A forum reader recently asked:

“I am trying to create an account on active directory and have it synchronized to IDM. The Driver filter has the surname, given name, and various other fields set to Publisher Reset and Subscriber Synchronize.

When the account is created in Active Directory, you can see in the trace that the values are there. Then, later in the trace, the values get reset before IDM gets to the placement policy. At that point, a MISSING MANDATORY error is generated. When I change the filter to Synchronize on both the Publisher and the Subscriber, the account is created in IDM.

How do I prevent users from changing values in AD and synchronizing to IDM? I need those values to be reset in AD so that IDM is the “keeper” of information, and the values in AD always reflect those in IDM. This works with existing accounts but not with new accounts.”

And here’s the response from Father Ramon …


Filters are somewhat of an all or nothing kind of thing. What you are trying to do is make AD (or your policies) authoritative on create, but not on modify. To get the behavior you want, you are basically left with two options:

  • Remove reset from the filter and implement it yourself in policy.
  • Leave reset in the filter, but bypass it for adds by forcing the operation to be direct instead of letting it go through the notify/reset filter.

I would think that the latter would be the easiest. What you probably want is something like the following rule, in the last policy of your publisher command transformation:

  <rule>
    <description>Perform adds directly to bypass the reset</description>
    <conditions><and><if-operation op="equal">add</if-operation></and></conditions>
    <actions>
      <do-set-xml-attr expression="." name="direct"><arg-string><token-text>true</token-text></arg-string></do-set-xml-attr>
    </actions>
  </rule>
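The first option above (take reset out of the filter and do it in policy) is not spelled out in the reply. What follows is an added example, not Father Ramon's code and not from the driver itself, of one way to write it as a rule in a Publisher Command Transformation policy in DirXML-Script. It assumes the attribute is Surname in the eDirectory namespace (the command transformation runs after schema mapping, so AD's sn has already been mapped), that the attribute is set to Synchronize on the Publisher channel so the modify event reaches the policy, and that the object is already associated. On an add nothing matches, so the new account's values flow into IDM; on a modify the incoming AD value is discarded and the IDM value is written back to AD.

```xml
<policy>
  <rule>
    <description>Policy-implemented reset: push the IDM value back to AD when Surname changes</description>
    <conditions>
      <and>
        <!-- only publisher modify events; creates are left alone so IDM gets the initial values -->
        <if-operation op="equal">modify</if-operation>
        <if-op-attr name="Surname" op="changing"/>
      </and>
    </conditions>
    <actions>
      <!-- write the current eDirectory value back to the source (AD) object; attribute name is assumed -->
      <do-set-src-attr-value name="Surname">
        <arg-value type="string">
          <token-dest-attr name="Surname"/>
        </arg-value>
      </do-set-src-attr-value>
      <!-- strip the incoming change so the eDirectory value is never overwritten -->
      <do-strip-op-attr name="Surname"/>
    </actions>
  </rule>
</policy>
```

Repeat the rule (or widen the condition) for each attribute that was previously set to Publisher Reset, and watch the trace on a test account to confirm that a change made in AD produces a write-back rather than an update to IDM.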


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: kmillecam
Sep 5, 2007
6:35 am