Reading the DN without Mapping the Attribute

By: coolguys

January 10, 2007 4:26 am




A Forum reader recently asked:

“I’m using a modify operation on the subscriber channel of my AD-Driver. My current operations object is associated. What I need to know is the distinguished name in my destination object (the object in the AD). When I have a look at the object with LDAP, it looks somewhat like “cn=users name, ou=something, ou=something other, dc= …” This is what I built up in placement rule when the object was created. Now I want to read this thing from AD via the assoc in my operation. I tried it several ways but didn’t find a way.”

And here’s the response from Identity Manager expert Father Ramon …


The query to the application produces an eDirectory DN. That’s because IDM automatically marshalls referential attributes between the application and eDirectory namespaces, as that is what is needed for the synchronization of the same.

Here’s an example of a rule in an input transformation that would allow you to use the destination attribute token and not have the attribute automatically mapped to the corresponding eDir object before you get it:

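   <!-- Reformat each distinguishedName value to itself as a plain string, so it is not mapped to an eDirectory DN -->
   <do-reformat-op-attr name="distinguishedName">
    <arg-value type="string">
     <token-local-variable name="current-value"/>
    </arg-value>
   </do-reformat-op-attr>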

For an example of querying from XPath to get the DN, see:

Categories: Identity Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.