This is a tip for Novell Identity Manager, and the Active Directory driver.

I ran across this while working in a test lab system, where there had been a typo made when the configuration was set up and the User Principal Name, UPN Name (Nice and redundant, like RAM Memory etc) and the value was incorrect. It turns out that Identity Manager when sending the event on a User create, can specify pretty much any value for User Principal Name. Even if it is incorrect and Active Directory will actually accept it. It is not clear to me of all the consequences of this error, but it is pretty clear it needs to be fixed.

As long as I needed to fix it, I decided I would use DirXML Script to write a sort of toolkit rule to change any attribute I might need changed, based on information already on the User. As it happens I had an immediate second use in mind, the client want to change the usernames for login (ultimately the SAM Account Name value) for all the users from their eDirectory CN to their eDirectory workforceID.). So I had a second case I could use it for right away.

I did what any true blue IDM'er would do, I brute forced it. Do a query for all objects in the tree (eDirectory Vault that is, since it is the faster directory, usually) and return the target users. Then inside a loop through each user, query the destination for their Association value, based on their DN in the eDirectory vault. (Using the Resolve token).

Now query Active Directory for the destination value, and if it matches my error case only, (since I wanted to be very careful and only modify users with this specific typo. It is possible they might have other values that I do not want to touch) then change it to the new correct values.

Try via Policy to modify userPrincipalName and DirXML-ADAliasName (aka sAMAccountName) and nothing happens.

On the remote loader trace this is what the event looks like.

DirXML: [08/13/08 11:30:28.04]: <nds dtdversion="3.5" ndsversion="8.x">
	<source>
		<product version="3.5.11.20080307 ">DirXML</product>
		<contact>Novell, Inc.</contact>
	</source>
	<input>
		<modify dest-dn="CN=Stephen Rose,OU=Fac,OU=21ST,DC=Test,DC=domain" event-id="ACMESMSLES10FS1#20080813155024#1#1">
			<modify-attr attr-name="userPrincipalName">
				<remove-all-values/>
				<add-value>
					<value>srose@test.domain</value>
				</add-value>
			</modify-attr>
			<modify-attr attr-name="sAMAccountName">
				<remove-all-values/>
				<add-value>
					<value>E123456</value>
				</add-value>
			</modify-attr>
		</modify>
	</input>
</nds>
DirXML: [08/13/08 11:30:28.04]: ADDriver: parse command
  className    
  destDN       CN=Stephen Rose,OU=Fac,OU=21ST,DC=Test,DC=domain
  eventId      ACMESMSLES10FS1#20080813155024#1#1
  association  
DirXML: [08/13/08 11:30:28.04]: ADDriver: parse modify class = 
DirXML: [08/13/08 11:30:28.04]: Loader: subscriptionShim->execute() returned:
DirXML: [08/13/08 11:30:28.04]: Loader: XML Document:
DirXML: [08/13/08 11:30:28.04]: <nds ndsversion="8.7" dtdversion="1.1">
	<source>
		<product version="3.5.1" asn1id="" build="20070823_095000" instance="\ACME-LAB\LAB\SERVICES\IDVAULT\Active Directory">AD</product>
		<contact>Novell, Inc.</contact>
	</source>
	<output>
		<status level="success" event-id="ACMESMSLES10FS1#20080813155024#1#1"/>
	</output>
</nds>
DirXML: [08/13/08 11:30:28.04]: 
DirXML Log Event -------------------
    Driver  = \ACME-LAB\LAB\SERVICES\IDVAULT\Active Directory
    Thread  = Subscriber Channel
    Object  = CN=Stephen Rose,OU=Fac,OU=21ST,DC=Test,DC=domain
    Level   = success
	
	

Then I figured, I know this can be done, something I am doing is wrong, so lets see what happens when the engine does the work for us. So I set the filter/map to sync sAMAccountName (DirXML-ADAliasName) and then tried to change the DirXML-ADAliasNameit in eDirectory. Here is the event. You can see the difference:

DirXML: [08/13/08 11:36:07.01]: Loader: Calling subscriptionShim->execute()
DirXML: [08/13/08 11:36:07.01]: Loader: XML Document:
DirXML: [08/13/08 11:36:07.01]: <nds dtdversion="3.5" ndsversion="8.x">
	<source>
		<product version="3.5.11.20080307 ">DirXML</product>
		<contact>Novell, Inc.</contact>
	</source>
	<input>
		<modify cached-time="20080813155636.361Z" class-name="user" event-id="ACMESMSLES10FS1#20080813155636#1#1" qualified-src-dn="O=LAB\OU=EMPLOYEES\OU=ACTIVE\CN=srose" src-dn="\ACME-LAB\LAB\EMPLOYEES\ACTIVE\srose" src-entry-id="61351" timestamp="1218642996#2">
			<association state="associated">94dc623e966669488b0738034e89efb6</association>
			<modify-attr attr-name="sAMAccountName">
				<remove-value>
					<value timestamp="1218642876#2" type="string">E123478</value>
				</remove-value>
				<add-value>
					<value timestamp="1218642996#2" type="string">E123456</value>
				</add-value>
			</modify-attr>
		</modify>
	</input>
</nds>
DirXML: [08/13/08 11:36:07.01]: ADDriver: parse command

  className    user
  destDN       
  eventId      ACMESMSLES10FS1#20080813155636#1#1
  association  94dc623e966669488b0738034e89efb6
DirXML: [08/13/08 11:36:07.01]: ADDriver: parse modify class = user
DirXML: [08/13/08 11:36:07.01]: ADDriver:   association
DirXML: [08/13/08 11:36:07.03]: ADDriver:     94dc623e966669488b0738034e89efb6
DirXML: [08/13/08 11:36:07.03]: ADDriver:   modify-attr
DirXML: [08/13/08 11:36:07.03]: ADDriver:     remove-value
DirXML: [08/13/08 11:36:07.03]: ADDriver:       value
DirXML: [08/13/08 11:36:07.03]: ADDriver:         e123478
DirXML: [08/13/08 11:36:07.03]: ADDriver:     add-value
DirXML: [08/13/08 11:36:07.03]: ADDriver:       value
DirXML: [08/13/08 11:36:07.04]: ADDriver:         E123456
DirXML: [08/13/08 11:36:07.04]: ADDriver: Connect using ldap_bind: user=idmuser, domain=test, password=***, method=negotiate, server=10.1.1.1, sign=yes, seal=yes ssl=no
DirXML: [08/13/08 11:36:07.04]: ADDriver: ldap_bind connection succeeded
DirXML: [08/13/08 11:36:07.06]: ADDriver: ldap_modify user CN=Stephen Rose,OU=Fac,OU=21ST,DC=Test,DC=domain
LDAPMod operations:
replace attribute sAMAccountName
>> EA12654
DirXML: [08/13/08 11:36:07.09]: Loader: subscriptionShim->execute() returned:
DirXML: [08/13/08 11:36:07.09]: Loader: XML Document:
DirXML: [08/13/08 11:36:07.09]: <nds ndsversion="8.7" dtdversion="1.1">
	<source>
		<product version="3.5.1" asn1id="" build="20070823_095000" instance="\ACME-LAB\LAB\SERVICES\IDVAULT\Active Directory">AD</product>
		<contact>Novell, Inc.</contact>
	</source>
	<output>
		<status level="success" event-id="ACMESMSLES10FS1#20080813155636#1#1"/>
	</output>
</nds>
DirXML: [08/13/08 11:36:07.09]: 
DirXML Log Event -------------------
    Driver  = \ACME-LAB\LAB\SERVICES\IDVAULT\Active Directory
    Thread  = Subscriber Channel
    Object  = \ACME-LAB\LAB\EMPLOYEES\ACTIVE\srose
    Level   = success
	
	

If you compare the modify event nodes, it becomes obvious. Here is my first attempt:

<modify dest-dn="CN=Stephen Rose,OU=Fac,OU=21ST,DC=Test,DC=domain" event-id="ACMESMSLES10FS1#20080813155024#1#1">

Then here is the engine generated event:

<modify cached-time="20080813155636.361Z" class-name="user" event-id="ACMESMSLES10FS1#20080813155636#1#1" qualified-src-dn="O=LAB\OU=EMPLOYEES\OU=ACTIVE\CN=srose" src-dn="\ACME-LAB\LAB\EMPLOYEES\ACTIVE\srose" src-entry-id="61351" timestamp="1218642996#2">

Some of the attributes inside the node are kind of unnecessary to compare, like event-id, cached-time, since they are system generated, and don't really matter. But there is definitely one extra attribute, class-name="user", which you would NOT expect to be needed!

If you look at the trace, in the first case, the shim trace shows:

DirXML: [08/13/08 11:30:28.04]: ADDriver: parse modify class = 

and then not much happens. If you look at the successful modify case in the trace, that same line looks a little different:

DirXML: [08/13/08 11:36:07.01]: ADDriver: parse modify class = user

There is that extra "user" at the end. Of course, then something actually happens instead of nothing much.

Thus it looks like it needs the object class specified. However why question these things? The set destination attribute token takes an object class, add it in, and tada it works.