README revision a7ec807bab8748db44e9d810c37ca48613128066
/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2014 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

Sample 5b - "All-or-Nothing" Synchronization of Two Resources
-------------------------------------------------------------

This sample demonstrates flowing data between external resources just as
in the regular sample 5 on which it is based. It simulates two directory
resources using XML files. It extends sample 5 in that it configures a
compensation script that attempts to ensure that either all of the
synchronization or none of the synchronization is performed after a change
is made to a managed user.

Whenever a change is made to the managed/user resource, OpenIDM implicitly
attempts to synchronize external resources according to the object mappings
in sync.json where managed/user is the source. Typically, if the
synchronization fails--owing to a policy validation failure on the target,
missing required properties for the target, or simply because the target
is unavailable--the synchronization stops, leaving the managed/user
resource updated and any targets synchronized before the one that
failed also updated. The target that failed, and any targets specified
in mappings subsequent to the one that failed, have not been updated.
Normally, you now have a set of systems that are out of sync, and the
only way to re-synchronize them is a reconciliation. Reconciliations can
be expensive with large data sets.

OpenIDM 3.0 enhances synchronization to multiple targets by providing
synchronization details to an "onSync" script after successfully synchronizing
all targets or after failing on one target. This script hook can be used to
"revert" the partial change to managed/user and the corresponding external
resources per the object mappings.

Sample 5b includes a script that demonstrates compensating for a
synchronization failure.

For documentation pertaining to this example see:
http://openidm.forgerock.org/doc/install-guide/index.html#more-sample5b

To try the sample, follow these steps.

 Steps 1 and 2 are optional, and only necessary if you'd like to receive emailed recon summaries.

 1. Copy the samples/misc/external.email.json file into samples/sample5b/conf
    $ cd /path/to/openidm
    $ cp samples/misc/external.email.json samples/sample5b/conf

    Edit this file to contain your email server's SMTP details. See http://openidm.forgerock.org/doc/integrators-guide/index.html#chap-mail for more information.

 2. Edit samples/sample5b/script/reconStats.js and change these values to your own email addresses:

    var params = {
        //UPDATE THESE VALUES
        _from : "openidm@example.com",
        _to : "idmadmin1@example.com",
        _cc : "idmadmin2@example.com,idmadmin3@example.com",
        _subject : "Recon stats for " + global.reconName,
        _type : "text/html"
    }

 3. Start OpenIDM with the configuration for sample 5b.
    $ cd /path/to/openidm
    $ ./startup.sh -p samples/sample5b
    When you start OpenIDM, it creates the new external resource file that
    represents an AD directory, samples/sample5b/data/xml_AD_Data.xml.
    The new file is empty until you run reconciliation.

 4. Run reconciliation.
    $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser"
    {"reconId":"b149f0e3-4bb9-4790-9266-fab2e5c80ec6"}

 5. Check the contents of the AD data file.
    $ cat /path/to/openidm/samples/sample5b/data/xml_AD_Data.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <icf:OpenICFContainer xmlns:icf="http://openidm.forgerock.com/xml/ns/public/resource/openicf/resource-schema-1.xsd"
                          xmlns:ri="http://openidm.forgerock.com/xml/ns/public/resource/instances/resource-schema-extension"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:schemaLocation="http://openidm.forgerock.com/xml/ns/public/resource/instances/resource-schema-extension samples/sample5b/data/resource-schema-extension.xsd http://openidm.forgerock.com/xml/ns/public/resource/openicf/resource-schema-1.xsd samples/sample5b/data/resource-schema-1.xsd">
        <ri:__ACCOUNT__>
            <ri:firstname>Darth</ri:firstname>
            <icf:__DESCRIPTION__/>
            <icf:__GROUPS__/>
            <icf:__UID__>68077c05-32ae-4438-b250-d23be784ea07</icf:__UID__>
            <icf:__NAME__>DDOE1</icf:__NAME__>
            <ri:email>mail1@example.com</ri:email>
            <icf:__PASSWORD__>initial_Passw0rd</icf:__PASSWORD__>
            <icf:__ENABLE__/>
            <ri:lastname>Doe</ri:lastname>
        </ri:__ACCOUNT__>
    </icf:OpenICFContainer>

 6. Create a new user in the source external resource file,
    samples/sample5b/data/xml_LDAP_Data.xml, and run reconciliation again
    to see the result show up in samples/sample5b/data/xml_AD_Data.xml.

 7. Log in to the UI at https://localhost:8443/openidmui. You can use openidm-admin/openidm-admin for admin access or
    DDOE1/TestPassw0rd2 for non-admin access. Updates to DDOE1 will be synced back to both XML files.

 8. Now make the LDAP XML file unavailable by changing its permissions so that it is unreadable. You may need
    root or sudo access to do this:
    $ sudo chmod 000 /path/to/openidm/samples/sample5b/data/xml_LDAP_Data.xml

 9. Perform an update to the DDOE1 user. It will be updated in managed/user, the synchronization to AD will succeed,
    but the synchronization to LDAP should fail. The compensate.js script will be invoked and will attempt to revert
    the change by performing another update to DDOE1 in managed/user, which will, in turn, sync to AD and LDAP.
    On this second pass, the sync to LDAP will fail again, which triggers compensate.js again. This time the script
    recognizes that it was invoked from a compensation update and aborts. The original sync error from the first
    update is thrown from the script and the UI should display an error.

    Note that if you are making these updates from the UI, the UI screen does not refresh after the failure. It will still
    show the "pending update" that has not taken effect. Go back to the Users tab and start over and you will see that the old
    managed/user data has been restored. View the xml_AD_Data.xml file and you will see that DDOE1 has also been reverted
    to its "pre-step-9" condition.
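
    The following is an added, constructed JavaScript model of the step 9 flow and of the onSync mechanism described
    in the introduction; it is not OpenIDM's compensate.js or its onSync API, and every name in it (managed, targets,
    mappings, syncTargets, onSync, updateUser, runStep9) is an assumption. It shows the sync stopping at the first
    failing target, the compensation hook re-applying the old managed/user object once, and the guard that aborts the
    second pass and surfaces the original error.

```javascript
// Constructed model of the sample 5b flow; not OpenIDM's API or its compensate.js.
// All names here are assumptions for illustration.
const managed = { DDOE1: { firstname: "Darth", lastname: "Doe" } }; // stands in for managed/user
const targets = {                                                   // stands in for the two XML files
  AD:   { readable: true, data: { DDOE1: { firstname: "Darth" } } },
  LDAP: { readable: true, data: { DDOE1: { firstname: "Darth" } } },
};
const mappings = ["AD", "LDAP"]; // order in which a managed/user change flows out

// Implicit sync after a managed/user update: targets are processed in mapping order,
// and the sync stops at the first target that fails, leaving earlier targets updated.
function syncTargets(id, user) {
  const details = [];
  for (const name of mappings) {
    const target = targets[name];
    if (!target.readable) {
      details.push({ target: name, success: false });
      return { success: false, details, error: new Error(name + " unavailable") };
    }
    target.data[id] = { firstname: user.firstname };
    details.push({ target: name, success: true });
  }
  return { success: true, details };
}

// Compensation hook, run after every sync: on failure, re-apply the old object once.
// The ctx flag is the loop guard: when the re-applied update itself fails to sync,
// abort instead of compensating again and surface the original error to the caller.
function onSync(id, oldUser, result, ctx) {
  if (result.success) return;
  if (ctx.compensating) throw ctx.originalError;
  updateUser(id, oldUser, { compensating: true, originalError: result.error });
}

// Update managed/user, then run the implicit sync and the compensation hook.
function updateUser(id, newUser, ctx = {}) {
  const oldUser = managed[id];
  managed[id] = newUser;
  onSync(id, oldUser, syncTargets(id, newUser), ctx);
}

// Step 9: make LDAP unreadable, update DDOE1, and report what the stores hold afterwards.
function runStep9() {
  targets.LDAP.readable = false;
  let error = null;
  try {
    updateUser("DDOE1", { firstname: "Anakin", lastname: "Doe" });
  } catch (e) {
    error = e.message;
  }
  return { error, managed: managed.DDOE1.firstname, ad: targets.AD.data.DDOE1.firstname };
}
```

    After runStep9() both managed/user and the AD store are back at "Darth" and the caller sees the original
    "LDAP unavailable" error, which is the all-or-nothing outcome the sample demonstrates.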

 10. If you have configured the recon email summary in steps 1 and 2, you should have received an email
     that lists the details for the reconciliation.
