Tuesday, 08 September 2009

Test connection failed ADsOpenObject(): 0X8007203A

Okay, yesterday I received a message from the customer saying that some of the update processes to Active Directory had failed, leaving the virtual user status at "update needed". It turned out that the connection test to the Active Directory server was failing with the error message 'ADsOpenObject(): 0X8007203A', although there had been no changes on the Active Directory server. The ping and telnet tests worked fine too.
It turned out the problem was in the gateway service. The service was running fine, with status "started", but after we restarted the gateway service the connection test worked again. Strange. I still don't know what the cause is; maybe there's a bug in 6.0sp1, I'm not sure. Have to upgrade to version 8.1 fast...

Thursday, 30 April 2009

Lessons learned: Reboot

Okay, this has got nothing to do with Identity Management. It's just that when you, or someone from your team, decide to reboot a couple of servers, you need to check the server type. A partner of mine rebooted 3 servers (we had already asked for permission), but because 2 of the servers were desktops (Sun Ultra 40) they didn't reboot properly. The cause: they need a keyboard and monitor attached to the machine in order to do that.

So I had to go to the data center and make sure the servers were up. Getting permission to go to the data center can be a pain, but thank god for the guys here who were really helpful and didn't make much comment on the incident.

~stressfullweek

Saturday, 18 April 2009

OpenSSO Express 7 is released

Yeah, it's a bit confusing, since the previous release of OpenSSO was OpenSSO Enterprise 8.0. But the Express release is a shorter-cycle release (3 months) that is also supported by Sun. These releases will also be included in the Enterprise release (OpenSSO Enterprise 8.1). So I think the only difference is the release cycle.

The image on this link probably explains it better.

Thursday, 02 April 2009

OpenSSO using OpenDS as UserStore

I finally succeeded in installing OpenSSO using OpenDS as the user store. I'm using OpenSSO 8, OpenDS 1.2.0 and GlassFish v2 with 2 domains. The problem is there's no full guide to implementing this; the docs are scattered all over the internet. I'll try to put up a simple guide, and maybe if I have the time I'll update it with the detailed steps :)

Basically what you need to do is this :

OpenDS installation


- prepare your FQDN (using localhost or 127.0.0.1 won't work)
- install OpenDS
- using dc=opensso,dc=java,dc=net as your base context will make the setup easier
- follow the steps in Indira's blog so that OpenDS has the schema needed by OpenSSO
- some notes on that guide: since I'm using the OpenDS console to manage the directory, inetuser is added as an auxiliary object class. I created the OpenSSOUser and ldapUser entries, but I'm still using Directory Manager as the bind user and it worked. The only LDIF files you need to load are am_remote_opends_schema.ldif and configure_opends_userstore.ldif

OpenSSO installation
The general steps are listed here; the details can be seen here.
- unzip the OpenSSO zip
- copy opensso.war to the staging directory for OpenSSO
- log in to the GlassFish administrator console and deploy the war
- open the OpenSSO URL using your FQDN (not localhost)
- follow the wizard:
-- use dc=opensso,dc=java,dc=net for your base context
-- when setting up the user store for the external DS, use the generic schema
-- if you get the error "cn=mapping tree,cn=config does not exist; matchedDN = cn=config", copy "98-opends_user_schema.ldif" and "99-am_sm_ds_schema.ldif" from Indira's blog. It shouldn't be necessary, though, since the LDIF files from the OpenDS setup are newer.
- if all went well you can log in as amadmin with the password that you gave during the installation steps.


Installing Sample Application
Follow these steps to install the mini apps. It shouldn't be a problem, and then you can test logging in to the mini application.

Monday, 30 March 2009

SAP Future Data

In SAP, employee information is partitioned into more than one InfoType. Each InfoType has its own use, and the data can also be redundant between InfoTypes. SAP data can be sent to IDM in two ways: PFAL and Change Pointer. PFAL is a manual action where all of the InfoTypes are sent, while Change Pointer is a scheduled action where only the changed InfoTypes (delta changes) are sent.

By implementation time, SAP data can be categorized into two kinds: current and future data. Current data is data whose changes are to be executed immediately, while future data is data whose changes only become effective at some date in the future.

We found a bug in our previous implementor's code when handling future data: it treated future data the same as current data. To fix this we need to put the data from the Active Sync form into a deferred task. Each object is stored plain (SAP plain XML data). When the deferred task runs, we then hand the plain data to a workflow to process the resource. This approach is better than assigning the workflow from the start, because if something happens to the workflow (a bug, a change) the deferred tasks that haven't run yet pick up the change immediately. We don't need to clear the deferred tasks and queue the objects all over again.
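The late-binding approach described above, as an added example that is not code from the original post or from Sun IdM / SAP: current records are processed at once, future records are queued as plain payloads with only the name of the workflow, and the workflow is looked up when the task actually runs. The record layout, the workflow names and the XML payloads are constructed for this example.

```python
"""Toy scheduler for 'current' vs 'future' records (added example, not the
post's or Sun IdM's code). Deferred tasks keep the plain payload and a
workflow *name*; the workflow itself is bound only when the task runs, so a
workflow fixed after queuing is applied to the still-pending tasks."""

from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Tuple

Workflow = Callable[[str], str]   # takes the plain payload, returns a result


@dataclass
class DeferredTask:
    run_on: date
    workflow_name: str   # resolved at run time, not when the task is created
    payload: str         # plain SAP-style data, stored as-is


@dataclass
class Scheduler:
    workflows: Dict[str, Workflow] = field(default_factory=dict)
    queue: List[DeferredTask] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def register(self, name: str, wf: Workflow) -> None:
        """Register a workflow; re-registering the same name replaces it."""
        self.workflows[name] = wf

    def ingest(self, records: List[Tuple[date, str]], today: date,
               workflow_name: str) -> int:
        """Current records run now; future records are deferred as plain payloads.
        Returns the number of records that were deferred."""
        deferred = 0
        for effective, payload in records:
            if effective <= today:
                self.log.append(self.workflows[workflow_name](payload))
            else:
                self.queue.append(DeferredTask(effective, workflow_name, payload))
                deferred += 1
        return deferred

    def run_due(self, today: date) -> int:
        """Run every deferred task whose date has arrived, binding the workflow
        by name at this moment. Returns the number of tasks executed."""
        due = [t for t in self.queue if t.run_on <= today]
        self.queue = [t for t in self.queue if t.run_on > today]
        for t in due:
            self.log.append(self.workflows[t.workflow_name](t.payload))
        return len(due)


# Constructed sample: one record effective today, one effective next month.
RECORDS = [
    (date(2009, 3, 30), '<employee id="1001" org="SALES"/>'),
    (date(2009, 5, 1), '<employee id="1002" org="HR"/>'),
]


def provision_v1(payload: str) -> str:
    return "v1:" + payload


def provision_v2(payload: str) -> str:
    return "v2:" + payload   # stands in for a bug-fixed version of the workflow


def run_example() -> List[str]:
    s = Scheduler()
    s.register("provision", provision_v1)
    s.ingest(RECORDS, today=date(2009, 3, 30), workflow_name="provision")
    # The workflow is fixed after the future record was queued; because the
    # task only holds the workflow name, the pending task picks up v2.
    s.register("provision", provision_v2)
    s.run_due(date(2009, 4, 15))   # nothing due yet
    s.run_due(date(2009, 5, 1))
    return s.log


if __name__ == "__main__":
    for entry in run_example():
        print(entry)
```

The contrast with "assigning the workflow from the start" is the `workflow_name` field: had the task stored a reference to `provision_v1` itself, the fix in `provision_v2` would only have reached records queued after it.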

Tuesday, 17 March 2009

IDM 8.1

Hi, did you know that IDM 8.1 has been released?

Other than bug fixes and patches, there are 5 new features. The one that interests me most is "External Resource Management". This feature lets you provision external resources that don't connect directly to Identity Manager, like laptops and mobile phones. Interesting, but I haven't had the time to explore it yet :)

Sunday, 01 March 2009

Selective update in bulk action

I found this on IdM 6.0sp1 and haven't tested it yet on other IdM versions.
Consider this: you want to run a bulk action to update a bunch of users, but not all the users you want to update share the same attributes. Rather than writing a separate bulk action for each attribute set, you can have the bulk action 'ignore' an attribute by leaving the field empty and unquoted (,,) instead of giving it an empty string (,"",). An unquoted empty field leaves the attribute untouched; a quoted empty string clears it.

Take this example:
-user01: firstname="locco", lastname="creamer", email="locco.creamer@example.com"
-user02: firstname="nartha", lastname="rover", email="nartha.rover@example.com"

Then we run the following bulk action script:
"command","user","global.firstname","global.lastname","global.email"
"update","user01","rocco","","rocco.mate@example.com"
"update","user02","martha",,"martha.rover@example.com"

This is the result:
-user01: firstname="rocco", lastname="", email="rocco.mate@example.com"
-user02: firstname="martha", lastname="rover", email="martha.rover@example.com"

Remember, always test your script on your development environment first to avoid any unwanted case.
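As an added example (not code from the original post or from Sun IdM), here is a small reader that keeps the distinction the post relies on and applies the same update semantics to the two sample users: an unquoted empty field (,,) leaves the attribute alone, a quoted "" sets it to the empty string. Note that Python's standard csv module returns '' for both forms, which is why the splitter is written by hand. The sample users, the attribute names and the "global." prefix handling are constructed for this example.

```python
"""Bulk-action CSV with 'skip' vs 'clear' semantics (added example, not the
post's or Sun IdM's code). split_bulk_line() returns None for an unquoted
empty field and '' for a quoted empty string; apply_bulk_script() then treats
None as 'leave this attribute alone'."""

import copy
from typing import Dict, List, Optional

# Sentinel for an unquoted empty field: attribute must not be touched.
SKIP = None


def split_bulk_line(line: str) -> List[Optional[str]]:
    """Split one CSV line, keeping quoted "" (-> '') apart from ,, (-> None).
    Doubled quotes inside a quoted field are unescaped."""
    fields: List[Optional[str]] = []
    i, n = 0, len(line)
    while True:
        if i < n and line[i] == '"':
            i += 1                        # quoted field
            buf = []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted field")
                ch = line[i]
                if ch == '"':
                    if i + 1 < n and line[i + 1] == '"':
                        buf.append('"')   # escaped quote
                        i += 2
                        continue
                    i += 1                # closing quote
                    break
                buf.append(ch)
                i += 1
            fields.append("".join(buf))
        else:
            j = line.find(",", i)         # unquoted field runs to the next comma
            if j == -1:
                j = n
            raw = line[i:j]
            fields.append(SKIP if raw == "" else raw)
            i = j
        if i >= n:
            return fields
        if line[i] != ",":
            raise ValueError(f"unexpected character at {i}: {line[i]!r}")
        i += 1                            # step over the separator
        if i >= n:
            fields.append(SKIP)           # trailing comma: final unquoted empty field
            return fields


def apply_bulk_script(users: Dict[str, Dict[str, str]],
                      script: str) -> Dict[str, Dict[str, str]]:
    """Apply 'update' rows to the users dict in place and return it."""
    lines = [ln for ln in script.strip().splitlines() if ln.strip()]
    header = split_bulk_line(lines[0])
    # Columns after "command","user" are attributes; drop the "global." view prefix.
    attrs = [(h or "").replace("global.", "", 1) for h in header[2:]]
    for line in lines[1:]:
        fields = split_bulk_line(line)
        command, uid, values = fields[0], fields[1], fields[2:]
        if command != "update":
            raise ValueError(f"unsupported command {command!r}")
        user = users[uid]
        for attr, value in zip(attrs, values):
            if value is SKIP:
                continue              # ,, : attribute untouched
            user[attr] = value        # ,"", : attribute cleared; otherwise set
    return users


# Constructed sample users and the script from the post.
USERS = {
    "user01": {"firstname": "locco", "lastname": "creamer", "email": "locco.creamer@example.com"},
    "user02": {"firstname": "nartha", "lastname": "rover", "email": "nartha.rover@example.com"},
}

SCRIPT = '''"command","user","global.firstname","global.lastname","global.email"
"update","user01","rocco","","rocco.mate@example.com"
"update","user02","martha",,"martha.rover@example.com"
'''


def run_example() -> Dict[str, Dict[str, str]]:
    return apply_bulk_script(copy.deepcopy(USERS), SCRIPT)


if __name__ == "__main__":
    for uid, attrs in run_example().items():
        print(uid, attrs)
```

Running it reproduces the result table above: user01's lastname is cleared, user02's lastname stays "rover". If you generate these scripts from a spreadsheet, check how the export writes empty cells, since a tool that quotes every field will turn every intended skip into a clear.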