patrick.hagen@kit.edu


@patrick-hagenkit-edu

active 3 months, 1 week ago
  • patrick.hagen@kit.edu replied to the topic Data Migration Service in Forgerock IDM6.5 in the forum Identity Management 1 year, 4 months ago

    Hi,

    so far, I’ve only tested the migration to prepare for my production upgrade. It worked fine and I really like it. I’m considering changing the database-backend, that’s the only reason I haven’t upgraded yet.

    Best regards
    Patrick

  • patrick.hagen@kit.edu replied to the topic Search User Visibility in the forum Identity Management 2 years, 1 month ago

    Hi Fabrizio,

    I’m aware of two possibilities.

    a) I’ve seen a forgerock demo, where the Identity Gateway is used to enforce such policies. Basically, your browser talks to the gateway, which detects “User is HR” and modifies the search to include some “and departement eq ‘hr'”. Quite generic, should work with the default ui.

    b) develop your own…[Read more]

  • patrick.hagen@kit.edu replied to the topic Best way to handle deleted user reconciliation with ldap account in the forum Identity Management 2 years, 3 months ago

    IMHO IDM is lacking regarding retries (might have improved with 6.x). So if you try to delete in postDelete, your LDAP-server might be unavailable and deletion in LDAP might fail. But even if you had a hundred retries, eventually deletion would fail, resulting in orphaned entries in LDAP.

    Therefore, I would prefer to handle this issue in the…[Read more]

  • patrick.hagen@kit.edu replied to the topic Reconciliation needed? in the forum Identity Management 2 years, 4 months ago

    If an entry is deleted in your source database, a simple livesync won’t be able to detect it. You can work around this by setting a “deleted” flag instead of actually deleting, if you need fast reactions by IDM.

    And of course “should” is not “will work”. If there is any issue, missing an entry with livesync is a possibility. A regular…[Read more]

  • patrick.hagen@kit.edu replied to the topic new managed object read in the forum Identity Management 2 years, 6 months ago

    Does “all the methods” contain “query”?

    I suppose methods should be “read,query”.

  • patrick.hagen@kit.edu replied to the topic only update in ldap if attribute is changed in the forum Identity Management 2 years, 10 months ago

    In order to minimize update, manual checking using condition scripts should not be necessary. OpenIDM should automatically check and avoid unnecessary update operations if source and target are equal.

    However, the comparison of source and target can be tricky. I once had a similar issue due to using the wrong datatype. Something along the lines…[Read more]

  • patrick.hagen@kit.edu replied to the topic OpenIDM 4.5.0 — Save button disabled in Admin View in the forum Identity Management 2 years, 10 months ago

    In my experience, the Save button is enabled, when a change to the value is detected, but the javascript is not evaluated when you actually change a value, but when you leave a field.

    Try changing a value and select a different usereditable field next, e.g. givenName.

  • patrick.hagen@kit.edu replied to the topic OpenIDM 5.5 external/rest call throws No content to map due to end-of-input in the forum Identity Management 2 years, 10 months ago

    Your endpoint does not seem to return (valid) json. Try detectResultFormat=false.

  • patrick.hagen@kit.edu replied to the topic How do I assign permissions for directories to a role with AD in the forum Identity Management 2 years, 10 months ago

    Basically, you’d create some groups in AD to control access to your fileshare (sharepoint-sites, shared mailboxes, etc.). Then you can assign those groups using OpenIDM.

    I’d prefer a fine granularity with a “capability”-style and groups like “mayReadDirectory” and assigning multiple groups using OpenIDM, instead of creating a role-style like…[Read more]

  • patrick.hagen@kit.edu replied to the topic external REST call in the forum Identity Management 3 years ago

    You are running IDM 5.5? In earlier versions (at least including 4.5) REST calls could only be performed using http but not using https. forgerock suggested using stunnel.
    I’m not sure https is supported in 5.5, perhaps you should try http and stunnel instead?

  • patrick.hagen@kit.edu replied to the topic Large (bulk) updates to correct user data in the forum Identity Management 3 years ago

    Hi Chris,

    regarding option 1: don’t get the fullobject and the properties-table out of sync. And don’t forget about possible policy-settings which OpenIDM would enforce but go unchecked if you change the repository directly.
    I’d prefer option 2, but keep in mind that every modification will trigger a sync for all mappings defined from…[Read more]

  • patrick.hagen@kit.edu replied to the topic OpenIDM data migration between servers in the forum Identity Management 3 years, 1 month ago

    Hi,

    you are supposed to perform an in-place-upgrade. I have to admit that I would feel more comfortable if I had an opportunity to run old and new side-by-side, but that’s the way it is.

    For upgrade from 3.1 to 4.0 there was a scripted-connector enabling you to run 3.1 and 4.0 and migrating managed/user, but you had to create your own scripts to…[Read more]

  • patrick.hagen@kit.edu replied to the topic Send email to Manager on new User Creation in the forum Identity Management 3 years, 2 months ago

    given the trace, you probably try to do some logging in triggerEmailNotification line 10. It has to be “logger.warn” in javascript, groovy would use log.warn.

  • patrick.hagen@kit.edu replied to the topic I’m trying to link ActiveMQ with openIDM in the forum Identity Management 3 years, 3 months ago

    Depends on what you want to accomplish. I regularly send messages to a queue when certain events in OpenIDM trigger, that’s simple and does not require a connector at all. Just calling the java-code from javascript.
    Having OpenIDM listening to activemq and reacting to messages is a different story.

  • patrick.hagen@kit.edu replied to the topic Audit Log in the forum Identity Management 3 years, 4 months ago

    Hi Johan,

    OpenIDM supports elasticsearch as backend for audit-data, though I don’t know if graylog can interpret that format. Anyway, upgrading to 4.5 to get the elasticsearch backend and perhaps modifying/customizing the format would be a reasonable approach.

    Regards,
    Patrick.

  • patrick.hagen@kit.edu replied to the topic live-sync broken in my installation in the forum Identity Management 3 years, 6 months ago

    If you access the admin ui like I described and toggle “Enable LiveSync for this mapping” like I described, you toggle “enableSync” for the specific mapping, which will enable or disable the mapping, regardless of LiveSync or implicit sync. https://backstage.forgerock.com/docs/openidm/4.5/integrators-guide/#disabling-automatic-sync

    I agree that…[Read more]

  • patrick.hagen@kit.edu replied to the topic live-sync broken in my installation in the forum Identity Management 3 years, 6 months ago

    I apologise for my poor wording. To clarify: accessing one of the mappings, looking at the tab “scheduling”, section “LiveSync” the option “Enable LiveSync for this mapping” is activated, which means that “implicit sync” should trigger. Which it does not for most of my mappings.

    Looking at activity.csv I see my changes (also on openidm0.log.0…[Read more]

  • patrick.hagen@kit.edu replied to the topic live-sync broken in my installation in the forum Identity Management 3 years, 6 months ago

    Hmmmm, it’s like “14 mappings stopped working”, while one seems to work… very strange. Nothing in common, some are powershell, some LDAP, some database table (postgresql, sqlserver, oracle, mysql), some scripted database….
    However, I just discovered issues regarding queries against managed/user. Possibly live sync involves similar queries, so…[Read more]

  • patrick.hagen@kit.edu started the topic live-sync broken in my installation in the forum Identity Management 3 years, 6 months ago

    Hi all,

    while mappings source->managed/user seem to work fine, updates are missing from managed/user->target.
    Like: new user in sap is detected and managed/user is created, but managed/user->activeDirectory does not seem to trigger at all. Started on Friday, there was an AD-issue, but it is fixed now. Starting a reconciliation manually, all changes…[Read more]

  • patrick.hagen@kit.edu started the topic preserveLastSync: is it required? in the forum Identity Management 3 years, 7 months ago

    Hi all,

    after upgrading from 3.1 to 4.5 I notice an increased load on our repository, which is mostly due to “require(‘ui/onUpdateUser’).preserveLastSync(object, oldObject, request);” in managed_onUpdate.

    In the past it took one insert operation to managedobjects to create a new user, now it is one insert and 15 updates, due to 15 mappings, each…[Read more]

©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
