openIDM sync for custom object


This topic has 9 replies, 3 voices, and was last updated 6 years, 10 months ago by ssripathy.

  • #6224
     bindu
    Participant

    I created a custom user object in ForgeRock openIDM. While creating a user in openIDM it is synced to openDJ, but user data is not getting synced when I do an update.

    When I remove the mappings for openIDM and openDJ and create new mappings, sync works fine for some time and later it stops working. Again I have to remove the old mappings and create new mappings. Is there any way to solve this issue? Please help me if someone knows the fix.

    My sync.json mapping for managed/user to system/ldap/account in openIDM looks like this:

    {
      "enableSync" : true,
      "source" : "managed/user",
      "onCreate" : {
        "source" : "target.dn='uid='+source.loginId+','+source.ou",
        "type" : "text/javascript"
      },
      "name" : "managedUser_sourceLdapAccount",
      "target" : "system/ldap/account",
      "properties" : [
        {
          "source" : "givenName",
          "target" : "givenName"
        },
        {
          "source" : "description",
          "target" : "description"
        },
        {
          "source" : "familyName",
          "target" : "familyName"
        },
        {
          "source" : "gender",
          "target" : "gender"
        },
        {
          "source" : "mobilePhone",
          "target" : "mobilePhone"
        },
        {
          "source" : "emailAddress",
          "target" : "mail"
        },
        {
          "source" : "homePhone",
          "target" : "homePhone"
        },
        {
          "source" : "workPhone",
          "target" : "workPhone"
        },
        {
          "source" : "_id",
          "target" : "userUUID"
        },
        {
          "source" : "middleName",
          "target" : "sn"
        },
        {
          "source" : "birthDay",
          "target" : "birthDay"
        },
        {
          "source" : "country",
          "target" : "pcountry"
        },
        {
          "target" : "cn",
          "source" : "",
          "transform" : {
            "source" : "source.displayName||(source.givenName+' '+source.familyName)",
            "type" : "text/javascript"
          }
        },
        {
          "target" : "userPassword",
          "transform" : {
            "source" : "openidm.decrypt(source)",
            "type" : "text/javascript"
          },
          "source" : "password",
          "condition" : {
            "source" : "object.password!=null",
            "type" : "text/javascript"
          }
        },
        {
          "source" : "displayName",
          "target" : "displayName"
        }
      ],
      "policies" : [
        {
          "action" : "CREATE",
          "situation" : "ABSENT"
        },
        {
          "action" : "IGNORE",
          "situation" : "ALL_GONE"
        },
        {
          "action" : "EXCEPTION",
          "situation" : "AMBIGUOUS"
        },
        {
          "action" : "UPDATE",
          "situation" : "CONFIRMED"
        },
        {
          "action" : "UPDATE",
          "situation" : "FOUND"
        },
        {
          "action" : "EXCEPTION",
          "situation" : "FOUND_ALREADY_LINKED"
        },
        {
          "action" : "EXCEPTION",
          "situation" : "LINK_ONLY"
        },
        {
          "action" : "UNLINK",
          "situation" : "MISSING"
        },
        {
          "action" : "IGNORE",
          "situation" : "SOURCE_IGNORED"
        },
        {
          "action" : "EXCEPTION",
          "situation" : "SOURCE_MISSING"
        },
        {
          "action" : "IGNORE",
          "situation" : "TARGET_IGNORED"
        },
        {
          "action" : "EXCEPTION",
          "situation" : "UNASSIGNED"
        },
        {
          "action" : "DELETE",
          "situation" : "UNQUALIFIED"
        }
      ]
    }

    #6226
     Bill Nelson
    Participant

    The behavior you are describing (it works for a time and then stops working) doesn’t make sense – especially if you are attempting to perform the same actions on the same managed object.

    Your situation/actions appear to be fine, but I would need to see the log entries generated when you attempt this failed action and then compare them with a successful attempt.

    If you are running on a Linux box, I would suggest that you tail the following files: audit/activity.csv, logs/openidm0.log.0, and (if you are running in a non-interactive mode – headless) logs/server.out. It also appears that you are writing to an LDAP server; you may want to look at its log files to see if it is complaining about anything (i.e. schema errors) when you perform the update action.

    #6227
     ssripathy
    Participant

    I can suggest you could do a few things here to help:
    - put in a correction query
    - after you do the sync to create the object, look at the links table to see if the managed user is linked to the ldap acct
    Also check the OpenIDM logs for errors so your issue can be narrowed down to specifics.
    Good luck!

    #6228
     ssripathy
    Participant

    Sorry I meant correlation query above.

    #6229
     Bill Nelson
    Participant

    It depends on how you write your correlation query. I may need to be corrected after all. ;-)

    #6230
     ssripathy
    Participant

    Bill, no correction intended! Your suggestions as always are on the mark and by the way you have a great blog going.

    #6233
     Bill Nelson
    Participant

    Well, garsh (and thank you for the kind words).

    Bindu, sorry for hijacking this posting, let us know if you are able to provide the log information and we can attempt to help you from there.

    #6234
     bindu
    Participant

    Thanks Bill and Sripathy. Let me try out your suggestions :)

    #6267
     bindu
    Participant

    Actually we set a password policy stating that the password to be updated should not be in the history. But our sync.json updates the password also each time we update values in openIDM, which tries to sync to openDJ also. So this issue can be fixed by moving the password field to the onCreate trigger.

    #6269
     ssripathy
    Participant

    Yes, OpenIDM will sync all the mapped fields unless there are conditions against a particular field to prevent its sync. If your rules require sync to DJ or other target systems upon password update in IDM, then your solution wouldn’t work. There are other ways to work around the issue you have.
    If it's just a 1-time pwd set like you just did with onCreate, then yes, you are all good.
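The point made in this thread (an unconditional "password" property is re-sent to OpenDJ on every managed-user update, tripping the password-history policy, while a password set only in onCreate is sent once) can be seen with the small interpreter below. It is an added illustration and not OpenIDM's sync engine or any code from the thread: it evaluates the `properties`, `condition`, `transform` and `onCreate` scripts in the same shape as the poster's sync.json, using `new Function` as a stand-in for OpenIDM's script engine, a constructed `openidm.decrypt()` stub, a trimmed property list, and a constructed managed user. The rule that an empty `"source": ""` passes the whole source object to the transform is what the thread's `cn` mapping relies on.

```javascript
'use strict';

// Constructed stand-in for OpenIDM's openidm.decrypt(): the real one decrypts a
// managed-object crypto value; here an encrypted value is just a tagged wrapper.
const openidm = { decrypt: (v) => (v && v.$crypto ? v.$crypto.value : v) };

// condition scripts see the whole source object as `object` (as in the thread's
// "object.password!=null"); a missing condition always passes.
function evalCondition(condition, sourceObject) {
  if (!condition) return true;
  return Boolean(new Function('object', 'return (' + condition.source + ');')(sourceObject));
}

// transform scripts see the mapped attribute as `source`; with an empty property
// source the whole source object is passed instead (the thread's cn mapping).
function applyProperties(properties, sourceObject) {
  const target = {};
  for (const p of properties) {
    if (!evalCondition(p.condition, sourceObject)) continue;
    const raw = p.source ? sourceObject[p.source] : sourceObject;
    const value = p.transform
      ? new Function('source', 'openidm', 'return (' + p.transform.source + ');')(raw, openidm)
      : raw;
    if (value !== undefined) target[p.target] = value;
  }
  return target;
}

// onCreate runs only when the situation leads to a CREATE (ABSENT in the thread's
// policies); it may set target attributes directly, like target.dn does.
function syncAttributes(mapping, situation, sourceObject) {
  const target = applyProperties(mapping.properties, sourceObject);
  if (situation === 'ABSENT' && mapping.onCreate) {
    new Function('source', 'target', 'openidm', mapping.onCreate.source)(sourceObject, target, openidm);
  }
  return target;
}

const baseProperties = [
  { source: 'givenName', target: 'givenName' },
  { source: 'familyName', target: 'familyName' },
  { target: 'cn', source: '', transform: { source: "source.displayName||(source.givenName+' '+source.familyName)", type: 'text/javascript' } },
];

// Mapping as posted: password is a normal property, so it is computed on every update.
const originalMapping = {
  onCreate: { source: "target.dn='uid='+source.loginId+','+source.ou", type: 'text/javascript' },
  properties: baseProperties.concat([{
    target: 'userPassword',
    source: 'password',
    transform: { source: 'openidm.decrypt(source)', type: 'text/javascript' },
    condition: { source: 'object.password!=null', type: 'text/javascript' },
  }]),
};

// The poster's fix: password is set only in onCreate and no longer mapped as a property.
const movedMapping = {
  onCreate: {
    source: "target.dn='uid='+source.loginId+','+source.ou; if (source.password != null) { target.userPassword = openidm.decrypt(source.password); }",
    type: 'text/javascript',
  },
  properties: baseProperties,
};

// Constructed managed user; the password is stored encrypted, as in managed/user.
const sampleUser = {
  loginId: 'jdoe', ou: 'ou=People,dc=example,dc=com',
  givenName: 'Jane', familyName: 'Doe',
  password: { $crypto: { value: 'constructed-secret' } },
};

// Returns the attribute names that would be written on an update (CONFIRMED situation).
function attributesSentOnUpdate(mapping, user) {
  return Object.keys(syncAttributes(mapping, 'CONFIRMED', user)).sort();
}

console.log('original mapping, update:', attributesSentOnUpdate(originalMapping, sampleUser));
console.log('moved mapping, update:   ', attributesSentOnUpdate(movedMapping, sampleUser));
console.log('moved mapping, create:   ', syncAttributes(movedMapping, 'ABSENT', sampleUser));
```

With the original mapping every update of any attribute (here just givenName, familyName and cn) also carries userPassword, which is why OpenDJ's password-history policy rejected the updates; with the password moved into onCreate the update carries no userPassword, while a create still sets dn and userPassword. As ssripathy notes, this trade-off only holds when a later password change in IDM does not need to reach DJ.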
