Welcome to Cool Solutions

How to do reconciliation in IDM 3.5

IDM – Reconciliation for AD

• This document describes the setup and configuration for performing reconciliation against the AD system.

• Both the IDM AD and Null drivers are used.

• Testing of the AD reconciliation was performed on the following setup:

  • IDM engine on SLES10 VM – 1GB memory

  • AD driver (RL) on Windows 2003 server VM – 1GB memory

  • Query results limit set to 50
    per query

  • 100,000 users in AD

  • Time taken: approximately 1 hour

  • CPU utilization on the Windows 2003 VM stayed below 5% most of the time, with occasional spikes to about 20%.

• The setup and configuration will need to be tested for other target systems.

IDVault setup

1. This process works only for IDM drivers/target systems that support the query-ex function.

2. A new effective object class was created in the IDVault, with the following attributes:

3. A new ReconMark-class object is created for each target system that:

   1. has an IDM driver

   2. will have reconciliation performed against it

4. In the test environment, the .ADRecon.system object was created.

5. A screenshot of the LDAP view of the ADRecon object is shown below.

Click to view.

IDM AD Driver Modifications

1. AD driver filter

   1. Modified to allow the object
      class “ReconMark” and associated attributes.

   2. See screen capture below for
      details.

Click to view.

2. Subscriber Event Transform

   1. The “TriggerTokenQuery” policy is added to the AD Subscriber Event Transform.

   2. Two rules are contained in “TriggerTokenQuery”:

      1. TriggerTokenQuery

         1. Starts the reconciliation process by inserting a “query” event, when a change in the “ReconStart” attribute of the ADRecon object is detected.

         2. A specific event-id is created for the query event.

         3. Sets the ReconComplete attribute of the ADRecon object to “0” (false).

         4. Clears the ReconResults attribute values of the ADRecon object.

      2. ContinueTokenQuery

         1. Detects a change in the “ReconCont” attribute, and inserts a “query-ex” to continue the query
            operation, using the “ReconContToken” attribute value.

3. Publisher Input Transform

   1. The “QueryExReturn” rule is added to the AD Publisher Input Transform.

   2. This policy is triggered only for events that have the specific event-id the AD reconciliation
      process will have.

      1. The query-results will always have this event-id.

   3. The rule will set a local variable “dredge-complete” to false.

   4. The query results are processed, with each node being processed as follows:

      1. For every query-result instance:

         1. If the user object is associated in the IDVault, veto the instance. No further action is required.

         2. If the user object is NOT associated in the IDVault, write the user object source-DN into the ReconResults attribute of the ADRecon object, then veto the instance.

      2. If a “query-token” node is found, this indicates that the query-ex operation is not complete, and more results are expected. The following action will be taken:

         1. Write the query-token value to the ReconContToken attribute of the ADRecon object.

            • This value will be used to indicate which query-ex operation is being continued.

         2. Set the ReconContTemp attribute of the ADRecon object to the current time, in milliseconds
            since 1 January 1970.

            • This is used to workaround the loop-back detection of the IDM engine/driver.

            • Milliseconds is used to ensure that there will be changes to the value.

         3. Set the local variable “dredge-complete” to “false”, to indicate the query-ex process has not
            been completed.

      3. The last node in the results will always be “query-status”.

         1. If the local variable “dredge-complete” is “true”, then set the “ReconComplete” attribute of the ADRecon object to “true”.

         2. Else take no action.

IDM Null Driver Modifications

1. Null driver filter

   1. Modified to allow the object class “ReconMark” and associated attributes.

   2. See screen capture below for details.

Click to view.

2. Subscriber Event Transform

   1. The policy “ContinueDredge” is added to the Subscriber Event Transform.

   2. The rule “ContinueDredge” is added to the policy, and performs the following:

      1. If the attribute “ReconContTemp” value is changing for the ADRecon object, then write the value into the “ReconCont” attribute of the ADRecon object.

Work to be completed

1. Configure a workflow to initiate the reconciliation process, with the following proposed functionality (may not implement all):

   1. User can select the target system to perform the reconciliation process against, from a drop-down
      list.

      1. This will require the ReconMark objects to be created for each target system.

   2. User can specify the date/time to start the reconciliation process (schedule).

   3. User can specify who to send the reconciliation results to.

   4. The workflow will create the necessary work order/job to schedule the reconciliation.

   5. Upon initiation, the workflow should watch for completion of the reconciliation process, by monitoring the ReconComplete attribute of the specific ReconMark object. You can sleep for 1 minute and check the the completion attribute value, if it is done already, you can actually retrieve the recon result and display on the page for next action

   6. Upon completion of the reconciliation process, query the ReconResults attribute for the un-associated user objects, and return the results to the designated recipient.