
Dynamic Groups and the RBE Driver

Novell Cool Solutions: Feature


Posted: 28 Feb 2007
 

Problem

A Forum reader recently asked:

"I would like to start deploying some "Dynamic Groups" in eDirectory to associate users based on department and/or specific attributes, then have those groups, and the users associated, synchronize to Active Directory. The desired outcome is to create the user and group in Active Directory and maintain the membership.

I have read that entitlements can help with this, but I am not comfortable enough with it to re-design our ID vault and AD driver. Is there a way I can do this without entitlements?"

And here's the response from Father Ramon ...

Solution

Using dynamic groups for anything related to IDM is extremely problematic because of how dynamic groups work. In particular:

1. There is no notification from eDirectory when a User becomes a member or ceases to be a member of a dynamic group.
2. You cannot tell if a User is a member of a dynamic group by querying the Group Membership attribute of a User.
3. Querying the effective value of the Member attribute of the dynamic group is recalculated every time it is read.

What this means is that for a driver to use dynamic groups to do anything, it has to monitor all the User attributes that could affect membership in the dynamic groups and recheck everything any time any of those attributes changes. This is something that is going to be extremely difficult to get right, but also happens to be exactly what the RBE driver does.

One way to use RBE to accomplish what you want without directly affecting your existing driver is not to use dynamic groups but rather to use static groups, whose membership is controlled by RBE and an entitlement on a loopback driver (see configuration below). Then you will have static groups that can be synchronized in any of your other drivers, but whose membership is kept up to date by RBE, based on dynamic criteria.

<driver-configuration dn="GroupEntitlementLoopback.DriverSet.novell" 
driver-set-dn="DriverSet.novell" name="GroupEntitlementLoopback">
  <attributes>
   <application-schema>
    <schema-def/>
   </application-schema>
   <configuration-manifest>
    <manifest>
     <capability name="entitlements"/>
    </manifest>
   </configuration-manifest>
   <global-config-values>
    <configuration-values>
     <definitions/>
    </configuration-values>
   </global-config-values>
   <driver-filter-xml>
    <filter>
     <filter-class class-name="User" publisher="sync" 
publisher-create-homedir="true" publisher-track-template-member="false" 
subscriber="sync">
      <filter-attr attr-name="DirXML-EntitlementRef" 
from-all-classes="true" merge-authority="edir" publisher="ignore" 
publisher-optimize-modify="true" subscriber="notify"/>
     </filter-class>
    </filter>
   </driver-filter-xml>
   <java-module 
value="com.novell.nds.dirxml.driver.loopback.LoopbackDriverShim"/>
   <driver-start-option value="1"/>
   <driver-cache-limit value="0"/>
   <shim-config-info-xml/>
   <driver-password-query/>
   <shim-auth-password-query/>
  </attributes>
  <children>
   <publisher name="Publisher">
    <attributes/>
    <children/>
   </publisher>
   <subscriber name="Subscriber">
    <attributes>
     <command-transformation-rule 
dn="EntitlementsCommandTransformation.Subscriber.GroupEntitlementLoopback.DriverSet.novell"/>
     <event-transformation-rule 
dn="EventTransformation.Subscriber.GroupEntitlementLoopback.DriverSet.novell"/>
    </attributes>
    <children>
     <rule name="EntitlementsCommandTransformation">
      <policy>
       <rule>
        <description>Check for group membership being granted or 
revoked</description>
        <conditions>
         <or>
          <if-operation op="equal">add</if-operation>
          <if-operation op="equal">modify</if-operation>
         </or>
        </conditions>
        <actions>
         <do-for-each>
          <arg-node-set>
           <token-removed-entitlement name="Groups"/>
          </arg-node-set>
          <arg-actions>
           <do-remove-src-attr-value name="Group Membership">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-remove-src-attr-value>
           <do-remove-src-attr-value name="Security Equals">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-remove-src-attr-value>
          </arg-actions>
         </do-for-each>
         <do-for-each>
          <arg-node-set>
           <token-added-entitlement name="Groups"/>
          </arg-node-set>
          <arg-actions>
           <do-add-src-attr-value name="Group Membership">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-add-src-attr-value>
           <do-add-src-attr-value name="Security Equals">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-add-src-attr-value>
          </arg-actions>
         </do-for-each>
         <do-veto/>
        </actions>
       </rule>
      </policy>
     </rule>
     <rule name="EventTransformation">
      <policy>
       <rule>
        <description>Veto any operation but add, modify, and 
sync</description>
        <conditions>
         <and>
          <if-operation op="not-equal">add</if-operation>
          <if-operation op="not-equal">modify</if-operation>
          <if-operation op="not-equal">sync</if-operation>
         </and>
        </conditions>
        <actions>
         <do-veto/>
        </actions>
       </rule>
       <rule>
        <description>Manufacture association if none available</description>
        <conditions>
         <and>
          <if-association op="not-available"/>
         </and>
        </conditions>
        <actions>
         <do-set-local-variable name="assoc">
          <arg-string>
           <token-src-attr name="GUID"/>
          </arg-string>
         </do-set-local-variable>
         <do-add-association>
          <arg-dn>
           <token-src-dn/>
          </arg-dn>
          <arg-association>
           <token-local-variable name="assoc"/>
          </arg-association>
         </do-add-association>
         <do-set-op-association>
          <arg-association>
           <token-local-variable name="assoc"/>
          </arg-association>
         </do-set-op-association>
        </actions>
       </rule>
      </policy>
     </rule>
    </children>
   </subscriber>
   <entitlement-definition name="Groups">
    <entitlement conflict-resolution="union" description="Groups in 
Identity Vault" display-name="Identity Vault Groups" name="Group">
     <values>
      <query-app>
       <query-xml>
        <nds dtd-version="2.0">
         <input>
          <query class-name="Group" scope="subtree">
           <search-class class-name="Group"/>
           <read-attr attr-name="Description"/>
           <read-attr attr-name="CN"/>
          </query>
         </input>
        </nds>
       </query-xml>
       <result-set>
        <display-name>
         <token-attr attr-name="CN"/>
        </display-name>
        <description>
         <token-attr attr-name="Description"/>
        </description>
        <ent-value>
         <token-src-dn/>
        </ent-value>
       </result-set>
      </query-app>
     </values>
    </entitlement>
   </entitlement-definition>
  </children>
  <global-config-values>
   <configuration-values>
    <definitions/>
   </configuration-values>
  </global-config-values>
</driver-configuration>
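As an added illustration (not part of Father Ramon's answer or the driver configuration above), the Python below simulates what the EntitlementsCommandTransformation rule derives from one subscriber-channel modify event: granted entitlement payloads become Group Membership and Security Equals values to add, revoked ones become values to remove, and the command itself is vetoed. The XDS event, the Path-syntax layout of DirXML-EntitlementRef values (nameSpace as state with 1 = granted and 0 = revoked, volume as the entitlement DN, path as a `<ref><param>…</param></ref>` payload) and the entitlement DN are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Entitlement DN as the loopback driver above would create it (assumed form).
ENTITLEMENT_DN = "Groups.GroupEntitlementLoopback.DriverSet.novell"

# Constructed sample event: RBE granted Sales and revoked Marketing for one user.
# Value layout (nameSpace/volume/path components) is an assumption for this example.
SAMPLE_EVENT = """<nds dtd-version="2.0"><input>
<modify class-name="User" src-dn="\\\\TREE\\\\novell\\\\Users\\\\jdoe">
 <modify-attr attr-name="DirXML-EntitlementRef">
  <add-value>
   <value type="structured">
    <component name="nameSpace">1</component>
    <component name="volume">Groups.GroupEntitlementLoopback.DriverSet.novell</component>
    <component name="path">&lt;ref&gt;&lt;param&gt;Sales.novell&lt;/param&gt;&lt;/ref&gt;</component>
   </value>
   <value type="structured">
    <component name="nameSpace">0</component>
    <component name="volume">Groups.GroupEntitlementLoopback.DriverSet.novell</component>
    <component name="path">&lt;ref&gt;&lt;param&gt;Marketing.novell&lt;/param&gt;&lt;/ref&gt;</component>
   </value>
  </add-value>
 </modify-attr>
</modify></input></nds>"""

def _entitlement_values(modify_attr):
    """Yield (state, entitlement_dn, payload) for each added structured value."""
    for add in modify_attr.findall("add-value"):
        for value in add.findall("value"):
            comp = {c.get("name"): (c.text or "") for c in value.findall("component")}
            payload = ET.fromstring(comp["path"]).findtext("param")
            yield int(comp["nameSpace"]), comp["volume"], payload

def derive_src_changes(xds_event):
    """Mirror the command transformation: collect the group DNs to add to /
    remove from Group Membership and Security Equals, then veto the command."""
    modify = ET.fromstring(xds_event).find("./input/modify")
    if modify is None or modify.get("class-name") != "User":
        return {"add": [], "remove": [], "veto": False}
    changes = {"add": [], "remove": [], "veto": True}
    for attr in modify.findall("modify-attr"):
        if attr.get("attr-name") != "DirXML-EntitlementRef":
            continue
        for state, ent_dn, group_dn in _entitlement_values(attr):
            if ent_dn != ENTITLEMENT_DN:
                continue  # some other driver's entitlement; not ours to act on
            changes["add" if state == 1 else "remove"].append(group_dn)
    return changes

if __name__ == "__main__":
    print(derive_src_changes(SAMPLE_EVENT))
```

The real rule also fires on add events and writes both attributes back to eDirectory with do-add-src-attr-value / do-remove-src-attr-value; this simulation only reports what those writes would be.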



© 2014 Novell