
Propagating AD Changelog entries to ITIM


Peter

Dec 7, 2009, 12:53:12 PM12/7/09
As weird as this sounds, I need to determine how to read user
additions in Active Directory and extract enough user information to
provision them in Tivoli Identity Manager. Would I use the AD
Changelog tool to detect changes, then use the TIM connector to update
TIM?

thanks

Peter

Peter

Dec 7, 2009, 10:47:48 PM12/7/09

OK - I was able to use the AD Change connector to connect to my AD
system and read in the attributes - however, I need to watch a
particular OU for additions. My thought was I should be able to watch
the OU for adds, then extract them and pipe them to the Tivoli
Identity Manager ruleset which will provision them in ITIM. From there
the AD Agent on ITIM will perform passwd syncs. What I'm still not
sure of is how to process changes on the AD Changelog to view when
there are additions - if I can watch a change and output the
attributes to a file, I guess that would be one way to validate things....

thanks again

Peter Clark

Eddie Hartman

Dec 8, 2009, 5:12:07 AM12/8/09
Change Detection Connectors, like the one for AD you are
using, tag the Work Entry with a "delta operation code"
which tells you what this is: "add", "modify" or "delete".
There is a write-up on this (with perhaps a bit much detail...?)
that details the Delta Handling features in TDI:
http://www.tdi-users.org/twiki/bin/view/Integrator/HowTo#DeltaHandling

So in your filtering logic you can check the operation code
of the Work Entry to decide what to do. For example, with
this code in the Script condition of an IF Branch:

ret.value = work.getOperation() == "add"

And you could call this Branch "IF Add" and under it
have the components to pass this new entry on to your
targets.

-Eddie

Peter

Dec 8, 2009, 8:42:41 AM12/8/09

Thank you Eddie - I'll have a look - the thing I'm still unclear
about is what specifically I'm watching to determine a change. I can
set up the connector, enable the delta detection, and configure it
to output to a file to look for incoming changes - I think this is the
first part to figure out....still unsure...I'll read the link you sent
and see where I get from there - thanks again!

Peter

Victor Apetri

Dec 12, 2009, 3:12:42 PM12/12/09

Hello,
I need these AD changes and updates too :)
The AD OrganizationalPerson Identity Feed does not automatically update
the users from AD to TIM, and that's why I need this AD changelog too.
My questions are:
1. Is AD 2008 supported with the AD ChangeLog connector V2?
2. Instead of using IF branches, is it better to use case branches? One
case for each operation type (add, update, delete)?
3. I have tested the AD changelog with a TDI AD Changelog connector, and
the Add User in the changelog seems to be logged as an update
operation. Can this connector also update the groups from AD to roles
in TIM?
Thank you

Eddie Hartman

Dec 13, 2009, 6:09:37 AM12/13/09
1) TDI 6 is not supported on Win 2008 while TDI 7 is. That does
not mean that TDI 6 will not work on '08 though.

2) You only need an IF and ELSE branch, since Update mode
will automatically handle both adds and modifies.

IF work.getOperation() == "delete"
Delete mode Connector
ELSE
Update mode Connector

If your target is LDAP or JDBC then you can also use Delta mode
for output, which then does an incremental (fast) write to bring the
target in line with the source based on the delta operation tags.

3) You can determine an add by comparing the date created with
the date modified in the AD entry returned by the Change Connector.

Hope this helps!
-Eddie

Peter

Dec 17, 2009, 11:04:41 PM12/17/09
On Dec 8, 5:12 am, Eddie Hartman <eddiehart...@gmail.com> wrote:

ok - so I'm making forward progress - today on a lark I set changetype
to be changetype="add" and it picked up all the user adds, and then set
the objectclass to select a person object and it seems to have
worked...still working down the road...thanks for your help.

Peter

Eddie Hartman

Dec 18, 2009, 6:37:06 AM12/18/09
Glad to hear it, Peter. You just keep TDI'ing away at the nut and
you'll crack it for sure :)

Have a great Christmas!

-Eddie

Victor Apetri

Dec 20, 2009, 12:56:59 PM12/20/09

Congrats Peter, you are on the "yellow brick road" :)
Have you thought about how to get passwords from AD to ITIM?

Victor Apetri

Dec 20, 2009, 1:21:26 PM12/20/09

One more question: what info do you get from AD with the AD changelog
connector? Because I get only this data:

uSNChanged uSNCreated objectGUID systemFlags objectGUIDStr whenChanged
whenCreated instanceType showInAdvancedViewOnly objectCategory cn
objectClass isCriticalSystemObject $dn changeType
dSCorePropagationData description distinguishedName name

I can't see the groups of the users, last name, userid, etc.
And when the change type is modify, how can we see what modification
occurred? Group change, password change, name change, OU
change, etc.?

How did you resolve those problems?

Thank you

Eddie Hartman

Dec 21, 2009, 6:21:49 AM12/21/09
Unfortunately, Victor, AD does not deliver that level of detail
on changes. If you want to know exactly which Attributes are modified
you will need to use delta computation in TDI.

One way is to enable the Delta tab (this will only work in TDI 7
where the same entry can be handled more than once in an
iteration). For TDI 6 you could use the deltaEngine script
published here:

http://www.tdi-users.org/twiki/bin/view/Integrator/DeltaEngineScript

-Eddie
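The IF/ELSE routing from Eddie's earlier reply and the attribute-level delta computation he describes here can both be modelled in plain JavaScript (TDI's scripting language). This is an added example, not code from the thread or from TDI: the Work Entry is a constructed plain object, an in-memory store keyed on `objectGUIDStr` stands in for a real delta store, and the GUID, DNs and timestamps are constructed sample values.

```javascript
// Added example, not from the thread or TDI: the Work Entry is a constructed
// plain object and the timestamps are constructed AD generalized-time values.
// Bookkeeping attributes the AD Changelog connector adds; excluded from the diff.
const HOUSEKEEPING = new Set(["changeType", "$dn", "uSNChanged", "uSNCreated",
  "whenCreated", "whenChanged", "objectGUID", "objectGUIDStr"]);
// "delete" from the delta operation code; "add" when the code says so or when
// whenCreated equals whenChanged (Eddie's tip for adds that AD logs as updates).
function classifyChange(entry) {
  if (entry.changeType === "delete") return "delete";
  if (entry.changeType === "add") return "add";
  if (entry.whenCreated && entry.whenCreated === entry.whenChanged) return "add";
  return "modify";
}
// The IF/ELSE layout from the thread: Delete mode for deletes, Update mode
// (which covers both adds and modifies) for everything else.
function connectorMode(entry) {
  return classifyChange(entry) === "delete" ? "Delete" : "Update";
}
// AD only says that an object changed, not which attributes, so diff against the
// last copy seen; values become sorted string arrays so multi-valued ones compare.
function computeDelta(previous, current) {
  const norm = (v) => (Array.isArray(v) ? v.map(String).sort() : [String(v)]);
  const delta = {};
  for (const name of new Set([...Object.keys(previous), ...Object.keys(current)])) {
    if (HOUSEKEEPING.has(name)) continue;
    if (!(name in current)) { delta[name] = { op: "delete" }; continue; }
    if (!(name in previous)) { delta[name] = { op: "add", new: norm(current[name]) }; continue; }
    const a = norm(previous[name]), b = norm(current[name]);
    if (a.join("\0") !== b.join("\0")) delta[name] = { op: "replace", old: a, new: b };
  }
  return delta;
}
// Last-seen copies keyed on objectGUIDStr, which survives renames and OU moves
// (the DN does not); a constructed in-memory store standing in for a real one.
const snapshot = {};
function processChange(entry) {
  const key = entry.objectGUIDStr, kind = classifyChange(entry);
  const delta = kind === "modify" && snapshot[key] ? computeDelta(snapshot[key], entry) : {};
  if (kind === "delete") delete snapshot[key]; else snapshot[key] = entry;
  return { kind, mode: connectorMode(entry), delta };
}
// Constructed sample: a user at creation, then after an OU move and a
// description edit (the "ou change" case Victor asks about).
const created = { objectGUIDStr: "guid-0001", changeType: "modify", cn: "jdoe",
  whenCreated: "20091201090000.0Z", whenChanged: "20091201090000.0Z",
  description: "Contractor", distinguishedName: "CN=jdoe,OU=Contractors,DC=example,DC=com" };
const moved = { ...created, whenChanged: "20091222160000.0Z", description: "Employee",
  distinguishedName: "CN=jdoe,OU=Staff,DC=example,DC=com" };
const results = [created, moved].map(processChange);  // kinds: "add", then "modify"
```

The first entry is classified as an add purely from the equal timestamps, and the second yields a delta naming only `description` and `distinguishedName`, which is the detail the change log itself never provides.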

Victor Apetri

Dec 22, 2009, 4:42:48 PM12/22/09

Thank you Eddie for the idea, but how can I propagate from AD to TIM
when a user's membership is changed from admin users to normal users?
Does uSNChanged catch this change?
