This is my first time attempting to post so I hope I am in the right place. Please direct me to where I need to be if I am not.
We run IDM 3.0 with eDirectory 8.9.x. We have a production tree and a standalone IDM tree on its own server. The drivers attached to IDM are eDirectory, Active Directory and the (AS/400) I5OS 2.0 driver. We use IDM primarily to create users in AD and synchronize account passwords. We are a fairly straight out-of-the-box, vanilla implementation with structured trees everywhere except our AS/400 systems (flat by necessity).
Problem: I get the following when the i5OS Driver attempts to sync a user’s password.
Status: Error Message: Code(-9063) Object matching policy found an object that is already associated
My issue arises (I think) because when importing users in IDM we added users from our production tree across to the IDM Vault and to AD. However, the i5OS drivers for our AS/400 systems allowed only a subset of users via the Event Transformation Policy, so (please correct me if I am wrong) it seems no associations were generated with any AS/400 objects except those originally allowed by the policy. I think this because that subset of users seems to be working.
Now I am trying to do password updates across to our AS/400 systems and the i5OS driver is rejecting them because the command comes across (from the meta-directory engine?) as an ‘Add’ but the driver matching policy (on the Subscriber channel?), which simply matches on User CN, finds a match and thinks the association exists, so it kicks back a -9063 message.
How can I get the IDM to create or fix an association to the object on the AS/400? Please keep in mind I know very little XML coding and use the Policy Builder in IDM to generate all of my policies and rules. I’m basically a "newbie" in this area.
Maybe the better (easier) question is: How can I conditionally change an “Add” command to a “Modify” command?