Skip to main content

NetIQ IDM - Trigger idm job from driver policy on driver startup with dynamic argument values


Looking at this article:
https://www.netiq.com/communities/cool-solutions/how-start-idm-job-policy/

it shows you the complete recipe, except it does not show how to deal with dynamic argument values for the method itself; here is my version;

I wanted to run this on the driver startup and wanted to let driver die if job execution did not succeed.

1. username must be "dotted" format; one can use parseDN; example:

<token-parse-dn dest-dn-format="dot" src-dn-format="ldap">
                        <token-local-variable name="local.sub.etp.resource.UserId"/>
                    </token-parse-dn>

2. Jobname must be in "dotted" format too.


3. For more java lovers, one can dig into this: https://www.novell.com/documentation/developer/dirxml/dirxmlbk/api/com/novell/nds/dirxml/util/DxCommand.html




<rule> <description>Schedule job on the startup</description> <conditions> <and> <if-operation mode="nocase" op="equal">status</if-operation> <if-xpath op="true">@type="startup"</if-xpath> </and> </conditions> <actions> <do-set-local-variable name="local.sub.etp.ScheduleArguments" scope="policy"> <arg-string> <token-text xml:space="preserve">-user </token-text> <token-local-variable name="local.sub.etp.resource.UserId" /> <token-text xml:space="preserve"> </token-text> <token-text xml:space="preserve"> -password </token-text> <token-local-variable name="local.sub.etp.resource.Password" /> <token-text xml:space="preserve"> -startjob </token-text> <token-local-variable name="local.sub.ctp.JobName" /> </arg-string> </do-set-local-variable> <do-trace-message> <arg-string> <token-text xml:space="preserve">Prepare cmdline =&gt; </token-text> <token-local-variable name="local.sub.etp.ScheduleArguments" /> </arg-string> </do-trace-message> <do-set-local-variable name="local.sub.etp.Scheduleob" scope="policy"> <arg-object> <token-xpath expression="jcmd:commandLine(string($local.sub.etp.ScheduleArguments))" /> </arg-object> </do-set-local-variable> <do-trace-message> <arg-string> <token-text xml:space="preserve">Initiate startup token job =&gt; </token-text> <token-local-variable name="local.sub.etp.Scheduleob" /> </arg-string> </do-trace-message> <do-if> <arg-conditions> <and> <if-local-variable mode="nocase" name="local.sub.etp.Scheduleob" op="not-equal">0</if-local-variable> </and> </arg-conditions> <arg-actions> <do-set-local-variable name="local.sub.startup.Message" scope="policy"> <arg-string> <token-text xml:space="preserve">Driver could not run token refresh job with arguments </token-text> <token-local-variable name="local.sub.etp.ScheduleArguments" /> <token-text xml:space="preserve"> Please fix the error, clean driver event cache before starting the driver again.</token-text> </arg-string> </do-set-local-variable> <do-status level="error"> <arg-string> <token-local-variable name="local.sub.startup.Message" /> </arg-string> </do-status> <do-status level="fatal"> <arg-string> <token-local-variable name="local.sub.startup.Message" /> </arg-string> </do-status> </arg-actions> <arg-actions /> </do-if> </actions> </rule>

Comments

Popular posts from this blog

NetIQ IDM - SOAP driver -- Handling SOAP service response and manufacturing user association without XSLT

Always pain working with SOAP service and its handling of service response on Query(matching) for user to work with matching policies? Here is the quick wins; without reading  those long lengthy & boring useless SOAP driver blog series at netIQ forums; 1. Make sure you have mapped User class in the schema map with some service attributes 2. Make sure Input and Output policy is registered with all the namespaces you have in your request/response soap messages, example <policy xmlns:soap="http://www.w3.org/2003/05/soap-envelope" 3. I have added operation-data (which is being generated from the Output policy) as part of the SOAP query, but you can skip it if you do not need this. src-dn and association are important to indicate engine for building association.  Operation data will help you to identify operation type and you can carry actions according to it. Inject this on Output ( To support user matching) to send service request: < rule > ...

NetIQ IDM - Adding operation-data to subscriber command transformaiton custom commands

Recently i had to execute EOL cmdlets using psexecute though new NetIQ azure ad driver, since this operation is fire and forget in nature, i would like to track whole request and response for my own generated commands from subscriber command transofrmaiton policy, so i solved it by following policy: < do-set-dest-attr-value direct = "true" name = "psexecute" > < arg-association > < token-resolve datastore = "src" > < arg-dn > < token-text xml:space = "preserve" > {userref} </ token-text > </ arg-dn > </ token-resolve > </ arg-association > < arg-value type = "string" > < token-local-variable name = "cmdlet" /> </ arg-value > </ do-set-dest-attr-value > < do-append-xml-element expression = "../modify[@direct]" na...

Getting into Microsoft Identity Manager ...

Hmm... Microsoft Identity Manager 2010 is out.. but i really wanted to see how the new version is better then its older versions... i have read lots of documentation about FIM2010 and its declarative programming capabilities, MPRs (Management policy rules), workflows, Sets, Group etc, so before touching the fancy parts, i decided to dig into first how the sync-engine or as it previously called MIIS works before doing hands-on with the fancy FIM2010 and the sharepoint based user portal.. Going back to its earlier version and doing hands-on was necessary for me, since FIM2010 documentation always referred the "Classic-rules" as the more powerful then the declarative rules/programming in FIM2010. So i wanted to experience the power into Microsoft IdM before touching the declarative programming(less-power'd) stuff in FIM2010. Having already worked with event-based IdM products such as nOvell identity manager, i was excited to work with the state-based systems such as FIM2010....