Novell Identity Manager Tips, Tricks and Best Practices

Novell Identity Manager
®

Tips, Tricks and Best Practices

Glen Knutti
Consultant
TriVir LLC

David Wagstaff
Consultant
Novell

Tips and Tricks

• Use the Power of Regex
• Differentiate JDBC Driver Triggers
• Keep the JDBC Event Log Clean
• New Trace File Job
• Jobs: To Scope or Not to Scope?
• Disable Old Accounts Job
• Password Expiration Job
• Reciprocal Attribute Mapping

2 © Novell, Inc. All rights reserved.

Tips and Tricks

• Queries
• ECMAScript Errors Can Hang IDM 3.5.1
• Merge Cleaner
• Replace Rather Than Remove
• LDAP Credentials Auto-config
• Using dxcmd for Initial Migration
• Active Directory Driver – Line Feed
• Active Directory Driver – lockoutTime


Scoping too much

Quiz
• Subscriber Event Transformation
• You want to limit the operations on the subscriber
channel—block deletes, perhaps

• This will block everything other than add and modify!


Use the Power of Regex

• Challenge
– Some policy conditions can be quite lengthly


Use the Power of Regex

• Solution
– Use regex to shorten the policy


Differentiate JDBC Driver Triggers

• Challenge
– Simplify JDBC driver troubleshooting
– You've got multiple tables with triggers that feed the event
log table, but some entries in the event log table are
inserted improperly—from where is the problem coming?



• Solution
– Use different case in your table_key column to show from
which trigger an insert came

INSERT INTO cop.event_log INSERT INTO cop.event_log
( (
record_id, record_id,
table_key, table_key,
event_type , event_type ,
event_time , event_time ,
table_name table_name
) )
VALUES VALUES
( (
cop.seq_log_record_idnextval,
. cop.seq_log_record_idnextval,
.
'pk_EMPLOYEE=' |:old.employee
| , 'pk_employee=' |:old.employee
| ,
6, 6,
sysdate, sysdate,
'cop.idv' 'cop.idv'
); );



• Solution
– Use different case in your table_key column to show from
which trigger an insert came


Event Transformation Policies

Quiz
• Event transformation policies that attempt to operate on
add events

• Unassociated modifies pass by & then turn into an add
• Watch those <sync> events that turn into adds later...


Keeping the JDBC Event Log Clean

• Challenge

– JDBC event log is filling up with rows that have a
status of warning
– These rows represent valid vetoes of events that
didn't meet the create requirements

• Solution

– It's common to use a veto-if-operational-attribute
'not available' action in a create or matching rule
– Review adds before the matching and create
policies and veto events that don't meet criteria

New Trace File Job

• Challenge
– For security, troubleshooting or audit purposes you want to
maintain driver trace file contents for a long time (months)

• Solution
– Create a nightly job that triggers an update to the driver trace
attribute value every night

– Be careful with your disk space!

– Extra Credit: Incorporate automated zipping of your trace files
at the end of each week or month as part of the job/driver


New Trace File Job

ADDriver-2010-03-20.txt


Jobs: To Scope or Not to Scope?
• Scoped job
– Trigger event for every object in scope
– Filter options are object classes for containers
– Driver must have trustee assignment to the scoped
containers; can't use the Security Equals setting of driver
– Use in hierarchical structures
– Use to check all objects in a container
• Unscoped job
– Single trigger event—does nothing by itself
– Scope is configured in the ldapSearch ECMAScript
– An LDAP filter provides much more control
– Use in flat structures or for narrow result sets


Disable Old Accounts Job

• Challenge
– If users haven't logged in for more than 180 days, you want
to disable their accounts

• Solution
– Create a nightly job to search for users who haven't logged
in for more than 180 days

– Disable or delete the account

– Optional: Send the user an email to inform them the
account has been disabled


Password Expiration Job

• Challenge

– Rather than rely on grace logins, you want users to change
their password before the password expires

• Solution

– Create a nightly job to search for users whose passwords
will expire in a specific number of days (30, 15, 7, 3, 1)

– Send an email notification


Users, Groups and Referential Integrity

Quiz
• You have policies to sync and manage both users and
groups on a driver
• Delete a user
• eDirectory™ removes the user from a group
• The group modify event (remove member) may trigger
code to update user and remove group membership
• But the user is gone and an error is thrown!


Reciprocal Attribute Mapping

• Challenge
– Both the Group Membership attribute on users and
the Member attribute on groups are sync'd
– You're processing everything twice!
– You may end up with referential integrity errors
• Solution
– Sync users or groups and use reciprocal attribute
mappings so IDM can handle the referential integrity
for you!


Best Practices

• First write policies that work—then make them efficient,
elegant, clever, etc.
• Use Designer
• Review the trace file
• Use consistent policy and variable naming
• Document your policy with a description
• Refine your methodology


Identity Management Methodology

• Requirements Assessment
• Development
• Testing
• Deployment


Requirements Assessment

• Create an Acceptance Criteria (AC) document
• Document each process as a single, testable unit
• Break down to unit/feature functionality
• Take the time to fill in all the details
• Keep your document up to date


Acceptance Criteria Document

1.1 New Employee is Hired
A new employee is hired in the HR system.
Preconditions
The employee does not exist in the HR system.
The employee does not exist in the Identity Vault.
Action
The employee is hired in the HR system.
Results
The employee is created in the Identity Vault.


Development

• Create engineering estimates based on the AC doc
• Group the estimated work into iterations
• Create automated tests for each unit of functionality
that you code
• Deliver iterations on regular basis to show progress,
allow for manual testing and request feedback


Testing

• Test initial migration process first!
• Automated testing will save you countless hours
• Write positive tests first and add relevant negative tests
as appropriate
• Manual testing is still required to validate your
automated tests


Deployment

• Test your deployment process
• Retest your deployment process
• Test your deployment process again unless it was
flawless last time
• Add tests for bugs found post-deployment so they will
be avoided going forward


Tips and Tricks

• Queries
• ECMAScript Errors Can Hang IDM 3.5.1
• Merge Cleaner
• Replace Rather Than Remove
• LDAP Credentials Auto-config
• Using dxcmd for Initial Migration
• Active Directory Driver – Line Feed
• Active Directory Driver – lockoutTime


Queries

• Challenge
– Why does it take so long to process an event?

• Solution
– Check query times in the trace file

– Create indexes for attributes you query

– Avoid unnecessary queries
> Use Attribute instead of Source Attribute

> Query once for all the attributes you'll need in a policy

> Check for required create attributes before matching


ECMAScript Hangs in IDM 3.5.1
• Challenge
– You've got a beautiful ECMAScript which simply hangs when
you run it.
– The trace file shows that the function was called, but nothing
happens after that.
• Solution
– There seems to be a bug in IDM 3.5.1 where exceptions are not
handled properly—fixed in IDM 3.6.1
function testExceptionWithTryCatch() {
try {
functionThatCausesAnException();
} catch (e) {
return e;
}
return "SUCCESS";
}


Adding and Modifying Associations

Quiz
• You have a DTF, SOAP, Manual or Writeback driver
and you're setting association values with policies
• An associated object ends up with another association
via <add-association>
• You end up with two associations on that object which
will produce two events when touched again
• Check for existing associations and use <modify-
association> instead to replace the existing association


Merge Cleaner

• Challenge
– During a merge on your Active Directory driver, a single
error on an attribute will error out the whole event

• Solution
– Use a stylesheet to break up the merge event into discrete
modify events


Replace Rather than Remove

• Challenge
– When sending a modify to Active Directory, you attempt to
remove an old value and add a new value, but the old
value doesn't exist in Active Directory and the event errors
out

• Solution
– Convert those <remove-value> <add-value> pairs into
<remove-all-values> <add-value>
– Use a list GCV to make it easy to add and remove
attributes as needed
– Works for single valued attributes ONLY!


Replace Rather than Remove


Driver Variable in a Stylesheet

Quiz
• You've defined driver variable (as opposed to a policy
variable) and want to reference it later in a stylesheet
• The stylesheet reference is right... $variableName
<xsl:choose>
<xsl:when test=“$userDisabled = 'false'”>
• Code (-9061) Error processing XSLT policy: top-level
variable 'userDisabled' was referenced but not defined
<xsl:param name=“userDisabled”/>


LDAP Credentials Auto-config

• Challenge
– You don't want to store LDAP credentials in your driver

• Solution
– Found on Novell Cool Solutions
®

– You could use named passwords, but you have to set
those values each time the driver is imported or each time
you move to a new environment or when the account
password is updated

– Automagically leverage the credentials the driver is using
to perform the operation; the assumption is the driver will
have rights to any objects you want to read/modify/delete


Using dxcmd for Initial Migration

• Challenge
– When 'connecting' existing objects as part of an initial
migration, you want to minimize the churn of
processing all application objects when only subset is
needed
• Solution
– Use dxcmd and a query XSD to specify exactly
which objects you want to migrate


Using dxcmd for Initial Migration
• Query XDS
<nds dtdversion="3.5" ndsversion="8.x">
<input>
<query class-name="User" dest-dn="DC=abc,DC=edu" scope="subtree">
<search-class class-name="user"/>
<search-attr attr-name="extensionAttribute4"/>
<value>no</value>
</search-attr>
<search-attr attr-name="extensionAttribute8"/>
<value>no</value>
</search-attr>
</query>
</input>
</nds>

• Batch file
dxcmd -user cn=admin,o=services -host localhost -password xxx -migrateapp
“cn=NonEmployees,cn=Driver Set,ou=idm,o=services” file.txt


One Change Breaks Something Else

Quiz
• Everything is running great, but one more required
change or update ends up breaking existing
functionality in a totally unexpected way
• Use automated testing
– Allows you to define all the test cases

– Allows you to run and rerun test cases quickly and thoroughly

– IdMUnit at IdMUnit.org


Active Directory Driver – Line feed
Output - Street Address: Convert LF to CR-LF
• Bad

• “Suite 10n123 Elm Street” becomes “Suite 1n123 Elm Street”
• Sending rn doesn't work in Active Directory anyway

Output - Street Address: Convert LF to CR-LF
• Good


Input - streetAddress: Convert CR-LF to LF
• Bad

• The line feed is being removed, not the carriage return


Input - streetAddress: Convert CR-LF to LF
• Good

• Remove the carriage return, not the line feed


Active Directory Driver - lockoutTime
Can't set lockoutTime in AD
• Bad

• Can't set lockoutTime in AD, even with the proper time
syntax


Active Directory Driver - lockoutTime
Can't set lockoutTime in AD
• Good

• Must lockout the AD user 'manually'


Trends and Observations

• Using more null drivers
• Using more than one driver to the same application
– Different objects classes with different requirements
– Password Sync driver
• Increased need for automated testing
• IDM implementations are maturing
– More roles, governance and compliance starting
– More User Application
– More workflow


Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.

Novell Identity Manager Tips, Tricks and Best Practices

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Novell Identity Manager Tips, Tricks and Best Practices

Ähnlich wie Novell Identity Manager Tips, Tricks and Best Practices (20)

Mehr von Novell

Mehr von Novell (20)

Novell Identity Manager Tips, Tricks and Best Practices