MIM Synchronization to ADAM - CN update deletes and recreates user

  • Question

  • Hello everyone,

    Does anyone know why, when I change a DN/CN for a user in my AD, MIM Synch deprovisions and reprovisions the user in my ADAM MA? Is there a way to avoid it?

    This is causing issues, as my user is being deleted from the groups he belonged to (local ADAM-created groups).

    Thanks!

    Hicham


    Hitch Bardawil

    Friday, May 17, 2019 2:53 PM

All replies

  • Hi,

    We need some more information to be able to help you.

    Could you please tell us what type of Connector is used to integrate with ADAM (name and version)?

    What do your provision and deprovision rules look like? How are they implemented (portal rules or code)?

    Br,

    Leo


    Did my post help? Please use "Mark as answer" or "Propose as answer". Thank you!

    Monday, May 20, 2019 6:55 AM
  • Hello Leo, 

    Thanks for your answer, 

    I'm using the MIM 2016 Synchronization service (no Portal),

    synchronizing from AD to ADAM with the default AD LDS Connector (MIM 2016 V 4.5.286).

    The rule is pretty straightforward: I'm joining on the SamAccountName and doing Direct Provisioning,

    importing from AD to MV, exporting from MV to a new object type I called Userproxyfull that I created in ADAM.

    The deprovisioning rule is set to delete, but if I set it to disconnect it doesn't join back and tells me that the object UPN already exists on the next export to ADAM.

    To tell you the truth, the MV provisioning code was written by someone else. I'm trying to figure it out, but I think this might be the problem; we are deprovisioning here:

    else if (csentry["cn"].Value != mventry["cn"].Value)
    {
        csentry.Deprovision();
    }

    Can I just delete this line?

        if ((mventry["cn"].IsPresent && mventry["sn"].IsPresent) && (mventry["givenName"].IsPresent && (mventry["mail"].IsPresent | mventry["employeenumber"].IsPresent)))
        {
            str2 = "CN=" + mventry["cn"].Value;
            gBaseDnUsersAdamGis = this.gBaseDnUsersAdamGis;
            referenceValue = dma.EscapeDNComponent(new string[] { str2 }).Concat(gBaseDnUsersAdamGis);
            csentry = dma.Connectors.StartNewConnector("userProxyFull");
            csentry["ObjectSID"].Value = mventry["g_ObjectSid"].Value;
            csentry.DN = referenceValue;
            try
            {
                csentry.CommitNewConnector();
            }
            catch (Exception exception1)
            {
                ////ProjectData.SetProjectError(exception1);
                Exception exception = exception1;
                csentry.Deprovision();
                ////ProjectData.ClearProjectError();
            }
        }
    }
    else
    {
        csentry = dma.Connectors.ByIndex[0];
        if (!mventry["g_ObjectSid"].IsPresent)
        {
            csentry.Deprovision();
        }
        else if (csentry["ObjectSID"].Value != mventry["g_ObjectSid"].Value)
        {
            csentry.Deprovision();
        }
        else if (!mventry["cn"].IsPresent)
        {
            csentry.Deprovision();
        }
        else if (csentry["cn"].Value != mventry["cn"].Value)
        {
            csentry.Deprovision();
        }
        else if (csentry.ObjectClass[0].ToString() == "userProxy")
        {
            csentry.Deprovision();
        }
    }
    


    Hitch Bardawil

    Monday, May 20, 2019 7:47 AM
  • Hi,

    As you noted yourself, your problem is the following code:

    else if (csentry["cn"].Value != mventry["cn"].Value)
    {
        csentry.Deprovision();
    }

    Yes, try removing it.

    Br,

    Leo


    Did my post help? Please use "Mark as answer" or "Propose as answer". Thank you!

    • Marked as answer by HitchB52 Monday, May 20, 2019 8:25 AM
    Monday, May 20, 2019 8:18 AM
  • Thanks a lot for the help :)

    Hitch Bardawil

    Monday, May 20, 2019 8:26 AM
  • Small update to this thread,

    It happens that the CN is a schema-owned resource and we cannot change it by direct flow.

    I get an error on export that says that the CN is owned by the schema.

    Do you have any suggestion on how to change that through MIM?

    Thanks

    Hicham


    Hitch Bardawil

    Tuesday, May 21, 2019 8:24 AM
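
An added example, not code from any poster in this thread: one way to handle a CN change for an already-connected object is to set the connector's DN in the provisioning code, which the synchronization engine treats as a rename of the existing object instead of a delete and recreate. It reuses the thread's attribute names (`cn`, `g_ObjectSid`, `ObjectSID`) and variable names (`dma`, `gBaseDnUsersAdamGis`); the MA name and container DN are placeholders, and the first-time provisioning branch is left as posted and not repeated here.

```csharp
// Added example (not the original rules extension). Placeholders are marked.
using System;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    // Placeholders: substitute the real MA name and ADAM user container.
    private const string AdamMaName = "ADAM MA";
    private const string gBaseDnUsersAdamGis = "OU=Users,DC=example,DC=com";

    void IMVSynchronization.Initialize() { }
    void IMVSynchronization.Terminate() { }

    bool IMVSynchronization.ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        throw new EntryPointNotImplementedException();
    }

    void IMVSynchronization.Provision(MVEntry mventry)
    {
        ConnectedMA dma = mventry.ConnectedMAs[AdamMaName];

        // Only the "connector already exists" case is shown.
        if (dma.Connectors.Count != 1) return;
        CSEntry csentry = dma.Connectors.ByIndex[0];

        // Identity checks from the posted code still deprovision:
        // a missing or different SID means this is not the same account.
        if (!mventry["g_ObjectSid"].IsPresent || !mventry["cn"].IsPresent ||
            csentry["ObjectSID"].Value != mventry["g_ObjectSid"].Value)
        {
            csentry.Deprovision();
            return;
        }

        // Build the DN the object should have for the current metaverse cn.
        ReferenceValue expectedDn = dma
            .EscapeDNComponent("CN=" + mventry["cn"].Value)
            .Concat(gBaseDnUsersAdamGis);

        // A cn change becomes a rename of the existing object, replacing
        // the branch that called csentry.Deprovision() on a cn mismatch.
        if (!string.Equals(csentry.DN.ToString(), expectedDn.ToString(),
                           StringComparison.OrdinalIgnoreCase))
        {
            csentry.DN = expectedDn;
        }
    }
}
```

Because the DN change is exported as a rename of the existing object, the direct export flow to `cn` that failed with the schema-owned error is not needed.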