Thursday, May 22, 2008

An IC Tip and a Lesson Learned

I was doing some research for a customer who had the following question:

How can I dynamically assign a role during user reconciliation from my authoritative source?

Here's the issue:
  • IC has a defined Role called CHICAGO/DATA ENTRY/PRODUCTION that has an MSKEY of 100
  • During reconciliation, the user entry from the authoritative source includes the name of the role.
We know that we could do a To Identity Store pass that includes the MSKEYVALUE of the user and the MSKEY of the role assigned to MXREF_MX_ROLE.

But that is hardly dynamic. I thought about doing a script but I did not want to get into the hassle of that, so I asked around and I got some good information. This can be easily done in IC. When doing the assignment to MXREF_MX_ROLE, pass the attribute holding the Role name, but encase it in < >. (i.e., <%ATTR_NAME%>)

What will happen is this: when the attribute is enclosed in < >, IC treats the value as a potential MSKEYVALUE, searches the Identity Store for it, and returns its MSKEY.

Now this all seems very straightforward, but I could not get it working to save my life. After a lot of back and forth it was discovered that I "fat-fingered" my test data.
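A pre-flight check for the kind of test-data typo described above, as an added example that is not from the original post or from SAP. It models the < > lookup as an exact match on the role's MSKEYVALUE (an assumption about IC's behavior); every role and user except CHICAGO/DATA ENTRY/PRODUCTION with MSKEY 100 is constructed sample data.

```python
import difflib

# Constructed stand-in for the role entries in the Identity Store: MSKEYVALUE -> MSKEY.
# Only the first entry appears in the post; the others are made up for the example.
ROLES = {
    "CHICAGO/DATA ENTRY/PRODUCTION": 100,
    "CHICAGO/DATA ENTRY/TEST": 101,
    "DALLAS/DATA ENTRY/PRODUCTION": 102,
}

# Constructed records as they might arrive from the authoritative source.
SOURCE_USERS = [
    {"MSKEYVALUE": "jdoe", "ROLE_NAME": "CHICAGO/DATA ENTRY/PRODUCTION"},
    {"MSKEYVALUE": "asmith", "ROLE_NAME": "CHICAGO/DATA ENTRY/PRODUCTION "},  # trailing space
    {"MSKEYVALUE": "bjones", "ROLE_NAME": "CHICAGO/DATA ENTRY/PRODUCITON"},   # transposed letters
]


def resolve_role(name, roles=ROLES):
    """Model of the <...> lookup: exact match on MSKEYVALUE, else None (assumed)."""
    return roles.get(name)


def preflight(users, roles=ROLES):
    """Split records into resolvable assignments and ones that would not resolve.

    Returns (resolved, problems):
      resolved: list of (user MSKEYVALUE, role MSKEY)
      problems: list of (user MSKEYVALUE, raw role name, closest known role or None)
    """
    resolved, problems = [], []
    for user in users:
        raw = user["ROLE_NAME"]
        mskey = resolve_role(raw, roles)
        if mskey is not None:
            resolved.append((user["MSKEYVALUE"], mskey))
            continue
        # Suggest the nearest known role so a typo is obvious to the reviewer.
        close = difflib.get_close_matches(raw.strip(), list(roles), n=1, cutoff=0.8)
        problems.append((user["MSKEYVALUE"], raw, close[0] if close else None))
    return resolved, problems


if __name__ == "__main__":
    ok, bad = preflight(SOURCE_USERS)
    for user, mskey in ok:
        print(f"OK    {user}: role MSKEY {mskey}")
    for user, raw, hint in bad:
        print(f"CHECK {user}: {raw!r} not found; closest known role: {hint!r}")
```

Running this against the source extract before the reconciliation job lists every user whose role name would not resolve, with the nearest known role next to it for review.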

Morals of the story:
  1. Start with simple test data and build it up as needed, even if it does not 100% match the test case.
  2. Always double-check your typing.
I had a chance to work with a gentleman who had worked on many of the LDAP RFCs and I asked him what percentage of LDAP errors are due to typos. He didn't hesitate in his answer: "85%". That was before he met me of course...
Thanks for all those out there who helped out and resisted knocking me silly!
