Provisioning based on a Metaverse attribute

  • Question

  • Hi everyone,

    we are currently working on implementing FIM 2010 for synchronizing multiple LDAP and AD systems.
    Since we are only using the synchronisation engine without the FIM Portal, we built a small web app connected to a MSSQL database.

    Currently, we are looking at our LDAP:
    If an object is deleted directly in the LDAP (not through FIM), the connector object is also deleted in the connector space of the LDAP MA. While doing that, we are also setting an attribute called "ldapAccountActive" in the web app connector to "false", so we can tell if the identity managed through our web app has an account inside the LDAP directory. We do that through the MapAttributesForExport method in the extension for the web app MA:

    void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        switch (FlowRuleName)
        {
            case "setLdapActiveState":
                // Only flip the flag from true to false. Reading .BooleanValue on an
                // attribute that is not present throws, so check IsPresent first.
                if (csentry["ldapAccountActive"].IsPresent && csentry["ldapAccountActive"].BooleanValue)
                {
                    // No connector left in the LDAP MA means the LDAP account is gone.
                    if (mventry.ConnectedMAs["LDAP"].Connectors.Count == 0)
                    {
                        csentry["ldapAccountActive"].BooleanValue = false;
                    }
                }
                break;

            default:
                throw new EntryPointNotImplementedException();
        }
    }

    This part works without problems. If we run an export to the web app, we check if the identity has connectors in the LDAP and set the attribute.

    Our problem is with the provisioning. We have the following provisioning code in the MA extension:

    // Provision() entry point of the rules extension; the body below is the posted code.
    void IMVSynchronization.Provision(MVEntry mventry)
    {
        int Connectors = 0;
        CSEntry csentry;
        ReferenceValue DN;
        ConnectedMA ManagementAgent;

        ManagementAgent = mventry.ConnectedMAs["LDAP"];
        Connectors = ManagementAgent.Connectors.Count;

        // Provision only when the identity has no LDAP connector yet and the web app
        // flag says it should have an account. IsPresent guards against an unset
        // attribute, which would otherwise throw on .BooleanValue.
        if ((Connectors == 0)
            && mventry["ldapAccountActive"].IsPresent
            && (mventry["ldapAccountActive"].BooleanValue == true))
        {
            ValueCollection objectClassValues = Utils.ValueCollection(new String[] { "person", "inetOrgPerson", "organizationalPerson" });

            csentry = ManagementAgent.Connectors.StartNewConnector("inetOrgPerson");

            // Build the DN from the escaped serialNumber under the fixed user container.
            DN = ManagementAgent.EscapeDNComponent("cn=" + mventry["serialNumber"].Value).Concat("ou=Users,o=Company");
            csentry.DN = DN;

            csentry["objectclass"].Values = objectClassValues;
            csentry["cn"].Value = mventry["serialNumber"].Value;
            csentry["serialNumber"].Value = mventry["serialNumber"].Value;
            csentry["sn"].Value = mventry["lastName"].Value;
            csentry["givenName"].Value = mventry["firstName"].Value;

            csentry.CommitNewConnector();
        }
    }

    In provisioning, we determine whether a new account should be provisioned to the LDAP by two criteria:

    - does the identity managed through the web app have no connectors in the LDAP MA connector space?
    - is the "ldapAccountActive" state set to "true"?

    This works fine, as long as we create a new identity directly in the web app, project it to metaverse, set the "ldapAccountActive" state to "true" and run an export on the LDAP MA.

    If we now delete an account in the LDAP directory and run a full sync cycle (Export, Import, Sync) on the LDAP MA, the "ldapAccountActive" attribute is set correctly on the "csentry" of the web app MA. The problem is that at this moment the provisioning method is also triggered. Meaning that at that point in time the "csentry" is correct, but the "mventry" has not yet been set to the correct "ldapAccountActive" state, which we need to determine whether an LDAP account should be provisioned.

    What that means is:

    We delete an account in the LDAP and FIM immediately provisions a new one. This can only be stopped if we set the "ldapAccountActive" state to "false" through the web app. This is not what we want in our case. There has to be a way to delete an LDAP account either through the web app or through the LDAP directly.

    Is there a way to accomplish that?

    Thank you in advance. Sorry for the long text.

    Regards,

    Timo

    Friday, November 20, 2015 9:44 AM

All replies

  • As a workaround you can do, for example, the following:

    1. Create a new attribute in the MV, "AccountWasCreated" (boolean).
    2. Create an import of the constant "true" from the LDAP MA.
    3. Create an export of AccountWasCreated (do not allow null) to any attribute in your WebAppMA or any other MA (if there are more), and also an import of it back to AccountWasCreated.
    4. Make sure the LDAP MA has higher precedence in Metaverse Designer on the AccountWasCreated attribute.

    Now, in the if statement in your provisioning code, just check whether this attribute's value is other than true.

    How would this work?

    Once the account has been created, you update the status in the MV to store that information, and you also export it to the other system, so even if the LDAP connector is removed you can still see the suitable status in the MV (that the account was created previously). So the account won't be re-created then. And if you want it to be re-created, you have to delete this AccountWasCreated attribute's value from the WebAppMA.

    That's only one of the possible solutions, but it's a pretty simple one to implement :)


    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

    • Proposed as answer by FIM Indian Wednesday, November 25, 2015 7:50 AM
    Friday, November 20, 2015 2:04 PM
  • Hi Dominik,

    thanks for the response! We tried to implement it the way you described but didn't have any luck so far.
    Could you maybe explain it in a little more detail?

    Steps 1 and 2 are easy to understand, but what we don't understand yet are steps 3 and 4.
    Why the higher precedence in the LDAP MA? And what do you mean by "export to any attribute"?

    I think that this is the way to go, but we still don't understand the big picture of your solution. :)

    Thank you in advance!

    Regards,

    Timo

    Tuesday, November 24, 2015 7:55 AM
  • Hello Timo,

    Why the higher precedence in the LDAP MA?

    Just to be sure that this attribute gets set. If it were lower in precedence than your WebApp MA, you might encounter "Skipped: Attribute not precedent" during sync from LDAP.

    And what do you mean by "export to any attribute"?

    Pick or create a new attribute in your WebApp schema just to hold the "true" value once set. So just add one column named "AlreadyCreatedInLDAP" to the MSSQL database the WebApp agent is connected to, create an export (don't allow null values) from MV:AccountWasCreated to CS:AlreadyCreatedInLDAP, and an import with the same two attributes.


    • Proposed as answer by FIM Indian Wednesday, November 25, 2015 7:50 AM
    Tuesday, November 24, 2015 8:39 AM
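The workaround from the two replies above, carried into the Provision method posted in the question, as an added example that is not code from the thread. It assumes the MV attribute AccountWasCreated and the web app column AlreadyCreatedInLDAP named in the replies and the MA name "LDAP" from the question; the constant import flow, the export/import flows and the attribute precedence are configured in Synchronization Service Manager, not in this code.

```csharp
using System;
using Microsoft.MetadirectoryServices;

public class MVExtension : IMVSynchronization
{
    void IMVSynchronization.Initialize() { }
    void IMVSynchronization.Terminate() { }

    void IMVSynchronization.Provision(MVEntry mventry)
    {
        ConnectedMA ldap = mventry.ConnectedMAs["LDAP"];

        // Assumed MV attribute (from the reply): set to true by a constant import
        // flow on the LDAP MA, exported to the web app column AlreadyCreatedInLDAP
        // and imported back, so it survives the deletion of the LDAP connector.
        bool alreadyCreated = mventry["AccountWasCreated"].IsPresent
                              && mventry["AccountWasCreated"].BooleanValue;

        // The web app's wish: should this identity have an LDAP account at all?
        bool wantsAccount = mventry["ldapAccountActive"].IsPresent
                            && mventry["ldapAccountActive"].BooleanValue;

        // Connector present, account not wanted, or account existed before
        // (deleted directly in LDAP): nothing to provision. Clearing
        // AlreadyCreatedInLDAP in the web app re-enables provisioning.
        if (ldap.Connectors.Count > 0 || !wantsAccount || alreadyCreated)
        {
            return;
        }

        // Same attribute flow as in the original question.
        CSEntry csentry = ldap.Connectors.StartNewConnector("inetOrgPerson");
        csentry.DN = ldap.EscapeDNComponent("cn=" + mventry["serialNumber"].Value)
                         .Concat("ou=Users,o=Company");
        csentry["objectclass"].Values = Utils.ValueCollection(
            new string[] { "person", "inetOrgPerson", "organizationalPerson" });
        csentry["cn"].Value = mventry["serialNumber"].Value;
        csentry["serialNumber"].Value = mventry["serialNumber"].Value;
        csentry["sn"].Value = mventry["lastName"].Value;
        csentry["givenName"].Value = mventry["firstName"].Value;
        csentry.CommitNewConnector();
    }

    bool IMVSynchronization.ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }
}
```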