
How to retrigger the assignments which are in OK status to AD (LDAP repositories)

Dear Experts,

There is a requirement from my client to set up force reprovisioning. Whatever system they select, IDM should push the user attributes and assignments to the target system.

  1. I have created a custom task to retrigger the ModifyUser and AssignUserMembership tasks available in the respective connector packages using the uProvision function, where I pass the user mskey, repository ID and audit ID to the function as input.
  2. The above task is working as expected for ABAP and Java systems.
  3. For AD (Microsoft Directory, LDAP) only the ModifyUser task is working as expected, but not AssignUserMembership.

Error message of the AssignUserMembership task when it fails:

Error putNextEntry failed storing!ERROR:Entry does not exist
Exception from Modify operation:javax.naming.InvalidNameException: !ERROR:Entry does not exist: [LDAP: error code 34 - 0000208F: NameErr: DSID-03100225, problem 2006 (BAD_NAME), data 8350, best match of:'!ERROR:Entry does not exist']; remaining name '!ERROR:Entry does not exist' 

After analysing further, I found the reason why the assignment is failing: I am trying to trigger the task based on the user mskey, but the assignment happens based on the AD groups (the user is assigned to the AD groups, not vice versa).

How can I achieve a sync of AD group privileges between AD and IDM? I don't want to remove the privileges and assign them back.

Can someone please let me know how we can achieve this for Active Directory? Your help is much appreciated.

Input Screen:

Once the request is submitted, IDM triggers the custom task, which calls the script below.

Code: below is the JavaScript code used to trigger the AssignUserMembership provisioning task.

The input parameters for the script below are the user MSKEY and the repository list the user selected in the UI.

function retryForceProvisionUserAssignments(Par) {

    var script = "retryForceProvisionUserAssignments::";
    var debugKey = uGetConstant("pck.ENABLE_DEBUG");
    var repositories = '' + Par.get("REPOSITORIES") + ''; // force a JS string (a Java null becomes "null")
    var mskey = Par.get("MSKEY");
    var RetryRepositories = "";

    if (debugKey == "1" || debugKey == "TRUE") {
        uWarning(script + "entered with repositories: [" + repositories + "]");
    }

    // "null" is what the string conversion above yields for a missing parameter
    if (repositories == null || repositories == "null" || repositories.length < 2) {
        if (debugKey == "1" || debugKey == "TRUE") {
            uWarning(script + "no repositories have been found... silent exit");
        }
        return "";
    }

    // the UI hands over the selected repositories as a '|'-separated list
    var tempArr = repositories.split('|');

    for (var i = 0; i < tempArr.length; ++i) {
        RetryRepositories += "!!" + tempArr[i];
    }
    // get rid of the first "!!"
    RetryRepositories = RetryRepositories.substring(2);

    if (RetryRepositories != "") {
        uWarning("retry provision in repositories: [" + RetryRepositories + "], length: [" + (RetryRepositories.split("!!")).length + "]");

        var repArr = RetryRepositories.split("!!");
        var AuditID = uGetAuditID();
        var idStore = uGetIDStore();

        for (var j = 0; j < repArr.length; ++j) {
            var repName = repArr[j];
            // getPackageIDForRepositoryName / getRepositoryIDForRepositoryName are custom
            // package scripts of this implementation (not shown here)
            var packageID = getPackageIDForRepositoryName(repName);
            // keep the raw return value: converting it to a string first would turn a
            // missing task into the string "null", which the null check below would not catch
            var executeTask = uGetPackageTaskID(packageID, "AssignUserMembership");

            if (executeTask != null && ('' + executeTask) != "" && ('' + executeTask) != "null") {
                var repid = getRepositoryIDForRepositoryName(repName);
                var OutString = '' + uProvision(mskey, executeTask, AuditID, repid, 0, 1);

                if (OutString.indexOf("!ERROR") >= 0) {
                    var msg1 = script + "mskey=" + mskey + " ExecuteTask=" + executeTask + ". An error occurred executing uProvision. Reason: " + OutString;
                    uError(msg1);
                    uSkip(2, 2, msg1);
                }
            } else {
                var msg2 = script + "executeTask variable is null or empty for repository [" + repName + "]";
                uInfo(msg2);
                uSkip(2, 2, msg2);
            }
        }
    }
}

Regards,

Deva


  • @Steffi Warnecke - Hi Steffi, as mentioned, I have tried to update the user but encountered an error. The pass was set up as follows:

    attribute    value
    dn           dnvalue
    changetype   modify
    + member     groupdn

    I even tried with the memberOf attribute.

    putNextEntry failed storing cn=xyz,OU=Users,OU=IDM,DC=txyz,DC=local

    Exception from Modify operation:javax.naming.directory.SchemaViolationException:

    [LDAP: error code 65 - 0000207D: UpdErr: DSID-0315166D, problem 6002 (OBJ_CLASS_VIOLATION), data 31]; remaining name 'cn=xyz,OU=Users,OU=IDM,DC=txyz,DC=local'

  • Hey Deva,

    looks like "member" is not an attribute for user accounts then. :/

    Have you tried creating a job the other way around? Not adding all the groups again to the user, but adding all the users to the group?

    Regards,

    Steffi.


2 Answers

  • Best Answer
    Apr 10 at 09:40 AM

    Hello Deva,

    as mentioned here before, the AD interface and LDAP work differently to the ABAP interface for the privilege assignment. The STANDARD ABAP Connector (ToSAP) process "AssignAllABAPPrivileges" gets all privileges which are assigned for the repository in SAP IDM.

    (Only for information: there is also another ABAP Connector, ToSAPIdentity, where also only the delta is given to the ABAP system.)

    This is easy for the reconciliation process you want to create. The Standard LDAP/AD Connector (ToLDAP) process "AssignUserToADSGroup" writes the delta (only the assignments [+] and revocations [-]) for the repository TO THE GROUP with the standard member attribute.

    An easy way to stay with your uProvision concept by triggering the standard existing hooks/plugins would be to enhance the JavaScript you shared with us above with a new part for LDAP/AD where you determine the delta (assignments and revocations which have to be done for the account/repository) and trigger the standard LDAP/AD hooks/plugin for each group.

    There are other possibilities to meet the requirement of your client, but I like this one, because you trigger the existing hooks/plugin (interfaces) which are also triggered in the normal identity/account lifecycle. If there is any change to these hooks/plugin (interfaces), the changes also take effect in your reconciliation process.

    Best regards,

    Christoph Reckers

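The delta step Christoph describes, determining per account which group memberships AD still has to gain or lose and then addressing each change to the group entry, is sketched here as an added example in plain JavaScript. It is not code from the thread or from SAP IDM; the group DNs, the group member lists and the account DN are constructed sample data, and the mapping from an IDM privilege to its AD group DN is assumed to have been resolved already. The rendered operations also show why a modify on the user entry fails: in AD the writable attribute is member on the group, while memberOf on the user is a back-link the directory maintains itself.

```javascript
// Added example (not from the thread or from SAP IDM): compute the per-group
// delta between the AD group privileges IDM says an account should hold and
// the memberships AD currently reports, then express every delta as a modify
// against the GROUP entry's "member" attribute. All data is constructed.

// Constructed sample: AD group DNs the account's IDM privileges map to
// (the privilege -> group DN mapping is assumed to be resolved already).
const idmAssignedGroups = [
  "CN=App-Readers,OU=Groups,DC=example,DC=local",
  "CN=App-Admins,OU=Groups,DC=example,DC=local",
  "CN=VPN-Users,OU=Groups,DC=example,DC=local",
];

// Constructed sample: the "member" values AD currently holds on the group
// entries that matter for this account.
const adGroupMembers = {
  "CN=App-Readers,OU=Groups,DC=example,DC=local": [
    "CN=jdoe,OU=Users,OU=IDM,DC=example,DC=local",
    "CN=asmith,OU=Users,OU=IDM,DC=example,DC=local",
  ],
  "CN=Legacy-Share,OU=Groups,DC=example,DC=local": [
    "CN=jdoe,OU=Users,OU=IDM,DC=example,DC=local",
  ],
  "CN=App-Admins,OU=Groups,DC=example,DC=local": [],
};

const accountDn = "CN=jdoe,OU=Users,OU=IDM,DC=example,DC=local";

// DN matching in AD ignores case and whitespace around the separating
// commas, so normalise before comparing.
function normDn(dn) {
  return dn.replace(/\s*,\s*/g, ",").toLowerCase();
}

// Groups whose "member" attribute currently lists this account.
function groupsContaining(groupMembers, dn) {
  const target = normDn(dn);
  return Object.keys(groupMembers).filter((g) =>
    groupMembers[g].some((m) => normDn(m) === target)
  );
}

// The delta: groups the account must be added to ([+]) and removed from ([-]).
// Groups that already match are left alone, so nothing is revoked and re-granted.
function computeGroupDelta(assigned, groupMembers, dn) {
  const wanted = new Set(assigned.map(normDn));
  const current = new Set(groupsContaining(groupMembers, dn).map(normDn));
  const add = assigned.filter((g) => !current.has(normDn(g)));
  const remove = Object.keys(groupMembers).filter(
    (g) => current.has(normDn(g)) && !wanted.has(normDn(g))
  );
  return { add, remove };
}

// One modify operation per delta entry, addressed to the GROUP entry. The
// user object class has no "member" attribute (the schema violation seen in
// the thread), and "memberOf" is a directory-maintained back-link.
function toGroupModifies(delta, dn) {
  const ops = [];
  for (const g of delta.add) {
    ops.push({ dn: g, changetype: "modify", op: "add", attribute: "member", value: dn });
  }
  for (const g of delta.remove) {
    ops.push({ dn: g, changetype: "modify", op: "delete", attribute: "member", value: dn });
  }
  return ops;
}

// Render one operation in LDIF form, the shape an LDAP modify pass sends.
function toLdif(op) {
  return [
    `dn: ${op.dn}`,
    `changetype: ${op.changetype}`,
    `${op.op}: ${op.attribute}`,
    `${op.attribute}: ${op.value}`,
    "-",
  ].join("\n");
}

// Usage: print the group-side changes for the sample account.
const delta = computeGroupDelta(idmAssignedGroups, adGroupMembers, accountDn);
for (const op of toGroupModifies(delta, accountDn)) {
  console.log(toLdif(op) + "\n");
}
```

In a real reconciliation the two inputs come from IDM (the account's privileges for the repository) and from a read of the group entries in AD; each rendered operation then corresponds to one call of the standard per-group hook rather than a direct LDAP write.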

  • Mar 25 at 06:06 PM

    Hello,

    Can you please add uWarning at the end of both scripts sap_core_getGroupACCOUNTFromPrivilege and sap_core_checkAccountAttributeValueExists and post the values?


    • @Deva Prakash B

      You can't check out the provisioning engine package, so you can't edit the standard SAP scripts (or really any other standard anything in there) even if you want to.

      If you can find an attribute in the LDAP connector (or AD) through which groups are linked to an account, you could just change the parameters of the pass: distinguished name of the user account and then, as +, whatever the name of the attribute is, in combination with the DN of the group.

      We don't have this in use, but I have a pass that adds a group to another group using the same info as the standard (via attribute "member"). So maybe "member" also works the other way around?

      If you have a test environment with a test AD linked, you could just try it out. :)

      Regards,

      Steffi.