This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UA resource users in PAM group are not syncing

Hello! I have configured the PAM driver in IDM. Expanded the eDirectory schema. Created groups in PAM. When creating a resource in UA, I synchronized groups in PAM. All PAM groups appeared in the drop-down list. I selected the group I needed and created a resource. Resource assigned to user, successfully. But in PAM, this user did not appear in the group. There are no errors in the driver, but the filling in the Entitlement confuses.

Screenshot_1.png

Parents
  • 0  

    I looked at the PAM driver for IDM a few years back...  But do not remember this detail.

    So your issue is the JSON payload inide the <param> node has a value for ID but ID2 is blank.  The question that needs to be answered is whether the driver, when it implements the entitlement uses ID2 or not.

    Usually ID2 is cosmetic. So I dropped a PAM driver onto a tree in Designer, and looked at the policies, usually I would look at the Sub-Command Transform to implement entitlements but I see this driver seems to be doing it in the Sub-Event transform. Different.

    It has the usual structure of looping over each removed entitlement and then over each Entitlement.  This is the USerGroup entitlement which is the one you showed.

    Pum-ETP.jpg

    It only reads the ID value, not ID2. So at first glance this would seem to be cosmetic.

    Oddly the ID value is formatted in your example as "UserGroup:30" but there is nothing in policy that I see that does anything with it, like splitting on the : or somesuch.

    In the Startup policy that builds the EntitlementConfguration object that User app uses to understand what values are available, it defines ID as the association, and ID2 as the CN:

    Pum-Startup.png

    Then in the DirXML-Entitlement object, which defines what object and attributes it queries for values to get the assoc and CN, we see:

    Pum-Entitlement.png

    So it looks for Groups, and returns the values.

    This makes me think maybe your group in PAM does not have a name? 

    Are you running the shim in the driver or Remote Loader?  (Make sure whichever one you have it running is, is at a high trace level. 3 is usually enough but for odd stuff, try something like 25 who knows if they added trace at higher levels).

    Then run through an Entitlement grant and show the trace.

  • 0 in reply to   

    Thank you for helping! I turned on level 25 tracing and was confused by one rule that blocks the operation. It doesn't find the DirXML-PUMUser-Aux attribute. But this attribute is not in the imported schema in the PAM iso file.

    Screenshot_1.png

    Screenshot_2.png

     I added a trace file and removed the driver reload events from it. In the file, the beginning and end of the event for assigning a resource to a user.

    pam.zip
  • 0   in reply to 

    I looked at the Schema included on the IDM 4.8 DVD and the npum.sch file does not include that Aux class.

    I looked at the NPUM driver 4..5.01 patch and the SCH file in there also does not include this class.

    I looked at Designer and it has most of the PUM schema but not this class.

    Interesting problem.

    Short term: You can probably turn that policy off. I know someone on the PUM team, let me see if he has any comment on this.

  • Verified Answer

    0   in reply to   

    Please use the PAM IDM Driver ver. 4.5.x ONLY.

    v4.8.x development was postponed for later release.

  • 0   in reply to   

    Do you mean, the 4.5x shim, or the 4.5.x packages?

    Could you be a bit more specific please.

  • 0   in reply to   

    Hi Geoff,

    I meant the PAM Driver package version.

    -KPRajesh

     

  • 0 in reply to   

    Thanks! My PAM packages were version 4.8.0. In Identity Designer, I chose to upgrade to 4.5.0. Removed the old driver from iManager and added a new driver. Added the required attributes to the filter. As a result, everything worked.

  • 0 in reply to 

    Hi all,
    we have same issue, but we are on IDM 4.7 (also designer 4.7) and PAM driver 4.5.0.1, but on schema extension files we can't find auxiliary class "DirXML-PUMUser-Aux" and on default matching policy they check this objectclass .
    What can we do to solve this?

     

    Regards

     

    Riccardo

  • 0 in reply to 

    check for pum.sch file in / opt / novell / eDirectory / lib / nds-schema path on Identity Vault host. If so, navigate to the / opt / novell / eDirectory / bin directory and run the idm-install-schema script. Reload eDirctory

Reply
  • 0 in reply to 

    check for pum.sch file in / opt / novell / eDirectory / lib / nds-schema path on Identity Vault host. If so, navigate to the / opt / novell / eDirectory / bin directory and run the idm-install-schema script. Reload eDirctory

Children
No Data