Renaming User Accounts, eDirectory to AD

By Peter Norris

Posted: 28 Jun 2006


A Forum reader asked the following question:

"I'm in the process of testing my IDM 3.0 deployment (eDirectory and AD). If I change the last name of a user account in eDirectory, the changes are sync'd over to AD just fine. However, viewing the user account in AD via ldp.exe shows that the CN and Name attribute are still using the old last name. So, since the name attribute doesn't get updated, the user shows up with the old last name when viewing the list of users in the AD OU. If you open the changed user account, you can see the new last name (I can see the helpdesk folks complaining about this ...)

Where would I place a rule to rename the Name attribute? On the command transform? What would the rule look like for this? I have a feeling that changing the CN will be more involved. Any thoughts on how to accomplish this?"

And here's the reply from Peter Norris ...


I have found that the only place AD will let me change the CN is by performing a RENAME on the NAME attribute on the OUTPUT Transformation policy.

Basically, I map FULLNAME to NAME and run a rule similar to the one below (not the full policy). This also updates the display name.

<description>Alter name change to rename</description>
<actions>
  <do-rename-dest-object when="after">
    <arg-string>
      <token-op-attr name="name"/>
    </arg-string>
  </do-rename-dest-object>
  <do-clear-dest-attr-value name="displayName" when="before"/>
  <do-set-dest-attr-value name="displayName">
    <arg-value type="string">
      <token-op-attr name="name"/>
    </arg-value>
  </do-set-dest-attr-value>
  <do-strip-op-attr name="name"/>
</actions>

