NetIQ Documentation: Identity Manager 4.0.1 Fan-Out Driver for SAP User Managment Implementation Guide

2.2 DN Format

The legacy SAP User driver did not have a concept of DNs. Placement was not done using the DN, and the username of an account in SAP was not determined through the destination-dn, but from the value of the USERNAME:BAPINAME attribute. This attribute was required and contained a value for every add event going to the SAP system.

The User Management Fan-Out driver introduces the concept of a DN in a format similar to the one already used by the association. The DN format is \<LSNAME>\<USERNAME>, where <LSNAME> is the name of the logical system where events are sent and <USERNAME> is a unique identifier and username in the SAP system.

The DN format does not contain a class identifier. To determine the correct object type when only a destination DN is available, the driver relies on the class-name attribute of the event.

Placement is done through regular placement policies. The placement policies specify the logical system and the username, then the driver places the account in the correct system with the correct name.

For backward compatibility, the driver still supports the legacy way of naming new accounts in SAP. If an add event contains an attribute USERNAME:BAPINAME, the value of the attribute always takes precedence over the leaf portion of the destination DN. The policies in the driver packages use the new destination DN placement method exclusively. The USERNAME:BAPINAME attribute is not populated on outgoing events.

The following is an example of the DN format in a trace:

<nds dtdversion="3.5" ndsversion="8.x"> 
  <source> 
    <product version="3.6.0.4294">DirXML</product> 
    <contact>Novell, Inc.</contact> 
  </source> 
  <input> 
    <add class-name="US" dest-dn="\S7ICLNT800\ABERG" event-id="metaserver1#20090513131408#1#2#0" src-dn="\META\data\company\users\aberg"> 
      <add-attr attr-name="UCLASS:LIC_TYPE"> 
        <value timestamp="1235208846#1" type="string"/> 
      </add-attr> 
      <add-attr attr-name="ADDRESS:FULLNAME"> 
        <value timestamp="1234481823#65" type="string">Berg Andrea</value> 
      </add-attr> 
      <add-attr attr-name="ADDRESS:FIRSTNAME"> 
        <value timestamp="1241800246#8" type="string">Andrea</value> 
      </add-attr> 
      <add-attr attr-name="ADDRESS:LASTNAME"> 
        <value timestamp="1234410222#28" type="string">Berg</value> 
      </add-attr> 
      <add-attr attr-name="LOGONDATA:USTYP"> 
        <value type="string">A</value> 
      </add-attr> 
      <add-attr attr-name="LOCKUSER"> 
        <value type="state">0</value> 
      </add-attr> 
      <password><!-- content suppressed --></password> 
    </add> 
  </input> 
</nds>