Format for the Account Tracking attribute DirXML-Accounts

  • 7005550
  • 26-Mar-2010
  • 25-Mar-2013


Novell Identity Manager 3.6.1
Novell Compliance Management Platform 1.0
NetIQ Identity Manager 4.0


What is the format for the Account Tracking attributes used in NCMP 1.0?
What is the structure of the DirXML-Accounts attribute?
How do I create the Account Tracking attribute in my custom driver?


The DirXML-Accounts attribute holds the information that the Sentinel driver and the Identity Table use to perform Identity Tracking. In NCMP 1.0, only the AD and LDAP drivers provide this information.

The schema for the attribute and the auxiliary class it belongs to is shown below:

-- DirXML-Accounts
-- Holds information about accounts in other systems like the system name,
-- account name and account status
"DirXML-Accounts" ATTRIBUTE ::=
Operation ADD,
LowerBound 0,
UpperBound 64512,
ASN1ObjID {2 16 840 1 113719 1 14 4 1 2409}

-- **DirXML-Identity: 2060-2069
-- DirXML-Identity
-- Holds information about this identity and accounts it has in other systems
"DirXML-Identity" OBJECT-CLASS ::=
Operation ADD,
MayContain {"DirXML-Accounts"},
ASN1ObjID {2 16 840 1 113719 1 14 6 1 2060}

To be used in the Identity Table, the DirXML-Accounts attribute needs to be formatted in a special way. Each value should be a string composed of 6 parts, delimited by a pound sign ("#"). The fields are:

<driver guid>#<account id type>#<account id>#<idv account status>#<app account status>#<app Name>


Some examples of values (one per line):

The field definitions are as follows:

Driver ID (driver guid)

The driver identifier uniquely identifies a driver within the enterprise. It is based on the driver's eDirectory object GUID, which is unique within the tree and not expected to change. This accounts for scenarios where multiple drivers connect to the same application, for example two Active Directory drivers syncing accounts from the same domain.

Account Identifier Type (account id type)

An account might have several login IDs or unique account identifiers per application. This field indicates the type of login ID or account identifier that is used in the account identifier field. For example, in Active Directory an account can be identified by, and its user can log in with, the sAMAccountName attribute, the userPrincipalName attribute or the object's distinguished name (DN).

Account Identifier

The identifier that uniquely identifies this account in an application. An account might have multiple unique identifiers per application. For example, in Active Directory an account is identified by its sAMAccountName, userPrincipalName and LDAP DN, and in the IDM world the account is known by its association. So each AD account is represented by 4 entries in the DirXML-Accounts table.

Identity Vault Account Status

This indicates whether an account is active (A), inactive (I), or undefined (U) in the application, where that status has been triggered by the subscriber channel (identity vault).

Application Account Status

This indicates whether an account is active (A), inactive (I), or undefined (U) in the application, where that status has been triggered by the application (publisher channel). For this field to be updated correctly, the attribute of interest has to be in the driver's publisher filter and set to either synchronize or notify only.

Application Name

The application name, domain or realm this account is associated with. This typically identifies an application or system within the enterprise.

Account Identifier Breakdown by Application

Driver/Application | Account Identifier Type | Account Identifier Sample Data | Comments
AD | sAMAccountName | flastname |
AD | userPrincipalName | |
AD | DN | cn=flastname,cn=users,dc=novell,dc=com |
AD | association | 5de77f84f3ab534babbf13edd6540d77 |
LDAP | DN | cn=flastname,cn=users,dc=novell,dc=com | Since the LDAP driver uses the DN as the association value, we only need one entry per LDAP application
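
The six-field layout and the four entries per AD account described above, as an added example (not code from this article or from Novell/NetIQ): a JavaScript builder and parser that reject values which would break the "#" delimiting or carry an unknown status code. The driver GUID, userPrincipalName and application name are constructed placeholders, and the rule that no field may be empty or contain "#" is an assumption the article does not state.

```javascript
// Added example: field order and status codes follow the article; sample values are constructed.
const STATUS = new Set(["A", "I", "U"]); // active, inactive, undefined
const FIELDS = ["driverGuid", "idType", "accountId", "idvStatus", "appStatus", "appName"];

// Build one DirXML-Accounts value; reject input that would corrupt the '#'-delimited layout.
// Assumption (not stated in the article): every field is non-empty and contains no '#'.
function buildAccountValue(entry) {
  const parts = FIELDS.map((name) => {
    const v = entry[name];
    if (typeof v !== "string" || v.length === 0) throw new Error(`missing field: ${name}`);
    if (v.includes("#")) throw new Error(`'#' not allowed in field: ${name}`);
    return v;
  });
  if (!STATUS.has(entry.idvStatus) || !STATUS.has(entry.appStatus)) {
    throw new Error("status must be A, I or U");
  }
  return parts.join("#");
}

// Parse a stored value back into named fields, applying the same checks.
function parseAccountValue(value) {
  const parts = value.split("#");
  if (parts.length !== FIELDS.length) {
    throw new Error(`expected ${FIELDS.length} fields, got ${parts.length}`);
  }
  const entry = {};
  FIELDS.forEach((name, i) => { entry[name] = parts[i]; });
  buildAccountValue(entry); // re-validate content and status codes
  return entry;
}

// One AD account yields one value per identifier type (four in total, per the table above).
function buildAdAccountValues(driverGuid, appName, ids, idvStatus, appStatus) {
  return ["sAMAccountName", "userPrincipalName", "DN", "association"].map((idType) =>
    buildAccountValue({ driverGuid, idType, accountId: ids[idType], idvStatus, appStatus, appName }));
}

// Constructed sample data: GUID, UPN and application name are placeholders.
const sampleValues = buildAdAccountValues(
  "00000000000000000000000000000000", "EXAMPLE-DOMAIN",
  { sAMAccountName: "flastname", userPrincipalName: "flastname@example.com",
    DN: "cn=flastname,cn=users,dc=novell,dc=com",
    association: "5de77f84f3ab534babbf13edd6540d77" },
  "A", "U");
console.log(sampleValues.join("\n"));
```

Running the same checks on values read back from the vault catches a malformed entry before it reaches the Identity Table.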