Topic
  • 6 replies
  • Latest Post - 2014-08-27T14:19:10Z by Smita K
Smita K
7 Posts

Pinned topic How to create account in ISIM LDAP only

2014-08-26T13:28:24Z

This question is for ISIM/PIM usage.

Customer has existing privileged shared ids on thousands of servers. They will give us csv file with account info. We need to load them in ISIM. However, if we use 'createAccount' API, it will try to create account on end-point which we don't want as they already exist there.

Question is how to disable account creation on the end-point while adding the account in ISIM, preferably via API?

The ITIM service can not be 'manual' as we need the end-point connection for check out/check in usage to trigger password changes upon 'check in'.

There is no full life cycle management of ids being done here. Ids will be added in ISIM only for check out/check in/password changes.

Reconciliation is not a good option as there are only a few shared ids per server and we do not want to touch other ids. I cannot imagine writing an adoption rule for each server given there are a large number of servers.

Thank you!
  • dgowda01
    dgowda01
    32 Posts
    ACCEPTED ANSWER

    Re: How to create account in ISIM LDAP only

    2014-08-26T15:34:02Z
    • Smita K
    • 2014-08-26T15:13:56Z

    Great idea.. Thanks! I appreciate your response.

    I am trying to understand how the solution will work..

    So, all requests go to the TDI AL and it will process some requests, e.g. add, but send 'password change' to the original adapter? OR can we use a custom adapter for add/modify/delete and standard 'out of the box' adapters for 'password change'?

    If so, do we need to make changes in operation workflows to route the request to the TDI adapter in certain cases only?

    That depends on how you package your service profile. Assuming your OOB adapter is RMI based, I don't see a need to change anything but add a line at the beginning of the add AL to return success for the duration of your bulk-load and go back to the original version immediately after. So, all other requests (modify/suspend/restore/changePassword/recertify) should work like they would work otherwise. There would be no need to change anything with the workflows.

  • stk
    stk
    2 Posts
    ACCEPTED ANSWER

    Re: How to create account in ISIM LDAP only

    2014-08-27T13:48:09Z

    I see three easy possibilities:

    1) Use filtered recon. This requires that there is an attribute identifying the privileged IDs

    2) Do a full recon and delete all accounts from LDAP, which are not in your list

    3) Manually create the account objects in LDAP. This might not be the officially supported way, but it should work for your case. The tricky part is to set the owner attribute of the account.

    In addition, maybe the "Shared access bulk load" functionality of ISPIM might help.

    Best Regards

    Stefan

    Updated on 2014-08-27T14:11:49Z by stk
  • dgowda01
    dgowda01
    32 Posts

    Re: How to create account in ISIM LDAP only

    2014-08-26T14:45:37Z

    Using a custom adapter, just create a TDI AL to return success when add request is called. Then revert back to your original adapter.

  • Smita K
    Smita K
    7 Posts

    Re: How to create account in ISIM LDAP only

    2014-08-26T15:13:56Z
    • dgowda01
    • 2014-08-26T14:45:37Z

    Using a custom adapter, just create a TDI AL to return success when add request is called. Then revert back to your original adapter.

    Great idea.. Thanks! I appreciate your response.

    I am trying to understand how the solution will work..

    So, all requests go to the TDI AL and it will process some requests, e.g. add, but send 'password change' to the original adapter? OR can we use a custom adapter for add/modify/delete and standard 'out of the box' adapters for 'password change'?

    If so, do we need to make changes in operation workflows to route the request to the TDI adapter in certain cases only?

  • Smita K
    Smita K
    7 Posts

    Re: How to create account in ISIM LDAP only

    2014-08-26T16:49:37Z
    • dgowda01
    • 2014-08-26T15:34:02Z

    That depends on how you package your service profile. Assuming your OOB adapter is RMI based, I don't see a need to change anything but add a line at the beginning of the add AL to return success for the duration of your bulk-load and go back to the original version immediately after. So, all other requests (modify/suspend/restore/changePassword/recertify) should work like they would work otherwise. There would be no need to change anything with the workflows.

    Thanks again

    Requirement is for various platforms - Unix/Linux flavors, Windows AD, Windows local, AS400

    I like the idea of returning false success for RMI-based adapters for provisioning. It won't apply to non-RMI adapters like AD.. So, I guess I might have to look into a custom AL for the add operation only, right.. probably changes in the service profile.

  • Smita K
    Smita K
    7 Posts

    Re: How to create account in ISIM LDAP only

    2014-08-27T14:19:10Z
    • stk
    • 2014-08-27T13:48:09Z

    I see three easy possibilities:

    1) Use filtered recon. This requires that there is an attribute identifying the privileged IDs

    2) Do a full recon and delete all accounts from LDAP, which are not in your list

    3) Manually create the account objects in LDAP. This might not be the officially supported way, but it should work for your case. The tricky part is to set the owner attribute of the account.

    In addition, maybe the "Shared access bulk load" functionality of ISPIM might help.

    Best Regards

    Stefan

    Thank you Stefan!

    Looks like adding accounts via manual load using custom code/AL or direct LDAP commands might be possible but tricky and messy.

    Option 1 you suggested is something very fitting here and one of my colleagues also recommended it. We can ask the customer to update the gecos/description field to identify it as 'pim managed shared id'.

    That way we don't need to come up with thousands of adoption rules - one per server.
    We can just have one global adoption rule per platform where we filter based on the "description" attribute and also exclude almost all the account attributes except name, password, status as they are not required for the check out/check in process.
    We still leave the responsibility of identifying shared ids for PIM with the customer team. Reconciliation won't bring the accounts unless they are marked for PIM use!
    One more advantage is reconciliation can bring attributes like 'password expiry date' and 'account status' which we normally wouldn't get via manual csv load.

    If password expires say after 90 days based on the expiry attribute, we can have LCR that kicks in to change password on the end-point.
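    A stand-alone model of the per-platform filtered-recon approach settled on above, added here as an example and not code from ISIM/ISPIM or from anyone in the thread. It assumes generic attribute names (name, status, description, password_expiry) and constructed sample records; in ISIM itself the filter is an LDAP filter on the service and the attribute exclusion is configured on the reconciliation.

```python
"""Model of filtered reconciliation for PIM-managed shared ids (added example).

ISIM is not involved here: the functions below make the same three decisions the
thread describes (select by marker, keep minimal attributes, decide on password
rotation) on constructed records, so the policy can be reasoned about offline.
"""
from datetime import date

PIM_MARKER = "pim managed shared id"          # marker the customer sets in gecos/description
KEEP_ATTRS = ("name", "password", "status", "password_expiry")  # hypothetical attribute names


def ldap_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515 so attribute data cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def recon_filter(object_class: str, marker: str = PIM_MARKER) -> str:
    """One filter per platform replaces one adoption rule per server."""
    return "(&(objectClass=%s)(description=%s))" % (ldap_escape(object_class), ldap_escape(marker))


def is_pim_managed(entry: dict, marker: str = PIM_MARKER) -> bool:
    """Exact match after whitespace/case normalisation: a free-text description that
    merely mentions the marker must not cause an account to be adopted."""
    desc = entry.get("description") or ""
    return " ".join(desc.split()).casefold() == marker.casefold()


def select_for_pim(entries: list) -> list:
    """Keep only marked accounts, and of those only what check-out/check-in needs."""
    return [{k: e[k] for k in KEEP_ATTRS if k in e} for e in entries if is_pim_managed(e)]


def due_for_rotation(entries: list, today_iso: str) -> list:
    """Lifecycle-rule condition: expiry date reached, or no expiry known (fail closed)."""
    today = date.fromisoformat(today_iso)
    return [e["name"] for e in entries
            if not e.get("password_expiry") or date.fromisoformat(e["password_expiry"]) <= today]


# Constructed sample recon results (not real data)
SAMPLE = [
    {"name": "oracle", "description": "PIM managed shared id", "status": "active",
     "password_expiry": "2014-09-01", "uid": "1001", "home": "/opt/oracle"},
    {"name": "backup", "description": "nightly backup, not pim managed shared id", "status": "active"},
    {"name": "appsvc", "description": "pim  managed shared id ", "status": "locked",
     "password_expiry": "2014-08-01"},
    {"name": "jdoe", "description": "John Doe", "status": "active"},
]
```

    Running select_for_pim over the recon result and then due_for_rotation over its output gives the set of accounts the lifecycle rule would rotate on a given day.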