Driver_Girl

eDir to AD one Attribute sync


Situation: I have users on eDirectory that have different phone number
than what is in AD.

What I want to do: Force a sync of just the Telephone number over to AD
to correct this problem.

Looking through all the posts on syncing I really have not seen just
syncing one attribute. I was wondering if anyone had any experience on
this situation.

I was going to avoid doing a whole migration of the users container
because it's time consuming, so any other suggestions would be greatly
appreciated.

Driver Girl


--
Driver_Girl
------------------------------------------------------------------------
Driver_Girl's Profile: http://forums.novell.com/member.php?userid=30126
View this thread: http://forums.novell.com/showthread.php?t=448186

Anonymous_User

Re: eDir to AD one Attribute sync

So the eDirectory settings are correct, right? Are all of the phone
numbers wrong or just a subset that you can identify?

If it's all of the phone numbers (or even if it is just a subset) you
could do something crazy like export all of the phone numbers from
eDirectory (via LDAP) with something like ldapsearch (should take a
couple seconds.... trivial stuff) and then delete and re-add the
attribute in eDirectory. This "change" (adding a new one) will then
synchronize over to MAD and all will be synchronized. You could also do
more IDM-centric things like watch for a migrate or modification of
something unimportant with a specific value (Description attribute
add-value of 'fixPhoneNumber', for example) and then have a new rule pull
the phone number and send it across to MAD for any objects modified with
the description set to 'fixPhoneNumber', even removing this new bogus
description for you. Anyway... just a couple silly ideas.

Good luck.

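The export / delete-and-re-add approach from the reply above, written out as an added example (this is not code from the thread or from IDM). It takes the LDIF that ldapsearch produces, and for every object that has a phone number emits one modify record that deletes the attribute and adds the same value(s) back in the same LDAP operation, so eDirectory logs a real remove/add event that the driver picks up. The host, bind DN, container, the LDAP attribute name `telephoneNumber` and the sample export are all assumptions; the sample data is constructed.

```python
"""Added example: turn an ldapsearch export into a delete-then-re-add LDIF.

Assumed workflow (server, bind DN and container are placeholders):
  ldapsearch -x -H ldaps://edir.example.com -D cn=admin,o=example -W \
      -b ou=users,o=example "(objectClass=inetOrgPerson)" telephoneNumber > phones.ldif
  python3 fix_phone.py phones.ldif > fix-phone.ldif
  ldapmodify -x -H ldaps://edir.example.com -D cn=admin,o=example -W -f fix-phone.ldif
"""
import base64
import sys
from typing import Dict, List

# Constructed sample of ldapsearch output; not real directory data.
SAMPLE_EXPORT = """\
version: 1
# exported from eDirectory
dn: cn=jdoe,ou=users,o=example
telephoneNumber: +1 555 0100

dn: cn=asmith,ou=users,o=example
telephoneNumber:: KzEgNTU1IDAxMDE=

dn: cn=nophone,ou=users,o=example

dn: cn=longdn,ou=users,o=example
telephoneNumber: +1 555 01
 02
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict]:
    """Minimal LDIF content-record parser -> [{"dn": ..., "attrs": {name: [values]}}]."""
    entries: List[Dict] = []
    current = None
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value[1:] if value.startswith(" ") else value
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def ldif_value(name: str, value: str) -> str:
    """Emit 'attr: value', base64-encoding when LDIF (RFC 2849) requires it."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or any(c in value for c in "\r\n\0"))
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def build_fix_ldif(export_text: str, attr: str = "telephoneNumber") -> str:
    """One modify record per entry that has the attribute: delete it, then add the
    same values back. Both changes travel in one LDAP modify, so the operation is
    atomic, yet the directory still records a remove and an add for the driver."""
    records = []
    for entry in parse_ldif(export_text):
        values = entry["attrs"].get(attr)
        if not values:
            continue                            # nothing to re-add; leave the object alone
        lines = [ldif_value("dn", entry["dn"]), "changetype: modify",
                 f"delete: {attr}", "-", f"add: {attr}"]
        lines += [ldif_value(attr, v) for v in values]
        lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    sys.stdout.write(build_fix_ldif(source))
```

Objects without a phone number are skipped rather than given an empty add, and the generated LDIF can be reviewed (or diffed against the export) before anything is written back to the tree.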
Anonymous_User

Re: eDir to AD one Attribute sync

Driver Girl wrote:

> I was going to avoid doing a whole migration of the users container
> because it's time consuming, so any other suggestions would be greatly
> appreciated


Add a sub event policy to catch sync events and send a modify of the attr
you're after instead. Something like:

<rule>
  <description>Force sync single attr (IDV to App)</description>
  <conditions>
    <and>
      <if-operation mode="case" op="equal">sync</if-operation>
    </and>
  </conditions>
  <actions>
    <do-set-dest-attr-value name="Telephone Number">
      <arg-value type="string">
        <token-src-attr name="Telephone Number"/>
      </arg-value>
    </do-set-dest-attr-value>
    <do-veto/>
  </actions>
</rule>

Now start a migration as usual... (don't forget to remove/disable the policy
when the migration has completed)

Driver_Girl

Re: eDir to AD one Attribute sync


Thank you very much for all the suggestions

I was thinking about the script of deleting and re-adding the phone
number; we have done something similar to that in the past. The second
suggestion sounds much more appealing. So some questions on
this: 1. Could I add it as one of the first policies on the
eventTransform, not in the eventTransform.EventTransform rules? We do a
fair amount of processing for entitlements in the eventTransform's first
few rules, so I wanted to avoid all of that.

But that sounds like a very realistic rule to sync an attribute, thanks
for the advice.


Anonymous_User

Re: eDir to AD one Attribute sync

I'd add a new event transform policy to the policy set, just with this rule in
it. Make it the first policy in the set and all subsequent rules that work on
entitlements should not kick in.

Thinking about it, I'd also add another condition (class=User) to the rule and
wrap the set-dest-attr in a token-if to check if the phone attr is actually
populated before trying to copy it over to the app:

<rule>
  <description>Force sync single attr (IDV to App)</description>
  <conditions>
    <and>
      <if-operation mode="case" op="equal">sync</if-operation>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-if>
      <arg-conditions>
        <and>
          <if-src-attr name="Telephone Number" op="available"/>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-dest-attr-value name="Telephone Number">
          <arg-value type="string">
            <token-src-attr name="Telephone Number"/>
          </arg-value>
        </do-set-dest-attr-value>
      </arg-actions>
      <arg-actions/>
    </do-if>
    <do-veto/>
  </actions>
</rule>
Driver_Girl

Re: eDir to AD one Attribute sync


I have put this in my driver, disabled of course for the time being. I
just have one question: I'm creating this in iManager and I am doing the
"If" statement; currently I have the do-veto in the else statement.
Would I want to put a veto right after set destination attr value
along with the veto in the else statement? That way it does not process
any further?

<policy>
  <rule disabled="true">
    <description>Force sync single attr (IDV to App)</description>
    <conditions>
      <and>
        <if-operation op="equal">sync</if-operation>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-if>
        <arg-conditions>
          <and>
            <if-src-attr name="Telephone Number" op="available"/>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-set-dest-attr-value name="Telephone Number">
            <arg-value type="string">
              <token-src-attr name="Telephone Number"/>
            </arg-value>
          </do-set-dest-attr-value>
        </arg-actions>
        <arg-actions>
          <do-veto/>
        </arg-actions>
      </do-if>
    </actions>
  </rule>
</policy>


Anonymous_User

Re: eDir to AD one Attribute sync

place the do-veto outside and after the do-if token so that it will always stop
the sync.
Driver_Girl

Re: eDir to AD one Attribute sync


So I hate to ask this, but I just want to clarify: I have the do-if token,
then right after that I will add another rule that says do veto, which
is not included in the if statement.

I know about iManager and Designer 🙂


Anonymous_User

Re: eDir to AD one Attribute sync

Driver Girl wrote:

> I will add another rule that says do veto


you'll add another *token* do-veto, not a rule (sorry for being pedantic about
the difference between policy/rule/token)

> which is not included in the if statement.


Well, I've actually posted the full rule earlier in this thread:

<rule>
  <description>Force sync single attr (IDV to App)</description>
  <conditions>
    <and>
      <if-operation mode="case" op="equal">sync</if-operation>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <!-- copy the phone number across only when the source object has one -->
    <do-if>
      <arg-conditions>
        <and>
          <if-src-attr name="Telephone Number" op="available"/>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-dest-attr-value name="Telephone Number">
          <arg-value type="string">
            <token-src-attr name="Telephone Number"/>
          </arg-value>
        </do-set-dest-attr-value>
      </arg-actions>
      <arg-actions/>
    </do-if>
    <!-- outside the do-if: every User sync is vetoed, with or without a phone number -->
    <do-veto/>
  </actions>
</rule>

You need to make sure, ALL user sync events get vetoed (not just the ones where
a phone number exists), so the do-veto has to be outside the do-if token or you
have to have two of them in both the "then" branch of the do-if AND the "else"
branch.

Good luck, Lothar
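To make the point about where the do-veto sits concrete, here is an added example (not from the thread, and not the IDM engine): a small evaluator for just the DirXML-Script elements the rule uses, run against constructed sync events for both placements of the veto. It assumes a simplified engine model: a sync that is not vetoed resynchronizes the whole object (modelled as every attribute on the event), while do-set-dest-attr-value on a vetoed sync still produces its own modify of that one attribute. Association lookups, the driver filter and the other policy sets are not modelled.

```python
"""Toy evaluator for the DirXML-Script subset used in the rule above.
Added example; assumed engine model (simplified):
 - a sync event that is NOT vetoed goes on to synchronize the whole object
   (modelled here as every attribute carried on the event);
 - do-set-dest-attr-value on a vetoed sync still issues a separate modify
   of just that attribute."""
import xml.etree.ElementTree as ET
from typing import Dict

# Lothar's rule: the do-veto sits outside the do-if.
RULE_VETO_OUTSIDE = """
<rule><description>Force sync single attr (IDV to App)</description>
 <conditions><and>
  <if-operation mode="case" op="equal">sync</if-operation>
  <if-class-name mode="nocase" op="equal">User</if-class-name>
 </and></conditions>
 <actions>
  <do-if>
   <arg-conditions><and><if-src-attr name="Telephone Number" op="available"/></and></arg-conditions>
   <arg-actions><do-set-dest-attr-value name="Telephone Number">
    <arg-value type="string"><token-src-attr name="Telephone Number"/></arg-value>
   </do-set-dest-attr-value></arg-actions>
   <arg-actions/>
  </do-if>
  <do-veto/>
 </actions></rule>"""

# The first iManager draft: do-veto only in the else branch of the do-if.
RULE_VETO_IN_ELSE = RULE_VETO_OUTSIDE.replace(
    "<arg-actions/>\n  </do-if>\n  <do-veto/>",
    "<arg-actions><do-veto/></arg-actions>\n  </do-if>")
assert RULE_VETO_IN_ELSE != RULE_VETO_OUTSIDE


def _match(value: str, cond: ET.Element) -> bool:
    want = (cond.text or "").strip()
    if cond.get("mode", "case") == "nocase":
        return value.lower() == want.lower()
    return value == want


def cond_holds(cond: ET.Element, event: Dict) -> bool:
    if cond.tag == "if-operation":
        return _match(event["op"], cond)
    if cond.tag == "if-class-name":
        return _match(event["class"], cond)
    if cond.tag == "if-src-attr" and cond.get("op") == "available":
        return bool(event["attrs"].get(cond.get("name")))
    raise NotImplementedError(f"unsupported condition {cond.tag}")


def conds_hold(conditions: ET.Element, event: Dict) -> bool:
    """<conditions> holds <and>/<or> groups; the groups themselves are OR'ed."""
    if conditions is None or len(conditions) == 0:
        return True
    for group in conditions:
        results = [cond_holds(c, event) for c in group]
        if (all(results) if group.tag == "and" else any(results)):
            return True
    return False


def run_actions(actions: ET.Element, event: Dict, out: Dict) -> None:
    for action in actions:
        if out["vetoed"]:                      # nothing runs after a veto
            return
        if action.tag == "do-veto":
            out["vetoed"] = True
        elif action.tag == "do-set-dest-attr-value":
            value = "".join(event["attrs"].get(t.get("name"), "") if t.tag == "token-src-attr"
                            else (t.text or "") for t in action.find("arg-value"))
            out["dest_modify"][action.get("name")] = value
        elif action.tag == "do-if":
            branches = action.findall("arg-actions")   # [then, else]
            if conds_hold(action.find("arg-conditions"), event):
                run_actions(branches[0], event, out)
            elif len(branches) > 1:
                run_actions(branches[1], event, out)
        else:
            raise NotImplementedError(f"unsupported action {action.tag}")


def evaluate(rule_xml: str, event: Dict) -> Dict:
    """Return what the application side would receive for one event."""
    rule = ET.fromstring(rule_xml.strip())
    out = {"vetoed": False, "dest_modify": {}}
    if conds_hold(rule.find("conditions"), event):
        run_actions(rule.find("actions"), event, out)
    out["sent_to_app"] = dict(out["dest_modify"]) if out["vetoed"] else dict(event["attrs"])
    return out


# Constructed events as seen in the Subscriber Event Transformation (not real data).
USER_WITH_PHONE = {"op": "sync", "class": "User", "attrs": {
    "Telephone Number": "+1 555 0100", "Surname": "Doe", "Title": "Engineer"}}
USER_NO_PHONE = {"op": "sync", "class": "User", "attrs": {"Surname": "Smith"}}
GROUP_SYNC = {"op": "sync", "class": "Group", "attrs": {"Description": "Staff"}}

if __name__ == "__main__":
    for label, rule in (("veto outside do-if", RULE_VETO_OUTSIDE), ("veto in else only", RULE_VETO_IN_ELSE)):
        for ev in (USER_WITH_PHONE, USER_NO_PHONE, GROUP_SYNC):
            r = evaluate(rule, ev)
            print(f"{label:19} {ev['class']:5} vetoed={str(r['vetoed']):5} sent={sorted(r['sent_to_app'])}")
```

Running it prints one line per rule and event. With the veto outside the do-if, every User sync is stopped and only Telephone Number goes across; with the veto only in the else branch, a user who does have a phone number is not vetoed, so the whole object resyncs, which is exactly the case the reply warns about. Group syncs do not match the rule in either variant and continue as normal.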
Anonymous_User

Re: eDir to AD one Attribute sync

Driver Girl wrote:

> I'm creating this in iManager


Oh, Designer is much nicer, but you probably know that already. And it allows
you to simulate the rule without risk for production data...

iManager (like Designer) also allows you to edit the policy XML directly. Just
copy/paste the rule in, no need to rebuild it from scratch.

Cheers, Lothar