filter Password Sync on Source Container</description>
    <conditions>
      <and>
        <if-operation mode="case" op="equal">modify-password</if-operation>
      </and>
    </conditions>
    <actions>
      <do-for-each>
        <arg-node-set>
          <token-global-variable name="pwd-sync-containers" />
        </arg-node-set>
        <arg-actions>
          <do-if>
            <arg-conditions>
              <and>
                <if-src-dn op="in-subtree">$current-node$</if-src-dn>
              </and>
            </arg-conditions>
            <arg-actions>
              <do-break />
            </arg-actions>
          </do-if>
        </arg-actions>
      </do-for-each>
      <do-veto />
    </actions>
  </rule>
</policy>
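The decision logic of the two policies above, modelled in plain Python so the veto / strip / pass outcomes can be checked on sample commands. This is an added illustration for this page, not Father Ramon's policy and not Novell or IDM code. It assumes LDAP-format DNs written leaf-first (cn=user,ou=Sales,dc=novell,dc=com), an in-memory table standing in for the Resolve token's association lookup, and the GUID strings, user names and XDS fragments below, all of which are constructed for the example.

```python
"""Model of the container-scoped password-sync filter described above.

Added example, not the page's own code: it re-implements the decision logic
of the subscriber command-transformation rule and the publisher
event-transformation rule in Python. Assumed (not from the page): leaf-first
LDAP DNs, an in-memory association table in place of the Resolve token, and
all sample GUIDs, DNs and XDS fragments.
"""
import xml.etree.ElementTree as ET

# Stands in for the "pwd-sync-containers" list GCV (leaf-first LDAP order assumed).
PWD_SYNC_CONTAINERS = ["ou=Sales,dc=novell,dc=com", "ou=Support,dc=novell,dc=com"]

# Stands in for <token-resolve datastore="dest">: association value -> AD DN (made up).
ASSOCIATIONS = {
    "{11111111-aaaa}": "CN=alice,OU=Sales,DC=novell,DC=com",
    "{22222222-bbbb}": "CN=bob,OU=Engineering,DC=novell,DC=com",
}


def split_dn(dn):
    """Split an LDAP DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep both, never split here
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip().lower())
    return rdns


def in_subtree(dn, container):
    """Component-wise in-subtree test: dn equals container or lies beneath it."""
    d, c = split_dn(dn), split_dn(container)
    return len(d) >= len(c) and d[-len(c):] == c


def allowed_container(dn):
    """True when dn sits under one of the listed containers (empty dn never matches)."""
    return bool(dn) and any(in_subtree(dn, c) for c in PWD_SYNC_CONTAINERS)


def subscriber_filter(xds_xml):
    """Subscriber command-transformation rule. Returns (outcome, command element).

    outcome is 'passed' (sync allowed, the rule's Break), 'vetoed' (modify-password
    outside the list) or 'stripped' (add/modify kept, its <password> removed)."""
    cmd = ET.fromstring(xds_xml)
    if cmd.find("password") is None:          # rule condition: password available
        return "passed", cmd
    dest_dn = cmd.get("dest-dn", "")
    if cmd.tag == "modify-password" and not dest_dn:
        # Resolve the association to a DN so the in-subtree test has a value.
        dest_dn = ASSOCIATIONS.get(cmd.findtext("association", ""), "")
        cmd.set("dest-dn", dest_dn)
    if allowed_container(dest_dn):
        return "passed", cmd
    if cmd.tag == "modify-password":
        return "vetoed", None                 # nothing else in the command worth keeping
    for pw in cmd.findall("password"):        # else branch: keep the add, drop the password
        cmd.remove(pw)
    return "stripped", cmd


def publisher_filter(xds_xml):
    """Publisher event-transformation rule: veto modify-password from other OUs."""
    evt = ET.fromstring(xds_xml)
    if evt.tag != "modify-password":
        return "passed"
    return "passed" if allowed_container(evt.get("src-dn", "")) else "vetoed"


# Constructed XDS commands/events (sample data for this example only).
SUB_MODPW_ASSOC_SALES = (
    '<modify-password class-name="User"><association>{11111111-aaaa}</association>'
    '<password>Secret1!</password></modify-password>')
SUB_MODPW_ASSOC_ENG = (
    '<modify-password class-name="User"><association>{22222222-bbbb}</association>'
    '<password>Secret2!</password></modify-password>')
SUB_ADD_ENG = (
    '<add class-name="User" dest-dn="CN=carol, OU=Engineering, DC=novell, DC=com">'
    '<add-attr attr-name="sAMAccountName"><value>carol</value></add-attr>'
    '<password>Secret3!</password></add>')
SUB_ADD_ESCAPED = (
    '<add class-name="User" dest-dn="CN=Smith\\, John,OU=Support,DC=novell,DC=com">'
    '<password>Secret4!</password></add>')
PUB_MODPW_ENG = ('<modify-password class-name="User" '
                 'src-dn="CN=dave,OU=Engineering,DC=novell,DC=com">'
                 '<password>x</password></modify-password>')
PUB_MODPW_SUPPORT = ('<modify-password class-name="User" '
                     'src-dn="CN=erin,OU=Support,DC=novell,DC=com">'
                     '<password>x</password></modify-password>')


def run_demo():
    """Exercise both rules on the samples; returns a name -> outcome map."""
    return {
        "sub_modpw_sales": subscriber_filter(SUB_MODPW_ASSOC_SALES)[0],
        "sub_modpw_eng": subscriber_filter(SUB_MODPW_ASSOC_ENG)[0],
        "sub_add_eng": subscriber_filter(SUB_ADD_ENG)[0],
        "sub_add_escaped": subscriber_filter(SUB_ADD_ESCAPED)[0],
        "pub_modpw_eng": publisher_filter(PUB_MODPW_ENG),
        "pub_modpw_support": publisher_filter(PUB_MODPW_SUPPORT),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:20s} {outcome}")
```

The early return on a match plays the role of the rule's Break, which ends the whole rule rather than just the loop; that is what lets a password-only change for a listed container skip the veto. Two points the model makes visible: an add that targets an unlisted OU still creates the account, only without its password, whereas a modify-password for such an OU carries nothing else and is simply dropped; and the subtree test compares DN components after trimming and case-folding, so the GCV values must be in the same component order and format the driver reports for dest-dn and src-dn (check a trace), or no entry ever matches and every password is vetoed.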
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.