Avatier

After, I would say, 18 hours, here is where things stand:#

  • HR driver, connected from the SQL Server to Edir
  • AD driver, from Edir to AD
  • Driver from Edir to the SLES box (a certificate issue is currently stopping operation)

How it works:#

  • If a user is added to the Employees table in the Northwind database, the user is created within Edir, provided the user is active.
    • (There is one manual step that could be automated by creating a stored procedure on the DB side.)

Some of the items in the HR driver are worth noting:#

  • Because organizations use many different naming schemes, the user is created in Edir with a name like A100000. This is a fixed-length value (the "1" is the employeeID) and is designed never to change.
  • The driver sets CN as lastNameFirstInitial with the following rules:
    • CN will not exceed 8 characters
    • If the username already exists (a collision), a number is appended to the end, still not exceeding 8 characters
  • The driver then creates the e-mail address as CN@(email-domain)
  • The Employees table has a "reportsTo" field that holds the employeeID of the user's manager; the driver interprets this value and populates the manager attribute in Edir with the FDN of the manager the user reports to.
  • As the Employees table only holds the extension of the "work" phone, the driver prepends a set value to form the full phone number
  • The fax number is set to a fixed value for all employees.
  • The employeeID is transferred into workforceID in Edir
  • The employeeStatus column was added to the Employees table and determines the loginDisabled value within all connected systems.
    • An employee with employeeStatus <> "A" will not be created in Edir
    • If the employeeStatus changes from "A", the user is disabled in all "entitled" connected systems
    • If the employeeStatus changes to "A", the user is enabled in all "entitled" connected systems
  • If a user is deleted from the Employees table, the user is only disabled within the IDV (Identity Vault). This is never expected to happen.
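The naming, manager and status rules above, worked through as an added example in Python. This is not the page's HR driver policy (which would be DirXML Script inside the driver); it models what those rules produce. The e-mail domain, phone prefix, fax number, the vault container ou=people,o=org and the six-digit zero-padding of the A-number are assumptions, and the Employees rows are constructed in the shape of Northwind's table plus the added employeeStatus column.

```python
import re

# Assumed values; the page writes them as placeholders or "a set value".
EMAIL_DOMAIN = "example.com"        # the (email-domain) in CN@(email-domain)
PHONE_PREFIX = "+1 206 555 "        # fixed value prepended to Employees.Extension
FAX_NUMBER = "+1 206 555 0100"      # fixed fax number for all employees
PEOPLE_BASE = "ou=people,o=org"     # assumed Identity Vault container for users
CN_MAX = 8                          # from the page: CN never exceeds 8 characters


def object_name(employee_id):
    """Fixed-length, never-changing object name: 'A' + employeeID left-padded
    with zeros to six digits (assumed width). Left-padding keeps the name unique;
    right-padding, which the page's 'A100000' could be read as, would map
    employeeIDs 1 and 10 to the same name."""
    return "A" + str(employee_id).zfill(6)


def base_cn(last_name, first_name):
    """lastName + first initial, lowercase, letters and digits only, cut to 8."""
    raw = re.sub(r"[^a-z0-9]", "", (last_name + first_name[:1]).lower())
    return raw[:CN_MAX]


def unique_cn(last_name, first_name, taken):
    """Collision rule: append a number, shortening the base so the total
    still never exceeds 8 characters (leverlin -> leverli1 -> leverli2 ...)."""
    cn = base_cn(last_name, first_name)
    if cn not in taken:
        return cn
    n = 1
    while True:
        suffix = str(n)
        candidate = cn[:CN_MAX - len(suffix)] + suffix
        if candidate not in taken:
            return candidate
        n += 1


def manager_fdn(reports_to, employees):
    """reportsTo holds the manager's employeeID; return the manager's FDN,
    or None when the row has no manager or the manager is unknown."""
    if reports_to not in employees:
        return None
    return f"cn={object_name(reports_to)},{PEOPLE_BASE}"


def transform(row, employees, taken):
    """Apply the HR-driver add rules to one Employees row. Returns None when
    the row must not be created (employeeStatus other than 'A')."""
    if row.get("employeeStatus") != "A":
        return None
    cn = unique_cn(row["LastName"], row["FirstName"], taken)
    taken.add(cn)
    return {
        "dn": f"cn={object_name(row['EmployeeID'])},{PEOPLE_BASE}",
        "CN": cn,                                   # extra CN value: the login name
        "Given Name": row["FirstName"],
        "Surname": row["LastName"],
        "Internet EMail Address": f"{cn}@{EMAIL_DOMAIN}",
        "Telephone Number": PHONE_PREFIX + row["Extension"],
        "Facsimile Telephone Number": FAX_NUMBER,
        "workforceID": str(row["EmployeeID"]),
        "manager": manager_fdn(row.get("ReportsTo"), employees),
        "Login Disabled": False,
    }


def login_disabled_for(status):
    """Modify rule: any employeeStatus other than 'A' disables the login in all
    entitled connected systems; a change back to 'A' re-enables it."""
    return status != "A"


# Constructed rows in the shape of Northwind's Employees table plus the added
# employeeStatus column (sample data, not real HR records).
EMPLOYEES = {
    2: {"EmployeeID": 2, "LastName": "Fuller", "FirstName": "Andrew",
        "Extension": "3457", "ReportsTo": None, "employeeStatus": "A"},
    1: {"EmployeeID": 1, "LastName": "Davolio", "FirstName": "Nancy",
        "Extension": "5467", "ReportsTo": 2, "employeeStatus": "A"},
    3: {"EmployeeID": 3, "LastName": "Leverling", "FirstName": "Janet",
        "Extension": "3355", "ReportsTo": 2, "employeeStatus": "A"},
    10: {"EmployeeID": 10, "LastName": "Davolio", "FirstName": "Nora",
         "Extension": "4401", "ReportsTo": 1, "employeeStatus": "A"},
    11: {"EmployeeID": 11, "LastName": "Leverling", "FirstName": "Jan",
         "Extension": "4402", "ReportsTo": 3, "employeeStatus": "T"},
}


def provision_all(employees):
    """Run the add rules over every row in employeeID order; returns dn -> attrs."""
    taken, vault = set(), {}
    for eid in sorted(employees):
        entry = transform(employees[eid], employees, taken)
        if entry is not None:
            vault[entry["dn"]] = entry
    return vault


if __name__ == "__main__":
    for dn, attrs in provision_all(EMPLOYEES).items():
        print(dn, attrs["CN"], attrs["Internet EMail Address"], attrs["manager"])
```

Two things worth checking against a real driver: the collision suffix is only unique within the set of names the driver has already seen, so the policy must query the vault (and AD, where sAMAccountName must also be unique) rather than a local set; and because the object name is derived from employeeID, a re-used employeeID in HR would silently re-attach to an old vault object.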

Linux Deployment#

Any user with Title="IT Services" is automatically entitled to the Linux host.
  • Passwords will be the same as they are in eDirectory.

Some of the items in the AD driver are worth noting:#

  • Entitlements are used to create/delete users in AD. (Currently all active users from HR are entitled.)
  • Only users in the Edir context ou=people are considered
    • Only active employees are synchronized
    • Deactivated users are removed from AD
    • Password changes are currently bidirectional between Edir and AD. (This implies the Linux password is changed when either the Edir or the AD password changes.)
  • Groups created in the Edir context ou=group are created within AD
    • Membership of a synchronized group is synchronized bidirectionally.
  • Appropriate settings are set and maintained in AD for the following user values:
    • sAMAccountName
    • userPrincipalName
    • Firstname
    • LastName

Some of the items in the Linux driver are worth noting:#

When "entitled", the user is created in the /etc/passwd file.
  • Only "entitled" users are added to the Linux host (carLicense=Unix)
  • A password change in Edir sets the password on the Linux host.
  • Group membership of selected groups is maintained on the Linux host.
  • The NxSettings driver automatically creates and sets the following:
    • uidNumber for users
    • primary gid (default set in a variable) on users
    • homeDirectory as /home/username
    • loginShell (set to the default of /bin/bash)
    • gidNumber on groups
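The Linux entitlement and the NxSettings defaults above, as an added Python example (not the page's Linux driver or its NxSettings policy). It applies the Title="IT Services" entitlement, keeps only carLicense=Unix users, allocates uidNumber/gidNumber without colliding with accounts already on the host, and builds the passwd and group records. Starting ids of 1000, a primary-gid default of 100 and the sample users, groups and local files are assumptions; password hashes are not modelled, since the driver sets those when a password syncs from Edir.

```python
# Added example, not the page's Linux driver or its NxSettings policy.
ENTITLED_TITLE = "IT Services"   # from the page: this Title grants the Linux entitlement
ENTITLEMENT_MARK = "Unix"        # from the page: carLicense=Unix marks entitled users
UID_START = 1000                 # assumed first uidNumber NxSettings hands out
GID_START = 1000                 # assumed first gidNumber for synchronized groups
DEFAULT_GID = 100                # assumed value of the primary-gid variable
DEFAULT_SHELL = "/bin/bash"      # from the page


def grant_entitlement(user):
    """Entitlement policy: a user whose Title is 'IT Services' gets carLicense=Unix."""
    if user.get("Title") == ENTITLED_TITLE:
        user["carLicense"] = ENTITLEMENT_MARK
    return user


def is_entitled(user):
    """Only carLicense=Unix users are ever written to the host."""
    return user.get("carLicense") == ENTITLEMENT_MARK


def ids_in_use(lines, field=2):
    """Collect the numeric ids already present in a passwd- or group-format file,
    so allocation never reuses the id of a local account already on the box."""
    used = set()
    for line in lines:
        parts = line.split(":")
        if len(parts) > field and parts[field].isdigit():
            used.add(int(parts[field]))
    return used


def next_free(used, start):
    """Lowest id >= start that is not in use; records it as used."""
    n = start
    while n in used:
        n += 1
    used.add(n)
    return n


def provision(users, groups, existing_passwd=(), existing_group=()):
    """Return (passwd_lines, group_lines) for entitled users and synchronized
    groups. Users and groups are mutated in place, the way NxSettings writes
    uidNumber/gidNumber back to the vault object. Group members that are not
    entitled are dropped, since they never exist on the host."""
    used_uids = ids_in_use(existing_passwd)
    used_gids = ids_in_use(existing_group)
    passwd, present = [], set()
    for u in users:
        grant_entitlement(u)
        if not is_entitled(u):
            continue
        if "uidNumber" not in u:
            u["uidNumber"] = next_free(used_uids, UID_START)
        else:
            used_uids.add(u["uidNumber"])       # vault-assigned id is authoritative
        gid = u.get("gidNumber", DEFAULT_GID)
        present.add(u["CN"])
        passwd.append(f"{u['CN']}:x:{u['uidNumber']}:{gid}:{u['Full Name']}:"
                      f"/home/{u['CN']}:{DEFAULT_SHELL}")
    group = []
    for g in groups:
        if "gidNumber" not in g:
            g["gidNumber"] = next_free(used_gids, GID_START)
        else:
            used_gids.add(g["gidNumber"])
        members = ",".join(m for m in g.get("Member", []) if m in present)
        group.append(f"{g['CN']}:x:{g['gidNumber']}:{members}")
    return passwd, group


# Constructed sample data: vault users under ou=people, one group under
# ou=group, and the host's existing /etc/passwd and /etc/group contents.
USERS = [
    {"CN": "smithj", "Full Name": "John Smith", "Title": "IT Services"},
    {"CN": "jonesa", "Full Name": "Ann Jones", "Title": "Sales Representative"},
    {"CN": "leej", "Full Name": "Jo Lee", "Title": "IT Services", "uidNumber": 2000},
]
GROUPS = [{"CN": "itadmins", "Member": ["smithj", "jonesa", "leej"]}]
LOCAL_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "admin:x:1000:1000:Local Admin:/home/admin:/bin/bash",
]
LOCAL_GROUP = ["root:x:0:", "admin:x:1000:"]


if __name__ == "__main__":
    passwd_lines, group_lines = provision(USERS, GROUPS, LOCAL_PASSWD, LOCAL_GROUP)
    print("\n".join(passwd_lines + group_lines))
```

The local-id check is the part to keep: a vault-allocated uidNumber that happens to equal an existing local account's uid gives the synchronized user that account's files and sudo rules, so uidNumber ranges handed out by NxSettings should sit above anything the hosts already use.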

Complete Documentation#