uniqueID attribute NOT added to users created from publisher channel on AD Driver

  • 7014463
  • 28-Jan-2014
  • 13-Aug-2014

Environment

NetIQ Identity Manager 4.0.2
NetIQ Identity Manager Driver - Active Directory

Situation

Using the AD driver packages from IDM 4.0.2 to create an AD driver that synchronizes users to and from eDirectory, a new user created from AD does not have the uniqueID attribute on it. If you create a user in eDirectory using iManager, it does have the uniqueID attribute.

uniqueID is mapped to UID in the LDAP attribute mappings, so not having that attribute populated with the username can cause problems.

Resolution

The Driver is functioning as designed.

A request has been made to correct this in future driver configurations. You can also enter an enhancement request, which lets engineering know how many customers want the uniqueID attribute to be populated. An enhancement request can be entered at: www.novell.com/enhancement

Until the Active Directory driver packages are changed, you can add a rule similar to the following to the Creation policy on the Publisher channel of the Active Directory driver to populate uniqueID.

Note that this policy does NOT guarantee that the uniqueID attribute is actually unique. It simply populates uniqueID with the value of the CN attribute.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\Program Files\Novell\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201307181200\DTD\dirxmlscript4.0.2.dtd">
<policy>
    <rule>
        <description>Populate uniqueID on user Add event</description>
        <comment xml:space="preserve">Created by Dennis Christensen, NetIQ Support, 28 Jan 2014</comment>
        <conditions>
            <!-- Fire only for User add events that arrive without uniqueID but with a CN to copy -->
            <and>
                <if-class-name mode="nocase" op="equal">User</if-class-name>
                <if-operation mode="case" op="equal">add</if-operation>
                <if-op-attr name="uniqueID" op="not-available"/>
                <if-op-attr name="CN" op="available"/>
            </and>
        </conditions>
        <actions>
            <!-- Copy the CN value into uniqueID on the add operation; no uniqueness check is performed -->
            <do-clone-op-attr dest-name="uniqueID" src-name="CN"/>
        </actions>
    </rule>
</policy>
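Because the rule above copies CN blindly, a site that relies on uniqueID (for example for LDAP uid lookups) may want the rule to first query eDirectory for an existing user with that value. The following variant is an added example and is not part of the TID or the shipped driver packages; the local variable name lvExisting is an assumption, and the query only detects values already committed to eDirectory, so two adds in flight at the same moment are still not protected against.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
    <rule>
        <description>Populate uniqueID from CN only if no other User already uses that value</description>
        <conditions>
            <and>
                <if-class-name mode="nocase" op="equal">User</if-class-name>
                <if-operation mode="case" op="equal">add</if-operation>
                <if-op-attr name="uniqueID" op="not-available"/>
                <if-op-attr name="CN" op="available"/>
            </and>
        </conditions>
        <actions>
            <!-- Ask eDirectory (the Publisher channel destination) for Users whose uniqueID equals this CN -->
            <do-set-local-variable name="lvExisting" scope="policy">
                <arg-node-set>
                    <token-query class-name="User" datastore="dest" scope="subtree">
                        <arg-match-attr name="uniqueID">
                            <arg-value type="string">
                                <token-op-attr name="CN"/>
                            </arg-value>
                        </arg-match-attr>
                    </token-query>
                </arg-node-set>
            </do-set-local-variable>
            <do-if>
                <arg-conditions>
                    <and>
                        <!-- No match returned: the CN value is free to use as uniqueID -->
                        <if-xpath op="true">count($lvExisting) = 0</if-xpath>
                    </and>
                </arg-conditions>
                <arg-actions>
                    <do-clone-op-attr dest-name="uniqueID" src-name="CN"/>
                </arg-actions>
                <arg-actions>
                    <!-- Collision: leave uniqueID unset and record it in trace and the driver status log -->
                    <do-trace-message level="0">
                        <arg-string>
                            <token-text xml:space="preserve">uniqueID not set: value already in use for CN </token-text>
                            <token-op-attr name="CN"/>
                        </arg-string>
                    </do-trace-message>
                    <do-status level="warning">
                        <arg-string>
                            <token-text xml:space="preserve">uniqueID collision on add; attribute left unpopulated</token-text>
                        </arg-string>
                    </do-status>
                </arg-actions>
            </do-if>
        </actions>
    </rule>
</policy>
```

The query adds one round trip to eDirectory per user add, which is normally acceptable on the Publisher channel but is worth watching during a large initial migration.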
