Novell® Identity Manager Tips, Tricks and Best Practices
Glen Knutti, Consultant, TriVir LLC
David Wagstaff, Consultant, Novell


This session covers the top tips, tricks and best practices for each component of Novell Identity Manager. You will receive experience by learning from the common mistakes made by others. The session focuses on the identity engine, connector set, Roles Based Provisioning Module and utilities that go into making any Identity Manager implementation easy. You will walk away with the knowledge of best practices for installation, configuration, and customization of Identity Manager. In addition, you will know how to create new policies to enhance your identity and access management solution by removing the barriers between applications, data stores and network platforms. A good understanding of Novell Identity Manager architectures and policies is highly recommended.


Page 1: Novell Identity Manager Tips, Tricks and Best Practices

Novell® Identity Manager Tips, Tricks and Best Practices

Glen Knutti, Consultant, TriVir LLC

David Wagstaff, Consultant, Novell

Page 2: Novell Identity Manager Tips, Tricks and Best Practices

© Novell, Inc. All rights reserved.

Tips and Tricks

• Use the Power of Regex

• Differentiate JDBC Driver Triggers

• Keep the JDBC Event Log Clean

• New Trace File Job

• Jobs: To Scope or Not to Scope?

• Disable Old Accounts Job

• Password Expiration Job

• Reciprocal Attribute Mapping

Page 3: Novell Identity Manager Tips, Tricks and Best Practices

Tips and Tricks

• Queries

• ECMAScript Errors Can Hang IDM 3.5.1

• Merge Cleaner

• Replace Rather Than Remove

• LDAP Credentials Auto-config

• Using dxcmd for Initial Migration

• Active Directory Driver – Line Feed

• Active Directory Driver – lockoutTime

Page 4: Novell Identity Manager Tips, Tricks and Best Practices

Scoping too much

Quiz

• Subscriber Event Transformation

• You want to limit the operations on the subscriber channel—block deletes, perhaps

• This will block everything other than add and modify!

Page 5: Novell Identity Manager Tips, Tricks and Best Practices

Use the Power of Regex

• Challenge

– Some policy conditions can be quite lengthy

Page 6: Novell Identity Manager Tips, Tricks and Best Practices

Use the Power of Regex

• Solution

– Use regex to shorten the policy

Page 7: Novell Identity Manager Tips, Tricks and Best Practices

Differentiate JDBC Driver Triggers

• Challenge

– Simplify JDBC driver troubleshooting

– You've got multiple tables with triggers that feed the event log table, but some entries in the event log table are inserted improperly. Where is the problem coming from?

Page 8: Novell Identity Manager Tips, Tricks and Best Practices

Differentiate JDBC Driver Triggers

• Solution

– Use a different case in your table_key column to show which trigger an insert came from

-- One trigger writes the key prefix in upper case
INSERT INTO cop.event_log (
  record_id, table_key, event_type, event_time, table_name
) VALUES (
  cop.seq_log_record_id.nextval, 'pk_EMPLOYEE=' || :old.employee, 6, sysdate, 'cop.idv'
);

-- Another trigger writes it in lower case, so an event_log row
-- tells you which trigger inserted it
INSERT INTO cop.event_log (
  record_id, table_key, event_type, event_time, table_name
) VALUES (
  cop.seq_log_record_id.nextval, 'pk_employee=' || :old.employee, 6, sysdate, 'cop.idv'
);

Page 9: Novell Identity Manager Tips, Tricks and Best Practices

Differentiate JDBC Driver Triggers

• Solution

– Use a different case in your table_key column to show which trigger an insert came from

Page 10: Novell Identity Manager Tips, Tricks and Best Practices

Event Transformation Policies

Quiz

• Event transformation policies that attempt to operate on add events

• Unassociated modifies pass by & then turn into an add

• Watch those <sync> events that turn into adds later...

Page 11: Novell Identity Manager Tips, Tricks and Best Practices

Keeping the JDBC Event Log Clean

• Challenge

– JDBC event log is filling up with rows that have a status of warning

– These rows represent valid vetoes of events that didn't meet the create requirements

• Solution

– It's common to use a veto-if-operational-attribute 'not available' action in a create or matching rule

– Review adds before the matching and create policies and veto events that don't meet criteria

Page 12: Novell Identity Manager Tips, Tricks and Best Practices

New Trace File Job

• Challenge

– For security, troubleshooting or audit purposes you want to maintain driver trace file contents for a long time (months)

• Solution

– Create a nightly job that triggers an update to the driver trace attribute value every night

– Be careful with your disk space!

– Extra Credit: Incorporate automated zipping of your trace files at the end of each week or month as part of the job/driver

Page 13: Novell Identity Manager Tips, Tricks and Best Practices

New Trace File Job

ADDriver-2010-03-20.txt
ADDriver-2010-03-21.txt
ADDriver-2010-03-22.txt

Page 14: Novell Identity Manager Tips, Tricks and Best Practices

Jobs: To Scope or Not to Scope?

• Scoped job

– Trigger event for every object in scope

– Filter options are object classes for containers

– Driver must have trustee assignment to the scoped containers; can't use the Security Equals setting of driver

– Use in hierarchical structures

– Use to check all objects in a container

• Unscoped job

– Single trigger event—does nothing by itself

– Scope is configured in the ldapSearch ECMAScript

– An LDAP filter provides much more control

– Use in flat structures or for narrow result sets

Page 15: Novell Identity Manager Tips, Tricks and Best Practices

Disable Old Accounts Job

• Challenge

– If users haven't logged in for more than 180 days, you want to disable their accounts

• Solution

– Create a nightly job to search for users who haven't logged in for more than 180 days

– Disable or delete the account

– Optional: Send the user an email to inform them the account has been disabled

Page 16: Novell Identity Manager Tips, Tricks and Best Practices

Password Expiration Job

• Challenge

– Rather than rely on grace logins, you want users to change their password before the password expires

• Solution

– Create a nightly job to search for users whose passwords will expire in a specific number of days (30, 15, 7, 3, 1)

– Send an email notification
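The deck leaves the ldapSearch side of the unscoped jobs above (Disable Old Accounts, Password Expiration) to the reader. The following is an added example, not code from the deck or from IDM's job API: plain JavaScript (run here under Node) showing the date handling and LDAP filters such a job script needs, including the never-logged-in and no-expiry-set cases. loginTime and passwordExpirationTime are eDirectory's LDAP attribute names; that the directory honours <= and >= on them is an assumption.

```javascript
// Added example, not from the deck or IDM's job API: date and LDAP-filter logic
// an unscoped job's ldapSearch ECMAScript needs for the "Disable Old Accounts"
// and "Password Expiration" jobs. Plain JavaScript run under Node; loginTime and
// passwordExpirationTime are eDirectory LDAP names, ordering on them is assumed.
var DAY_MS = 86400000;

function pad(n, width) {
  var s = String(n);
  while (s.length < width) s = "0" + s;
  return s;
}

// Format a Date as LDAP GeneralizedTime in UTC, e.g. 20090921000000Z.
function toGeneralizedTime(d) {
  return pad(d.getUTCFullYear(), 4) + pad(d.getUTCMonth() + 1, 2) +
    pad(d.getUTCDate(), 2) + pad(d.getUTCHours(), 2) +
    pad(d.getUTCMinutes(), 2) + pad(d.getUTCSeconds(), 2) + "Z";
}

// Parse GeneralizedTime back to a Date; null when missing or malformed, so a
// user without passwordExpirationTime does not abort the nightly run.
function fromGeneralizedTime(s) {
  var m = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:\.\d+)?Z$/.exec(s || "");
  if (!m) return null;
  return new Date(Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6]));
}

// Disable Old Accounts: last login at least `days` ago. Accounts that never
// logged in have no loginTime and are NOT matched; treat them in a separate rule.
function staleLoginFilter(now, days) {
  var cutoff = toGeneralizedTime(new Date(now.getTime() - days * DAY_MS));
  return "(&(objectClass=inetOrgPerson)(loginTime<=" + cutoff + "))";
}

// Password Expiration: search everyone expiring within the largest milestone;
// shouldNotify() below then picks the exact days.
function expiringSoonFilter(now, maxDays) {
  var lo = toGeneralizedTime(now);
  var hi = toGeneralizedTime(new Date(now.getTime() + maxDays * DAY_MS));
  return "(&(objectClass=inetOrgPerson)(passwordExpirationTime>=" + lo +
    ")(passwordExpirationTime<=" + hi + "))";
}

// Whole UTC calendar days until expiry, so an 08:30 expiry counts the same
// whether the job runs at 01:00 or 23:00.
function daysUntilExpiry(expiresGT, now) {
  var exp = fromGeneralizedTime(expiresGT);
  if (!exp) return null;
  var today = Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate());
  var expDay = Date.UTC(exp.getUTCFullYear(), exp.getUTCMonth(), exp.getUTCDate());
  return Math.round((expDay - today) / DAY_MS);
}

// Notify only on the deck's milestones: one mail per milestone, not one a night.
var NOTIFY_DAYS = [30, 15, 7, 3, 1];
function shouldNotify(expiresGT, now) {
  var d = daysUntilExpiry(expiresGT, now);
  return d !== null && NOTIFY_DAYS.indexOf(d) !== -1;
}
```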

Page 17: Novell Identity Manager Tips, Tricks and Best Practices

Users, Groups and Referential Integrity

Quiz

• You have policies to sync and manage both users and groups on a driver

• Delete a user

• eDirectory™ removes the user from a group

• The group modify event (remove member) may trigger code to update user and remove group membership

• But the user is gone and an error is thrown!

Page 18: Novell Identity Manager Tips, Tricks and Best Practices

Reciprocal Attribute Mapping

• Challenge

– Both the Group Membership attribute on users and the Member attribute on groups are sync'd

– You're processing everything twice!

– You may end up with referential integrity errors

• Solution

– Sync users or groups and use reciprocal attribute mappings so IDM can handle the referential integrity for you!

Page 19: Novell Identity Manager Tips, Tricks and Best Practices

Best Practices

Page 20: Novell Identity Manager Tips, Tricks and Best Practices

Best Practices

• First write policies that work—then make them efficient, elegant, clever, etc.

• Use Designer

• Review the trace file

• Use consistent policy and variable naming

• Document your policy with a description

• Refine your methodology

Page 21: Novell Identity Manager Tips, Tricks and Best Practices

Identity Management Methodology

• Requirements Assessment

• Development

• Testing

• Deployment

Page 22: Novell Identity Manager Tips, Tricks and Best Practices

Requirements Assessment

• Create an Acceptance Criteria (AC) document

• Document each process as a single, testable unit

• Break down to unit/feature functionality

• Take the time to fill in all the details

• Keep your document up to date

Page 23: Novell Identity Manager Tips, Tricks and Best Practices

Acceptance Criteria Document

1.1 New Employee is Hired

A new employee is hired in the HR system.

Preconditions
The employee does not exist in the HR system.
The employee does not exist in the Identity Vault.

Action
The employee is hired in the HR system.

Results
The employee is created in the Identity Vault.

Page 24: Novell Identity Manager Tips, Tricks and Best Practices

Development

• Create engineering estimates based on the AC doc

• Group the estimated work into iterations

• Create automated tests for each unit of functionality that you code

• Deliver iterations on a regular basis to show progress, allow for manual testing and request feedback

Page 25: Novell Identity Manager Tips, Tricks and Best Practices

Testing

• Test initial migration process first!

• Automated testing will save you countless hours

• Write positive tests first and add relevant negative tests as appropriate

• Manual testing is still required to validate your automated tests

Page 26: Novell Identity Manager Tips, Tricks and Best Practices

Deployment

• Test your deployment process

• Retest your deployment process

• Test your deployment process again unless it was flawless last time

• Add tests for bugs found post-deployment so they will be avoided going forward

Page 27: Novell Identity Manager Tips, Tricks and Best Practices

Tips and Tricks

• Queries

• ECMAScript Errors Can Hang IDM 3.5.1

• Merge Cleaner

• Replace Rather Than Remove

• LDAP Credentials Auto-config

• Using dxcmd for Initial Migration

• Active Directory Driver – Line Feed

• Active Directory Driver – lockoutTime

Page 28: Novell Identity Manager Tips, Tricks and Best Practices

Queries

• Challenge

– Why does it take so long to process an event?

• Solution

– Check query times in the trace file

– Create indexes for attributes you query

– Avoid unnecessary queries

> Use Attribute instead of Source Attribute

> Query once for all the attributes you'll need in a policy

> Check for required create attributes before matching

Page 29: Novell Identity Manager Tips, Tricks and Best Practices

ECMAScript Hangs in IDM 3.5.1

• Challenge

– You've got a beautiful ECMAScript which simply hangs when you run it.

– The trace file shows that the function was called, but nothing happens after that.

• Solution

– There seems to be a bug in IDM 3.5.1 where exceptions are not handled properly—fixed in IDM 3.6.1

function functionThatCausesAnException() {
  // Stand-in for whatever call throws; defined here so the sample runs on its own
  throw new Error("simulated failure");
}

function testExceptionWithTryCatch() {
  try {
    functionThatCausesAnException();
  } catch (e) {
    return e;   // on 3.5.1 this handler was never reached and the script hung
  }
  return "SUCCESS";
}

Page 30: Novell Identity Manager Tips, Tricks and Best Practices

Adding and Modifying Associations

Quiz

• You have a DTF, SOAP, Manual or Writeback driver and you're setting association values with policies

• An associated object ends up with another association via <add-association>

• You end up with two associations on that object which will produce two events when touched again

• Check for existing associations and use <modify-association> instead to replace the existing association

Page 31: Novell Identity Manager Tips, Tricks and Best Practices

Merge Cleaner

• Challenge

– During a merge on your Active Directory driver, a single error on an attribute will error out the whole event

• Solution

– Use a stylesheet to break up the merge event into discrete modify events

Page 32: Novell Identity Manager Tips, Tricks and Best Practices

Replace Rather than Remove

• Challenge

– When sending a modify to Active Directory, you attempt to remove an old value and add a new value, but the old value doesn't exist in Active Directory and the event errors out

• Solution

– Convert those <remove-value> <add-value> pairs into <remove-all-values> <add-value>

– Use a list GCV to make it easy to add and remove attributes as needed

– Works for single valued attributes ONLY!

Page 33: Novell Identity Manager Tips, Tricks and Best Practices

Replace Rather than Remove

Page 34: Novell Identity Manager Tips, Tricks and Best Practices

Driver Variable in a Stylesheet

Quiz

• You've defined a driver variable (as opposed to a policy variable) and want to reference it later in a stylesheet

• The stylesheet reference is right... $variableName

<xsl:choose>
  <xsl:when test="$userDisabled = 'false'">

• Code (-9061) Error processing XSLT policy: top-level variable 'userDisabled' was referenced but not defined

• The stylesheet must declare the driver variable as a top-level parameter before it can reference it:

<xsl:param name="userDisabled"/>

Page 35: Novell Identity Manager Tips, Tricks and Best Practices

LDAP Credentials Auto-config

• Challenge

– You don't want to store LDAP credentials in your driver

• Solution

– Found on Novell® Cool Solutions

– You could use named passwords, but you have to set those values each time the driver is imported or each time you move to a new environment or when the account password is updated

– Automagically leverage the credentials the driver is using to perform the operation; the assumption is the driver will have rights to any objects you want to read/modify/delete

Page 36: Novell Identity Manager Tips, Tricks and Best Practices

Using dxcmd for Initial Migration

• Challenge

– When 'connecting' existing objects as part of an initial migration, you want to minimize the churn of processing all application objects when only a subset is needed

• Solution

– Use dxcmd and a query XDS document to specify exactly which objects you want to migrate

Page 37: Novell Identity Manager Tips, Tricks and Best Practices

Using dxcmd for Initial Migration

• Query XDS

<nds dtdversion="3.5" ndsversion="8.x">
  <input>
    <query class-name="User" dest-dn="DC=abc,DC=edu" scope="subtree">
      <search-class class-name="user"/>
      <search-attr attr-name="extensionAttribute4">
        <value>no</value>
      </search-attr>
      <search-attr attr-name="extensionAttribute8">
        <value>no</value>
      </search-attr>
    </query>
  </input>
</nds>

• Batch file

dxcmd -user cn=admin,o=services -host localhost -password xxx -migrateapp "cn=NonEmployees,cn=Driver Set,ou=idm,o=services" file.txt

Page 38: Novell Identity Manager Tips, Tricks and Best Practices

One Change Breaks Something Else

Quiz

• Everything is running great, but one more required change or update ends up breaking existing functionality in a totally unexpected way

• Use automated testing

– Allows you to define all the test cases

– Allows you to run and rerun test cases quickly and thoroughly

– IdMUnit at IdMUnit.org

Page 39: Novell Identity Manager Tips, Tricks and Best Practices

Active Directory Driver – Line feed

Output - Street Address: Convert LF to CR-LF

• Bad

• "Suite 10\n123 Elm Street" becomes "Suite 1\n123 Elm Street"

• Sending \r\n doesn't work in Active Directory anyway

Page 40: Novell Identity Manager Tips, Tricks and Best Practices

Active Directory Driver – Line feed

Output - Street Address: Convert LF to CR-LF

• Good

Page 41: Novell Identity Manager Tips, Tricks and Best Practices

Active Directory Driver – Line feed

Input - streetAddress: Convert CR-LF to LF

• Bad

• The line feed is being removed, not the carriage return

Page 42: Novell Identity Manager Tips, Tricks and Best Practices

Active Directory Driver – Line feed

Input - streetAddress: Convert CR-LF to LF

• Good

• Remove the carriage return, not the line feed
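The four line-feed slides above show only the symptoms, not the transforms behind them. As an added example (not the deck's policy code), here are both conversions in plain JavaScript with the broken form beside the corrected one, run on the deck's own sample value. The "bad" patterns are reconstructions that reproduce exactly the symptoms described (a character before the newline swallowed; the LF removed instead of the CR) and are assumptions, as is the "good" output form, whose slide text did not survive extraction.

```javascript
// Added example, not from the deck: street-address newline conversions for the
// AD driver, bad form beside good form. Bad patterns are reconstructions that
// reproduce the deck's symptoms, not the authors' actual policy.
var SAMPLE = "Suite 10\n123 Elm Street"; // the deck's sample value

// Output (Identity Vault -> AD): LF to CR-LF.
// Bad: matching the character before the newline consumes it, so
// "Suite 10\n..." becomes "Suite 1\n..." as the deck shows.
function lfToCrlfBad(s) {
  return s.replace(/.\n/g, "\r\n");
}
// Good: touch only the newline itself, and leave an existing CR-LF alone
// so a value that is already converted is not doubled to "\r\r\n".
function lfToCrlfGood(s) {
  return s.replace(/\r?\n/g, "\r\n");
}

// Input (AD -> Identity Vault): CR-LF to LF.
// Bad: removing the line feed instead of the carriage return leaves a bare
// "\r" in the value, which no longer reads as a line break in the vault.
function crlfToLfBad(s) {
  return s.replace(/\n/g, "");
}
// Good: remove the carriage return, keep the line feed.
function crlfToLfGood(s) {
  return s.replace(/\r\n/g, "\n");
}

// The good pair must round-trip a value unchanged.
function roundTrip(s) {
  return crlfToLfGood(lfToCrlfGood(s));
}
```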

Page 43: Novell Identity Manager Tips, Tricks and Best Practices

Active Directory Driver - lockoutTime

Can't set lockoutTime in AD

• Bad

• Can't set lockoutTime in AD, even with the proper time syntax

Page 44: Novell Identity Manager Tips, Tricks and Best Practices

Active Directory Driver - lockoutTime

Can't set lockoutTime in AD

• Good

• Must lockout the AD user 'manually'

Page 45: Novell Identity Manager Tips, Tricks and Best Practices

Trends and Observations

• Using more null drivers

• Using more than one driver to the same application

– Different object classes with different requirements

– Password Sync driver

• Increased need for automated testing

• IDM implementations are maturing

– More roles, governance and compliance starting

– More User Application

– More workflow

Page 46: Novell Identity Manager Tips, Tricks and Best Practices
Page 47: Novell Identity Manager Tips, Tricks and Best Practices

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.