README revision a0c5554ae15c3bfc8dcd69408c2bbac4af6505fc
0N/A/**
0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
0N/A *
0N/A * Copyright (c) 2014 ForgeRock AS. All rights reserved.
0N/A *
0N/A * The contents of this file are subject to the terms
0N/A * of the Common Development and Distribution License
0N/A * (the License). You may not use this file except in
0N/A * compliance with the License.
0N/A *
0N/A * You can obtain a copy of the License at
0N/A * http://forgerock.org/license/CDDLv1.0.html
0N/A * See the License for the specific language governing
0N/A * permission and limitations under the License.
0N/A *
0N/A * When distributing Covered Code, include this CDDL
0N/A * Header Notice in each file and include the License file
873N/A * at http://forgerock.org/license/CDDLv1.0.html
0N/A * If applicable, add the following below the CDDL Header,
0N/A * with the fields enclosed by brackets [] replaced by
0N/A * your own identifying information:
0N/A * "Portions Copyrighted [year] [name of copyright owner]"
0N/A */
873N/A
0N/ASample 5b - "All-or-Nothing" Synchronization of Two Resources
0N/A-------------------------------------------------------------
0N/A
0N/AThis sample demonstrates flowing data between external resources just as
0N/Ain the regular sample 5 on which it is based. It simulates two directory
0N/Aresources using XML files. It extends sample 5 in that it configures a
0N/Acompensation script that attempts to ensure either all the synchronization
0N/Aor none of the synchronization is performed after making a change to a
0N/Amanaged user.
0N/A
0N/AWhenever a change is made to a managed/user resource, OpenIDM implicitly
0N/Aattempts to synchronize external resources according to the object mapping
0N/Ain sync.json where managed/user is the source. Typically, if the
0N/Asynchronization fails--owing to a policy validation for the target,
0N/Amissing required properties for the target, or simply that the target
0N/Ais unavailable--the synchronization stops, leaving the managed/user
0N/Aresource, and any targets that were synchronized before the failure,
0N/Aupdated. The target that failed, and any targets specified
0N/Ain mappings subsequent to the one that failed are not updated.
0N/AThis situation would usually result in a set of systems that are out of
0N/Async. The only way to re-synchronize them would be a reconciliation operation.
0N/AReconciliations can be expensive with large data sets.
0N/A
0N/AOpenIDM 3.0 enhances synchronization to multiple targets by providing
0N/Asynchronization details to an "onSync" script, after successfully synchronizing
0N/Aall targets or failing one target. This script hook can be used to "revert"
0N/Athe partial change to managed/user and the corresponding external resources
0N/Aper the object mappings.
0N/A
0N/ASample 5b includes a script that demonstrates compensating for a synchronization
0N/Afailure.
0N/A
0N/AFor documentation pertaining to this example see:
0N/Ahttp://openidm.forgerock.org/doc/install-guide/index.html#more-sample5b
0N/A
0N/ATo try the sample, follow these steps.
0N/A
0N/A Steps 1 and 2 are optional, and only necessary if you'd like to receive emailed
0N/A recon summaries.
0N/A
0N/A 1. Copy the samples/misc/external.email.json file into samples/sample5b/conf
0N/A $ cd /path/to/openidm
0N/A $ cp samples/misc/external.email.json samples/sample5b/conf
0N/A
0N/A Edit this file to have your email server SMTP details.
0N/A See http://openidm.forgerock.org/doc/integrators-guide/index.html#chap-mail
0N/A for more information.
0N/A
0N/A 2. Edit samples/sample5b/script/reconStats.js and change these values to your
0N/A own email addresses:
0N/A
0N/A var params = {
0N/A //UPDATE THESE VALUES
0N/A from : "openidm@example.com",
0N/A to : "idmadmin1@example.com",
0N/A cc : "idmadmin2@example.com,idmadmin3@example.com",
0N/A subject : "Recon stats for " + global.mappingName,
0N/A type : "text/html"
0N/A }
0N/A
0N/A 3. Start OpenIDM with the configuration for sample 5b.
0N/A $ cd /path/to/openidm
0N/A $ ./startup.sh -p samples/sample5b
0N/A When you start OpenIDM, it creates data in the new external resource file
0N/A that represents an AD directory, samples/sample5b/data/xml_AD_Data.xml.
0N/A The new file is empty until you run reconciliation.
0N/A
0N/A 4. Run reconciliation.
0N/A $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser"
0N/A {"reconId":"b149f0e3-4bb9-4790-9266-fab2e5c80ec6"}
0N/A
0N/A 5. Check
0N/A $ cat /path/to/openidm/samples/sample5b/data/xml_AD_Data.xml
0N/A <?xml version="1.0" encoding="UTF-8"?>
0N/A <icf:OpenICFContainer xmlns:icf="http://openidm.forgerock.com/xml/ns/public/resource/openicf/resource-schema-1.xsd"
0N/A xmlns:ri="http://openidm.forgerock.com/xml/ns/public/resource/instances/resource-schema-extension"
0N/A xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
0N/A xsi:schemaLocation="http://openidm.forgerock.com/xml/ns/public/resource/instances/resource-schema-extension samples/sample5b/data/resource-schema-extension.xsd http://openidm.forgerock.com/xml/ns/public/resource/openicf/resource-schema-1.xsd samples/sample5b/data/resource-schema-1.xsd">
0N/A <ri:__ACCOUNT__>
0N/A <ri:firstname>Darth</ri:firstname>
0N/A <icf:__DESCRIPTION__/>
0N/A <icf:__GROUPS__/>
0N/A <icf:__UID__>68077c05-32ae-4438-b250-d23be784ea07</icf:__UID__>
0N/A <icf:__NAME__>DDOE1</icf:__NAME__>
0N/A <ri:email>mail1@example.com</ri:email>
0N/A <icf:__PASSWORD__>initial_Passw0rd</icf:__PASSWORD__>
0N/A <icf:__ENABLE__/>
0N/A <ri:lastname>Doe</ri:lastname>
0N/A </ri:__ACCOUNT__>
0N/A </icf:OpenICFContainer>
0N/A
0N/A 6. Create a new user in the source external resource file,
0N/A samples/sample5b/data/xml_LDAP_Data.xml, and run reconciliation again
0N/A to see the result show up in samples/sample5b/data/xml_AD_Data.xml.
0N/A
0N/A 7. Login to the UI at https://localhost:8443/openidmui. You can use
0N/A openidm-admin/openidm-admin for admin access or DDOE1/TestPassw0rd2 for
0N/A non-admin access. Updates to DDOE1 will be synced backed to both XML files.
0N/A
0N/A 8. Now make the LDAP xml file unavailable by renaming it so it is unreadable.
0N/A You may need to have root or sudo access to do this:
0N/A $ mv /path/to/openidm/samples/sample5b/data/xml_LDAP_Data.xml /path/to/openidm/samples/sample5b/data/xml_LDAP_Data.xml.bak
0N/A
0N/A 9. Perform an update to the DDOE1 user. It will be updated in managed/user,
0N/A the synchronization to AD will be successful, but the synchronization to
0N/A LDAP should fail. The compensate.js script will be invoked and will
0N/A attempt to revert the change by performing another update to DDOE1 in
0N/A managed/user, which will, in turn, perform the sync to AD and LDAP.
0N/A On the second time through, the sync will again fail to LDAP, which will
0N/A trigger the compensate.js again. The script this time will recognize
0N/A that the change was originally called from compensation and will abort.
0N/A The original sync error on the first update will be thrown from the
0N/A script and the UI should display an error.
0N/A
0N/A Note that if you are making these updates from the UI, the UI screen does
0N/A not refresh after the failure. It will still show the "pending update"
0N/A that has not taken effect. Go back to the Users tab and start over and
0N/A you will see the old managed/user data has been restored. View the
0N/A xml_AD_Data.xml file and you will see that DDOE1 has also been reverted
0N/A to its condition prior to update.
0N/A
0N/A 10. If you have configured the recon email summary in steps 1 and 2, you
0N/A should have received an email that lists the details for the reconciliation.
0N/A