Environment
Novell Identity Manager 3.6.1
Novell Compliance Management Platform 1.0
NetIQ Identity Manager 4.0
Situation
What is the format for the Account Tracking attributes used in NCMP 1.0 ?
What is the structure of the DirXML-Accounts attribute?
How do I create the Account Tracking attribute in my custom driver?
Resolution
The DirXML-Accounts attribute holds the information that the Sentinel driver and the Identity Table use to perform Identity Tracking. In NCMP 1.0, only the AD and LDAP drivers populate this attribute.
The Schema for the attribute and the auxiliary class it is part of are available below:
--
-- DirXML-Accounts
-- Holds information about accounts in other systems like the system name,
-- account name and account status
--
"DirXML-Accounts" ATTRIBUTE ::=
{
Operation ADD,
SyntaxID SYN_CE_STRING,
Flags {DS_SYNC_IMMEDIATE, DS_STRING_ATTR},
LowerBound 0,
UpperBound 64512,
ASN1ObjID {2 16 840 1 113719 1 14 4 1 2409}
}
--
-- **DirXML-Identity: 2060-2069
--
-- DirXML-Identity
-- Holds information about this identity and accounts it has in other systems
--
"DirXML-Identity" OBJECT-CLASS ::=
{
Operation ADD,
Flags {DS_AUXILIARY_CLASS},
MayContain {"DirXML-Accounts"},
ASN1ObjID {2 16 840 1 113719 1 14 6 1 2060}
}
The DirXML-Accounts attribute, as used by the Identity Table, must be formatted in a specific way. Each value is a string composed of 6 parts, delimited by the pound sign "#". The fields are:
<driver guid>#<account id type>#<account id>#<idv account status>#<app account status>#<app Name>
Some examples of values (one per line):
{80ABFD39-CEE1-db11-AC7D-000BCD9E83F6}#sAMAccountName#JDoe#A#A#AD
{80ABFD39-CEE1-db11-AC7D-000BCD9E83F6}#userPrincipalname#JDoe@mycompany.com#A#A#AD
{80ABFD39-CEE1-db11-AC7D-000BCD9E83F6}#DN#cn=JDoe,cn=users,dc=mycompany,dc=com#A#A#AD
{80ABFD39-CEE1-db11-AC7D-000BCD9E83F6}#association#5de77f84f3ab534babbf13edd6540d77#A#A#AD
{80ABFD39-CEE1-db11-AC7D-000BFFFF12DC}#DN#cn=JonDoe,cn=users,dc=mycompany,dc=com#A#I#LDAP
The field definitions are as follows:
Driver ID (driver guid)
The driver identifier uniquely identifies a driver within the enterprise. It is based on the driver's eDirectory object GUID, which is unique within the tree and not expected to change. This accounts for scenarios in which multiple drivers connect to the same application, for example two Active Directory drivers synchronizing accounts from the same domain.
Account Identifier Type (account id type)
An account might have several login IDs or unique account identifiers per application. This field indicates which type of login ID or account identifier is used in the account identifier field. For example, in Active Directory an account can be identified by, and a user can log in using, the sAMAccountName attribute, the userPrincipalName attribute or the object's distinguished name (DN).
Account Identifier
The identifier that uniquely identifies this account in an application. An account might have multiple unique identifiers per application. For example, in Active Directory an account is identified by its sAMAccountName, userPrincipalName and LDAP DN, and in IDM the account is known by its association. Each AD account is therefore represented by 4 entries in the DirXML-Accounts table.
Identity Vault Account Status
This indicates whether an account is active (A), inactive (I), or undefined (U) in the application, where that status was triggered by the subscriber channel (Identity Vault).
Application Account Status
This indicates whether an account is active (A), inactive (I), or undefined (U) in the application, where that status was triggered by the application (publisher channel). For this field to be updated correctly, the attribute of interest must be in the driver's publisher filter and set to either synchronize or notify only.
Application Name
The application name, domain or realm this account is associated with. This typically identifies an application or system within the enterprise.
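The following is an added example, not Novell/NetIQ code and not part of the original article. It builds DirXML-Accounts values in the 6-field, "#"-delimited format described above (the four entries per AD account and the single DN entry per LDAP account), parses existing values back into their fields, and rejects values that do not have exactly 6 fields, that carry an unknown status code, or whose driver ID is not in the braces-and-hyphens GUID form shown in the sample values. The GUID pattern, the requirement that no field contain "#", and the `status_mismatches` helper (which surfaces entries whose Identity Vault status and application status disagree) are this example's own assumptions, not rules stated on the page. The sample values are the ones listed above.

```python
# Added example (not Novell/NetIQ code): build, parse and sanity-check
# DirXML-Accounts values in the 6-field, '#'-delimited format.
import re
from dataclasses import dataclass

FIELD_COUNT = 6
STATUS_CODES = {"A", "I", "U"}  # active, inactive, undefined
# Assumption: the driver GUID is written as in the page's samples, {8-4-4-4-12} hex.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass(frozen=True)
class AccountEntry:
    driver_guid: str   # eDirectory GUID of the driver object
    id_type: str       # e.g. sAMAccountName, userPrincipalName, DN, association
    account_id: str    # the identifier of that type
    idv_status: str    # status as driven by the Identity Vault (subscriber channel)
    app_status: str    # status as reported by the application (publisher channel)
    app_name: str      # application, domain or realm

    def to_value(self) -> str:
        """Serialise to the attribute value string, refusing fields that would
        corrupt the delimiter-based format."""
        fields = (self.driver_guid, self.id_type, self.account_id,
                  self.idv_status, self.app_status, self.app_name)
        validate_fields(fields)
        return "#".join(fields)


def validate_fields(fields) -> None:
    """Field-level checks shared by the builder and the parser."""
    guid, id_type, account_id, idv, app, app_name = fields
    if any("#" in f for f in fields):
        # Assumption: '#' cannot be escaped, so it may not appear inside a field.
        raise ValueError("'#' is the delimiter and may not appear inside a field")
    if not GUID_RE.match(guid):
        raise ValueError(f"driver guid not in {{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}} form: {guid!r}")
    if idv not in STATUS_CODES or app not in STATUS_CODES:
        raise ValueError(f"status codes must be one of {sorted(STATUS_CODES)}")
    if not (id_type and account_id and app_name):
        raise ValueError("account id type, account id and application name are required")


def parse_value(value: str) -> AccountEntry:
    """Parse one DirXML-Accounts value; anything other than exactly 6 fields is rejected."""
    fields = value.split("#")
    if len(fields) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} '#'-delimited fields, got {len(fields)}: {value!r}")
    validate_fields(tuple(fields))
    return AccountEntry(*fields)


def ad_account_values(driver_guid, sam, upn, dn, association,
                      idv_status="A", app_status="A", app_name="AD"):
    """The four values the text says represent one AD account."""
    ids = (("sAMAccountName", sam), ("userPrincipalName", upn),
           ("DN", dn), ("association", association))
    return [AccountEntry(driver_guid, t, v, idv_status, app_status, app_name).to_value()
            for t, v in ids]


def ldap_account_value(driver_guid, dn, idv_status="A", app_status="A", app_name="LDAP"):
    """The single DN entry the text says suffices for an LDAP account."""
    return AccountEntry(driver_guid, "DN", dn, idv_status, app_status, app_name).to_value()


def status_mismatches(values):
    """Entries whose vault-side and application-side status disagree, such as
    '...#A#I#LDAP' (active in the vault, inactive in the application).
    Assumption: such rows are worth reviewing; this only surfaces them."""
    return [e for e in map(parse_value, values) if e.idv_status != e.app_status]


# Sample values as listed on the page.
SAMPLE_VALUES = [
    "{80ABFD39-CEE1-db11-AC7D-000BCD9E83F6}#sAMAccountName#JDoe#A#A#AD",
    "{80ABFD39-CEE1-db11-AC7D-000BCD9E83F6}#userPrincipalname#JDoe@mycompany.com#A#A#AD",
    "{80ABFD39-CEE1-db11-AC7D-000BCD9E83F6}#DN#cn=JDoe,cn=users,dc=mycompany,dc=com#A#A#AD",
    "{80ABFD39-CEE1-db11-AC7D-000BCD9E83F6}#association#5de77f84f3ab534babbf13edd6540d77#A#A#AD",
    "{80ABFD39-CEE1-db11-AC7D-000BFFFF12DC}#DN#cn=JonDoe,cn=users,dc=mycompany,dc=com#A#I#LDAP",
]

if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(parse_value(v))
    print("status mismatches:", status_mismatches(SAMPLE_VALUES))
```

A custom driver would emit the strings returned by `ad_account_values` or `ldap_account_value` as the values of DirXML-Accounts on the user object; `parse_value` is the check to run over values already in the tree before relying on them in the Identity Table.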
Account Identifier Breakdown by Application
| Driver/Application | Account Identifier Type | Account Identifier Sample Data | Comments |
|---|---|---|---|
| AD | sAMAccountName | flastname | |
| AD | userPrincipalName | flastname@novell.com | |
| AD | DN | cn=flastname,cn=users,dc=novell,dc=com | |
| AD | association | 5de77f84f3ab534babbf13edd6540d77 | |
| LDAP | DN | cn=flastname,cn=users,dc=novell,dc=com | Since the LDAP driver uses the DN as the association value, only one entry per LDAP application is needed |