Granfeldt Powershell MA for Provisioning Accounts

  • Question

  • Hello,

    I have been working on using the Granfeldt Powershell MA for keeping our Active Directory and eDirectory instances synchronized. I have it just exporting attribute changes from AD user/group object attributes to their corresponding eDir user/group object attributes, and have gotten that working.

    I was wondering if there is the capability with this Management Agent to actually provision user/group objects from Active Directory to eDirectory. I love the flexibility of this MA, and would like to try and use it to provision accounts, but I'm not sure if it has hooks into that aspect of FIM.

    Should I just use the Granfeldt Codeless Provisioning for this instead?

    Tuesday, March 3, 2015 9:48 PM

All replies

  • Ok so after playing around and adding the Powershell MA dll as FIM's main metaverse rules extension and enabling provisioning, I get the following error which pretty clearly answers my question:

    failed on run profile "Full Stage and Sync" because the extension "Granfeldt.PowerShell.ManagementAgent.dll" does not contain a class implementing the required (IMVSynchronization or IMASynchronization) interface in the assembly.

    So that makes sense, it's not a part of the MA. So I need to come up with another way to provision accounts from AD to eDir. Attribute modifications on existing accounts seem to be working fine, so that's great.

    Now I'm troubleshooting an error I'm getting on the codeless provisioning extension. I've had this working before while using the built-in AD MA, and the built-in eDir MA. Now I am using the built-in AD MA, and an eDir Powershell MA with my custom scripts. When I modify the XML rules file to provision an account, I get an "object reference not set to an instance of an object." I assume this is also something silly I'm doing wrong. I'm working through it now, but if anyone has any insight, it would be greatly appreciated. Here is the rule in the XML I have set up:

    It may very well be I'm not flowing enough attributes to create the account, but I'm just wondering, I don't have any "provisioning" code in the export scripts for the PowerShell MA. How does the FIM.MRE know how to provision the account in the first place? Where is it getting its instructions from as to how to provision the information I have provided in the XML?

    <Rule>
      <Name>provision new user in eDir</Name>
      <Description>creates new user in edirectory</Description>
      <TargetManagementAgentName xsi:type="xsd:string">eDir_PowerShell</TargetManagementAgentName>
      <Enabled>true</Enabled>
      <SourceObject>person</SourceObject>
      <TargetObject>inetorgperson</TargetObject>
      <Action>provision</Action>
      <conditions>
        <ConditionBase xsi:type="ConditionAttributeIsPresent">
          <Description></Description>
          <MVAttribute>ActiveDirectoryCN</MVAttribute>
        </ConditionBase>
        <ConditionBase xsi:type="ConditionAttributeIsPresent">
          <Description></Description>
          <MVAttribute>ActiveDirectoryDisplayName</MVAttribute>
        </ConditionBase>
        <ConditionBase xsi:type="ConditionAttributeIsPresent">
          <Description></Description>
          <MVAttribute>ActiveDirectoryEmployeeID</MVAttribute>
        </ConditionBase>
        <ConditionBase xsi:type="ConditionAttributeIsPresent">
          <Description></Description>
          <MVAttribute>ActiveDirectoryGivenName</MVAttribute>
        </ConditionBase>
        <ConditionBase xsi:type="ConditionAttributeIsPresent">
          <Description></Description>
          <MVAttribute>ActiveDirectorySN</MVAttribute>
        </ConditionBase>
      </conditions>
      <InitialFlows>
        <AttributeFlowBase xsi:type="AttributeFlowConstant">
          <EscapedCN>CN=#mv:ActiveDirectoryCN#</EscapedCN>
          <Constant>#param:EscapedCN#,ou=Tests,o=hcc</Constant>
          <Target>[DN]</Target>
        </AttributeFlowBase>
        <AttributeFlowBase xsi:type="AttributeFlowAttribute">
          <Source>ActiveDirectoryCN</Source>
          <Target>cn</Target>
        </AttributeFlowBase>
        <AttributeFlowBase>
          <Source>ActiveDirectoryCN</Source>
          <Target>uniqueid</Target>
        </AttributeFlowBase>
        <AttributeFlowBase xsi:type="AttributeFlowAttribute">
          <Source>ActiveDirectoryGivenName</Source>
          <Target>givenname</Target>
        </AttributeFlowBase>
        <AttributeFlowBase xsi:type="AttributeFlowAttribute">
          <Source>ActiveDirectoryCN</Source>
          <Target>fullname</Target>
        </AttributeFlowBase>
        <AttributeFlowBase xsi:type="AttributeFlowAttribute">
          <Source>ActiveDirectorySN</Source>
          <Target>sn</Target>
        </AttributeFlowBase>
      </InitialFlows>
    </Rule>

    Wednesday, March 4, 2015 9:41 AM
  • Hi

    Have you gotten this to work? I can see in your XML that you have written the tag <conditions> with all lowercase. I know for a fact that this should be cased like this <Conditions> - so try changing that first and see if your null reference goes away. It is because the FIM.MRE cannot read your conditions elements.

    Thanks for the kind words on the PowerShell MA :-)


    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt

    Wednesday, March 25, 2015 3:30 PM
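
A pre-deployment check for the casing problem described in the reply above, as an added example that is not part of the thread, FIM.MRE or the PowerShell MA. It flags elements whose name differs only in case from the names used in the posted rule. The function name, the `<Rules>` wrapper and the sample rule are constructed for illustration, and treating a missing `xsi:type` on a `*Base` element as a finding is an assumption based on how the other elements in the post are written.

```powershell
# Added example; names are those used in the rule posted above, with
# <Conditions> cased as the reply says it must be.
$ExpectedNames = 'Rule','Name','Description','TargetManagementAgentName',
    'Enabled','SourceObject','TargetObject','Action','Conditions',
    'ConditionBase','MVAttribute','InitialFlows','AttributeFlowBase',
    'EscapedCN','Constant','Source','Target'
$XsiNs = 'http://www.w3.org/2001/XMLSchema-instance'

function Test-MreRuleFile {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Rules)
    foreach ($node in $Rules.SelectNodes('//*')) {
        # LocalName is used because a <Name> child would shadow .Name
        $ruleName = $node.SelectSingleNode('ancestor-or-self::Rule/Name')
        $exact = $ExpectedNames | Where-Object { $_ -ceq $node.LocalName }
        $loose = $ExpectedNames | Where-Object { $_ -ieq $node.LocalName }
        if ($loose -and -not $exact) {
            [pscustomobject]@{ Rule = $ruleName.InnerText
                               Element = $node.LocalName
                               Finding = "wrong case, expected <$loose>" }
        }
        # Assumption: ConditionBase / AttributeFlowBase need an xsi:type.
        $isBase = $node.LocalName -clike '*Base'
        if ($isBase -and -not $node.GetAttribute('type', $XsiNs)) {
            [pscustomobject]@{ Rule = $ruleName.InnerText
                               Element = $node.LocalName
                               Finding = 'no xsi:type attribute' }
        }
    }
}

# Constructed sample that reproduces the lowercase <conditions> from the post.
$sample = @'
<Rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Rule>
    <Name>provision new user in eDir</Name>
    <Action>provision</Action>
    <conditions>
      <ConditionBase xsi:type="ConditionAttributeIsPresent">
        <MVAttribute>ActiveDirectoryCN</MVAttribute>
      </ConditionBase>
    </conditions>
    <InitialFlows>
      <AttributeFlowBase><Source>ActiveDirectoryCN</Source><Target>uniqueid</Target></AttributeFlowBase>
    </InitialFlows>
  </Rule>
</Rules>
'@
Test-MreRuleFile -Rules $sample | Format-Table -AutoSize
```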