ILM2007 Password Extension in C#
-
Thursday, February 16, 2012 4:14 PM
I am new to ILM and I am working on syncing passwords. I have followed the "Creating Password Extensions" help documentation for ILM 2007 and created a .dll file that implements ChangePassword and SetPassword. But after writing the file and placing it under the bin directory I don't know what to do next so that it will trigger that code.
What should I do next so that whenever AD change occurs it will trigger the .dll methods?
Should I create a Management Agent to configure this? In the very first step I don't know which type of MA I should create.
There is only one option at the end to add a .dll to an MA. Should I create an Active Directory MA for this purpose?
Mitul P. Suthar Web Developer and Database Analyst http://www.bsintelligence.wordpress.com
All Replies
-
Thursday, February 16, 2012 4:51 PM
See http://technet.microsoft.com/en-us/library/cc720654%28WS.10%29.aspx for most of the information you'll need.
Assuming you are receiving the passwords from AD and sending them out to some other connected data source (if another AD is the target you wouldn't have to write your own extension), here are some of the high-level steps:
1. Install PCNS on every DC in the domain.
2. Configure PCNS for the domain.
3. Enable password synchronization in ILM (Tools-->Options...).
4. Create an ADMA if you don't already have one. When using PCNS, I think it is recommended you have only one AD MA per forest.
5. In the AD MA Properties, in "Configure Directory Partitions", enable the partition as a source and then select your Target(s).
6. On your target MA(s), in properties go to the "Configure Extensions" tab and enable password management.
I highly recommend elevating the logging level when implementing PCNS, especially while testing and troubleshooting. See http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-pcns.aspx for more info.
I hope this helps.
Chris
- Marked As Answer by Mitul Suthar Thursday, February 16, 2012 6:46 PM
- Unmarked As Answer by Mitul Suthar Thursday, February 16, 2012 7:36 PM
- Marked As Answer by Mitul Suthar Thursday, February 16, 2012 8:05 PM
-
Thursday, February 16, 2012 5:19 PM
Thanks for replying.
The other CDS is not an AD target. What I am trying to do is: whenever a password changes in one AD, it should change in another system through a web API, and in order to interact with that a custom .dll is created. So what would be the best way to do this?
The web API for changing password accepts UserDN and Password.
-
Thursday, February 16, 2012 7:37 PM
What I am trying to do is whenever in one AD, if password changes it should change in another system through web API
I see you marked the answer after replying, but in case you're still having trouble...
That other system would need to be a connected data source in ILM and you'll have to make it a target. I guess I missed a step between 4 and 5 in my list...create an MA for your other system if you don't already have it.
In order to pass the password from AD to your other system through ILM, you need to have the AD object and the object from your other system joined to the same metaverse object. The password from AD is "received in" the AD MA, and then "passed out" through the password extension for your other MA. In the password extension for the other MA you make the call to your web API, not a password extension for AD.
If you can't import objects from that other system in some kind of MA and join them to the existing objects, you'd be better off sending users to a web application where they change the password and have your application write the password to AD and your other system at the same time.
Chris
- Marked As Answer by Mitul Suthar Thursday, February 16, 2012 8:05 PM
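The flow Chris describes (password received in the AD MA via PCNS, passed out through the password extension of the MA for the other system, which is where the web API call belongs) maps onto the IMAPasswordManagement interface that ILM 2007 loads from the target MA's extension DLL. The following is an added illustration, not code from the thread or from Microsoft's documentation; the class name, the "/setpassword" endpoint, the form-encoded UserDN/Password body, basic-auth credentials, and the use of the connector-space DN as the UserDN value are all assumptions about a hypothetical web API.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;
using Microsoft.MetadirectoryServices;

// Hypothetical password extension for the target (non-AD) MA.
// The sync engine calls this class for the connector-space object that is
// joined to the same metaverse object as the AD user whose password changed.
// Select the assembly on the target MA's "Configure Extensions" tab and
// enable password management there.
public class WebApiPasswordExtension : IMAPasswordManagement
{
    private string _baseUrl;   // assumption: "Connect to" holds the API base URL
    private string _user;
    private string _apiPassword;

    // Called once before a batch of password operations; values come from
    // the connection settings configured on the MA.
    public void BeginConnectionToServer(string connectTo, string user, string password)
    {
        _baseUrl = connectTo;
        _user = user;
        _apiPassword = password;
    }

    public void EndConnectionToServer()
    {
        _baseUrl = null;
        _user = null;
        _apiPassword = null;
    }

    // A PCNS notification arrives in ILM as a password "set" (reset) and is
    // routed here; there is no old password to forward.
    public void SetPassword(CSEntry csentry, string NewPassword)
    {
        PushPassword(csentry, NewPassword);
    }

    // Only reached when the source supplies the old password; the API in the
    // thread takes just UserDN and Password, so the old value is not sent.
    public void ChangePassword(CSEntry csentry, string OldPassword, string NewPassword)
    {
        PushPassword(csentry, NewPassword);
    }

    private void PushPassword(CSEntry csentry, string newPassword)
    {
        if (_baseUrl == null)
            throw new PasswordExtensionException("BeginConnectionToServer was not called");
        if (!_baseUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new PasswordExtensionException("Refusing to send a password over a non-HTTPS URL");

        // Assumption: the API wants the DN of the object in this MA's connector space.
        string userDn = csentry.DN.ToString();
        string body = "UserDN=" + Uri.EscapeDataString(userDn)
                    + "&Password=" + Uri.EscapeDataString(newPassword);
        byte[] payload = Encoding.UTF8.GetBytes(body);

        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(_baseUrl.TrimEnd('/') + "/setpassword");
        req.Method = "POST";
        req.ContentType = "application/x-www-form-urlencoded";
        req.ContentLength = payload.Length;
        req.Credentials = new NetworkCredential(_user, _apiPassword);
        req.Timeout = 30000;

        try
        {
            using (Stream s = req.GetRequestStream())
                s.Write(payload, 0, payload.Length);

            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
            {
                // Any non-200 answer is reported back to the sync engine, which
                // records the failure in the run history / Application event log.
                if (resp.StatusCode != HttpStatusCode.OK)
                    throw new PasswordExtensionException(
                        "Password API returned " + (int)resp.StatusCode + " for " + userDn);
            }
        }
        catch (WebException ex)
        {
            // Never include the password in the exception text; it ends up in the event log.
            throw new PasswordExtensionException(
                "Password API call failed for " + userDn + ": " + ex.Message);
        }
    }
}
```

Two practical points: the exception text is what shows up in the Application event log and the PCNS troubleshooting output, so it should carry the DN and status but never the password; and because ILM calls SetPassword for PCNS-originated changes, the web API has to accept an administrative reset without the old password, which is why both interface methods funnel into the same call.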
-
Thursday, February 16, 2012 7:56 PM
This was the most helpful answer I was expecting. Actually I was stuck following the above answer at a point and searched a lot. I even read all the documentation you provided. Thanks for that too. But I couldn't find a solution to what I was trying to do.
This is where I stumbled: in the very next step of creating an MA it is asking me what type of MA to create. I have this goofy system where it only talks through a web API, and I don't know which type to select. It would talk only through this .dll I have created. Should I just create another AD MA type for this purpose? And at the end, during step 6, I should provide my ".dll" file and enable password management, if I am correct.
Again thanks for answering and sorry for unmarking the answer.
Mitul
-
Thursday, February 16, 2012 8:15 PM
If your web API will let you read out the information for your users, you could build an eXtensible MA that imports your users into ILM. If they don't change a lot and you have a way of extracting a list of the users in that system (again, possibly through that same web API if you don't like the XMA idea), you could use a File MA and have a process that drops the updated file listing your users into the MaData\OtherMA subfolder on your ILM server. You could then schedule an import of the file and sync them that way.
I use XMAs to create home folders and manage Lync users. I based my first one off of Carol's example.
Chris
-
Thursday, February 16, 2012 8:55 PM
If your web API will let you read out the information for your users, you could build an eXtensible MA that imports your users into ILM. {.................................}
I use XMAs to create home folders and manage Lync users. I based my first one off of Carol's example.
Chris
Extensible MA is exactly the thing I was looking for. Best. And Carol's example really helped. Thanks again.
The description for Extensible MA is this:
"With this MA, you can sync or manage passwords in a CDS by developing CDSX and pwd extensions (which I needed). See Developer Reference for more information."
The Developer Reference documentation is not obvious. In fact I looked over those words but didn't realize that Extensible MA was actually a type you can pick when you create an MA.