
AD Password Synch with IDM 3.5

Novell Cool Solutions: Tip


Posted: 23 May 2007

Problem

A Forum reader recently asked:

"I am having some issues with password synchronization with the Active Directory driver.

The scenario: In eDirectory I have a User container, and in Active Directory I have different OUs according to the department. The placement policy in the Active Directory driver places the users in respective OUs in the connected system.

I enabled the bidirectional Password Synchronization, and it is working fine between AD and eDirectory. But I want to synchronize the password only for a particular OU in AD. For example, with 3 OUs (X,Y,Z) in the AD system, I want to synchronize the password only for the users under the container Y, and the passwords for the users under the OUs X and Z should not get synchronized.

I heard there is a way in IDM 3.5 to enable OU-level password synchronization ..."

And here's the response from Father Ramon ...

Solution

There are a number of ways that policies can be parameterized so they can be driven by data outside of the policies. The exact details of how you would do it are going to depend greatly on the exact details of what you are trying to accomplish. There are a number of enhancements in IDM 3.5 that simplify common types of access to external data as well as simplify the use of that data.

The new IDM 3.5 features that may be useful to you are:

  • Variable expansion in static parameters
  • Mapping Tables
  • Nested If-then-else
  • While Loops
  • Resolve token
  • XML Parse token
  • Document token

Here's how I think I would do it:

1. Define a GCV of type "list" to hold the list of containers that should have passwords synchronized:

<configuration-values>
   <definitions>
     <definition display-name="Password Sync AD Containers" name="pwd-sync-containers" type="list">
       <description>Containers in AD where password sync is allowed</description>
       <value>
         <item>dc=com,dc=novell,ou=Sales</item>
         <item>dc=com,dc=novell,ou=Support</item>
       </value>
     </definition>
   </definitions>
</configuration-values>

2. Add a policy like the following to the end of the subscriber command transformation.

<policy>
   <rule>
     <description>
       Filter Password Sync on Destination Container
     </description>
     <conditions>
       <and>
         <!-- Applies to every event carrying a password: an add with a password and a modify-password -->
         <if-password op="available" />
       </and>
     </conditions>
     <actions>
       <!-- A modify-password carries only an association, so resolve it to the AD DN before checking the container -->
       <do-if>
         <arg-conditions>
           <and>
             <if-operation mode="case" op="equal">modify-password</if-operation>
             <if-dest-dn op="not-available" />
           </and>
         </arg-conditions>
         <arg-actions>
           <do-set-op-dest-dn>
             <arg-dn>
               <token-resolve datastore="dest">
                 <arg-association>
                   <token-association />
                 </arg-association>
               </token-resolve>
             </arg-dn>
           </do-set-op-dest-dn>
         </arg-actions>
       </do-if>
       <!-- If the destination DN is under any listed container, do-break ends this rule and the password goes through -->
       <do-for-each>
         <arg-node-set>
           <token-global-variable name="pwd-sync-containers" />
         </arg-node-set>
         <arg-actions>
           <do-if>
             <arg-conditions>
               <and>
                 <if-dest-dn op="in-subtree">$current-node$</if-dest-dn>
               </and>
             </arg-conditions>
             <arg-actions>
               <do-break />
             </arg-actions>
           </do-if>
         </arg-actions>
       </do-for-each>
       <!-- Otherwise veto a modify-password, or (else branch) strip the password from an add -->
       <do-if>
         <arg-conditions>
           <and>
             <if-operation mode="case" op="equal">modify-password</if-operation>
           </and>
         </arg-conditions>
         <arg-actions>
           <do-veto />
         </arg-actions>
         <arg-actions>
           <do-strip-xpath expression="password" />
         </arg-actions>
       </do-if>
     </actions>
   </rule>
</policy>

3. Add a policy like the following to the publisher event transformation:

<policy>
   <rule>
     <description>Filter Password Sync on Source Container</description>
     <conditions>
       <and>
         <if-operation mode="case" op="equal">modify-password</if-operation>
       </and>
     </conditions>
     <actions>
       <do-for-each>
         <arg-node-set>
           <token-global-variable name="pwd-sync-containers" />
         </arg-node-set>
         <arg-actions>
           <do-if>
             <arg-conditions>
               <and>
                 <if-src-dn op="in-subtree">$current-node$</if-src-dn>
               </and>
             </arg-conditions>
             <arg-actions>
               <do-break />
             </arg-actions>
           </do-if>
         </arg-actions>
       </do-for-each>
       <do-veto />
     </actions>
   </rule>
</policy>
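Below is an added Python model of what the two policies above decide for a given event (pass, veto or strip); it is not DirXML-Script and not part of Father Ramon's response, but lets you check the expected outcome per container before deploying the policies. It assumes the AD driver's leaf-first LDAP DN format, a constructed container list standing in for the GCV, and a constructed association-to-DN map standing in for the Resolve token.

```python
# Model of the subscriber command transformation (step 2) and publisher
# event transformation (step 3) filters. Assumptions: DNs are LDAP format,
# leaf first, without escaped commas; container list and association map
# are constructed sample data, not values from a real driver.

def parse_dn(dn):
    """Split an LDAP DN into lower-cased RDNs, leaf first."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_subtree(dn, container):
    """True if dn is the container itself or lies anywhere beneath it,
    compared RDN by RDN from the root (case-insensitive, as AD is)."""
    d, c = parse_dn(dn), parse_dn(container)
    return len(d) >= len(c) and d[-len(c):] == c

# Constructed stand-in for the "pwd-sync-containers" GCV list.
PWD_SYNC_CONTAINERS = ["ou=Sales,dc=novell,dc=com", "ou=Support,dc=novell,dc=com"]

# Constructed association -> AD DN map, standing in for token-resolve.
ASSOCIATIONS = {"guid-1": "cn=alice,ou=Sales,dc=novell,dc=com",
                "guid-2": "cn=bob,ou=Finance,dc=novell,dc=com"}

def subscriber_command_xform(event):
    """Step 2: 'pass', 'veto' (modify-password) or 'strip' (add)."""
    if "password" not in event:
        return "pass"                      # rule condition: password available
    dest_dn = event.get("dest_dn")
    if event["op"] == "modify-password" and dest_dn is None:
        dest_dn = ASSOCIATIONS.get(event.get("association"))  # resolve token
    # An unresolvable DN matches no container, so the password never leaves.
    if dest_dn and any(in_subtree(dest_dn, c) for c in PWD_SYNC_CONTAINERS):
        return "pass"                      # do-break: leave the rule
    return "veto" if event["op"] == "modify-password" else "strip"

def publisher_event_xform(event):
    """Step 3: 'pass' or 'veto' for a password change coming from AD."""
    if event["op"] != "modify-password":
        return "pass"
    if any(in_subtree(event["src_dn"], c) for c in PWD_SYNC_CONTAINERS):
        return "pass"
    return "veto"
```

Nested OUs such as `ou=West,ou=Sales,...` pass because the comparison is a suffix match on the RDN list, which is what in-subtree means.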


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell