Hi everyone,
we are currently working on implementing FIM 2010 for synchronizing multiple LDAP and AD systems.
Since we are only using the synchronisation engine without the FIM Portal, we built a small web app connected to an MSSQL database.
Currently, we are looking at our LDAP:
If an object is deleted directly in the LDAP (not through FIM), the connector object is also deleted in the connector space of the LDAP MA. While doing that, we are also setting an attribute called "ldapAccountActive" in the web app connector to "false",
so we can tell if the identity managed through our web app has an account inside the LDAP directory. We do that through the MapAttributesForExport method in the extension for the web app MA:
    void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        switch (FlowRuleName)
        {
            case "setLdapActiveState":
                // Only clear the flag when it is currently set to true on the connector
                // and the identity has no connector left in the LDAP MA connector space.
                // The IsPresent guard avoids an exception when the attribute is absent.
                if (csentry["ldapAccountActive"].IsPresent && csentry["ldapAccountActive"].BooleanValue)
                {
                    if (mventry.ConnectedMAs["LDAP"].Connectors.Count == 0)
                    {
                        csentry["ldapAccountActive"].BooleanValue = false;
                    }
                }
                break;
            default:
                throw new EntryPointNotImplementedException();
        }
    }
This part works without problems. If we run an export to the web app, we check if the identity has connectors in the LDAP and set the attribute.
Our problem is with the provisioning. We have the following provisioning code in the MA extension:
    // Provisioning entry point of the extension (FIM calls Provision once per metaverse object).
    void IMVSynchronization.Provision(MVEntry mventry)
    {
        ConnectedMA managementAgent = mventry.ConnectedMAs["LDAP"];
        int connectors = managementAgent.Connectors.Count;

        // An absent ldapAccountActive attribute counts as false instead of throwing
        // when BooleanValue is read on a missing attribute.
        bool ldapAccountActive = mventry["ldapAccountActive"].IsPresent
                                 && mventry["ldapAccountActive"].BooleanValue;

        // Create a new LDAP entry only when the identity has no connector in the
        // LDAP MA connector space and the flag says the account should exist.
        if ((connectors == 0) && ldapAccountActive)
        {
            ValueCollection objectClassValues = Utils.ValueCollection(
                new string[] { "person", "inetOrgPerson", "organizationalPerson" });

            CSEntry csentry = managementAgent.Connectors.StartNewConnector("inetOrgPerson");

            string serialNumber = mventry["serialNumber"].Value;
            ReferenceValue dn = managementAgent.EscapeDNComponent("cn=" + serialNumber)
                                               .Concat("ou=Users,o=Company");
            csentry.DN = dn;
            csentry["objectclass"].Values = objectClassValues;
            csentry["cn"].Value = serialNumber;
            csentry["serialNumber"].Value = serialNumber;
            csentry["sn"].Value = mventry["lastName"].Value;
            csentry["givenName"].Value = mventry["firstName"].Value;
            csentry.CommitNewConnector();
        }
    }
In provisioning, we determine if a new account should be provisioned to the LDAP by two criteria:
- does the identity managed through the web app have no connectors in the LDAP MA connector space?
- is the "ldapAccountActive" state set to "true"?
This works fine, as long as we create a new identity directly in the web app, project it to metaverse, set the "ldapAccountActive" state to "true" and run an export on the LDAP MA.
If we now delete an account in the LDAP directory and run a full sync cycle (Export, Import, Sync) on the LDAP MA, the "ldapAccountActive" attribute is set correctly on the "csentry" of the web app MA. The problem is that at this moment the provisioning method is also triggered. Meaning that at that point in time, the "csentry" is correct, but the "mventry" has not yet been set to the correct "ldapAccountActive" state, which we need to determine if an LDAP account should be provisioned.
What that means is:
We delete an account in the LDAP and FIM immediately provisions a new one. This can only be stopped if we set the "ldapAccountActive" state to "false" through the web app. This is not what we want in our case. There has to be a way to delete an LDAP account either through the web app or through the LDAP directly.
Is there a way to accomplish that?
Thank you in advance. Sorry for the long text.
Regards,
Timo
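For diagnosing the ordering described in the post (which value of "ldapAccountActive" the Provision method actually sees when it fires), here is an added C# diagnostic class; it is example code, not code from the post and not part of FIM. It keeps the post's decision rule unchanged and only records what Provision observes. The MA name "LDAP" and the attribute names come from the post; the web app MA name "WebApp" and the log path are assumptions (the post does not give them).

```csharp
using System;
using System.IO;
using Microsoft.MetadirectoryServices;

// Added diagnostic example: logs, for one metaverse object and one sync run,
// the LDAP connector count, the metaverse value of ldapAccountActive and the
// value currently on the web app connector, next to the provisioning decision.
public class ProvisionDiagnostics
{
    // Assumption: the web app MA is called "WebApp" in the Synchronization Service.
    private const string WebAppMaName = "WebApp";
    private const string LdapMaName = "LDAP";
    // Placeholder path; point it at a directory the sync service account can write to.
    private const string LogPath = @"C:\FIMLogs\provision-trace.log";

    // The rule from the post: provision only when there is no LDAP connector
    // and the metaverse flag is true.
    public static bool ShouldProvision(int ldapConnectorCount, bool mvAccountActive)
    {
        return ldapConnectorCount == 0 && mvAccountActive;
    }

    // Reads the flag from the metaverse; an absent attribute counts as false
    // instead of throwing when BooleanValue is read on a missing attribute.
    public static bool ReadMvFlag(MVEntry mventry)
    {
        return mventry["ldapAccountActive"].IsPresent
               && mventry["ldapAccountActive"].BooleanValue;
    }

    // Reads the same flag from the web app connector; null when the identity has
    // no web app connector or the attribute is not present on it.
    public static bool? ReadWebAppConnectorFlag(MVEntry mventry)
    {
        foreach (CSEntry cs in mventry.ConnectedMAs[WebAppMaName].Connectors)
        {
            if (cs["ldapAccountActive"].IsPresent)
            {
                return cs["ldapAccountActive"].BooleanValue;
            }
        }
        return null;
    }

    // Call this at the top of IMVSynchronization.Provision(MVEntry mventry).
    public static void TraceDecision(MVEntry mventry)
    {
        int ldapConnectors = mventry.ConnectedMAs[LdapMaName].Connectors.Count;
        bool mvFlag = ReadMvFlag(mventry);
        bool? csFlag = ReadWebAppConnectorFlag(mventry);
        bool decision = ShouldProvision(ldapConnectors, mvFlag);

        string line = string.Format(
            "{0:o} mv={1} ldapConnectors={2} mv.ldapAccountActive={3} webapp.cs.ldapAccountActive={4} provision={5}",
            DateTime.UtcNow,
            mventry.ObjectID,
            ldapConnectors,
            mvFlag,
            csFlag.HasValue ? csFlag.Value.ToString() : "absent",
            decision);

        File.AppendAllText(LogPath, line + Environment.NewLine);
    }
}
```

A log line with `mv.ldapAccountActive=True`, `webapp.cs.ldapAccountActive=False` and `provision=True` for the same object during the sync that follows the LDAP delete is the exact situation the post describes: the connector already carries the new value while the metaverse still holds the old one at the time Provision runs.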