With UMRA, solutions can be created for the delegation of one or more
user management tasks. Forms & Delegation includes two separate applications,
the UMRA Console and UMRA
Forms. In this document, it is assumed that you already have basic
knowledge of working with UMRA. If this is not the case, please make yourself
familiar first with the UMRA basics.
The UMRA Console is used by
systems administrator to build an interface for the end user and to add
and configure built-in script actions for the delegation project. The
interface is created using forms which can be fully customized with your
own titles, text fields, user input fields, buttons, tables, graphics,
etc. Once the form project has been properly set up, the delegate user
can run it in the UMRA Forms application to perform a specific user management
task. The underlying scripting intelligence is neither accessible nor
visible for the delegate user.
Selecting data using form tables
In a form, the administrator can also add form tables. Form tables are
used to display user resource data from Active Direcory and other information
systems.
LDAP table showing users
in Active Directory as part of a Reset Password delegation form
In the UMRA Console, the administrator specifies which script actions
should be run on the selected table entries. The execution of these script
actions can be assigned to a button (e.g. "Reset Password").
In UMRA, a wide variety of script actions is included to create, manage
and delete Active Directory objects. Finally, the administrator also specifies
who has priviliges to run the project.
In the following two figures, the use of a form table is shown in more
detail. As part of a delegation project to reset passwords, an LDAP table
is inserted in the form window to retrieve all users in a specific organizational
unit in Active Directory using the query
(&(objectClass=user)(!(objectClass=computer)))
with a binding to LDAP://OU=<NameOU>,
DC=MyDomain, DC=local.
Defining an LDAP query for an
LDAP table
This query retrieves all objects of the "user" object class
in the OU "<NameOU>". Computer accounts are exempted from
the results. In the resulting form table, a user can be selected for whom
the password needs to be reset. The script action Edit
User logon takes the user input to reset the password for the selected
user and is executed when the button Reset
Password is clicked. In the lower screen of the figure below, the
resulting form for the delegate user is shown.
Reset password delegation
project. The result of the LDAP query is displayed in the LDAP table (shown
here with a red marquee)
In a project form, several table types are available which are shown
in the table below:
Table type
Subtype
Description
Network table
Used to obtain the user accounts of an OU,
global group, domain or single computer using an NT network call
Fixed table
Used to display a list of fixed content in
a table (e.g. a list of department names)
Generic table
LDAP
Used to show the results of an LDAP query
in a table
Generic table
Database
Used to show the results of a database query
in a table
A network table is used for Windows NT 4 environments and can be of
one of the following network data types:
User accounts of an OU,
User accounts of a global group,
User accounts of a domain
User accounts of a single computer.
Network
table type
Scope
Arguments
Columns
OU
User accounts of one or more OUs (including
child OUs)
<Domain>/<OU>/<OU> or LDAP
name of the object.
Common name
Description
Username
Display name
Domain
OrganizationalUnit
Object distinguished name
Global group
User accounts that are a member of one or
more groups
<Domain>\<GlobalGroup> or <DomainController\<GlobalGroup>
Full name
Description
Username
Global group
Domain
Domain
User accounts in a domain
Domain name (NETBIOS or DNS format)
Full name
Description
Username
Domain
Single computer
User accounts that are maintained on a computer
(not necessarily a domain controller).
Computer name (NETBIOS or DNS format)
Full name
Description
Username
Computer
Domain
Type
Specifying the network data type only determines the scope of the network
calls to be executed by UMRA and the columns that can be shown for the
corresponding network data table. To determine the data that must be collected,
you must specify the actual parameters or arguments that are used to collect
the network data. These are different for each network data type (see
the table below).
The columns can be assigned to a variable. When a delegate user selects
an entry in the resulting network table, the name of the variable and
the corresponding value will be passed to the UMRA service. See the section
Processing user input for more information.
Fixed table
The content of this table is either entered directly in UMRA or taken
from a flat text file. It is used to to present the end user with specific
fixed content in a form, such as a division, department, OU, domain etc.
The characteristics of a fixed table are that the information is not derived
from Active Directory, that it only contains 1 column and that it always
has the same contents.
Simple fixed table (list
of entries)
Generic table - LDAP query
This powerful generic table type allows you to query Active Directory
and show the results in a form table. To run a (complex) LDAP search,
the following information should be specified:
LDAP binding
- the scope of the LDAP search;
LDAP filter
- the objects you wish to filter on;
Attributes
- the attributes you wish to retrieve for these objects. These components
will be individually discussed.
LDAP binding
Starting with Windows 2000, the LDAP provider is used to access Active
Directory. This binding method requires a binding string, which can be
defined in three different ways in UMRA:
Binding method
Description
Global Catalog
The global catalog is a searchable master
index containing directory data of all domains in a forest. It contains
an entry for every object in the forest, but it does not include all properties
of each object. The Global Catalog is used to improve the response time
of LDAP searches. The properties included in the Global Catalog are generally
useful for searches and are considered static.
Active Directory root
This option will bind to the Active Directory
root of a domain controller. The Active Directory contains all the network
information for the forest. This binding method is suitable for retrieving
dynamic properties.
Binding string
You can also enter a binding string yourself.
This binding string is the AdsPath of an object in Active Directory, consisting
of the LDAP provider moniker (LDAP://) appended to the Distinguished Name
of the object. The Distinguished Name specifies both the name and the
location of an object in the Active Directory hierarchy.
LDAP filter
An LDAP search filter can be defined as a clause specifying the conditions
that must be met by Active Directory objects. Only those objects meeting
the requirements are returned.
A condition takes the form of of a conditional statement, such as "(cn=TestUser)".
Each condition must be enclosed in parenthesis. In general, a condition
includes an attribute and a value, separated by an operator.
Conditions can be combined using the following operators (note that
the operators "<" and ">" are not supported).
Operator
Description
=
Equal to
~=
Approximately equal to
<=
Less than or equal to
>=
Greater than or equal to
&
AND
|
OR
!
NOT
Conditions can also be nested using parenthesis. Furthermore, you can
use the "*" wildcard character in the search filter.
An example of an LDAP filter is shown in the figure below :
This filter, used to obtain disabled user objects, includes 3 conditions,
which should all be met (indicated by the AND ("&") operator).
The userAccountControl attribute
in this example needs some further explanation. This is a so called bitmask
attribute, a single attribute containing numerous property values for
controlling user account behaviour. A bitmask attribute can be evaluated
using an LDAP matching rule using the following syntax:
attributename:ruleOID:=value
where attributename is the
LDAPDisplayName of the attribute, ruleOID
is the object ID (OID) for the matching rule control, and value is the
decimal value you want to use for comparison. In the example above, the
string "1.2.840.113556.1.4.803=2" represents an LDAP matching
rule for disabled user accounts.
Attributes
Each object in Active Directory has a set of attributes, defined by
and depending on its type and class. Using the LDAP
filter you have filtered on some objects representing single entities
(users, computers, printers, applications, etc.) and their attributes.
In the Attributes tab you can
define the LDAP display name for
the attributes you wish to return for the filtered objects. In the example
shown below, the attributes Name,
Description and sAMAccountName
are specified as the attributes to be returned.
The final result of an LDAP search is displayed in a generic table (see
figure below). In the same way, you can retrieve user accounts in a specific
OU, show a list of groups, etc.
To process selected table entries, the column holding the attribute
values can be assigned to a variable and used as input for a script action.
For more information, see section Processing
user input.
Generic table - Database query
IIn a large enterprise environment, not all user resource data are stored
in Active Directory. Other information systems, an HR system or a phone
system for example, may also hold user related information. In an UMRA
project form, a generic table can be inserted to display information from
these systems. As part of the table setup, the administrator needs to
specify the database to connect to, as well as a database query to define
which data should be retrieved and shown in the table.
The generic table for databases can be used to connect to any database
or information system. MS Access databases can be accessed directly through
the Jet engine. Other databases (SQL, ERP, HR systems, PeopleSoft, etc.)
can be accessed through OLE DB. The number of available OLE DB providers
will depend on your local configuration (see figure below).
List of available OLE
DB database connections
The option to connect to other databases is an extremely powerful feature
in UMRA, since it allows you to combine Active Directory with user data
from a wide range of other information systems. Figures 9 and 10 show
an example where a generic form table is configured to connect to an HR
system (SQL server). When the connection settings have been specified
correctly, the message "Test connection succeeded" will be displayed
when you click the Test Connection button.
Setting up a SQL database
connection
When the connection data have been specified, a binding string is created
to connect to the database.
Binding string to connect
to the database
Once the connection has been properly set up, a SQL query can be created.
In the example below, a SQL query has been specified to retrieve names
of employees, locations and phone numbers for the IT department from the
EmployeePhone table:
SELECT
Employee, Department, Location, Phone FROM EmployeePhone WHERE Department='IT'.
Specifying the database
query
In the figure below, the result of this database query is shown. The
query has returned the data in the columns Employee, Department, Location
and Phone for all rows where Department is equal to "IT".
Result of a database
query is shown in an UMRA form
