Sun IdM - Remedy - Active Sync

Similar Messages

• Active sync : process selection values are not persistent

  Hi,
  Version: IDM : 6
  I am attempting to provision oracle user accounts through IDM active sync process running against an AD LDAP server.
  I want to use default forms/views supplied by IDM product, and configure active sync to use my custom workflow on create/update events.
  I was not able to save my workflow for any of the events in process selection module of active sync configuration.
  this is what i did..
  ======================================================
  Active sync in (advanced mode) ->Process Selection
  Process Mode      
  Use the event type to determine the process / workflow ? (enabled)
  Create -> (from available workflows i select my custom workflow ) save
  ======================================================
  after saving my changes , i again re-visited active sync-> process selection : to confirm my changes.
  i do not see my saved workflow for create , but i see "default" as selected.
  Is assigning custom workflows through actives syncs process selection allowed?
  If Yes, How do i preserve my active sync-> process selection configurations?
  Thanks
  Edited by: idm_new_user on Jun 3, 2008 9:44 AM

  Hi Chapo,
  Thanks for trying to help me out...
  Issue is not with assigning my custom form to my active sync process, it works that way...(i can achieve AD->IDM->ORACLE provisioning) using custom form/workflow...i now want to use, forms/workflow shipped out of box by IDM product to achieve provisioning of oracle accounts(Target) with Active Sync configured on AD (source).I am having issues with this configuration...i am not sure , it even works, out of box with out editing any forms/workflows !!!
  what i now to achieve is a partial customization, i.e use forms supplied out of box by idm's active sync process, and ONLY use my custom workflows to do create/updates...
  This is what i am trying to do, for an active sync configured on AD resource in advanced mode.
  Find the AD LDAP resource under the Resources tab.
  The check the box on the left hand side.
  Now select "edit Active Sync process" from the drop down box.
  In the active sync ->process selection view...select "use event type to determine the process/workflow ?"
  and assign my custom workflows for create/update events...
  after saving this, i revisit to confirm my changes...only to find that , they get lost/replaced by "default"
  so, my question is how do i configure an active sync to use my workflow on create/update events...with out using my custom forms? if "process selection" module of active sync wizard is the way to do this, how can i save my configurations?

• Problem with Active Sync Process in Flat File

  I have a flat file (Employee.csv) as a resource. I populated that data into IDM using Active Sync.
  Ive created another flat file that is empty (CopyEmployee.csv) and added that as resource to IDM.
  By using the Active Sync process I want to populate the data from Employee.csv to CopyEmployee.csv.
  I tried but unable to get the output. Is this really possible ?
  Im using IDM 6.0 on SunApp 8.1

  Nope, flatfile is a read only adapter, to the best of my knowledge. You can use it to feed IM, that's it. No recon, nothing else. That's coz IM doesn't maintain a state for it (just does a diff with an index file during ActiveSync).
  You can think of maintaining a simulated resource on a file though.
  Ankush

• Synchronization Policy Input Form versus Meta View Active Sync

  In IdM 7.1, the Resources/ Active Sync Resource/ Edit Synchronization Policy provides options for �Input Form� under the Common Settings section. If the Active Sync application is enabled on the Meta View � Identity attributes page, the Input Form option on the Edit Synchronization Policy becomes disabled, and shows a statement ��MetaView will be used to handle detected changes for this resource��
  I have logic to set IAPI.cancel based on certain conditions in my Synchronization Policy Input Form. Where does this type of logic go if Meta View is turned on for Active Sync?

  Which Imput Form are you Selecting
  Default User form or create user form.
  I want to enter users into AD from IDM using Active Sync.

• Expert pls help: Sun IDM with ldap active sync

  Hi all,
  Currently i am configuring Sun IDM 6.0 SP1 to active sync with Sun directory server. I have enabled Retro Change Log but yet i cant find my changeNumber in directory server. Could anyone show me a way (search?) to get what changeNumber directory server currently running?

  Check the account used by IDM to access DS can search cn=changelog branch. If he is not Directory Manager, you probably need to set an ACI on that branch.
  HTH

• Sun IdM Password Sync 8.1 - Urgent help needed

  Hi,
  I have installed Sun Idm 8.1 password sync. It has been installed in Direct mode.
  The test environment is 1 dc controller and 1 windows xp machine.
  The following test cases were done -
  1. Admin/User changes password (IDM) - it is synchronized to AD and user is able to log into XP.
  2. Admin changes the password in AD - it is synchronized to IdM and user is able to log into XP and IdM
  **3. When the user changes the password in XP, it does not get synchronized to idm.**
  Please let me know your suggestions. Password Sync is a proven technology and should work.

  It should work - we have it working.
  Few things to look at:
  1) Check the Password Sync DLL trace log, level 4. It will help you see what is going on.
  2) What is the version of Windows domain controller?
  3) Make sure you have the latest password syc DLL installed.

• Provisioning User IDs in Remedy Help Desk with Sun IdM 7.0.

  Hi,
  Our team is in the process of defining a approach to provision user IDs in Remedy Help Desk system using Sun IdM version 7.0.
  What we wanted to know is whether it is possible to use the Remedy resource adapter bundled with Sun IdM 7.0 to provision user IDs. We think that this resource adapter is used to provision help desk tickets into the help desk system and not user IDs. Is the understanding correct?
  If user IDs cannot be provisioned using the resource adapter, we are planning the following approach to provision user IDs into Remedy:
  1. Understand the table schema of the Remedy database.
  2. Configure the Database Table resource adapter to provision into the Remedy user tables.
  We are looking for inputs from people who have come across a similar design issues with Remedy Help Desk and could validate our design approach. We will highly appreciate any inputs on this.
  Thank You.
  Regards,
  Vallabh Vengulekar.

  "We think that this resource adapter is used to provision help desk tickets into the help desk system and not user IDs"
  hi as per ur post...where did u find this information..I am looking for this information of how to manage Remedy tickets through IDM.
  If you can help me it wil be great...looking for your inputs...
  thanks in advance.

• Can IdM use TimeStamp files in its Active Sync for Database table ?

  I have an IdM 7.1 implementation that I inherited
  and have a Database Table resource adapter with Active Sync.
  Here's a few ways to set up Active Sync, but I want to explore the latter.
  -Static Search Predicate (clause)
  You can use a flag (column) in your data table. Does not require any mapping, and presumably whatever process you're kicking off would turn off the flag, so the record is not picked up subsequently.
  -Last Fetched Predicate (documented in the Resource Reference, under Database Table),
  Normally, you'd be doing a comparison based on timestamps, and the mapping between a timestamp-User Extended Attribute AND timestamp-Database Column
  In this implementation, I do not see a User Extended Attribute (UXA) but I do see a 0 byte timestamp file on the server. Did not see anything like this discussed in the docs, but my hypothesis is that this is being used, or has been configured somehow. I wonder if I am right ?
  Let's call it 'MyTS'
  I see MyTS both in ActiveSync logs, as well as in the 'XML Data' object, resource_SYNC, that A/S creates. Maybe this is a hidden feature, or mostly undocumented, or from an earlier version. Anyone care to offer a suggestion or explanation ? Your thoughts would be welcome.
  thanks

  'MyTS' would be a resource attribute. Have a look in the schema map for your resource.
  It doesn't need to be, and would not normally be, a user extended attribute.

• Active Sync - What attributes to set in UserMap

  I am have written an active sync adapter for MySQL Table. I am not sure what attributes to add in the user map object that is passed in the list of updates.
  I get the following error:
  The result of submitting the message - com.waveset.exception.FormValidation: Validation errors detected in form.
  My Code is as follows:
  private List getUpdateRows(Map lastProcessedRow) throws WavesetException {
  final String method = "getUpdateRows";
  TRACE.entry3(method);
  Connection conn = getConnection();
  ResultSet rslt = null;
  Statement stmt = null;
  List listOfUpdatedUsers = new ArrayList();
  String query = "select id, password, first_name, last_name, email, department, users_event.event " +
  " from users, users_event " +
  "where users_event.updated = 0 and users.id = users_event.user_id";
  try {
  stmt = conn.createStatement();
  rslt = stmt.executeQuery(query);
  if(null == rslt) {
  Message msg = new Message("NULL resultset returned on query execution");
  throw new WavesetException(msg);
  while(rslt.next()) {
  HashMap userMap = new HashMap();
  userMap.put("name", rslt.getString(1));
  userMap.put("password", rslt.getString(2));
  userMap.put(AA_FIRST_NAME, rslt.getString(3));
  userMap.put(AA_LAST_NAME, rslt.getString(4));
  userMap.put("email", rslt.getString(5));
  userMap.put(AA_DEPARTMENT, rslt.getString(6));
  if("delete".equals(rslt.getString(7))) {
  userMap.put(ATTR_IS_DELETED, "true");
  listOfUpdatedUsers.add(userMap);
  } catch (Exception e) {
  Message msg = new Message("Unable to get list of updated rows " + e.getMessage());
  throw new WavesetException(msg);
  } finally {
  TRACE.exit3(method);
  return listOfUpdatedUsers;
  * Take a list of Maps that are rows of the audit data and turn them
  * into IAPI calls.
  * @param list - a List of Map objects from getUpdateRows.
  protected int processUpdates(List list)
  throws WavesetException, IAPIException {
  final String METHOD = "processUpdates";
  TRACE.entry2( METHOD );
  int numProcessed = 0;
  if (list != null) {
  final int listSize = list.size();
  util.logString(IAPI.TRACELEVEL_INFO,
  "processUpdates: " +
  listSize +
  " elements.\n" );
  int currentRowCount = 0;
  Iterator it = list.iterator();
  while (it.hasNext() && !_util.isStopRequested()) {
  Map userMap = (Map)it.next();
  ++currentRowCount;
  // Announce our intentions with the current row, and
  // which row is being processed.
  logUpdate(IAPI.TRACE_LEVEL_INFO,userMap,null);
  util.logString( IAPI.TRACELEVEL_INFO,
  "processing update " +
  currentRowCount +
  " of " +
  listSize +
  ".\n");
  // Build the event
  Map options = new HashMap();
  // Check for any required attributes, which are either
  // not in the schema map, or are the names on the left hand side
  // of the schema map.
  String identity = (String)userMap.get("name");
  util.logString( IAPI.TRACELEVEL_INFO, "processing update Identity = " + identity + ".\n");
  if (identity == null){
  String message = "Missing required attribute name. " +
  "This is a configuration problem.";
  // If an error message can be safely ignored, namely it
  // is not a problem communicating with the resource, use
  // the resources's "CONTINUE_ON_ERROR" setting to determine
  // whether to skip the entry, or throw an exception.
  if ( isFeatureEnabled(Features.CONTINUE_ON_ERROR) ){
  util.logString( IAPI.TRACELEVEL_WARNING,
  message );
  continue;
  } else {
  throw new WavesetException(message);
  // If deletes aren't detected by a resource, the following
  // block should be removed.
  boolean wasDelete = false;
  if ( userMap.get(ATTR_IS_DELETED) != null ){
  // If the event was detected as a delete, flag it as such
  // in the options.
  options.put(IAPI.OPTION_DELETE_EVENT_DETECTED, Boolean.TRUE);
  wasDelete = true;
  util.logString( IAPI.TRACELEVEL_INFO, "About to process userMap \n");
  // IAPIFactory will use the resource configuration, options,
  // and userMap provided to create the event.
  IAPI event = IAPIFactory.getIAPI(options, userMap, this);
  util.logString( IAPI.TRACELEVEL_INFO, "Retrieved event object after processing userMap \n");
  // If deletes aren't detected by a resource, the following
  // block should be removed.
  if ( (event == null) && wasDelete ){
  // identity is used here as an example, replace with
  // whatever identifying attribute or attributes are
  // appropriate for the resource.
  util.logString(IAPI.TRACELEVEL_INFO,
  "Received delete for user " +
  identity +
  " not in IdM. Ignoring.\n");
  if (event != null) {
  ++numProcessed;
  event.setLogger(_util.getLogger());
  WavesetResult result = event.submit(); //This method returns an error message
  util.logString( IAPI.TRACELEVEL_INFO, " The result of submitting the message - " + result.getErrorMessage());
  // Log the result of submitting the current event.
  logUpdate(IAPI.TRACE_LEVEL_INFO,userMap,result);
  } // else nothing to do with the current row.
  TRACE.exit2(METHOD, numProcessed);
  return numProcessed;
  Please let me know the list of attributes that need to be set in the userMap objects.
  Thanks

  It looks like that the information than goe through ActiveSync form. Examples of such forms are at /homeDir/idm-staging/samples. More information can be found in documenatation Sun™ Identity Manager 8.0
  Workflows, Forms, and Views.
  Martin

• Movement of accounts in AD natively; How Sun IDM identity is affected

  Dear Reader,
  We are planning to integrate Windows Active Directory with Sun IDM 6.0 SP1. Even after integrating AD with Sun IDM there will be lots of changes to the native account like especially moving the account from one OU to another etc
  Since Sun IDM identity has the distinguished name of AD account for its reference; if someone moves the AD Account natively how will that affect IDM identity.
  I heard from couple of my friends that Sun IDM uses objectGUID to refer account in AD so even if the account is moved from one OU to another there will be no issue, is that right?
  Will Sun IDM 6.0 SP1 work that way or this fix was introduced in the later release?
  Is there any other factor involved in this which will affect the way Sun IDM works when the account is moved natively?
  Any help is appreciated
  Thanks in advance

  We use IdM 7.1.1.11 and AD.
  Sun does use the GUID once it has it. And, if the dn changes and the GUID stays the same, IdM won't care. Although in examining logs I saw that Sun asks AD first based on the GUID, then if it can't find it, reverts to the dn. We manage what OU our accounts are in via IdM. So we don't allow AD admins to move accounts around. During our initial migration, we are syncing up GUIDs, and correcting any bad OU values. Don't know if that helps, but I have some experience looking at some of this and can offer my oberservations.

• Notes Enable fails with Active Sync

  We are using the Sun IdM 6.0. we using the oracle database table as a authoritative source.we have configured the Active sync to keep polling for any change in the "status" attribute in database table.
  With the status attribute "0", it disables user on Lotus notes (resource).Which in turn passing the DenyGroups account attribute(access expire) to the resource.This is working sucessfully.
  But when we trying to Enable back that user i.e when the status attribute is "1" we could not able to enable that user.

  Are they using the same user account?
  If so how many IPads using the same user account. Might be throttling policy

• How to fix an active sync problem

  All,
  I came across some issues with active sync that I could not find reference to in Sun documentation that we found a fix for. Read and enjoy.
  Problem: Active sync stopped working for no reason
  Reason: Too many users were attempting to be updated at the same time. SARunner was not running.
  Fix: Manually delete the invalid TaskInstances from the database.
  Process:
  Stop active sync
  Find the invaild task instances
  Oracle SQL Code to find errors:
  SELECT * from object where type='TaskInstance' and ATTR1='EXECUTING';
  Delete invalid task instances
  Oracle SQL to delete invalid TaskInstances:
  DELETE from object where type='TaskInstance' and ATTR1='EXECUTING';
  After this is done commit the changes to the DB.
  Active Sync can now be re-started.
  It should start functioning properly at this point.

  There were no problems what so ever. The integrity of the repository was not affected. I did this as a last resort because nothing else I tried worked.
  One of the other side issues we were having was viewing tasks. When all tasks was clicked on I was getting invailid Object references. The Object reference ended up being the ID of a task that failed to update users because of an invalid character that IdM can not apparently parse. We had about 16 of these entries in the table. Active Sync no longer worked. We made the decision to delete the records from the table, we backed up the DB, then deleted the invalid records. I also checked in the other tables and could not find reference to the invalid objects anywhere. Once I deleted the records active sync began to function again after is was cycled and the system was brought back to full operational status.
  Apparently someone created a new security group in AD but when it was created they did not use a normal "-" in the name. I think the person used MS Word to type the name, in some cases word then substitutes a special character in for the dash that looks longer. This character was the root of my problem. I had someone go back and change the name of the security group and changed the dash to the right dash and that solved the root of my problem.

• How Create LDAP Group Inside Active Sync Form?

  I have an Active Sync form that is working well to synchronize (and slightly massage) data from an Active Directory source to a Sun Directory Server destination.
  I need to synchronize group information from AD to DS. It must automatically create groups during the Active Sync processing. It can't be done externally using another scripting language; it must be done within IdM.
  I have the following code...
  <Action id='0' application='com.waveset.provision.WorkflowServices'>
  <Argument name='op' value='createResourceObject'/>
  <Argument name='object'>
    <Object>
    <Attribute name='resourceId' value='DS'/>
    <Attribute name='resourceName' value='DS'/>
    <Attribute name='resourceType' value='LDAP'/>
    <Attribute name='objectName' value='abcd'/>
    <Attribute name='attributes'>
      <Object>
      <Attribute name='cn' value='abcd'/>
      <Attribute name='groupType' value='abcd'/>
      </Object>
    </Attribute>
    <Attribute name='objectType' value='group'/>
    <Attribute name='objectId' value='CN=abcd,ou=Groups,dc=blah,dc=com>
    </Object>
  </Argument>
  <Argument name='objectType' value='group'/>
  <Argument name='resourceId' value='DS'/>
  </Action>However with that code inside the <Field><Expansion>...</Expansion><Field> section the group is not created. I've enabled tracing and as best I can determine the code isn't even executed.
  I have created resource schemas for accounts[DS].ldapGroups and accounts[AD].groups and that works well. I can read group memberships from those lists. However I can't simply append to those lists to automatically create groups (which would be nice). That's why I've gone down this path of attempting to create the groups programatically.
  I've scoured the groups and the course notes and found nothing relevant here. The examples all refer to creating the groups within an interactive form. I'm trying to do the same within the <Field> section of an Active Sync form.

  TTSLSAB wrote:
  Hi Vladimir,
  can you please tell me what should i import in the java class inorder to avoid the below error (session) for the line
            Resource resource = (Resource)session.getObject(Type.RESOURCE, resId);
           ResourceAdapter ra = ResourceOp.findAdapter(resource, session.getCache());Error, which i am getting is
  Exception in thread "main" java.lang.Error: Unresolved compilation problems:
       session cannot be resolved
       session cannot be resolvedsession is your LighthouseContext handle so depending on how you are implementing the class you quoted, you will either need to pass it in, for example via the invoke tag from your form/workflow, or get your own - don't know how this is done but I'm assuming authenticating to IdM would have to be done.
  For all those interested, I have implemented the Java code snippet listed by Vladimir in XPRESS.
  idmSessionHandle - is the LighthouseContext for the current session
  currentOUDN - is a string representing the AD DN of the OU to be created
                  <defvar name='resourceAdapterHandle'/>
                  <set name='resourceAdapterHandle'>
                    <invoke name='findAdapter' class='com.waveset.provision.ResourceOp'>
                      <ref>resourceObject</ref>
                      <invoke name='getCache'>
                        <ref>idmSessionHandle</ref>
                      </invoke>
                    </invoke>
                  </set>
                  <defvar name='newOUGenericObject'/>
                  <set name='newOUGenericObject'>
                    <new class='com.waveset.object.GenericObject'>
                      <map>
                        <s>objectId</s>
                        <ref>currentOUDN</ref>
                        <s>objectType</s>
                        <s>Organizational Unit</s>
                      </map>
                    </new>
                  </set>
                  <invoke name='createObject'>
                    <ref>resourceAdapterHandle</ref>
                    <ref>newOUGenericObject</ref>
                    <new class='java.util.HashMap'/>
                  </invoke>
  [...]Although the above works well, to create OUs in AD, I have not yet tested its real life application with regards to the initial mass loading of users (from LDAP (auth source) to IdM to AD) and ActiveSyncing. My concerns are two threads attempting to create the OU at roughly the same time, the first succeeds, and second one fails because AD will reply with the fact that the object already exists. The workaround would be to do a recheck of the existence of the OU, after a failure was encountered. This ties into exception handling in general in this approach.
  If anyone can contribute exception handling and possibly a create with retries approach, to the above code, I'd appreciate it.
  Cheers.

• Sun idm 8.0.0.3: generate random password according to policy

  Hi all,
  probably a stupid question: using sun idm 8 I have an active-sync-source, containing employees but no passwords. So I should generate a new password in my active-sync-form and search for a way to export the password so new employees can be sent a letter "welcome at company, here is your password". Something like that.
  However, I fail to generate a password in the first place. I think I read about a PasswordGenerator once, but can't find it.
  So, what's the preferred way to generate a new password, if possible according to a selected password-policy?
  CU,
  Patrick.

  OK, OK if the policy is set to generate my troubles go away.... I thought that was gone with metaview?
  Anyway, what if I'd like to choose a special Policy for creation that differs from normal operations?
  CU,
  Patrick.

• OpenSSO-Sun IDM integration

  Hi All,
  I have implemented the OpenSSO-Sun IDM integration based on the "OpenSSO Integration Guide.pdf". Now, if the users are created in Sun-IDM are provisioned to OpenSSO. Can anyone suggest me, can the users created in OpenSSO be provisioned to Sun IDM?
  Also, is there any way to have a password sync between OpenSSO and Sun IDM users? That is, if the user's password is changed in OpenSSO can it also be changed in Sun-IDM?
  Best Wishes,
  Aruna

  Hi Frank,
  Thanks for the response,
  1. This is user/pw from the AC system you need to send with the web service call from SUN to AC
  So, we create and provide user credentials to IDM team and they need to incorporate the user credentials when ever they are calling the web services in AC5.3 ?
  For this initial communication happening, what need to be done. Setting up SAP Jco is required in this case? Do we get involved with the configuration/development activity at IDM end?
  I could not find proper documentation on this, this leaves me in what amount of involvement I have to do as a SAP GRC AC5.3 consultant.
  Regards......