None
To add the Scripted Host resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.ScriptedGatewayResourceAdapter
The Sun Identity Manager Gateway (gateway.exe) must be installed on the host specified in the Host field for the adapter.
The Scripted Gateway adapter allows you to create a set of actions that perform basic provisioning functions such as creating, updating, deleting, and retrieving user accounts. Each of these actions is defined in a Windows batch file.
The adapter supports the following provisioning actions:
Action | Purpose | Required? |
---|---|---|
create | Creates a new user. | No, but if not provided, users cannot be created. |
delete | Deletes an existing user. | No, but if not provided, users cannot be deleted. |
getAllUsers | Gets information about all users on the resource. | Yes. |
getUser | Fetches attributes for an existing user. | Yes. |
update | Updates attributes for an existing user. | No, but if not provided, users cannot be updated. |
The $WSHOME/sample/ScriptedGateway directory contains a set of sample resource action definitions that could be used to provision users to a theoretical gateway script-based host application. You must customize these definitions to your environment.
For general information about resource actions, see Chapter 50, Adding Actions to Resources.
The Scripted Gateway adapter implements actions as batch files that execute on the gateway. These scripts must be written to run on the version of Windows that has been installed on the machine running the scripts. The same account that runs the Gateway also runs the scripts.
Scripts should follow Windows conventions and exit with a return code of 0, which indicates success. Returning a non-zero code (chosen by the script writer) indicates the operation may not have been correctly completed.
Scripts may output text to the Windows standard error or standard output stream. Depending on the nature of the operation, the context of the operation, and the type of failure, the text may be displayed in the results for that operation.
For the getUser and getAllUsers operations, the text written to the standard output stream is parsed to determine the attributes of each user.
The following types of environment variables can be exported to the scripts:
Any account attribute defined in the Identity System Resource Attribute column of the schema map can be made available to the script by prefixing the account attribute with WSUSER_. For example, if an account attribute is named Full Name, the environment variable is named WSUSER_Full Name.
Adapter configuration settings can be passed with environment variables that begin with WSRSRC_. The most important variable is WSRSRC_Name, which defines the name of the adapter. If you are running the same script on different resources, this variable can be used to avoid maintaining multiple copies of scripts that do the same thing on different gateways.
The WSOBJ_ID and WSOBJ_NAME variables define the account ID and name, respectively. These variables are available to the Scripted Gateway adapter only.
The following example shows a generated environment:
```
WSUSER_Email=testuser@waveset.com
WSUSER_First Name=JUnit
WSUSER_Full Name=JUnit TestUser
WSUSER_Last Name=TestUser
WSUSER_User ID=USER5647
WSUSER_ws_action_type=WindowsBatch
WSOBJ_ID=testuser
WSOBJ_NAME=testuser
WSRSRC_NAME=Scripted Gateway
WSRSRC_CLASS=com.waveset.adapter.ScriptedGatewayResourceAdapter
WSRSRC_Host=localhost
WSRSRC_List Objects Timeout=900000
WSRSRC_Request Timeout=30000
WSRSRC_TCP Port=9278
WSRSRC_connectionLimit=10
```
Generally, if an attribute’s value is null, the corresponding environment variable may be omitted instead of having a value of a zero-length string.
For more information about the variables available in a script, see Chapter 50, Adding Actions to Resources.
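As an added example (not Identity Manager code), the following Python model builds the environment described above and flags values containing characters that cmd.exe interprets when a batch file expands `%NAME%` unquoted, which matters because the scripts run under the Gateway's account. The function names, the character list chosen for review, and the sample values are assumptions made for this illustration.

```python
import re

# Characters cmd.exe treats specially when a batch file expands %NAME% unquoted.
CMD_META = re.compile(r'[&|<>^%!"()]')


def build_environment(account_id, account_name, user_attrs, resource_settings):
    """Model of the exported variables: WSUSER_ for schema-map account
    attributes, WSOBJ_ for the account ID and name, WSRSRC_ for adapter
    settings. Attributes whose value is None are omitted, not exported as ""."""
    env = {"WSOBJ_ID": account_id, "WSOBJ_NAME": account_name}
    for name, value in user_attrs.items():
        if value is not None:
            env["WSUSER_" + name] = str(value)
    for name, value in resource_settings.items():
        if value is not None:
            env["WSRSRC_" + name] = str(value)
    return env


def audit_environment(env):
    """Return {variable: sorted metacharacters found} for values that need
    quoting or validation before a batch script uses them in a command."""
    findings = {}
    for name, value in env.items():
        hits = sorted(set(CMD_META.findall(value)))
        if hits:
            findings[name] = hits
    return findings


# Constructed sample input; attribute names follow the example environment.
SAMPLE_ATTRS = {
    "Email": "testuser@waveset.com",
    "First Name": "JUnit",
    "Full Name": "R&D | Test <User>",  # constructed value with metacharacters
    "Last Name": None,                 # null attribute: variable is omitted
}
SAMPLE_SETTINGS = {"Host": "localhost", "TCP Port": 9278, "Request Timeout": 30000}

if __name__ == "__main__":
    env = build_environment("testuser", "testuser", SAMPLE_ATTRS, SAMPLE_SETTINGS)
    for name in sorted(env):
        print(f"{name}={env[name]}")
    for name, chars in audit_environment(env).items():
        print(f"review quoting for {name!r}: contains {' '.join(chars)}")
```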
The AttrParse mechanism processes the results returned by the getUser and getAllUsers actions through the standard output stream. See Chapter 49, Implementing the AttrParse Object for details about implementing AttrParse objects.
For getUser actions, AttrParse returns a map of user attributes. For the getAllUsers action, it generates a map of maps. Each entry in the returned map contains the following:
A value that is a map of user attributes, like the one AttrParse typically returns.
A key that is the account ID or, if that is not known, the name.
The collectCsvHeader and collectCsvLines AttrParse tokens must be used to determine attributes and values. Do not use other AttrParse tokens that perform similar operations.
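To check a script's output before wiring it into the adapter, the following added Python example (an illustrative model of the result shape, not the AttrParse implementation) turns CSV text from standard output into the map of maps described above and reports lines that cannot be keyed. The comma delimiter, the header names `accountId` and `name`, and the sample output are assumptions.

```python
import csv


def parse_script_output(stdout_text, id_header="accountId", name_header="name"):
    """Model of the getAllUsers result: a CSV header line, then one line per
    user, returned as a map of maps keyed by account ID, or by name when the
    ID is unknown. Also returns (line number, reason) for rejected lines;
    line numbers count non-blank lines, with the header as line 1."""
    lines = [ln for ln in stdout_text.splitlines() if ln.strip()]
    if not lines:
        return {}, []
    rows = csv.reader(lines)
    header = [h.strip() for h in next(rows)]
    users, rejected = {}, []
    for line_no, row in enumerate(rows, start=2):
        if len(row) != len(header):
            rejected.append((line_no, "field count differs from header"))
            continue
        # Empty fields are treated as unknown and left out of the attribute map.
        attrs = {h: v.strip() for h, v in zip(header, row) if v.strip()}
        key = attrs.get(id_header) or attrs.get(name_header)
        if not key:
            rejected.append((line_no, "no account ID or name"))
            continue
        users[key] = attrs
    return users, rejected


# Constructed sample of what a getAllUsers script might write to standard output.
SAMPLE_STDOUT = (
    "accountId,name,Full Name,Email\n"
    "USER5647,testuser,JUnit TestUser,testuser@waveset.com\n"
    ",jdoe,Jane Doe,jdoe@example.com\n"
    "USER9001,broken\n"
    ",,Nobody,\n"
)

if __name__ == "__main__":
    users, rejected = parse_script_output(SAMPLE_STDOUT)
    for key, attrs in users.items():
        print(key, attrs)
    for line_no, reason in rejected:
        print(f"line {line_no}: {reason}")
```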
The Scripted Gateway adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long before a request to the gateway times out and is considered hung.
You must manually add this attribute to the Resource object as follows:
```xml
<ResourceAttribute name='Hang Timeout'
    displayName='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT'
    type='int'
    description='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT_HELP'
    value='NewValue'>
</ResourceAttribute>
```
The default value for this attribute is 0, indicating that Identity Manager will not check for a hung connection.
This section provides information about supported connections and privilege requirements.
The Sun Identity Manager Gateway is required.
The administrative account that the gateway runs under must be authorized for all operations defined in the scripts.
The following table summarizes the provisioning capabilities of the Scripted Gateway adapter.
Feature | Supported? |
---|---|
Create account | Yes |
Update account | Yes |
Delete account | Yes |
Enable/disable account | Yes |
Rename account | No |
Pass-through authentication | No |
Before/after actions | No |
Data loading methods | Import directly from resource; Reconciliation |
The Scripted Gateway adapter does not provide default account attributes because the account attributes vary greatly.
You must define an account attribute in which the Identity System user attribute is named accountId.
None. You must supply the identity template with a valid value.
None
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.ScriptedGatewayResourceAdapter