A Forum reader recently asked:
"I'm using IDM 3.01 and Lotus Notes 6.x. I have a problem in the Subscriber Channel: during the user creation in the Identity Vault, I want the user in Lotus Notes to be added to a particular group. For the test I used the Command policy "Disable access for Notes Users when eDirectory 'Login Disabled' attribute is set true" and I modified the condition (changed "when operation=add" to "when operation=modify"). But what happened is that in the "Deny Access Group" members I see the User, but with the Identity Vault DN.
What I understood is that during the add operation the association is not created yet, and the Source DN in the policy is not resolved. How can I fix this? I have groups in Notes and I'd like to add the new user to a group. I don't synchronize the groups between IDV and Notes; these groups exist only in Notes."
And here's the reply from Novell's Perry Nuffer ...
Why does the NotesDriverShim push these bogus member values into the group, anyway?
1. In order to synchronize group membership, the Groups in Lotus Notes must be associated with the Groups in eDirectory. Without group object association, members cannot be associated.
2. If the NotesDriverShim is given a command to place a value as a member of a group, and Lotus Notes/Domino does not return an error, then the operation will succeed. Because you can set any string value as a group member, even using the Domino Administrator client, the NotesDriverShim also allows for this. And groups may also contain members that are actually e-mail references or other specific text strings that don't always map to a Notes users' FullName. Another way of looking at it: the NotesDriverShim is only as smart as the data which it receives. If the data doesn't make sense, then the resulting Group members may not make sense, either.
3. For the NotesDriverShim to properly set (or associate) Notes group members, an association-ref attribute can be used on each Member's value. If an association-ref attribute is available, then the NotesDriverShim will properly look up the Notes document. It places the FullName field in the Group members value, instead of the text string that was passed as the value in the XDS command. The IDM engine automatically places association-ref attributes on member values (of users) that are associated.
4. If you add a new Notes user and modify Notes group membership (adding the new user to a group) in the same operation or command document, the group membership will never have an association-ref attribute. That's because the association value is returned from the successful "add" command (which hasn't happened yet). Users need to be added to groups after they are successfully associated, or special driver policies can be implemented. These policies would detect a successful user add-association operation and appropriately apply group membership (modify the group members field within Notes). See the example below for one way this can be done.
Sometimes the driver policy is used to strip out group membership values that are not associated, so these "unwanted" Notes group membership entries are not inserted into Notes groups by the NotesDriverShim. Here is a Cool Solutions tip that talks about this:
http://www.novell.com/coolsolutions/tip/17510.html
Example
The following is an example that demonstrates one way for the Notes Driver to process add commands and correctly add group membership values to the Notes Address Book.
1. Place the following operation-data notification policy in the Subscriber Command Transformation Policy set.
<!-- Runs on every User add going to Notes; the op-property travels with the
     command inside <operation-data> and comes back on the add-association. -->
<rule>
  <description>Attach group fix-up operation-data to user add commands</description>
  <conditions>
    <and>
      <if-operation op="equal">add</if-operation>
      <if-class-name op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-set-op-property name="fix-up-users-associated-group-membership">
      <arg-string>
        <token-text xml:space="preserve">true</token-text>
      </arg-string>
    </do-set-op-property>
  </actions>
</rule>
2. Place the following policy in the Input Transformation Policy Set.
<policy xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor">
  <rule>
    <description>Check user's group fix-up operation data on add-association</description>
    <conditions>
      <and>
        <!-- Fires only on the add-association returned for a user add that
             carried the op-property set in step 1. -->
        <if-operation op="equal">add-association</if-operation>
        <if-op-property name="fix-up-users-associated-group-membership" op="equal">true</if-op-property>
      </and>
    </conditions>
    <actions>
      <!-- Start with an empty node set; 'empty' matches no child element. -->
      <do-set-local-variable name="groupAssociations">
        <arg-node-set>
          <token-xpath expression="empty"/>
        </arg-node-set>
      </do-set-local-variable>
      <!-- The text of the add-association is the user's new Notes association. -->
      <do-set-local-variable name="userAssociationVal">
        <arg-string>
          <token-xpath expression="text()"/>
        </arg-string>
      </do-set-local-variable>
      <!-- Collect the association of every eDirectory group the user belongs to;
           groups without an association are skipped by the [. != ''] filter. -->
      <do-for-each>
        <arg-node-set>
          <token-dest-attr name="Group Membership"/>
        </arg-node-set>
        <arg-actions>
          <do-set-local-variable name="groupAssociations">
            <arg-node-set>
              <token-local-variable name="groupAssociations"/>
              <token-xpath expression="query:readObject($destQueryProcessor, '', $current-node, 'Group','')/association/text()[. != '']"/>
            </arg-node-set>
          </do-set-local-variable>
        </arg-actions>
      </do-for-each>
      <!-- For each associated group, issue a Members add-value to Notes and tag
           the value with the user's association-ref so the shim resolves it
           to the Person document's FullName. -->
      <do-for-each>
        <arg-node-set>
          <token-local-variable name="groupAssociations"/>
        </arg-node-set>
        <arg-actions>
          <do-add-src-attr-value class-name="Group" name="Members">
            <arg-association>
              <token-local-variable name="current-node"/>
            </arg-association>
            <arg-value type="string">
              <token-dest-dn/>
            </arg-value>
          </do-add-src-attr-value>
          <do-set-xml-attr expression="../modify[@class-name='Group']/modify-attr[@attr-name='Members']/add-value/value" name="association-ref">
            <arg-string>
              <token-local-variable name="userAssociationVal"/>
            </arg-string>
          </do-set-xml-attr>
          <do-set-xml-attr expression="../modify[@class-name='Group']/modify-attr[@attr-name='Members']/add-value/value" name="type">
            <arg-string>
              <token-text>dn</token-text>
            </arg-string>
          </do-set-xml-attr>
        </arg-actions>
      </do-for-each>
    </actions>
  </rule>
</policy>
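The XDS exchange that points 3 and 4 of the reply describe, and that the two policies above act on, written out as an added illustration (not part of the original reply, and not output captured from a real driver). The tree name, DNs, event-ids, FullName and association values are constructed placeholders; the assumption that the operation property is carried as an attribute on the operation-data element and returned unchanged by the shim follows the engine behaviour the reply relies on. The fragments are four separate documents, shown together for comparison.

```xml
<!-- 1. Subscriber add command as the NotesDriverShim receives it (after schema
     mapping, so Notes field names). The step-1 rule has already set the
     op-property, carried here as an attribute on <operation-data>. -->
<nds dtdversion="2.0" ndsversion="8.x">
  <input>
    <add class-name="User" event-id="constructed-evt-1"
         src-dn="\IDVTREE\acme\users\jdoe"
         dest-dn="CN=Jane Doe/O=Acme">
      <add-attr attr-name="LastName">
        <value type="string">Doe</value>
      </add-attr>
      <add-attr attr-name="FirstName">
        <value type="string">Jane</value>
      </add-attr>
      <operation-data fix-up-users-associated-group-membership="true"/>
    </add>
  </input>
</nds>

<!-- 2. What the shim returns once the Person document exists: the new
     association value (constructed 32-hex placeholder) plus the same
     operation-data. The step-2 Input Transformation rule fires on this
     add-association; before it arrives the user has no association at all. -->
<nds dtdversion="2.0" ndsversion="8.x">
  <output>
    <add-association dest-dn="\IDVTREE\acme\users\jdoe" event-id="constructed-evt-1"><operation-data fix-up-users-associated-group-membership="true"/>0123456789ABCDEF0123456789ABCDEF</add-association>
    <status level="success" event-id="constructed-evt-1">
      <operation-data fix-up-users-associated-group-membership="true"/>
    </status>
  </output>
</nds>

<!-- 3a. A Members value with no association-ref, which is what the reader's
     modified "Disable access" policy produced while the user was still
     unassociated: the shim has nothing to look up, so the literal string
     (the Identity Vault DN) lands in the Notes group's Members field. -->
<modify class-name="Group" event-id="constructed-evt-2">
  <association>GROUP-ASSOCIATION-PLACEHOLDER</association>
  <modify-attr attr-name="Members">
    <add-value>
      <value type="string">\IDVTREE\acme\users\jdoe</value>
    </add-value>
  </modify-attr>
</modify>

<!-- 3b. The same command as built by the step-2 policy: the value is the
     add-association's dest-dn, retyped to "dn" and tagged with the user's
     association-ref, so the shim resolves it to the Person document and
     stores that document's FullName as the member. -->
<modify class-name="Group" event-id="constructed-evt-3">
  <association>GROUP-ASSOCIATION-PLACEHOLDER</association>
  <modify-attr attr-name="Members">
    <add-value>
      <value type="dn" association-ref="0123456789ABCDEF0123456789ABCDEF">\IDVTREE\acme\users\jdoe</value>
    </add-value>
  </modify-attr>
</modify>
```

When checking a trace for this problem, the thing to look for is document 3a: a Members add-value whose value element has no association-ref. If that is what reaches the shim, the group will show the eDirectory DN as a member, exactly as in the question; the fix-up policy only helps once the add-association in document 2 has been returned, which is why it is keyed on that event rather than on the original add.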