
Manager sync from IDVault to AD


Hi,

I need to do a user synchronisation, and one of the attributes that needs
sync is the manager (the manager's DN).

My question is: do I have to build the new manager's DN, or does NIM do the
conversion to the AD form once I add "manager" in the synchronisation
filter? I ask because the entries' CN is not the same on the IDVault and
on AD, so it's not a simple replacement of the DN string.

If it doesn't convert, I assume that I have to not put it in the filter
and do a rule that writes it if it's available, right?


Thanks in advance for your help,
Marc


--
MuadDib_II
------------------------------------------------------------------------
MuadDib_II's Profile: https://forums.netiq.com/member.php?userid=8754
View this thread: https://forums.netiq.com/showthread.php?t=53975

9 Replies
Knowledge Partner

Re: Manager sync from IDVault to AD

On 8/5/2015 11:44 AM, MuadDib II wrote:
>
> Hi,
>
> I need to do a user synchronisation, and one of the attributes that need
> sync is the manager (the manager's DN).
>
> My question is: do I have to built the new manager's DN or NIM does the
> convertion to the AD form once I add "manager" in the synchronisation
> filter? I ask because the entries CN is not the same on the IDVault and
> on AD, so it's not a simple remplacement of the DN string.
>
> If it doesn't convert, I assume that I have to not put it in the filter
> and do a rule that writes it if it's available, right?


IDM knows and deals with this. But you have to understand the rules.

A value that is specified as <value type="dn">\O\OU\CN</value>

will be run through the association processor, (Post sub-command, and
post ITP).

Then if the DN referenced has an association value, it will look like
<value association-ref="association-value" type="dn">\O\OU\CN</value>

Then the shim will ignore the raw value (in eDir format) and use the
association value instead, which will work.

If you do this AFTER those two policies, you are responsible to get the
association-ref yourself into the <value> node.

If the object referenced does not have an association then the engine
will comment "Could not resolve reference to ObjectNAME". And so on.



Knowledge Partner

Re: Manager sync from IDVault to AD


Hi Marc,
1. Yes, you need to add "manager" to the filter
2. If you have manager object associated, AD DN will be correctly
resolved and user object in AD will have right DN to manager object in
AD

> If it doesn't convert, I assume that I have to not put it in the filter
> and do a rule that writes it if it's available, right?

3. You don't need to create your own policy - the driver/engine will do it for
you!

Thank you,
Alex


--
al_b
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=53975


Re: Manager sync from IDVault to AD


Thanks for the answers geoffc and al_b. 🙂

To see if I understood correctly, let's suppose that :

- I don't leave the manager attribute in the filter
- The manager in IDVault is mapped to the manager in AD
- I do a rule in the command policies (subscriber channel) that adds the
IDVault manager to the current operation
- The manager is present in both AD and IDVault with a correct
association

In this case the manager will correctly sync with AD with the correct DN
when passing through my rule, that's it?


--
MuadDib_II
------------------------------------------------------------------------
MuadDib_II's Profile: https://forums.netiq.com/member.php?userid=8754
View this thread: https://forums.netiq.com/showthread.php?t=53975

Knowledge Partner

Re: Manager sync from IDVault to AD


Hi Marc,
> - I don't let the manager attribute on the filter
> - The manager in IDVault is mapped to the manager in AD
> - I do a rule in the command policies (subscriber channel) that adds the
> IDVault manager to the current operation

You can do it (and fight with the situation where the filter will "strip"
the manager info from the doc).

Like we already mentioned many times: IDM is a very flexible, powerful
product and we can have many "different" ways to get the same result!

Personally I can't see a good reason to work hard, fight against the engine
(to return manager info that will be cut by the filter), and create
additional rules (in Subscriber Command Transformation) just to get the
same result that you will get "by default" (by doing nothing).
:confused:

You just need *Schema mapping* for the Manager attribute and to allow the
Manager attribute to go through in the *Filter* (Subscriber Synchronize).


--
al_b
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=53975

Knowledge Partner

Re: Manager sync from IDVault to AD

al b <al_b@no-mx.forums.microfocus.com> wrote:
> Hi Marc,


> You can do it (and fight with situation, when filter will "strip"
> manager info from the doc).
>
> Like we already mentioned many times: IDM is very flexible, powerful
> product and we can have may "different" ways to get same result!
>
> Personally I can't see good reason to work hard, fight against engine
> (to return manager info, that will be be cut by filter), create
> additional rules ( in Subscriber Command Transformation) just to get
> same result, that you will get "by default" (with doing nothing).
> :confused:
>
> You just need *Schema mapping* for Manager attribute and allow to
> Manager attribute go thru in the *Filter* (Subscriber Synchronize).
>


I am inclined to agree.

The one problem we have seen with letting the engine handle the manager
sync is where the actual manager syncs to AD after some or all direct
reports are already synced to AD.

When the direct reports are synced in advance of the manager, the engine
can't resolve the manager reference and discards it (which is correct
behaviour)

When the manager finally gets synced the engine doesn't automatically fix
these discarded manager references and you need to add a rule to handle
this.

I generally add isManager attribute as subscriber notify in the filter and
then use this to tag the operation with op-data. Then in input transform I
detect the tagged success (from add or merge) and iterate over all
associated direct reports updating manager on these.

--
If you find this post helpful and are logged into the web interface, show
your appreciation and click on the star below...
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
Knowledge Partner

Re: Manager sync from IDVault to AD


That is very good advice.
I expect that could happen when a new manager is hired or changed
depending on how and when things are written from the HR system.

So to conclude:
1. add Manager to the filter and schema mapping.
2. add isManager to the filter as notify, tag the operation.
3. add code in the ITP policy set and iterate through all direct reports
when the tag is detected.

Direct reports do not need to be in the filter since AD calculates those
and adds them automatically when manager is written. I wonder though, if
direct reports were added to the filter, could that take care of the
situation where the special ITP rule is needed?


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159
View this thread: https://forums.netiq.com/showthread.php?t=53975

Knowledge Partner

Re: Manager sync from IDVault to AD

joakim ganse <joakim_ganse@no-mx.forums.microfocus.com> wrote:
>
> direct reports do not need to be in the filter since AD calculates those
> and adds them automaticly when manager is written. I wonder though if
> direct reports would be added in the filter, could that take care of the
> situation when the special ITP rule is needed?
>


As direct reports is also an AD backlinked attribute (like group
membership) I don't think the AD shim can be notified via filter reliably
for this attribute.

Haven't tested though. Just a hunch.

--
Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Re: Manager sync from IDVault to AD

On 8/6/2015 8:10 AM, Alex McHugh wrote:
> al b <al_b@no-mx.forums.microfocus.com> wrote:
>> Hi Marc,

>
>> You can do it (and fight with situation, when filter will "strip"
>> manager info from the doc).
>>
>> Like we already mentioned many times: IDM is very flexible, powerful
>> product and we can have may "different" ways to get same result!
>>
>> Personally I can't see good reason to work hard, fight against engine
>> (to return manager info, that will be be cut by filter), create
>> additional rules ( in Subscriber Command Transformation) just to get
>> same result, that you will get "by default" (with doing nothing).
>> :confused:
>>
>> You just need *Schema mapping* for Manager attribute and allow to
>> Manager attribute go thru in the *Filter* (Subscriber Synchronize).
>>

>
> I am inclined to agree.
>
> The one problem we have seen with letting the engine handle the manager
> sync is where the actual manager syncs to AD after some or all direct
> reports are already synced to AD
>
> When the direct reports are synced in advance of the manager, the engine
> can't resolve the manager reference and discards it (which is correct
> behaviour)


directReports is a fake attr in AD I thought. It is like memberOf, and
is a dynamic query, only when you look.

> When the manager finally gets synced the engine doesn't automatically fix
> these discarded manager references and you need to add a rule to handle
> this.
>
> I generally add isManager attribute as subscriber notify in the filter and
> then use this to tag the operation with op-data. Then in input transform I
> detect the tagged success (from add or merge) and iterate over all
> associated direct reports updating manager on these.
>


Knowledge Partner

Re: Manager sync from IDVault to AD

Yes, also as Alex McHugh pointed out. systemOnly = TRUE is the key on
these pages, I believe:

https://msdn.microsoft.com/en-us/library/Cc221482.aspx


--
Good luck.
