How to move a computer object (DN) using SPML

I'm new to using the SPML provider and wondering how to move a computer object from one OU to another.

For example, I tried the XML below to move the computer1 object, which is under test1ou.test.com, to test2ou.test.com, but it is not working properly.

----------------------

[move.xml]

<?xml version="1.0"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
        <spml:modifyRequest xmlns:spml="urn:oasis:names:tc:SPML:2:0">
                <spml:psoID ID="CN=computer1,OU=test1ou,DC=test,DC=com"/>
                <spml:modification>
                        <modification name="edsvaParentDN" operation="replace" xmlns="urn:oasis:names:tc:DSML:2:0:core">
                                <value>"OU=test2ou,DC=test,DC=com"</value>
                        </modification>
                </spml:modification>
        </spml:modifyRequest>
</soap:Body>
</soap:Envelope>

----------------------

Below is the response I got.

I can see an "Access denied" message, but I can move the object from the ActiveRoles Console GUI and am 100% sure I have the right permission.

---------------------

$ curl -k --header "Content-Type: text/xml;charset=UTF-8" --data @move.xml https://arsserver/ARServerSPML/SPMLProvider.asmx -u 'DOMAIN\test:test'

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="schemas.xmlsoap.org/.../" xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<modifyResponse status="failure" xmlns="urn:oasis:names:tc:SPML:2:0">
<error>unsupportedOperation</error>
<errorMessage>Access is denied.</errorMessage>
</modifyResponse>
</soap:Body>
</soap:Envelope>

---------------------

  • Hi,

    Does anyone have any idea on this?

    Thanks,

    Naotaka Wada
  • Waking the dead!

    As there is no answer to the question as posed … a simpler one, then.

    Can you trigger an object move between AD OUs based on modification of any attribute, native or virtual, in SOAP/ARS SPML?

  • Hi Dyannic(/Naotaka)

    In response to the original question, try something like the below:

    I couldn't paste the SPML request in the code block below, so just add it between $Body = @" and "@

    Clear-Host
    $Cred = Get-Credential -Message "Enter your username and password"
    $SPMLURL = "https://arsserver/ARServerSPML/SPMLProvider.asmx"   # provider URL as used in the question

    # PowerShell here-string: opens with @" and must close with "@ at the start of a line.
    # The <?xml ...?> declaration must be the very first characters of the body, so keep it flush left when pasting.
    # Replace ###Object DN### and ###Destination OU DN### with the real DNs (no extra quotes inside <value>).
    # Namespace URIs were truncated in the post: xsi/xsd restored from the question, soap12 is the standard SOAP 1.2 envelope namespace.
    $Body = @"
    <?xml version="1.0" encoding="utf-8"?>
    <soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
    <soap12:Body>
    <spml:modifyRequest xmlns:spml="urn:oasis:names:tc:SPML:2:0">
    <spml:psoID ID="###Object DN###" />
    <spml:modification>
    <modification name="edsvaParentDN" operation="replace" xmlns="urn:oasis:names:tc:DSML:2:0:core">
    <value>###Destination OU DN###</value>
    </modification>
    </spml:modification>
    </spml:modifyRequest>
    </soap12:Body>
    </soap12:Envelope>
    "@

    # Invoke-RestMethod returns the SOAP response as an XmlDocument; navigate it like any [xml] object
    [xml]$Response = Invoke-RestMethod -Uri $SPMLURL -Credential $Cred -Body $Body -Method Post -ContentType 'application/soap+xml; charset=utf-8'

    If ($Response.Envelope.Body.modifyResponse.status -ne "success")
    {
        Write-Host "FAILURE" -ForegroundColor Red
        Write-Host "`t$($Response.Envelope.Body.modifyResponse.error)" -ForegroundColor Red
        Write-Host "`t$($Response.Envelope.Body.modifyResponse.errorMessage)"
    }
    Else
    {
        Write-Host "SUCCESS" -ForegroundColor Green
    }

    And to move an object by a change to a property: yes, this can be done. You'd just need a workflow within Active Roles which is triggered on the appropriate change to an object, and know where the object needs to be moved to.

  • OK, back to this. Dumb question, beyond my skill set. I've created a VA, not stored in the DB, on the 'Computer' object to temporarily hold the destination DN.

    I have a workflow set up to trigger the 'move' operation on detection of a value in the target object's properties update.

    How would I test that the destination OU stored in that virtual attribute exists in the directory?

    ... assuming an update to the destination OU attribute of the move operation, using the value updated in the virtual attribute, would be the logical (poorly stated) route?

    I was refreshing my mind about setting up a workflow initialization script to do this piece, but … I failed amazingly well.

    An update to edsva_MyPrecious triggers the workflow.

    [workflow initialization script]

    $toOU = $Request.Get("edsva_MyPrecious")   # read the destination OU DN from the VA ($Request.Get returns the attribute value)

    if ([adsi]::Exists("LDAP://$toOU")) { return $true }   # the LDAP path must be passed as a quoted string

    <magic>

    if success, move activity started with destination equal to $toOU …

  • I thought this link would transport me where I needed to go - but it's one more dead link … tease!

    https://www.oneidentity.com/community/active-roles/w/wiki/102/user-management-move

  • If you look in the SDK, there's a method for changing the parent container of an operation if you search for "Altering the parent container of the operation target object"

    So:

    $Request.ChangeParentDN($MyNewOU)

    ...you can do this in a workflow script activity.

    Hope this is what you are after.

  • I'll test. If the net result is the object moved from Windows2012Servers\SpecialOU3 to Windows2019Servers\SpecialOU3 based on the value in $myNewOU, then it would be precisely what I was attempting to over-complicate.

  • One other thing you should do is "tell" AR the "new" location of the object. I know this sounds strange, but if you only force the new parent container into the $Request, I have found that (sometimes?) AR will "lose track" of the object and throw an error.

    So as a mitigation, I always add this after the above:

    $Request.PutOutControl($Constants.EDS_CONTROL_OBJECT_DN, $Constants.EDSTYPE_DN_STRING, $MyNewOU )

  • I found that too. Oddly, calling it simply with the value stored in the temporary VA, it ended up storing the object DN as "CN=workstationename," which isn't what was posted in the temp VA: "ou=winservers\servers2019\specialityOU".

    Stretching that out to include the formula above to test.

  • Actually, I believe I misspoke above. The value that you need to send to the control is the FULL new DN of the object.
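Pulling the pieces of this thread together, here is an added example (not code from the thread, and not One Identity's own sample code) of a workflow Script activity function for the "move on VA update" design: it reads the destination OU from the virtual attribute, refuses destinations outside an allow-list, checks that the OU exists, calls $Request.ChangeParentDN with the OU DN, and then passes the object's FULL new DN in the EDS_CONTROL_OBJECT_DN out-control, as the last reply corrected. Assumptions: the VA name edsva_MyPrecious and the two $Request calls are taken from the thread; $Request.Get() and $Request.DN are assumed to be the standard Active Roles request accessors (they are not shown on the page); the allowed base OUs are hypothetical values. The allow-list matters because the VA is writable by anyone who can edit the computer object, so without it that person can move the computer into any OU, including ones with different GPOs or delegation.

```powershell
# Added example: a Script activity function for the "move on VA update" workflow.
# Not code from the thread or from One Identity's SDK; assumptions are marked below.

# Return the RDN of a DN (e.g. "CN=computer1" from "CN=computer1,OU=a,DC=test,DC=com"),
# keeping backslash-escaped commas inside the RDN intact.
function Get-Rdn {
    param([string]$Dn)
    $rdn = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Dn.Length; $i++) {
        $c = $Dn[$i]
        if ($c -eq '\' -and ($i + 1) -lt $Dn.Length) {   # keep the escape and the escaped char
            [void]$rdn.Append($c).Append($Dn[$i + 1]); $i++; continue
        }
        if ($c -eq ',') { break }
        [void]$rdn.Append($c)
    }
    return $rdn.ToString()
}

# Full DN the object will have after the move: its RDN under the new parent.
function Get-NewDn {
    param([string]$ObjectDn, [string]$TargetOuDn)
    return ('{0},{1}' -f (Get-Rdn $ObjectDn), $TargetOuDn)
}

# Hypothetical policy: only accept destinations at or under these bases.
$AllowedBases = @('OU=WinServers,DC=test,DC=com', 'OU=Workstations,DC=test,DC=com')

function Test-AllowedTarget {
    param([string]$TargetOuDn)
    foreach ($base in $AllowedBases) {
        if ($TargetOuDn -eq $base -or $TargetOuDn.ToLower().EndsWith(",$base".ToLower())) {
            return $true
        }
    }
    return $false
}

# Select this function in the workflow's Script activity (the VA update is the trigger).
function Move-ComputerFromVirtualAttribute {
    # Assumption: $Request.Get() reads the attribute value carried by the request.
    $toOU = [string]$Request.Get('edsva_MyPrecious')
    if ([string]::IsNullOrEmpty($toOU)) { return }          # VA cleared: nothing to do

    if (-not (Test-AllowedTarget $toOU)) {
        throw "Refusing to move $($Request.DN): '$toOU' is outside the allowed OU bases"
    }
    if (-not [adsi]::Exists("LDAP://$toOU")) {               # destination OU must exist
        throw "Destination OU '$toOU' does not exist"
    }

    # Assumption: $Request.DN is the current DN of the target object.
    $newDn = Get-NewDn -ObjectDn $Request.DN -TargetOuDn $toOU

    # The parent container is the OU DN; the out-control needs the object's FULL new DN.
    $Request.ChangeParentDN($toOU)
    $Request.PutOutControl($Constants.EDS_CONTROL_OBJECT_DN, $Constants.EDSTYPE_DN_STRING, $newDn)
}
```

The `throw` calls fail the request with a readable message rather than silently leaving the object where it is; if your workflow instead clears the VA after a successful move, keep the empty-value early return so the clearing update does not trigger a second move.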