Task #423

IDs for provisioning

Added by Filip Měšťánek almost 7 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Urgent
Assignee: Vít Švanda
Category: Provisioning
Target version:
Start date: 05/12/2017
Due date:
% Done: 100%
Estimated time:
Owner:

Description

The IdM must allow 2 scenarios for IDs for provisioning:

  1. For example, when connecting LDAP, the identifier tends to be an attribute like distinguishedName. It uniquely identifies the object, but it can change. Usually the DN is built from the identity's name and organization. When its name or organization changes, the distinguishedName also needs to change. Currently IdM doesn't allow the identifier to change.
  2. The identifier is generated by the resource. An example is Active Directory, which generates a GUID when creating a record: a global identifier, which is immutable. It is then returned from the connector. Currently IdM requires the identifier to be generated in IdM.

Both of these scenarios are very common and it is critical to support them.

Actions #1

Updated by Vít Švanda almost 7 years ago

  • Status changed from New to In Progress
Actions #2

Updated by Vít Švanda almost 7 years ago

  • Category set to Provisioning
  • Target version set to Citrine (7.3.0)
Actions #3

Updated by Vít Švanda almost 7 years ago

  • % Done changed from 0 to 80
  • Allowed changing the account identifier (UID)
  • Added "uid" parameter to script "transformToResource".
  • Added test for changing the account UID.
Actions #4

Updated by Vít Švanda almost 7 years ago

  • % Done changed from 80 to 90

1) - The primary account (AccAccount.uid) can be changed now. More information is in the wiki: https://proj.bcvsolutions.eu/ngidm/doku.php?id=en:navrh:account-management#example_of_account_life_cycle.
2) - This case was implemented in the past. The GUID returned by the system should be saved to SysSystemEntity.uid.

  • I added the variable "uid" to the script "transformToSystem" - the interfaces had to be changed for this.
  • I created a test for the change-account-uid situation.
Actions #5

Updated by Vít Švanda almost 7 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Vít Švanda to Filip Měšťánek

Can you try it now?

Actions #6

Updated by Filip Měšťánek almost 7 years ago

  • Assignee changed from Filip Měšťánek to Vít Švanda

It still behaves strangely. I tried it on LDAP with the DN marked as the identifier:

  1. Created an account with DN 'cn=Ondrej Kopr,ou=AAA,O=XXXC=CZ'. This was saved to AccAccount and SysAccount.
  2. I changed the DN to 'cn=Ondrej Kopr,O=XXXC=CZ'. It changed the DN in LDAP and it was saved to the SysAccount, but the AccAccount remained the same.
  3. When I tried to provision the user again, it tried to create a new account!
Actions #7

Updated by Vít Švanda almost 7 years ago

This behavior makes sense (only SysSystemEntity.uid does not change).
The problem is that if SystemEntity.uid were updated automatically, this information would be lost for systems that generate their own ID.

Actions #8

Updated by Vít Švanda almost 7 years ago

  • Assignee changed from Vít Švanda to Ondřej Kopr

I have extended the behavior (AbstractProvisioningProcessor) to modify SystemEntity.uid if a different UID is returned from the system.
This works for creating and editing accounts.
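
The following is an added example, not CzechIdM's code, that models the two scenarios from the description and the behaviour described in this comment (the IdM-side account keeping a stale identifier after an LDAP rename, and an AD-style system that returns its own GUID on create). SystemEntity and Account stand in for SysSystemEntity and AccAccount; FakeLdap, FakeAd, the "__NAME__" attribute (the identifier the IdM computed, i.e. the "uid" passed to the transformation script), the "guid-0001" identifiers and the sample DNs are all constructed for the example. It assumes ConnId-style create/update calls that return the identifier the system actually ended up with. With sync_uid_from_system=False the processor keeps the identifier the IdM computed and the third provisioning of the renamed LDAP entry (and the second provisioning of the AD account) falls into a create that collides with the existing object; with sync_uid_from_system=True the returned identifier is written back to the system entity and later provisioning updates the existing object.

```python
"""Model of account-identifier handling between an IdM and a target system.

Constructed example (not CzechIdM code). The fake connectors return the
identifier the system ended up with, as ConnId-style create/update are
assumed to do: LDAP returns the (possibly renamed) DN, AD returns its GUID.
"""
from dataclasses import dataclass
from itertools import count


@dataclass
class SystemEntity:           # stands in for SysSystemEntity
    uid: str                  # identifier as known on the target system


@dataclass
class Account:                # stands in for AccAccount
    identity: str
    entity: SystemEntity


class AlreadyExists(Exception):
    """A create collided with an object that already exists on the system."""


class FakeLdap:
    """LDAP: the DN is the identifier; a new name/OU renames the entry."""

    def __init__(self):
        self.entries = {}         # dn -> attributes

    def create(self, attrs):
        dn = attrs["__NAME__"]
        if dn in self.entries:
            raise AlreadyExists(dn)
        self.entries[dn] = dict(attrs)
        return dn

    def update(self, uid, attrs):
        entry = self.entries.pop(uid)           # KeyError if the DN is unknown
        new_dn = attrs.get("__NAME__", uid)
        if new_dn != uid and new_dn in self.entries:
            raise AlreadyExists(new_dn)
        entry.update(attrs)
        self.entries[new_dn] = entry            # modrdn: the identifier changed
        return new_dn

    def exists(self, uid):
        return uid in self.entries


class FakeAd:
    """AD: the system assigns an immutable GUID; the DN is only an attribute."""

    def __init__(self):
        self.entries = {}         # guid -> attributes
        self._seq = count(1)

    def create(self, attrs):
        if any(e["__NAME__"] == attrs["__NAME__"] for e in self.entries.values()):
            raise AlreadyExists(attrs["__NAME__"])
        guid = f"guid-{next(self._seq):04d}"    # constructed stand-in for objectGUID
        self.entries[guid] = dict(attrs)
        return guid

    def update(self, uid, attrs):
        self.entries[uid].update(attrs)
        return uid                              # the GUID never changes

    def exists(self, uid):
        return uid in self.entries


class ProvisioningProcessor:
    """sync_uid_from_system=False keeps the IdM-computed id; True stores the returned id."""

    def __init__(self, system, sync_uid_from_system):
        self.system = system
        self.sync = sync_uid_from_system
        self.accounts = {}        # identity -> Account

    def provision(self, identity, attrs):
        account = self.accounts.get(identity)
        if account is None or not self.system.exists(account.entity.uid):
            returned = self.system.create(attrs)
            uid = returned if self.sync else attrs["__NAME__"]
            self.accounts[identity] = Account(identity, SystemEntity(uid))
            return ("create", uid)
        returned = self.system.update(account.entity.uid, attrs)
        if self.sync and returned != account.entity.uid:
            account.entity.uid = returned       # remember the renamed/generated id
        return ("update", account.entity.uid)


def run_scenario(system, sync, steps):
    """Provision each attribute dict in `steps` for one identity; record outcomes."""
    proc = ProvisioningProcessor(system, sync)
    outcomes = []
    for attrs in steps:
        try:
            outcomes.append(proc.provision("kopr", attrs))
        except AlreadyExists as e:
            outcomes.append(("conflict", str(e)))
    return outcomes


# Constructed sample input: an LDAP rename (OU dropped) and an AD create.
OLD_DN = "cn=Ondrej Kopr,ou=AAA,o=XXX,c=CZ"
NEW_DN = "cn=Ondrej Kopr,o=XXX,c=CZ"
LDAP_STEPS = [{"__NAME__": OLD_DN}, {"__NAME__": NEW_DN}, {"__NAME__": NEW_DN}]
AD_STEPS = [{"__NAME__": OLD_DN}, {"__NAME__": OLD_DN}]

if __name__ == "__main__":
    for label, system_cls, steps in (("ldap", FakeLdap, LDAP_STEPS), ("ad", FakeAd, AD_STEPS)):
        for sync in (False, True):
            print(label, "sync" if sync else "stale", run_scenario(system_cls(), sync, steps))
```

The check that matters is the third LDAP step: after the rename, the system entity either still carries the old DN (so the next provisioning cannot find the entry and falls into a create that collides) or carries the DN the connector returned (so the next provisioning is a plain update). The AD case is the same decision on create: keep the IdM-computed name, or keep the GUID the system handed back.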

Actions #9

Updated by Ondřej Kopr almost 7 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Ondřej Kopr to Vít Švanda
  • % Done changed from 90 to 100

Feedback (I tested this bugfix/feature on a temporary local LDAP, very simple to set up: https://github.com/intelie/dummyldap):

Tested with identities. OK, you may close this ticket.

Actions #10

Updated by Vít Švanda almost 7 years ago

  • Status changed from Resolved to Closed