
synching dirxml-adcontext from AD


Hi,

We have NetIQ IDM 4.0.2 on Windows, with an AD driver connecting to AD
via a remote loader installed on the AD domain.

#1. When we create a new user from IDM to AD, the account is created in AD
and dirxml-adcontext is set correctly in IDM (cn=user1,DC=test,DC=com).
If the new user created in IDM already exists in AD, it finds a
match based on workforceid, and it gets associated to the AD
account, but dirxml-adcontext is not getting updated. It has the value
\tree\user\employees\user1 (which is the eDir context).

Please help with how to sync this attribute whenever there is a match /
whenever we do a sync.

Thanks,
DK


--
dinatechmnovell

Re: synching dirxml-adcontext from AD

As always, post a trace (level three, engine side) of at least what is
perceived to NOT be working (matching and the resulting dirxml-adcontext
value being set). Also, what is the history of this driver? Did it ever
work? Do others like it in other environments (test/stage/prod) work?

--
Good luck.


Re: synching dirxml-adcontext from AD

dinatechmnovell wrote:

>
> Please help with how to sync this attribute whenever there is a match /
> whenever we do a sync.


This is not the default behaviour of the driver.
Partly this is by design, as the DirXML-ADContext attribute is intended purely as a way of distinguishing whether an event from AD was a move or rename.

That said, I do think this may be a bug or design oversight.

Add the following as a rule in the subscriber command transform and try the match/merge again.
<rule>
  <description>Set DirXML-ADContext on merge</description>
  <conditions>
    <and>
      <!-- Only act on User/Group modify commands that come from a merge -->
      <if-operation mode="case" op="equal">modify</if-operation>
      <if-class-name mode="regex" op="equal">User|Group</if-class-name>
      <if-xml-attr mode="nocase" name="from-merge" op="equal">true</if-xml-attr>
    </and>
  </conditions>
  <actions>
    <!-- Resolve the object's association to its DN in the destination datastore -->
    <do-set-local-variable name="ADContext" scope="policy">
      <arg-string>
        <token-resolve datastore="dest">
          <arg-association>
            <token-association/>
          </arg-association>
        </token-resolve>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <!-- Continue only if the resolve returned a non-empty value -->
          <if-local-variable mode="regex" name="ADContext" op="equal">.+</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <!-- Add the DirXML-ApplicationAttrs object class, then write the resolved DN to the source object -->
        <do-add-src-attr-value name="Object Class">
          <arg-value type="string">
            <token-text xml:space="preserve">DirXML-ApplicationAttrs</token-text>
          </arg-value>
        </do-add-src-attr-value>
        <do-set-src-attr-value name="DirXML-ADContext">
          <arg-value type="string">
            <token-local-variable name="ADContext"/>
          </arg-value>
        </do-set-src-attr-value>
      </arg-actions>
      <arg-actions/>
    </do-if>
  </actions>
</rule>



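An added example, not part of the original posts or the driver's own code: a Python check over an LDIF export of the Identity Vault that lists entries whose DirXML-ADContext still holds an eDirectory slash path like the one in the question rather than an AD DN. The function names and sample entries are constructed, and it assumes the attribute is exported under the name used in the thread.

```python
import base64
import re

ATTR = "dirxml-adcontext"  # assumed export name, compared case-insensitively
# One or more comma-separated RDNs (name=value); backslash-escaped characters allowed.
RDN = r"[A-Za-z][A-Za-z0-9-]*=(?:\\.|[^,\\])+"
AD_DN = re.compile(rf"^{RDN}(?:,{RDN})*$")

def parse_ldif(text):
    """Yield one {attr: [values]} dict per record, handling folding and base64."""
    unfolded = re.sub(r"\r?\n ", "", text)  # a continuation line starts with one space
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            yield entry

def classify(value):
    """Label a DirXML-ADContext value as missing, edir-path, ad-dn or unrecognized."""
    if value is None:
        return "missing"
    if value.startswith("\\"):  # e.g. \tree\user\employees\user1
        return "edir-path"
    return "ad-dn" if AD_DN.match(value) else "unrecognized"

def audit(ldif_text):
    """Return {entry dn: classification} for every record that has a dn."""
    return {e["dn"][0]: classify((e.get(ATTR) or [None])[0])
            for e in parse_ldif(ldif_text) if "dn" in e}

# Constructed sample export: plain, folded, base64-encoded and absent values.
_B64 = base64.b64encode(rb"\tree\user\employees\user3").decode()
SAMPLE = (
    "dn: cn=user1,ou=employees,o=user\n"
    "DirXML-ADContext: \\tree\\user\\employees\\user1\n\n"
    "dn: cn=user2,ou=employees,o=user\n"
    "DirXML-ADContext: cn=user2,\n DC=test,DC=com\n\n"
    "dn: cn=user3,ou=employees,o=user\n"
    f"DirXML-ADContext:: {_B64}\n\n"
    "dn: cn=user4,ou=employees,o=user\nworkforceID: 1004\n"
)

if __name__ == "__main__":
    for dn, status in audit(SAMPLE).items():
        print(f"{status:13} {dn}")
```

Entries reported as edir-path are the ones the match/merge left with the stale value.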