A Forum reader asked the following question:

“I’m in the process of testing my IDM 3.0 deployment (eDirectory and AD). If I change the last name of a user account in eDirectory, the changes are sync’d over to AD just fine. However, viewing the user account in AD via ldp.exe shows that the CN and Name attribute are still using to the old last name. So, since the name attribute doesn’t get updated, the user shows up with the old last name when viewing the list of users in the AD OU. If you open the changed user account, you can see the new last name (I can see the helpdesk folks complaining about this …)

Where would I place a rule to rename the Name attribute? On the command transform? What would the rule look like for this? I have a feeling that changing the CN will be more involved. Any thoughts on how to accomplish this?

And here’s the reply from Peter Norris …


I have found that the only place AD will let me change the CN is by performing a RENAME on the NAME attribute on the OUTPUT Transformation policy.

Basically, I map FULLNAME to NAME and run a rule similar to the one below (not the full policy). This also updates the display name.

<description>Alter name change to rename</description>
<do-rename-dest-object when="after">
<token-op-attr name="name"/>
<do-clear-dest-attr-value name="displayName" when="before"/>
<do-set-dest-attr-value name="displayName">
<arg-value type="string">
<token-op-attr name="name"/>
<do-strip-op-attr name="name"/>
0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.
Categories: Uncategorized

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply

No Comments
By: coolguys
Jun 28, 2006
12:00 am
Active Directory Authentication Automation Cloud Computing Cloud Security Configuration Customizing Data Breach DirXML Drivers End User Management Identity Manager Importing-Exporting / ICE/ LDIF Intelligent Workload Management IT Security Knowledge Depot LDAP Monitoring Open Enterprise Server Passwords Reporting Secure Access Supported Troubleshooting Workflow