
CA 12.5 SP6 Connector Express Group Membership via Virtual Attributes

Tuesday, May 31st, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

The CA RCM documentation is not very clear about how Reverse Association works, and it provides no guidelines on how to work with Virtual attributes, how they are mapped, or how they are controlled in Provisioning Manager. Group membership provisioning from the account or user side can be accomplished in CA RCM Connector Express using Virtual attributes. What this means is that if you have a user class (User Account) and a group class (Groups), you can provision the group member attribute with account members:

In the above example, when the group membership is added to the user in the group membership attribute on the user, the group member attribute is updated with the user account as well. This is accomplished with the following steps:

1.  Map the User class. The user class contains an attribute that holds the DN of the group; in this example this is Group Membership, the type is Flexi-DN, and the attribute may or may not be multi-valued.
2.  Map the Group class. The group class contains a multi-valued attribute (Member) that holds the DN of the user(s).
3.  Create the account to group direct association. The user account physical attribute is Group Membership, the attribute that stores the DN of the group. The Match attribute is the Groups naming attribute that is mapped as the required name for the group.
4.  Create the account to group reverse association. The group class group attribute must be a virtual attribute that is given a new account attribute name that does not exist in the group class; in this case I named the virtual attribute ‘vMember’ so that it is easily understandable. The match user account attribute is the required Account ID attribute.
5.  When you complete this, a brand new attribute will appear in the group attribute listing with the virtual attribute name. In figure 1 you can see the vMember attribute in the group class; this attribute was created by the reverse association step above, not manually.
6.  Repeat for the group to account direct association. Follow the same steps used for account to group with the values reversed, using the group’s Member attribute and the account’s Account ID attribute.
7.  Repeat for the group to account reverse association. The virtual attribute to create will be a virtual copy of the group membership (Group Membership) attribute, created in the account class. The match groups attribute will be the name of the group class.

The completed associations should look like figure 1. Two virtual attributes were created: vMember, created by the reverse association on the account class, and vGroup Membership, created by the reverse association on the group class. You do not need to modify the virtual attributes in any way except to verify that each is multi-valued.

When you have completed the Connector Express configuration, created the new endpoint, and acquired the new endpoint, you are ready to work with the target in Provisioning Manager. After you have Explored and Correlated the endpoint and mapped the endpoint on the Endpoints tab, you can work with account and group membership as follows (notice the vGroupMembership and Group Membership tabs):

  • The Group Membership tab represents the user’s group membership in the user’s account (member) attribute.
  • The vGroupMembership tab represents the user’s group membership in the group’s member (Group Membership) attribute.

By adding the same searched group in both of these tabs you can provision the user account with a group membership and modify the group member attribute with the user account in the same operation.
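To make the direct/reverse association idea concrete outside the Connector Express GUI, here is an added Python model (example code written for this page, not CA or IDMWorks code). It assumes a directory where each user entry carries the group DN in a "Group Membership" attribute and each group entry carries user DNs in a multi-valued "Member" attribute (the attribute names from the steps above); the DNs are constructed sample values. It derives the two virtual attributes (vMember on the group side, vGroup Membership on the account side) from the opposite class instead of storing them, provisions both sides in one operation, and audits for one-sided links, which is the drift you get when only one tab is used.

```python
"""Direct and reverse (virtual-attribute) group associations, modelled in plain Python.

Added example: assumes a directory with a user attribute 'Group Membership'
(DN of the group) and a group attribute 'Member' (DNs of users). All DNs below
are constructed sample data.
"""
from collections import defaultdict

USER_ATTR = "Group Membership"   # direct association on the account class
GROUP_ATTR = "Member"            # direct association on the group class


def sample_directory():
    """Constructed sample directory: DN -> {attribute: [values]}.
    'bob' is listed in cn=admins Member but lacks the reverse link on his own entry."""
    return {
        "cn=alice,ou=users,o=example": {
            "cn": ["alice"],
            USER_ATTR: ["cn=admins,ou=groups,o=example"],
        },
        "cn=bob,ou=users,o=example": {
            "cn": ["bob"],
            USER_ATTR: [],
        },
        "cn=admins,ou=groups,o=example": {
            "cn": ["admins"],
            GROUP_ATTR: ["cn=alice,ou=users,o=example", "cn=bob,ou=users,o=example"],
        },
        "cn=auditors,ou=groups,o=example": {
            "cn": ["auditors"],
            GROUP_ATTR: [],
        },
    }


def virtual_members(directory):
    """Reverse association for the group class: derive 'vMember' for every group
    from the users' Group Membership values rather than storing it."""
    vmember = defaultdict(list)
    for dn, attrs in directory.items():
        for group_dn in attrs.get(USER_ATTR, []):
            vmember[group_dn].append(dn)
    return {g: sorted(v) for g, v in vmember.items()}


def virtual_group_membership(directory):
    """Reverse association for the account class: derive 'vGroup Membership'
    for every user from the groups' Member values."""
    vgm = defaultdict(list)
    for dn, attrs in directory.items():
        for user_dn in attrs.get(GROUP_ATTR, []):
            vgm[user_dn].append(dn)
    return {u: sorted(v) for u, v in vgm.items()}


def add_membership(directory, user_dn, group_dn):
    """Provision both sides in one operation (the same group added on the
    Group Membership and vGroupMembership tabs). Idempotent; returns the directory."""
    user = directory[user_dn]
    group = directory[group_dn]
    user.setdefault(USER_ATTR, [])
    group.setdefault(GROUP_ATTR, [])
    if group_dn not in user[USER_ATTR]:
        user[USER_ATTR].append(group_dn)
    if user_dn not in group[GROUP_ATTR]:
        group[GROUP_ATTR].append(user_dn)
    return directory


def find_drift(directory):
    """Audit: return sorted (group_dn, user_dn, side) tuples for every one-sided link.
    'group_only': the group lists the user but the user's entry does not list the group.
    'user_only' : the user lists the group but the group's Member lacks the user."""
    drift = []
    vmember = virtual_members(directory)
    for dn, attrs in directory.items():
        for user_dn in attrs.get(GROUP_ATTR, []):
            if user_dn not in vmember.get(dn, []):
                drift.append((dn, user_dn, "group_only"))
    vgm = virtual_group_membership(directory)
    for dn, attrs in directory.items():
        for group_dn in attrs.get(USER_ATTR, []):
            if group_dn not in vgm.get(dn, []):
                drift.append((group_dn, dn, "user_only"))
    return sorted(drift)


if __name__ == "__main__":
    d = sample_directory()
    print("drift before:", find_drift(d))
    add_membership(d, "cn=bob,ou=users,o=example", "cn=admins,ou=groups,o=example")
    print("drift after :", find_drift(d))
    print("vMember     :", virtual_members(d))
```

The audit is the part worth keeping around: a group that lists an account the account does not list (or the reverse) is exactly the inconsistency that shows up when only one of the two tabs is used, and it is cheap to check against an export of both classes.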


As always, questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Building your IAM project toolbox

Wednesday, August 25th, 2010

New clients sometimes ask “what tools do I need to keep this new technology up and running”?

A basic tool kit for IDM or WAM environments is essential for making a successful project into a successful long term operation.

Here are a few basics I have collected over time.

For any LDAP access, you need an LDAP browser that can read any LDAP-accessible directory. Apache Directory Studio fills that need and is available on just about any platform you might be running.

The Apache Directory Studio LDAP browser is based on Eclipse and comes in two flavors. One is a stand-alone installable program that requires only a system Java Runtime to function. Download, install, and run.

http://directory.apache.org/studio/

The second flavor is as a plug-in to your existing Eclipse installation. If you already use Eclipse for other work, this will add the LDAP browser capability.

http://directory.apache.org/studio/installation-in-eclipse.html

Either way you go, you get an LDAP browser that is capable of working with any LDAP accessible directory.

Many IDM and WAM products run on Linux. Working with Linux requires different tools than a Windows server. Many applications use a command-line installer that may or may not have a GUI component.

GUI access requires X Windows capability to display. If you run a Mac, you should have it covered. PCs do not come with any X Windows capability. Xming provides that capability for PCs, and I have been able to run Xming on all recent versions of the Windows OS.

http://www.straightrunning.com/XmingNotes/

Start with the Public Domain version, and don’t forget the fonts. Get all the fonts because you never know what a vendor may use.

Of course, you cannot get to X Windows unless you have some way of accessing the Linux console. Once again, Mac users have that covered with Terminal. You can use telnet on a PC, but since telnet sends everything, passwords included, in the clear, a better method is via the old standby, PuTTY. No, this is not your plumber’s putty, but an SSH client that has stood the test of time.

http://www.chiark.greenend.org.uk/~sgtatham/putty/

This is the official site; grab a copy. There is no installation necessary, it just runs.

The next tool is something to transfer files back and forth between your PC and the Linux systems. For this, the SCP secure protocol is used, and you need a program that can do this reliably.

For the PC, I use WinSCP.

http://winscp.net/eng/index.php

This is another of those programs that has stood up over time. It allows you to drag and drop files between systems. Even better, if you set it up to do so, you can have it open and edit text files on the target system in your favorite text editor (more on those below).

For the Mac I like Cyberduck. I have tried a few others, but I keep coming back to this one.

http://cyberduck.ch/

Must be the name…

Next up would be some text editors. Often this is a personal choice, and there are many out there, but here are a couple that I use.

For the PC, PSPad is a free and very capable editor available in many languages.

http://www.pspad.com/

When I say languages, I refer to both spoken and programming languages. Highly versatile and very configurable, and much better than Notepad or WordPad.

For the Mac, I use TextWrangler.

http://www.barebones.com/products/textwrangler/

Many of the same features, in a package for the Mac.

I have not done too many IDM projects where some type of SQL database was not involved. Most have their own client tools, but what if you wanted something that could handle them all? For that, I turn to the Squirrels… SQuirreL SQL.

http://squirrel-sql.sourceforge.net/

You will need to obtain each vendor’s JDBC Type 4 driver to connect. I am a Novell IDM person, and I like this because I can use the same JDBC URL in SQuirreL as I do in the JDBC Driver. This gives me the same view of the data that the driver should see. SQuirreL is Java, so it works well on pretty much any desktop OS.

I did not intend to go into how to use these, maybe later. These are just a few available tools to keep in your toolbox for system administration and maintenance. Remember, when it comes to ideas on how to use these tools, Google is your friend.

Questions? Ask away at IDMWorks.