Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Setting Up Identity Manager 5.0 SP1 and Earlier

Identity Manager installations prior to 5.0 SP2 require a modification to the workflow for coexistence with Identity Synchronization for Windows. These changes allow updates from other Identity Manager resources to be propagated to Directory Servers (provisioning) and to Active Directory (passwords and provisioning). Administrators must install the Identity Manager component pwsync on every domain controller where password synchronization with the other Identity Manager-managed resources (except Directory Server) is desired.

This workflow change causes the end user to see an error during the password change. The password change is nevertheless propagated to Directory Server.

To modify the workflow:

  1. Install pwsync on all Active Directory domain controllers.

  2. Modify the Identity Manager task definition for Change User Password, which can be done from the /debug page or the Configuration Editor.

    1. Add a new activity to remove the Directory Server resources that should not have the password reset.

    2. Replace the string NAME DS RESOURCE with the name of each such Directory Server resource. The activity to add is:


      <Activity id='1' name='RemoveLDAP'>
         <Variable name='userObject'/>
         # checkout user #
         <Action id='0' application='com.waveset.session.WorkflowServices'>
            <Argument name='op' value='checkoutObject'/>
            <Argument name='type' value='User'/>
            <Argument name='name' value='$(accountId)'/>
            <Argument name='authorized' value='true'/>
            <Return from='object' to='userObject'/>
         </Action>
         <Action id='1'>
            <expression>
               <block>
                  # Get pending changes for Directory Server resource #
                  <defvar name='resourceInfo'>
                     <invoke name='getResourceInfo'>
                        <ref>userObject</ref>
                        <s>NAME DS RESOURCE</s>
                     </invoke>
                  </defvar>
                  # Clears pending password change #
                  <invoke name='setPassword'>
                     <ref>resourceInfo</ref>
                     <null/>
                  </invoke>
                  # Get other pending resource changes #
                  <defvar name='resourceInfoAttributes'>
                     <invoke name='getAttributes'>
                        <ref>resourceInfo</ref>
                     </invoke>
                  </defvar>
                  # Removes expire password flag #
                  <invoke name='remove'>
                     <ref>resourceInfoAttributes</ref>
                     <s>expirePassword</s>
                  </invoke>
                  # Set cleared attributes for check in #
                  <invoke name='setAttributes'>
                     <ref>resourceInfo</ref>
                     <ref>resourceInfoAttributes</ref>
                  </invoke>
               </block>
            </expression>
         </Action>
         # Check in user #
         <Action id='2' application='com.waveset.session.WorkflowServices'>
            <Argument name='op' value='checkinObject'/>
            <Argument name='object' value='$(userObject)'/>
         </Action>
         <Transition to='Reprovision'/>
      </Activity>
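The activity above holds a single NAME DS RESOURCE placeholder, yet a deployment may have several Directory Server resources to exclude. The following Python script is an added example (not from the Sun guide or the Identity Manager product) that generates the RemoveLDAP activity for a list of resource names and re-parses the result to confirm it is well-formed before you paste it into the Change User Password task definition. It assumes that getResourceInfo takes one resource name, so the clear-pending-password block is repeated once per resource; the resource names used in the test are constructed.

```python
# Added example: generate the RemoveLDAP activity for one or more Directory
# Server resources. Assumption: one clearing block per resource name.
import xml.etree.ElementTree as ET

WF_SERVICES = "com.waveset.session.WorkflowServices"

def _arg(parent, name, value):
    ET.SubElement(parent, "Argument", name=name, value=value)

def _invoke(parent, name, *children):
    # <invoke name='...'> with <ref>/<s> children in the given order
    inv = ET.SubElement(parent, "invoke", name=name)
    for tag, text in children:
        ET.SubElement(inv, tag).text = text
    return inv

def build_remove_ldap_activity(ds_resources, next_activity="Reprovision"):
    """Return the RemoveLDAP <Activity> element (checkout, clear, checkin)."""
    act = ET.Element("Activity", id="1", name="RemoveLDAP")
    ET.SubElement(act, "Variable", name="userObject")
    a0 = ET.SubElement(act, "Action", id="0", application=WF_SERVICES)
    for n, v in (("op", "checkoutObject"), ("type", "User"),
                 ("name", "$(accountId)"), ("authorized", "true")):
        _arg(a0, n, v)
    ET.SubElement(a0, "Return", {"from": "object", "to": "userObject"})
    expr = ET.SubElement(ET.SubElement(act, "Action", id="1"), "expression")
    block = ET.SubElement(expr, "block")
    for i, res in enumerate(ds_resources):
        sfx = "" if len(ds_resources) == 1 else str(i)   # keep page's names for one resource
        info, attrs = "resourceInfo" + sfx, "resourceInfoAttributes" + sfx
        _invoke(ET.SubElement(block, "defvar", name=info),
                "getResourceInfo", ("ref", "userObject"), ("s", res))
        ET.SubElement(_invoke(block, "setPassword", ("ref", info)), "null")
        _invoke(ET.SubElement(block, "defvar", name=attrs), "getAttributes", ("ref", info))
        _invoke(block, "remove", ("ref", attrs), ("s", "expirePassword"))
        _invoke(block, "setAttributes", ("ref", info), ("ref", attrs))
    a2 = ET.SubElement(act, "Action", id="2", application=WF_SERVICES)
    _arg(a2, "op", "checkinObject")
    _arg(a2, "object", "$(userObject)")
    ET.SubElement(act, "Transition", to=next_activity)
    return act

def activity_xml(ds_resources):
    """Serialise, then re-parse so a malformed template fails before deployment."""
    xml = ET.tostring(build_remove_ldap_activity(ds_resources), encoding="unicode")
    ET.fromstring(xml)  # raises ParseError if the output is not well-formed
    return xml

def count_cleared_resources(xml):
    """Number of resources whose pending password change the activity clears."""
    return sum(1 for inv in ET.fromstring(xml).iter("invoke")
               if inv.get("name") == "setPassword" and inv.find("null") is not None)
```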