Push User account from IDM to LDAP

Hi,

I need to push the new users created in IDM to LDAP. I created a rule library specifying the attributes that need to be pushed and am calling that library from the Create User workflow.

However, the new user and related attributes are not being pushed to LDAP. Can somebody point out the mistake in my code?

Here is the Rule Library:

<!-- the library is called from the workflow as 'RULE-LIB-xxx:RULE_create_LDAP_Acct',
     so the enclosing Configuration object carries that name -->
<Configuration name='RULE-LIB-xxx'>
  <Extension>
    <Library>
      <Comments>rule library that contains all rules</Comments>
      <Rule name='RULE_create_LDAP_Acct'>
        <!-- declare every value the rule body references; the calling Action
             has to pass each one as an <argument> -->
        <RuleArgument name='firstname'/>
        <RuleArgument name='lastname'/>
        <RuleArgument name='accountId'/>
        <RuleArgument name='email'/>
        <block trace='true'>
          <set name='user.accounts[LDAP1].firstname'>
            <ref>firstname</ref>
          </set>
          <set name='user.accounts[LDAP1].lastname'>
            <ref>lastname</ref>
          </set>
          <set name='user.accounts[LDAP1].accountId'>
            <ref>accountId</ref>
          </set>
          <set name='user.accounts[LDAP1].email'>
            <!-- the 'email' argument passed in by the Action -->
            <ref>email</ref>
          </set>
        </block>
      </Rule>
    </Library>
  </Extension>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
  </MemberObjectGroups>
</Configuration>

Here is the change I made to the Provision activity in the Create User workflow:

<Activity id='4' name='Provision'>
  <Comments> Perform the standard Lighthouse provisioning process. </Comments>
  <Action id='0' process='Data Transformation'>
    <Comments>Apply any defined data transformations</Comments>
    <Argument name='ruleName'>
      <ref>transforms.preProvisionRule</ref>
    </Argument>
    <Argument name='formName'>
      <ref>transforms.preProvisionForm</ref>
    </Argument>
  </Action>
  <Action id='1'>
    <expression>
      <cond>
        <eq>
          <ref>sunrise.createResourceAccounts</ref>
          <s>true</s>
        </eq>
        <block>
          <set name='options.targets'>
            <List>
              <String>LDAP1</String>
            </List>
          </set>
          <set name='user.waveset.resources'>
            <filterdup>
              <appendAll>
                <ref>user.waveset.resources</ref>
                <list>
                  <s>LDAP1</s>
                </list>
              </appendAll>
            </filterdup>
          </set>
        </block>
      </cond>
    </expression>
  </Action>
  <Action id='2' name='Create LDAP Account'>
    <rule name='RULE-LIB-xxx:RULE_create_LDAP_Acct'>
      <argument name='firstname' value='$(firstname)'/>
      <argument name='lastname' value='$(lastname)'/>
      <!-- the rule sets accounts[LDAP1].accountId from this argument -->
      <argument name='accountId' value='$(accountId)'/>
      <!-- was value='(email)': without $() the literal string, not the
           workflow variable, is passed -->
      <argument name='email' value='$(email)'/>
    </rule>
  </Action>
</Activity>

Any help is appreciated.

Thanks,

[3131 byte] By [sungirla] at [2007-11-27 9:27:16]
# 1

Hi,

I could get this working. However, I am running into another problem. When I create a new user and click on Save, I am getting this error:

com.waveset.util.WavesetException: An error occurred adding user 'uid=pushldap,dc=domain,dc=com' to resource 'LDAP1'. javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Object Class Violation]

I have uid, cn, sn as required attributes. Also, I have top, person, organizationalPerson and inetOrgPerson in the list of object classes.

Not sure where I am going wrong.

Please help.

Thanks,

sungirla at 2007-7-12 22:28:31
# 2

Hi,

I know the problem for this solution.

In slapd.conf, one should include core.schema, cosine.schema and inetOrgPerson.schema to use the object class "inetOrgPerson" and its related attributes "mail" and "uid",

as specified in http://forum.java.sun.com/thread.jspa?threadID=5064703&messageID=9243187

I was having a problem since I was trying to push the mail attribute. However, I have slapd.at.conf and other confs but not slapd.conf. Any ideas on where I can find it?

Thanks

sungirla at 2007-7-12 22:28:31
# 3
Which LDAP server are you using? I have never had this issue with Sun ONE server.
gvivek99a at 2007-7-12 22:28:31
# 4

Hi,

This same issue has surfaced again. I am using Sun ONE DS 5.2. I am getting either Error Code 32 or 65. Not sure how to resolve these.

For Error Code 32, I think I need to change the identity template to where the users are pointing. I currently have uid=$accountId$,dc=domain,dc=com.

To resolve the error, I removed uid=$accountId$.

Now Error Code 65 is surfacing. Not sure what to change, as everything seems fine.

Any help is appreciated.

Thanks,

sungirla at 2007-7-12 22:28:31
# 5

Why are you making Create User complicated?

Why not use something like this in your form:

<Field name='view.waveset.resources'>
  <Display class='MultiSelect'>
    <Property name='title' value='resource assigned'/>
  </Display>
  <Expansion>
    <append>
      <s>LDAP1</s>
      <s>LDAP2</s>
    </append>
  </Expansion>
</Field>

I did it like this and it is working well.

gvivek99a at 2007-7-12 22:28:31
# 6
Try to have the identity template point inside an existing container, something like uid=$accountId$,ou=Users,dc=example,dc=com. By the way, this is of concern only if you aren't being able to create a resource account by manually assigning the resource to the
ankushkapoora at 2007-7-12 22:28:31
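The two result codes this thread keeps hitting can both be checked offline before a workflow pushes the account: 32 (noSuchObject) when the identity template points at a parent container that does not exist (post #6), and 65 (objectClassViolation) when an attribute such as mail or uid is mapped but inetOrgPerson is not in the object class list, a required attribute like sn is missing, or the server does not know the object class because its schema file is not loaded (posts #2 and #4). The script below is an added example written for this thread; it is not part of Sun IDM, the directory server, or any poster's configuration. SCHEMA is a hand-written subset of the standard person, organizationalPerson (RFC 4519) and inetOrgPerson (RFC 2798) definitions, the directory snapshot and entries are constructed, and DN parsing assumes no escaped commas in RDN values.

```python
"""Pre-flight validation of an LDAP add request (added example, not IDM code).

Reproduces, offline, the two result codes discussed in the thread:
  32  noSuchObject         - the parent container of the DN does not exist
  65  objectClassViolation - a MUST attribute is missing, an attribute is not
                             allowed by the entry's object classes, or an
                             object class is unknown (schema not loaded)
SCHEMA is a hand-written subset of the standard definitions (person and
organizationalPerson per RFC 4519, inetOrgPerson per RFC 2798).
"""

# object class -> (superior class, MUST attributes, MAY attributes); all lower-case
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", set(),
               {"title", "ou", "l", "st", "street", "postalcode", "postaladdress",
                "postofficebox", "physicaldeliveryofficename", "telephonenumber",
                "facsimiletelephonenumber", "preferreddeliverymethod",
                "teletexterminalidentifier", "telexnumber", "x121address",
                "destinationindicator", "registeredaddress",
                "internationalisdnnumber"}),
    "inetorgperson": ("organizationalperson", set(),
               {"uid", "mail", "givenname", "displayname", "initials",
                "employeenumber", "employeetype", "departmentnumber", "manager",
                "secretary", "homephone", "homepostaladdress", "mobile", "pager",
                "jpegphoto", "photo", "labeleduri", "o", "roomnumber",
                "carlicense", "preferredlanguage", "businesscategory", "audio",
                "usercertificate", "usersmimecertificate", "userpkcs12",
                "x500uniqueidentifier"}),
}


def expand_object_classes(declared):
    """Known classes among `declared` plus every superior (person implies top)."""
    classes, todo = set(), [oc.lower() for oc in declared]
    while todo:
        oc = todo.pop()
        if oc in classes or oc not in SCHEMA:
            continue
        classes.add(oc)
        superior = SCHEMA[oc][0]
        if superior:
            todo.append(superior)
    return classes


def object_class_violations(entry):
    """Sorted list of reasons a server would answer result 65 for `entry`."""
    attrs = {name.lower() for name in entry}
    declared = [oc.lower() for key, values in entry.items()
                if key.lower() == "objectclass" for oc in values]
    problems = [f"unknown object class '{oc}' (schema not loaded on the server?)"
                for oc in declared if oc not in SCHEMA]
    must, may = set(), set()
    for oc in expand_object_classes(declared):
        _, required, optional = SCHEMA[oc]
        must |= required
        may |= optional
    problems += [f"required attribute '{a}' is missing" for a in sorted(must - attrs)]
    problems += [f"attribute '{a}' is not allowed by the entry's object classes"
                 for a in sorted(attrs - must - may)]
    return sorted(problems)


def normalize_dn(dn):
    """Case-fold and strip spaces around RDNs; assumes no escaped commas."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def preflight_add(dn, entry, existing_dns):
    """[(result_code, reason)] an add of `entry` at `dn` would hit; [] means it would succeed."""
    directory = {normalize_dn(d) for d in existing_dns}
    parent = normalize_dn(dn).split(",", 1)[1] if "," in dn else ""
    problems = []
    if parent not in directory:
        problems.append((32, f"parent container '{parent}' does not exist (noSuchObject)"))
    problems += [(65, reason) for reason in object_class_violations(entry)]
    return problems


if __name__ == "__main__":
    # constructed directory snapshot: the suffix and one People container exist
    directory = {"dc=example,dc=com", "ou=People,dc=example,dc=com"}
    # mapping like the thread's: mail and uid pushed, inetOrgPerson not in the class list,
    # identity template pointing at a container that was never created
    entry = {"objectClass": ["top", "person", "organizationalPerson"],
             "cn": ["Push Ldap"], "sn": ["Ldap"],
             "uid": ["pushldap"], "mail": ["pushldap@example.com"]}
    for code, reason in preflight_add("uid=pushldap,ou=Users,dc=example,dc=com", entry, directory):
        print(code, reason)
    # both fixes applied: existing container in the template, inetOrgPerson added
    entry["objectClass"].append("inetOrgPerson")
    print(preflight_add("uid=pushldap,ou=People,dc=example,dc=com", entry, directory))
```

Run against a real server the same check would come from reading the subschema subentry rather than the SCHEMA table; the table here is only what is needed to show why "mail" without inetOrgPerson, or a template parent that was never created, produces the errors quoted above.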
# 7

Ankush,

I am having this problem only when trying to assign LDAP to a user through the WF. No problems whatsoever while doing it manually.

I tried creating a container 'users' under 'people' and modified the identity template accordingly. But no luck, the same Error Code 32.

I have 3 required attributes in the mapping: cn, sn and uid. The object classes I have are top, person, organizationalPerson and inetOrgPerson.

The only modification I made to the Create User WF is to add this action under Provision:

<Action id='2' name='Create LDAP Account'>
  <rule name='Create LDAP Account'>
    <argument name='firstname' value='$(firstname)'/>
    <argument name='lastname' value='$(lastname)'/>
    <argument name='email' value='$(email)'/>
    <!-- the rule body reads accountId, so it has to be passed in as well -->
    <argument name='accountId' value='$(accountId)'/>
  </rule>
</Action>

The Rule is as follows:

<Rule name='Create LDAP Account'>
  <!-- declare the arguments the body references -->
  <RuleArgument name='firstname'/>
  <RuleArgument name='lastname'/>
  <RuleArgument name='email'/>
  <RuleArgument name='accountId'/>
  <block>
    <set name='user.waveset.accountId'>
      <ref>accountId</ref>
    </set>
    <set name='user.accounts[Lighthouse].accountId'>
      <ref>accountId</ref>
    </set>
    <set name='user.waveset.resources'>
      <filterdup>
        <appendAll>
          <ref>user.waveset.resources</ref>
          <s>LDAP1</s>
        </appendAll>
      </filterdup>
    </set>
    <set name='user.waveset.assignedLhPolicy'>
      <s>LighthouseAccountPolicy</s>
    </set>
    <set name='user.waveset.firstname'>
      <ref>firstname</ref>
    </set>
    <set name='user.waveset.lastname'>
      <ref>lastname</ref>
    </set>
    <!-- <set name='user.waveset.email'>
           <ref>email</ref>
         </set> -->
    <set name='user.waveset.organization'>
      <s>Top</s>
    </set>
    <set name='user.waveset.accounts[LDAP1].created'>
      <s>true</s>
    </set>
  </block>
</Rule>

Please let me know if something is wrong with this.

Thanks,

sungirla at 2007-7-12 22:28:31
# 8
gvivek99, I am not sure if I can do this in a form, since the account needs to be pushed to LDAP once the approver approves it. Thanks,
sungirla at 2007-7-12 22:28:31
# 9

Hi Sungirl,

Still, I think you should not do this explicitly.

Check this documentation in the Workflows, Forms, and Views PDF: "provision" (Provision Workflow Service).

By default it will create the user in IDM as well as on the resource if you assign the arguments correctly. You can also use the Checkin view if you are creating your own custom workflow.

Thx

gvivek99a at 2007-7-12 22:28:31
# 10
I agree with gvivek99. I don't think you should be explicitly pushing the LDAP account or attributes. Just assign the LDAP resource to the account you are creating. IDM will take care of the rest via the Schema Mapping and Metaview variables that you have set up.
JimBearda at 2007-7-12 22:28:31
# 11

True, the above is the preferred way.

But there were a few instances with IDM 5.5 (and previous versions) where resource assignments through the admin interface populated all variables from the schema map, but didn't populate when invoked through a custom workflow / userForm (quite an unpleasant surprise). In these cases, I was forced to explicitly push the variables that I needed.

Did anyone else face a similar issue?

Ankush

ankushkapoora at 2007-7-12 22:28:32
# 12
Did you do a Refresh View action before the Check In? I dealt with some issues by that, and was surprised at the results.
JimBearda at 2007-7-12 22:28:32
# 13
Where can I find this slapd.conf?
nash4evera at 2007-7-12 22:28:32