Forcing a Mirror on AD Synchronization
Novell Cool Solutions: Tip
Posted: 5 Sep 2007
A Forum reader recently asked:
"I've noticed that when I do my initial sync, if the users are not in the same locations, it will find the user and associate the accounts, but the user will stay in its current location. If I move them after the initial sync, both accounts will end up in the same location. However, the accounts are in the correct location in AD already, and I would rather not have to verify the location of every account. Is there a way to force a move event when the DNs are not the same?"
And here's the response from Father Ramon ...
Assuming you are using IDM 3.5 and haven't significantly changed the matching policy from the default, you should be able to do what you want. Add something like the following action at the end of the rule named "match users based on NT logon name":
<do-if>
  <arg-conditions>
    <and>
      <if-association op="available"/>
    </and>
  </arg-conditions>
  <arg-actions>
    <!-- Container the object should be in: parent of the source DN (already in
         destination DN format) followed by the AD base container. The
         regex="(.+)" only matches a non-empty parent, so an object directly
         under the base gets the base container with no leading comma. -->
    <do-set-local-variable name="desired-dest-container" scope="policy">
      <arg-string>
        <token-replace-first regex="(.+)" replace-with="$1,">
          <token-parse-dn length="-2" src-dn-format="dest-dn">
            <token-op-property name="unmatched-src-dn"/>
          </token-parse-dn>
        </token-replace-first>
        <token-text xml:space="preserve">cn=Users,dc=novell,dc=com</token-text>
      </arg-string>
    </do-set-local-variable>
    <!-- Container the matched AD object is in now: resolve the association to
         its destination DN and drop the leaf RDN. -->
    <do-set-local-variable name="matched-dest-container" scope="policy">
      <arg-string>
        <token-parse-dn dest-dn-format="dest-dn" length="-2" src-dn-format="dest-dn">
          <token-resolve datastore="dest">
            <arg-association>
              <token-association/>
            </arg-association>
          </token-resolve>
        </token-parse-dn>
      </arg-string>
    </do-set-local-variable>
    <!-- Move only when the two containers differ. The comparison is done as
         DNs (mode="dest-dn"), so case and whitespace differences in what AD
         returns do not cause a spurious move. -->
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable mode="dest-dn" name="desired-dest-container" op="not-equal">$matched-dest-container$</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-move-dest-object>
          <arg-dn>
            <token-local-variable name="desired-dest-container"/>
          </arg-dn>
        </do-move-dest-object>
      </arg-actions>
    </do-if>
    <do-break/>
  </arg-actions>
</do-if>
You'll have to change "cn=Users,dc=novell,dc=com" to whatever your base container is. I'm not sure why the default configuration doesn't put this value into a GCV.
If you aren't using 3.5, it can still be done but is somewhat more difficult:
- You must use a separate rule, because there's no if-then-else action.
- You have to use an XPath extension function call to get the matched destination DN, because there is no resolve token.
- You have to use XPath to compare containers, because there's no variable expansion. Make sure the DN strings match exactly, because XPath string comparisons are case-insensitive exact matches.
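The following Python script is an added example, not code from the post above or from the IDM driver. It models the container check the 3.5 policy performs: take the parent of the source DN (what token-parse-dn length="-2" yields), prefix it to the base container, take the parent of the DN the association resolves to, and compare the two as DNs rather than as raw strings. It also shows the pre-3.5 pitfall from the list above: a plain XPath string comparison is sensitive to case and whitespace, so the upper-case attribute types AD returns ("CN=", "OU=") alone would make every object look misplaced. Assumptions: unmatched-src-dn is already in destination (LDAP) DN format, as the policy's src-dn-format="dest-dn" requires; the sample DNs are constructed; the escaped-comma splitting and the lowercase/trim normalization are this example's own approximation of the engine's DN comparison, not its exact algorithm.

```python
"""
Model of the container comparison in the "match users based on NT logon name"
follow-up action.  Added example; not code from the original post or driver.
Assumes unmatched-src-dn is already in destination (LDAP) DN format.
"""

# Base container; change for your environment, exactly as the post says.
BASE_CONTAINER = "cn=Users,dc=novell,dc=com"


def split_rdns(dn: str) -> list[str]:
    """Split an LDAP DN into RDN strings, keeping backslash-escaped commas."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return [r.strip() for r in rdns if r.strip()]


def parent_container(dn: str) -> str:
    """token-parse-dn length="-2": drop the leaf RDN, keep the container."""
    return ",".join(split_rdns(dn)[1:])


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: attribute types and values lowercased,
    no whitespace around '=' or ','.  Approximates what mode="dest-dn" does."""
    parts = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def desired_container(unmatched_src_dn: str,
                      base_container: str = BASE_CONTAINER) -> str:
    """desired-dest-container: parent of the source DN, then ',' only when that
    parent is non-empty (mirrors token-replace-first regex="(.+)"), then base."""
    parent = parent_container(unmatched_src_dn)
    return f"{parent},{base_container}" if parent else base_container


def needs_move_dn_mode(desired: str, current: str) -> bool:
    """if-local-variable mode="dest-dn" op="not-equal": DN-aware comparison."""
    return normalize_dn(desired) != normalize_dn(current)


def needs_move_xpath_style(desired: str, current: str) -> bool:
    """Pre-3.5 XPath 'desired != current': exact string compare, so AD's
    upper-case attribute types alone would trigger a move."""
    return desired != current


def plan_move(unmatched_src_dn: str, current_dest_dn: str,
              base_container: str = BASE_CONTAINER) -> dict:
    """Decide whether the matched AD object must be moved, and where to."""
    desired = desired_container(unmatched_src_dn, base_container)
    current = parent_container(current_dest_dn)
    return {"desired": desired, "current": current,
            "move": needs_move_dn_mode(desired, current)}


if __name__ == "__main__":
    # Constructed sample: eDirectory user whose DN below the base is
    # cn=jdoe,ou=Sales; AD returns DNs with upper-case attribute types.
    in_place = "CN=jdoe,OU=Sales,CN=Users,DC=novell,DC=com"
    misplaced = "CN=jdoe,CN=Users,DC=novell,DC=com"
    for dn in (in_place, misplaced):
        plan = plan_move("cn=jdoe,ou=Sales", dn)
        print(f"{dn}: move={plan['move']} -> {plan['desired']}")
    # Same in-place object compared as raw strings: a spurious move.
    print("xpath-style:", needs_move_xpath_style(
        desired_container("cn=jdoe,ou=Sales"), parent_container(in_place)))
```

Running it moves only the object under CN=Users and leaves the one already under OU=Sales alone, while the raw string comparison reports the in-place object as needing a move; that difference is why the DN-mode comparison matters, and why the pre-3.5 XPath variant has to be fed strings that match character for character.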
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com