Clarity

  • 1.  LDAP/AD Question

    Posted Nov 10, 2015 12:13 PM

    CA Team:

     

    I have several LDAP/AD Questions for a client:

     

    1. When changing several items in AD (First Name, Last Name, email, Full Name),
    these changes are not reflected in CA PPM after running the Sync job. Any
    ideas?

     

    2. This client allows people to change the username in AD; this creates two
    resources in CA PPM after running the Sync job. Has anyone ever created a custom
    process to use the SID in AD as the unique identifier?

     

    3. When the customer makes someone inactive in AD but does not remove them
    from the AD PPM Security Group, the individual is not inactivated in CA PPM after
    running the Sync job. They think the resource should be made 'inactive' in CA
    PPM. Any ideas?

     

    Thanks,

    Kathy Cairnes

    816-210-0610



  • 2.  Re: LDAP/AD Question

    Posted Nov 10, 2015 10:21 PM

    So I spent a few minutes thinking about this and I came up with three options:

     

    1. Replace the com.niku.security.directory.LDAPDirectoryService class that is most likely identified as the directoryServer in the properties.xml file.  One could create a class that inherits from this class and would need to override the “doesUserExists” method to look up a SID mapping – maybe on the externalID field.
    2. Manipulate the CMN_SEC_USERS table before and after the LDAP sync jobs run, i.e. update the userName to the SID before the sync run and restore it after the sync run.
    3. Disable the LDAP sync jobs and build a custom service to handle the sync.  Again, you can prevent creating duplicate users, but I am not sure how one updates the userName without doing a direct table update.

     

    So given that the userName field is most likely the key for all XOG transactions on the CMN_SEC_USERS table, options 2 and 3 would require doing direct table updates on CMN_SEC_USERS to be able to change the userName without adding new users based on a changed sAMAccountName.

     

    So option 1 is probably the only way to handle mapping a SID to an existing userName.  I am still not sure how to update a userName.  I suspect that there is a data layer method somewhere that provides that ability, since one can do it via the UI.

     

    Just Thoughts,

    Gene
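
    The reconciliation that option 3 (a custom sync service) would have to perform, as an added example that is not CA PPM code or anything from this thread's participants. It keys every decision on the AD objectSid instead of the sAMAccountName, so a renamed login becomes a rename of the existing PPM resource rather than a second resource, and an account that is disabled in AD but still in the security group becomes a deactivation. The field names, the idea of keeping the SID in the resource's external ID, and all sample records are assumptions constructed for illustration; how the resulting actions are applied to CA PPM (XOG, direct table update, or a data-layer call) is exactly the open question in the post above and is left out.

```python
# Added example, not CA PPM or CA-provided code. Field names, the SID-in-
# external-ID convention and every record below are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class AdUser:
    sid: str        # objectSid: stable for the lifetime of the AD account
    sam: str        # sAMAccountName: the client allows this to be renamed
    first: str
    last: str
    email: str
    enabled: bool   # False when the account has been disabled in AD


@dataclass(frozen=True)
class PpmUser:
    user_name: str    # the login name PPM currently holds (userName)
    external_id: str  # assumption: the AD SID stored in the external ID field
    first: str
    last: str
    email: str
    active: bool


def reconcile(ad_members, ppm_users):
    """Diff the AD group membership against a snapshot of PPM users.

    Returns a list of (action, sid, detail) tuples. Matching is on SID only:
    a changed sAMAccountName yields 'rename' of the existing resource, never
    'create'; a disabled account still in the group yields 'deactivate'.
    """
    by_sid = {p.external_id: p for p in ppm_users}
    seen = set()
    actions = []
    for u in ad_members:
        seen.add(u.sid)
        p = by_sid.get(u.sid)
        if p is None:
            actions.append(("create", u.sid, u.sam))
            continue
        if p.user_name != u.sam:
            actions.append(("rename", u.sid, (p.user_name, u.sam)))
        if (p.first, p.last, p.email) != (u.first, u.last, u.email):
            actions.append(("update", u.sid,
                            {"first": u.first, "last": u.last, "email": u.email}))
        if not u.enabled and p.active:
            actions.append(("deactivate", u.sid, "disabled in AD"))
        elif u.enabled and not p.active:
            actions.append(("reactivate", u.sid, u.sam))
    # Resources PPM still has active that are no longer in the AD group at all.
    for p in ppm_users:
        if p.external_id not in seen and p.active:
            actions.append(("deactivate", p.external_id, "removed from group"))
    return actions


# Constructed sample data: one export of the AD security group and the
# matching PPM snapshot, covering each situation raised in the thread.
D = "S-1-5-21-1111-2222-3333-"
AD_MEMBERS = [
    AdUser(D + "1001", "jdoe",    "John", "Doe",   "jdoe@example.com",     True),
    AdUser(D + "1002", "asmith2", "Ann",  "Smith", "asmith@example.com",   True),   # renamed from asmith
    AdUser(D + "1003", "bwong",   "Bea",  "Wong",  "bea.wong@example.com", True),   # email changed
    AdUser(D + "1004", "clee",    "Cal",  "Lee",   "clee@example.com",     False),  # disabled, still in group
    AdUser(D + "1005", "dnew",    "Dee",  "New",   "dnew@example.com",     True),   # not yet in PPM
]
PPM_USERS = [
    PpmUser("jdoe",   D + "1001", "John", "Doe",   "jdoe@example.com",   True),
    PpmUser("asmith", D + "1002", "Ann",  "Smith", "asmith@example.com", True),
    PpmUser("bwong",  D + "1003", "Bea",  "Wong",  "bwong@example.com",  True),
    PpmUser("clee",   D + "1004", "Cal",  "Lee",   "clee@example.com",   True),
    PpmUser("eold",   D + "1006", "Ed",   "Old",   "eold@example.com",   True),   # left the group
]

if __name__ == "__main__":
    for action, sid, detail in reconcile(AD_MEMBERS, PPM_USERS):
        print(f"{action:<10} {sid}  {detail}")
```

    Two caveats a practitioner would check before relying on this: resources that the stock sync created before a SID was ever stored have no external ID to match on, so a one-time bootstrap that pairs them by current userName is needed before the SID-keyed path takes over; and the "removed from group" branch deactivates on absence, so a transient failure that returns a partial group listing must abort the run rather than mass-deactivate.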



  • 3.  Re: LDAP/AD Question

    Posted Nov 11, 2015 10:31 AM

    I think this got double-posted, so just to keep things together:

     

    LDAP/AD Questions



  • 4.  Re: LDAP/AD Question

    Posted Nov 11, 2015 02:01 PM

    Just by the way, the username is sometimes read only in the UI.

     

    One example is for built-in users (those with IDs less than 100, currently), but there are a few other conditions as well - I don't have a list of them handy though **.

     

    At most other times it is an editable field.

     

    Edit: ** The main other reason than the internal ID is going to be when the resource gets financially enabled, which imposes a lock on both the username and resource ID fields.



  • 5.  Re: LDAP/AD Question

    Posted Nov 11, 2015 02:10 PM

    So I was digging into the nikuxog_user.xsd and found an attribute called oldUserName.  So my question is whether it is possible to update the userName by referencing the oldUserName attribute?  Maybe a better question would be: what is the oldUserName attribute used for?

     

    V/r,

    Gene



  • 6.  Re: LDAP/AD Question

    Posted Nov 11, 2015 02:20 PM

    It is to be considered internal-use only, not a public feature.  Its use at this time would not be supported.