Mcdz

Pinned topic personsearch Or containersearch

‏2013-10-09T10:20:53Z |

I'm trying to check whether an alias value on an AD account is available or not

by using a provisioning policy.

Can you please help me with which one to use, personsearch or containersearch?

In fact I have tried all of these, but it does not work.

My environment

ISIM 6.0

  LDAP location

provisioning policy

var chk = false;
var sn = subject.getProperty("sn")[0];
var giv = subject.getProperty("givenname")[0];
var val = "1";
var n = 1;
var s = "";
var searchResult1 = 0;
while (chk == false) {
    s = sn.substring(0, n);
    val = giv + "." + s;
    var ps = new ContainerSearch();
    searchResult1 = ps.searchByFilter("erADAccount", "(eradealias=" + val + ")");
    if (searchResult1.length > 0) {
        n = n + 1;
    } else {
        chk = true;
        subject.setProperty("alias", val + searchResult1);
    }
}

return (subject.getProperty("alias")[0]);
Updated on 2013-10-10T02:51:34Z at 2013-10-10T02:51:34Z by Mcdz
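The candidate-generation loop from the script above, isolated from ISIM as an added example (not part of the original post and not IBM's code). It bounds the loop, which otherwise never ends once every prefix of sn is taken, and escapes the value per RFC 4515 before it is placed in the LDAP filter. `isTaken`, `maxTries`, the numeric-suffix fallback and the sample alias list are assumptions of this example; no ISIM API is called.

```javascript
// Escape a value for use inside an LDAP search filter (RFC 4515):
// NUL, '(', ')', '*' and '\' become a backslash plus two hex digits.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\0()*\\]/g, function (ch) {
    return "\\" + ("0" + ch.charCodeAt(0).toString(16)).slice(-2);
  });
}

// Same filter shape as the original script, with the value escaped.
function aliasFilter(alias) {
  return "(eradealias=" + escapeLdapFilterValue(alias) + ")";
}

// Candidates in the order of the original loop: givenname + "." + the first
// 1, 2, 3 ... letters of sn. Once sn is used up, a numeric suffix is appended
// (an assumption of this example). The loop stops after maxTries candidates.
function nextFreeAlias(givenname, sn, isTaken, maxTries) {
  for (var n = 1; n <= maxTries; n++) {
    var candidate = n <= sn.length
      ? givenname + "." + sn.substring(0, n)
      : givenname + "." + sn + (n - sn.length);
    if (!isTaken(aliasFilter(candidate))) {
      return candidate;
    }
  }
  return null; // nothing free within the bound: the caller decides how to fail
}

// Constructed sample data standing in for the directory lookup.
var takenAliases = ["john.s", "john.sm", "ann.l", "ann.le", "ann.lee", "ann.lee1"];

// Hypothetical lookup: compares filters case-insensitively against the sample.
function isTakenInSample(filter) {
  return takenAliases.some(function (a) {
    return aliasFilter(a).toLowerCase() === filter.toLowerCase();
  });
}
```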
  • franzw
    franzw
    395 Posts

    Re: personsearch Or containersearch

    ‏2013-10-09T10:55:08Z  

    Personsearch is for persons - ContainerSearch is for ISIM containers (e.g. org units) - so neither will help you...

    I use this code for setting extension attributes :

    var account = (new AccountSearch()).searchByUidAndService(parameters.eruid[0], service.name);
    if (account != null) {
        if (account[0].getProperty("eradealias")[0] != null && account[0].getProperty("eradealias")[0].length > 0) {
            // only return the value on existing accounts if exchange enabled
            if (subject.getProperty("roomnumber") != null && subject.getProperty("roomnumber").length > 0) {
                return (subject.getProperty("roomnumber")[0]);
            }
        }
    } else {
        if (subject.getProperty("roomnumber") != null && subject.getProperty("roomnumber").length > 0) {
            return (subject.getProperty("roomnumber")[0]);
        }
    }

     

    I believe that is what you need in your case. You will also need to add the AccountModelExtension to your provisioning policy setup in ScriptFramework.properties using this line

    ITIM.extension.ProvisioningPolicy.account=com.ibm.itim.script.extensions.model.AccountModelExtension
    

    HTH

    Regards

    Franz Wolfhagen

    Updated on 2013-10-09T10:56:35Z at 2013-10-09T10:56:35Z by franzw
  • Mcdz
    Mcdz
    35 Posts

    Re: personsearch Or containersearch

    ‏2013-10-10T02:43:12Z  
    Thank you for your fast response, and sorry I did not tell you clearly.

    I am trying to check whether there is an account that already uses this value in the eradealias attribute or not.

    If some account already uses this value, I will make it longer to make it unique.

    Updated on 2013-10-10T02:47:25Z at 2013-10-10T02:47:25Z by Mcdz
  • franzw
    franzw
    395 Posts
    ACCEPTED ANSWER

    Re: personsearch Or containersearch

    ‏2013-10-10T05:52:38Z  

    In that case you have 2 problems:

    1. A design problem - this is not the purpose of the provisioning policy. This is a problem of your identifiers (IDs) - if alias was an account ID you would have done this calculation in your ID policy. Now - that is normally not a problem as you would normally make alias the same as your account ID (or a unique derivation of this). I can now only guess why you have this problem - but this is the kind of problem you need to take care of in your design phase and not as an ad-hoc problem when it pops up.

    My advice here is to analyze the situation - make an architectural design decision that makes it possible to handle it in the identity policy - this may include some cleanup and a consistent naming scheme. This is not a very good situation you are in - but it is necessary that you fix it the right way - else you will keep hitting similar derivations of the same problem - and this can jeopardize your whole project.

    2. Technically - to search accounts you will still need accountsearch - but you must never ever do this kind of search in your provisioning policy. If you want to know why, then raise the level for debug to DEBUG_MAX and see how many times your provisioning policy is evaluated....

    You could do this in an operation/lcr combination - but that will still be a very bad way - so I will STRONGLY advise you to look into step 1 :-)

    HTH

    Regards

    Franz Wolfhagen

  • Mcdz
    Mcdz
    35 Posts

    Re: personsearch Or containersearch

    ‏2013-10-10T06:27:41Z  

    I'll insert the alias value in the TIM person and evaluate this process in the identity policy.

    What do you think? Is it OK?

    How can I use personsearch(), accountsearch or containersearch() on the identity policy side? It always says it cannot find it.

    Do I need to add something in ScriptFramework.properties?

    The reason why I have to change this value is that I use the alias value to generate a new SMTP on the Exchange server.

    Updated on 2013-10-10T06:43:15Z at 2013-10-10T06:43:15Z by Mcdz
  • franzw
    franzw
    395 Posts

    Re: personsearch Or containersearch

    ‏2013-10-10T06:49:02Z  

    No - that is not going to work that easily.

    First you need to get a clear picture of your problem - you need to find out why you are in the mess. I guess that there has been a "sloppy" policy around mail ids so that people have been offered the possibility to define their own mail id - and that has been transformed into allowing people to define their own alias - very very bad idea...

    You will need to sit down and analyze all your aliases and see where this is a problem - then you can start talking about how to remedy the situation - first and foremost you must define a new process for how the alias should be created in the future - and then analyze how many clashes with existing IDs you may run into. It may be necessary to change the aliases for some of these users (that will be a hard fight) - or find some way to handle the problem case by case (e.g. let the account operation fail and take it from there).

    But define your account/alias ID process first - normally I would suggest that eruid==alias (and hence that the primary mail address reflects this) - if people want another mail address this should be solved by using the alias mechanisms in mails (i.e. another proxy address). When you have decided on the id the identity policy should be simple to implement.

    This is a difficult process - but it is in the center of what the IdM system does - so getting your IDs right is the base for a successful implementation - it involves some nasty decisions if you have a mess - i.e. you cannot avoid cleaning up at least some of the failures of the past....

    And as I wrote - this is NOT a technical problem - this is an architectural design decision that needs to be taken.

    HTH

    Regards

    Franz Wolfhagen

  • Mcdz
    Mcdz
    35 Posts

    Re: personsearch Or containersearch

    ‏2013-10-10T08:09:47Z  

    The cause is that when TIM adds an account to Active Directory and communicates with Exchange to create a mailbox, it uses the alias to create the mail name, and if I can't make the alias unique, Exchange will generate a new one and the user would not know what mail name he has got on the Exchange server.

    I know it'll make ITIM overworked.

    Thank you for your advice. I'll analyze my flow again and try to resolve this problem as you advise, by using or adding the ID to the alias if there really is no other way. :D Thank you very much, Franz.

    And one more question: how do I use personsearch() in an identity policy? I'm not going to use it to solve this problem, I just want to practice.