|
| |
| Sun Java[TM] System Identity Manager 7.1 Deployment Tools | |
Chapter 4
Developing AdaptersThis chapter describes how to construct your own custom Sun Java™ System Identity Manager resource adapter that is tailored to your company or customer. Specifically, this chapter:
This information is organized as follows:
You are encouraged to use the sample adapters (called skeleton adapters) that ship with the product as a starting point for your own custom adapter. To enhance your understanding of these valuable starter files, this chapter uses them frequently to exemplify particular characteristics of resource adapter files.
OverviewThis section provides an overview of basic issues related to adapter purpose and function with Identity Manager. It covers the following topics:
Who Should Read this Chapter?
This chapter provides background that describes overall resource adapter design and operation that may be useful to:
This chapter assumes that you are familiar with creating and using the built-in Identity Manager resources and familiar with the topics discussed in the Resources chapter of Sun Java™ System Identity Manager Administration.
What is a Resource Adapter?
Each resource that you want Identity Manager to communicate with or manage must be defined by a resource object in Identity Manager. Identity Manager requires a resource object for each resource that it must manage. A resource adapter class contains the methods needed to register the resource object in the Identity Manager repository and to manage the external resource.
An adapter’s primary purpose is to define the essential characteristics of this resource type. This information is saved in the Identity Manager repository as a resource object.
Resource objects define the capabilities and configuration of the resource you are managing in Identity Manager, including the information described in Table 4-1.
Table 4-1 Information Defined by Resource Objects
Type of Information
Sample Attributes
Connection information
User attributes
Identity Manager attributes
Your customized adapter provides the means to define these essential characteristics as well as the methods to transform requests from Identity Manager into actions performed on the resource.
Note
You can view resource objects from the Identity Manager Administrator Interface from the Debug page.
A resource adapter serves as a proxy between Identity Manager and an external resource, such as an application or database. A resource adapter class implements the methods needed to push information from Identity Manager to the resource or optionally pull information from the resource into Identity Manager. The optional pull capability is known as Active Sync. A resource adapter with Active Sync capability is referred to as Active Sync-enabled.
Identity Manager supplies Active Sync-enabled adapters for some common resources, such as Active Directory, and supplies standard resource adapters for many other resource types, including Web servers, Web applications, databases, and even legacy applications and operating systems. The resource adapters supplied with Identity Manager provide a generic interface to each of the different resource types that Identity Manager supports. Given an instance of one of these supported resource types, the resource adapter can communicate with and manage the real-world resource.
The open architecture of Identity Manager allows for custom resource adapters in order to permit management of external resources that are not already supported by supplied resource adapters. The mechanism for creating new custom resource adapter types are discussed later in this chapter.
How Do Active Sync-Enabled Adapters
and Standard Adapters Differ?A resource adapter can be a standard adapter and/or an Active Sync-enabled adapter. In Java terms, a resource adapter extends the ResourceAdapterBase class to be a standard resource adapter, and implements the Active Sync interface to be Active Sync-enabled.
Active Sync-enabled adapters can retrieve information from the source. They are typically either driven by events or poll the resource for information. Standard resource adapters push changes to account information to the external resource managed by Identity Manager.
Standard resource adapters propagate changes from Identity Manager to their managed resources. The typical administrative activities that resource adapters perform include:
Active Sync-enabled adapters can gather the data changes directly from the resource to initiate activities in Identity Manager. These activities include:
Types of Resources Monitored by Active Sync-Enabled Adapters
Active Sync-enabled adapters are especially suitable for supporting the following resource types:
For example, when a user account is modified natively on the Active Directory server, the transaction is recorded in an audit log. The Identity Manager Active Directory resource can be configured to review this log every 30 minutes and any changes found will trigger events in Identity Manager.
Other Active Sync-enabled adapters can be registered with the resource through an API. The adapter is then notified with an event message when changes occur to items. These messages contain a reference to the item that has changed, the information that is updated, and often the user that made the change. For example, the LDAP resource uses the notification implementation of Active Sync-enabled adapters.
- Databases populated with update information. Database resources can also be managed by using a table of deltas. You can generate this table through several different ways. For example, you could compare a snapshot of the database to the current values and creating a new table with the differences. The adapter can then pull the rows from the table of deltas, process them, and subsequently mark them when completed.
- Databases with modification timestamps. A third type of Active Sync-enabled adapter is one that can query for database entries that have been modified after a particular time, run updates, and then poll for new queries.
By storing the last successfully processed row, Identity Manager can perform a “starts with” query to minimize polling impact. Only the changes that have been made to the resource because the last time are returned for processing.How Standard Resource Adapters Work
This section presents an overview of the basic steps of standard adapter processing.
All standard resource adapters follow these general steps when pushing information from Identity Manager to the resource managed by Identity Manager:
- Identity Manager server initializes the resource manager.
All available resource types are registered through the Resource Adapter interface. As part of the registration process, the resource adapter provides a prototype XML definition.
- User initiates process of creating a new resource.
When an Identity Manager administrator creates a new resource, the task which is creating the form to display the prototype definition for the resource type is queried for the resource attribute fields. Identity Manager uses these attributes to display a form on the browser. The user who is creating the new resource fills in the information and clicks Save.
- Identity Manager saves the entered information along with the other resource fields in the resource object repository under the name of the new resource object.
When the user clicks Save during resource creation, the creation task gathers the entered data, executes any necessary validation, then serializes the data via XML before writing the serialized object to the object repository.
- Identity Manager displays the list of available resources in a multi-selection box when an Identity Manager user is created, or modified.
Selecting a resource causes Identity Manager to query the resource object for the available account attribute fields. Identity Manager uses these field descriptions to display a form that contains the attribute fields, which the user can fill in with the appropriate data.
- The resource object is queried for the connection information when this form is saved, and a connection is established with the resource.
- The adapter sends the command to perform the intended action on the account on the resource over this connection.
- If this is a create request, the Identity Manager user object is updated with the resource account information.
When user account information is displayed, Identity Manager requests the list of resources on which the user has accounts from the saved account object. For each resource, Identity Manager queries the resource object and uses the connection information to establish a connection to the resource.
The adapter sends a command over this connection to retrieve account information for the user, and it uses the retrieved information to fill in the attribute fields that are defined in the resource object. The system creates a form to display these values.
How Active Sync-Enabled Adapters Work
This section describes:
Basic Active Sync-Enabled Adapter Processing
All Active Sync-enabled adapters follow the following basic steps when listening or polling for changes to the resource managed by Identity Manager. When the adapter detects that a resource has changed, the Active Sync-enabled adapter:
- Extracts the changed information from the resource.
- Determines which Identity Manager object is affected.
- Builds a map of user attributes to pass to the IAPIFactory.getIAPI method, along with a reference to the adapter and a map of any additional options, which creates an Identity Application Programming Interface (IAPI) object.
- Sets the logger on the IAPI event to the adapter’s Active Sync logger.
- Submits the IAPI object to the Active Sync Manager.
- Active Sync Manager processes the object and returns to the adapter a WavesetResult object that informs the Active Sync-enabled adapter if the operation succeeds. This object can contain many results from the various steps that the Identity Manager system uses to update the identity. Typically, a workflow also handles errors within Identity Manager, often ending up as an Approval for a managing administrator.
Exceptions are logged in the Active Sync and Identity Manager tracing logs with the ActiveSyncUtil.logResourceException method.
Identifying the Identity Manager User
When the Active Sync-enabled adapter detects a change to an account on a resource, it either maps the incoming attributes to an Identity Manager user, or creates an Identity Manager user account if none can be matched.
The following parameters determine what happens when a change is detected.
The presence of a Process Rule determines whether IAPIProcess is used, or IAPIUser is attempted. If Identity Manager cannot use IAPIUser because a correlation or confirmation rule did not uniquely identify an Identity Manager user for the event given the other parameter settings, and a Resolve Process Rule is configured, it is used to create an IAPIProcess event. Otherwise an error condition is reported.
IAPIUser checks out a view and makes this view available to the user form. For creates and updates, the User view is checked out. For deletes, the deprovision view is checked out. However, a view is not available with IAPIProcess. Either a Process rule has been set, or a Resolve Process rule is invoked.
Preparing to Create a Custom AdapterThe following section describes an approach to begin developing your custom adapter.
Understanding Your Resource
This section helps you prepare to edit the adapter file, including:
Getting to Know Your Resource
Use the following questions to help gather information and define prerequisites.
Which type of default Identity Manager resource adapter does your planned adapter most closely resemble?
See Table 4-4 for a brief description of the adapter files that are shipped with the standard Identity Manager configuration. Select the Identity Manager adapter file that most closely matches the resource type to which you are connecting.
What are the characteristics of user accounts on the resource? How do you perform basic tasks on the resource?
You should find out how to perform the following tasks on the remote resource:
- Authenticate access to the remote resource
- Update user
- Search for changes to users (Active Sync-enabled only)
- Get the details on the changed users
- List all users on the system
- Identify a way to search for changed users only. (Active Sync-enabled only)
- List other system objects such as groups, which are used in the listAllObjects method
You will also need to identify the minimum attributes needed to perform an action as well as all supported attributes.
Do you have appropriate tools to support connection to the resource?
Many resources are shipped with a set of APIs or a complete toolkit that you can use when integrating an outside application to the resource. Find out if your resource has a published set of APIs or if the toolkit provides documentation and tools to speed up integration with Identity Manager. For example, for databases, you will need to connect to the database through JDBC.
Who can login and search for users on the resource? How do they do so?
Most resource adapters require an administrative account that they can run as to perform tasks such as searching for users and retrieving their attributes. This is often a highly privileged, or super user, account but may be a delegated administration account with read-only access.
Can the resource be customized to add additional attributes?
Most resources allow you to extend the built-in attributes. For example, Active Directory and LDAP both allow the creation of custom attributes.
Consider which attributes you want this resource to maintain in Identity Manager, what their names are on the resource and how you want them named in Identity Manager. The attribute names will go in the schema map and end up as inputs to the form that is used when creating a resource of that type.
Which attributes/actions on the source will create an event? (Active Sync-Enabled)
If the resource supports subscribing to notification messages when changes are made (such as LDAP), identify which attribute changes you want to trigger the notification and which attributes you want in the message.
Which action will Identity Manager take when an event on the source is detected? (Active Sync-enabled)
These actions can include:
Do you want your Active Sync-enabled adapter to be driven by events in the external resource or by set polling intervals?
Before you make your decision, consider how polling works within typical Identity Manager installations. Although some installations implement or are driven by external events, most environments in which Identity Manager is deployed use a hybrid method.
You can choose one of the following approaches:
- Setting Up Polling Intervals. The poll interface can be called by an ActiveSyncManager thread at a configurable interval or on a specified schedule. You can set polling parameters, including settings such as faster polling if work was received, thread-per-adapter or common thread, and limits on the amount of concurrent operations.
- Setting Up an Event-Driven Environment. Adapters can also be purely event-driven. In this model, the adapter sets up a listening connection (such as an LDAP listener) and waits for messages from the remote system. In this case, the poll method can be implemented to do nothing, and the polling interval set to an arbitrary value, such as once a week. If the updates are event-driven, they must have a guaranteed delivery mechanism (such as MQ Series) or synchronization will be lost.
- Implementing a Hybrid Solution. In this scenario, external events can trigger smart polling, and the regular poll routine can recover from missed messages. (Smart polling is adapting the poll rate to the change rate and polling infrequently unless changes are being made often. It balances the performance impact of frequent polling with the update delays of infrequent polling.)
In this model, incoming messages can be queued and multiple updates for a single object can be collapsed into a single update, increasing efficiency. For example, multiple attributes can be updated on a directory, and each one triggers a message. The poll routine can walk the message queue and remove all duplicates, then fetch the complete object. This ensures that the latest data is synchronized and the updates are handled efficiently.
Additional Preparations
After using the preceding questions to profile your resource, continue your preparations by completing the following steps:
- Identify the list of methods that you must write.
The most time-intensive part of creating an adapter file is writing your own methods for pushing information from Identity Manager to the resource or creating a feed from the resource into Identity Manager.
The methods you include in your Java file depend in part upon which type of resource you are creating a connection to.
- Review the Identity Manager JavaDoc.
The relevant JavaDoc are included on your product CD and identify the base classes and methods that you will use as is or those that you will need to extend.
What’s in the Resource Extension Facility (REF) Kit?
The Sun Resource Extension Facility Kit (provided in the /REF directory on your product CD or with your install image) is your guide to creating your custom resources. This REF Kit provides the example code and tools you need to create custom resource and Active Sync-enabled adapters.
Table 4-3 describes the file and directory categories provided in the REF Kit.
Resource Adapter Samples
The Ref kit provides sample adapter files and tools that you can use to jump-start the process of creating your own custom adapter. The resource source files give you an example of the different types of resources that are commonly developed. The Ref kit also provides a set of skeleton files that are intended for you to use as the basis for your adapter development.
Table 4-4 describes the sample files provided in the REF Kit.
Identifying Code for Revision
Both skeleton files that are shipped in the REF kit contain @todo and change-value-here text strings that identify the places in the code where you must make adapter-specific modifications. When customizing these files, search on these strings to determine where you must make changes.
Table 4-5 identifies the text you can search for when identifying code that needs customization.
Setting Up a Build Environment
Set up a build environment following these steps:
Prerequisite: You must install the JDK version required for your Identity Manager version.
After installing the JDK, install the REF kit by copying the entire REF directory to your system.
- Change directories to the new directory and create a file called ws.bat (if you are working on a system running a Microsoft Windows operating system) or ws.sh (if you are working on a UNIX system).
- Add the following lines to this file before saving and closing it:
:Where WSHOME is the path where the REF kit is installed and JAVA_HOME identifies the path where Java is installed.
Getting Started
Use the following steps to start creating a custom adapter:
- Copy the appropriate skeleton file to a name of your choice.
- Edit your adapter source file. Perform a global search for Skeleton, and replace it with the name of your adapter.
- Source the ws.bat or ws.sh file you created previously to set up your environment.
- Compile your source files using the following command:
javac -d . -classpath %CLASSPATH% yourfile.java
Getting Familiar with Your Resource AdapterThis section provides an overview of the resource adapter source code components that are common to most adapters and provides examples from the skeleton adapters that are part of the Resource Extension Facility.
Adapter Components
Table 4-6 describes the main resource adapter components.
Table 4-6 Adapter Components
File Component
Description
Standard Java header information
Includes identification of the parent class for the new adapter class file you are creating, constructors, and imported files.
prototypeXML string
Defines which information about the resource appears in the Identity Manager interface. Maps each resource attribute to an Identity Manager User Attribute.
Methods that create a feed from the resource into Identity Manager
In Active Sync-enabled adapters, presents methods that search the resource for changes or receive updates. Writing these methods requires that you understand how to register for or search for changes on the resource as well as how to communicate with the resource.
Methods that perform the update operations in the Identity Manager repository
In Active Sync-enabled adapters, performs the feed form the resource into Identity Manager.
Methods that write information from Identity Manager in to the external resource
These customized methods must be written by a developer with knowledge of the resource.
Note
One enhancement to the skeleton adapter file is the addition of the @todo and @change-attribute-here comments. These comments mark places where you should substitute adapter-specific text.
Resource Information Defined in Resource Adapters
There are three distinct types of information that define a resource in Identity Manager, and they are defined for the resource type in the adapter file:
- Resource attributes. Defined in the prototypeXML section of the adapter Java file. You can modify these values from the Identity Manager interface when creating a specific instance of this resource type.
- Account DN or identity template. Includes account name syntax for users, which is especially important for hierarchical namespaces.
- Identity Manager account attributes. Defined in the Schema map for the resource. Identity Manager account attributes define the Identity Manager attributes of the resource object.
Standard Java Header Information
The header information is representative of the standard Java files (including public class declaration and class constructors). You must edit the sections of the file that list the constructors and public classes, and, if necessary, the imported files.
PrototypeXML Section
This section of the adapter Java file (the prototypeXML) is the XML definition of a resource. It must contain the resource name and all attributes of the resource that the Identity Manager interface will display.
Table 4-7 introduces the components of the prototypeXML. Some components are more relevant for resource adapters than Active Sync-enabled adapters. Each component that is relevant for Active Sync-enabled adapters is discussed in greater detail in the sections following the table.
Table 4-7 prototypeXML Components
Component
Description
Resource
Define top-level characteristics of resource. Keywords for this element include:
Resource attributes
Used by Identity Manager to configure the resource. Resource attributes are XML elements that are defined with the <ResourceAttribute> element. Keywords for this element include:
- type: Identifies supported data types (currently, string only).
- multi: Specifies whether multiple values can be accepted for the attribute.
If set to true, a multi-line box is displayed.- facets: Specify usage for this resource attribute.
- provision: Used in standard processing. This is the default value.
- activesync: Used in Active Sync processing, if Active Sync is configured and enabled.
Account attributes
Defines the default schema map for basic user attributes. Account attributes are defined with the <AccountAttribute> element. You define account attributes that map to the standard Identity Manager account attribute types differently than you map to custom attributes.
For more information on mapping account attributes to resource attributes, see How to Map Resource Attributes to Identity Manager Account Attributes.
Identity template
Defined by the <Template> tag, this template defines how the account name for the user is built. Account names are typically of two forms. One form is the accountId, which is typically used for resources with a flat namespace such as NT or Oracle.
The other is a complete distinguished name of the user in the form: cn=accountId,ou=sub-org,ou=org,o=company. This latter form is used for hierarchical namespaces such as directories.
Login configuration
(Standard resource adapter only) Defined by the <LoginConfigEntry> element, this value defines the values for support of pass-through authentication for this resource. For more information about pass-through authentication, see the Sun Java™ System Identity Manager Resources Reference.
Form
(Active Sync-enabled adapter only) Designates a form object that will process the data from the Active Sync-enabled adapter before it is integrated into Identity Manager. A form is optional, but in most cases it provides flexible changes in the future. It can be used to transform the incoming data, map the data to other user attributes on the other resource accounts, and cause other actions in Identity Manager to occur.
Resource user form
(Active Sync-enabled adapter only) Defined by the <ResourceUserForm> element.
Resource Methods
Resource methods can be categorized by task. When developing your own custom adapter, you first determine which categories are necessary to meet the goals of your development. For example, is your adapter going to be an Active Sync-enabled adapter? Will the first phase of your deployment support password reset only? The answers to these questions determine which methods must be completed. Additional information about each functional category is discussed later in this chapter.
These resource methods categories are described in Table 4-8.
Table 4-8 Resource Methods Categories
Category
Description
Basic
Provide the basic methods for connecting to the resource and performing simple actions
Bulk operations
Provide bulk operations to get all the users from the resource
Active Sync
Provides the methods to schedule the adapter.
Object management
Provides the methods to manage groups and organizations on your resources.
Defining the PrototypeXML Section
In the resource source code, the prototypeXML defines the resource object that is stored in the Identity Manager repository.
Table 4-9 describes the five, distinct types of information that define a resource in Identity Manager. The first three types are visible to administrators when they are defining the resource. The remaining two types help define the resource but are not easily modifiable by Identity Manager administrators.
Table 4-9 Information Types that Define Identity Manager Resources
Information Type
Description
Resource attribute
Defines the connection information on the resource being managed. Resource attributes typically include the resource host name, resource administrator name and password, and the container information for directory-based resources. Identity Manager attributes such as the list of resource approvers and the number of times to retry operations on the resource are also considered resource attributes.
Account attribute
Maps the relationship between the Identity Manager attribute name and the resource attribute name. These attributes are defined on the resource schema map and appear in the prototypeXML. For example, on LDAP, the resource attribute sn is mapped to the more common attribute in Identity Manager called lastname.
Identity template or
account DNDefines the default account name for users.
Login config
Defines the parameters that are used if this resource is to be used for pass-through authentication. Typically, these parameters are username and password. However, in the example of SecurId, it includes a user name and passcode.
Object management
Resource Attributes
Resource attributes define:
From the perspective of an administrator using the Identity Manager Administrator Interface, these attributes define the field names that are visible in the Identity Manager interface and prompt the user for values.
For Windows NT resources, attributes can include source name, host name, port number, user, password, and domain. For example, the Create/Edit Resource page for a resource type requires a host field in which administrators creating a resource identify the host on which the resource resides. This field (not the contents of the field) is defined in this adapter file.
- Authorized account that has rights to create users on the resource.
For a Windows NT resource, this includes the user and password fields.- Source attributes including the form, the Identity Manager administrator that the adapter will run as, scheduling and logging information, and additional attributes used only in Active Sync methods.
How Resource Attributes Are Defined
Resource attributes are defined in the Java file with the <ResourceAttribute> element as follows:
<ResourceAttribute name='"+RA_HOST+"' type='string' multi='false'\n"+ description='<b>host</b><br>Enter the resource host name.'>\n"+
The description field identifies the item-level help for the RA_HOST field and must not contain the < character. In the preceding example, the < characters are replaced by < and '.
Table 4-10 describes the keywords you can use in <ResourceAttribute> element.
Table 4-10 <ResourceAttribute> Element Keywords
Keyword
Description
name
Identifies the name of the attribute. For a list of the required attributes, see Required Resource Attributes.
type
Identifies data type used. Currently, only the string type is supported.
multi
Specifies if multiple values can be accepted for the attribute. If true, a multi-line box is displayed.
description
Identifies the item-level help for the RA_HOST field. Identity Manager displays help with the item being described (host in this case) in bold text. Because the HTML brackets necessary to do this (< and >) interfere with XML parsing, they are replaced by < and >. After the binary is translated, the description value looks like:
Description=’<b>host</b> Enter the resource host name.’
facets
Specifies the usage of this resource attribute. Valid values are
Overwriting Resource Attributes You can choose between the following two strategies when working with resource adapters and adapter parameters:
In Code Example 4-1, the user form must override the resource attribute value for template during the creation of each user. When implementing similar code in a production environment, you would probably include more detailed logic that would calculate this template value within your user form.
Code Example 4-1 Overriding the Resource Attribute Value for template
<Field name='template'>
<Display class='Text'>
<Property name='title' value='NDS User Template'/>
</Display
</Field>
<!-- Change NDS for the name of your NDS resource -->
<!-- The word Template is the name of the attribute field, as viewed in the resource xml -->
<Field name='accounts[NDS].resourceAttributes.Template'>
<Expansion>
<ref>template</ref>
</Expansion>
</Field>
Required Resource Attributes Table 4-11 describes the resource attributes provided in the skeleton adapter files.
Table 4-11 Resource Attributes in Skeleton Adapter Files
Required Resource Attribute
Description
RA_HOST
The host name of the resource. This corresponds to the Host field on the Resource Parameters page.
RA_PORT
The port number used to communicate with the resource. This corresponds to the Port field on the Resource Parameters page.
RA_USER
The name of a user account that has permission to connect to the resource. The field name varies on the Resource Parameters page.
RA_PASSWORD
The password for the account specified by RA_USER. This corresponds to the Host field on the Resource Parameters page.
Table 4-12 describes the Active Sync-specific attributes defined in the ACTIVE_SYNC_STD_RES_ATTRS_XML string of the Active Sync class.
Table 4-12 Active Sync-Specific Attributes Defined in ACTIVE_SYNC_STD_RES_ATTRS_XML
Required Resource Attribute
Description
RA_PROXY_ADMINISTRATOR
Identity Manager administrator for authorization and logging. This corresponds to the Proxy Administrator field in the Identity Manager display. You do not define this value in the adapter Java file. Instead, an administrator enters this information when defining a specific instance of this resource type.
RA_FORM
Form that processes incoming attributes and maps them to view attributes. This corresponds to the Input Form field.
RA_MAX_ARCHIVES
Specifies the number of log files to retain.
RA_MAX_AGE_LENGTH
Specifies the maximum time before a log file is archived. If time is zero, then no time-based archival will occur. If the value of RA_MAX_ARCHIVES is zero, then the active log will instead be truncated and re-used after this time period.
RA_MAX_AGE_UNIT
One of seconds, minutes, hours, days, weeks, or months. This value is used with RA_MAX_AGE_LENGTH.
RA_LOG_LEVEL
Logging level (0 disabled; 4 very verbose). This corresponds to the Log Level field in the Identity Manager display.
RA_LOG_PATH
Absolute or relative path for the log file. This corresponds to the Log File Path field in the Identity Manager display.
RA_LOG_SIZE
Maximum log file size. This corresponds to the Maximum Log File Size field in the Identity Manager display.
RA_SCHEDULE_INTERVAL
Pop-up menu of the supported scheduling intervals (second, minute, hour, day, week, month).
RA_SCHEDULE_INTERVAL_COUNT
The number of intervals between scheduled periods (for example, 10 minutes would have an interval count of 10 and an interval of minute). Not necessary for Active Sync-enabled adapters.
RA_SCHEDULE_START_TIME
The time of the day to run. Setting this to 13:00 and the interval to week would set the adapter to run at 1 P.M. once a week. Not necessary for Active Sync-enabled adapters.
RA_SCHEDULE_START_DATE
The date to start scheduling. Setting date to 20020601, the interval to month, and the time to 13:00 would have the adapter start running on June 1st and run once a month at 1 P.M. Not necessary for Active Sync-enabled adapters.
Table 4-13 describes the Active Sync-specific attributes which are defined in the ACTIVE_SYNC_EVENT_RES_ATTRS_XML string in the by default class. See Identifying the Identity Manager User for more information about each of these attributes.
Table 4-13 Active Sync-Specific Attributes Defined in ACTIVE_SYNC_EVENT_RES_ATTRS_XML
Required Resource Attribute
Description
RA_PROCESS_RULE
The name of a TaskDefinition or a rule that returns the name of a TaskDefintion to run for every record in the feed. This parameter overrides all others.
RA_CORRELATION_RULE
A rule that returns a list of strings of potentially matching users/accountIDs, based on the resource account attributes in the account namespace.
RA_CONFIRMATION_RULE
A rule that confirms if a user is a match.
RA_DELETE_RULE
A rule that determines whether a delete detected on the resource is processed as an IAPI delete event, or as an IAPI update event.
RA_CREATE_UNMATCHED
If set to true, creates unmatched accounts. If false, don’t create the account unless the process rule is set and the workflow it identifies determines that a create is warranted. The default is true.
RA_RESOLVE_PROCESS_RULE
A rule that determines the workflow to run when there are multiple matches using the confirmation rule on the results of the correlation rule.
RA_POPULATE_GLOBAL
Indicates whether to populate the global namespace in addition to the activeSync namespace. The default is false.
Account Attributes
The standard Identity Manager account attributes (defined in the AttributeDefinition object) include the following:
Identity Manager account attributes define the Identity Manager attributes of the resource object. The prototypeXML section of the adapter file maps the incoming resource attributes to account attributes in Identity Manager. These account attributes are visible when you access the Edit Schema page. (To access the Edit Schema page, click Edit Schema at the bottom of the Edit/Create Resource page.)
The attribute mappings specified in the resource schema map determine which account attributes that can be requested when creating a user. Based on the role selected for a user, the set of account attributes that are prompted for will be the union of attributes of all resources in the selected role. With an Active Sync-enabled adapter, these are the attributes that are available to update the Identity Manager user account. The Active Sync-enabled adapter collects these attributes and stores them in the global area for the input form.
When administrators have created an instance of a resource, they can subsequently use a schema map to:
The schema map is optional. It is provided as a utility to allow the administrator to edit inputs to an Active Sync-enabled adapter, which are often database column names or directory attribute names. Using the schema map and the form, you can implement Java code to handle a resource type, defining details of the resource configuration in the map and form.
For information on creating a resource or editing a resource schema map, see Sun Java™ System Identity Manager Administration.
Schema Maps and Active Sync-Enabled Adapters
Identity Manager uses an Active Sync resource’s schema map in the same way that it uses a typical schema map. It specifies which attributes to fetch from the resource and their local names. All attribute names that are listed in the schema map (that is, all attributes that exist on the resource) are made available to the Active Sync form and the user form with the activeSync.name attribute. If the Active Sync resource does not use a form, all attributes are named global to ensure that all attributes automatically propagate to attributes with the same name on all resources. Use a form rather than the global namespace.
Tip
Never put the accountId attribute in the global namespace. It is a special attribute that is used for identifying the waveset.account.global. The accountId attribute also will become a resource's accountId directly if the resource account is being created for the first time, bypassing the identity template.
For example, if a new Identity Manager user is created through the Active Sync-enabled adapter and that user has an LDAP account assigned to it, the LDAP accountID will match the global.accountId instead of the correct DN from the DN template.
How to Map Resource Attributes to Identity Manager Account Attributes
You can map an account attribute to standard Identity Manager account attributes or to a custom attribute (called an Extended Schema Attribute).
Code Example 4-2 shows the incoming resource attribute mapped to a standard Identity Manager account attribute. The <AccountAttributesTypes> element surrounds the prototypeXML section where you map the resource attribute to the Identity Manager account attribute. You define each account attribute with the <AccountAttributesType> element.
Code Example 4-2 Defining Account Attributes with <AccountAttributesType>
"<AccountAttributeTypes>\n"+
<AccountAttributeType name='accountId' mapName='change-value-here' mapType='string' required='true'>\n"+
"<AttributeDefinitionRef>\nt"+
<ObjectRef type='AttributeDefinition' name='accountId'/>\n"+
"</AttributeDefinitionRef>\n"+
"</AccountAttributeType>\n"+
"</AccountAttributeTypes>\n"+
For more information on mapping resource attributes to account attributes, see Setting Options and Attributes for the Adapter.
Standard Resource Adapter-Specific Issues with prototypeXML
The following issues are specific to account attributes in resource adapters only:
User Identity Template
The user identity template establishes the account name that is used when creating the account on the resource. It is used to translate information about an Identity Manager user account to account information on the external resource.
Account names are currently in one of two forms:
You can use any schema map attribute (an attribute listed on the left side of the schema map) in the identity template.
You can overwrite the user identity template from the User form. This is commonly done to substitute organization names.
About User Names in Identity Manager
A user has an identity for each of his accounts. This identity can be the same on some or all accounts. The system sets the identity for an account when the account is provisioned. The Identity Manager user object maintains a mapping between a user's identities and the resources to which they correspond. The user has a primary accountId in Identity Manager that is used as a key as well as a separate accountId for each of the resources on which he has an account and is denoted in the form of accountId:<resource name>, as shown in Table 4-14.
Table 4-14 Account IDs
Attribute
Example
accountId
maurelius
accountId:NT_Res1
marcus_aurelius
accountId:LDAP_Res1
uid=maurelius,ou=marketing,ou=employees,o=abc_company
accountId:AIX_Res1
maurelius
Flat Namespaces
You typically use the accountId attribute for systems with a flat namespace, which include:
For resources with flat namespaces, the identity template can simply specify that the Identity Manager account name should be used.
Hierarchical Namespaces
Distinguished name can include the account name, organizational units, and organizations. It is used for systems with a hierarchical namespace.
For resources with hierarchical namespaces, the template can be more complicated than that of a flat namespace. This allows the full, hierarchical name to be built.
Table 4-15 contains examples of hierarchical namespaces and how they represent distinguished names.
Table 4-15 Hierarchical Namespace Examples
System
Distinguished Name String
LDAP
cn=$accountId,ou=austin,ou=central,ou=sales,o=comp
Novell NDS
cn=$accountId.ou=accounting.o=comp
Microsoft Windows 2000
CN=$fullname,CN=Users,DC=mydomain,DC=com
Here is an example of an identity template for a resource with a hierarchical namespace such as LDAP:
uid=$accountID,ou=$department,ou=People,cn=waveset,cn=com
Where:
Creating an Identity Template out of Multiple User Attributes You can also create an identity template out of a portion of multiple user attributes. For example, a template could consist of the first letter of the first name plus seven characters of the last name. In this scenario, you can customize the user form to perform the desired logic and then override the identity template that is defined on the resource.
Login Configuration and Pass-Through Authentication The <LoginConfigEntry> element specifies the name and type of login module as well as the set of authentication properties required by this resource type to complete successful user authentication.
The <LoginConfig> and <SupportedApplications> sections of the adapter file specify whether the resource will be included in the options list on the Login Module configuration pages. Leave this section of the file unchanged if you want the resource to appear in the options list.
Each <AuthnProperty> element contains the following attributes:
Table 4-16 <AuthnProperty> Element Attributes
Attribute
Description
name
Identifies the internal authentication property name.
displayName
Specifies the value to use when this property is added as an HTML item to the Login form.
formFieldType
Specifies the data type that can be either text or password. This type is used to control whether data input in the HTML field associated with this property is visible (text) or not (password)s
isId
Specifies whether this property value should be mapped to the Identity Manager accountID. For example, a property should not be mapped when the property value is an X509 certificate.
dataSource
Specifies the source for the value of this property. The default value is user.
doNotMap
Specifies whether to map to a LoginConfigEntry.
Most resource login modules support both the Identity Manager Administrator Interface and the Identity Manager User Interface.
Code Example 4-3 illustrates how SkeletonResourceAdapter.java implements the <LoginConfigEntry> element:
Code Example 4-3 SkeletonResourceAdapter.java Implementing <LoginConfigEntry>
<LoginConfigEntry name='"+Constants.WS_RESOURCE_LOGIN_MODULE+"' type='"+RESOURCE_NAME+"' displayName='"+RESOURCE_LOGIN_MODULE+"'>\n"+
" <AuthnProperties>\n"+
" <AuthnProperty name='"+LOGIN_USER+"' displayName='"+DISPLAY_USER+"' formFieldType='text' isId='true'/>\n"+
" <AuthnProperty name='"+LOGIN_PASSWORD+"' displayName='"+DISPLAY_PASSWORD+"' formFieldType='password'/>\n"+
" </AuthnProperties>\n"+
" <SupportedApplications>\n"+
" <SupportedApplication name='"+Constants.ADMINCONSOLE+"'/>\n"+
" <SupportedApplication name='"+Constants.SELFPROVISION+"'/>\n"+
" </SupportedApplications>\n"+
"</LoginConfigEntry>\n"+
Example LoginConfig Entries
The following example LoginConfig entry is taken from the LDAP resource adapter supplied by Identity Manager. It defines two authentication properties whose dataSource value, if not specified, is supplied by the user.
Code Example 4-4 defines the supported Login Module data source options:
Code Example 4-4 Defining Supported Login Module Data Source Options
public static final String USER_DATA_SOURCE = "user";
public static final String HTTP_REMOTE_USER_DATA_SOURCE = "http remote user";
public static final String HTTP_ATTRIBUTE_DATA_SOURCE = "http attribute";
public static final String HTTP_REQUEST_DATA_SOURCE = "http request";
public static final String HTTP_HEADER_DATA_SOURCE = "http header";
public static final String HTTPS_X509_CERTIFICATE_DATA_SOURCE = "x509 certificate";
" <LoginConfigEntry name='"+WS_RESOURCE_LOGIN_MODULE+"'
type='"+LDAP_RESOURCE_TYPE+"'
displayName='"+Messages.RES_LOGIN_MOD_LDAP+"'>\n"+
" <AuthnProperties>\n"+
" <AuthnProperty name='"+LDAP_UID+"' displayName='"+Messages.UI_USERID_LABEL+"'
formFieldType='text' isId='true'/>\n"+
" <AuthnProperty name='"+LDAP_PASSWORD+"'
displayName='"+Messages.UI_PWD_LABEL+"'
formFieldType='password'/>\n"+
" </AuthnProperties>\n"+
" </LoginConfigEntry>\n"+
Code Example 4-5 shows a Login Config entry where the authentication property’s dataSource value is not supplied by the user. In this case, it is derived from the HTTP request header.
Code Example 4-5 Login Config Entry
" <LoginConfigEntry name='"+Constants.WS_RESOURCE_LOGIN_MODULE+"' |type='"+RESOURCE_NAME+"'
displayName='"+RESOURCE_LOGIN_MODULE+"'>\n"+
" <AuthnProperties>\n"+
" <AuthnProperty name='"+LOGIN_USER+"' displayName='"+DISPLAY_USER+"' formFieldType='text'
isId='true' dataSource='http header'/>\n"+
" </AuthnProperties>\n"+|
" </LoginConfigEntry>\n"+
Windows NT Object Resource Attribute Declarations
Code Example 4-6 shows how prototypeXML defines fields displayed on the Create/Edit Resource page.
Code Example 4-6 prototypeXML Defining Fields Displayed on Create/Edit Resource Page
<ResourceAttributes>
<ResourceAttribute name='Host' description='The host name running the resource
agent.' multi='false' value='n'>
</ResourceAttribute>
<ResourceAttribute name='TCP Port' description='The TCP/IP port used to communicate
with the LDAP server.' multi='false' value='9278'>
</ResourceAttribute>
<ResourceAttribute name='user' description='The administrator user name with which
the system should authenticate.' multi='false' value='Administrator'>
</ResourceAttribute>
<ResourceAttribute name='password' type='encrypted' description='The password that
should be used when authenticating.' multi='false' value='VhXrkGkfDKw='>
</ResourceAttribute>
<ResourceAttribute name='domain' description='The name of the domain in which
accounts will be created.' multi='false' value='nt'>
</ResourceAttribute>
</ResourceAttributes>
Identity Manager Rendering of prototypeXML
The Identity Manager Administrator interface displays the resource attributes for the default Windows NT resource as specified in the preceding section.
Figure 4-1 Resource Attributes for Windows NT Resource
Editing the Skeleton File: Overview
The SkeletonActiveSyncResourceAdapter file provides a starting point for creating a new Active Sync-enabled adapter type that administrators can use to create specific instances. Once you have renamed and edited the skeleton file to include the default values you want the adapter to support, you can load it into Identity Manager.
Basic steps include:
- Name the resource adapter type. The name you supply here will appear in the New Resources menu in the Identity Manager Administrator Interface.
- Map resource attributes to Identity Manager account attributes. This requires that you edit the default values in the skeleton prototypeXML to create your own defaults for this adapter type. For example, you might want to delete the RA_GROUPS attribute that is included in this file from your adapter type.
- Add or delete methods from the skeleton file. In particular, add Java code to support the following operations, which are not supported in this example file: joins, leaves, and moves. For example, you want to write an Active Sync-enabled adapter to pull information from an HR database to determine whether employees are still active. To trigger updates based on a change in an employee’s active status, you need several items: an effective date column in the database; a window of time to search in; and a list of the updates that have already been done in previous iterations of the search.
Naming the Adapter and Editing Preliminary Information
Editing the preliminary adapter information requires three actions:
Setting Options and Attributes for the Adapter
The primary way to set options for the adapter type is by mapping the incoming resource attributes to the standard Identity Manager account attributes or creating your own extended schema attributes. The attributes included in SkeletonActiveSyncResourceAdapter are mandatory. Do not delete these attribute definitions when customizing the file.
Mapping a Resource Attribute to a Standard Account Attribute
If you are mapping a resource attribute to one of the standard Identity Manager account attributes, use the syntax shown in Code Example 4-7.
Code Example 4-7 Mapping a Resource Attribute
"<AttributeDefinitionRef>\nt"+
<ObjectRef type='AttributeDefinition' name='accountId'/>\n"+
" </AttributeDefinitionRef>\n"+
Use the <AttributeDefinitionRef> element to identify the Identity Manager account attribute. Table 4-17 describes the <AttributeDefinitionRef> element fields.
Table 4-17 <AttributeDefinitionRef> Element Fields
Attribute Field
Description
name
Identifies the Identity Manager account attribute that the resource attribute is being mapped to. (The left column on the resource schema page in the Identity Manager User Interface.)
mapName
Identifies the name of the incoming resource attribute. When editing this skeleton file, replace change-value-here with the resource attribute name.
mapType
Identifies the type of the incoming attribute (string, int, or encrypted).
Mapping Resource Attributes to an Extended Schema Attribute
If you want to map an incoming resource attribute to an attribute other than the standard Identity Manager attributes, you must create an extended schema attribute. Code Example 4-8 illustrates how to map a resource attribute to a custom account attribute.
Code Example 4-8 Mapping Resource Attribute to Custom Account Attribute
<AccountAttributeType name='HomeDirectory' type='string'
mapName='HomeDirectory' mapType='string'>\n"+
</AccountAttributeType>\n"+
Note that you do not need to declare an ObjectRef type. The mapName field identifies the custom account attribute HomeDirectory. You can define the mapType field the same as you would when mapping an attribute to a standard account attribute.
To test the validity of the resources you just defined (in particular the connection to the resource), save the adapter, load it into Identity Manager, and click Start on the Resources page. The Start button is enabled only if the resource start-up type is Automatic or Manual. The adapter’s init() and poll() methods will be called when the adapter is scheduled.
Setting the Distinguished Name
When creating a new resource, Identity Manager will ask the resource adapter to create a prototype resource that is the XML object definition of the resource.
The distinguished name displays on these Identity Manager user interface pages:
The resource does not need to present the prototype object, it simply has to define the resource attributes and set default values for the resource attributes for which it makes sense to have defaults.
Defining Resource Object Classes, Type, Features, and Attributes
Object types uniquely define a specific type of resource. They are defined in the adapter’s prototypeXML section.
Defining an Object Type
The XML <ObjectTypes> element is a container within the adapter prototypeXML that contains one or more object type definitions to be managed on that resource.
The XML <ObjectTypes> element is a container within the <ObjectTypes> element that fully describes the resource-specific object to Identity Manager, including information about:
Table 4-18 lists the supported attributes of the <ObjectType> element.
Table 4-18 Supported <ObjectType> Elements
Attribute
Description
name
Defines the name by which this object type will be displayed and referred to within Identity Manager (required).
icon
Specifies the name of the .gif file to be displayed to the left of objects of this type within the interface. You must install this .gif file in idm/applet/images for use by Identity Manager.
container
If true, specifies that this type of resource object can contain other resource objects of the same or other object types.
Example Object Type Definitions
Code Example 4-9 includes example object type definitions:
Code Example 4-9 Example Object Type Definitions
static final String prototypeXml ="<Resource name='Skeleton' class=
'com.waveset.adapter.sample.SkeletonStandardResourceAdapter'
typeString='Skeleton of a resource adapter' typeDisplayString='"+Messages.RESTYPE_SKELETON+"'>\n"+
" <ObjectTypes>\n"+
" <ObjectType name='Group' icon='group'>\n"+
… other content defined below will go here …
“ </ObjectType>\n”+
“ <ObjectType name=’Role’ icon=’ldap_role’>\n”+
… other content defined below will go here …
“ </ObjectType>\n”+
“ <ObjectType name=’Organization’ icon=’folder_with_org’ container=’true’>\n”+
… other content defined below will go here …
“ </ObjectType>\n”+
“ </ObjectTypes>\n”+
Object Classes
Object classes are handled differently for LDAP-based resource objects than for other resource objects.
LDAP-Based Resource Objects
LDAP-based resource objects can consist of more than one LDAP object class, where each object class is an extension of its parent object class. However, within LDAP, the complete set of these object classes is viewed and managed as a single object type within LDAP.
To manage this type of resource object within Identity Manager, include the XML element <ObjectClasses> within the <ObjectType> definition. The <ObjectClasses> element allows you to define the set of object classes that is associated with this <ObjectType> as well as the relationship of classes to each other.
Non-LDAP-Based Resource Objects
For non-LDAP-based resource objects, you can use the <ObjectType> to represent information other than the resource object type name.
In Code Example 4-10, the primary attribute defines the object class to be used when creating and updating an object of this type. In this case, inetorgperson is the object class that is defined as the primary one because it is a subclass of the other listed object classes. The operator attribute specifies whether the list of object classes should be treated as one (logical AND) or treated as unique classes (logical OR) when listing or getting an object of this type. In this case, Identity Manager performs an AND operation on these object classes prior to any list or get requests for this object type.
Code Example 4-10 Using inetorgperson Object Class
<ObjectClasses primary='inetorgperson' operator='AND'>\n"+
<ObjectClass name='person'/>\n"+
<ObjectClass name='organizationalPerson'/>\n"+
<ObjectClass name='inetorgperson'/>\n"+
</ObjectClasses>\n"+
In Code Example 4-11, all requests to create and/or update resource objects of this type are done using the groupOfUniqueNames object class. All list and get requests will query for all objects whose object class is either groupOfNames or groupOfUniqueNames.
Code Example 4-11 Using groupOfUniqueNames Object Class
<ObjectClasses primary='groupOfUniqueNames' operator='OR'>\n"+ <ObjectClass name='groupOfNames'/>\n"+
<ObjectClass name='groupOfUniqueNames'/>\n"+
</ObjectClasses>\n"+
Only one object class is defined in Code Example 4-12; so all create, update, list, and get operations will be done using object class organizationalUnit.
Code Example 4-12 Using organizationalUnit Object Class
<ObjectClasses operator='AND'>\n"+
<ObjectClass name='organizationalUnit'/>\n"+
</ObjectClasses>\n"+
Because there is only one object class, you could exclude the <ObjectClasses> section. If left out, the object class defaults to the value of the <ObjectType> name attribute. However, if you want the object type name to differ from the resource object class name, you must include the <ObjectClasses> section with the single <ObjectClass> entry.
Object Features
The <ObjectFeatures> section specifies a list of one or more features supported by this object type, where each object feature is directly tied to the implementation of the associated object type method in the resource adapter.
Each ObjectFeature definition must contain the name attribute, which specifies a feature name. The create and update features may also specify the form attribute. This attribute defines the resource form that will be used to process create and update features. If the form attribute is not specified, then Identity Manager processes the features with the same form used by all resources of a given type.
Table 4-19 lists the object feature mappings.
Table 4-19 Object Feature Mappings
Object Feature
Method
Supports Form Attribute?
create
createObject
Yes
delete
deleteObject
No
find
listObjects
No
list
listObjects
No
rename
updateObject
No
saveas
createObject
No
update
updateObject
Yes
view
getObject
No
The <ObjectFeatures> section in Code Example 4-13 includes all supported object features. Your resource adapter can support all or a subset. The more object features your adapter supports, the richer the object management function within Identity Manager.
Code Example 4-13 <ObjectFeatures> Section Including all Supported Object Features
<ObjectFeatures>\n"+
<ObjectFeature name='create' form='My Create Position Form'/>
<ObjectFeature name='update' form='My Update Position Form'/>
<ObjectFeature name='create'/>\n"+
<ObjectFeature name='delete'/>\n"+
<ObjectFeature name='rename'/>\n"+
<ObjectFeature name='saveas'/>\n"+
<ObjectFeature name='find'/>\n"+
<ObjectFeature name='list'/>\n"+
<ObjectFeature name='view'/>\n"+
</ObjectFeatures>\n"+
Object Attributes
The <ObjectAttributes> section specifies the set of attributes that will be managed and queried in Identity Manager. The name of each <ObjectAttribute> element should be the native resource attribute name. Unlike user attributes in Identity Manager, no attribute mapping is specified. Only the native attribute names should be used.
Table 4-20 describes attributes that are required for <ObjectAttributes>.
Table 4-20 Required Attributes for <ObjectAttributes>
Attribute
Description
idAttr
The value of this attribute should be the resource object attribute name that uniquely identifies this object within the resource’s object namespace (for example, dn, uid)
displayNameAttr
The value of this attribute should be the resource object attribute name whose value is the name you want displayed when objects of this type are viewed within Identity Manager (for example, cn, samAccountName).
descriptionAttr
(Optional) This value of this attribute should be the resource object attribute name whose value you want displayed in the Description column of the Resources page.
Code Example 4-14 shows an <ObjectAttributes> section defined in an <ObjectType>.
Code Example 4-14 <ObjectAttributes> Section Defined in an <ObjectType>
<ObjectAttributes idAttr='dn' displayNameAttr='cn' descriptionAttr=
'description'>\n"+
<ObjectAttribute name='cn' type='string'/>\n"+
<ObjectAttribute name='description' type='string'/>\n"+
<ObjectAttribute name='owner' type='distinguishedname' namingAttr=
'cn'/>\n"+
<ObjectAttribute name='uniqueMember' type='dn' namingAttr='cn' />\n"+
</ObjectAttributes>\n"+
Each <ObjectAttribute> has the attributes described in Table 4-21:
Table 4-21 <ObjectAttribute> Attributes
Attribute
Description
name
Identifies the resource object type attribute name (required)
type
Identifies the type of object. Valid types include string or distinguishedname / ‘dn’ (defaults to string)
namingAttr
If object type is distinguishedname or dn, this value specifies the attribute whose value should be used to display an instance of this object type referred to by the dn within Identity Manager
Note
The methods in the resource adapter object type implementation is responsible for coercing all string values into the appropriate type based on the resource attribute name.
Assigning a Form
You can assign an optional form for processing incoming data before storing it in Identity Manager. This resource form is a mechanism for transforming the incoming data from the schema map and applying it to the user view. The sample form also performs actions (such as enabling and disabling an account) that are based on specific values of incoming data such as employee status.
Defining Resource Forms
You must provide a resource form named <resource type> Create <object type> Form for each resource <ObjectType> that supports the Create feature.
(For example, AIX Create Group Form or LDAP Create Organizational Unit Form.)You must also provide a ResourceForm named <resource type> Update <object type> Form for each resource <ObjectType> that supports the Update feature. (For example, AIX Update Group Form or LDAP Update Organizational Unit Form)
Table 4-22 describes attributes contained in the top-level namespace.
(All values are strings unless otherwise specified.)
Table 4-22 Top-Level Namespace Attributes
Attribute
Description
<objectType>.resourceType
Identity Manager resource type name (for example, LDAP, Active Directory)
<objectType>.resourceName
Identity Manager resource name
<objectType>.resourceId
Identity Manager resource ID
<objectType>.objectType
Resource-specific object type (for example, Group)
<objectType>.objectName
Name of resource object (for example, cn or samAccountName)
<objectType>.objectId
Fully qualified name of resource object (for example, dn)
<objectType>.requestor
ID of user requesting view
<objectType>.attributes
Resource object attribute name/value pairs (object)
<objectType>.organization
Identity Manager member organization
<objectType>.attrsToGet
List of object type specific attributes to return when requesting an object through checkoutView or getView (list)
<objectType>.searchContex
Context used to search for non-fully qualified names in form input
<objectType>.searchAttributes
List of resource object type-specific attribute names that will be used to search within the specified searchContext for names input to the form (list).
<objectType>.searchTimeLimit
Maximum time spent searching where <objectType> is the lowercase name of a resource specific object type. For example, group, organizationalunit, organization.
<objectType>.attributes
<resource attribute name>Used to get or set the value of specified resource attribute (for example, <objectType>.attributes.cn, where cn is the resource attribute name). When resource attributes are distinguished names, the name returned when getting the value is the value of the namingAttr specified in the <ObjectAttribute> section of the <ObjectType> description.
The next section references forms that show how to access the resource object namespace.
Writing Adapter MethodsThe Identity Manager adapter interface provides general methods that you must customize to suit your particular environment. This section briefly describes these methods and covers:
- Standard resource adapter-specific methods. These methods are specific to the resource you are updating to synchronize with Identity Manager.
- Active Sync-specific methods. These methods provide the mechanism for updating Identity Manager based on pulling information from the authoritative resource. They also include methods for stopping, starting, and scheduling the adapter.
Standard Resource Adapter-Specific Methods
The body of a resource adapter consists of resource-specific methods. Consequently, the resource adapter provides methods that are only generic placeholders for the specific methods that you will write.
This section describes how the methods used to implement operations are categorized. The information is organized into the following sections:
Creating the Prototype Resource
Table 4-23 describes the methods used to create a Resource instance.
Table 4-23 Methods Used to Create a Resource Instance
Method
Description
staticCreatePrototypeResource
Creates a Resource instance from the predefined prototype XML string defined in the resource adapter. Because it is a static method, it can be called knowing only the path to the Java class which is the resource adapter.
createPrototypeResource
A local method that can be executed only if you already have an instance of a Java object of the resource adapter class. Typically, the implementation of createPrototypeResource() is to just call the staticCreatePrototypeResource() method.
Connecting with the Resource
The following methods are responsible for establishing connections and disconnections as an authorized user. All resource adapters must implement these methods.
Checking Connections and Operations
ResourceAdapterBase provides methods that you can use to check the validity of an operation, such as whether the connection to the resource is working, before the adapter attempts the actual operation.
The methods described in Table 4-24 verify that communication can be made and that the authorized account has access.
Table 4-24 Methods Used to Check Communication
Method
Description
checkCreateAccount
Checks to see if an account can be created on the resource. The following features can be checked:
This method does not check whether the account already exists. It contains the account attribute information needed to create the user account such as account name, password, and user name.
After confirming that the account can be created, the method closes the connection to the resource.
checkUpdateAccount
Establishes a connection and checks to see if the account can be updated.
This method receives a user object as input. It contains the account attribute information needed to create the user account such as account name, password, and user name.
The user object specifies the account attributes that have been added or modified. Only these attributes are checked.
checkDeleteAccount
Checks to see if an account exists and can deleted. The following features can be checked:
This method does not check whether the account already exists. It receives a user object as input. It contains the account attribute information needed to delete the user account such as account name, password, and user name.
After checking to see if the account can be deleted, the method closes the connection to the resource
Defining Features
The getFeatures() method specifies which features are supported by an adapter. The features can be categorized as follows:
The ResourceAdapterBase class defines a base implementation of the getFeatures() method. The Enabled in Base? column in the following tables indicates whether the feature is defined as enabled in the base implementation in ResourceAdapterBase.
Table 4-25 General Features
Feature Name
Enabled in Base?
Comments
ACTIONS
No
Indicates whether before and after actions are supported. To enable, override the supportsActions method with a true value.
RESOURCE_PASSWORD_CHANGE
No
Indicates whether the resource adapter supports password changes. To enable, override the supportsResourceAccount method.
Table 4-26 Account Features
Feature Name
Enabled in Base?
Comments
ACCOUNT_CASE_
INSENSITIVE_IDSYes
Indicates whether user account names are case-insensitive. Override the supportsCaseInsensitiveAccountIds method with a false value to make account IDs case-sensitive.
ACCOUNT_CREATE
Yes
Indicates whether accounts can be created. Use the remove operation to disable this feature.
ACCOUNT_DELETE
Yes
Indicates whether accounts can be deleted. Use the remove operation to disable this feature.
ACCOUNT_DISABLE
No
Indicates whether accounts can be disabled on the resource. Override the supportsAccountDisable method with a true value to enable this feature.
ACCOUNT_EXCLUDE
No
Determines whether administrative accounts can be excluded from Identity Manager. Override the supportsExcludedAccounts method with a true value to enable this feature.
ACCOUNT_ENABLE
No
Indicates whether accounts can be enabled on the resource. Override the supportsAccountDisable method with a true value if accounts can be enabled on the resource.
ACCOUNT_EXPIRE_
PASSWORDYes
Enabled if the expirePassword Identity Manager User attribute is present in the schema map for the adapter. Use the remove operation to disable this feature.
ACCOUNT_GUID
No
If a GUID is present on the resource, use the put operation to enable this feature.
ACCOUNT_ITERATOR
Yes
Indicates whether the adapter uses an account iterator. Use the remove operation to disable this feature.
ACCOUNT_LIST
Yes
Indicates whether the adapter can list accounts. Use the remove operation to disable this feature.
ACCOUNT_LOGIN
Yes
Indicates whether a user can login to an account. Use the remove operation if logins can be disabled.
ACCOUNT_PASSWORD
Yes
Indicates whether an account requires a password. Use the remove operation if passwords can be disabled.
ACCOUNT_RENAME
No
Indicates whether an account can be renamed. Use the put operation to enable this feature.
ACCOUNT_REPORTS_DISABLED
No
Indicates whether the resource reports if an account is disabled. Use the put operation to enable this feature.
ACCOUNT_UNLOCK
No
Indicates whether an account can be unlocked. Use the put operation if accounts can be unlocked.
ACCOUNT_UPDATE
Yes
Indicates whether an account can be modified. Use the remove operation if accounts cannot be updated.
ACCOUNT_USER_PASSWORD_ON_CHANGE
No
Indicates whether the user’s current password must be specified when changing the password. Use the put operations if the user’s current password is required.
Table 4-27 Group Features
Feature Name
Enabled in Base?
Comments
GROUP_CREATE,
GROUP_DELETE
GROUP_UPDATENo
Indicates whether groups can be created, deleted, or updated. Use the put operation to if these features are supported on the resource.
Table 4-28 Organizational Unit Features
Feature Name
Enabled in Base?
Comments
ORGUNIT_CREATE,
ORGUNIT_DELETE
ORGUNIT_UPDATENo
Indicates whether organizational units can be created, deleted, or updated. Use the put operation to if these features are supported on the resource.
If your custom adapter overrides the ResourceAdapterBase implementation of the getFeatures method, add code similar to the following:
public GenericObject getFeatures() {
GenericObject genObj = super.getFeatures();
genObj.put(Features.ACCOUNT_RENAME, Features.ACCOUNT_RENAME);
genObj.remove(Features.ACCOUNT_UPDATE, Features.ACCOUNT_UPDATE);
.. other features supported by this Resource Adapter …
return genObj;
}
To disable a feature by overriding a different method (such as supportsActions) add code similar to the following:
The following tables describe the methods used to create, delete, and update accounts on Resources.
Table 4-29 Creating Accounts on the Resource
Method
Description
realCreate()
Creates the account on the resource.
Receives a user object as input, and contains the account attribute information needed to create the user account (such as account name, password, and user name)
Table 4-30 Deleting Accounts on the Resource
Method
Description
realDelete()
Deletes an account(s) on the resource.
Receives a user object or list of user objects as input. By default, this method creates a connection, calls realDelete, closes the connection for each user object in the list.
Table 4-31 Updating Accounts on the Resource
Method
Description
realUpdate()
Updates a subset of the account attributes.
By default, this method creates a connection, calls realUpdate, and closes the connection for each user object in the list.
Note
User account attributes from the resource are merged with any new changes from Identity Manager.
Table 4-32 Getting User Information
Method
Description
getUser()
Retrieves information from the resource about user attributes.
Receives a user object as input (typically with only an account identity set), and returns a new user object with values set for any attribute defined in resource schema map.
You can use list methods to establish processes that adapters use to retrieve user information from the resource.
Table 4-33 List Methods
Method
Description
getAccountIterator()
Used to discover or import all the users from a resource.
Implements the Account Iterator interface to iterate over all users of a resource.
listAllObjects ()
Given a resource object type (such as accountID or group), returns a list of that type from the resource.
Implement this method to generate lists that are used by the resource, such as a list of resource groups or distribution lists.
This method is called from the user form (not called by provisioning engine).
Code Example 4-15 contains code for retrieving information on a resource and converting it to information that Identity Manager can work with.
Code Example 4-15 Resource Adapters: Retrieving Information on a Resource
public WSUser getUser(WSUser user)
throws WavesetExceptionString identity = getIdentity(user);
WSUser newUser = null;try {
startConnection();Map attributes = fetchUser(user);
if (attributes != null) {
newUser = makeWavesetUser(attributes);
}
} finally {
stopConnection();
}
return newUser;
}
Table 4-34 Enable and Disable Methods
Method
Description
supportsAccountDisable()
Returns true or false depending on whether the resource supports native account disable.
realEnable()
Implements the native calls that are necessary to enable the user account on the resource.
realDisable()
Implements the native calls that are necessary to disable the user account on the resource.
Disabling User Accounts
You can disable an account by using the disable utilities supported by the resource or the account disable utility provided by Identity Manager.
- Native support for disabling an account: Certain resources provide a separate flag that, when set, prevents users from logging in. Example utilities include User Manager for NT, Active Directory Users and Computers for Active Directory, and ConsoleOne or Netware Administrator for NDS/Netware. When an account is enabled, the user’s original password is still valid. You can determine whether native support for account disable is available on your resource by implementing the supportsAccountDisable method.
- Identity Manager disable utility: If the resource does not support disabling an account, or supports disable by means of resetting the user’s password, the Identity Manager provisioning engine disables the account. You can perform the disable by setting the user account to a randomly generated, non-displayed, non-retained password. When the account is enabled, the system randomly generates a new password, which is displayed in the Identity Manager Administrator Interface or emailed to the user
Enabling Pass-Through Authentication for Resource Types
Use the following general steps to enable pass-through authentication in a resource type:
- Ensure that the adapter’s getFeatures() method returns ResourceAdapter.ACCOUNT_LOGIN as a supported feature.
- If your custom adapter overrides the ResourceAdapterBase implementation, add the following code:
public GenericObject getFeatures() {
GenericObject genObj = super.getFeatures();
genObj.put(Features.ACCOUNT_RENAME, Features.ACCOUNT_RENAME);
.. other features supported by this Resource Adapter …
return genObj;
}- If your custom adapter does not override the getFeatures() implementation in the ResourceAdapterBase class, it will inherit the getFeatures() implementation that is exported for ACCOUNT_LOGIN by default.
- Add the <LoginConfigEntry> element to the adapter’s prototypeXML.
- Implement the adapter’s authenticate() method.
The authenticate() method authenticates the user against the resource by using the authentication property name/value pairs provided in the loginInfo map. If authentication succeeds, be sure that the authenticated unique ID is returned in the WavesetResult by adding a result as follows:
result.addResult(Constants.AUTHENTICATED_IDENTITY, accountID);
If authentication succeeded, but the user's password was expired, then in addition to the identity added above, also add the password expired indicator to the result to be returned. This will ensure that the user will be forced to change their password on at least resource upon next login to Identity Manager.
result.addResult(Constants.RESOURCE_PASSWORD_EXPIRED, new Boolean(true));
If authentication fails (because the username or password is invalid), then:
throw new WavesetException("Authentication failed for " + uid + ".");
Writing Active Sync-Specific Methods
In this section of the adapter, you must supply the methods that accomplish the main task of your adapter — updating Identity Manager. The methods you write are based on the generic methods supplied with the skeleton adapter file.
You will need to edit some of these methods, which are categorized by task. General guidelines for handling these tasks are discussed in the following sections:
Initializing and Scheduling the Adapter
You initialize and schedule the adapter by implementing the init() and poll() methods.
The init() method is called when the adapter manager loads the adapter. There are two methods for loading the adapter:
In the initialization process, the adapter can perform its own initialization. Typically, this involves initializing logging (with the ActiveSyncUtil class), and any adapter-specific initialization such as registering with a resource to receive update events.
If an exception is thrown, the adapter is shut down and unloaded.
Polling the Resource
All of the adapter’s work is performed by the poll() method. Scheduling the adapter requires setting up a poll() method to search for and retrieve changed information on the resource.
This method is the main method of the Active Sync-enabled adapter. The adapter manager calls the poll() method to poll the remote resource for changes. The call then converts the changes into IAPI calls and posts them back to a server. This method is called on its own thread and can block for as long as needed.
It should call its ActiveSyncUtil instance’s isStopRequested method and return when true. Check isStopRequested as part of the loop condition when looping through changes.
To configure defaults for polling, you can set the polling-related resource attributes in the adapter file. Setting these polling-related attributes provides administrators with a means to later use the Identity Manager interface to set the start time and date for the poll interval and the length of the interval.
Scheduling Parameters
The following scheduling parameters are used in Active Sync-enabled adapters:
See Table 4-12 for a description of these parameters.
Scheduling Parameters in the prototypeXML
The scheduling parameters are present in the string constant ActiveSync. ACTIVE_SYNC_STD_RES_ATTRS_XML, along with all other general Active Sync-related resource attributes.
Sample Polling Scenarios
The following table lists some sample polling scenarios.
Table 4-35 Sample Polling Scenarios
Polling Scenario
Parameters
Daily at 2 A.M.
Interval = day, count =1, start_time=0200
Four times daily
Interval=hour, count=6.
Poll once every two weeks on Thursday at 5 P.M
Interval = week, count=2, start date = 20020705 (a Thursday), time = 17:00.
Storing and Retrieving Adapter Attributes
Most Active Sync-enabled adapters are also standard adapters, where a single Java class both extends ResourceAdapterBase (or AgentResourceAdapter) and implements the Active Sync interface.
The attribute retrieval and update should then pass through to the base as shown in Code Example 4-16:
Code Example 4-16 Attribute Retrieval and Update
public Object getAttributeValue(String name) throws WavesetException {
return getResource().getResourceAttributeVal(name);
}
public void setAttributeValue(String name, Object value) throws WavesetException {
getResource().setResourceAttributeVal(name,value);
Updating the Identity Manager Repository
When an update is received, the adapter uses the IAPI classes, notably IAPIFactory to:
Mapping the Changes to the Identity Manager Object
Using the Active Sync event parameter configurator for the resource, IAPIFactory.getIAPI constructs an IAPI object, either IAPIUser or IAPIProcess from a map of changed attributes. If an exclusion rule (iapi_create, iapi_delete, or iapi_update) is configured for the resource, IAPIFactory checks if the account is excluded. If a non-null object is created and returned by the Factory, the adapter can modify the IAPI object (for example, by adding a logger), then submits it.
When the object is submitted, the form associated with the resource is expanded with the object view before the view is checked in. For more information about forms and views, see Identity Manager Workflows, Forms, and Views.
In SkeletonActiveSyncResourceAdapter, this process is handled in the buildEvent and processUpdates methods.
Shutting Down the Adapter
No system requirements are associated with adapter shutdown. This is an opportunity for system cleanup.
Installing the Custom AdapterTo install a resource adapter you’ve customized:
- Load the NewResourceAdapter.class file in the Identity Manager installation directory under
idm/WEB-INF/classes/com/waveset/adapter/sample
(You might have to create this directory.)
- Copy the .gif file to idm/applet/images.
This .gif file is the image that displays next to the resource name on the List Resources page, and it should contain an image for your resource that is 18x18 pixels and 72 DPI in size.
- Add the class to the resource.adapter property in config/waveset.properties.
- Stop and restart the application server. (For information about working with application servers, see Identity Manager Installation.)
- Create an HTML help file for your resource. (For examples, see the idm.jar provided in the com/waveset/msgcat/help/resources directory. In addition, the procedure for including online help with the application is provided in Identity Manager Workflows, Forms, and Views.)
- Install your adapter and associated help file into Identity Manager.
- Create a resource in Identity Manager using your adapter.
- Start your resource and verify connectivity.
Maintaining the Custom AdapterWhen you install an Identity Manager service pack, you will need to test the custom resource with the new idmcommon.jar and idmformui.jar files. You may need to make modifications or enhancements to the custom adapters to adapt to changes made in the new release or service pack. Alternatively, your resource adapter may just need to be rebuilt or refreshed in your installation.
See Identity Manager Administration for more information on adapter maintenance.
Testing Your AdapterAfter writing the adapter, you must test and load it in to Identity Manager. Testing involves testing both from Identity Manager and running unit tests on your own machine.
You can test the validity of the resources you have just defined (in particular the connection to the resource) by saving the adapter, loading it into Identity Manager, and clicking Start on the List Resources page. The Start button is enabled only if the resource startup type is Automatic or Manual.
This section is organized as follows:
Testing a Custom Adapter
One tool for debugging adapters is the log file that all adapters generate. This log file is generated in the in the $WSHOME/config directory and is named WSTrace1.log.
Note
Tracing must be enabled and the methods for which tracing is requested must be identified for any logging to occur. You can enable tracing through the Identity Manager Debug page or through the command line utility. Also, the custom adapter must include the calls that will make the log entries for the new methods.
The adapter writes to the log file all resource settings that you can use to validate both that the adapter started and that setting changes have been saved.
Active Sync-enabled adapters that make log calls to the ActiveSyncUtil instance will create a log file (or set of log files) in the directory specified by the Log File Path resource attribute. Be sure to check these log files for additional Active Sync-related log entries.
General Steps
Follow these general steps when debugging your adapter.
- Create a test program for your adapter.
This Java file should perform the following basic functions:
- Set your log level as appropriate for your level of debugging. Increase the log level to 4 for your first pass at debugging, and set the log file path and size. When you subsequently start the adapter, it writes to the log file all resource settings that you can use to validate both that the adapter started and that setting changes have been saved.
- Compile and test your adapter. To compile the test program, use
javac -d . test/filename.java. (This command creates the class file in the appropriate com/waveset/adapter/test directory.) To test your new adapter using this file, make sure that your compiled adapter is in the com/waveset/adapter directory and run it using the following:java –D waveset.home=<path> com.waveset.adapter.test.MyResourceAdapter
- Create an HTML help file for your resource. (See idm.jar in com/waveset/msgcat/help/resources directory for examples. Procedures describing how to include online help with the application, consult Identity Manager Workflows, Forms, and Views.)
- (Active Sync-enabled adapter only) To reset synchronization on the last resource, delete the XmlData SYNC_resourceName object.
- Read the error log and modify the adapter.
- Set the debug level to 2. Level 2 debugging yields information about the adapter settings and any errors, but limits the amount of log detail to a manageable level.
- Before starting Identity Manager, you must identify the new adapter in the $WSHOME/config/waveset.properties file by placing the adapter name under the resource.adapters entry — otherwise Identity Manager will not recognize the adapter.
- Install your adapter and its associated help file into Identity Manager.
Note
Before an instance of the new adapter can be recognized in the display, you must create a new resource of that type. You can do this through the List Resource page. From this page, select
New > new adapter. Use the Resource Wizard to create a new adapter.
- Use Identity Manager to create a resource and a user on that resource.
Tip
When debugging an Active Sync-enabled adapter, if you edit the XmlData SYNC_resourceName object to remove the MapEntry for the ActiveSync synchronization process from the Debug page, the adapter starts over from the first detected change.
If you used the IAPI event, set the Property() method to store synchronization state for the resource, such as a last change processed value. Setting this method is very useful for debugging adapters. You can set the adapter to run and ignore past changes. Subsequently, you can modify the adapter and see the results of your changes in the adapter log file.
Tracing Methods in Your Test Adapter
To trace methods in your test adapter
- Turn on tracing from the Debug page (debug/Show_Trace.jsp).
- Add your adapter using the following format:
com.waveset.adapter.sample.MyResourceAdapter
- Set the trace level to 4 for maximum output, or 2 for sufficient output.
- Indicate whether you want the trace information emitted to standard output or sent to a file.
- To debug the synchronization process further, configure synchronization logging for your test resource. (Instructions are provided in the Identity Manager online help.)
Testing the Resource Object in Identity Manager
You can test your implementation through the Identity Manager Administrator Interface through the Find Resources and List Resources pages.
- Select Resource > List Resource to confirm the following performance characteristics:
Table 4-36 List Resource Performance Characteristics
Expected Behavior in Interface
If not...
Identity Manager includes your resource type in the drop-down list of possible new resources.
Confirm that you have added it to the resource.adapters attribute in the Waveset.properties file.
When you open the resource folder, its contents reflect all the <ObjectType> elements that are defined in your resource adapter’s <ObjectTypes> section.
Review the <ObjectType> elements in the adapter’s prototypeXML.
When you right-click on one of your resource object types, all the supported features specified in your resource adapter’s <ObjectFeatures> section per <ObjectType> is available from the menu.
Go to the Debug page and view or edit the resource in question to ensure that its list of <ObjectFeatures> for the <ObjectType> in question is correct.
You can create new resources and update existing resource objects.
Verify that your resource adapter code is in WEB-INF/classes/com/waveset/adapter/sample
The correct ResourceForms have been loaded for each type of operation.
- Select Resource > Find Resources to confirm the following performance characteristics:
Table 4-37 Find Resources Performance Characteristics
Expected Behavior in the Interface
If not...
You can set all attributes you expect from the Resources > Find Resources page
Check all <ObjectType> elements and associated <ObjectAttribute> elements.
A find resource request returns the appropriate resource objects
Double-check the query arguments to ensure that the appropriate set of resource objects will match that query. If it still doesn’t work, try the same query through another LDAP browser to ensure that it is not a problem with the query.
You can edit and/or delete objects returned from your find request.
Check to ensure that the <ObjectFeatures> section of the <ObjectType> in question includes the Update feature, which enables editing or the Delete feature, which enables deletion.
Viewing a Resource Object
You can view a resource object from the Debug page. To open the Debug page, enter http://build_name/idm/debug.
All resource adapter and Active Sync-enabled adapter classes are based on the existing Identity Manager Resource classes.
To view the resource object:
Typical Errors
Typical errors include:
Form-Related Errors
Typical errors with Active Sync-enabled adapters are form-related. These often result from a required field, such as password or email, not being set.
Form validation errors are printed after the final xml of the view. A typical error resembles:
20030414 17:23:57.469: result from submit (blank means no errors):
20030414 17:23:57.509: Validation error: missing required field password
All messages are also printed out, and they specify the creation and update times of accounts, adapter errors, and a summary of the schema map data.
Resource adapters store information about the last change they processed in the SYNC.resourceName XMLData object.
Missing Authentication Properties
If you are missing the required authentication property values, make sure the property name is in the set of names dumped in the trace for the specified data source type.
No Identity Manager User with Matching Resource Account is Found
The resource adapter authentication succeeds, but the exception thrown indicates that no Identity Manager user could be found with a matching resource account ID. Confirm that the resource accountId associated with the user is the same as the one returned by your resource adapter’s authenticate method.
You can check the Identity Manager user’s resource accountIds through the Debug page. If there is a mismatch, you will either have to change the content of the name being returned by your authenticate method or change your resource’s ID template to ensure its generating a resource accountId that will match the one being returned by authenticate.
Debugging LoginConfig Changes
To debug LoginConfig-related changes to your adapter, you must
Enabling Identity Manager Trace
Enable Identity Manager level 1 trace for the following classes:
Testing Single Sign-On (SSO) Pass-Through Authentication
After you have correctly configured the SSO login module, you can telnet directly to the http port and send an http request to login.jsp.
You can paste the following request into your telnet session:
HEAD /idm/login.jsp HTTP/1.0
Accept: text/plain,text/html,*/*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0
Host: LOCALHOST
sm_user: Configurator
This request includes an SSO login module that is looking for the HTTP header sm_user. After pasting this information in the telnet screen, you should see trace indicating that your user has logged in correctly.
For example, see Code Example 4-17:
Code Example 4-17 Sample Output
2003.07.08 14:14:16.837 Thread-7 WSResourceLoginModule#checkForAuthenticatedResourceInfo()
Found authenticated resource accountId, 'Configurator@Netegrity SiteMinder' on Identity Manager user 'Configurator'. null null 2003.07.08 14:14:16.837 Thread-7
WSResourceLoginModule#checkForAuthenticatedResourceInfo()
Exit null null 2003.07.08 14:14:16.837 Thread-7 WSResourceLoginModule#login()
Exit, return code = true null null 2003.07.08 14:14:16.847
Thread-7 LocalSession#login() Login succeeded via Netegrity SiteMinder null null
2003.07.08 14:14:16.847 Thread-7 LocalSession#login() Overall authentication
succeeded null null 2003.07.08 14:14:16.897 Thread-7 LocalSession#checkIfUserDisabled() Entry null null 2003.07.08 14:14:16.897 Thread-7 LocalSession#checkIfUserDisabled() Exit null null 2003.07.08 14:14:16.927 Thread-7 LocalSession#login() Exit null null
