CN and attribute flow

  • Question

  • Hello!

    I'm writing a sync rule with a DN attribute flow.

    It looks like this:

    IIF(Eq(employeeStatus,"0"),"cn="+displayName+",OU=NotActive,DC=test,DC=lab",

    IIF(Eq(employeeStatus,"1"),"cn="+displayName+",ounit_mv",

    "cn="+displayName+",OU=Disabled,DC=test,DC=lab")) ->dn

    ounit_mv generated in extension rule and looks like OU=Working,DC=test,DC=lab

    I get an error that the CN is not correct.

    "cn=user1fn user1ln,ounit_mv" is not valid.

    How do I need to change my sync rule?

    Thanks!


    1


    • Edited by alexiszp Tuesday, December 13, 2016 9:18 AM
    Tuesday, December 13, 2016 9:02 AM

Answers

  • Your quotes are off. It should be something like this:

    IIF(Eq(employeeStatus,"1"),"cn="+displayName+"," + ounit_mv, "cn="+displayName+",OU=Disabled,DC=test,DC=lab"))

    You should also wrap displayName in an EscapeDNComponent() call.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    • Marked as answer by alexiszp Wednesday, December 14, 2016 3:41 PM
    Wednesday, December 14, 2016 12:13 AM
    Moderator
  • Thanks for the hint about EscapeDNComponent(), I didn't know about it.

    So, for history, in my case it will be like: IIF(Eq(employeeStatus,"1"),EscapeDNComponent("cn="+displayName)+","+ounit_mv


    1



    • Marked as answer by alexiszp Wednesday, December 14, 2016 3:41 PM
    • Edited by alexiszp Wednesday, December 14, 2016 3:42 PM
    Wednesday, December 14, 2016 3:41 PM

All replies

  • I believe you'd want the cn= to be outside the function call:

    IIF(Eq(employeeStatus,"1"),"cn=" + EscapeDNComponent(displayName)+","+ounit_mv

    Also keep in mind the CN needs to be unique within the given parent OU. So if you had two John Does in an OU, you wouldn't be able to create the second one with the same CN. One way to work around this is to put their username (which is unique) in the DN so you'd do something like

    IIF(Eq(employeeStatus,"1"),"cn=" + EscapeDNComponent(displayName + " (" + accountName + ")")+","+ounit_mv


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Wednesday, December 14, 2016 5:49 PM
    Moderator
  • Case with cn outside looks better, thanks!

    Yes, I know about unique cn in one OU, but we have naming rules, so I hope that there will not be such conditions (many OUs and users with initials).

    Thank you for helping, Brian!


    1

    Thursday, December 15, 2016 2:16 PM
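
The escaping and CN-uniqueness points from the replies above, as an added Python illustration that is not part of the original thread. `escape_rdn_value` is a stand-in that follows RFC 4514 and is not MIM's EscapeDNComponent implementation; the helper names and the sample users are constructed for this example.

```python
# Added example. escape_rdn_value follows RFC 4514 section 2.4 and is a
# stand-in, not MIM's EscapeDNComponent implementation.
from collections import Counter

PARENT_OU = "OU=Working,DC=test,DC=lab"  # value of ounit_mv quoted in the thread


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it stays inside a single RDN."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\' or (i == 0 and ch in " #") \
                or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas only."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2  # keep the escaped pair together
        elif dn[i] == ",":
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return parts + [cur]


def build_dn(display_name: str, account_name: str = "") -> str:
    """cn= stays outside the escaping, as in the last expression in the thread."""
    value = f"{display_name} ({account_name})" if account_name else display_name
    return "cn=" + escape_rdn_value(value) + "," + PARENT_OU


def duplicate_dns(dns) -> list:
    """DNs that occur more than once (compared case-insensitively)."""
    counts = Counter(dn.lower() for dn in dns)
    return sorted(dn for dn, n in counts.items() if n > 1)


# Constructed sample users: (displayName, accountName)
USERS = [("Doe, John", "jdoe"), ("Doe, John", "jdoe2"), ("Ann Lee", "alee")]
```

A display name containing a comma splits into an extra, malformed RDN when concatenated unescaped, while the escaped form keeps the expected four components; adding the account name removes the duplicate DN for the two constructed "Doe, John" entries.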