Creating a Set based on the occurrence of a certain value in AD DN
Hi, I am trying to create a Set based on a certain value in one of the parts of the DN of the user object. Say the DN is something like "CN=UserName,OU=May,OU=Trash,DC=<domain>". I only want the users in the Set that have "Trash" in the DN. I know that it is not possible to use the Contains operator in a Set, nor is there something similar to use that I know of. I did notice though that if the FIM portal attribute used to store the AD DN is defined as multi-value the "Contains" operator is available, but it doesn't work either. When one looks at the XPath Filter it is created like an "is" operator and not as one would expect a "Contains" operator. I have searched the web up and down and could not find any clear answer as to how to do this. Any ideas or advice of how to handle this would be appreciated. Currently we have ILM 2007 in production with quite a couple of these type of rules. I am doing the redesign on FIM 2010 R2 RC. Thanks, Johan Marais JkM6228
May 3rd, 2012 8:41am

I would use an advanced flow (using "csentry.DN.Subcomponents(x,y)") to break the DN into pieces so the OU value can be stored as an attribute which you could then use in your set criteria. Here's an example I used:

    private void IAFOuSite(CSEntry csentry, MVEntry mventry)
    {
        // Store the selected DN component, minus its "OU=" prefix, in the metaverse attribute ouSite.
        mventry["ouSite"].Value = csentry.DN.Subcomponents(0, 1).ToString().Replace("OU=", "");
    }

Frank C. Drewes III - Senior Consultant: Oxford Computer Group
May 3rd, 2012 11:08am

Depends what hotfix version you're on. In rollup 2 they restored the % wildcard, after much complaining from all of us. So you can do "starts-with %OU=Trash%" in your set definition. http://www.wapshere.com/missmiis
May 3rd, 2012 11:42pm

Frank, Thanks, will try this. Haven't thought of that. Regards Johan Marais JkM6228
May 4th, 2012 12:52am

Carol, Thanks for your reply. I have already tried that, it doesn't work, unless it only works with specific operators - will try again. I am working on FIM 2010 R2 RC. According to the release notes all wildcard characters are now treated as literals. Think a bit more of complaining is required to get some usable alternatives, and moving half of your business rules to legacy REs is not a proper alternative. It will result in a messy solution and nightmare to support. Regards Johan Marais JkM6228
May 4th, 2012 12:59am

You've got a good point about where you keep your business rules. I try to keep the policy items in the Portal side and the execution of the policy in the Sync side. Sometimes there are technical challenges that make it difficult. Then it becomes a judgement call. It's also easy to lose visibility when business rules 'hide' in custom activities. It takes a conscious decision to keep things as 'clean' as possible, but I believe it's worth taking the time to do. Frank C. Drewes III - Senior Consultant: Oxford Computer Group
May 4th, 2012 1:12am

We'll need to wait until R2 is final to be sure, but I recall hearing somewhere that the wildcard functionality will work in R2. Frank C. Drewes III - Senior Consultant: Oxford Computer Group
May 4th, 2012 1:16am

Frank, Just tried Carol's suggestion, it does not work in R2 RC either (not sure if there is a later build that will support this). When the filter is defined it puts [] around the wildcard character, which makes the filter then look like [%]OU=Trash[%]. Still does not work. Regards Johan JkM6228
May 4th, 2012 1:28am

Right, the 4.1.1906 build (RC) didn't have the wildcard functionality, it was after the RC release that MS changed the approach to wildcards, so it wouldn't have made it into the RC. The last time I worked with MS on a bug, the build numbers were in the 2200's so there are at least 300 builds and probably lots of changes since the RC. Frank C. Drewes III - Senior Consultant: Oxford Computer Group
May 4th, 2012 1:39am

I am not talking about R2. It was fixed in Rollup 2 for R1. It also previously worked. It is only the hotfix version prior to rollup 2 where it was broken. I have this exact thing currently working in a prod environment. http://www.wapshere.com/missmiis
May 4th, 2012 2:14am

Also - regarding my original idea - The main benefit to using the sync version I posted up at the top had to do with where in the DN the value appeared. In my particular case, a value could appear at different levels of the dn and they were depth sensitive. If you know that what you're looking for would appear in one place only, then a simple portal-side query would be fine. Frank C. Drewes III - Senior Consultant: Oxford Computer Group
May 4th, 2012 2:22am

Carol, We have just started our migration from ILM to FIM 2010 and you know that it is good practise to install all SPs and fixes - resulting in my installation being broken from the start - very frustrating to not be able to get basic stuff done. But I had lots of problems with that installation, not sure whether it was because of the fact that I was running on virtual servers or something else. Had basically to rebuild the whole environment once a week - very frustrating and time wasting to re-enter all rules and changes. I decided to reinstall everything on FIM 2010 R2 RC, and touch wood, much more stable and I am making good progress with the redesign. Guess for now I have to use a workaround for the wildcard issue. Currently busy testing my sets with Frank's first suggestion - will provide feedback soon. Regards Johan Marais JkM6228
May 4th, 2012 2:24am

Frank, I have implemented and tested your original idea, except that instead of breaking the DN up in a RE, I used an advanced flow in the sync rule which I had in the FIM portal. Also had to create a few extra attributes in the metaverse and the FIM portal to store the different parts of the DN. The rule looks something like: Word(dn,3,",")=>OuLevel1. About your last remark, we are fortunate that when we designed the AD structure back in the day we put down a standard for the OU structure which accommodates about all requirements. There are not many changes to the structure. I only extract about three levels which will be adequate for my needs. Will remove the workaround when wildcards are supported in the production release of FIM 2010 R2. Thanks again for everybody's suggestions on this matter. Regards Johan JkM6228
May 4th, 2012 2:54am
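
An added example, not from the thread and not FIM's own code: because these Sets drive policy, the DN is better parsed into RDNs than split on commas or substring-matched. The stand-alone C# program below compares an emulated 1-based comma split (standing in for a rule like Word(dn,3,",")) with an escape-aware RDN split; the class and method names and the sample DNs (example.com) are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

static class DnOuDemo
{
    // Split a DN into RDNs, honouring backslash escapes so that
    // "CN=Marais\, Johan" stays one component.
    static List<string> SplitRdns(string dn)
    {
        var parts = new List<string>();
        var cur = new StringBuilder();
        for (int i = 0; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length) { cur.Append(c).Append(dn[++i]); }
            else if (c == ',') { parts.Add(cur.ToString().Trim()); cur.Clear(); }
            else { cur.Append(c); }
        }
        parts.Add(cur.ToString().Trim());
        return parts;
    }

    // Emulation (assumption) of a 1-based "n-th comma-separated word" extraction.
    static string NaiveWord(string dn, int n)
    {
        string[] w = dn.Split(',');
        return n <= w.Length ? w[n - 1] : "";
    }

    // True only when some RDN is exactly OU=<ou> (case-insensitive), not a substring hit.
    static bool HasOu(string dn, string ou)
    {
        foreach (string rdn in SplitRdns(dn))
            if (rdn.Equals("OU=" + ou, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    static void Main()
    {
        // Constructed sample DNs; example.com is a placeholder domain.
        string[] dns = {
            "CN=UserName,OU=May,OU=Trash,DC=example,DC=com",
            "CN=Marais\\, Johan,OU=May,OU=Trash,DC=example,DC=com",
            "CN=Trash Collector,OU=May,OU=Staff,DC=example,DC=com",
        };
        foreach (string dn in dns)
            Console.WriteLine("{0}\n  naive word 3 = {1}\n  parsed RDN 3 = {2}\n  substring 'Trash' = {3}, exact OU=Trash = {4}",
                dn, NaiveWord(dn, 3), SplitRdns(dn)[2], dn.Contains("Trash"), HasOu(dn, "Trash"));
    }
}
```

For the second DN the comma split returns OU=May as word 3 while the parsed third RDN is OU=Trash; for the third DN the substring test matches on the CN although the user is not under OU=Trash.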
