How to Write Standard Resource Adapter-Specific Methods (Sun Identity Manager Deployment Guide)

Sun Identity Manager Deployment Guide

How to Write Standard Resource Adapter-Specific Methods

Standard resource adapter-specific methods are specific to the resource you are updating to synchronize with Identity Manager.

The body of a resource adapter consists of resource-specific methods. Consequently, the resource adapter provides methods that are only generic placeholders for the specific methods that you will write.

This section describes how the methods used to implement operations are categorized. The information is organized into the following sections:

Note –

When writing a custom adapter

Call the setdisabled() method on any WSUser object that is returned by a custom method.
If the adapter implements the AsynchronousResourceAdapter class, then note that this adapter might be working with users that are partially initialized. (These users are created outside Identity Manager, but not fully populated with attributes.) The Provisioner does not automatically convert a Create operation to an Update operation if the WSUser already exists on the resource. Your resource adapter must distinguish this case.

Creating the Prototype Resource

The following table describes the methods used to create a Resource instance.

Table 9–14 Methods Used to Create a Resource Instance


Method	Description
`staticCreatePrototypeResource`	Creates a Resource instance, usually from the predefined `prototypeXML` string defined in the resource adapter. Because it is a static method, it can be called knowing only the path to the Java class which is the resource adapter.
`createPrototypeResource`	A local method that can be executed only if you already have an instance of a Java object of the resource adapter class. Typically, the implementation of `createPrototypeResource()` is to just call the `staticCreatePrototypeResource()` method. If extending an existing adapter, you can add resource attributes to specify different default values programmatically based on the super class’s prototype resource.

Connecting with the Resource

The following methods are responsible for establishing connections and disconnections as an authorized user. All resource adapters must implement these methods.

startConnection
stopConnection

Checking Connections and Operations

ResourceAdapterBase provides methods that you can use to check the validity of an operation, such as whether the connection to the resource is working, before the adapter attempts the actual operation.

The following table describes methods you can use to verify that your adapter is communicating with the resource and that the authorized account has access.

Table 9–15 Methods Used to Check Communication


Method	Description
`checkCreateAccount`	Checks to see if an account can be created on the resource. The following features can be checked: Can basic connectivity to the resource be established? Does the account already exist? Do the account attribute values comply with all (if any) resource-specific restrictions or policies that have not been checked at a higher level? This method does not check whether the account already exists. It contains the account attribute information needed to create the user account such as account name, password, and user name. After confirming that the account can be created, the method closes the connection to the resource.
`checkUpdateAccount`	Establishes a connection and checks to see if the account can be updated. This method receives a user object as input. It contains the account attribute information needed to create the user account such as account name, password, and user name. The user object specifies the account attributes that have been added or modified. Only these attributes are checked.
`checkDeleteAccount`	Checks to see if an account exists and can deleted. The following features can be checked: Can basic connectivity to the resource be established? Does the account already exist? Do the account attribute values comply with all (if any) resource-specific restrictions or policies that haven’t been checked at a higher level? This method does not check whether the account already exists. It receives a user object as input. It contains the account attribute information needed to delete the user account such as account name, password, and user name. After checking to see if the account can be deleted, the method closes the connection to the resource

Defining Features

The getFeatures() method specifies which features are supported by an adapter. The features can be categorized as follows:

General features
Account features
Group features
Organizational unit features

The ResourceAdapterBase class defines a base implementation of the getFeatures() method. The Enabled in Base? column in the following tables indicates whether the feature is defined as enabled in the base implementation in ResourceAdapterBase.

Table 9–16 General Features


Feature Name	Enabled in Base?	Comments
`ACTIONS`	No	Indicates whether before and after actions are supported. To enable, override the `supportsActions` method with a `true` value.
`RESOURCE_PASSWORD_CHANGE`	No	Indicates whether the resource adapter supports password changes. To enable, override the `supportsResourceAccount` method.

Table 9–17 Account Features


Feature Name	Enabled in Base?	Comments
`ACCOUNT_CASE_INSENSITIVE_IDS`	Yes	Indicates whether user account names are case-insensitive. Override the `supportsCaseInsensitiveAccountIds` method with a `false` value to make account IDs case-sensitive.
`ACCOUNT_CREATE`	Yes	Indicates whether accounts can be created. Use the remove operation to disable this feature.
`ACCOUNT_DELETE`	Yes	Indicates whether accounts can be deleted. Use the remove operation to disable this feature.
`ACCOUNT_DISABLE`	No	Indicates whether accounts can be disabled on the resource. Override the `supportsAccountDisable` method with a `true` value to enable this feature.
`ACCOUNT_EXCLUDE`	No	Determines whether administrative accounts can be excluded from Identity Manager. Override the `supportsExcludedAccounts` method with a `true` value to enable this feature.
`ACCOUNT_ENABLE`	No	Indicates whether accounts can be enabled on the resource. Override the `supportsAccountDisable` method with a `true` value if accounts can be enabled on the resource.
`ACCOUNT_EXPIRE_PASSWORD`	Yes	Enabled if the expirePassword Identity Manager User attribute is present in the schema map for the adapter. Use the remove operation to disable this feature.
`ACCOUNT_GUID`	No	If a GUID is present on the resource, use the put operation to enable this feature.
`ACCOUNT_ITERATOR`	Yes	Indicates whether the adapter uses an account iterator. Use the remove operation to disable this feature.
`ACCOUNT_LIST`	Yes	Indicates whether the adapter can list accounts. Use the remove operation to disable this feature.
`ACCOUNT_LOGIN`	Yes	Indicates whether a user can login to an account. Use the remove operation if logins can be disabled.
`ACCOUNT_PASSWORD`	Yes	Indicates whether an account requires a password. Use the remove operation if passwords can be disabled.
`ACCOUNT_RENAME`	No	Indicates whether an account can be renamed. Use the put operation to enable this feature.
`ACCOUNT_REPORTS_DISABLED`	No	Indicates whether the resource reports if an account is disabled. Use the put operation to enable this feature.
`ACCOUNT_UNLOCK`	No	Indicates whether an account can be unlocked. Use the put operation if accounts can be unlocked.
`ACCOUNT_UPDATE`	Yes	Indicates whether an account can be modified. Use the remove operation if accounts cannot be updated.
`ACCOUNT_USER_PASSWORD_ON_CHANGE`	No	Indicates whether the user’s current password must be specified when changing the password. Use the put operations if the user’s current password is required.

Table 9–18 Group Features


Feature Name	Enabled in Base?	Comments
`GROUP_CREATE,GROUP_DELETE, GROUP_UPDATE`	No	Indicates whether groups can be created, deleted, or updated. Use the put operation to if these features are supported on the resource.

Table 9–19 Organizational Unit Features


Feature Name	Enabled in Base?	Comments
`ORGUNIT_CREATEORGUNIT_DELETEORGUNIT_UPDATE`	No	Indicates whether organizational units can be created, deleted, or updated. Use the put operation to if these features are supported on the resource.

If your custom adapter overrides the ResourceAdapterBase implementation of the getFeatures method, add code similar to the following:

public GenericObject getFeatures() {
GenericObject genObj = super.getFeatures();
genObj.put(Features.ACCOUNT_RENAME, Features.ACCOUNT_RENAME);
genObj.remove(Features.ACCOUNT_UPDATE, Features.ACCOUNT_UPDATE);
.. other features supported by this Resource Adapter …
return genObj;
}

To disable a feature by overriding a different method (such as supportsActions) add code similar to the following:

public boolean supportsActions() {
   return true;
}

The following tables describe the methods used to create, delete, and update accounts on Resources.

Table 9–20 Creating Accounts on the Resource


Method	Description
`realCreate()`	Creates the account on the resource. Receives a user object as input, and contains the account attribute information needed to create the user account (such as account name, password, and user name)

Table 9–21 Deleting Accounts on the Resource


Method	Description
`realDelete()`	Deletes one or more accounts on the resource. Receives a user object or list of user objects as input. By default, this method creates a connection, calls `realDelete`, closes the connection for each user object in the list.

Table 9–22 Updating Accounts on the Resource


Method	Description
`realUpdate()`	Updates a subset of the account attributes. By default, this method creates a connection, calls `realUpdate`, and closes the connection for each user object in the list. NOTE: User account attributes from the resource are merged with any new changes from Identity Manager.

Table 9–23 Getting User Information


Method	Description
`getUser()`	Retrieves information from the resource about user attributes. Receives a user object as input (typically with only an account identity set), and returns a new user object with values set for any attribute defined in resource schema map.

You can use list methods to establish processes that adapters use to retrieve user information from the resource.

Table 9–24 List Methods


Method	Description
`getAccountIterator()`	Used to discover or import all the users from a resource. Implements the Account Iterator interface to iterate over all users of a resource.
`listAllObjects ()`	Given a resource object type (such as `accountID` or group), returns a list of that type from the resource. Implement this method to generate lists that are used by the resource, such as a list of resource groups or distribution lists. This method is called from the user form (not called by provisioning engine).

Best Practice

When writing an AccountIterator interface implementation for a custom adapter, try to do the following:

Have the AccountIterator.next() method return a user that contains all attributes in the schema map when getAccountIterator() is called. The reconciler will trim the schema (in a cloned resource used for the getAccountIterator() request) to request only those attributes the reconciler needs. Generally, the reconciler needs only the accountId attribute; but there are cases when the reconciler has additional attributes in the schema. Other getAccountIterator() users, such as Load From Resource, potentially need all of the schema attributes.

Try to create a “smart” adapter that does the right thing based on what is in the schema map. If your adapter can just list the accounts and get the requested information, then the adapter should just do those tasks. Otherwise, the adapter might have to fetch an account to get the required attributes. Adapters that are not smart always get all the attributes.
Make your adapter as scalable as possible, which generally means the adapter does not list or fetch all of the accounts at once. Instead, your adapter should iterate over the accounts as the AccountIterator.next() method is called. Avoid having your adapter do much in the AccountIterator constructor.

The following example shows code for retrieving information from a resource and converting that information into information that Identity Manager can work with.

Resource Adapters: Retrieving Information on a Resource

public WSUser getUser(WSUser user)
 throws WavesetException {
    String identity = getIdentity(user);
     WSUser newUser = null;
    try {
         startConnection();
        Map attributes = fetchUser(user);
         if (attributes != null) {
             newUser = makeWavesetUser(attributes);
         }
     } finally {
         stopConnection();
     }
     return newUser;
 }

Table 9–25 Enable and Disable Methods


Method	Description
`supportsAccountDisable()`	Returns `true` or `false` depending on whether the resource supports native account disable.
`realEnable()`	Implements native calls that are needed to enable the user account on the resource.
`realDisable()`	Implements native calls that are needed to disable the user account on the resource.

Disabling User Accounts

You can disable an account by using the disable utilities supported by the resource or the account disable utility provided by Identity Manager.

Note –

Use native disable utilities whenever possible.

Native support for disabling an account: Certain resources provide a separate flag that, when set, prevents users from logging in. Example utilities include User Manager for Active Directory Users and Computers for Active Directory, and ConsoleOne or Netware Administrator for NDS/Netware. When an account is enabled, the user’s original password is still valid. You can determine whether native support for account disable is available on your resource by implementing the supportsAccountDisable method.
Identity Manager disable utility: If the resource does not support disabling an account, or supports disable by means of resetting the user’s password, the Identity Manager provisioning engine disables the account. You can perform the disable by setting the user account to a randomly generated, non-displayed, non-retained password. When the account is enabled, the system randomly generates a new password, which is displayed in the Identity Manager Administrative interface or emailed to the user.

Enabling Pass-Through Authentication for Resource Types

Use the following general steps to enable pass-through authentication in a resource type:

To Enable Pass-Through Authentication on a Resource Type

Ensure that the adapter’s getFeatures() method returns ResourceAdapter.ACCOUNT_LOGIN as a supported feature.

If your custom adapter overrides the ResourceAdapterBase implementation, add the following code.

public GenericObject getFeatures() {
GenericObject genObj = super.getFeatures();
genObj.put(Features.ACCOUNT_RENAME, Features.ACCOUNT_RENAME);
.. other features supported by this Resource Adapter …
return genObj;
}

If your custom adapter does not override the getFeatures() implementation in the ResourceAdapterBase class, it will inherit the getFeatures() implementation that is exported for ACCOUNT_LOGIN by default.

Add the <LoginConfigEntry> element to the adapter’s prototypeXML.

Implement the adapter’s authenticate() method.

The authenticate() method authenticates the user against the resource by using the authentication property name/value pairs provided in the loginInfo map. If authentication succeeds, be sure that the authenticated unique ID is returned in the WavesetResult by adding a result as follows:
result.addResult(Constants.AUTHENTICATED_IDENTITY, accountID);
If authentication succeeded, but the user’s password was expired, then in addition to the identity added above, also add the password expired indicator to the result to be returned. This will ensure that the user will be forced to change their password on at least resource upon next login to Identity Manager.
result.addResult(Constants.RESOURCE_PASSWORD_EXPIRED, new Boolean(true));
If authentication fails (because the user name or password is invalid), then:
throw new WavesetException("Authentication failed for " + uid + ".");