
Synchronizing eDir-2-eDir, Flat to Hierarchical

Novell Cool Solutions: Feature
By William C Schneider


Posted: 13 Sep 2006

Problem

You want to synchronize users from a flat eDirectory tree into a hierarchical tree, using an attribute on each user that holds the portion of the destination DN (the container path) the user belongs in. You also want to synchronize only selected users, not every user in the flat tree.

Solution

1. Create an attribute with the Case Ignore String syntax. This example calls it orgContext.

2. Add the new attribute to the driver filter of both drivers. On the flat tree driver, add it with the Synchronize option on both channels.

3. On the hierarchical tree driver, add it as Notify on the Publisher channel and Synchronize on the Subscriber channel.

4. Place the following policies in the two drivers. What each one does is described below it.

Flat Tree eDir-2-eDir Driver

Subscriber Event Transform:

<?xml version="1.0" encoding="UTF-8"?><policy>
	<rule>
		<description>Account Deleted</description>
		<conditions>
			<and>
				<if-association op="associated"/>
				<if-operation op="equal">delete</if-operation>
			</and>
		</conditions>
		<actions>
			<do-break/>
		</actions>
	</rule>
	<rule>
		<description>orgContext Unavailable</description>
		<conditions>
			<and>
				<if-attr name="orgContext" op="not-available"/>
				<if-op-attr name="orgContext" op="not-changing"/>
			</and>
		</conditions>
		<actions>
			<do-veto/>
		</actions>
	</rule>
</policy>

The first rule lets a delete of an already-associated user through (do-break skips the remaining rule). The second vetoes any event for a user that has no orgContext value and is not being given one in this event. Only users for whom orgContext has been set therefore reach the hierarchical tree.

Input Transform:

<?xml version="1.0" encoding="UTF-8"?><policy>
   <rule>
      <description>Block: Adds and Renames</description>
      <conditions>
         <or>
            <if-operation op="equal">add</if-operation>
            <if-operation op="equal">rename</if-operation>
         </or>
      </conditions>
      <actions>
         <do-veto/>
      </actions>
   </rule>
   <rule>
      <description>Block: Modify Except orgContext</description>
      <conditions>
         <and>
            <if-operation op="equal">modify</if-operation>
            <if-op-attr name="orgContext" op="not-available"/>
         </and>
      </conditions>
      <actions>
         <do-veto/>
      </actions>
   </rule>
   <rule>
      <description>Delete: Remove Association</description>
      <conditions>
         <and>
            <if-operation op="equal">delete</if-operation>
         </and>
      </conditions>
      <actions>
         <do-remove-association direct="true">
            <arg-association>
               <token-association/>
            </arg-association>
         </do-remove-association>
         <do-clear-dest-attr-value direct="true" name="orgContext"/>
         <do-veto/>
      </actions>
   </rule>
</policy>

This policy blocks changes made in the hierarchical tree from being applied to the flat tree (the Identity Vault of this driver): adds and renames are vetoed, and modifies are vetoed unless they carry orgContext. When a user is deleted in the hierarchical tree, the last rule removes the association and clears orgContext on the flat-tree user before vetoing the delete, so the user survives in the flat tree but is no longer synchronized until orgContext is set again.

Hierarchical Tree Driver

Publisher Matching Rule:

<rule>
	<description>User Found - Update orgContext and Description</description>
	<conditions>
		<and>
			<if-class-name op="equal">User</if-class-name>
			<!-- only fires once an earlier matching rule has found the user, i.e. a destination DN exists -->
			<if-dest-dn op="available"/>
		</and>
	</conditions>
	<actions>
		<!-- write the matched user's container path (below the tree name and the O, upper case)
		     back to orgContext on the flat tree (the source of this channel) -->
		<do-set-src-attr-value name="orgContext">
			<arg-value type="string">
				<token-upper-case>
					<token-parse-dn length="-2">
						<token-dest-dn start="2"/>
					</token-parse-dn>
				</token-upper-case>
			</arg-value>
		</do-set-src-attr-value>
		<!-- stamp the hierarchical-tree user with the date it was merged -->
		<do-add-dest-attr-value name="Description">
			<arg-value type="string">
				<token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">Merged from IDM Sync on </token-text>
				<token-xpath expression="jformat:format(jformat:new('MM/dd/yyyy:HH.mm.ss'),jdate:new())"/>
			</arg-value>
		</do-add-dest-attr-value>
	</actions>
</rule>

This rule is added to the existing Publisher Matching policy, after the rule that finds the match: it only fires once a destination DN is available, i.e. an existing user has been found in the hierarchical tree. It then writes that user's current container path (without the tree name and the O, in upper case) back into orgContext on the flat tree, so the attribute reflects where the user actually lives, and adds a dated Description value to the matched user.

Publisher Placement:

<?xml version="1.0" encoding="UTF-8"?><policy>
	<rule>
		<description>Users</description>
		<conditions>
			<or>
				<if-class-name op="equal">User</if-class-name>
			</or>
		</conditions>
		<actions>
			<do-set-op-dest-dn>
				<arg-dn>
					<token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">uthsc\</token-text>
					<token-attr name="orgContext"/>
					<token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">\</token-text>
					<token-src-name/>
				</arg-dn>
			</do-set-op-dest-dn>
		</actions>
	</rule>
</policy>

This rule builds the full destination DN from the orgContext value: uthsc\<orgContext>\<source object name>. Note: uthsc is the name of my O and is the same for every user, which is why it lives in the rule rather than in the attribute value.

Publisher Command Transform:

<?xml version="1.0" encoding="UTF-8"?><policy>
	<rule>
		<description>Move: orgContext Changing</description>
		<conditions>
			<and>
				<if-op-attr name="orgContext" op="changing"/>
			</and>
		</conditions>
		<actions>
			<do-move-dest-object>
				<arg-dn>
					<token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">uthsc\</token-text>
					<token-attr name="orgContext"/>
				</arg-dn>
			</do-move-dest-object>
		</actions>
	</rule>
</policy>

This rule fires when an orgContext change arrives from the flat tree. Because the attribute is Notify on this channel, the new value is not written to the hierarchical object; the rule instead turns the attribute change into a move of the user into uthsc\<orgContext>.

Subscriber Event Transform:

<?xml version="1.0" encoding="UTF-8"?><policy>
	<rule>
		<description>Block: Renames, Adds, and Modifies</description>
		<conditions>
			<or>
				<if-operation op="equal">rename</if-operation>
				<if-operation op="equal">add</if-operation>
				<if-operation op="equal">modify</if-operation>
			</or>
			<or>
				<if-op-attr name="nspmDistributionPassword" op="not-available"/>
			</or>
		</conditions>
		<actions>
			<do-veto/>
		</actions>
	</rule>
</policy>

The two <or> groups in this rule's conditions are ANDed together, as is usual when a conditions element holds more than one group: any add, rename, or modify coming from the hierarchical tree is vetoed unless the event carries nspmDistributionPassword. Password changes made in the hierarchical tree therefore still reach the flat tree, while every other change flows only from the flat tree. Moves and deletes are not vetoed here; the Subscriber Command Transform below deals with moves, and the flat tree driver's Input Transform deals with deletes.

Subscriber Command Transform:

<?xml version="1.0" encoding="UTF-8"?><policy>
	<rule>
		<description>Move: Create orgContext Attribute Value</description>
		<conditions>
			<and>
				<if-class-name op="equal">User</if-class-name>
				<if-operation op="equal">move</if-operation>
			</and>
		</conditions>
		<actions>
			<!-- record the user's new container (below the tree name and the O, upper case)
			     in orgContext on the flat tree; the attribute is orgContext throughout, as in the other rules -->
			<do-set-dest-attr-value direct="true" name="orgContext">
				<arg-value type="string">
					<token-upper-case>
						<token-parse-dn length="-2">
							<token-src-dn start="2"/>
						</token-parse-dn>
					</token-upper-case>
				</arg-value>
			</do-set-dest-attr-value>
			<!-- marker that makes the move easy to find in the driver trace -->
			<do-trace-message color="brred">
				<arg-string>
					<token-text xml:space="preserve" xmlns:xml="http://www.w3.org/XML/1998/namespace">**************************************************************************************************************************************************</token-text>
				</arg-string>
			</do-trace-message>
			<!-- the flat tree stays flat: the move itself is not sent -->
			<do-veto/>
		</actions>
	</rule>
</policy>

When a user is moved within the hierarchical tree, this rule writes the user's new container path (upper case, without the tree name and the O) directly into orgContext on the flat tree and then vetoes the move itself, so the flat tree stays flat but records where the user now lives. The trace message is only a marker that makes the event easy to spot in the driver trace.
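The Publisher Matching, Placement and Command Transform rules and the Subscriber Command Transform above all rest on the same DN arithmetic: parse-dn with start="2" and length="-2" on a slash-format DN yields the container path below the O, and the reverse concatenation uthsc\<orgContext>\<name> produces the placement or move target. The Python below is an added example, not code from the article or from IDM; it re-implements those token computations so the policies can be sanity-checked offline, and it adds the input check a practitioner would want on orgContext, since the value is operator supplied and is spliced into the destination DN verbatim. The tree name FLATTREE, every function name, the allow-list regex, and the conventions that the tree name is component 0 and that a negative length counts from the end are assumptions made here; confirm the index convention against a driver trace of a real event before relying on it.

```python
"""Offline model of the DN handling in the matching, placement, move and
subscriber command-transform rules.

Added example, not code from the article or from IDM. Assumptions not stated
on the page:
  * DNs are in IDM slash format with the tree name first, e.g.
    \\FLATTREE\\uthsc\\Medicine\\Cardiology\\jsmith (FLATTREE is a made-up name).
  * Component indices count the tree name as 0 and the O as 1, which is why
    the rules use start="2".
  * A negative parse-dn length counts from the end: -1 keeps everything,
    -2 drops the last component, and so on.
"""
from __future__ import annotations

import re

ORG = "uthsc"      # the O hard-coded in the page's placement and move rules
TREE = "FLATTREE"  # constructed tree name for the examples below

# Conservative allow-list for one OU name (an assumption of this model).
# Backslash is excluded so a value can never add, remove or escape a component.
RDN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._'-]*$")


def split_dn(dn: str) -> list[str]:
    """Split a slash-format DN into components, ignoring the leading '\\'."""
    return dn.lstrip("\\").split("\\")


def parse_dn(dn: str, start: int = 0, length: int = -1) -> str:
    """Emulate token-parse-dn with start/length on a slash-format DN."""
    parts = split_dn(dn)
    if start < 0:
        start += len(parts)
    end = len(parts) + length + 1 if length < 0 else start + length
    return "\\".join(parts[start:end])


def org_context_from_dn(dn: str) -> str:
    """What the matching rule and the subscriber command transform store in
    orgContext: the container path below the O, in upper case."""
    return parse_dn(dn, start=2, length=-2).upper()


def org_context_problem(value: str) -> str | None:
    """Return None if value is a usable relative OU path (OU\\OU\\OU), else a
    description of the problem. The attribute becomes part of the destination
    DN verbatim, so it is checked strictly before use."""
    if value == "":
        return "empty value"
    if value.startswith("\\") or value.endswith("\\"):
        return "must be relative: no leading or trailing backslash"
    for comp in value.split("\\"):
        if not RDN_RE.match(comp):
            return f"bad component {comp!r}"
    if value.upper().startswith(ORG.upper() + "\\"):
        return f"must not repeat the O {ORG!r}; the rules add it"
    return None


def placement_dn(org_context: str, src_name: str) -> str:
    """Publisher Placement: uthsc\\<orgContext>\\<source object name>."""
    problem = org_context_problem(org_context)
    if problem:
        raise ValueError(f"orgContext {org_context!r}: {problem}")
    return f"{ORG}\\{org_context}\\{src_name}"


def move_target(org_context: str) -> str:
    """Publisher Command Transform: container the user is moved into."""
    problem = org_context_problem(org_context)
    if problem:
        raise ValueError(f"orgContext {org_context!r}: {problem}")
    return f"{ORG}\\{org_context}"


def round_trips(org_context: str, src_name: str) -> bool:
    """True if the value the matching rule writes back for the placed user
    equals the operator's value, case apart."""
    dest = f"\\{TREE}\\{placement_dn(org_context, src_name)}"
    return org_context_from_dn(dest) == org_context.upper()


if __name__ == "__main__":
    print(placement_dn("MEDICINE\\CARDIOLOGY", "jsmith"))
    print(org_context_from_dn("\\FLATTREE\\uthsc\\Medicine\\Cardiology\\jsmith"))
    for bad in ("\\MEDICINE", "MEDICINE\\\\CARDIOLOGY", "uthsc\\MEDICINE", "MED=ICINE"):
        print(f"{bad!r}: {org_context_problem(bad)}")
```

Because the matching and move rules store the value in upper case, set it in upper case in the iManager task as well, so the value written back to the flat tree is identical to the one the task set. Anything that fails org_context_problem should be rejected before it is written to the attribute, since a leading backslash, an empty component or a repeated O would place the user somewhere other than intended.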

Usage

Create a task in iManager that populates the new attribute with the container path the user should be created in, in the form OU\OU\OU: relative to the O, without the tree name or the O itself, since the placement rule adds uthsc. Because this one attribute decides where a user is placed and moved in the hierarchical tree, restrict write rights on it to the administrators who run the task and to the driver objects; anyone who can write it can relocate a user.



© 2014 Novell