Active Roles 7.3.3 - SPML Provider Administration Guide

Web Server requirements

Windows Server 2008 R2

On a Windows Server 2008 R2 based computer, ensure that the Web Server (IIS) server role with the following role services is installed:

  • Web Server/Common HTTP Features/
    • Static Content
    • Default Document
    • HTTP Errors
    • HTTP Redirection
  • Web Server/Application Development/
    • ASP.NET
    • .NET Extensibility
    • ASP
    • ISAPI Extensions
    • ISAPI Filters
  • Web Server/Security/
    • Basic Authentication
    • Windows Authentication
    • Request Filtering
  • Management Tools/IIS 6 Management Compatibility/
    • IIS 6 Metabase Compatibility

Use Server Manager to add the required role, role services, and features.

Windows Server 2012

On a Windows Server 2012 or Windows Server 2012 R2 based computer, ensure that the Web Server (IIS) server role is installed, including:

  • Web Server/Common HTTP Features/
    • Default Document
    • HTTP Errors
    • Static Content
    • HTTP Redirection
  • Web Server/Security/
    • Request Filtering
    • Basic Authentication
    • Windows Authentication
  • Web Server/Application Development/
    • .NET Extensibility 4.6
    • ASP
    • ASP.NET 4.6
    • ISAPI Extensions
    • ISAPI Filters
  • Management Tools/IIS 6 Management Compatibility/
    • IIS 6 Metabase Compatibility

Windows Server 2016

On a Windows Server 2016 based computer, ensure that the Web Server (IIS) server role is installed, including:

  • Web Server/Common HTTP Features/
    • Default Document
    • HTTP Errors
    • Static Content
    • HTTP Redirection
  • Web Server/Security/
    • Request Filtering
    • Basic Authentication
    • Windows Authentication
  • Web Server/Application Development/
    • .NET Extensibility 4.6
    • ASP
    • ASP.NET 4.6
    • ISAPI Extensions
    • ISAPI Filters
  • Management Tools/IIS 6 Management Compatibility/
    • IIS 6 Metabase Compatibility

Use Server Manager to add the required role, role services, and features.

Feature Delegation

Configure Internet Information Services (IIS) to provide Read/Write delegation for the following features:

  • Handler Mappings
  • Modules

Use Feature Delegation in Internet Information Services (IIS) Manager to verify that these features have delegation set to Read/Write.

Installing SPML Provider

Installing Active Roles SPML Provider

To install Active Roles SPML Provider

  1. Log on to the computer on which you want to install Active Roles SPML Provider.
  2. Navigate to the network location of the Active Roles SPML Provider installation files.
  3. Start the Active Roles SPML Provider Installation Wizard by double-clicking Setup.exe.
  4. On the Welcome page, click Next.
  5. On the License Agreement page, click I accept the license agreement, and then click Next.
  6. On the User Information page, enter the required user information, and then click Next.
  7. On the Select Features page, optionally, click Browse to specify a new installation folder. Click Next.
  8. On the Access to Active Directory page, specify how you want SPML Provider to access Active Directory. The following options are available:
    • Access through Active Roles (local Administration Service): SPML Provider accesses Active Directory through the Active Roles Administration Service running on the computer where you install SPML Provider.
    • Access through Active Roles (specified Administration Service): SPML Provider accesses Active Directory through the Active Roles Administration Service on a different network computer. Type the fully qualified domain name of that computer in the Administration Service on text box.
    • Direct access (local domain controller): SPML Provider directly accesses Active Directory using the domain controller running on the computer where you install SPML Provider.
    • Direct access (specified domain controller): SPML Provider directly accesses Active Directory using a domain controller running on a different network computer. Type the name of that domain controller in the Domain controller name text box.
  9. On the Ready to Install the Application page, click Next to begin installation.
  10. Click Finish to complete the installation.

The SPML Provider Installation Wizard creates a virtual directory under Default Web Site, with the name of the virtual directory set to ARServerSPML. This enables clients to access SPML Provider by using the following URL: http://<HostName>/ARServerSPML/SPMLProvider.asmx.

NOTE: The Installation Wizard installs SPML Provider and several sample HTML pages that demonstrate various SPML v2 operations.

Configuring Active Roles SPML Provider

Configuration settings allow the administrator to configure SPML Provider and its schema in order to adjust the SPML Provider behavior. Administrators can, for example, specify the required managed objects and attributes in the schema, or choose the type of execution (disabling or deprovisioning objects) for the Suspend operation.

Configuration settings in SPML.Config

The SPML Provider configuration settings can be found in the SPML.Config file located in the Web sub-folder of the SPML Provider installation folder. The SPML.Config file contains data in the XML format. You can open and edit the configuration file with a common text editor such as Notepad.

NOTE: After you modify configuration settings, the IIS application pool for the SPML Provider Web site must be restarted in order for the changes to take effect.

The following table describes the XML elements used in the SPML Provider configuration file.

 

Table 1: XML elements used in the SPML Provider configuration file

| Element | Parent element | Description |
|---|---|---|
| service | configuration | In proxy mode, specifies the name of the computer running the Active Roles Administration Service. In direct access mode, specifies the name of the AD domain controller or AD LDS server. The name of the AD LDS server must be in the form <servername:portnumber>. |
| adsiProvider | configuration | Specifies the progID of the ADSI Provider. In proxy mode, the progID is EDMS. In direct access mode, the progID is LDAP. |
| schemaFile | configuration | Contains the name of the file that defines the DSML Profile schema for SPML Provider. By default, the file name is SPMLSchema.Config. The schema file must be located in the same folder as the SPML.Config file. |
| defaultMaxSelect | search | Specifies the maximum number of search results that SPML Provider can return without page splitting. The default value is 1000. |
| pageSize | search | Specifies the maximum number of search results per page. The default value is 25. NOTE: If pageSize is set to 0, SPML Provider returns search results without page splitting. |
| class | password | Contains the LDAP display name of the schema class of objects on which SPML Provider is expected to perform the Password Capability-related operations such as setPassword and expirePassword. |
| class | suspend | Contains the LDAP display name of the schema class of objects on which SPML Provider is expected to perform the Suspend Capability-related operations such as suspend, resume, and active. |
| suspendAction | suspend | Possible values: disable or deprovision. The default value is disable. If suspendAction is set to disable, SPML Provider disables the specified user account on the target. If suspendAction is set to deprovision, SPML Provider deprovisions the specified user account in accordance with the deprovisioning policies defined by Active Roles. |
| checkOutput | configuration | Possible values: true or false. The default value is false. true causes SPML Provider to check the string attribute values retrieved from the underlying directory before adding them to a response. If an attribute value contains illegal characters that could break the XML parser on the client side, SPML Provider converts the attribute value to the base64binary format and then adds the result of the conversion to the response. Note that this option may result in performance degradation of SPML Provider as checking every attribute value is a resource-intensive operation. false causes SPML Provider not to check the string attribute values retrieved from the underlying directory. An attribute value is added to the response without any conversion even if the value contains illegal characters. |

NOTE: In accordance with the XML specification, the legal character range is as follows: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]. With checkOutput set to true, SPML Provider ensures that attribute values in a response contain only characters from the legal character range.
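
The checkOutput behavior described above, as an added example in Python (not code from SPML Provider or this guide): it tests values against the legal character range from the note and shows that a client XML parser rejects an unconverted value but accepts the base64 form. The response element names, the encoding="base64" marker, and UTF-8 as the byte encoding are assumptions made for illustration; the sample values are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Anything outside the XML 1.0 legal character range quoted in the note.
ILLEGAL_XML_CHAR = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

def is_xml_safe(value):
    """True if every character of value is in the legal range."""
    return ILLEGAL_XML_CHAR.search(value) is None

def encode_value(value, check_output):
    """Return (text, is_base64) following the checkOutput description.

    Assumption: bytes are UTF-8 before base64; the page does not say.
    """
    if check_output and not is_xml_safe(value):
        return base64.b64encode(value.encode("utf-8")).decode("ascii"), True
    return value, False

def build_response(attrs, check_output):
    """Serialize attributes into a hypothetical response document."""
    parts = []
    for name, value in attrs.items():
        text, is_b64 = encode_value(value, check_output)
        marker = ' encoding="base64"' if is_b64 else ""  # assumed marker
        parts.append(f"<attr name={quoteattr(name)}{marker}>{escape(text)}</attr>")
    return "<response>" + "".join(parts) + "</response>"

def client_can_parse(xml_text):
    """Model the client side: does a conforming XML parser accept it?"""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

# Constructed sample: the description holds a vertical tab (#xB), which is
# outside the legal range.
SAMPLE = {"cn": "Alice Example", "description": "badge\x0bscan"}

if __name__ == "__main__":
    for setting in (False, True):
        doc = build_response(SAMPLE, setting)
        print(f"checkOutput={setting}: parses={client_can_parse(doc)}")
```

A client that consumes responses produced with checkOutput set to true has to decode the converted values before using them.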