Identity Manager 4.0.1 Driver for Scripting Implementation ... - NetIQ
command=`IDMGETVAR "COMMAND"`
# check for an add event
if [ "$command" = "add" ]; then
  # call the add script
  add.sh
fi
Example 2:
# obtain the event’s association and CN attribute
ASSOCIATION=`IDMGETVAR "ASSOCIATION"`
CN=`IDMGETVAR "ADD_CN"`
if [ "$CN" = "bob" ]; then
  # for "bob", check to see if he’s been enabled
  ENABLE=`IDMGETVAR "REMOVE_Login Disabled"`
  if [ "$ENABLE" = "true" ]; then
    # bob is enabled again
    cmd="appenable -association $ASSOCIATION"
    EXEC "$cmd"
  fi
fi
Handling Associations
The association value indicates which identity has been changed. If the identity has no association,
an association must be generated for it using an implementation-specific rule that you have adopted.
When Identity Manager processes an event for an identity with no association, it executes the
driver’s Matching policy. This policy attempts to match the event’s identity to an identity on the
external application’s system. Usually doing this involves executing a query. The default Matching
policy included with the Scripting driver queries for matching Users and Groups based on the CN
attribute. If the event’s identity matches an identity on the external application, both identities must
be assigned the new association. Assigning this association can be done as part of the query-handling
script. (Handling queries is discussed in more detail in “Handling Query Events” on
page 51.) If no identity matches, an Add event is issued, and the new association can be assigned as
part of the Add event-handling script:
# Adding an association
IDMSETVAR "COMMAND" "ADD_ASSOCIATION"
IDMSETVAR "ASSOCIATION" "$MyAssociation"
IDMSETVAR "EVENT_ID" "$EVENT_ID"
IDMSETVAR "DEST_DN" "$SRC_DN"
IDMSETVAR "DEST_ENTRY_ID" "$SRC_ENTRY_ID"
The above example demonstrates each name/value pair that must be set for an association to be
assigned by the Identity Manager engine. The values of EVENT_ID, SRC_DN and SRC_ENTRY_ID are
always sent by the engine during an add event and are therefore available for your add script to
obtain using IDMGETVAR. The example above also illustrates the IDMSETVAR function. For
detailed information on how to use IDMSETVAR, see Section C.1, “UNIX Shell (idmlib.sh)
Reference,” on page 143. This function sets a name and value that indicate what action Identity
Manager should perform. For example, the pair COMMAND and ADD_ASSOCIATION instructs the shim
to create an add-association document to assign an association to an identity, as discussed above.
The pair EVENT_ID and $EVENT_ID instructs the shim to give the add-association document the event ID
held in the variable $EVENT_ID. This is important for the engine to match documents sent
and returned on the subscriber channel.
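The add-association step above, written out as a complete add-event handler that checks the engine-supplied values before answering. This is an added example, not code from the NetIQ guide. Assumptions: the stand-in IDMGETVAR and IDMSETVAR definitions (used only when idmlib.sh has not been sourced), the rule that the CN is the association, the character allowlist, and the constructed sample event.

```shell
#!/bin/sh
LC_ALL=C; export LC_ALL   # predictable character ranges in the case patterns

# Constructed sample event, used only by the stand-ins below.
SAMPLE_EVENT='COMMAND=add
EVENT_ID=constructed-event-0001
SRC_DN=cn=bob,ou=users,o=constructed
SRC_ENTRY_ID=12345
ADD_CN=bob'

# Stand-ins so the sketch runs outside the driver; skipped when idmlib.sh
# has already defined the real functions. Their behaviour here is assumed.
command -v IDMGETVAR >/dev/null 2>&1 || {
  IDMGETVAR() { printf '%s\n' "$SAMPLE_EVENT" | sed -n "s/^$1=//p"; }
  IDMSETVAR() { printf '%s=%s\n' "$1" "$2"; }
}

# Allowlist for association values (an assumed rule): non-empty, no leading
# "-", only letters, digits, ".", "_" and "-". A value that passes cannot add
# words or options to a command string such as the one built in Example 2.
valid_association() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

handle_add() {
  event_id=$(IDMGETVAR "EVENT_ID")
  src_dn=$(IDMGETVAR "SRC_DN")
  src_entry_id=$(IDMGETVAR "SRC_ENTRY_ID")
  # The engine sends these three on every add event; stop if any is missing.
  if [ -z "$event_id" ] || [ -z "$src_dn" ] || [ -z "$src_entry_id" ]; then
    echo "add: EVENT_ID, SRC_DN or SRC_ENTRY_ID missing" >&2
    return 1
  fi
  # Assumed association rule: the CN is the application's account key.
  MyAssociation=$(IDMGETVAR "ADD_CN")
  if ! valid_association "$MyAssociation"; then
    echo "add: association failed validation, not assigned" >&2
    return 1
  fi
  IDMSETVAR "COMMAND" "ADD_ASSOCIATION"
  IDMSETVAR "ASSOCIATION" "$MyAssociation"
  IDMSETVAR "EVENT_ID" "$event_id"
  IDMSETVAR "DEST_DN" "$src_dn"
  IDMSETVAR "DEST_ENTRY_ID" "$src_entry_id"
}
handle_add
```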
The Subscriber can also issue MODIFY_ASSOCIATION and REMOVE_ASSOCIATION commands: