IIF multiple DN in provisioning the groups in AD

    Question

  • Hi All,

    I have two OUs, Bangalore and Pune, in AD and need to provision the group in AD on the basis of location. Created a location attribute and bound the attribute to the group in the FIM portal.

    Stuck in mapping the group to DN in the Synchronization Rule.

    Below is the custom expression used in mapping it to DN.

    IIF(Eq(Location,"Bangalore"),"CN="+displayName+",OU=Bangalore,DC=XXXX,DC=com",IIF(Eq(Location,"Pune"),"CN="+displayName+",OU=Pune,DC=XXXX,DC=com"))

    Kindly advise.

    Regards,
    Anirban Singha(Bangalore,India)

    Monday, June 24, 2013 10:18 PM

Answer

  • Hi Anirban,

    Your second IIF statement is missing the third "else" parameter. If neither location matches, you still need to supply a parameter. Null() will signal FIM to not provide any value (i.e. do nothing). For example:

    IIF(Eq(Location,"Bangalore"),"CN="+displayName+",OU=Bangalore,DC=XXXX,DC=com",IIF(Eq(Location,"Pune"),"CN="+displayName+",OU=Pune,DC=XXXX,DC=com",Null()))

    You could also supply a "default" OU where accounts should go if there are no matches on Location.

    Note, you should look at escaping the CN component as well, in case invalid characters are defined in the displayName. For example:

    IIF(Eq(Location,"Bangalore"),EscapeDNComponent("CN="+displayName)+",OU=Bangalore,DC=XXXX,DC=com",IIF(Eq(Location,"Pune"),EscapeDNComponent("CN="+displayName)+",OU=Pune,DC=XXXX,DC=com",Null()))

    Cheers,

    Marc


    Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc.
    http://www.avaleris.com

    • Marked as answer by AnirbanSingha Tuesday, June 25, 2013 9:02 PM
    Tuesday, June 25, 2013 1:05 PM
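
The two points in the answer above (return nothing when no location matches, and escape the CN value before building the DN) can be seen in a small Python model. This is an added example, not part of the original posts and not FIM's implementation of EscapeDNComponent; it assumes RFC 4514 escaping, and the function names and the sample displayName are constructed for illustration.

```python
# Added illustration: a Python model of the DN mapping, not FIM's own code.
# DC=XXXX is the placeholder domain used in the thread.
CONTAINERS = {
    "Bangalore": "OU=Bangalore,DC=XXXX,DC=com",
    "Pune": "OU=Pune,DC=XXXX,DC=com",
}
MUST_ESCAPE = set(',+"\\<>;')  # RFC 4514 characters that need a backslash


def escape_rdn_value(value):
    """Escape one attribute value for the string form of an RDN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in MUST_ESCAPE or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def group_dn(location, display_name, escape=True):
    """Return the group DN, or None (the Null() case) when no OU matches."""
    container = CONTAINERS.get(location)
    if container is None:
        return None
    cn = escape_rdn_value(display_name) if escape else display_name
    return "CN=" + cn + "," + container


def split_rdns(dn):
    """Split a DN on unescaped commas, the way a directory parser sees it."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2   # keep the escaped pair together
        elif dn[i] == ",":
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return parts + [cur]


if __name__ == "__main__":
    name = "Finance, EMEA"  # constructed sample displayName
    for esc in (False, True):
        dn = group_dn("Bangalore", name, escape=esc)
        print(esc, dn, split_rdns(dn))
    print(group_dn("Delhi", name))  # no matching location: None
```

Without escaping, the comma in the sample name splits the CN into two RDNs, so the DN no longer names a group directly under the intended OU; with escaping, the DN keeps its four components.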

All replies

  • Hi Marc,

    Thanks, I was able to sort out the issue with your post.

    IIF(Eq(location,"Bangalore"),"CN="+displayName+",OU=Groups,OU=Bangalore,DC=XXX,DC=com",IIF(Eq(location,"Pune"),"CN="+displayName+",OU=Groups,OU=Pune,DC=XXX,DC=com",Null()))

    Regards,
    Anirban Singha(Bangalore,India)

    Tuesday, June 25, 2013 9:04 PM