Novell Cool Solutions

Creating an eDirectory User based on ADS Group Membership

By: coolguys

October 31, 2007 12:13 pm


Problem

A Forum reader recently asked:

“My goal is to create a User in eDirectory based on a specific ADS (W2K3) GroupMembership. The problem: the Member “Attribute” in ADS is just a Query, not an Attribute. Therefore, if a User becomes a Member of a Group, there is no REAL Attribute at the User Side which changes, so NO event happens at the UserSide. The only visible Event is the one at the GroupSide.

It would be nice if the User were deleted from eDirectory. I don’t mind if this is done through the similar EDIR Group, as we could handle this event from the eDir side. The GroupMembership is removed at eDir side as well, so this should not be a problem to handle at this stage – remove the User from eDirectory, not just its membership.”

And here’s the response from Father Ramon …

Solution

Starting with a generic IDM 3.5 install of the AD driver:

1. Add Group Membership to the filter for User.

<!-- Publish Group Membership (mapped from AD memberOf) into eDirectory, but never
     write it back to AD; merge-authority="app" makes AD win if values are merged. -->
<filter-attr attr-name="Group Membership" merge-authority="app"
             publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>

2. Add this at the beginning of the Input Transform:

<!-- Input Transform (publisher channel, still in the AD namespace): when the
     member attribute of the controlling group changes, generate a <modify> on
     every user named in the event that adds the group to its memberOf. -->
<rule>
  <description>Trigger Reevaluation of SyncGroup members when membership changes</description>
  <conditions>
   <and>
    <if-class-name mode="nocase" op="equal">group</if-class-name>
    <if-src-dn op="equal">CN=SyncGroup,CN=Users,DC=my,DC=org</if-src-dn>
    <if-op-attr name="member" op="changing"/>
   </and>
  </conditions>
  <actions>
   <!-- one pass per member value carried by the current operation -->
   <do-for-each>
    <arg-node-set>
     <token-op-attr name="member"/>
    </arg-node-set>
    <arg-actions>
     <!-- target the user through the association the engine attached to the value -->
     <do-add-dest-attr-value class-name="user" name="memberOf">
      <arg-association>
       <token-xpath expression="$current-node/@association-ref"/>
      </arg-association>
      <arg-value type="string">
       <token-text xml:space="preserve">People\SyncGroup</token-text>
      </arg-value>
     </do-add-dest-attr-value>
     <!-- ../modify[last()] is the <modify> just generated above; giving it a
          src-dn lets the engine query AD for a user that is not associated yet -->
     <do-set-xml-attr expression="../modify[last()]" name="src-dn">
      <arg-string>
       <token-local-variable name="current-node"/>
      </arg-string>
     </do-set-xml-attr>
    </arg-actions>
   </do-for-each>
  </actions>
</rule>

3. Add this to the beginning of the Matching Policy on the Publisher Channel:

<!-- Publisher Matching: a user that is not a member of the controlling group
     is vetoed here, so it is never matched or created in eDirectory. -->
<rule>
  <description>veto users that are not members of the sync group</description>
  <conditions>
   <and>
    <if-class-name mode="nocase" op="equal">User</if-class-name>
    <if-attr mode="dest-dn" name="Group Membership" op="not-equal">People\SyncGroup</if-attr>
   </and>
  </conditions>
  <actions>
   <do-veto/>
  </actions>
</rule>

4. Add this to the beginning of the Command Transform on the Publisher Channel:

<!-- Publisher Command Transform (after schema mapping, so eDirectory names):
     each member removed from the controlling group loses its association and
     the eDirectory user itself is deleted, not just the membership. -->
<rule>
  <description>Delete Users who are being removed from SyncGroup</description>
  <conditions>
   <and>
    <if-dest-dn op="equal">People\SyncGroup</if-dest-dn>
   </and>
  </conditions>
  <actions>
   <!-- one pass per value removed from Member in the current operation -->
   <do-for-each>
    <arg-node-set>
     <token-removed-attr name="Member"/>
    </arg-node-set>
    <arg-actions>
     <do-remove-association>
      <arg-association>
       <token-resolve datastore="dest">
        <arg-dn>
         <token-local-variable name="current-node"/>
        </arg-dn>
       </token-resolve>
      </arg-association>
     </do-remove-association>
     <do-delete-dest-object class-name="User">
      <arg-dn>
       <token-local-variable name="current-node"/>
      </arg-dn>
     </do-delete-dest-object>
    </arg-actions>
   </do-for-each>
  </actions>
</rule>

The controlling Group in AD is CN=SyncGroup,CN=Users,DC=my,DC=org and is associated and synchronized with People\SyncGroup in eDirectory. The policies will have to be edited to include the actual DNs of the groups in your systems.

If at all possible, enable the new “DirSync Incremental Values” option available in the latest patch of the AD driver. This allows the member attribute to report the actual change instead of remove-all-values followed by an add of all remaining values. You can find this patch at:

https://download.novell.com/Download?buildid=TNph2gRCLWA~

Without this, every time someone is added or removed from the group, every single user that remains in the group will be re-evaluated.
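To see how the four steps fit together, here is an added Python simulation; it is not part of Father Ramon's post and not code from the IDM AD driver. It parses constructed XDS `<modify>` events for the controlling group, in both the incremental DirSync form (explicit remove-value/add-value) and the remove-all-values form, and lists the eDirectory actions the three rules would produce. The group DNs are the ones from the post; the user DNs, the sample events and the association table are assumed sample values.

```python
"""Added example (not from the Cool Solutions post or the IDM AD driver):
simulate how the Input Transform, Matching and Command Transform rules above
react to a <modify> of the controlling AD group.  All user DNs, the sample
events and the association table are constructed for illustration."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

CONTROL_GROUP_AD = "CN=SyncGroup,CN=Users,DC=my,DC=org"   # from the post
CONTROL_GROUP_EDIR = "People\\SyncGroup"                   # from the post


@dataclass
class MemberChange:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    remove_all: bool = False   # True for the non-incremental DirSync form


def parse_member_change(xds: str, group_dn: str = CONTROL_GROUP_AD) -> MemberChange:
    """Pull member add/remove values out of a publisher <modify> on the
    controlling group; other classes, groups and attributes are ignored,
    mirroring the conditions of the Input Transform rule."""
    change = MemberChange()
    for mod in ET.fromstring(xds).iter("modify"):
        if mod.get("class-name", "").lower() != "group" or mod.get("src-dn") != group_dn:
            continue
        for attr in mod.findall("modify-attr"):
            if attr.get("attr-name", "").lower() != "member":
                continue
            if attr.find("remove-all-values") is not None:
                change.remove_all = True
            change.removed += [v.text.strip() for v in attr.findall("remove-value/value")]
            change.added += [v.text.strip() for v in attr.findall("add-value/value")]
    return change


def plan_actions(change, associations, previous_members=None):
    """Turn a MemberChange into ordered (action, dn) tuples.

    associations: AD user DN -> eDirectory DN for users already associated
    (the engine's association table, modelled as a dict).  previous_members is
    the membership before the event; it is only needed for the
    remove-all-values form, which never names the members that left."""
    added, removed = list(change.added), list(change.removed)
    if change.remove_all:
        if previous_members is None:
            raise ValueError("remove-all-values needs the previous membership")
        removed = sorted(set(previous_members) - set(added))
    actions = []
    # Command Transform rule: each removed member loses its association and is
    # deleted from eDirectory, not just unlinked from the group.
    for ad_dn in removed:
        edir_dn = associations.get(ad_dn)
        if edir_dn is None:
            actions.append(("skip-unassociated", ad_dn))  # never synced; nothing to delete
            continue
        actions += [("remove-association", edir_dn), ("delete-user", edir_dn)]
    # Input Transform rule: every member value in the event becomes a modify on
    # that user adding memberOf.  An unassociated user has no target object, so
    # the engine queries AD and the user is created; the Matching rule lets it
    # through because it is now a member.
    for ad_dn in added:
        edir_dn = associations.get(ad_dn)
        actions.append(("add-group-membership", edir_dn) if edir_dn else ("create-user", ad_dn))
    return actions


# Constructed sample events in XDS shape (not captured from a real driver).
INCREMENTAL_EVENT = f"""<nds dtdversion="3.5"><input>
 <modify class-name="group" src-dn="{CONTROL_GROUP_AD}">
  <modify-attr attr-name="member">
   <remove-value><value type="string">CN=Bob,CN=Users,DC=my,DC=org</value></remove-value>
   <add-value><value type="string">CN=Carol,CN=Users,DC=my,DC=org</value></add-value>
  </modify-attr>
 </modify>
</input></nds>"""

NON_INCREMENTAL_EVENT = f"""<nds dtdversion="3.5"><input>
 <modify class-name="group" src-dn="{CONTROL_GROUP_AD}">
  <modify-attr attr-name="member">
   <remove-all-values/>
   <add-value>
    <value type="string">CN=Alice,CN=Users,DC=my,DC=org</value>
    <value type="string">CN=Carol,CN=Users,DC=my,DC=org</value>
   </add-value>
  </modify-attr>
 </modify>
</input></nds>"""

# Constructed association table: users already synced to eDirectory.
ASSOCIATIONS = {
    "CN=Alice,CN=Users,DC=my,DC=org": "People\\alice",
    "CN=Bob,CN=Users,DC=my,DC=org": "People\\bob",
}

if __name__ == "__main__":
    print(plan_actions(parse_member_change(INCREMENTAL_EVENT), ASSOCIATIONS))
    print(plan_actions(parse_member_change(NON_INCREMENTAL_EVENT), ASSOCIATIONS,
                       previous_members=set(ASSOCIATIONS)))
```

Both sample events describe the same real change (Bob leaves, Carol joins). With incremental values the plan is just Bob's removal and Carol's creation. With remove-all-values the simulation needs a snapshot of the earlier membership to find Bob at all, and it still emits an add-group-membership for Alice, who did not change: that extra pass per remaining member is the re-evaluation the post warns about, so enable the incremental option where you can.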


Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.
