6 replies Latest Post - ‏2013-10-10T08:09:47Z by Mcdz
Mcdz
35 Posts

Pinned topic personsearch Or containersearch

‏2013-10-09T10:20:53Z |

I'm trying to check whether an alias value on the AD account is available or not, by using a provisioning policy.

Can you please help me with which one to use, personsearch or containersearch?

In fact I have tried all of these, but it does not work.

My environment

isim 6.0

  LDAP location

provisioning policy

var chk = false;
var sn = subject.getProperty("sn")[0];
var giv = subject.getProperty("givenname")[0];
var val = "1";
var n = 1;
var s = "";
var searchResult1 = 0;
// Lengthen the surname prefix until the search finds no entry with the candidate alias.
while (chk == false)
{
    s = sn.substring(0, n);
    val = giv + "." + s;
    var ps = new ContainerSearch();
    searchResult1 = ps.searchByFilter("erADAccount", "(eradealias=" + val + ")");
    if (searchResult1.length > 0) {
        n = n + 1;
    }
    else {
        chk = true;
        subject.setProperty("alias", val + searchResult1);
    }
}

return (subject.getProperty("alias")[0]);
Updated on 2013-10-10T02:51:34Z at 2013-10-10T02:51:34Z by Mcdz
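An added example (not part of the original post and not IBM's code): the alias derivation from the script above as plain JavaScript, with a bounded loop so that an exhausted surname cannot repeat the same candidate forever, and with RFC 4515 escaping of the value before it is concatenated into the LDAP filter. The function names and the caller-supplied `aliasInUse` lookup are hypothetical stand-ins, not ISIM APIs, and the sample data is constructed.

```javascript
// Added example: escapeLdapValue, buildAliasFilter, nextFreeAlias and
// aliasInUse are hypothetical names, not part of the ISIM script API.

// Escape a value for use inside an LDAP search filter (RFC 4515):
// backslash, '*', '(', ')' and NUL become a backslash plus two hex digits.
function escapeLdapValue(value) {
  return String(value).replace(/[\\*()\0]/g, function (ch) {
    return "\\" + ("0" + ch.charCodeAt(0).toString(16)).slice(-2);
  });
}

// Same filter shape as the script above, but with the value escaped so a
// name containing filter metacharacters cannot change the query.
function buildAliasFilter(alias) {
  return "(eradealias=" + escapeLdapValue(alias) + ")";
}

// Try givenname.s, givenname.su, ... then givenname.surname2, surname3, ...
// aliasInUse(filter) is supplied by the caller and returns true when taken.
function nextFreeAlias(givenname, sn, aliasInUse, maxSuffix) {
  maxSuffix = maxSuffix || 99;
  for (var n = 1; n <= sn.length; n++) {
    var candidate = givenname + "." + sn.substring(0, n);
    if (!aliasInUse(buildAliasFilter(candidate))) return candidate;
  }
  // Surname exhausted: the unbounded loop would keep testing the same value.
  for (var i = 2; i <= maxSuffix; i++) {
    var numbered = givenname + "." + sn + i;
    if (!aliasInUse(buildAliasFilter(numbered))) return numbered;
  }
  return null; // no free alias within bounds; the caller must handle this
}

// Constructed sample data standing in for aliases already on accounts.
var taken = {
  "(eradealias=anna.l)": true,
  "(eradealias=anna.le)": true,
  "(eradealias=anna.lee)": true
};
function sampleLookup(filter) {
  return taken[filter.toLowerCase()] === true;
}
```

Returning `null` when the bounds are exhausted lets the calling policy fail the request visibly instead of looping or silently reusing an alias.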
  • franzw
    331 Posts

    Re: personsearch Or containersearch

    ‏2013-10-09T10:55:08Z  in response to Mcdz

    Personsearch is for persons - ContainerSearch is for ISIM containers (e.g. org units) - so neither will help you...

    I use this code for setting extension attributes :

    var account = (new AccountSearch()).searchByUidAndService(parameters.eruid[0], service.name);
    if (account != null) {
        if (account[0].getProperty("eradealias")[0] != null && account[0].getProperty("eradealias")[0].length > 0) {
            // only return the value on existing accounts if exchange enabled
            if (subject.getProperty("roomnumber") != null && subject.getProperty("roomnumber").length > 0) {
                return (subject.getProperty("roomnumber")[0]);
            }
        }
    } else {
        // no existing account found: return the value from the person
        if (subject.getProperty("roomnumber") != null && subject.getProperty("roomnumber").length > 0) {
            return (subject.getProperty("roomnumber")[0]);
        }
    }

     

    I believe that is what you need in your case. You will also need to add the AccountModelExtension to your provisioning policy setup in ScriptFramework.properties using this line:

    ITIM.extension.ProvisioningPolicy.account=com.ibm.itim.script.extensions.model.AccountModelExtension
    

    HTH

    Regards

    Franz Wolfhagen

    Updated on 2013-10-09T10:56:35Z at 2013-10-09T10:56:35Z by franzw
    • Mcdz
      35 Posts

      Re: personsearch Or containersearch

      ‏2013-10-10T02:43:12Z  in response to franzw

      Thank you for your fast response, and sorry that I did not explain clearly.

      I am trying to check whether there is an account that already uses this value in the eradealias attribute or not.

      If some account already uses this value, I will make it longer to make it unique.

      Updated on 2013-10-10T02:47:25Z at 2013-10-10T02:47:25Z by Mcdz
      • franzw
        331 Posts

        Re: personsearch Or containersearch

        ‏2013-10-10T05:52:38Z  in response to Mcdz

        In that case you have 2 problems :

        1. A design problem - this is not the purpose of the provisioning policy. This is a problem of your identifiers (IDs) - if alias was an account ID you would have done this calculation in your ID policy. Now - that is normally not a problem as you would normally make alias the same as your account ID (or a unique derivation of this). I can now only guess why you have this problem - but this is the kind of problem you need to take care of in your design phase and not as an ad-hoc problem when it pops up.

        My advice here is to analyze the situation - make an architectural design decision that makes it possible to handle it in the identity policy - this may include some cleanup and a consistent naming scheme. This is not a very good situation you are in - but it is necessary that you fix it the right way - else you will keep hitting similar derivations of the same problem - and this can jeopardize your whole project.

        2. Technically - to search accounts you will still need accountsearch - but you must never ever do this kind of search in your provisioning policy. If you want to know why, then raise the debug level to DEBUG_MAX and see how many times your provisioning policy is evaluated....

        You could do this in an operation/lcr combination - but that will still be a very bad way - so I will STRONGLY advise you to look into step 1 :-)

        HTH

        Regards

        Franz Wolfhagen

        • Mcdz
          35 Posts

          Re: personsearch Or containersearch

          ‏2013-10-10T06:27:41Z  in response to franzw

          I'll insert the alias value in the TIM person and evaluate this process in the identity policy.

          What do you think? Is it OK?

          How can I use personsearch(), accountsearch or containersearch() on the identity policy side? It always says it cannot find it.

          Do I need to add something in ScriptFramework.properties?

          The reason why I have to change this value is that I use the alias value to generate a new SMTP on the Exchange server.

           

          Updated on 2013-10-10T06:43:15Z at 2013-10-10T06:43:15Z by Mcdz
          • franzw
            331 Posts

            Re: personsearch Or containersearch

            ‏2013-10-10T06:49:02Z  in response to Mcdz

            No - that is not going to work that easily.

            First you need to get a clear picture of your problem - you need to find out why you are in the mess. I guess that there has been a "sloppy" policy around mail ids so that people have been offered the possibility to define their own mail id - and that has been transformed into allowing people to define their own alias - very very bad idea...

            You will need to sit down and analyze all your aliases and see where this is a problem - then you can start talking about how to remedy the situation - first and foremost you must define a new process for how the alias should be created in the future - and then analyze how many clashes with existing IDs you may run into. It may be necessary to change the aliases for some of these users (that will be a hard fight) - or find some way to handle the problem case by case (e.g. let the account operation fail and take it from there).

            But define your account/alias ID process first - normally I would suggest that eruid==alias (and hence that the primary mail address reflects this) - if people want another mail address this should be solved by using the alias mechanisms in mails (i.e. another proxy address). When you have decided on the id the identity policy should be simple to implement.

            This is a difficult process - but it is in the center of what the IdM system does - so getting your IDs right is the base for a successful implementation - it involves some nasty decisions if you have a mess - i.e. you cannot avoid cleaning up at least some of the failures of the past....

            And as I wrote - this is NOT a technical problem - this is an architectural design decision that needs to be taken.

            HTH

            Regards

            Franz Wolfhagen

            • Mcdz
              35 Posts

              Re: personsearch Or containersearch

              ‏2013-10-10T08:09:47Z  in response to franzw

              The cause is that when TIM adds an account to Active Directory and communicates with Exchange to create the mailbox, it uses the alias to create the mail name, and if I can't make the alias unique, Exchange will generate a new one and the user would not know what mail name he has got on the Exchange server.

              I know it will make ITIM overworked.

              Thank you for your advice. I'll analyze my flow again and try to resolve this problem as you advise, by using or adding the id to the alias, if there is really no other way. :D Thank you very much, Franz.

              And one more question: how do I use personsearch() in an identity policy? I'm not going to use it to solve this problem, I just want to practice.