[email protected]

Hi,

so far, I’ve only tested the migration to prepare for my production upgrade. It worked fine and I really like it. I’m considering changing the database-backend, that’s the only reason I haven’t upgraded yet.

Best regards
Patrick

Hi Fabrizio,

I’m aware of two possibilities.

a) I’ve seen a forgerock demo, where the Identity Gateway is used to enforce such policies. Basically, your browser talks to the gateway, which detectes “User is HR” and modifies the search to include some “and departement eq ‘hr'”. Quite generic, should work with the default ui.

b) develop your own…[Read more]

IMHO IDM is lacking regarding retries (might have improved with 6.x). So if you try to delete in postDelete, your LDAP-server might be unavailable and deletion in LDAP might fail. But even if you had a hundred retries, eventually deletion would fail, resulting in orphaned entries in LDAP.

Therefore, I would prefer to handle this issue in the…[Read more]

If an entry is deleted in your source database, a simple livesync won’t be able to detect it. You can work around this by setting a “deleted” flag instead of actually deleting, if you need fast reactions by IDM.

And of course “should” is not “will work”. If there is any issue, missing an entry with livesync is a possibility. A regular…[Read more]

Does “all the methods” contain “query”?

I suppose methods should be “read,query”.

In order to minimize update, manual checking using condition scripts should not be necessary. OpenIDM should automatically check and avoid unnecessary update operations if source and target are equal.

However, the comparison of source and target cat be tricky. I once had a similar issue due to using the wrong datatype. Something along the lines…[Read more]

In my experience, the Save button is enabled, when a change to the value is detected, but the javascript is not evaluated when you actually change a value, but when you leave a field.

Try changing a value and select a different usereditable field next, e.g. givenName.

Your endpoint does not seem to return (valid) json. Try detectResultFormat=false.

Basically, you’d create some groups in AD to control access to your fileshare (sharpoint-sites, shared mailboxes, etc.). Then you can assign those groups using OpenIDM.

I’d prefer a fine granularity with a “capability”-style and groups like “mayReadDirectory” and assigning multiple groups using OpenIDM, instead of creating a role-style like…[Read more]

You are running IDM 5.5? In earlier versions (at least including 4.5) REST calls could only be performed using http but not using https. forgerock suggested using stunnel.
I’m not sure https is supported in 5.5, perhaps you should try http and stunnel instead?

Hi Chris,

regarding option 1: don’t get the fullobject and the properties-table out of sync. And don’t forget about possible policy-settings which OpenIDM would enforce but go unchecked if you change the repository directly.
I’d prefer option 2, but keep in mind that every modification will trigger a sync for all mappings defined from…[Read more]

Hi,

you are supposed to perform an in-place-upgrade. I have to admit that I would feel more comfortable if I had an opportunity to run old and new side-by-side, but that’s the way it is.

For upgrade from 3.1 to 4.0 there was a scripted-connector enabling you to run 3.1 and 4.0 and migrating managed/user, but you had to create your own scripts to…[Read more]

given the trace, you probably try to do some logging in triggerEmailNotification line 10. It has to be “logger.warn” in javascript, groovy would use log.warn.

Depends on what you want to accomplish. I regularly send messages to a queue when certain events in OpenIDM trigger, that’s simple and does not require a connector at all. Just calling the java-code from javascript.
Having OpenIDM listening to activemq and reacting to messages is a different story.

Hi Johan,

OpenIDM supports elasticsearch as backend for audit-data, though I don’t know if graylog can interpret that format. Anyway, upgrading to 4.5 to get the elasticsearch backend and perhaps modifying/customizing the format would be a reasonable approach.

Regards,
Patrick.

If you access the admin ui like I described and toggle “Enable LiveSync for this mapping” like I described, you toggle “enableSync” for the specific mapping, which will enable or disable the mapping, regardless of LiveSync or implicit sync. https://backstage.forgerock.com/docs/openidm/4.5/integrators-guide/#disabling-automatic-sync

I agree that…[Read more]

I appologise for my poor wording. To clarify: accessing one of the mappings, looking at the tab “scheduling”, section “LiveSync” the option “Enable LiveSync for this mapping” is activated, which means that “implicit sync” should trigger. Which it does not for most of my mappings.

Looking at activity.csv I see my changes (also on openidm0.log.0…[Read more]

Hmmmm, it’s like “14 mappings stopped working”, while one seems to work… very strange. Nothing in common, some are powershell, some LDAP, some database table (postgresql, sqlserver, oracle, mysql), some scripted database….
However, I just discovered issues regarding queries against managed/user. Possibly live sync involves similar queries, so…[Read more]