Announcing General Availability of PowerShell Connector and Release Candidate of Generic SQL and SAP Roles/Users

  • General discussion

  • The FIM team is pleased to announce the availability of some additional Connectors for FIM2010R2.

    General Availability of PowerShell Connector

    The PowerShell Connector can be used to communicate with a system through PowerShell scripts. This allows an easy and flexible way to communicate with other systems but also to pre-/post-process data and files before they are handed over to the FIM Synchronization Service. We believe the community will help provide scripts for this Connector for various systems and will open a place where scripts can be published for reuse.

    TechNet docs: http://go.microsoft.com/fwlink/?LinkID=393057

    Download: http://go.microsoft.com/fwlink/?LinkID=393056

    Release Candidate of Generic SQL Connector

    The Generic SQL Connector will allow you to connect to any database where you have an ODBC driver available. It enables new features compared to the built-in MA such as support for Stored Procedures, running SQL scripts, built-in delta import support, import multiple object types, connect to multiple tables, and much more. This Connector is built on ECMA2.3 which allows schema discoverability to be customized in the Sync Engine UI. A pre-release of the next Sync Engine hotfix is included with the Connector download and is required for the Connector to work.

    Download: https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52652

    Release Candidate of SAP Users and Roles/Groups

    The updated SAP templates for Users and Roles/Groups allow you to manage Users, Roles, and Groups in SAP. This also includes password sync for Users to SAP. The Connector will make sure roles are represented as groups to make it possible to manage these with BHOLD. This template will require the previously published WebService Connector: http://go.microsoft.com/fwlink/?LinkID=235883.

    Download: https://connect.microsoft.com/site433/Downloads/DownloadDetails.aspx?DownloadID=52651

    If you have participated in any other Connector preview program, you will have access to the Release Candidate downloads. If you have not participated before, then to get access to the preview programs on Connect, either join the program “Identity and Access Management”, “FIM Synchronization Service Connectors Pre-release” on http://connect.microsoft.com/directory or follow this link: http://connect.microsoft.com/site433/SelfNomination.aspx?ProgramID=6709&pageType=1

    We have also published an update to the Generic LDAP Connector adding support for some additional LDAP directories, see http://support.microsoft.com/kb/2936070/. If you have additional LDAP directories you think we should support, please feel free to contact me.

                    On behalf of the FIM Sync team,

                    /Andreas Kjellman

    Friday, March 14, 2014 1:09 AM

All replies

  • Hi Andreas,

    We've been using the OpenLDAPXMA to be able to connect to ACF2 CA-LDAP (from Computer Associates) running on an IBM Z-OS Mainframe System. We've been using it for password synchronization since 2004 on MIIS. Today it's still used via the OpenLDAPXMA (64bit) on FIM 2010 R2.

    We had to tweak the password management component in the OpenLDAPXMA to support the error messages we get from the ACF2 System, as we support a multi-master password setup between Mainframe and Active Directory (one can change the password on MF and/or on Windows).
    For example: "LDP0406E ACF2 error modifying lid(ACF00155 NEW PASSWORD CANNOT BE THE SAME AS CURRENT PASSWORD)".

    Additionally, we cannot get the delta import to work with the CA-LDAP; there's no capability in it, and we tried to use the time attribute in the query for recent changes, but it does not work. (I think we need it in a large integer format or Unix time integer.)

    Would be great to have Microsoft's support in this :)

    Kind regards,
    David Burghgraeve 
    PS: We are going to try this MA to connect to an Oracle LDAP implementation in our company! Thanks!

    Tuesday, March 18, 2014 8:09 AM
  • On Tue, 18 Mar 2014 08:09:43 +0000, David Burghgraeve wrote:

    We've been using the OpenLDAPXMA to be able to connect to ACF2 CA-LDAP (from Computer Associates) running on an IBM Z-OS Mainframe System. We've been using it for password synchronization since 2004 on MIIS. Today it's still used via the OpenLDAPXMA (64bit) on FIM 2010 R2.

    We had to tweak the password management component in the OpenLDAPXMA to support the error messages we get from the ACF2 System, as we support a multi-master password setup between Mainframe and Active Directory (one can change the password on MF and/or on Windows). For example: "LDP0406E ACF2 error modifying lid(ACF00155 NEW PASSWORD CANNOT BE THE SAME AS CURRENT PASSWORD)".

    Additionally, we cannot get the delta import to work with the CA-LDAP; there's no capability in it, and we tried to use the time attribute in the query for recent changes, but it does not work. (I think we need it in a large integer format or Unix time integer.)

    Would be great to have Microsoft's support in this :)

    In a case like this where your follow-up has nothing to do with the
    original post you should create a new thread.

    Having said that, neither of the MAs to which you refer are official
    Microsoft MAs and as such there is no support from Microsoft available.

    Also, keep in mind that the ECMA1/XMA extensibility framework has been
    deprecated and replaced by the ECMA 2.0. You should plan on replacing
    existing ECMA1 management agents with ECMA2.0 connectors.


    Paul Adare - FIM CM MVP
    "It's 106 light-years to Chicago, we've got a full chamber of anti-matter,
    a half a pack of cigarettes, it's dark, and we're wearing visors."
    "Hotsync." -- Paul Tomblin & Peter da Silva

    Tuesday, March 18, 2014 8:20 AM
  • Hi Paul,

    It was in the context of Andreas mentioning:

    "If you have additional LDAP directories you think we should support, please feel free to contact me."

    I do keep the deprecation in mind; I hope the guys from OpenLDAPXMA write an ECMA2.0 version, otherwise I'll have big problems.

    Tuesday, March 18, 2014 8:31 AM
  • On Tue, 18 Mar 2014 08:31:10 +0000, David Burghgraeve wrote:

    It was in the context of Andreas mentioning:


    "If you have additional LDAP directories you think we should support, please feel free to contact me."

    Right, but that was in the context of adding support to the Microsoft
    developed and supplied Generic LDAP connector. It seemed to me from your
    post that you were asking for support from Microsoft for 2 3rd party MAs.


    Paul Adare - FIM CM MVP
    You're never alone with a news spool.

    Tuesday, March 18, 2014 8:38 AM
  • On Tue, 18 Mar 2014 08:09:43 +0000, David Burghgraeve wrote:

    We had to tweak the password management component in the OpenLDAPXMA to support the error messages we get from the ACF2 System, as we support a multi-master password setup between Mainframe and Active Directory (one can change the password on MF and/or on Windows). For example: "LDP0406E ACF2 error modifying lid(ACF00155 NEW PASSWORD CANNOT BE THE SAME AS CURRENT PASSWORD)".

    As I'm sure you're aware, PCNS does not support password changes from
    multiple sources, all password changes must come from a single source.


    Paul Adare - FIM CM MVP
    Emacs is a nice operating system, but I prefer UNIX. - Tom Christiansen

    Tuesday, March 18, 2014 8:39 AM
  • Yes, I'm aware that PCNS does not support changes from multiple sources, but we've managed to set it up this way: FIM for AD --> MF, MF --> AD via CA its LDS on ACF2, and it works very well (no issues since we've started doing it for 30.000 users). If one wants, I can go into detail, contact me ;)

    No, I was asking to support the CA-LDAP on Z/OS in the Microsoft-released Generic LDAP Connector.

    I was just sharing additional insights and information on how we're doing complex things (8 MAs connecting to Oracle DBs, ADAM, 3 ADs, SharePoint, CA-LDAP, Oracle OID, SSPR, ...) and meet up with business requirements with a great product called FIM. But it has some limitations and it's a challenge to get in touch with "the creators". I was taking a leap here, hoping to get some people interested :)

    Kind regards,

    Tuesday, March 18, 2014 9:29 AM
  • Thanks for all of the hard work!

    Any guess when the documentation for the Generic LDAP Connector will be updated with features of the new supported directories?

    technet.microsoft.com/en-us/library/dn510997(v=ws.10).aspx

    Monday, April 21, 2014 6:33 PM