Novell Identity Manager Tips, Tricks and Best Practices

This session covers the top tips, tricks and best practices for each component of Novell Identity Manager. You will receive experience by learning from the common mistakes made by others. The session focuses on the identity engine, connector set, Roles Based Provisioning Module and utilities that go into making any Identity Manager implementation easy. You will walk away with the knowledge of best practices for installation, configuration, and customization of Identity Manager. In addition, you will know how to create new policies to enhance your identity and access management solution by removing the barriers between applications, data stores and network platforms. A good understanding of Novell Identity Manager architectures and policies is highly recommended.

Transcript of "Novell Identity Manager Tips, Tricks and Best Practices"

  1. Novell Identity Manager® Tips, Tricks and Best Practices
     Glen Knutti, Consultant, TriVir LLC
     David Wagstaff, Consultant, Novell
  2. Tips and Tricks
     • Use the Power of Regex
     • Differentiate JDBC Driver Triggers
     • Keep the JDBC Event Log Clean
     • New Trace File Job
     • Jobs: To Scope or Not to Scope?
     • Disable Old Accounts Job
     • Password Expiration Job
     • Reciprocal Attribute Mapping
     © Novell, Inc. All rights reserved.
  3. Tips and Tricks
     • Queries
     • ECMAScript Errors Can Hang IDM 3.5.1
     • Merge Cleaner
     • Replace Rather Than Remove
     • LDAP Credentials Auto-config
     • Using dxcmd for Initial Migration
     • Active Directory Driver – Line Feed
     • Active Directory Driver – lockoutTime
  4. Scoping too much (Quiz)
     • Subscriber Event Transformation
     • You want to limit the operations on the subscriber channel—block deletes, perhaps
     • This will block everything other than add and modify!
  5. Use the Power of Regex
     • Challenge
       – Some policy conditions can be quite lengthy
  6. Use the Power of Regex
     • Solution
       – Use regex to shorten the policy
  7. Differentiate JDBC Driver Triggers
     • Challenge
       – Simplify JDBC driver troubleshooting
       – You've got multiple tables with triggers that feed the event log table, but some entries in the event log table are inserted improperly—from where is the problem coming?
  8. Differentiate JDBC Driver Triggers
     • Solution
       – Use different case in your table_key column to show from which trigger an insert came. The two triggers shown side by side on the slide are identical apart from the case of the pk_ prefix written into table_key:

       -- Trigger on the first table: upper-case key prefix
       INSERT INTO cop.event_log (
         record_id,
         table_key,
         event_type,
         event_time,
         table_name
       ) VALUES (
         cop.seq_log_record_id.nextval,
         'pk_EMPLOYEE=' || :old.employee || ',',
         6,
         sysdate,
         'cop.idv'
       );

       -- Trigger on the second table: lower-case key prefix
       INSERT INTO cop.event_log (
         record_id,
         table_key,
         event_type,
         event_time,
         table_name
       ) VALUES (
         cop.seq_log_record_id.nextval,
         'pk_employee=' || :old.employee || ',',
         6,
         sysdate,
         'cop.idv'
       );

  9. Differentiate JDBC Driver Triggers
     • Solution
       – Use different case in your table_key column to show from which trigger an insert came
  10. Event Transformation Policies (Quiz)
      • Event transformation policies that attempt to operate on add events
      • Unassociated modifies pass by & then turn into an add
      • Watch those <sync> events that turn into adds later...
  11. Keeping the JDBC Event Log Clean
      • Challenge
        – JDBC event log is filling up with rows that have a status of warning
        – These rows represent valid vetoes of events that didn't meet the create requirements
      • Solution
        – It's common to use a veto-if-operational-attribute 'not available' action in a create or matching rule
        – Review adds before the matching and create policies and veto events that don't meet criteria
  12. New Trace File Job
      • Challenge
        – For security, troubleshooting or audit purposes you want to maintain driver trace file contents for a long time (months)
      • Solution
        – Create a nightly job that triggers an update to the driver trace attribute value
        – Be careful with your disk space!
        – Extra credit: incorporate automated zipping of your trace files at the end of each week or month as part of the job/driver
  13. New Trace File Job
      ADDriver-2010-03-20.txt
      ADDriver-2010-03-21.txt
      ADDriver-2010-03-22.txt
  14. Jobs: To Scope or Not to Scope?
      • Scoped job
        – Trigger event for every object in scope
        – Filter options are object classes for containers
        – Driver must have trustee assignment to the scoped containers; can't use the Security Equals setting of the driver
        – Use in hierarchical structures
        – Use to check all objects in a container
      • Unscoped job
        – Single trigger event—does nothing by itself
        – Scope is configured in the ldapSearch ECMAScript
        – An LDAP filter provides much more control
        – Use in flat structures or for narrow result sets
  15. Disable Old Accounts Job
      • Challenge
        – If users haven't logged in for more than 180 days, you want to disable their accounts
      • Solution
        – Create a nightly job to search for users who haven't logged in for more than 180 days
        – Disable or delete the account
        – Optional: send the user an email to inform them the account has been disabled
  16. Password Expiration Job
      • Challenge
        – Rather than rely on grace logins, you want users to change their password before the password expires
      • Solution
        – Create a nightly job to search for users whose passwords will expire in a specific number of days (30, 15, 7, 3, 1)
        – Send an email notification
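The selection logic behind the two nightly jobs on slides 15 and 16, written here as an added example in plain ECMAScript (this is not code from the presentation or from the IDM job framework). It assumes the job has already read each user's Login Time and Password Expiration Time attributes and converted them to Date objects; the user records at the bottom are constructed sample data. The one case the slides do not spell out is handled explicitly: a user with no login time at all is reported separately rather than silently counted as stale.

```javascript
// Added example, not from the slides: selection logic for the "Disable Old
// Accounts" and "Password Expiration" nightly jobs. Assumes Login Time and
// Password Expiration Time have already been read into Date objects.

const DAY_MS = 24 * 60 * 60 * 1000;
const STALE_DAYS = 180;                        // threshold from slide 15
const EXPIRY_WARNING_DAYS = [30, 15, 7, 3, 1]; // milestones from slide 16

// Users whose last login is older than staleDays. Users with no login time
// are returned separately: treating a missing attribute as "logged in at
// epoch 0" would disable accounts that were created but never used, and the
// job owner should decide about those explicitly.
function findStaleAccounts(users, now, staleDays = STALE_DAYS) {
  const cutoff = now.getTime() - staleDays * DAY_MS;
  const stale = [];
  const neverLoggedIn = [];
  for (const u of users) {
    if (u.loginTime == null) {
      neverLoggedIn.push(u.dn);
    } else if (u.loginTime.getTime() < cutoff) {
      stale.push(u.dn);
    }
  }
  return { stale, neverLoggedIn };
}

// Users whose password expires in exactly one of the warning windows, counted
// in whole days remaining (rounded up). Because the job runs once a night,
// each user is notified once per milestone instead of every night.
function findExpiryNotifications(users, now, warningDays = EXPIRY_WARNING_DAYS) {
  const due = [];
  for (const u of users) {
    if (u.passwordExpirationTime == null) continue; // password never expires
    const remaining = Math.ceil((u.passwordExpirationTime.getTime() - now.getTime()) / DAY_MS);
    if (warningDays.includes(remaining)) {
      due.push({ dn: u.dn, daysRemaining: remaining });
    }
  }
  return due;
}

// Constructed sample data: JOB_RUN_TIME is the night the job runs.
const JOB_RUN_TIME = new Date("2010-03-22T02:00:00Z");
const SAMPLE_USERS = [
  { dn: "cn=alice,ou=users,o=acme",
    loginTime: new Date("2010-03-21T15:00:00Z"),
    passwordExpirationTime: new Date("2010-03-29T02:00:00Z") },  // 7 days out
  { dn: "cn=bob,ou=users,o=acme",
    loginTime: new Date("2009-06-01T08:00:00Z"),                  // > 180 days ago
    passwordExpirationTime: new Date("2010-04-21T02:00:00Z") },  // 30 days out
  { dn: "cn=carol,ou=users,o=acme",
    loginTime: null,                                               // never logged in
    passwordExpirationTime: null },                                // never expires
  { dn: "cn=dave,ou=users,o=acme",
    loginTime: new Date("2009-10-01T08:00:00Z"),                  // 172 days ago
    passwordExpirationTime: new Date("2010-03-23T01:00:00Z") },  // 23 h out -> 1 day
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(findStaleAccounts(SAMPLE_USERS, JOB_RUN_TIME));
  console.log(findExpiryNotifications(SAMPLE_USERS, JOB_RUN_TIME));
}
```

Whole-day rounding is what makes the milestone list work: a password that expires 23 hours after the job runs counts as "1 day", so the final warning still goes out, while the same user is not warned again on every intermediate night.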
  17. Users, Groups and Referential Integrity (Quiz)
      • You have policies to sync and manage both users and groups on a driver
      • Delete a user
      • eDirectory™ removes the user from a group
      • The group modify event (remove member) may trigger code to update the user and remove the group membership
      • But the user is gone and an error is thrown!
  18. Reciprocal Attribute Mapping
      • Challenge
        – Both the Group Membership attribute on users and the Member attribute on groups are sync'd
        – You're processing everything twice!
        – You may end up with referential integrity errors
      • Solution
        – Sync users or groups and use reciprocal attribute mappings so IDM can handle the referential integrity for you!
  19. Best Practices
  20. Best Practices
      • First write policies that work—then make them efficient, elegant, clever, etc.
      • Use Designer
      • Review the trace file
      • Use consistent policy and variable naming
      • Document your policy with a description
      • Refine your methodology
  21. Identity Management Methodology
      • Requirements Assessment
      • Development
      • Testing
      • Deployment
  22. Requirements Assessment
      • Create an Acceptance Criteria (AC) document
      • Document each process as a single, testable unit
      • Break down to unit/feature functionality
      • Take the time to fill in all the details
      • Keep your document up to date
  23. Acceptance Criteria Document
      1.1 New Employee is Hired
      A new employee is hired in the HR system.
      Preconditions
        – The employee does not exist in the HR system.
        – The employee does not exist in the Identity Vault.
      Action
        – The employee is hired in the HR system.
      Results
        – The employee is created in the Identity Vault.
  24. Development
      • Create engineering estimates based on the AC doc
      • Group the estimated work into iterations
      • Create automated tests for each unit of functionality that you code
      • Deliver iterations on a regular basis to show progress, allow for manual testing and request feedback
  25. Testing
      • Test the initial migration process first!
      • Automated testing will save you countless hours
      • Write positive tests first and add relevant negative tests as appropriate
      • Manual testing is still required to validate your automated tests
  26. Deployment
      • Test your deployment process
      • Retest your deployment process
      • Test your deployment process again unless it was flawless last time
      • Add tests for bugs found post-deployment so they will be avoided going forward
  27. Tips and Tricks
      • Queries
      • ECMAScript Errors Can Hang IDM 3.5.1
      • Merge Cleaner
      • Replace Rather Than Remove
      • LDAP Credentials Auto-config
      • Using dxcmd for Initial Migration
      • Active Directory Driver – Line Feed
      • Active Directory Driver – lockoutTime
  28. Queries
      • Challenge
        – Why does it take so long to process an event?
      • Solution
        – Check query times in the trace file
        – Create indexes for attributes you query
        – Avoid unnecessary queries
          > Use Attribute instead of Source Attribute
          > Query once for all the attributes you'll need in a policy
          > Check for required create attributes before matching
  29. ECMAScript Hangs in IDM 3.5.1
      • Challenge
        – You've got a beautiful ECMAScript which simply hangs when you run it.
        – The trace file shows that the function was called, but nothing happens after that.
      • Solution
        – There seems to be a bug in IDM 3.5.1 where exceptions are not handled properly—fixed in IDM 3.6.1. The function below is the shape that triggers it:

        function testExceptionWithTryCatch() {
          try {
            functionThatCausesAnException();  // any call of yours that throws
          } catch (e) {
            return e;   // on IDM 3.5.1 the exception is not handled properly and the script hangs
          }
          return "SUCCESS";
        }

  30. Adding and Modifying Associations (Quiz)
      • You have a DTF, SOAP, Manual or Writeback driver and you're setting association values with policies
      • An associated object ends up with another association via <add-association>
      • You end up with two associations on that object which will produce two events when touched again
      • Check for existing associations and use <modify-association> instead to replace the existing association
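The check slide 30 asks for, as an added example in plain ECMAScript (not code from the presentation or from any driver). Objects and their associations are held as plain JS records whose shape is an assumption for this example, and the sample driver DN and association values are constructed; the element names follow the XDS <add-association> and <modify-association> commands named on the slide. It also covers the state the slide warns about, an object that already carries two associations for the driver, by reporting it instead of adding a third.

```javascript
// Added example, not from the slides: decide between <add-association> and
// <modify-association> before a policy writes an association, so an object
// never ends up with two associations for the same driver.

function escapeXml(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Work out what to send so that `obj` has exactly one association for
// `driverDn` whose value is `wanted`.
function planAssociation(obj, driverDn, wanted) {
  const existing = obj.associations.filter(a => a.driverDn === driverDn);
  if (existing.length > 1) {
    // Already duplicated: report it rather than adding another. Every touch
    // of this object would otherwise produce one event per association.
    return { op: "duplicate", values: existing.map(a => a.value) };
  }
  if (existing.length === 0) {
    return { op: "add-association", value: wanted };
  }
  if (existing[0].value === wanted) {
    return { op: "none" };
  }
  return { op: "modify-association", from: existing[0].value, to: wanted };
}

// Render the decision as the XDS command element the policy would emit.
function toXdsCommand(plan, destDn) {
  switch (plan.op) {
    case "add-association":
      return `<add-association dest-dn="${escapeXml(destDn)}">${escapeXml(plan.value)}</add-association>`;
    case "modify-association":
      return `<modify-association dest-dn="${escapeXml(destDn)}">` +
        `<association-old>${escapeXml(plan.from)}</association-old>` +
        `<association-new>${escapeXml(plan.to)}</association-new>` +
        `</modify-association>`;
    default:
      return ""; // nothing to send, or a duplicate that needs cleaning up first
  }
}

// Constructed sample objects. Association values are whatever key the
// connected system uses; here they are plain strings.
const SOAP_DRIVER = "cn=SOAPDriver,cn=DriverSet,o=services";
const SAMPLE_OBJECTS = {
  fresh:   { dn: "\\ACME\\users\\alice", associations: [] },
  renamed: { dn: "\\ACME\\users\\bob",   associations: [{ driverDn: SOAP_DRIVER, value: "emp-1001" }] },
  damaged: { dn: "\\ACME\\users\\carol", associations: [
             { driverDn: SOAP_DRIVER, value: "emp-1002" },
             { driverDn: SOAP_DRIVER, value: "emp-2002" } ] },
};
```

Calling planAssociation before every write keeps the decision in one place; the "duplicate" result is the one to alert on in the trace, because it means the damage the slide describes has already happened.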
  31. Merge Cleaner
      • Challenge
        – During a merge on your Active Directory driver, a single error on an attribute will error out the whole event
      • Solution
        – Use a stylesheet to break up the merge event into discrete modify events
  32. Replace Rather than Remove
      • Challenge
        – When sending a modify to Active Directory, you attempt to remove an old value and add a new value, but the old value doesn't exist in Active Directory and the event errors out
      • Solution
        – Convert those <remove-value> <add-value> pairs into <remove-all-values> <add-value>
        – Use a list GCV to make it easy to add and remove attributes as needed
        – Works for single-valued attributes ONLY!
  33. Replace Rather than Remove
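The rewrite from slide 32 as an added example in plain ECMAScript (not the stylesheet or policy from the presentation). The modify event is held as a plain JS object instead of XDS XML; the list of single-valued attribute names stands in for the list GCV the slide mentions, and the sample event is constructed. The op names mirror the XDS elements <remove-value>, <add-value> and <remove-all-values>, and the "single-valued ONLY" caveat is enforced rather than left to the reader.

```javascript
// Added example, not from the slides: "replace rather than remove" applied
// to a modify event held as a JS object, restricted to single-valued attributes.

// Stand-in for the list GCV: attributes known to be single-valued in AD.
// The rewrite must NOT be applied to multi-valued attributes, because
// <remove-all-values> would wipe values the vault never meant to touch.
const SINGLE_VALUED_ATTRS = ["Title", "Telephone Number", "Internet EMail Address"];

// event: { className, srcDn, attrs: [{ name, ops: [{ op, value? }] }] }
function replaceRatherThanRemove(event, singleValued = SINGLE_VALUED_ATTRS) {
  const rewritten = { ...event, attrs: [] };
  for (const attr of event.attrs) {
    const hasRemove = attr.ops.some(o => o.op === "remove-value");
    if (!singleValued.includes(attr.name) || !hasRemove) {
      rewritten.attrs.push(attr); // multi-valued, or nothing to replace: leave untouched
      continue;
    }
    // Collapse every <remove-value> into one <remove-all-values> and keep the
    // <add-value> elements. AD then cannot reject the modify because the old
    // value it was asked to remove is not the one it currently holds.
    const adds = attr.ops.filter(o => o.op === "add-value");
    rewritten.attrs.push({ name: attr.name, ops: [{ op: "remove-all-values" }, ...adds] });
  }
  return rewritten;
}

function escapeXml(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Serialize to the XDS <modify> shape you would see in the trace file.
function toXds(event) {
  const lines = [`<modify class-name="${escapeXml(event.className)}" src-dn="${escapeXml(event.srcDn)}">`];
  for (const attr of event.attrs) {
    lines.push(`  <modify-attr attr-name="${escapeXml(attr.name)}">`);
    for (const o of attr.ops) {
      lines.push(o.op === "remove-all-values"
        ? "    <remove-all-values/>"
        : `    <${o.op}><value>${escapeXml(o.value)}</value></${o.op}>`);
    }
    lines.push("  </modify-attr>");
  }
  lines.push("</modify>");
  return lines.join("\n");
}

// Constructed sample: the vault believes Title was "Analyst"; AD holds something else.
const SAMPLE_MODIFY = {
  className: "User",
  srcDn: "\\ACME\\users\\alice",
  attrs: [
    { name: "Title", ops: [
      { op: "remove-value", value: "Analyst" },
      { op: "add-value", value: "Senior Analyst" } ] },
    { name: "Group Membership", ops: [                 // multi-valued: untouched
      { op: "remove-value", value: "\\ACME\\groups\\old" },
      { op: "add-value", value: "\\ACME\\groups\\new" } ] },
    { name: "Telephone Number", ops: [                 // add only: untouched
      { op: "add-value", value: "555-0100" } ] },
  ],
};
```

Run toXds(replaceRatherThanRemove(SAMPLE_MODIFY)) to see the Title attribute go out as <remove-all-values/> followed by the new value, while Group Membership keeps its original remove/add pair.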
  34. Driver Variable in a Stylesheet (Quiz)
      • You've defined a driver variable (as opposed to a policy variable) and want to reference it later in a stylesheet
      • The stylesheet reference is right... $variableName

        <xsl:choose>
          <xsl:when test="$userDisabled = 'false'">

      • Code (-9061) Error processing XSLT policy: top-level variable 'userDisabled' was referenced but not defined
      • The stylesheet must declare the variable as a top-level parameter:

        <xsl:param name="userDisabled"/>

  35. LDAP Credentials Auto-config
      • Challenge
        – You don't want to store LDAP credentials in your driver
      • Solution
        – Found on Novell Cool Solutions®
        – You could use named passwords, but you have to set those values each time the driver is imported, each time you move to a new environment, or when the account password is updated
        – Automagically leverage the credentials the driver is using to perform the operation; the assumption is the driver will have rights to any objects you want to read/modify/delete
  36. Using dxcmd for Initial Migration
      • Challenge
        – When 'connecting' existing objects as part of an initial migration, you want to minimize the churn of processing all application objects when only a subset is needed
      • Solution
        – Use dxcmd and a query XDS to specify exactly which objects you want to migrate
  37. Using dxcmd for Initial Migration
      • Query XDS

        <nds dtdversion="3.5" ndsversion="8.x">
          <input>
            <query class-name="User" dest-dn="DC=abc,DC=edu" scope="subtree">
              <search-class class-name="user"/>
              <search-attr attr-name="extensionAttribute4">
                <value>no</value>
              </search-attr>
              <search-attr attr-name="extensionAttribute8">
                <value>no</value>
              </search-attr>
            </query>
          </input>
        </nds>

      • Batch file

        dxcmd -user cn=admin,o=services -host localhost -password xxx -migrateapp "cn=NonEmployees,cn=Driver Set,ou=idm,o=services" file.txt

  38. One Change Breaks Something Else (Quiz)
      • Everything is running great, but one more required change or update ends up breaking existing functionality in a totally unexpected way
      • Use automated testing
        – Allows you to define all the test cases
        – Allows you to run and rerun test cases quickly and thoroughly
        – IdMUnit at IdMUnit.org
  39. Active Directory Driver – Line Feed
      Output - Street Address: Convert LF to CR-LF
      • Bad
        – "Suite 10n123 Elm Street" becomes "Suite 1n123 Elm Street"
        – Sending rn doesn't work in Active Directory anyway
  40. Active Directory Driver – Line Feed
      Output - Street Address: Convert LF to CR-LF
      • Good
  41. Active Directory Driver – Line Feed
      Input - streetAddress: Convert CR-LF to LF
      • Bad
        – The line feed is being removed, not the carriage return
  42. Active Directory Driver – Line Feed
      Input - streetAddress: Convert CR-LF to LF
      • Good
        – Remove the carriage return, not the line feed
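The two street-address conversions from slides 39 to 42 as an added example in plain ECMAScript (not the driver's own policy code, which is only shown as screenshots in the deck). The faulty input-side version that slide 41 describes, stripping the LF and keeping the CR, sits beside the corrected conversions; the sample addresses are constructed. The output-side conversion goes one step beyond the slide by matching an optional CR first, so it is safe to run over a value that already uses CR-LF.

```javascript
// Added example, not from the slides: LF <-> CR-LF conversion for the AD
// driver's streetAddress, with the bad input-side variant beside the good ones.

const CRLF = "\r\n";
const LF = "\n";

// Output channel, vault -> AD: every line break becomes CR-LF. Matching an
// optional CR first makes this idempotent, so a value that already carries
// CR-LF is not turned into CR-CR-LF if the policy runs over it twice.
function lfToCrlf(value) {
  return value.replace(/\r?\n/g, CRLF);
}

// Input channel, AD -> vault, the wrong way (slide 41): the LF is removed and
// the CR is kept, leaving a bare "\r" that the vault does not treat as a
// line break.
function crlfToLfBad(value) {
  return value.replace(/\n/g, "");
}

// Input channel, the right way (slide 42): drop the CR, keep the LF.
function crlfToLf(value) {
  return value.replace(/\r\n/g, LF);
}

// Make the control characters visible, the way you want them in a trace line
// when checking which conversion a driver actually applied.
function visible(value) {
  return value.replace(/\r/g, "\\r").replace(/\n/g, "\\n");
}

const VAULT_ADDRESS = "Suite 10\n123 Elm Street";   // constructed, LF only
const AD_ADDRESS    = "Suite 10\r\n123 Elm Street"; // constructed, CR-LF

if (typeof require !== "undefined" && require.main === module) {
  console.log("out, good:", visible(lfToCrlf(VAULT_ADDRESS)));
  console.log("in,  bad: ", visible(crlfToLfBad(AD_ADDRESS)));
  console.log("in,  good:", visible(crlfToLf(AD_ADDRESS)));
}
```

A round trip through lfToCrlf and then crlfToLf returns the vault value unchanged, which is the property to assert in an IdMUnit-style test for these two policies.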
  43. Active Directory Driver – lockoutTime
      Can't set lockoutTime in AD
      • Bad
        – Can't set lockoutTime in AD, even with the proper time syntax
  44. Active Directory Driver – lockoutTime
      Can't set lockoutTime in AD
      • Good
        – Must lock out the AD user 'manually'
  45. Trends and Observations
      • Using more null drivers
      • Using more than one driver to the same application
        – Different object classes with different requirements
        – Password Sync driver
      • Increased need for automated testing
      • IDM implementations are maturing
        – More roles, governance and compliance starting
        – More User Application
        – More workflow
  46. Unpublished Work of Novell, Inc. All Rights Reserved.
      This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
      General Disclaimer
      This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.