Topic
  • 227 replies
  • Latest Post - ‏2017-01-19T17:16:15Z by Sigmaomega
streetglide
streetglide
78 Posts

Pinned topic Issues and comment for the ITIM Adapter Development Tool

‏2008-11-04T19:03:17Z |
This thread is for questions and comments regarding the ADT tool. I will be watching the thread and will reply as needed.

http://www-01.ibm.com/software/brandcatalog/portal/opal/details?catalog.label=1TW10IM0H

Cheers,
Dave Saucier
Updated on 2013-03-26T17:06:00Z at 2013-03-26T17:06:00Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    104 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-01-07T04:25:07Z  
    Hi Dave,
    I am trying to develop a custom agent for TIM4.6. using ADT 2.1 The managed system is a database with a table for users, table for roles and a table for Users and Roles. I was able to create an adapter that manages the users only but do not know exactly how to handle the supportive data ( role membership ). The video training sessions for ADT are great but they do not explain how to manage supportive data. Can you point me to some more training materials or exaples.
    My e-mail is: radavd@yahoo.com
    Thank you in advance.

    Rado
  • streetglide
    streetglide
    78 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-01-08T14:12:15Z  
    Hi Dave,
    I am trying to develop a custom agent for TIM4.6. using ADT 2.1 The managed system is a database with a table for users, table for roles and a table for Users and Roles. I was able to create an adapter that manages the users only but do not know exactly how to handle the supportive data ( role membership ). The video training sessions for ADT are great but they do not explain how to manage supportive data. Can you point me to some more training materials or exaples.
    My e-mail is: radavd@yahoo.com
    Thank you in advance.

    Rado
    Rado,

    There are two parts to supporting data processing. Using a group as an example, the user can have multiple groups assigned to them. You would need to determine which groups the user is a member of and return them in the same work entry as the rest of the user's attributes.

    These second part is retrieving the list of groups available to assign the person in ITIM. You would do this in the recon assembly line by adding a second iterator connector that returns the groups information.

    As far as training goes, what you are asking is not really an ADT issue, it is an Adapter development issue. We do have an adapter development course that is available. I would suggest taking that course since it covers creating an adapter with group support and uses ADT as part of the class.

    Cheers,
    Dave
  • SystemAdmin
    SystemAdmin
    104 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-01-14T14:19:26Z  
    Rado,

    There are two parts to supporting data processing. Using a group as an example, the user can have multiple groups assigned to them. You would need to determine which groups the user is a member of and return them in the same work entry as the rest of the user's attributes.

    These second part is retrieving the list of groups available to assign the person in ITIM. You would do this in the recon assembly line by adding a second iterator connector that returns the groups information.

    As far as training goes, what you are asking is not really an ADT issue, it is an Adapter development issue. We do have an adapter development course that is available. I would suggest taking that course since it covers creating an adapter with group support and uses ADT as part of the class.

    Cheers,
    Dave
    Hi Dave,
    Thanks for your advice but I don't have the luxury to take a 2 - 3 days course. If it was an on-line course I would have consider. Do you have a working example of the scenario I described? The LDAP adaptor is very similar but it is build with a lot of custom java classes and scripts so it does not really work for me.
    Thanks,
    Rado
  • SystemAdmin
    SystemAdmin
    104 Posts

    ADT - Specify Parameters

    ‏2009-01-27T00:49:49Z  
    try this agin, sorry,
    On the ITIM Profile ui, the Parameters (Specify Parameters that must be provided with a request) tab I have listed items that were in an original TDI event handler solution, then when I get down to the Supported Requests, say Create New Account, Key Attributes , I can not pull up any of the Parameters specified above. So does this mean that on the Service Attributes I need to add the other items ? If not there then maybe on the Account Attributes ? I need more items transmitted to each Supported Request. How is this done?
  • streetglide
    streetglide
    78 Posts

    Re: ADT - Specify Parameters

    ‏2009-01-27T15:14:31Z  
    try this agin, sorry,
    On the ITIM Profile ui, the Parameters (Specify Parameters that must be provided with a request) tab I have listed items that were in an original TDI event handler solution, then when I get down to the Supported Requests, say Create New Account, Key Attributes , I can not pull up any of the Parameters specified above. So does this mean that on the Service Attributes I need to add the other items ? If not there then maybe on the Account Attributes ? I need more items transmitted to each Supported Request. How is this done?
    Steve,

    The RMI framework provides two ways to pass parameters from ITIM to the adapter. Where you want to use the data in the adapter determines which method you would use.

    First, there are parameters that may be passed from ITIM that are going to be used by the AssemblyLine processing. These parameters are refered to in the service.def as "dispatcher parameters". In ADT I refer to them as Request Parameters. These parameters are available to the assembly line via the Task Call Block (TCB) in TDI. ADT provides a simple way of accessing these parameters. The parameters are stored in a global variable that has the same name as the parameter but is prefixed with a lowercase "g". For example, if you define a parameter that is called "MyCustomParam", it can be referenced in the assemblylines as "gMyCustomParam". This global variable is created in the PrologInit hook of each assembly line. ADT retrieves the data from the TCB and stored it for you. You can see this by looking at the hooks in the Request Editor. These parameters are configured in the project/profile editor and can be inherited by any of the requests. These are what you described in your post. The parameters can be configured to pass data from the ITIM service form or by hard coding the value. Again, you would use these parameters if you need to have the value available as a javascript variable so you can access it in scripting.

    Secondly, there are parameters that can be passed directly to a connector. The service.def file allows you to specify that you want to pass the value of a service attribute directly to a connector parameter. In ADT, you can configure these by first defining a service objectclass attribute to hold the value in ITIM. You would typically make this attribute available on the service form so that the ITIM administrator can configure it on the service. You then go to the parameters tab on either the project level connector or on a specific connector in an assembly line and click on the label for the parameter you would like to set via this service attribute. You will get a popup dialog that allows you to specify a service attribute to map to the connector parameter. This is a good way to set connector parameters such as URL, User ID or password that differ from one target platform to the next.

    Both parameter types can be set defined at a global level and inherited by an assembly line. By defining the Request parameters in the project/profile editor, you can inherit them in the individual requests and not have to edit them in every request. The project connector provides an easy way to define common connector configuration in one place. The various requests that are using the same type of connector can then inherit the connector configuration as needed. The project connector parameters tab is where you would typically define the connector parameter mapping and then just inherit it in the various request connectors.

    Hopefully this makes it a bit more clear. The bottom line is you can pass all the data you want to an assembly line. Rather than using properties files to configure connector parameters you can no set them from a service form in ITIM.

    Cheers,
    Dave
  • streetglide
    streetglide
    78 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-01-27T15:23:31Z  
    Hi Dave,
    Thanks for your advice but I don't have the luxury to take a 2 - 3 days course. If it was an on-line course I would have consider. Do you have a working example of the scenario I described? The LDAP adaptor is very similar but it is build with a lot of custom java classes and scripts so it does not really work for me.
    Thanks,
    Rado
    Rado,

    I don't have any specific examples that I can give you right now. What you would do is to add another connector in the recon assembly line that is in the "iterate" mode. This connector would retrieve all of the supporting data (such as list of groups) and return it to itim in the work entry just the same as the people. Of course the objectclass would be the groups objectclass not the person objectclass. Each iterator is handled as a separate set of data so if you have several sets of supporting data you would define an objectclass for each and add an iterator connector to retrieve each. The work entry will be reset for each different set of data that is being iterated on so they actually run as completely separate loops. Just make sure you return the data to ITIM using the objectclass that corresponds to the supporting data you are returning. The output map must have an objectclass attribute and a $dn attribute. The $dn would be set to something like "erMyGroupName=" + work.getString("dbGroupName") where dbGroupName is the attribute you retrieved from the endpoint that contains the group name.

    Cheers,
    Dave
  • SystemAdmin
    SystemAdmin
    104 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-01-27T21:48:31Z  
    So I have exported my profile and have the jar to Import via ITIM 4.6 UI, once I do this and find an issue with a variable, label, default value or missing required item how do I back out the entire thing from ITIM? What are the steps and impact to LDAP ? On ITIM 4.5 I recall a script in a remote resources directory or is that way old?
  • streetglide
    streetglide
    78 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-01-27T22:14:35Z  
    So I have exported my profile and have the jar to Import via ITIM 4.6 UI, once I do this and find an issue with a variable, label, default value or missing required item how do I back out the entire thing from ITIM? What are the steps and impact to LDAP ? On ITIM 4.5 I recall a script in a remote resources directory or is that way old?
    You can re-import right over the top of the current one. It should update the profile components as required.
  • SystemAdmin
    SystemAdmin
    104 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-01-28T16:07:28Z  
    Two more questions:
    1. To get the value from the 'dispatcher parameters' in the assembly line you say to look at the variable with a prefix of "g". So is the syntax of
    ret.value = gNDSRSOpassword; be correct or would it be the typical ret.value = work.getString("gNDSRSOpassword");

    2. In my exported schema.dsml there are items which have "<attribute ref="erURL" required="false"></attribute>" but I feel that this attribute must be required. So in ADT is there something that I missed where all the attributes can be controlled and set to Required OR do I have to modify the Exported files prior to the Import to ITIM.
    Thanks
  • streetglide
    streetglide
    78 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-01-28T16:25:02Z  
    Two more questions:
    1. To get the value from the 'dispatcher parameters' in the assembly line you say to look at the variable with a prefix of "g". So is the syntax of
    ret.value = gNDSRSOpassword; be correct or would it be the typical ret.value = work.getString("gNDSRSOpassword");

    2. In my exported schema.dsml there are items which have "<attribute ref="erURL" required="false"></attribute>" but I feel that this attribute must be required. So in ADT is there something that I missed where all the attributes can be controlled and set to Required OR do I have to modify the Exported files prior to the Import to ITIM.
    Thanks
    1. The dispatcher parameters are stored into a Javascript variable not the work entry. So, yes you would use:
    ret.value = gNDSRSOpassword; You can see where these variables are set if you look in the prolog init hook in the request editor (not the connector hooks, the assemblyline hooks).

    2. No you should never have to edit the exported files manually. If you go to the account or service objectclass definition and click on an attribute you will see a checkbox to define if the attribute is required for the objectclass. Since attributes can be reused in multiple objectclasses, the required constraint is part of the objectclass and not specific to an attribute definition.

    Dave
  • SystemAdmin
    SystemAdmin
    104 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-01T01:10:08Z  
    The IBM Tivoli Identity Manager, Version 4.6 Custom Adapter
    Developer’s Guide says that the dispatcher defines
    ITDIAdapterException as a comm vehicle for exceptions back to ITIM.
    Does anyone have a sample of how to move from old Event Handler to new RMI:
    system.throwException("Some really meaningful info " + work.getString
    ("myName") +" - Remove User Failed");

    to something that will sit inside the RETURN entry for the Dispatcher
    And then I am assuming it would be REASON_MESSAGE ?? Need to add this to script inside ADT hooks at certain points. Is this documented in ADT someplace? Or just need more on error handling and communications back to ITIM
  • SystemAdmin
    SystemAdmin
    104 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-02T14:27:22Z  
    The IBM Tivoli Identity Manager, Version 4.6 Custom Adapter
    Developer’s Guide says that the dispatcher defines
    ITDIAdapterException as a comm vehicle for exceptions back to ITIM.
    Does anyone have a sample of how to move from old Event Handler to new RMI:
    system.throwException("Some really meaningful info " + work.getString
    ("myName") +" - Remove User Failed");

    to something that will sit inside the RETURN entry for the Dispatcher
    And then I am assuming it would be REASON_MESSAGE ?? Need to add this to script inside ADT hooks at certain points. Is this documented in ADT someplace? Or just need more on error handling and communications back to ITIM
    Ok, I found the Adalpter Global Script and think I see what is going on in there. I assume I would alter "function processError()" to pass a string for additional info , correct ?
  • streetglide
    streetglide
    78 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-02T14:53:11Z  
    Ok, I found the Adalpter Global Script and think I see what is going on in there. I assume I would alter "function processError()" to pass a string for additional info , correct ?
    One thing you could do is to create a new project in ADT (with the same connector type) and look at the stuff that the ADT adds to the hooks for error processing. But yes, the Adapter Global Script has some functions for handling errors. The "error" object in TDI contains the type of error and the function will convert the error type if possible into a return code and message. Basically, what ITIM expects is a work entry that contains a property set on it for the return code and a property for the reason message. In addition, any attributes included in the work entry at the end of the processing are returned to ITIM as attributes that contain errors. So if you had a multivalued attribute (like groups) that you had a problem with one or more values, you could set that attribute on the workentry and include the values that were a problem. That way ITIM can display to the user that certain values had problems. Of course this does not apply to Recon since in recon the attributes in the work entry are the actual account attributes. You can also use the TDI exception to throw exceptions of your own if you like. There is vector you can set that contains additional error messages. You should be able to see that in processError().

    Dave
  • SystemAdmin
    SystemAdmin
    104 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-04T17:11:58Z  
    In ADT the Create New Account - Supported Request for a LDAP connector generates code in the On Add - Override Add , this causes a problem , for me, and I have to disable the Hook script as soon as I get it into TDI for stand alone testing. The generated script that I hit is:
    task.logmsg("ERROR","User Entry not found");

    var e = new Packages.com.ibm.di.exception.ITDIAgentException(work.getString("entryDN") + ": Not Found in managed resource");
    e.setEntry(work);
    throw e;
    So I must disable the hook script. So why is this enabled ?
  • SystemAdmin
    SystemAdmin
    104 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-04T17:18:54Z  
    ADT , for an LDAP Create New Account, generates the script:
    task.logmsg("DEBUG","Update OK Hook");
    work.removeAllAttributes();
    work.setProperty(Packages.com.ibm.di.dispatcher.Defs.STATUSCODE, new Packages.java.lang.Integer(
    Packages.com.ibm.itim.remoteservices.provider.Status.SUCCESSFUL));

    in the Update Successfully hook. I can now add the person to the target LDAP but get and error from within this hook that says:
    11:41:39 Add CTGDIS181E Error while evaluating single attribute map Add.update_ok.
    com.ibm.jscript.InterpretException: Script interpreter error, line=5, col=89
    Cannot convert JavaPackageObject to java.lang.String
    at com.ibm.jscript.types.JavaPackageObject

    Why would I be getting this error?
  • streetglide
    streetglide
    78 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-04T17:22:31Z  
    In ADT the Create New Account - Supported Request for a LDAP connector generates code in the On Add - Override Add , this causes a problem , for me, and I have to disable the Hook script as soon as I get it into TDI for stand alone testing. The generated script that I hit is:
    task.logmsg("ERROR","User Entry not found");

    var e = new Packages.com.ibm.di.exception.ITDIAgentException(work.getString("entryDN") + ": Not Found in managed resource");
    e.setEntry(work);
    throw e;
    So I must disable the hook script. So why is this enabled ?
    ADT does not generate that hook code in the "Add" request. It only should be generating that code in the Modify request. That is because if you are doing a modify on an account that ITIM believes you have, you should not create it if it does not exist. That should be done via reconcile. If you choose to use the update mode connector for both add and modify requests than you must adjust your logic as required.

    Also, keep in mind that the hooks generated by ADT are just defaults that cover most situations. If you want to remove the hook scripts or disable them you can do that in ADT. You don't need to wait till it is in TDI to do that. Also, under the options menu you can edit the default hook scripts for use in future projects (but the changes won't affect your current project)

    Dave
  • streetglide
    streetglide
    78 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-04T17:29:31Z  
    ADT , for an LDAP Create New Account, generates the script:
    task.logmsg("DEBUG","Update OK Hook");
    work.removeAllAttributes();
    work.setProperty(Packages.com.ibm.di.dispatcher.Defs.STATUSCODE, new Packages.java.lang.Integer(
    Packages.com.ibm.itim.remoteservices.provider.Status.SUCCESSFUL));

    in the Update Successfully hook. I can now add the person to the target LDAP but get and error from within this hook that says:
    11:41:39 Add CTGDIS181E Error while evaluating single attribute map Add.update_ok.
    com.ibm.jscript.InterpretException: Script interpreter error, line=5, col=89
    Cannot convert JavaPackageObject to java.lang.String
    at com.ibm.jscript.types.JavaPackageObject

    Why would I be getting this error?
    Are you sure you have the RMI Dispatcher installed into the copy of TDI that you are running the test in?
  • SystemAdmin
    SystemAdmin
    104 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-04T18:25:41Z  
    Are you sure you have the RMI Dispatcher installed into the copy of TDI that you are running the test in?
    working off my laptop and almost always use RHEL for TDI serious development but that would mean moving the files to RHEL each time. I can try the sftp and test it out. How do I determine if the RMI dispatcher is unstalled and running?
  • streetglide
    streetglide
    78 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-04T19:59:36Z  
    working off my laptop and almost always use RHEL for TDI serious development but that would mean moving the files to RHEL each time. I can try the sftp and test it out. How do I determine if the RMI dispatcher is unstalled and running?
    You have to install the RMI dispatcher manually. It comes with all of the Out-of-the-box adapters like LDAP, Posix etc. You can also check with support. It has a setup.exe on windows. Not sure how it installs on Linux. In any case, it adds some jars to your TDI install area that contain the RMI Dispatcher java classes.

    Dave
  • SystemAdmin
    SystemAdmin
    104 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-11T14:59:21Z  
    Hi Dave,

    since you have published ADT I'm working with it and it makes work a lot easier!

    If possible I would like to see some additional features:

    1) In my actual development it is necessary to change the 'Initialize Options' of an connector. Although ADT offers this option it does not work. Is this a bug? (The workaround is: myConnector.setInitializeOption(1) in the prolog)

    2) Building a simple search criteria is limited to ITIM/platform attributes. If you need other values you have to write a script (which is sometimes hard to find the right syntax).

    3) When specifying a map entry I miss the native TDI option 'expression'.

    4) The latest rmi dispatcher gives the opportunity to add 'concurrency control', but to specify 'MaxConnectionCnt' you have to edit service.def. It would be very nice to have control over such lines in ADT.

    What do you think about this ?

    Regards
    Bernhard
  • streetglide
    streetglide
    78 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-11T16:41:43Z  
    Hi Dave,

    since you have published ADT I'm working with it and it makes work a lot easier!

    If possible I would like to see some additional features:

    1) In my actual development it is necessary to change the 'Initialize Options' of an connector. Although ADT offers this option it does not work. Is this a bug? (The workaround is: myConnector.setInitializeOption(1) in the prolog)

    2) Building a simple search criteria is limited to ITIM/platform attributes. If you need other values you have to write a script (which is sometimes hard to find the right syntax).

    3) When specifying a map entry I miss the native TDI option 'expression'.

    4) The latest rmi dispatcher gives the opportunity to add 'concurrency control', but to specify 'MaxConnectionCnt' you have to edit service.def. It would be very nice to have control over such lines in ADT.

    What do you think about this ?

    Regards
    Bernhard
    Bernard,

    Thanks for your input. Here are my responses:

    FYI - I am currently working on version 3.1.

    1. This was a bug that I was not aware of. I fixed it and it will be available in 3.1.

    2. I added the ability to edit the attribute names in the simple mapping dialog. So you can now select an attribute or enter an attribute name. (3.1)

    3. I will be adding a field for expressions in the attribute map in 3.1

    4. I will be adding the ability to set additional properties such as the one you mentioned. I have already added one new property that allows you to disable requiring passwords on restore. These will all be in the project editor (probably the overview screen)

    Also,

    A much requested feature has been added to 3.1. A full form editor so you can create the service and account forms in ADT. It will also support import from the profile directory.

    If you or anyone else has requests for additional features, now would be the time or you will have to wait till 4.0 which will be done to support TDI 7 later in the year.

    Cheers,
    Dave
  • streetglide
    streetglide
    78 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-11T16:58:40Z  
    Bernard,

    Thanks for your input. Here are my responses:

    FYI - I am currently working on version 3.1.

    1. This was a bug that I was not aware of. I fixed it and it will be available in 3.1.

    2. I added the ability to edit the attribute names in the simple mapping dialog. So you can now select an attribute or enter an attribute name. (3.1)

    3. I will be adding a field for expressions in the attribute map in 3.1

    4. I will be adding the ability to set additional properties such as the one you mentioned. I have already added one new property that allows you to disable requiring passwords on restore. These will all be in the project editor (probably the overview screen)

    Also,

    A much requested feature has been added to 3.1. A full form editor so you can create the service and account forms in ADT. It will also support import from the profile directory.

    If you or anyone else has requests for additional features, now would be the time or you will have to wait till 4.0 which will be done to support TDI 7 later in the year.

    Cheers,
    Dave
    Bernard,

    After looking closer at the new parameters, I realized that these are not properties but dispatcher parameters. As such, you can already add these in adt. All you have to do is go to the project parameters tab (or the parameters tab for a specific assembly line if you are not inheriting) and enter the parameter. These parameters are in fact dispatcher parameters in service.def

    Dave
  • SystemAdmin
    SystemAdmin
    104 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-11T19:12:22Z  
    Bernard,

    After looking closer at the new parameters, I realized that these are not properties but dispatcher parameters. As such, you can already add these in adt. All you have to do is go to the project parameters tab (or the parameters tab for a specific assembly line if you are not inheriting) and enter the parameter. These parameters are in fact dispatcher parameters in service.def

    Dave
    Yes, your are right!
    Thanks for the advise.

    Bernhard
  • SystemAdmin
    SystemAdmin
    104 Posts

    Re: Issues and comment for the ITIM Adapter Development Tool

    ‏2009-02-11T19:27:01Z  
    Bernard,

    Thanks for your input. Here are my responses:

    FYI - I am currently working on version 3.1.

    1. This was a bug that I was not aware of. I fixed it and it will be available in 3.1.

    2. I added the ability to edit the attribute names in the simple mapping dialog. So you can now select an attribute or enter an attribute name. (3.1)

    3. I will be adding a field for expressions in the attribute map in 3.1

    4. I will be adding the ability to set additional properties such as the one you mentioned. I have already added one new property that allows you to disable requiring passwords on restore. These will all be in the project editor (probably the overview screen)

    Also,

    A much requested feature has been added to 3.1. A full form editor so you can create the service and account forms in ADT. It will also support import from the profile directory.

    If you or anyone else has requests for additional features, now would be the time or you will have to wait till 4.0 which will be done to support TDI 7 later in the year.

    Cheers,
    Dave
    Dave,

    there is one more feature that would be great:

    Using filters in reconciliation requests is always a problem. Translating a filter specified in TIM directly for the use in the connectors highly depends on the type of the connectors and is sometimes impossible.

    So the only chance is to implement a functionality like in all 'standard' adapters: read all entries and apply the filter before sending back the result. Is it possible to develop such a function and add it to the 'Global Script' ? I have no quick idea how to apply a LDAP filter (the syntax specified in TIM) to an TDI entry. I know that this is not a native ADT problem, but perhaps you have an idea.

    Regards
    Bernhard