Friday, October 21, 2011

Reference membership of a set in FIM Portal

Sometimes you may want a group or set in the FIM Portal to be calculated from the membership of another group or set.

Unfortunately, the source can't be a group, so stop there if that is what you need. But if the source is a set, you're OK. The great thing about sets is that they can hold both criteria-based and manually added members. Once you have that membership in a group, export the group to AD. Now you have a solution: a group with criteria-based and manual members that can be administered entirely from the FIM Portal.


At this point create your target group (or set), go to the Members tab and do the following:


Choosing ResourceID 'in' <source set> does the trick.

Of course you could always go back to the XPath filter, something like this: /Person[ObjectID = /Set[DisplayName = 'sourceSet']/ComputedMember], but why bother when you can use the GUI.
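If you do fall back to XPath, it is worth checking what the filter actually resolves to before a group built on it gets exported to AD. The PowerShell below is an added example, not part of the original post: it runs the same filter through the FIMAutomation snap-in's Export-FIMConfig cmdlet and lists the matching people. The service URI and the set name are placeholders for your own environment.

```powershell
# Added example: list the members a FIM set filter resolves to, so the
# group's criteria can be checked before the group is exported to AD.
# Assumes the FIMAutomation snap-in (installed with the FIM Service) and an
# account permitted to read Person objects. URI and set name are placeholders.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

$fimUri    = 'http://localhost:5725/ResourceManagementService'   # placeholder
$sourceSet = 'sourceSet'                                          # set DisplayName used in the post

# Same filter as in the post: people whose ObjectID appears in the set's ComputedMember.
# ComputedMember covers both criteria-based and manually added members of a set.
$filter = "/Person[ObjectID = /Set[DisplayName = '$sourceSet']/ComputedMember]"

function Get-FimAttributeValue {
    # Pull one named attribute out of an ExportObject returned by Export-FIMConfig
    param($ExportObject, [string]$AttributeName)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $AttributeName }
    if ($attr) { $attr.Value }
}

# -OnlyBaseResources returns just the matching objects, not everything they reference
$members = @(Export-FIMConfig -Uri $fimUri -OnlyBaseResources -CustomConfig $filter)

$members | ForEach-Object {
    [pscustomobject]@{
        DisplayName = Get-FimAttributeValue $_ 'DisplayName'
        AccountName = Get-FimAttributeValue $_ 'AccountName'
        ObjectID    = $_.ResourceManagementObject.ObjectIdentifier
    }
} | Sort-Object DisplayName | Format-Table -AutoSize

"Filter resolved {0} member(s) of set '{1}'" -f $members.Count, $sourceSet
```

An empty result usually means the set's DisplayName is misspelled or the account running the query has no read permission on Person objects; the XPath itself is the same text the Portal builds when you pick ResourceID 'in' <source set>.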

Thursday, October 20, 2011

How to export AD LDS schema

Working for a client I needed to stand up an LDAP client and create a new class and attributes. It was about 35 new attributes, and it takes a while when you have to do each one manually. Now it's time to move it to QA. There ain't a whole lot out there for exporting LDAP schema, and of course the old LDIFDE was giving me grief. So after more searching I stumbled on a TechNet article and there it was.

It's already installed if you set up AD LDS. Look in \windows\ADAM for ADSchemaAnalyzer. I think its purpose is to compare different schemas, but it also exports them to LDIF – Sweet!

First 'load target schema', then 'load base schema'. I don't know why; I didn't have time to find out. Then walk the tree and you'll see all the object classes and attributes. If you created an object class and new attributes just for that object, select only the new object class and its attributes will come along automatically.


Now click Create LDIF file and away you go. Very awesome!
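Once ADSchemaAnalyzer has written the LDIF, the file still has to be imported into the QA instance. This PowerShell is an added example, not from the original post or from the tool: it previews what the LDIF will add, imports it with ldifde (which ships with AD LDS), and then checks that a class is now present in the QA schema. The server and port, the file path and the class name are placeholders for your own environment.

```powershell
# Added example: import an ADSchemaAnalyzer LDIF into a QA AD LDS instance
# and confirm the new class landed. Server:port, file path and class name are
# placeholders; ldifde.exe is assumed to be on the PATH (it installs with AD LDS).
$ldifPath = 'C:\schema\newclass.ldf'   # placeholder: file from "Create LDIF file"
$qaServer = 'qa-adlds01:50000'         # placeholder: QA instance host:port
$newClass = 'myNewClass'               # placeholder: lDAPDisplayName of the exported class

# Preview: every entry the file will create and how (no change is made yet)
Select-String -Path $ldifPath -Pattern '^(dn|changetype):' | ForEach-Object { $_.Line }

# ADSchemaAnalyzer writes the schema container as CN=Schema,CN=Configuration,DC=X.
# -c rewrites that placeholder to the instance's real schema naming context (read from RootDSE),
# -k continues past "already exists" so a re-run does not abort half way,
# -j puts ldif.log / ldif.err next to the input file for review.
ldifde -i -f $ldifPath -s $qaServer -k -j (Split-Path $ldifPath) `
       -c "CN=Schema,CN=Configuration,DC=X" "#schemaNamingContext"
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE; see ldif.err" }

function Test-AdLdsSchemaClass {
    # Returns $true if a classSchema with this lDAPDisplayName exists on the instance
    param([string]$Server, [string]$ClassLdapName)
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $schemaNc = $rootDse.schemaNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$schemaNc"
    $searcher.Filter     = "(&(objectClass=classSchema)(lDAPDisplayName=$ClassLdapName))"
    $null -ne $searcher.FindOne()
}

if (Test-AdLdsSchemaClass -Server $qaServer -ClassLdapName $newClass) {
    "Class $newClass is present in the QA schema"
} else {
    throw "Class $newClass not found after import; check ldif.err"
}
```

ldifde uses the credentials of the logged-on user unless you pass -b, and schema changes need an account in the instance's Administrators role, so run this from a session that already has those rights rather than storing a password in the script.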

Wednesday, September 7, 2011

Hmm. Windows Live Writer


So I'm trying out this new program called Windows Live Writer. I guess the idea is to use this little application, which will then upload the content to the blog site??

Recently went to visit an old fraternity buddy of mine. Haven't seen (or heard from) him in 19 years. Wow, time really flies. Luckily he found me on LinkedIn. It was great visiting with him.

Monday, August 29, 2011


I'm sure most of you by now have had the chance to see how great the FIM Portal is. I remember when I first saw it; I couldn't believe how slick the interface looked. I thought, what a great place for a User Directory! How many times have clients asked for an interface that offered the ability to view employees, and even a place where employees can update some of their own information.

To this day, I still feel this is one of the best selling points for the FIM Portal. However, clients are always looking to customize those pages and offer up attributes that aren't available out of the box. FIM does let you extend the schema and then add those attributes to the pages, or RCDCs, so the new attributes come through. Good stuff, until you actually see what it takes to edit an RCDC. As the song goes, 'Could make a grown man cry...'

The way an RCDC looks and behaves is all defined in an XML file; an ugly, unforgiving and complicated file. After you play around with it for a while, you might finally figure out how it works. Unfortunately all it takes is a single typo and FIM barfs: it refuses to render the page and offers no explanation as to why it doesn't like what you did. Then it's a matter of going back over and over and over just to figure out what you did wrong. I've spent hours working on these, making small changes each time to make sure it still works. It consumes a lot of time, especially if you're a consultant and it starts burning too many hours on the project. You wonder what Microsoft was thinking when they put FIM together and fell short on an easy way to manipulate these pages! Microsoft, usually the king of wizard-driven configuration and WYSIWYG GUIs.

Recently I discovered a tool that does just that! It's a WYSIWYG tool that lets you manipulate RCDCs by dragging attributes around the page and onto other tabs. In addition, it offers easy-to-use wizards to add new attributes or tabs, or change the properties of existing attributes. After exporting the full FIM configuration, you load it into the tool, called RCDC Editor, and it reads the RCDC configuration and renders the page just as the FIM Portal would.

Now you can move things around any way you wish. Once you're finished, you save the project and it creates the XML file to be imported back into FIM. Run iisreset and that's it, you're done! Imagine sitting there with your client and deciding together exactly what they'd like to see in the FIM Portal.

All the controls that are available in FIM are available through the RCDC Editor: TextBox, Label, Check Box, Radio Button, etc. When adding new controls, the creators have tried to guide you in the right direction by pre-populating the properties you will probably want; this makes the tool that much easier to use and reduces the risk that the RCDC won't render. For example, let's say you created a new user attribute in the FIM database called 'User Laptop #'. In the RCDC Editor you click Add New Control and are offered a list of attributes that aren't currently used in the RCDC. You find 'User Laptop #', click it, then decide what sort of control you want. Whether it's a TextBox or a MultiValue Control, etc., it immediately populates the control with what you would typically want: the Caption set to User Laptop #, and the Control Value bound to that actual attribute in the FIM database.

That being said, it does have an advanced option that lets you change any control property you want. At that point you're on your own as to whether it'll work or not; the tool will let you enter any sort of information or gibberish.

Check it out, you can find it on You can download and play around with it, but until you buy a license, you can't save any of your work.

One final trick up this tool's sleeve is the Resultant Rights Evaluator. This is a nifty way of querying FIM to see who will, and will not, have rights to certain RCDC attributes. You want to know who can see or modify attributes in the RCDC: you define the requestor and the target and it returns whether that requestor can Create, Delete, Modify or Read each one, so it's very granular. I'll talk more about this piece of the tool next time.

Friday, August 26, 2011

OpenLDAP and password sync

I was recently at a client's site, and they wanted to flow passwords from AD to their OpenLDAP directory.

Went out to SourceForge and downloaded their latest OpenLDAP XMA, which can be found here: Very impressed with its packaging; just run the MSI installer and it puts everything where it needs to be. It even includes some handy user guides. For the most part you configure according to the guides and it works. Except if you want to do password sync. Instead you get a warning 6901: The password extension does not implement the entry point.

This post explains what you need to do to get the password sync functionality working. After cruising around I finally found an entry in the SourceForge forum where Randy Weimer mentions an error with password sync for which he had to add some missing code. But that was May 2010 (over a year ago); surely this has been fixed. Still, it smelled the same, and unfortunately it is the same issue. So here's what you have to do.

1. Download the code from SourceForge, which is not an intuitive task. Luckily Carol explains it nicely here: It seems that when she wrote her post there was no nice MSI installer like there is now, but you can still figure out how to get the latest code: read the Get the Right Source Code section.

I did the rest on my laptop (without FIM installed).

2. Open the solution OpenLDAPXMA.sln in Visual Studio and open PasswordExtension.cs. Search for the following phrase:

ConnectionSecurityLevel GetConnectionSecurityLevel

You'll find the function does nothing but throw, so comment out the throw statement and add a return statement within the function like this:

return ConnectionSecurityLevel.Secure;

See below for Randy's entry and the code.

3. Add the missing reference.
Since I was using my laptop, I needed to copy the Microsoft.MetadirectoryServicesEx.dll file from the FIM server over to my laptop. You can find it in the ..\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Assemblies\ folder.
Then add it as a reference and build the whole solution. The output, by the way, is just one file called OpenLDAPXMA.dll. There is no separate password DLL as the user guide mentions.

4. Put the newly compiled DLL in the \extensions\ folder and that's it. All should work.

If by chance you don't want to go through all this, just contact me at my hotmail account (pjalaff).

I want to give full credit to Carol Wapshere, who has saved me more times than I want to admit, and to Randy Weimer, who figured out this bug. If anything, this post just puts both pieces together.

Randy's original post:

Sunday, April 17, 2011

Troubleshooting EREs and provisioning

Just a quick note. I was having some problems with codeless provisioning and couldn't figure it out: the ERE was pending, it was being imported, and the user object was referenced. Searching through the internet, I found this little gem. Finally I figured out my FIM MA was the culprit. The AIF for the ERE attribute was missing from the user object. Added it back in and voilà, all is well.