The IDM Toolbox offers a powerful set of functions to all system integrators, consultants, project managers and customers dealing with NetIQ Identity Manager or large directory trees. It consists of a rich set of functions covering the following tasks:
- Specify, generate and document drivers
- Design workflow forms and mail templates
- Analyse LOG files
- Data Migration & Modification on directory objects
- Document workflows, directory abstraction layer (DAL) and schema
- Workflow Translation
- Create Acceptance Documents for projects, drivers and workflows
- Collaboration with versioning and data exchange
This article is Part I of a series of which will explain the rich set of functions within the IDM toolbox. This article covers data migration of directory objects, otherwise known as directory cloning.
The NetIQ Identity Manager is a very powerful solution. It offers an incredible set of functionality for user provisioning, role based access control, segregation of duties, approval and re-certification processes. eDirectory is the heart of the system that makes it so powerful, flexible and reliable.
We can store users and groups, servers and workstations, organizational units, roles and resources, and a lot more of different object types in eDirectory. Whatever you want to save in eDirectory you can do it. If it does not support the type of object you want to store in eDirectory you can just create a new object class from scratch or build a new one based on an existing object class.
So it happens within an Identity Management project, that you have to deal with thousands, ten thousands or even millions of objects. When you have to do mass modification of directory objects like ’all users in location Buenos Aires must have the value ES in the attribute language’ or ’delete all DirXML-Associations with the Active Directory driver’ you will have a hard time finding a tool to solve this task. Furthermore if you have different environments for developing, testing, staging, production etc. and you have to copy live data from your production tree to your test tree, it won’t be easy to find the right tool.
The IDM Toolbox
The IDM Toolbox offers an easy and convenient solution for these tasks. Besides many other functions it has two modules for:
- cloning objects from one directory tree (source) to another tree (destination)
- mass modification of any object or attribute within your directories
Object Migration (Direcory Cloning)
You may have two IDM environments, one for testing and one for production. Once in a while you have to copy the current user and group objects from your live system (production) into your test system, because you need accurate data from production. How do you solve this task? Do you do a LDIF export from production and a LDIF import into the test system? Depending on how often you have to do this and how complex the tree is, where the users and groups reside that you have to migrate, it can consume a good amount of your valuable time.
If you have to change some attribute values before you import the data, you have to modify the LDIF file. Do you write a script to do this? Not to mention the problem that you have to do the import twice, because of the group memberships. You cannot import groups without the users already existing and vice versa you cannot import the users with the group memberships without the group existing.
The Directory Cloner provides you with all the necessary functions to copy just those objects and attributes you need from one directory tree to another and transform attribute values if needed. The definition process is straight forward.
- specify the connection parameter of the two directory trees
- define the mandatory attributes of the object
- you may add attributes you do not want to copy
- optionally you add some regex expression, for transforming attribute values
- copy & paste the DN’s of the objects you want to copy
- start the copy process
Let’s assume we have two identical trees. Let’s call them Utopia (you may know the Novell Online Demo System NODS). In both trees all user and group object reside in container “o=data”. In our example we want to copy all objects in container “o=data” from one tree into a container “o=CloneDir” in the other tree (figure 1).
First we have to define the connection parameters that the IDM Toolbox needs to connect to both trees. We select tab “Connection” and create the appropriate connection definitions. In our example one tree is running on IP 172.17.2.91 and the other tree on IP 172.17.2.92. We name one connection “Utopia Oct11 IP91” and the other connection “Utopia Oct11 IP92”.
Configure the correct port, userid and password to connect to the tree. Remember if you select SSL for the LDAP connection you have to import the certificate into the java keystore file.
After you have defined your connection parameters select the “CloneDir“ tab. First select the source and destination trees. Source tree is Utopia Oct11 IP91 and the destination tree is Utopia Oct11 IP92. The next parameters you should best leave unchanged. Just to give you the whole picture here’s a short explanation of those parameters.
Pass 1 / 2:
The cloning process is executed in two passes. The first pass just creates the basic object without additional attributes. Here you can choose whether you want to execute pass 1.
Pass 2 / 2:
Pass two adds all attributes to the objects created on the first pass. Here you can select whether you want to execute the second pass.
This option removes all special characters (like point, blank etc.) from object names that may cause problems.
This option sorts all pasted DN’s alphabetically before objects are processed. This guarantees for example that sub-containers will be created before a user has to be placed into that container because the DN of the container is shorter than the DN of the user to be placed there.
The next 3 parameters add a lot of flexibility into the copy process.
Define all attributes that have to be valued per objectclass. Just write the name of the objectclass followed by every attribute that has to be valued. If you have multiple objectclasses just separate the next entry with a “;“.
InetOrgPerson, sn, givenName, mail; groupOfNames, description
User objects must have values for the attributes “sn“ and “givenName“ and group objects must have a value for the attribute “description“ otherwise the object is not copied.
Per objectclass you have the option to drop specific attributes you do not want to copy. Just name the attributes you do not want to copy.
As you can define regular expressions to transform any attribute value, it sometimes makes sense to exclude attribute values from these expressions. The best example is the attribute ldapPhoto. It can happen that if some binary combination fulfills the regular expression it would be transformed. To avoid this unwanted side effect, exclude those attributes from being evaluated by the regular expressions by defining them as “copy attributes”.
DN’s to clone
Here you paste the DN’s of all objects you want to copy. We recommend that you use the Apache Directory studio to connect to the source tree, define a filter and just copy & paste the DN’s from there into the IDM Toolbox.
The “Regular Expression” option is very powerful. Every object and attribute is passed thru all defined regular expressions. In this specific case we only want to replace the original destination “o=data” with “o=CloneDir”. To do so we add the regular expression:
As we have pasted all DN’s from the Utopia tree 172.27.2.91 from Apache Directory Studio into the IDM Toolbox dialog it should look similar to what is shown in figure 3.
When the clone process finishes a windows will pop up to ask you whether you want to download the log file. Please do this. If you have missed this pop up window, select the tab “Clone Log” and press the button “refresh log”. You will see a detailed log there also. Please be aware of the two pass process in the log. First you see that pass 1 was creating the basic objects without additional attributes. Afterwards you will see that pass 2 added all the attributes to the objects.
As the final result you will see the original container “o=data” from the source tree with all its contents in the destination tree in container “o=CloneDir”.
Cloning directory data from one tree to another can be a time consuming and risky task. With the IDM Toolbox you create on the fly reusable templates to copy selected objects and transform their contents accordingly from one source tree the desired destination tree.
In IDM projects you often have to do mass modifications (add, replace, delete attribute values) on selected objects in a directory. The IDM Toolbox provides a powerful way to create flexible and reusable mass modification processes and I shall discuss this in the next article.
SKyPRO has developed the IDM Toolbox over a period of years working on many different IDM projects to help make NetIQ Identity Manager an even more valuable proposition.
The IDM Toolbox offers a powerful set of functions to all system integrators, consultants, project managers and customers dealing with NetIQ Identity Manager or large directory trees.
It consists of a rich set of functions covering the following tasks:
The IDM Toolbox is a java application that will run on Windows, Linux or Macintosh workstations. It uses a web browser interface and all main browsers are supported.
Some of the modules are free of charge and some need a commercial licence. For more information visit the website.
(This article was published in OHM28, 1-2015, p17-20).