
UA resource users in PAM group are not syncing

Hello! I have configured the PAM driver in IDM, expanded the eDirectory schema, and created groups in PAM. When creating a resource in UA, I synchronized groups from PAM. All PAM groups appeared in the drop-down list. I selected the group I needed and created a resource. The resource was assigned to a user successfully. But in PAM, this user did not appear in the group. There are no errors in the driver, but what is filled in on the Entitlement confuses me.

Screenshot_1.png


    I looked at the PAM driver for IDM a few years back...  But do not remember this detail.

    So your issue is the JSON payload inside the <param> node has a value for ID but ID2 is blank.  The question that needs to be answered is whether the driver, when it implements the entitlement, uses ID2 or not.

    Usually ID2 is cosmetic. So I dropped a PAM driver onto a tree in Designer and looked at the policies. Usually I would look at the Sub-Command Transform to implement entitlements, but I see this driver seems to be doing it in the Sub-Event transform. Different.

    It has the usual structure of looping over each removed entitlement and then over each Entitlement.  This is the UserGroup entitlement, which is the one you showed.

    Pum-ETP.jpg

    It only reads the ID value, not ID2. So at first glance this would seem to be cosmetic.

    Oddly the ID value is formatted in your example as "UserGroup:30" but there is nothing in policy that I see that does anything with it, like splitting on the : or somesuch.

    In the Startup policy that builds the EntitlementConfiguration object that User App uses to understand what values are available, it defines ID as the association, and ID2 as the CN:

    Pum-Startup.png

    Then in the DirXML-Entitlement object, which defines what object and attributes it queries for values to get the assoc and CN, we see:

    Pum-Entitlement.png

    So it looks for Groups, and returns the values.

    This makes me think maybe your group in PAM does not have a name? 

    Are you running the shim in the driver or Remote Loader?  (Make sure whichever one you have it running in is at a high trace level. 3 is usually enough, but for odd stuff try something like 25; who knows if they added trace at higher levels.)

    Then run through an Entitlement grant and show the trace.
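As an added example, not code from this thread or from the PAM driver itself: a small check that pulls every `<param>` JSON payload out of driver trace text and reports blank ID or ID2 values, which is the condition the answer above describes. The `<ref>`/`<param>` wrapping of the sample lines and the trace layout are constructed approximations, not real driver output.

```python
import json
import re

# Constructed sample standing in for lines of a driver trace; the wrapping
# around <param> is an assumption, only the ID / ID2 keys come from the thread.
SAMPLE_TRACE = """\
<ref><src>UA</src><param>{"ID":"UserGroup:30","ID2":""}</param></ref>
<ref><src>UA</src><param>{"ID":"UserGroup:31","ID2":"pam-admins"}</param></ref>
<ref><src>UA</src><param>{"ID":"UserGroup:32",}</param></ref>
"""

PARAM_RE = re.compile(r"<param>(.*?)</param>", re.DOTALL)


def check_entitlement_params(trace_text):
    """Return one (ID, ID2, issues) tuple per <param> payload found.

    issues is a list of strings; an empty list means the payload looks complete.
    """
    findings = []
    for match in PARAM_RE.finditer(trace_text):
        raw = match.group(1).strip()
        try:
            payload = json.loads(raw)
        except json.JSONDecodeError as exc:
            # A malformed payload would never reach the grant logic at all.
            findings.append((None, None, [f"invalid JSON: {exc.msg}"]))
            continue
        ident = payload.get("ID", "")
        ident2 = payload.get("ID2", "")
        issues = []
        if not ident:
            issues.append("ID is blank: the entitlement policy has nothing to grant on")
        if not ident2:
            # Cosmetic if the policy only reads ID, but it is the symptom to
            # check against the group's name in PAM.
            issues.append("ID2 is blank: check that the PAM group has a name")
        findings.append((ident, ident2, issues))
    return findings


if __name__ == "__main__":
    for ident, ident2, issues in check_entitlement_params(SAMPLE_TRACE):
        print(ident, repr(ident2), issues or "ok")
```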


    Thank you for helping! I turned on level 25 tracing and was confused by one rule that blocks the operation. It doesn't find the DirXML-PUMUser-Aux attribute. But this attribute is not in the imported schema in the PAM iso file.

    Screenshot_1.png

    Screenshot_2.png

    I added a trace file and removed the driver reload events from it. The file contains the beginning and end of the event for assigning a resource to a user.

    pam.zip