Hello Lisa,
unfortunately in the standard ToLDAP pass it's not possible to use anything other then the DN. In theory a VB script (like the one which sets the password) would be possible but that won't survive an 8.x migration. Another idea would be to write your own connector using a Java class and a ToCustom pass. Yet, I think these are no realistic options and there is a quite easy solution.
What we did:
We have a similar setup as you described. Four domains and ongoing migrations in our Group domain. As we started with 7.1, we have the DN<repName> attributes containing the DN. The ACCOUNT<repName> attributes contain the samAccountName. Standard in 7.1, I don't know why they changed that. In your case it would be the other way round. Leaving the DN in the ACCOUNT attributes and adding another attribute for each domain. Z_SAMACCOUNTNAME<repName> or whatever prefix instead of Z you use for your own attributes. The repName should be included if you have more than one domain
We use nightly load jobs which read out all domains. We have jobs with 22 passes active, including AD group handling with triggers and everything. In the passes for the users we set the DN to the the DN<repName> attribute. Matching to the identity (MSKEY/MSKEYVALUE) works using the ACCOUNT<repName> with a script. Query in the script:
var sql = "SELECT DISTINCT s1.mskey FROM IDMV_VALUE_EXT s1 with (nolock) JOIN IDMV_VALUE_EXT s2 with (nolock) ON s1.MSKEY = s2.MSKEY WHERE s2.Attrname = 'MX_ENTRYTYPE' AND s2.Searchvalue = 'MX_PERSON' AND s1.Attrname = 'ACCOUNT" + repName + "' AND s1.Searchvalue = '" + userid + "'";
repName and userid (=samAccountname) are the parameters of the script.
The change of the samAccountName has to be done in the IdM (we have a request for that). So not that much problems missing out samAccountName changes. Well, there are a lot of provisioning errors due to no DN or wrong DN. Luckily we don't have to care that much about that. If someone misses something, they will open an incident anyway. A bit mean though, but compared to the total user number we handle in the IdM and the total incident numbers, we don't have that much trouble.
What may come in handy for you:
In the plugin (use your own plugin, modifying the SAP one isn't recommended) add another task / job with a ToGeneric pass. In that script use
var ldapEntry = uLDAPGetEntry(searchString, "%$rep.LDAP_LOGIN%", "%$rep.LDAP_PASSWORD%")
to search for the user using the samAccountName. Something like this should work for the searchstring:
var searchString = LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/??BASE?(samaccountname=<username>)
After that you can retrieve the dn using ldapEntry.get("distinguishedName"). At least I hope the uLDAPGetEntry function is capable of generic LDAP searching, haven't tried it out without the DN though.
I use with the DN to search for the homeMDB attribute, which determines if a user has a mailbox maintained by us. Depending on that I have a task with and a task without the mail attribute. You could do something similar and set the DN attribute with a uIS_SetValue before executing the ToLDAP. That would also be possible as a Source tab Entry script so you wouldn't have to add another task.
Best regards
Dominik
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.