A Forum reader recently asked:

“We have an IDM 3.5 IDVault with a flat tree, and it is connected to another IDVault with an eDirectory tree with many OUs. Off of the flat tree vault, we have a remote loader connection to an Active Directory that is a mirror of the eDir tree with many OUs in organizational structure. When we move a user to a new container on either system, the eDirectory or Active Directory, we want the user to move to the new container on the other system.”

And here’s the response from David Gersic …


That’s doable, but not directly. You have to have some way of passing this information through the vault. I’m doing something along these lines here, so I know it can be done. You just have to do your own work, rather than allowing the engine to do the work for you.

For example, on my eDir to eDir driver between the hierarchical tree and the vault tree, I have a policy like this on the Publisher Event Transform (vault tree):

if class = group
if operation = move

set destination attr value (niuGroupDN), when=after, source-dn

The niuGroupDN attribute is then updated with the (new) DN of the moved object. Then, on my eDir to MAD driver, I have something like this on the Subscriber Event Transform:

if operation = modify
if class = group
if attribute niuGroupDN is changing

set operation dest DN (dn(transform(niuGroupDN)))
rename destination object when=after Destination Name()
set destination attr value (niuMoveTargetDN) = transform(niuGroupDN)

The transform step here maps the eDir DN format to the MAD DN format, and it is specific to our trees. Later, on the Subscriber Output Transform, there is this:

if operation = modify
if operation attribute niuMoveTargetDN is changing

move destination object dn(operation attribute(niuMoveTargetDN))
strip operation attribute niuMoveTargetDN

This should be enough to get you going – it’s working for me here.
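The "transform" step above is the part the answer leaves site-specific. The following is an added example, not code from the post or from NetIQ, that models it for a constructed pair of trees: it converts a slash-format eDirectory DN (the value that lands in niuGroupDN) into an Active Directory LDAP-format DN with RFC 4514 escaping, derives the new leaf name for the rename and the parent container for the move (this example reads niuMoveTargetDN as that container), and refuses any target that falls outside the mirrored OU subtree, so a stray DN arriving through the vault cannot relocate the AD object somewhere unexpected. The tree name HIER, the organization acme and the domain DC=acme,DC=example are assumptions.

```python
"""Added example: model of the DN transform and move planning from the post.
Not code from the original post or from NetIQ; tree and domain names are assumed."""
import re

# Constructed sample environment (assumptions, not values from the post).
EDIR_TREE = "HIER"               # hierarchical eDirectory tree name
EDIR_ORG = "acme"                # top-level O container in that tree
AD_BASE = "DC=acme,DC=example"   # AD domain the OU structure is mirrored under

# RFC 4514: these characters must be backslash-escaped inside an RDN value.
_LDAP_SPECIAL = re.compile(r'([,+"\\<>;=])')
# Naming-attribute prefixes that may appear in a qualified slash-format eDir DN.
_TYPE_PREFIX = re.compile(r'^(?:O|OU|CN|C|L|DC|T)=', re.IGNORECASE)


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in an LDAP DN (RFC 4514 rules)."""
    out = _LDAP_SPECIAL.sub(r'\\\1', value)
    if out[:1] in ('#', ' '):          # leading '#' or space must be escaped
        out = '\\' + out
    if value.endswith(' '):            # so must a trailing space
        out = out[:-1] + '\\ '
    return out


def split_dn(dn: str) -> list:
    """Split an LDAP DN on unescaped commas, keeping escape sequences intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):   # keep '\,' etc. together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def parse_edir_slash_dn(dn: str) -> list:
    """Return the naming components below the O container of a slash-format
    eDirectory DN such as '\\HIER\\acme\\users\\eng\\jdoe' or the qualified form
    '\\HIER\\O=acme\\OU=users\\OU=eng\\CN=jdoe'. DNs from another tree or
    organization are rejected, so a foreign DN in niuGroupDN is not trusted.
    Simplification: embedded backslashes in eDir names are not handled."""
    if not dn.startswith('\\'):
        raise ValueError(f"not a slash-format DN: {dn!r}")
    comps = [_TYPE_PREFIX.sub('', c) for c in dn[1:].split('\\')]
    if len(comps) < 3 or any(not c for c in comps):
        raise ValueError(f"malformed DN: {dn!r}")
    if comps[0].lower() != EDIR_TREE.lower() or comps[1].lower() != EDIR_ORG.lower():
        raise ValueError(f"DN outside {EDIR_TREE}/{EDIR_ORG}: {dn!r}")
    return comps[2:]


def edir_to_ad_dn(edir_dn: str, leaf_type: str = "CN") -> str:
    """The site-specific 'transform' from the post, for the sample trees: eDir
    components are root-first, AD DNs are leaf-first, and each OU below the O
    becomes an OU= RDN under AD_BASE."""
    *ous, leaf = parse_edir_slash_dn(edir_dn)
    rdns = [f"{leaf_type}={escape_rdn_value(leaf)}"]
    rdns += [f"OU={escape_rdn_value(ou)}" for ou in reversed(ous)]
    return ",".join(rdns + [AD_BASE])


def is_within(dn: str, base: str) -> bool:
    """Case-insensitive check that dn equals base or lies below it."""
    d, b = split_dn(dn), split_dn(base)
    if len(d) < len(b):
        return False
    return [x.lower() for x in d[-len(b):]] == [x.lower() for x in b]


def plan_ad_move(new_edir_dn: str, allowed_base: str = AD_BASE) -> dict:
    """What the Subscriber Event Transform and Output Transform in the post do once
    niuGroupDN changes: the AD DN to set as dest DN, the leaf name for the rename,
    and the container (read here as niuMoveTargetDN) for the move. A container
    outside allowed_base is refused instead of moved."""
    ad_dn = edir_to_ad_dn(new_edir_dn)
    leaf = parse_edir_slash_dn(new_edir_dn)[-1]
    _rdn, *container = split_dn(ad_dn)
    container_dn = ",".join(container)
    if not is_within(container_dn, allowed_base):
        raise ValueError(f"refusing move: {container_dn} is outside {allowed_base}")
    return {"dest_dn": ad_dn, "rename_to": leaf, "niuMoveTargetDN": container_dn}


if __name__ == "__main__":
    print(plan_ad_move(r"\HIER\acme\users\eng\jdoe"))
```

Passing a narrower allowed_base than the domain root (for example the OU the driver is scoped to) is the cheapest way to keep a move request that originated in the other tree from landing the object anywhere the driver's account should not be writing.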


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: dgersic
Aug 29, 2007
11:15 am