LDAP: Are UID and CN mutually exclusive?
Hi Guys,

The problem:
I feel I'm being forced to choose either the CN or UID as the account name, despite the fact that I should be able to use both at different levels.
- Source UID -> Destination sAMAccountName
- Source CN -> Destination CN (which is represented by the DN inside of ILM)

The scenario:
- Using an iPlanet 5.1 directory server as the source,
- Two inbound MAs (from iPlanet) have been configured using the ILM console:
  1. To import users with the l attribute set to "exportContact",
  2. To import users with the l attribute set to "exportUser".
- An ILM MA has been configured. In this MA, there is no ILM attribute for CN or UID, just AccountName,
- There is also no l attribute, so I had to map this to the ILM CostCentreName attribute,
- Two export MAs (Active Directory) have been configured using the portal:
  1. To align metabase "person" objects with CostCentreName = "exportContact" with the Contact sync rule in the ILM portal,
  2. To align metabase "person" objects with CostCentreName = "exportUser" with the User sync rule in the ILM portal.

The problem I have by the time I get to the sync rules is that I can't use the properties of the metabase's person object, I have to use the fields of the ILM Person object, and there just isn't enough of them when compared to the amount in the metabase. Specifically, this is forcing me to drop the original UID, which is what I want to use for the sAMAccountName, whilst preserving the source CN as the destination CN.

Is there any way - excluding using another unused field in the ILM Person object (as this is messy and doesn't scale) - that I can extend the schema of the ILM Person object?

Cheers,
Lain
September 10th, 2009 4:34am

The ILM schema is fully extensible. You can add attributes and then bind them to the Person / User object. Within the synchronization engine, you will likely want to add the same attributes to the metaverse schema as well. To get data to flow between the ILM portal and the metaverse, you will need to refresh the schema from within the ILM Management Agent and you will need to manually add the inbound and outbound attribute flows (to the ILM MA). Be sure that you back up both the Portal and Metaverse databases before you start playing with any of this.

If you want the new attributes to appear in the UI of the portal (so you can view and edit data) you will need to update the Object Visualization Configuration (OVC) XML data. (This and the schema configuration are found under the "Administration" link on the portal.) You will likely also need to update the search scopes and permissions to include your new attributes.

Note that if you need to, you can create entire new object types as well. (If contact objects need to be imported, stored, and exported as separate & distinct objects from Users, you could create a contact object type in the portal and keep the data separated all the way through. I would ask yourself if this is really what you want though. It would depend on if Users and Contacts are completely separate forms of identity or just two different states of the same identity pool.)
September 10th, 2009 6:02am

Thanks Rex.

Cheers,
Lain
September 10th, 2009 6:26am

This topic is archived. No further replies will be accepted.
