Creating Custom User Management Plug‑ins for iManager Eugene Baron Senior Consultant Novell Consulting eBaron@Novell.com Adam Ruth Senior Software Engineer Aruth@Novell.com Peter Strifas, CNI Senior Directory Engineer Mount Sinai NYU Health Peter.Strifas@msnyuhealth.org

Topics to Be Covered Introduction to iManager and custom plug-in programming Eugene Baron Mt. Sinai business environment and requirements Peter Strifas “WebConsole” custom plug-in demo Adam Ruth Development tools and methodology Questions and answers

iManager iManager is a new browser based directory management framework that was introduced by Novell in September 2001 “WebConsole” is a custom iManager plug-in written by Novell Consulting programmers specifically for MSNYU

iManager vs.ConsoleOne® Higher security (restrict login network address to web server) Ease of development Ease of deployment Low client hardware requirements Can be run from anywhere (including PDA) Task-oriented (not eDirectory™ object-oriented) Can enforce business logic

Disadvantages of iManager Limited out-of-the-box plug-in support (will change soon) Limitations of HTML interface vs. GUI Complements C1 Not designed to completely replace C1

iManager at BrainShare DCB 202—Developing to Novell iManager TUT 131—eDirectory Administration and Management Using iManager

Project Background Mount Sinai NYU Health Novell consulting An organization of six hospitals in New York City famous for expertise in medical research, medical education, and patient care Novell consulting Engaged to assist Mount Sinai in undertaking several phases of a large redesign within their network infrastructure One of the final phases was synchronization of information between three different directories Microsoft Active Directory (for Exchange Users), Oracle, and Novell eDirectory™ (three directories) using Novell DirXML™ technology

Novell Consulting Custom Development (NCCD) NCCD has built a custom browser-based console for Mt. Sinai, called WebConsole WebConsole is based on Novell’s iManage WebConsole allows administrators to add and edit users in eDirectory, while maintaining the strict control of data rules and formatting Mt. Sinai requires

iManager and Mount Sinai

iManager and Mt. Sinai DirXML project overview Data formatting rules (business logic) eDirectory Tree layouts iManager (WebConsole plug-in) users and requirements Create User process Modify User process 1)  iManager and Mount Sinai Before I get into the customization that Novell Consulting was able to put into iManager for us I’d like to describe for you the underlying infrastructure, the business rules and the iManager users. After that I believe a good demo of the actual implementation will be much easier to understand and Adam will be able to explain it from the coding side. During my turn, we’ll look at our DirXML project because this will give you that 50,000 ft overview of what we’re trying to accomplish. The business logic aspect – using the iManager to enforce data formatting as well as mandating data. A brief overview of our eDirectory tree layout which will give you a better understanding of some of the components of the customization. The next topic will be iManager user groups within MTSINAI and their requirements – how we worked to define both items and create a workable solution. And lastly we’ll move to Adam and a live demo of it all.

DirXML Project Overview = INF-TREE Servers, ZENworks® objects, etc. = WORKFORCE-TREE Authoritative for Mt. Sinai users = APPSERVICES-TREE NDS2NDS driver JDBC driver Active Directory driver Authoritative for e-mail address PIMS Authoritative for NYU School of Medicine Here is a simple graphic of our DirXML connectors. As you can see, the Workforce tree sits at the center acting as a “hub” for user data. The INF tree is our LAN/WAN environment with ZfD, NDS4NT and traditional network services. The AppServices tree supports our new enterprise portal solutions. Active Directory supports our Exchange2000 deployment while the Oracle database is a stand-alone system used within our organization for additional user data – primarily telephone and address info as well as other user data. Already we can see some how this basic design can impose requirements.

DirXML Project Overview (cont.) In order to create the central user and group object repository for all synchronized directories, the new (third) eDirectory tree—a workforce tree—was created Flat tree containing users, groups, and template objects only Workforce (WKF) tree will act as smart metadirectory Central source for all information consolidated from other directories and applications All user administration will originate from the WKF tree All modifications will be synchronized to the main NOS infrastructure (INF) tree The template objects in the WKF tree serve a simple purpose – they do not work in the normal fashion where a user is created and during that process is passed through the template absorbing certain attributes. In our case, the template objects in the WKF tree provide us a necessary attribute (the TemplateDN) that we use in conjunction with DirXML to place the user in the INF tree. Remember, we’re going from flat to hierarchical structure..

Enforcing Data Formatting Rules DirXML project has placed strict requirements on the data rules and formatting Novell utilities, ConsoleOne, and NWAdmin do not provide the kind of controls nor create the kind of consistent data that Mt. Sinai requires. Mt. Sinai was interested in a browser-based console that will allow administrators to add and edit users in eDirectory, that will meet the needs of DirXML for the “clean data” Mt. Sinai would like to enforce rules upon user objects that cannot be enforced through generic administration tools, such as ConsoleOne and NWAdmin Not only do the current Novell utilities not provide control, they are very difficult to modify/customize. Additionally both utilities allow an unencumbered view into NDS. While one can leverage NDS to maintain security over the data stored in the directory, you could not keep for example the Help Desk from view all objects within a container or spending too much time doing anything but the task at hand. Additionally we were very interested into moving to a browser-based utility that could leverage simple web technologies such as data validation and formatting.

Infrastructure Tree This is a visio drawing of our INF tree – as you can see its very hierarchical and complex.

Workforce Tree This is our WKF tree

WebConsole Users and Requirements Help desk Limited modification capabilities Troubleshooting information Security administration Create users Modify user data Expire/unexpire users*

Help Desk Requirements Make modifications to user attributes as required Help Desk can modify the following attributes: Contact phone number Primary affiliation Site group assignments Clear intruder lockout Edit grace logins remaining

Help Desk Requirements (cont.) Reset a user’s password Click RESET PASSWORD button In the pop-up window, change user’s password Check user’s environment settings Click ENVIRONMENT button In the pop-up window, view user data from INF tree

Help Desk Requirements (cont.) Help Desk can view the following information for verification purposes: First Name, Middle Initial, Last Name Title Last 4 digits of SSN (i.e., xxx-xx-1232) Remote Access and Web Application Group assignments

Security Administration Requirements SecAdmin can modify the following attributes: First Name, Middle Initial, Last Name Title E-mail Address Cost Center Mail Host SSN Contact Phone Number Life Number Dictation Code KerberosID Primary Affiliation Site, Remote Access and Web App Groups Account Locked Status Grace Logins Remaining

Security Administration (cont.) Reset a user’s password Click RESET PASSWORD button In the pop-up window, change user’s password Check user’s environment settings Click ENVIRONMENT button In the pop-up window, user data from INF tree appears

Security Administration Manager Expire a user’s account, click the EXPIRE button User Account is DISABLED/EXPIRED in WKF User account moved from ACTIVE container to INACTIVE container The move triggers DirXML Deletes the User account in APP tree DirXML disables the User account and removes the DirXML association in INF tree

Create User Process Identify the following information: User site Template (department) User type Group assignments Remote access and web app request User data

WebConsole Demonstration

Development Tools and Methodology eDirectory (NetWare®/Windows) Tomcat (WebLogic) Java Development Kit (JDK) 1.3.1 IntelliJ IDEA XP (eXtreme Programming)