Discussion:
TDI 7.1.1 - Sync data from Domino to Active Directory - ISSUE when Syncing manager field.
m***@gmail.com
2017-07-06 06:25:49 UTC
Hi Eddie, I am an avid follower of your blog and tutorials.

I have a small issue where I need some advice. We are syncing data from IBM Domino to Active Directory, and I cannot figure out how to sync the Domino Manager field with Active Directory as the Active Directory does not accept the Domino value. I understand that the Active Directory manager value is "computed" from the CN.

Can you guide me in the right direction? I was thinking about adding some Java functions into the Before Execute Hook, but not sure what to do.

Regards

Mouritz Opperman
Franzw
2017-07-06 09:54:11 UTC
You need to perform a lookup in AD to retrieve the distinguished name of the manager in AD and then use that.

In IBM Security Identity Manager you have a similar problem which is described here: http://www-01.ibm.com/support/docview.wss?uid=swg21215037

HTH
Regards
Franz Wolfhagen
Eddie Hartman
2017-07-06 20:11:38 UTC
Franz is right, Mouritz. So you could use the connection opened by the AD Connector to perform the lookup. For example, in the After Initialize Hook of the AD(LDAP) connector you have code like this:
---
ad = thisConnector.connector;
---
Then you could look up the manager in AD given some attribute you assume is unique, like uid or even CN (if that works). This you could do in any block of script prior to writing to AD, for example in the Before Execute Hook of the AD connector:
---
foundEntry = ad.findEntry("cn", work.getString("Fullname")); // or whatever Domino att with CN value
if (foundEntry != null) {
    work.manager = foundEntry.getString("$dn");
}
---
Hope this helps!

-Eddie
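
The lookup described above, as an added example that is not part of the original posts and does not use TDI API calls: plain JavaScript that extracts the CN from the Domino manager value, escapes it for an LDAP filter per RFC 4515, and returns a DN only when exactly one AD entry matches. `extractCn`, `escapeFilterValue`, `resolveManagerDn`, `sampleSearch` and the sample directory are hypothetical names and constructed data; `sampleSearch` stands in for the real AD search.

```javascript
// Added example; every name below is hypothetical, not a TDI API.

// Take the common name from a Domino value such as "CN=Mouritz Opperman"
// or the hierarchical form "CN=Mouritz Opperman/OU=Sales/O=Acme".
function extractCn(dominoName) {
  const m = /^\s*CN=([^\/,]+)/i.exec(dominoName || "");
  return m ? m[1].trim() : null;
}

// Escape a value for an LDAP search filter (RFC 4515), so characters such
// as "*" or "(" in source data are matched literally, not as filter syntax.
function escapeFilterValue(value) {
  return value.replace(/[\\*()\0]/g,
    (c) => "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Resolve the Domino manager value to an AD distinguished name. `search`
// takes a filter string and returns an array of entries with a `dn` field.
// A DN is returned only when exactly one entry matches.
function resolveManagerDn(dominoManager, search) {
  const cn = extractCn(dominoManager);
  if (cn === null) return { dn: null, reason: "no CN in source value" };
  const filter = "(&(objectClass=user)(cn=" + escapeFilterValue(cn) + "))";
  const hits = search(filter);
  if (hits.length === 0) return { dn: null, reason: "not found", filter };
  if (hits.length > 1) return { dn: null, reason: "ambiguous", filter };
  return { dn: hits[0].dn, reason: "ok", filter };
}

// Constructed sample directory; CN is unique per container, not per domain.
const sampleAd = [
  { cn: "Mouritz Opperman", dn: "CN=Mouritz Opperman,OU=Staff,DC=example,DC=com" },
  { cn: "John Smith", dn: "CN=John Smith,OU=Staff,DC=example,DC=com" },
  { cn: "John Smith", dn: "CN=John Smith,OU=Contractors,DC=example,DC=com" },
];

// Stand-in for the AD search: exact, case-insensitive match on the cn value.
function sampleSearch(filter) {
  const m = /\(cn=([^)]*)\)/.exec(filter);
  const wanted = m[1].replace(/\\([0-9a-f]{2})/gi,
    (_, hex) => String.fromCharCode(parseInt(hex, 16))).toLowerCase();
  return sampleAd.filter((e) => e.cn.toLowerCase() === wanted);
}

console.log(resolveManagerDn("CN=Mouritz Opperman", sampleSearch));
console.log(resolveManagerDn("CN=John Smith/O=Acme", sampleSearch));
console.log(resolveManagerDn("CN=*", sampleSearch));
```

When the result is "not found" or "ambiguous", leaving the manager attribute unset and logging the source value avoids writing a wrong reporting line into AD.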
m***@gmail.com
2017-07-18 07:08:44 UTC
Hi Eddie and Franz

Thank you for the reply, apologies for only responding now, I was on leave.

I need a bit of assistance with the above-mentioned solution. Do you mind having a quick look at my assembly line, and show me how I must include the above into it?

In short, the manager field in Domino is already populated with e.g. CN=Mouritz Opperman. So now I need to write this value to AD. So it needs to find the value in Domino manager for a user e.g. "User A" manager= "CN=Mouritz Opperman". Then it needs to find CN=Mouritz Opperman in AD, convert it to full AD "Distinguished Name" and write it to the target user AD Manager field.

So my assembly line consists of the following:

FEED:
- LDAP Lookup into Domino (Iterator) (Here I grab the various fields we want to push to AD)

Data Flow:
- Script to customize Domino name (I replace the $dn "," with "/") for Directory Assistance Single Sign On
- LDAP Connector to AD (Update)
- Before Execute Script (To log and continue if Customize script finds empty "mail" field, which is our link criteria)
- After Modify Script (To log Successful modification if the target field was changed)
- After Add Script (To log Successful update if the target field was empty.)
- Default on Error Script (Also logs ERROR when a user is skipped)

How should I integrate the above-mentioned solution into my assembly line? I am not a scripting guru so please be gentle.

Regards
