4 Replies Latest reply on Jan 13, 2012 5:36 AM by 910554

    Identity template change


      We are changing the identity template of a LDAP resource from like 'uid=$accountId$,ou=test,dc=abc,dc=com' to 'uid=$accountId$,ou=new,dc=xyz,dc=com'.

      We already got the accounts in the new container (ou=new,dc=xyz,dc=com) in LDAP. But the LDAP account is not updated in SIM (even after an update of the user) based on the changed identity template, i.e., the LDAP account in SIM is not pointing to the correct account in LDAP based on the identity template change.

      Please let me know how we can make the accounts in SIM get changed as per the new identity template and point to the actual accounts in LDAP. An early response is highly appreciated.

      Thanks in advance.
        • 1. Re: Identity template change
          You can prove the issue by looking at one of the actual user objects from the debug URL. List objects of type user. You'll see in the object that the resource account still points to the old DN in LDAP. I think there are a few ways this can be remedied but it will depend on what works best for you.
          • 2. Re: Identity template change
            Thanks for your reply.

            Yes, it still points to the old DN value. Is there any way to correct that value for all the users? All suggestions are welcome.

            One way I think is to use the rename view to point to the new DN. But running the workflow for all the users is pretty complex. Is there any way like bulk action to achieve this? Anything at the backend also can be done. Thanks
            • 3. Re: Identity template change
              How about deleting only the waveset accounts in IDM and then performing a full reconciliation with the resource in question? I think that will rebuild the account index and the users should then have the correct information. Obviously you'll want to test this out thoroughly.
              • 4. Re: Identity template change
                Thanks again. I am trying a similar one as below

                - Disabled all the operations on the resource (the requirement is to keep the resource in readOnly mode only after changing the identity template).
                - Through bulk action deleted all the accounts in SIM. Since the resource operations are disabled, it deleted only from the SIM.
                - Updated the user again and it assigns the account again with the correct DN based on the new identity template (because the account was assigned through a role).

                As you are also suggesting a similar one I presume that I am going in the right way :-)

                Please let me know if there are any other better ways.

                Edited by: 907551 on Jan 12, 2012 9:32 PM

                Edited by: 907551 on Jan 12, 2012 9:35 PM