A Forum reader recently asked:
"I am trying to create an account on active directory and have it synchronized to IDM. The Driver filter has the surname, given name, and various other fields set to Publisher Reset and Subscriber Synchronize.
When the account is created in Active Directory, you can see in the trace that the values are there. Then, later in the trace, the values get reset before IDM gets to the placement policy. At that point, a MISSING MANDATORY error is generated. When I change the filter to Synchronize on
both the Publisher and the Subscriber, the account is created in IDM.
How do I prevent users from chaining values in AD and synchronizing to IDM? I need those values to be reset in AD so that IDM is the "keeper" of information, and the values in AD always reflect those in IDM. This works with existing accounts but not with new accounts."
And here's the response from Father Ramon ...
Filters are somewhat of an all or nothing kind of thing. What you are trying to do is make AD (or your policies) authoritative on create, but not on modify. To get the behavior you want, you are basically left with two options:
- Remove reset from the filter and implement it yourself in policy.
- Leave reset in the filter, but bypass it for adds by forcing the operation to be direct instead of letting it go through the notify/reset filter.
I would think that the latter would be the easiest. What you probably want is something like the following rule, in the last policy of your publisher command transformation:
<description>Perform adds directly to bypass the reset
<do-set-xml-attr expression="." name="direct">
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.