Mapping Manager DN in a Provisioning Policy
Below is a helpful little script that lets a provisioning policy (in this case for AD) map the correct DN for a person's manager:

```javascript
/* AD Manager */
var adDN = '';
var myServiceDN = service.dn;                    // service DN used for the account search
var mySupvDN = subject.getProperty('manager');   // ITIM Person manager attribute (array of DNs)
if (mySupvDN != null && mySupvDN.length > 0) {
  mySupvDN = mySupvDN[0];
  // erglobalid is the first RDN of the person DN: take the text between the first '=' and the first ','
  var globalid = mySupvDN.substring(mySupvDN.indexOf("=") + 1, mySupvDN.indexOf(","));
  // Confirm the manager exists before using the DN (new Person() on a missing DN throws an error)
  var myPersonSearch = new PersonSearch();
  var searchResult1 = myPersonSearch.searchByFilter("Person", "(erglobalid=" + globalid + ")", 2);
  if (searchResult1 != null && searchResult1.length > 0) {
    var mySupv = searchResult1[0];               // the manager Person returned by the search
    var supvUID = mySupv.getProperty('uid');
    if (supvUID != null && supvUID.length > 0) {
      supvUID = supvUID[0];
      // The account eruid matches the person uid, so search the service for that uid
      var myAccountSearch = new AccountSearch();
      var mySupvAccountList = myAccountSearch.searchByUid(supvUID, myServiceDN);
      if (mySupvAccountList != null && mySupvAccountList.length > 0) {
        var mySupvAccount = mySupvAccountList[0];
        // eraddistinguishedname is only populated once the AD account has been reconciled
        adDN = mySupvAccount.getProperty("eraddistinguishedname");
        if (adDN != null && adDN.length > 0) {
          adDN = adDN[0];
          return adDN;
        }
      }
    }
  }
}
return null;  // manager missing, has no uid, has no account on this service, or account not yet reconciled
```
The script takes the following steps to return the AD DN of the manager:
- Get the service DN to be used in the account search.
- Get the manager DN from the ITIM Person manager attribute.
- Locate the manager's GlobalID from their DN by:
  - finding the index of the first = sign and the index of the first comma;
  - using the substring method with these two points to pull out only the GlobalID.
- Search for the manager to make sure the person exists in ITIM. Note: if you do a new Person using the manager DN and it doesn't exist, you will get an error. If the manager doesn't exist, do not continue; in that case this mapping will return a null.
- Take the person (manager) from the person search and get the UID of the manager.
- Do an account search with the service DN and manager UID. The rule here is that the account eruid will match the person UID.
- Get the eraddistinguishedname from the account and return it to the provisioning policy.
Note: The eraddistinguishedname will not always exist, because it is only populated once the AD account has been reconciled. But it would be unlikely that the manager is created on the same day as the persons reporting to the manager.
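The following is an added example, not the code from the original post: the same mapping restructured as a function that receives the ITIM search objects as parameters, so it can be run offline against constructed stand-ins and exercise the two failure paths described above (manager missing from ITIM, account not yet reconciled). The PersonSearch and AccountSearch classes are replaced by plain objects exposing the two methods the script calls; all DNs, uids and GlobalIDs are constructed sample data.

```javascript
// Added example (not the original post's code): the manager-DN mapping as a
// function taking the ITIM search objects, run here against constructed
// stand-ins that expose the same two methods: searchByFilter and searchByUid.

// Value of the first RDN (erglobalid=...) of an ITIM person DN, or null.
function globalIdFromDn(dn) {
  var eq = dn.indexOf("="), comma = dn.indexOf(",");
  if (eq < 0) return null;
  return comma < 0 ? dn.substring(eq + 1) : dn.substring(eq + 1, comma);
}

// The manager's AD DN, or null when the manager is missing from ITIM, has no
// uid, has no account on this service, or the account is not yet reconciled.
function managerAdDn(managerAttr, serviceDn, personSearch, accountSearch) {
  if (!managerAttr || managerAttr.length === 0) return null;
  var globalid = globalIdFromDn(managerAttr[0]);
  if (globalid === null) return null;
  var people = personSearch.searchByFilter("Person", "(erglobalid=" + globalid + ")", 2);
  if (!people || people.length === 0) return null;     // manager not in ITIM
  var uid = people[0].getProperty("uid");
  if (!uid || uid.length === 0) return null;
  var accounts = accountSearch.searchByUid(uid[0], serviceDn);
  if (!accounts || accounts.length === 0) return null; // no AD account on this service
  var adDn = accounts[0].getProperty("eraddistinguishedname");
  if (!adDn || adDn.length === 0) return null;         // account not yet reconciled
  return adDn[0];
}

// Constructed stand-ins for the ITIM objects (hypothetical data, not from the post).
function entry(props) { return { getProperty: function (n) { return props[n] || null; } }; }
var SERVICE_DN = "erservicename=AD,ou=services,erglobalid=00000000000000000000,ou=example,dc=com";
var PEOPLE = { "111": entry({ uid: ["jsmith"] }), "222": entry({ uid: ["mlee"] }) };
var ACCOUNTS = {
  jsmith: [entry({ eraddistinguishedname: ["CN=John Smith,OU=Staff,DC=example,DC=com"] })],
  mlee: [entry({})] // AD account exists but has not been reconciled yet
};
var mockPersonSearch = {
  searchByFilter: function (profile, filter, scope) {
    var m = filter.match(/^\(erglobalid=([^)]+)\)$/);
    return m && PEOPLE[m[1]] ? [PEOPLE[m[1]]] : [];
  }
};
var mockAccountSearch = {
  searchByUid: function (uid, svcDn) { return svcDn === SERVICE_DN ? (ACCOUNTS[uid] || []) : []; }
};
// Person DN in the same organisation as the service (constructed).
function personDn(gid) { return "erglobalid=" + gid + ",ou=0,ou=people,erglobalid=00000000000000000000,ou=example,dc=com"; }
```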