
AD Placement Policy


We create our users in Oracle (JDBC), which then creates them in our Identity
Vault and then our eDir tree and Active Directory. GroupWise accounts
are also created. Currently our IDM system places new users in only one
OU in Active Directory, /USERS. We would like to create several new OUs
in Active Directory such as IT, Administration, Audits, etc. We want
our new users to be placed in the applicable Active Directory OU based
on a company code. In our Identity Vault our users are created in
/USERS/ACTIVE and then created in Active Directory in /USERS. Is there
a way I can edit the Subscriber Placement Policy on the AD driver to
have the users placed in the applicable OU based on their company code?
Is it that simple? If not, can you pretty please point me in the right
direction? Thank you!! Here is the current placement policy on the Active
Directory Subscriber channel:
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Mirrored Placement for all objects</description>
    <conditions>
      <or>
        <if-src-dn op="in-subtree" xml:space="preserve">DOAAWF\USERS\ACTIVE</if-src-dn>
      </or>
    </conditions>
    <actions>
      <do-set-op-dest-dn>
        <arg-dn>
          <token-unmatched-src-dn convert="true"/>
          <token-text xml:space="preserve">,</token-text>
          <token-text xml:space="preserve">cn=Users,dc=audits,dc=ga,dc=gov</token-text>
        </arg-dn>
      </do-set-op-dest-dn>
    </actions>
  </rule>
</policy>


--
kbannister
------------------------------------------------------------------------
kbannister's Profile: https://forums.netiq.com/member.php?userid=2831
View this thread: https://forums.netiq.com/showthread.php?t=49062


Re: AD Placement Policy

On Fri, 25 Oct 2013 19:44:03 +0000, kbannister wrote:

> Is there
> a way I can edit the Subscriber Placement Policy on the AD driver to
> have the Users placed in the applicable OU based on their company code.
> Is it that simple?


Yes, you can do that. Yes, it's that simple.

I have something like this, where we do hierarchical placement based on
employee department number (from HR). Since we have several hundred
departments, I built a mapping table that contains department number and
destination container information to be used in a placement rule like:

<rule>
  <description>Employees Placement</description>
  <conditions>
    <and>
      <if-class-name op="equal">user</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-set-op-dest-dn>
      <arg-dn>
        <token-text xml:space="preserve">CN=</token-text>
        <token-attr name="CN"/>
        <token-text xml:space="preserve">,</token-text>
        <token-map dest="MAD Placement" src="Department Number" table="\[root]\NIU\DirXML\Data Library\Placement Table">
          <token-attr name="departmentNumber"/>
        </token-map>
      </arg-dn>
    </do-set-op-dest-dn>
  </actions>
</rule>


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
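
The mapping-table approach from the reply above, applied to the company-code case in the original question, as an added example that is not code from either poster. The attribute name companyCode, the table DN, the column names and the codes 100/200/300 are assumptions; the OU DNs are constructed from the OU names in the question and the domain in the posted policy, and the mapping-table layout shown is the assumed XML of the table resource. An unmapped company code returns an empty lookup, so the mapped rule is skipped and the existing mirrored rule still applies.

```xml
<!-- Object 1 (constructed): mapping table resource; codes and OU DNs are sample values -->
<mapping-table>
  <col-def name="Company Code" type="nocase"/>
  <col-def name="AD Container" type="nocase"/>
  <row><col>100</col><col>OU=IT,dc=audits,dc=ga,dc=gov</col></row>
  <row><col>200</col><col>OU=Administration,dc=audits,dc=ga,dc=gov</col></row>
  <row><col>300</col><col>OU=Audits,dc=audits,dc=ga,dc=gov</col></row>
</mapping-table>
<!-- Object 2: Subscriber placement rules; companyCode and the table DN are assumed names -->
<policy>
  <rule>
    <description>Look up the AD container for the company code</description>
    <conditions>
      <and>
        <if-class-name op="equal">user</if-class-name>
        <if-src-dn op="in-subtree">DOAAWF\USERS\ACTIVE</if-src-dn>
      </and>
    </conditions>
    <actions>
      <do-set-local-variable name="destOU" scope="policy">
        <arg-string>
          <token-map dest="AD Container" src="Company Code" table="..\Company Placement">
            <token-attr name="companyCode"/>
          </token-map>
        </arg-string>
      </do-set-local-variable>
    </actions>
  </rule>
  <rule>
    <description>Mapped placement, only when the lookup returned a container</description>
    <conditions>
      <and>
        <if-local-variable mode="regex" name="destOU" op="equal">.+</if-local-variable>
      </and>
    </conditions>
    <actions>
      <do-set-op-dest-dn>
        <arg-dn>
          <token-text xml:space="preserve">CN=</token-text>
          <token-attr name="CN"/>
          <token-text xml:space="preserve">,</token-text>
          <token-local-variable name="destOU"/>
        </arg-dn>
      </do-set-op-dest-dn>
      <do-break/>
    </actions>
  </rule>
  <!-- Keep the existing "Mirrored Placement for all objects" rule here as the fallback -->
</policy>
```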

Re: AD Placement Policy


Thank you! Was pulled off this project for awhile, as usual. Hope to
get back on it next week and will try the mapping tables.


--
kbannister
