README revision bf6cd65c9f82497fc6e31697670d42bd65ee0182
/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2014 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

Sample 5b - "All-or-Nothing" Synchronization of Two Resources
-------------------------------------------------------------

This sample demonstrates flowing data between external resources just as
in the regular sample 5 on which it is based. It simulates two directory
resources using XML files. It extends sample 5 in that it configures a
compensation script that attempts to ensure that either all of the
synchronization or none of it is performed after making a change to a
managed user.

Whenever a change is made to the managed/user resource, OpenIDM implicitly
attempts to synchronize external resources according to the object mappings
in sync.json where managed/user is the source. Typically, if the
synchronization fails--owing to a policy validation failure for the target,
missing required properties for the target, or simply that the target
is unavailable--the synchronization stops, leaving the managed/user
resource updated and any targets synchronized before the one that
failed also updated. The target that failed, and any targets specified
in mappings after the one that failed, have not been updated.
Normally, you now have a set of systems that are out of sync, and the
only way to re-synchronize them is a reconciliation. Reconciliations can
be expensive with large data sets.


OpenIDM 3.0 enhances the synchronization to multiple targets by providing
synchronization details to an "onSync" script after successfully synchronizing
all targets or failing one target. This script hook can be used to "revert"
the partial change to managed/user and the corresponding external resources
per the object mappings.

Sample 5b includes a script that demonstrates compensating for a
synchronization failure.

For documentation pertaining to this example see:
http://openidm.forgerock.org/doc/install-guide/index.html#more-sample5b

To try the sample, follow these steps.

Steps 1 and 2 are optional, and only necessary if you'd like to receive emailed recon summaries.

1. Copy the samples/misc/external.email.json file into samples/sample5b/conf:

    $ cd /path/to/openidm
    $ cp samples/misc/external.email.json samples/sample5b/conf

   Edit this file to have your email server SMTP details. See
   http://openidm.forgerock.org/doc/integrators-guide/index.html#chap-mail for more information.

2. Edit samples/sample5b/script/reconStats.js and change these values to your own email addresses:

    var params = {
        //UPDATE THESE VALUES
        _from : "openidm@example.com",
        _to : "idmadmin1@example.com",
        _cc : "idmadmin2@example.com,idmadmin3@example.com",
        _subject : "Recon stats for " + global.reconName,
        _type : "text/html"
    };

3. Start OpenIDM with the configuration for sample 5b.

    $ cd /path/to/openidm
    $ ./startup.sh -p samples/sample5b

   When you start OpenIDM, it creates data in the new external resource
   file that represents an AD directory, samples/sample5b/data/xml_AD_Data.xml.
   The new file is empty until you run reconciliation.

4. Run reconciliation.

    $ curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser"
    {"reconId":"b149f0e3-4bb9-4790-9266-fab2e5c80ec6"}

5. Check the contents of the AD data file.

    $ cat /path/to/openidm/samples/sample5b/data/xml_AD_Data.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <icf:OpenICFContainer xmlns:icf="http://openidm.forgerock.com/xml/ns/public/resource/openicf/resource-schema-1.xsd"
        xmlns:ri="http://openidm.forgerock.com/xml/ns/public/resource/instances/resource-schema-extension"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://openidm.forgerock.com/xml/ns/public/resource/instances/resource-schema-extension samples/sample5b/data/resource-schema-extension.xsd http://openidm.forgerock.com/xml/ns/public/resource/openicf/resource-schema-1.xsd samples/sample5b/data/resource-schema-1.xsd">
        <ri:__ACCOUNT__>
            <ri:firstname>Darth</ri:firstname>
            <icf:__DESCRIPTION__/>
            <icf:__GROUPS__/>
            <icf:__UID__>68077c05-32ae-4438-b250-d23be784ea07</icf:__UID__>
            <icf:__NAME__>DDOE1</icf:__NAME__>
            <ri:email>mail1@example.com</ri:email>
            <icf:__PASSWORD__>initial_Passw0rd</icf:__PASSWORD__>
            <icf:__ENABLE__/>
            <ri:lastname>Doe</ri:lastname>
        </ri:__ACCOUNT__>
    </icf:OpenICFContainer>

6. Create a new user in the source external resource file,
   samples/sample5b/data/xml_LDAP_Data.xml, and run reconciliation again
   to see the result show up in samples/sample5b/data/xml_AD_Data.xml.

7. Log in to the UI at https://localhost:8443/openidmui. You can use openidm-admin/openidm-admin for admin access or
   DDOE1/TestPassw0rd2 for non-admin access. Updates to DDOE1 will be synced back to both XML files.

8. Now make the LDAP XML file unavailable by renaming it so it is unreadable. You may need to have
   root or sudo access to do this:

    $ mv /path/to/openidm/samples/sample5b/data/xml_LDAP_Data.xml /path/to/openidm/samples/sample5b/data/xml_LDAP_Data.xml.bak

9. Perform an update to the DDOE1 user. It will be updated in managed/user, the synchronization to AD will be successful,
   but the synchronization to LDAP should fail. The compensate.js script will be invoked and will attempt to revert
   the change by performing another update to DDOE1 in managed/user, which will, in turn, perform the sync to AD and LDAP.
   On the second time through, the sync will again fail to LDAP, which will trigger compensate.js again. This time the
   script will recognize that it was originally called from compensation and will abort. The original sync error from the
   first update will be thrown from the script, and the UI should display an error.

   Note that if you are making these updates from the UI, the UI screen does not refresh after the failure. It will still
   show the "pending update" that has not taken effect. Go back to the Users tab and start over, and you will see that the old
   managed/user data has been restored. View the xml_AD_Data.xml file and you will see that DDOE1 has also been reverted
   to its "pre-step-9" condition.

10. If you have configured the recon email summary in steps 1 and 2, you should have received an email
    that lists the details for the reconciliation.
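
The compensation flow of step 9 and the "onSync" hook described above, as an added example that is not part of this sample and not OpenIDM's compensate.js: a small in-memory model in JavaScript of ordered synchronization to two targets, a hook that reverts managed/user on the first failure, and the re-entry check that aborts and rethrows the original error when the revert's own sync fails again. Everything in it (makeIdm, runScenario, the `compensating` context flag, the two target maps, the error message text) is a constructed stand-in chosen for this example, not an OpenIDM API or file; the "no hook" variant rethrows the sync error without reverting, which is a modelling choice to make the partially-synced state visible.

```javascript
function clone(o) { return JSON.parse(JSON.stringify(o)); }

// Constructed in-memory stand-in for managed/user plus the two XML-backed
// targets. Nothing here is the OpenIDM API; it only models the ordering and
// failure behaviour the README describes.
function makeIdm(options) {
  const compensate = options.compensate;
  const seed = { _id: 'DDOE1', firstname: 'Darth', lastname: 'Doe', email: 'mail1@example.com' };
  const managedUsers = { DDOE1: clone(seed) };
  const targets = { AD: { DDOE1: clone(seed) }, LDAP: { DDOE1: clone(seed) } };
  const available = { AD: true, LDAP: true }; // step 8 is modelled by setting LDAP to false
  const mappings = ['AD', 'LDAP'];            // order of the managed/user -> target mappings

  // Push the managed object to each target in mapping order and stop at the
  // first failure, so targets earlier in the list have already been updated
  // when a later one fails.
  function syncTargets(user) {
    const syncDetails = [];
    for (const t of mappings) {
      if (!available[t]) {
        return { success: false, syncDetails, failedTarget: t,
                 error: new Error('target ' + t + ' unavailable') };
      }
      targets[t][user._id] = clone(user);
      syncDetails.push({ target: t, action: 'UPDATE' });
    }
    return { success: true, syncDetails };
  }

  // Models the role of compensate.js. `context.compensating` marks the nested
  // update issued while reverting; when that second sync fails too, the hook
  // aborts and rethrows the error from the original update instead of
  // reverting again (which would otherwise loop forever).
  function onSync(syncResults, oldObject, context) {
    if (syncResults.success) return;
    if (!compensate) throw syncResults.error;       // no hook: failure reported, nothing reverted
    if (context.compensating) throw context.originalError;
    // First failure: put managed/user back, which re-runs the sync and so also
    // reverts the targets that had already been updated (AD here).
    update(oldObject._id, oldObject, { compensating: true, originalError: syncResults.error });
  }

  function update(id, newValue, context) {
    const ctx = context || { compensating: false };
    const oldObject = clone(managedUsers[id]);
    managedUsers[id] = clone(newValue);
    onSync(syncTargets(managedUsers[id]), oldObject, ctx);
    return managedUsers[id];
  }

  return { managedUsers, targets, available, update };
}

// Apply a change to DDOE1 and report where it ended up in each store, plus any
// error surfaced to the caller (the UI, in the README's walkthrough).
function runScenario(ldapAvailable, changes, compensate) {
  const idm = makeIdm({ compensate: compensate !== false });
  idm.available.LDAP = ldapAvailable;
  let error = null;
  try {
    idm.update('DDOE1', Object.assign(clone(idm.managedUsers.DDOE1), changes));
  } catch (e) {
    error = e.message;
  }
  return {
    error,
    managed: idm.managedUsers.DDOE1.lastname,
    ad: idm.targets.AD.DDOE1.lastname,
    ldap: idm.targets.LDAP.DDOE1.lastname,
  };
}

console.log('LDAP up:              ', JSON.stringify(runScenario(true, { lastname: 'Vader' })));
console.log('LDAP down, no hook:   ', JSON.stringify(runScenario(false, { lastname: 'Vader' }, false)));
console.log('LDAP down, compensate:', JSON.stringify(runScenario(false, { lastname: 'Vader' })));
```

The three runs show the point of the sample: with LDAP reachable every store ends up with the new value; with LDAP unavailable and no hook, managed/user and AD carry the change while LDAP does not, which is the out-of-sync state that would need a reconciliation; with the hook, the same failure leaves all three stores at the old value and the original error is what the caller sees.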