Prevent matched users in ou from associating

"Interesting" one

IDM 473 , AD driver 4.1.2 

Trying to figure out a way to "veto" the association of certain users in a buried OU 

\domain\ou1\ou2\user1 should match normally, but domain\ou1\ou2\ou3\user2 should not. I have a gcv with the non-syncing ou, and the ou is visible in the match, but that "@src-dn" attached to the success, do-find-matching-object is inaccessible. I'm sure I'm not the first one to run into this, but I've been trying different matches, and/or examining the destination dn without success.

Thanks in Advance


  • The association is set without the means to intercept. All you can do is a filter on DirXML-Associations and policy to remove. Or something similar. When your matching finds the object it will associate.

    Best regards
    Michiel Los
  • The other thing you can do is pre-filter in the ETP.

    So implement your own query to see if the user is contained in one of the OUs that can’t be matched against. Then tag (or veto) the event so that it never runs the do matching policy at all in this scenario.
  • Verified Answer

    Can you post a level 3 trace of the matching policy for this case?

    After do-find-matching-object you should be able to do a resolve association to get the DN of the AD account that matched:

    <do-set-local-variable name="destDN" scope="policy">
      <arg-string>
        <!-- resolve the association written by the match to the DN of the AD account -->
        <token-resolve datastore="dest">
          <arg-association>
            <token-association/>
          </arg-association>
        </token-resolve>
      </arg-string>
    </do-set-local-variable>


  • That was what I was looking for, thanks! I had forgotten that the association is written as soon as the match completes. So I did this in the CTP along with some manipulation to find the parent ou and act on it.



    <do-set-local-variable name="var-query" scope="policy">
      <arg-node-set>
        <!-- start="-2" length="1": the RDN just above the leaf, i.e. the parent OU of the matched account -->
        <token-parse-dn dest-dn-format="slash" length="1" src-dn-format="dest-dn" start="-2">
          <token-resolve datastore="dest">
            <arg-association>
              <token-association/>
            </arg-association>
          </token-resolve>
        </token-parse-dn>
      </arg-node-set>
    </do-set-local-variable>
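The two fragments above (resolve the association, then parse out the parent OU) put together into one complete Subscriber Command Transformation rule, as an added example that is not code posted in this thread. It assumes a GCV named exclude-ou holding the name of the AD OU whose accounts must never be associated (the thread only says "a gcv with the non syncing ou"; the name is an assumption), and it undoes the match by removing the association the engine has already written and then vetoing the event, which is the "policy to remove" approach mentioned in the first reply.

```xml
<!-- Added example, not from the thread. Subscriber channel, Command Transformation.
     Assumption: GCV "exclude-ou" holds the name of the OU to keep out of the sync. -->
<policy>
  <rule>
    <description>Undo a match against an AD account in the excluded OU</description>
    <conditions>
      <and>
        <!-- matching only runs on add events for not-yet-associated objects -->
        <if-operation mode="nocase" op="equal">add</if-operation>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <!-- true here because do-find-matching-object already wrote the association -->
        <if-association op="associated"/>
      </and>
    </conditions>
    <actions>
      <!-- Resolve the association to the DN of the matched AD account. -->
      <do-set-local-variable name="destDN" scope="policy">
        <arg-string>
          <token-resolve datastore="dest">
            <arg-association>
              <token-association/>
            </arg-association>
          </token-resolve>
        </arg-string>
      </do-set-local-variable>
      <!-- start="-2" length="1" picks the RDN just above the leaf: the parent OU. -->
      <do-set-local-variable name="parentOU" scope="policy">
        <arg-string>
          <token-parse-dn dest-dn-format="slash" length="1" src-dn-format="dest-dn" start="-2">
            <token-local-variable name="destDN"/>
          </token-parse-dn>
        </arg-string>
      </do-set-local-variable>
      <do-if>
        <arg-conditions>
          <and>
            <!-- ~exclude-ou~ is GCV substitution; the GCV name is assumed -->
            <if-local-variable mode="nocase" name="parentOU" op="equal">~exclude-ou~</if-local-variable>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-trace-message level="1">
            <arg-string>
              <token-text xml:space="preserve">Match in excluded OU, removing association: </token-text>
              <token-local-variable name="destDN"/>
            </arg-string>
          </do-trace-message>
          <!-- Remove the association the match just wrote, then stop the event
               so no add or modify for this object reaches AD. -->
          <do-remove-association>
            <arg-association>
              <token-association/>
            </arg-association>
          </do-remove-association>
          <do-veto/>
        </arg-actions>
      </do-if>
    </actions>
  </rule>
</policy>
```

The comparison is against the single parent RDN, as in the posted parse-dn; if the excluded OU name could also appear elsewhere in the tree, compare a longer slice of the DN (a larger length with the same negative start) against a GCV that holds the full container path instead.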