8 Replies Latest reply: Mar 27, 2013 12:12 PM by 442847

name change by overriding Identity Template

442847 Newbie
hi all,

I have a user identity template DN "cn=$cn$,$dnpath$", and dnpath and cn are both IGNORE_ATTR in the mapping.

Currently I use RenameView to perform a rename operation when a change in dnpath (I use the dnpath part of the distinguishedName attribute to get the existing value of dnpath) is detected between the HR feed record and the user's existing dnpath on the AD resource. cn is defined as "<firstname> <lastname>".
Now the additional requirement is that a change of firstname or lastname should be detected as well, and if there is a change then a rename operation should be performed to change the account identity but preserve the old value of the cn attribute (as that attribute is used to name some other resource that belongs to the user, and renaming it is not an option).

My question is: is it possible to do the rename but leave the cn attribute unchanged?

After reading the documentation I was thinking of, instead of changing the identity through the template using the new values of the cn and dnpath attributes, doing it by overriding the identity template only (using the accounts[AD].identity attribute in the rename view).
Will this approach (overriding the identity template with e.g. "cn=<newcn>,<dnpath>") leave the cn attribute on the resource unchanged, or will overriding the template this way automatically propagate the change back to the cn attribute as well, so that cn will also be equal to <newcn>?

If the latter, is there another way to change the identity with the rename view but ensure the cn attribute is not changed?
  • 1. Re: name change by overriding Identity Template
    arjun.sengupta Newbie
    Hi,

    You can explicitly set the CN by taking the old cn (take the old DN and split it between cn= and ,) and putting it in the identity when calculating the new value.

    i.e.:
    Check out the rename view
    Make the new DN by splitting the old DN
    Set this value to identity
    Set $CN to the old CN and $path to the new path
    Check in. That should work.
    Regards
    Arjun
  • 2. Re: name change by overriding Identity Template
    442847 Newbie
    hi,

    yes, that is what I originally thought was possible, but after reading many AD related posts I found one expert saying it is not possible.
    According to this there would either be an error reported, or there would be no error but instead the DN would change again based on this new (in this case old) value of CN, due to the fact that the DN is derived from CN.
    Apparently, if this AD expert is right, there is a two-way dependency between DN and CN: if you rename the DN by changing its CN part to cnNew, the CN attribute will change to the same value cnNew. And then if you rename the CN attribute back to cnOld, the DN will automatically change again, which is not the desired behavior in this case.
    I did not test this myself, though. Did you try this yourself, or could you provide a link to rename view and/or AD documentation that says it is possible?

    regards,
    mile
  • 3. Re: name change by overriding Identity Template
    814094 Newbie
    In AD the DN always uses CN by default. So if you change the CN you change the DN.

    It is possible to change the AD configuration globally so that the DN is not based on CN but on some other unique attribute. But I would not recommend it, since most LDAP apps, tools, libraries etc. do not support this well.

    As far as I remember the AD resource adapter of SIM doesn't support such configurations either.
  • 4. Re: name change by overriding Identity Template
    442847 Newbie
    Both propositions seem to be logical: if it were not possible to rename attributes like CN independently, then why are there two ways to rename (through the template and by overriding the template)? Isn't the purpose of overriding exactly that, to "break" the default behavior?
    The other proposition is also logical: the DN is always derived from CN. But then renaming is a different operation than an ordinary update. Thus maybe through renaming it is possible to independently set CN and DN.
  • 5. Re: name change by overriding Identity Template
    814094 Newbie
    navrsale wrote:
    Both propositions seem to be logical: if it were not possible to rename attributes like CN independently, then why are there two ways to rename (through the template and by overriding the template)? Isn't the purpose of overriding exactly that, to "break" the default behavior?
    The other proposition is also logical: the DN is always derived from CN. But then renaming is a different operation than an ordinary update. Thus maybe through renaming it is possible to independently set CN and DN.
    What I described is the specific behavior of Active Directory. In the default configuration of AD the DN is always constructed using the Common Name (CN) attribute.

    SIM cannot override that. As I said, you could change the AD configuration for the construction of DNs (in AD), but SIM doesn't support that. Check out the description of the CN attribute in the Waveset documentation of the AD resource adapter. It states that CN is set from the CN value in the DN and is a read-only field.

    As for the template: this is a general feature of resource adapters. It doesn't mean that SIM can override the AD behavior. But many LDAP servers do not base their DN on CN but on UID or some other unique attribute by default. Though they also would not allow different values in the UID attribute and in the UID part of the DN.

    Edited by: tw on 26.03.2013 08:18
  • 6. Re: name change by overriding Identity Template
    442847 Newbie
    I think you are missing the point. The Rename feature of IDM 8.1 can override the identity template, and that is explicitly stated in the documentation. And the template in this case is "cn=$cn$,$dnpath$". Nobody here is claiming anything different from that, as you may have implied. Maybe you didn't use the identity template override via the rename view?
    If the current DN is "<cnOld>,<dnpathOld>" the rename view can change it, with or without identity override, to "<cnNew>,<dnpathOld>". The question was whether the cn attribute can be set back to <cnOld> as part of the same rename operation:

    1. DN="<cnOld>,<dnpathOld>"
    CN="<cnOld>"

    2. Start Rename via identity template override:
    DN="<cnNew>,<dnpathOld>"
    CN="<cnNew>"

    3. Rename CN attribute back to old value:
    DN="<cnNew>,<dnpathOld>"
    CN="<cnOld>"

    4. Checkin Rename

    Second poster thinks that 3. CN="<cnOld>" is possible. He and I both agree that the following is possible and it is clear from the documentation for rename view:

    1. DN="<cnOld>,<dnpathOld>"
    CN="<cnOld>"

    2. Start Rename via identity template override:
    DN="<cnNew>,<dnpathOld>"
    CN="<cnNew>"

    3. Rename CN attribute back to old value:
    DN="<cnNew>,<dnpathOld>"

    But you seem to imply that the above (overriding the template) is not possible either? If so, that's why I cannot accept your final conclusion. But if you agree that the above is possible but disagree that CN="<cnOld>" in step 3 is possible, then it is a different story. If so, what will happen after CN="<cnOld>" is attempted in the rename view? Will there be an error, or will the DN be changed back to DN="<cnOld>,<dnpathOld>" with no error reported?
  • 7. Re: name change by overriding Identity Template
    814094 Newbie
    No this is not what I'm implying. You don't seem to understand that it doesn't matter how you configure IDM because we are talking about a limitation of Active Directory.

    What I'm saying is that Active Directory itself will just not allow the CN attribute to have a different value than it has in the CN= part of the DN.

    So what I was trying to explain was that CN is part of the object name of the user object class (LDAP class) in Active Directory. Every object class in AD has a naming attribute. For the user class this is CN. Thus CN forms the so called Relative Distinguished Name (RDN) for user objects. This is described in several knowledge base articles by Microsoft like this one:
    http://technet.microsoft.com/en-us/library/cc977992.aspx

    What this means is that changing CN in AD is basically a renaming operation. So if you change CN after renaming, you are just doing a second renaming of the object, which means you would change the DN again. You can try doing that, but you will not get the result you want, which as far as I understand is changing CN back to some old value after a renaming operation so that it has a different value than the CN= part in the DN.

    Before I understood how object naming in AD works, I tried doing exactly that using the IDM rename view, invoking ADSI scripts, invoking PowerShell scripts and even invoking my own C# assembly DLL. To no avail.

    But maybe I do not understand what you are trying to do.

    Good luck anyway.

    Edited by: tw on 27.03.2013 06:44
  • 8. Re: name change by overriding Identity Template
    442847 Newbie
    So if you would change CN after renaming you are just doing a second renaming of the object. Which means you would change the DN again.

    >>>

    cn is a derived attribute, i.e. we can define it as "$firstname $lastname". When we perform a rename operation of the DN through template override, then cn will not be affected (that is why it is called override). But if we perform a rename operation of the DN through the template, i.e. attributes, then by renaming CN we will rename the DN as well. That is why we have to set naming and other attributes separately after the DN is renamed via template override (because they retain old values). Otherwise, why would there be two different ways to perform a rename operation, one via template and the other via template override? If you were right then there would be no need for the template override approach, would there?
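Added example, not code from this thread or from Sun IDM: a small offline Python model of the rule tw describes in reply 7 (cn is the naming attribute of AD user objects, so it always equals the RDN value of the DN), together with an RFC 4514-aware DN splitter for the "split between cn= and ," step from reply 1, which a naive split on "," gets wrong for values such as "Smith\, John". The names SimulatedAd, split_dn, rdn_and_parent, cn_matches_rdn and rename_then_restore_cn, and the sample DN, are this example's own. The model refuses a plain LDAP modify of cn (AD reports this as the CANT_ON_RDN update error); with tool_semantics=True it instead turns the edit into a second rename, which is what ADSI-style tools do and what tw describes. Either way, replaying steps 1-3 of the original poster's plan ends with cn equal to the RDN.

```python
# Constructed model of AD naming behaviour; not Sun IDM or AD code.
CN_SPECIALS = set(',+"\\<>;')


class CantOnRdn(Exception):
    """A plain LDAP modify of the naming attribute (AD: CANT_ON_RDN)."""


def escape_rdn_value(value):
    """Escape an RDN value per RFC 4514: special chars, leading '#',
    and a leading or trailing space get a backslash."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in CN_SPECIALS or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def unescape_rdn_value(value):
    """Reverse escape_rdn_value (backslash-char form only; \\XX hex pairs not handled)."""
    out, chars = [], iter(value)
    for ch in chars:
        out.append(next(chars, '') if ch == '\\' else ch)
    return ''.join(out)


def split_dn(dn):
    """Split a DN into (attribute, escaped value) pairs, walking the string so an
    escaped comma inside a value does not end the RDN. Multi-valued RDNs ('+')
    are not handled."""
    pieces, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == ',':
            pieces.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append(''.join(buf))
    pairs = []
    for rdn in pieces:
        attr, sep, val = rdn.strip().partition('=')
        if not sep:
            raise ValueError('malformed RDN: %r' % rdn)
        pairs.append((attr.strip().lower(), val))
    return pairs


def rdn_and_parent(dn):
    """Return (naming attribute, unescaped naming value, parent DN)."""
    pairs = split_dn(dn)
    attr, val = pairs[0]
    parent = ','.join('%s=%s' % (a, v) for a, v in pairs[1:])
    return attr, unescape_rdn_value(val), parent


def build_dn(attr, value, parent):
    return '%s=%s,%s' % (attr, escape_rdn_value(value), parent)


def cn_matches_rdn(dn, cn):
    """Post-rename check: the cn attribute must equal the RDN value of the DN."""
    attr, val, _ = rdn_and_parent(dn)
    return attr == 'cn' and val == cn


class SimulatedAd:
    """Toy directory enforcing the AD rule: cn is the RDN of user objects, a
    ModifyDN rewrites it, and a plain modify of cn is refused (or, with
    tool_semantics=True, becomes a second rename)."""

    def __init__(self, tool_semantics=False):
        self.objects = {}
        self.tool_semantics = tool_semantics

    def add_user(self, dn, **attrs):
        _, cn, _ = rdn_and_parent(dn)
        self.objects[dn] = dict(distinguishedName=dn, cn=cn, **attrs)

    def modify_dn(self, dn, new_cn, new_parent=None):
        """ModifyDN with a new RDN and optionally a new superior (OU move)."""
        obj = self.objects.pop(dn)
        _, _, parent = rdn_and_parent(dn)
        new_dn = build_dn('cn', new_cn, new_parent or parent)
        obj['distinguishedName'] = new_dn
        obj['cn'] = new_cn  # the naming attribute follows the RDN
        self.objects[new_dn] = obj
        return new_dn

    def modify(self, dn, attr, value):
        if attr.lower() == 'cn':
            if not self.tool_semantics:
                raise CantOnRdn('cn is the RDN attribute; use ModifyDN')
            return self.modify_dn(dn, value)  # the second rename tw describes
        self.objects[dn][attr] = value
        return dn


def rename_then_restore_cn(tool_semantics):
    """Replay the poster's steps 1-3; return (final DN, final cn)."""
    ad = SimulatedAd(tool_semantics)
    old_dn = 'cn=Smith\\, John,ou=Users,dc=example,dc=com'  # constructed sample
    ad.add_user(old_dn, sAMAccountName='jsmith')
    new_dn = ad.modify_dn(old_dn, 'Doe, John')  # step 2: rename via override
    assert ad.objects[new_dn]['cn'] == 'Doe, John'  # cn has already changed
    try:
        final_dn = ad.modify(new_dn, 'cn', 'Smith, John')  # step 3: put cn back
    except CantOnRdn:
        final_dn = new_dn
    return final_dn, ad.objects[final_dn]['cn']


if __name__ == '__main__':
    for mode in (False, True):
        dn, cn = rename_then_restore_cn(mode)
        print('tool_semantics=%s -> DN=%s cn=%s consistent=%s' % (mode, dn, cn, cn_matches_rdn(dn, cn)))
```

The practical takeaway for the rename view is the cn_matches_rdn check: after any rename, read distinguishedName and cn back from the resource and treat a mismatch as a failed provisioning step rather than assuming the override left cn alone.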
