
Active directory Reconciliation

Former Member
0 Kudos

Hello experts,

I am running IdM 7.2 SP5 Patch 1 and facing some trouble around reconciliation...

Basically my point is to reconcile users, groups and privileges between IdM and my target system (i.e. an Active Directory).

My trouble comes when writing the missing users into the IdS. I used the pass used in the ADS initial load, just changing the initial query, so I read my users and then write them to my identity store, giving them the PRIV SYSTEM and PRIV ONLY. But it then triggers provisioning and so tries to create the user... If I use a changetype add, it fails because the user already exists in AD (resulting in a failed assignment of the priv:ad:only and so no further assignment possible); if I use a changetype modify it also fails, except if I disable some attributes that I want to have when I really create a new user...

Do you know any way to avoid this, or should I just create a CSV file where I write that the user exists in AD but not in IdM, but do nothing?

Thanks a lot for your answers,

Clotilde

Answers (1)

Former Member
0 Kudos

OK, I found my answer. I deleted the changetype line and then, for every attribute, I changed it to write them only when writing the entry; this way my pass doesn't fail. The only trouble left is that, going through provisioning again, it creates a new password for the user, but since it is sent to a generic address, there is no big problem here.

Thanks a lot,

Clotilde

former_member2987
Active Contributor
0 Kudos

Clothilde,

Note that if you are doing ongoing reconciliations this will not be a good solution, since you will need to keep updating the identity store with information from AD (or the other way around).

Matt

Former Member
0 Kudos

Hi Matt,

Thankfully, my client doesn't need a lot of attributes to be updated, and those can go through without the 'write only when adding entry' (like name, surname, etc.).

Would you happen to have a better way to do it?

Actually I'm having trouble with every bit of reconciliation with AD, especially when it comes to user-to-group assignment or missing groups in IdM, since provisioning is always triggered and always fails (the AssignUserToADSGroup, for example, fails because the assignment already exists in AD).

Do you know how I could manage to do this without errors?

Thank you,

Clotilde
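As an added illustration (not code from this thread or from SAP IdM itself) of the report-only alternative Clotilde raises in both posts: an offline reconciliation diff that classifies AD-only users, IdM-only users and group-membership differences, so that nothing which already exists in AD is pushed through a provisioning task. The sample accounts, the group DNs and the "PRIV:GROUP:<dn>" privilege naming are assumptions made for the example.

```javascript
// Constructed sample data (not from the thread): AD accounts with their group DNs.
const AD_USERS = [
  { sAMAccountName: "jdoe",       memberOf: ["CN=Finance,OU=Groups,DC=example,DC=com"] },
  { sAMAccountName: "ASmith",     memberOf: ["CN=HR,OU=Groups,DC=example,DC=com",
                                             "CN=Finance,OU=Groups,DC=example,DC=com"] },
  { sAMAccountName: "svc_backup", memberOf: [] },
];
// Identity-store side: MSKEYVALUE plus assigned privileges. The "PRIV:GROUP:<dn>"
// naming for group privileges is an assumption made for this example.
const IDM_USERS = [
  { mskeyvalue: "JDOE",   privileges: ["PRIV:GROUP:CN=Finance,OU=Groups,DC=example,DC=com",
                                       "PRIV:GROUP:CN=HR,OU=Groups,DC=example,DC=com"] },
  { mskeyvalue: "asmith", privileges: [] },
  { mskeyvalue: "bwayne", privileges: ["PRIV:GROUP:CN=HR,OU=Groups,DC=example,DC=com"] },
];
const GROUP_PREFIX = "PRIV:GROUP:";
// sAMAccountName and DNs are case-insensitive in AD, so compare normalised keys.
const norm = (s) => s.trim().toLowerCase();

// Classify differences without touching either system. Nothing here calls a
// provisioning task, so an entry that already exists in AD cannot make it fail.
function reconcile(adUsers, idmUsers) {
  const ad = new Map(adUsers.map((u) => [norm(u.sAMAccountName), u]));
  const idm = new Map(idmUsers.map((u) => [norm(u.mskeyvalue), u]));
  const report = { adOnly: [], idmOnly: [], membershipAdOnly: [], membershipIdmOnly: [] };
  for (const [key, adUser] of ad) {
    const idmUser = idm.get(key);
    if (!idmUser) { report.adOnly.push(key); continue; }          // exists in AD, missing in IdM
    const adGroups = new Set(adUser.memberOf.map(norm));
    const idmGroups = new Set(idmUser.privileges
      .filter((p) => p.startsWith(GROUP_PREFIX))
      .map((p) => norm(p.slice(GROUP_PREFIX.length))));
    for (const g of adGroups) if (!idmGroups.has(g)) report.membershipAdOnly.push({ user: key, group: g });
    for (const g of idmGroups) if (!adGroups.has(g)) report.membershipIdmOnly.push({ user: key, group: g });
  }
  for (const key of idm.keys()) if (!ad.has(key)) report.idmOnly.push(key); // in IdM, gone from AD
  return report;
}

// Render the report as CSV; DNs contain commas, so fields are quoted and ';'-separated.
function toCsv(report) {
  const q = (v) => `"${String(v).replace(/"/g, '""')}"`;
  const rows = [["category", "user", "group"]];
  report.adOnly.forEach((u) => rows.push(["user_in_ad_not_in_idm", u, ""]));
  report.idmOnly.forEach((u) => rows.push(["user_in_idm_not_in_ad", u, ""]));
  report.membershipAdOnly.forEach((m) => rows.push(["membership_in_ad_not_in_idm", m.user, m.group]));
  report.membershipIdmOnly.forEach((m) => rows.push(["membership_in_idm_not_in_ad", m.user, m.group]));
  return rows.map((r) => r.map(q).join(";")).join("\n");
}

console.log(toCsv(reconcile(AD_USERS, IDM_USERS)));
```

The report can then be reviewed, or fed to a pass that only records the existing AD state in the identity store instead of re-provisioning it.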

former_member2987
Active Contributor
0 Kudos

Clothilde,

I'm working on writing something now for the blog. Hopefully it will be up by the end of the week.

Matt