Identity Provisioning Policy Administration
Configuration Example
This section is a guide to creating a policy with all its components and then running it step by step in “Dry Run” mode. The example policy synchronizes user information from Microsoft Active Directory (AD) to a SQL database. Actions also convert user attributes from AD to match the table layout in the SQL database.
Create Microsoft Active Directory Data Source
Open Provisioning Configurator and in the left pane click on General–Data Sources and select “LDAP Data Source”.
Configure the following parameters:
Option | Value | Description |
Name | Microsoft Active Directory | Name for this data source |
Type | LDAP | Each type of data source has its own options. |
General tab | ||
Host IP/DNS | localhost | The LDAP host's IP address or DNS name |
Portnr | 636 | The LDAP host port number (usually 389 for plain LDAP or 636 for LDAPS) |
SSL | Enabled | Whether SSL should be used when communicating with the LDAP host. The example uses LDAPS on port 636, so the bind credentials and the user data the policy reads are not sent in clear text. |
TLS | Not enabled | Whether TLS (StartTLS on the plain LDAP port) should be used when communicating with the LDAP host. Leave it off when SSL is enabled. |
Admin DN | cn=Administrator,cn=users,DC=YourDomain,DC=local | The full DN of the account used to bind. This policy only reads the directory, so a dedicated account with read access to the search base is sufficient; the domain Administrator shown here has more privilege than the policy needs. |
Password | ********** | The administrative account password |
Use Paged Result | true / false | Whether simple paged results (RFC 2696) should be used when searching the directory |
Use Common Connection Pool | true / false | Use a common connection pool to share the communication between actions. Enable this to avoid connecting and disconnecting LDAP connection between actions. Read more in PSD5006. |
Ignore LDAP Referral | true / false | If LDAP referrals should be followed or not. |
Other tab | ||
Description | This active directory is set to work in 2003 forest mode. | A description of this database |
Usage tab | ||
Usage | | Shows the policies associated with this data source. Double-click an entry to go to the policy. |
Test the LDAP Connection
Click on the button “Test LDAP Connection”. Testing the LDAP connection also checks whether the LDAP directory supports paged results and persistent search. Persistent search is a scheduler type used by Identity Provisioning.
Configure SQL Data Source
In the left pane click on General-Data Sources and select “SQL ODBC or JDBC (SQL) Data Source”.
Configure the following parameters:
Option | Value | Description |
General tab | ||
JDBC Driver | com.microsoft.sqlserver.jdbc.SQLServerDriver | Specify the driver to connect to the database. A number of examples are included. |
Database URL | jdbc:sqlserver://192.168.100.200:1433;DatabaseName=Employee | The connection URL for the database. ODBC example: jdbc:odbc:UserDB |
Admin name | sa | The database login used by the policy. The example uses sa; in a real deployment use a dedicated login granted only what the policy's queries need (here SELECT, INSERT and UPDATE on the Person table). |
Password | ********* | The password of that login |
View SQL | Example: select * from person. This shows all rows of the table “person” in the “Employee” database. | This button can be used to test a query against an existing table. |
Other tab | ||
Description | This is configuration how to reach the Employee database | A description of this database |
Usage tab | ||
Usage | | Shows the policies associated with this data source. Double-click an entry to go to the policy. |
Test the SQL Connection
Click on the button “Test JDBC/ODBC Connection”.
Create a Schedule
Create a schedule to define that the policy should run every 60 minutes, all days of the week.
In the left pane click on General-Schedules.
Create a Policy
In the left pane click on Policies.
Policy Name
Give the policy an appropriate name and an optional category.
Select the data source from the browse button.
Select database
Add Schedule
Add a schedule to the policy. Select a schedule from the browse button.
Select schedule
LDAP Search Settings
Define the LDAP search criteria for finding user objects and specify which attributes should be collected from each object.
Option | Value | Description |
Search base | OU=InternalUsers,DC=nordicedge,DC=local | Use the search button to browse for a specific search base in the LDAP directory. |
Search scope | SUB | Enter the LDAP search scope SUB, ONE or BASE. |
Max search results | 0 | Enter 0 (zero) to get all results. |
Search filter | objectclass=user | Type an LDAP search filter or use the browse button to select an object class or attribute from the LDAP schema. Note that in Active Directory computer objects are also of objectClass user; the filter (&(objectCategory=person)(objectClass=user)) limits the result to user accounts. |
Get attributes | cn,sn,givenName,title,telephoneNumber,mail | Set the attributes that should be fetched for each object. Separate them with , (comma). When typing in the window, a type-ahead function shows matching attributes from the LDAP schema. |
LDAP Search Settings
Test the LDAP search settings to verify that a result is delivered from the LDAP directory.
Test Search Result
Actions Tab
Actions will be assigned to this policy later.
Enable the following check-boxes:
Option | Value | Description |
Stop Policy if no session objects | Enabled | Stop the policy if the search returns no session objects to process; if that happens, check the search criteria. |
Stop policy if an action fails | Enabled | Do not continue to run any other action if one fails. |
Other Tab
Contains a description of the policy and prerun checks.
Configure the following parameters:
Option | Value | Description |
Description | This policy synchronizes user information from Active Directory to a SQL database. Actions also convert attributes from AD to match the table layout in the SQL database. | Free-text description of this policy. |
Prerun Checks | ||
Verify primary database connection | Enabled | Check before running this policy that the assigned database is accessible. |
Verify SMTP connection | | Check before running this policy that the mail server (SMTP) is accessible. |
Verify other database connections | Microsoft SQL Express 2005 | Check before running this policy that these databases are accessible. Add a database to the list with the button. |
Run Garbage Collector after completion | | Force an immediate run of the Garbage Collector to free memory after the policy has completed. |
Clear objects from memory after completion | | Whether all session objects should be cleared from memory after the policy has run. |
Other tab
Log Tab
In this tab enable the checkbox “Enable Logging”.
After the policy has run, this execution log can be queried for statistics.
Execution Log
Configure Actions
There are many actions shipped with Identity Provisioning. Actions can be sorted in several ways.
In the left pane, right-click on Actions to see the available ways to sort actions. In this configuration the option Sorted by Action Type is selected.
Sorted action types
In this section three actions are configured and then added to the policy:
- Rename attributes for SQL. Rename attributes fetched from AD to match the column names in the SQL table.
- Create a random password. Create a new attribute with a random password for each object.
- Create or update SQL database. Create a new entry in the database if none exists, otherwise update the existing entry.
Action: Rename Attribute for SQL
In the left pane, browse to the action named Rename Attribute.
This action will rename a number of attributes from AD to match the table fields in the SQL database.
Option | Value | Description |
General tab | ||
Org Attribute | cn, sn, givenName | The attribute to be renamed. Rename multiple attributes by separating them with a comma. Type in the attributes or use the browse button to select a data source to show attributes from. |
New Attribute | Userid, LastName, FirstName | The new attribute names, in the same order. Spell them exactly as the SESSION(...) placeholders in the SQL action refer to them (Userid, LastName, FirstName below). |
Other tab | ||
Configuration notes | This action will rename a number of attributes from AD to match the table fields in the SQL database. | A description of usage of this action. |
Action description | Rename one or several session attribute(s) | Action description. |
Rename Attribute action
Action: Create a Random Password
Create a new attribute with a random password for each object.
In the left pane, browse to the action named Create a random password.
This action will create a random password and store the value in a new attribute.
Option | Value | Description |
General tab | ||
Attribute Name | Password | The name of the attribute to store the password in. Type in the attribute or use the browse button to select a data source to show attributes from. |
Min Length | 8 | The minimum length. Default 6. |
Max Length | 10 | The maximum length. Default 6. |
Use These Characters | abcdefghijklmnopqrstuvwxyz @$=! ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789 | A string with the characters to build the password value from. It must include lowercase and uppercase characters and digits if those are required by the settings below. |
Copy to Other Attribute | | Copy the password to another session attribute. |
Nr of Uppercase Chars | 2 | The number of uppercase characters to use in password value. |
Nr of Lowercase Chars | 2 | The number of lowercase characters to use in password value. |
Nr of Digits Chars | 2 | The number of digit characters to use in the password value. |
Other tab | ||
Configuration Notes | Create a new attribute with a random password for each object. | A description of the usage of this action. |
Action Description | Generate a password attribute. | Action description. |
Create Password Value action
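The following is an added example, not code from Identity Provisioning, showing what the settings above amount to when implemented: a generator that honours Min/Max Length, the Use These Characters set and the per-class minimums, plus a checker you can run over values seen in Dry Run. It uses Python's secrets module (a CSPRNG); the page does not say what generator the product uses, so that, and the function names, are assumptions of this example.

```python
import secrets
import string

# "Use These Characters" as configured in the action (the page's charset with the
# duplicated "q" removed); the class pools below are derived from it.
ALLOWED_CHARS = string.ascii_lowercase + "@$=!" + string.ascii_uppercase + string.digits


def generate_password(min_length=8, max_length=10, n_upper=2, n_lower=2, n_digits=2,
                      allowed=ALLOWED_CHARS):
    """Generate a password meeting the Create a random password action's settings:
    length in [min_length, max_length], at least n_upper/n_lower/n_digits characters
    of each class, every character taken from `allowed`. Uses the secrets module
    (CSPRNG); that the product does the same is an assumption, not stated on the page."""
    if min_length > max_length:
        raise ValueError("Min Length must not exceed Max Length")
    required = n_upper + n_lower + n_digits
    if required > max_length:
        raise ValueError("required character counts exceed Max Length")
    pools = (
        ([c for c in allowed if c in string.ascii_uppercase], n_upper, "uppercase"),
        ([c for c in allowed if c in string.ascii_lowercase], n_lower, "lowercase"),
        ([c for c in allowed if c in string.digits], n_digits, "digit"),
    )
    for pool, need, name in pools:
        if need and not pool:
            raise ValueError(f"Use These Characters contains no {name} characters")
    # Pick the length uniformly, never below what the class requirements need.
    length = max(required, min_length + secrets.randbelow(max_length - min_length + 1))
    chars = [secrets.choice(pool) for pool, need, _name in pools for _ in range(need)]
    chars += [secrets.choice(allowed) for _ in range(length - len(chars))]
    # CSPRNG-driven Fisher-Yates shuffle so the mandatory classes are not always in front.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies_settings(password, min_length=8, max_length=10, n_upper=2, n_lower=2,
                       n_digits=2, allowed=ALLOWED_CHARS):
    """Check a value against the same settings; useful for verifying Dry Run output."""
    return (min_length <= len(password) <= max_length
            and all(c in allowed for c in password)
            and sum(c.isupper() for c in password) >= n_upper
            and sum(c.islower() for c in password) >= n_lower
            and sum(c.isdigit() for c in password) >= n_digits)


def create_password_attribute(session, attribute="Password", copy_to=None, **settings):
    """Apply the action to one session object: store the value under `attribute` and,
    if "Copy to Other Attribute" is set, under `copy_to` as well. Returns the session."""
    value = generate_password(**settings)
    session[attribute] = value
    if copy_to:
        session[copy_to] = value
    return session


if __name__ == "__main__":
    # Constructed session object, as it would look after the Rename Attribute action.
    print(create_password_attribute({"Userid": "alice"}, copy_to="InitialPassword"))
```

With the settings on this page the required classes already fill six of the eight to ten positions, so the remaining characters are the only place the @$=! symbols can appear; if you need symbols reliably, add a minimum for them rather than relying on the charset alone.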
Action: Create or update SQL database entry
Create or update a database table with information.
In the left pane browse to the action named Write and Match to SQL.
This action creates the user if it does not exist, otherwise it updates the existing entry in the database.
Option | Value | Description |
General tab | ||
Force User Database | Microsoft SQL Express 2005 | Always match and write to this database. Use the browse button to select a defined SQL database. |
SQL Match Query | SELECT * FROM Person WHERE Userid='SESSION(Userid)' | Match a session object to a row in the SQL database. Use SESSION(attributeName) to insert session attribute values into the SQL query. The value is placed inside the SQL text, so a value containing a single quote (a surname such as O'Brien) breaks the statement, and a value an attacker can write into an attribute the policy reads can change the query that runs under the configured database login. Check in Dry Run how such values are handled before running the policy unattended. |
SQL Update Query | UPDATE Person SET LastName='SESSION(LastName)', FirstName='SESSION(FirstName)' WHERE Userid='SESSION(Userid)' | This query is executed if the match query found a result. Leave blank if no update should be performed. |
SQL Create Query | INSERT INTO Person (Userid, LastName, FirstName, Password) VALUES ('SESSION(Userid)', 'SESSION(LastName)', 'SESSION(FirstName)', 'SESSION(Password)') | This query is executed if the match query found no result. Leave blank if no create should be performed. Note that it stores the generated password in clear text in the Password column; hash it, or deliver it to the target system directly, unless the table is meant to hold clear-text initial passwords. |
Set isNew flag (true/false) | If set to true, the isNew flag will be set if the SQL Create Query is executed. Default: false. | |
Other tab | ||
Configuration notes | This action creates the user if it does not exist, otherwise it updates the existing entry in the database. | A description of the usage of this action. |
Action description | Match and update or create records and values to a SQL database. | Action description. |
Write and Match to SQL action
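The following is an added example, not code from Identity Provisioning, that runs the three actions above (rename, password, write and match) over constructed AD objects against an in-memory SQLite copy of the Person table, so it runs offline. It contrasts three ways of expanding the SESSION() placeholders: literal text substitution (the assumption this example makes about the page's syntax, since the page does not say whether the product escapes values), quote-doubling as the minimal hardening when only text substitution is available, and bind parameters as the preferred form. The function names, the sample rows and the attacker-controlled cn value are constructed for this example.

```python
import re
import sqlite3

# The three statements as configured in the action. They are SQL Server statements on
# the page; in-memory SQLite accepts them unchanged, which keeps this example offline.
MATCH_SQL = "SELECT * FROM Person WHERE Userid='SESSION(Userid)'"
UPDATE_SQL = ("UPDATE Person SET LastName='SESSION(LastName)', FirstName='SESSION(FirstName)' "
              "WHERE Userid='SESSION(Userid)'")
CREATE_SQL = ("INSERT INTO Person (Userid, LastName, FirstName, Password) VALUES "
              "('SESSION(Userid)', 'SESSION(LastName)', 'SESSION(FirstName)', 'SESSION(Password)')")

# Rename Attribute action: AD attribute -> name the SESSION() placeholders use.
RENAME = {"cn": "Userid", "sn": "LastName", "givenName": "FirstName"}

PLACEHOLDER = re.compile(r"SESSION\((\w+)\)")
QUOTED_PLACEHOLDER = re.compile(r"'SESSION\((\w+)\)'")


def rename_attributes(obj, mapping=RENAME):
    """Rename Attribute action: attributes not in the mapping are kept unchanged."""
    return {mapping.get(k, k): v for k, v in obj.items()}


def expand_naive(template, session):
    """Literal text substitution of SESSION(attr). Assumption: this is what the page's
    syntax does; the page does not say whether the product escapes the value."""
    return PLACEHOLDER.sub(lambda m: str(session[m.group(1)]), template), []


def expand_escaped(template, session):
    """Minimal hardening when only text substitution is available: double every single
    quote in the value so it cannot terminate the SQL string literal."""
    return PLACEHOLDER.sub(lambda m: str(session[m.group(1)]).replace("'", "''"), template), []


def expand_parameterized(template, session):
    """Preferred form: each quoted placeholder becomes a bind parameter, so the driver,
    not string concatenation, keeps data separate from SQL."""
    params = []

    def bind(m):
        params.append(session[m.group(1)])
        return "?"

    return QUOTED_PLACEHOLDER.sub(bind, template), params


def sync_object(conn, session, expand):
    """Write and Match to SQL: update the row if the match query hits, otherwise create."""
    cur = conn.cursor()
    if cur.execute(*expand(MATCH_SQL, session)).fetchall():
        cur.execute(*expand(UPDATE_SQL, session))
        conn.commit()
        return "updated"
    cur.execute(*expand(CREATE_SQL, session))
    conn.commit()
    return "created"


def new_person_table():
    """Constructed Employee.Person table with two existing rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Person (Userid TEXT PRIMARY KEY, LastName TEXT, "
                 "FirstName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Person VALUES (?, ?, ?, ?)",
                     [("alice", "Andersson", "Alice", "-"), ("bob", "Berg", "Bob", "-")])
    conn.commit()
    return conn


# Constructed AD search results: a normal user, a surname with an apostrophe, and a
# value an attacker managed to write into a directory attribute the policy reads.
AD_OBJECTS = [
    {"cn": "alice", "sn": "Andersson", "givenName": "Alice"},
    {"cn": "obrien", "sn": "O'Brien", "givenName": "Pat"},
    {"cn": "x' OR '1'='1", "sn": "Mallory", "givenName": "Eve"},
]


def run_policy(expand):
    """Run every AD object through rename -> write/match. Returns the per-object
    outcome and the final table contents."""
    conn = new_person_table()
    outcomes = []
    for obj in AD_OBJECTS:
        session = rename_attributes(obj)
        session["Password"] = "Tmp1234!"  # stands in for the Create a random password action
        try:
            outcomes.append(sync_object(conn, session, expand))
        except sqlite3.Error:
            outcomes.append("error")  # "Stop policy if an action fails" would halt here
    rows = conn.execute("SELECT Userid, LastName, FirstName FROM Person ORDER BY Userid").fetchall()
    conn.close()
    return outcomes, rows


if __name__ == "__main__":
    for name, expand in (("naive", expand_naive), ("escaped", expand_escaped),
                         ("parameterized", expand_parameterized)):
        print(name, *run_policy(expand))
```

With literal substitution the O'Brien object fails on the create query, and the crafted cn turns the match query into one that hits every row, so the update path overwrites the names of all existing users; with quote-doubling or bind parameters both objects are simply created as new rows with their literal values. The same table also shows why the database login should have no more than SELECT, INSERT and UPDATE on Person: whatever the expanded query does, it does with that login's rights.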
Add Actions to Policy
Add all of the above created actions to the policy.
In the left pane right click on Policies, and select the policy “Synchronize Active Directory to SQL db“.
Click on the tab Actions. In the window of available actions, find and select each action and click on the arrow to assign it to the policy.
Actions assigned to policy
Save the Configuration
Save the configuration before running or testing the policy.
Go to File-Save Configuration or use the key Ctrl+S.
Test “Dry Run” the Policy
Provisioning Configurator has built-in functionality to run a policy step by step. Running the policy this way lets you go through each object and each action performed on its session object. The purpose is to verify that the executed actions deliver the expected result.
In the left pane right click on Policies, and select the policy “Synchronize Active Directory to SQL db“.
Click on the button “Run policy”. This will start up the “Dry Run” mode.
Run policy
The search query result of the run is displayed after completion. Be patient if a large result is expected.
Click on the tab Objects and then select an entry to display the session attributes for that object.
Run policy session object and attributes
Click on the Actions tab to see which actions will be performed on this session object.
Each time the button “Next step” is clicked, one action is run. The result can be viewed in the session attributes displayed or in the tab Log.
Action results
The last action tries to match the AD object to the SQL database. It creates the user if it does not exist, otherwise it updates the existing entry in the database. Note that the “Dry Run” executes the real actions, including these SQL writes, so run it against a test copy of the database rather than the production table.
SQL action result viewed in Log tab
If the result of the “Dry Run” was as expected, uncheck “Confirm each object & action” to run through the rest of the session objects.