I was doing some research for a customer who had the following question:
How can I dynamically assign a role during user reconciliation from my authoritative source?
Here's the issue:
- IC has a defined Role called CHICAGO/DATA ENTRY/PRODUCTION that has an MSKEY of 100
- During reconciliation, the user entry from the authoritative source includes the name of the role.
We know that we could do a To Identity Store pass that includes the MSKEYVALUE of the user and the MSKEY of the role assigned to MXREF_MX_ROLE.
But that is hardly dynamic. I thought about doing a script but I did not want to get into the hassle of that, so I asked around and I got some good information. This can be easily done in IC. When doing the assignment to MXREF_MX_ROLE, pass the attribute holding the Role name, but encase it in < >. (i.e., <%ATTR_NAME%>)
What will happen is this: when the attribute is enclosed in <>, IC knows that this is a potential MSKEYVALUE and will search the Identity Store for this information and return its MSKEY.
Now this all seems very straightforward, but I could not get it working to save my life. After a lot of back and forth it was discovered that I "fat-fingered" my test data.
Morals of the story:
- Start with simple test data and build it up as needed, even if it does not 100% match the test case.
- Always double check your typing
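A pre-flight check for the typo problem described above, as an added example that is not part of the original post and is not IC code. It assumes you have exported the roles' MSKEYVALUE-to-MSKEY pairs and treats only an exact name match as resolvable (whether IC is more lenient is not stated here); the sample roles, MSKEYs other than 100, and feed rows are constructed.

```python
import difflib

# Constructed export of roles from the identity store: MSKEYVALUE -> MSKEY.
ROLES = {
    "CHICAGO/DATA ENTRY/PRODUCTION": 100,
    "CHICAGO/DATA ENTRY/TEST": 101,
    "DALLAS/DATA ENTRY/PRODUCTION": 102,
}

# Constructed feed rows: (user MSKEYVALUE, role name from the authoritative source).
FEED = [
    ("jdoe", "CHICAGO/DATA ENTRY/PRODUCTION"),
    ("asmith", "CHICAGO/DATA ENTRY/PRODUCTON"),   # fat-fingered name
    ("bchan", " chicago/data entry/test "),        # case and whitespace drift
    ("mlee", ""),                                  # missing value
]

def check_feed(feed, roles):
    """Split feed rows into resolvable assignments and problems.

    resolved: (user, role MSKEY) for names that match a role exactly.
    problems: (user, raw name, reason, suggested role or None).
    """
    resolved, problems = [], []
    folded = {name.casefold(): name for name in roles}
    for user, raw in feed:
        if raw in roles:
            resolved.append((user, roles[raw]))
            continue
        cleaned = raw.strip().casefold()
        if not cleaned:
            problems.append((user, raw, "empty role name", None))
        elif cleaned in folded:
            problems.append((user, raw, "case or whitespace differs", folded[cleaned]))
        else:
            # Suggest the closest known role so the typo is easy to spot.
            close = difflib.get_close_matches(cleaned, folded, n=1, cutoff=0.8)
            hint = folded[close[0]] if close else None
            problems.append((user, raw, "no such role", hint))
    return resolved, problems

if __name__ == "__main__":
    ok, bad = check_feed(FEED, ROLES)
    for user, raw, reason, hint in bad:
        print(f"{user}: {raw!r}: {reason}" + (f" (did you mean {hint!r}?)" if hint else ""))
    print(f"{len(ok)} row(s) ready for the To Identity Store pass")
```

Running it against the source extract before the pass surfaces role names that would not resolve, instead of finding them one failed assignment at a time.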
I had a chance to work with a gentleman who had worked on many of the LDAP RFCs and I asked him what percentage of LDAP errors are due to typos. He didn't hesitate in his answer: "85%". That was before he met me of course...
Thanks for all those out there who helped out and resisted knocking me silly!