Multi-valued Internet email address on AD account creation

IDM structure

Live tree - eDir to eDir driver - IDM tree - MAD driver - AD Domain

We have recently added first.last@ as our preferred email address, but still publish username@, and we are now having issues when new accounts are created in eDirectory: they are not being created in AD due to the multiple values in the Internet email address attribute (Constraint Violation on the mail attribute).

If an account is manually created in eDirectory (providing username, given name, surname and password) all works fine. If I manually create the account in eDirectory, omitting the given name, then add the given name after the email attribute is populated, the account won't be created in AD, thus recreating the issue.

We use jrbimprt for the creation of accounts in eDirectory, which does not seem to provide the given name at the time of the account creation. The eDir-eDir driver logs show repeated vetoes due to the given name missing; by the time the given name is populated, so is the Internet email address attribute (by GroupWise). Thus the account that is created in the IDM tree has the multiple values in the email attribute, so the MAD driver kicks up the constraint violation error.

Unfortunately, our jrb guy is no longer with the organization, so we are not sure if there is an argument that we can use so that jrbimprt will set the given name on initial creation.  Currently we are manually ignoring Internet Email Addresses in the MAD filter, migrating the accounts, setting Internet Email Addresses back to synchronize in the filter and migrating the accounts again.

Is there a way that I can have IDM ignore the Internet email address on an Add event, and trigger a sync after the account is created in AD?

Thanks

  • Verified Answer

    I would probably create a rule to remove the username@ email address in the MAD driver so there is only one email value.  It looks like you may need to use xpath to remove just one value.  It looks like this has an example removing one value: https://community.microfocus.com/cyberres/idm/w/identity_mgr_tips/16495/xpath-examples

    This might do what you want: ldapwiki.com/.../DirXML Code Snippets

  • You can do this with XPATH or with tokens...

    if op attr Internet EMail Address is changing, then for-each over Op Attr Internet EMail Address

       Inside, use XPATH to substring-before($current-node,"@") and check if it equals source name. 

          If so, strip by XPATH $current-node

    Then only the Username@email.com will be stripped.

  • Thanks, the link got me going in the right direction.  The code as is did not work, as when starting the driver I got messages that do-strip-op-attr and do-for-each cannot be within do-set-local-variable; however, I just moved those two sections ahead of the do-set-local-variable and that worked, in my test environment.

    I have a change window for Thursday to implement it in Live.  Below is the xml policy that I have working in test.

    <policy>
    	<rule>
    		<description>Only one email address</description>
    		<conditions>
    			<and>
    				<if-operation op="equal">add</if-operation>
    				<if-op-attr name="Internet EMail Address" op="available"/>
    			</and>
    		</conditions>
    		<actions>
    			<do-strip-op-attr name="Internet EMail Address"/>
    			<do-clear-dest-attr-value name="Internet EMail Address"/>
    			<do-for-each>
    				<arg-node-set>
    					<token-xpath expression="$eMailAddresses[1]"/>
    				</arg-node-set>
    				<arg-actions>
    					<do-add-dest-attr-value name="Internet EMail Address">
    						<arg-value>
    							<token-local-variable name="current-node"/>
    						</arg-value>
    					</do-add-dest-attr-value>
    				</arg-actions>
    			</do-for-each>
    			<do-set-local-variable name="eMailAddresses">
    				<arg-node-set>
    					<token-op-attr name="Internet EMail Address"/>
    				</arg-node-set>
    			</do-set-local-variable>
    		</actions>
    	</rule>
    </policy>

  • Your Set Local variable for eMailAddresses is at the end, and should be at the beginning.  You need to set it before you Strip it out of the op-doc.

    Also, would it make more sense to use the Source Attribute, and read the first value?  Or do you want to use the last one, in which case, maybe XPATH of $eMailAddresses[last()] from either Source Attribute or Op Attr. 

    (Also, it is most likely that Op Attr Internet EMail Address changing would only have one value. Rare to see a single event adding two values... Possible, but unlikely.)

  • Following Geoffrey's suggestion above, I would try a rule like this one:

    <rule>
    	<description>Only one email address</description>
    	<conditions>
    		<and>
    			<if-operation op="equal">add</if-operation>
    			<if-op-attr name="Internet EMail Address" op="available"/>
    		</and>
    	</conditions>
    	<actions>
    		<do-for-each>
    			<arg-node-set>
    				<token-op-attr name="Internet EMail Address"/>
    			</arg-node-set>
    			<arg-actions>
    				<do-if>
    					<arg-conditions>
    						<and>
    							<if-local-variable mode="nocase" name="current-node" op="equal">[username]@domain.com</if-local-variable>
    						</and>
    					</arg-conditions>
    					<arg-actions>
    						<do-strip-xpath expression="$current-node"/>
    					</arg-actions>
    					<arg-actions/>
    				</do-if>
    			</arg-actions>
    		</do-for-each>
    	</actions>
    </rule>

    You would need to replace the [username]@domain.com with a variable for the email address you don't want to keep.
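    The following rule puts together the for-each / substring-before approach described in the earlier reply and supplies the variable the reply above says must replace [username]@domain.com. It is an added example, not code from this thread or from the product, intended for the MAD driver's Subscriber channel; it assumes the legacy address's local part equals the eDirectory object name (token-src-name) and compares it case-insensitively, so any domain after the @ is handled.

```xml
<policy>
  <rule>
    <description>Keep only first.last@ on AD add (added example)</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-op-attr name="Internet EMail Address" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- Assumption: the legacy address is source-name@domain, so its local part equals the object name. -->
      <do-set-local-variable name="uname" scope="policy">
        <arg-string>
          <token-src-name/>
        </arg-string>
      </do-set-local-variable>
      <do-for-each>
        <arg-node-set>
          <token-op-attr name="Internet EMail Address"/>
        </arg-node-set>
        <arg-actions>
          <do-set-local-variable name="local-part" scope="policy">
            <arg-string>
              <token-xpath expression="substring-before($current-node, '@')"/>
            </arg-string>
          </do-set-local-variable>
          <do-if>
            <arg-conditions>
              <and>
                <!-- nocase: the published address may differ in case from the CN -->
                <if-local-variable mode="nocase" name="local-part" op="equal">$uname$</if-local-variable>
              </and>
            </arg-conditions>
            <arg-actions>
              <do-trace-message level="2">
                <arg-string>
                  <token-text xml:space="preserve">Stripping legacy address on add: </token-text>
                  <token-local-variable name="current-node"/>
                </arg-string>
              </do-trace-message>
              <do-strip-xpath expression="$current-node"/>
            </arg-actions>
          </do-if>
        </arg-actions>
      </do-for-each>
    </actions>
  </rule>
</policy>
```

    Run it through Designer's policy simulator with an add document carrying both addresses to confirm only the first.last@ value survives before the change window.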

  • Which value (first or last) doesn't matter, as once the account is created in AD, the follow up modify message will put the correct value in mail and proxyAddress. In reality, I may even be able to just strip out the email attribute completely (on the add event) and have a follow up modify event publish the email.

    We are seeing this on every account creation (with an email account) performed by our account automation, which is using jrbimprt, since our preferred email address was changed a couple weeks ago.