Today I had a little chat on e-mail with Alex Tcherniakhovski which was about following topic: how to create export only attribute with Extensible MA to set initial password for newly provisioned account? (OK, this wasn't exactly such topic but this is what it was about 🙂 ).
So problem is:
- we are provisioning new account to some system using MIIS 2003 and custom developed agent
- this account has to have some initial password set on the time of creation.
One of possible solution is to expose password as connector space object attribute, and than use MA mechanisms to set this password for an object. This will work, but another problem will arise. We are setting password in a clear way in this case, just by writing \ flowing some value to CS attribute which is representation of user's password. Beside security issues we have a problem that most of systems will hash this value and will give us (if it will show it at all) hashes value during the import. This will result in export-entry-not-reimported warning.
So we are not very secure (as password is exposed in CS), and we have warning on next import – at least two reasons to look for different solution.
Fortunately MIIS 2003 is giving us solution for this 🙂 if we are able to write password management extension for our MA and implement SetPassword in this extension.
Each CS object in out MA will have export only attribute added automatically by MIIS 2003 called export_password. What we need to know is that writing some value in this attribute (from MV extension code on the moment of object provisioning or through flow) will trigger SetPassword method in our password extension. We can leverage this in our scenario to safely set initial password for newly provisioned object.
So .. in our code we have to do something like this:
csentry = ourMA.Connectors.StartNewConnector("type");
csentry.DN = DN;
csentry["uid"].StringValue = someuid;
set some initial values here if needed
csentry["export_password"].StringValue = <some method to generate password or mventry attribute value>;
Looks nice, but … our object doesn't exist and we are just provisioning it. So how SetPassword will be triggered for it? MIIS is smart here and sequence of event in such case will look like this:
- User is being provisioned with MV extension. Password value was set in export_password attribute.
- New user is being exported to connected data source.
- If export in step 2 was successful SetPassword will be triggered just after export, with value of password set in step 1.
As You can see this is perfect (almost) solution for our problem. Why "almost"? Because some systems requires password to be set for user object when it is created in this system – in our case during the export. How we can solve this?
In fact we can use only some kind of workaround – if we are using Extensible MA technology we can generate password for new object in ExportEntry method, and export it for new object without exposing it as a CS object attribute. After successful export this password will be replaced with our password set in step 2 of procedure presented above.
Maybe not the best what we can get, but hey … it works :).
With this good news I'm leaving You here till next meeting with MIIS newbie.