
Moving an Account when User's Affiliation Changes

Novell Cool Solutions: Tip
By William C Schneider


Posted: 16 Jun 2005

The purpose of this rule set is to move an account in a hierarchical directory from one OU to another when the user's attributes indicate an affiliation change in a flat Identity Directory. It continues a previous Cool Solutions article that explains how to place users initially in a hierarchical structure.

For this example, we will use a flat eDirectory for the Identity Directory and a hierarchical Active Directory for the application. The same rules could be used on other drivers as well, however. The affiliation information is stored in the OU attribute of the user class in eDirectory. (This maps to Department in the ConsoleOne GUI.)

To use this example, create a new rule set (policy) in the Subscriber Command Transformation. Each of the rules below is contained within that rule set, in the order shown, because the first rule relies on a break to keep the later rules from running.

Step One: Determine if we need to evaluate the rest of the rules

Break: No Move Processing on Adds and Merges
if operation equal "add"
Or  if XPATH expression true "@from-merge"
Or  if operation attribute 'OU' not changing
break

The first condition skips add events, since the creation rule from the previous article has already placed a new user in the correct container. The second condition, the XPath test on the from-merge attribute, determines whether the event was generated by a merge, that is, by a sync issued for the object. In our case we don't want a sync to move accounts; you may remove this condition if you want that behavior. The third condition looks at the OU attribute to see whether it is changing. Since the OU attribute is the one that holds the affiliation information, if it is not changing there is no point in evaluating the rest of the rules, as they would all fail anyway. Breaking here makes the rule set more efficient.

Step Two: If the affiliation information is changing, move the account to the new OU

Move to GADM
if operation equal "modify"
And  if class name equal "User"
And  if source attribute 'OU' equal "Administrative Support"
move destination object(dn("ou=gadm,ou=People,dc=uthsc,dc=edu"))
break

The third condition of this rule tests whether the object should be moved to the GADM container. In our case, users in Administrative Support are located in an OU called GADM in Active Directory. The "move destination object" action places the user in the specified container. A break is then issued so the remaining, unneeded rules are not processed. Repeat Step Two for each container in Active Directory that you want to move users into, placing the most frequently used containers at the top of the list to improve processing time. Note that the rule reads the source attribute, so it sees the OU value as it now stands in eDirectory rather than only the value carried in the event. One caveat worth checking: an affiliation value that no rule matches leaves the account in its old container, where it keeps whatever rights that container confers, so audit for unmapped OU values before relying on this rule set.

Note: In the creation rule, you are actually building the full distinguished name for the user object. Here, you are only specifying the distinguished name of the container to move the object to. Do not include the full user distinguished name here.
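The two rules above written out as DirXML Script, the XML that Identity Manager stores behind the Policy Builder view. This is an added example, not the author's exported policy; it assumes the eDirectory attribute name OU (as written before schema mapping) and the container DN from Step Two. A further "Move to ..." rule is a copy of the second rule with its own affiliation value and container DN.

```xml
<policy>
  <!-- Step One: stop processing for adds, merge-generated events,
       and modifies that do not touch the affiliation attribute -->
  <rule>
    <description>Break: No Move Processing on Adds and Merges</description>
    <conditions>
      <or>
        <if-operation op="equal">add</if-operation>
        <!-- @from-merge is set on events generated by a sync/merge -->
        <if-xpath op="true">@from-merge</if-xpath>
        <if-op-attr name="OU" op="not-changing"/>
      </or>
    </conditions>
    <actions>
      <do-break/>
    </actions>
  </rule>

  <!-- Step Two: one rule per target container; most common first -->
  <rule>
    <description>Move to GADM</description>
    <conditions>
      <and>
        <if-operation op="equal">modify</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <!-- source attribute: the OU value now stored in eDirectory -->
        <if-src-attr name="OU" op="equal">Administrative Support</if-src-attr>
      </and>
    </conditions>
    <actions>
      <!-- container DN only, not the full user DN (see the Note above) -->
      <do-move-dest-object>
        <arg-dn>
          <token-text>ou=gadm,ou=People,dc=uthsc,dc=edu</token-text>
        </arg-dn>
      </do-move-dest-object>
      <do-break/>
    </actions>
  </rule>
</policy>
```

If you prefer the rule to react only to the value carried in the event rather than the current eDirectory value, replace if-src-attr with if-op-attr using the same name and value; the rest of the rule is unchanged.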

To handle users with multiple affiliations, you would use the same pattern discussed in the previous Cool Solutions article. Just substitute the actions listed here.


© Copyright Micro Focus or one of its affiliates