Environment
Novell Identity Manager 3.0
Novell Identity Manager 3.5
Novell Identity Manager Driver - Active Directory
Microsoft Windows 2003 Server - Enterprise Edition
Situation
A query performed against Active Directory searching for an existing user may fail for no obvious reason. No error is returned, but the expected user is not retrieved.
If the same search filter is used to perform the search with ldapsearch, the search retrieves the desired object successfully.
The object has been created specifying a user type of "InetOrgPerson" instead of "User".
Resolution
This behavior is working as designed. The class specified in the query is taken as a "base class" (in eDirectory terminology) or object type (in Active Directory terms), not as a value to be matched against all entries in the objectClass attribute.
InetOrgPerson is a class that was introduced with Windows 2003. It inherits from User, which means that every InetOrgPerson object has the class User among its objectClass values. When doing an LDAP search with a filter specifying (objectClass=User), all values present in the objectClass attribute are evaluated, and since User is one of the superclasses listed in objectClass, the object is correctly retrieved.
If all users that are being created and synchronized will be of class InetOrgPerson, then you can simply map the eDirectory User class to the class InetOrgPerson in Active Directory.
If both classes will be used, the situation will need to be handled through Policy Builder to take into consideration the different scenarios.
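The difference between the two matching semantics, as an added illustration that is not Novell code: a constructed two-entry directory is searched first with LDAP filter semantics (any objectClass value matches) and then with the driver's base-class semantics described above, with and without a User-to-InetOrgPerson class mapping. The class hierarchy is a simplified, hard-coded fragment of the AD schema, and the function and variable names are assumptions for this example.

```python
# Simplified AD schema fragment (assumption): structural class -> direct superclass.
SUPERCLASS = {
    "inetOrgPerson": "user",
    "user": "organizationalPerson",
    "organizationalPerson": "person",
    "person": "top",
    "top": None,
}


def object_class_values(structural_class):
    """AD stores the structural class plus every superclass in objectClass."""
    values, cls = [], structural_class
    while cls is not None:
        values.append(cls)
        cls = SUPERCLASS[cls]
    return values


class Entry:
    def __init__(self, dn, structural_class):
        self.dn = dn
        self.structural_class = structural_class
        self.object_class = object_class_values(structural_class)


def ldap_filter_match(entry, wanted):
    """(objectClass=wanted): any value of the multi-valued attribute matches."""
    return wanted.lower() in (v.lower() for v in entry.object_class)


def driver_query_match(entry, class_name, class_map=None):
    """Driver query as the TID describes it: class-name is compared with the
    object's base (structural) class only, after an optional eDirectory-to-AD
    class mapping (constructed stand-in for the driver's schema mapping)."""
    ad_class = (class_map or {}).get(class_name, class_name)
    return ad_class.lower() == entry.structural_class.lower()


def search(directory, matcher, *args):
    return [e.dn for e in directory if matcher(e, *args)]


# Constructed sample directory: one plain User, one InetOrgPerson.
DIRECTORY = [
    Entry("CN=alice,OU=Users,DC=example,DC=com", "user"),
    Entry("CN=bob,OU=Users,DC=example,DC=com", "inetOrgPerson"),
]

if __name__ == "__main__":
    print(search(DIRECTORY, ldap_filter_match, "user"))   # ldapsearch finds both
    print(search(DIRECTORY, driver_query_match, "User"))  # driver finds only alice
    print(search(DIRECTORY, driver_query_match, "User", {"User": "inetOrgPerson"}))  # mapped: bob
```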