objectGUID as matching attribute for reconciliation between AD and IdM
I want to use the AD attribute objectGUID as the matching attribute between AD and IdM. It is one of the attributes that will never change (in case of name changes of a person or similar changes).
Our IdM can read this attribute and save it (with the help of a JavaScript script). This works fine.
But if I want to write something back to AD, I do not know how the "To LDAP directory" path must be configured. I always get the error that the account cannot be found in AD. Maybe the attribute must be changed with a JavaScript script ...
Has anyone already used this attribute?
Matt Pollicove replied
Michael, I have done this many times in pretty much the same way you have indicated. While DN is good for basic LDAP/AD operations, objectGUID is preferred for modRDN operations or if you want to change the user's DN. I have written about these operations in a blog, Using modRDN with SAP NW IDM.
Hope it helps!
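A detail that trips up lookups by objectGUID, shown here as an added example (not code from either poster and not SAP IdM's own API; plain JavaScript with no IdM-specific calls assumed): AD stores objectGUID as 16 raw bytes, the dashed string that tools display renders the first three fields in reversed byte order, and an LDAP search filter must escape each byte as \XX. A lookup that sends the display string as-is will not match the stored value.

```javascript
// Added example: convert an AD objectGUID between its dashed display string
// and the escaped byte form an LDAP search filter needs. Not from the original
// posters or SAP IdM; assumes plain JavaScript and a sample GUID constructed here.

// Dashed string -> 16 raw bytes. The first three groups are stored
// little-endian in AD, so their bytes are reversed; the last two are not.
function guidStringToBytes(guid) {
  const m = /^\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?$/i.exec(guid);
  if (!m) throw new Error("not a GUID string: " + guid);
  const hex = (s) => s.match(/../g).map((h) => parseInt(h, 16));
  return [].concat(
    hex(m[1]).reverse(), hex(m[2]).reverse(), hex(m[3]).reverse(),
    hex(m[4]), hex(m[5])
  );
}

// Inverse: 16 raw bytes (as read from AD) -> dashed display string.
function bytesToGuidString(bytes) {
  if (bytes.length !== 16) throw new Error("objectGUID must be 16 bytes");
  const h = (arr) => arr.map((b) => b.toString(16).padStart(2, "0")).join("");
  return [
    h(bytes.slice(0, 4).reverse()), h(bytes.slice(4, 6).reverse()),
    h(bytes.slice(6, 8).reverse()), h(bytes.slice(8, 10)), h(bytes.slice(10, 16))
  ].join("-");
}

// RFC 4515 escaping: every byte of a binary value is written as \XX.
// This is the filter to use when searching AD for the account by objectGUID.
function guidFilter(guid) {
  const escaped = guidStringToBytes(guid)
    .map((b) => "\\" + b.toString(16).padStart(2, "0"))
    .join("");
  return "(objectGUID=" + escaped + ")";
}

// Constructed sample GUID, not a real directory object.
const SAMPLE_GUID = "12345678-9abc-def0-1234-56789abcdef0";
console.log(guidFilter(SAMPLE_GUID));
```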