Is there a way to configure the Directory Services connector in PAM to retrieve more than 1000 results?
So the default Directory Services won't help you, as you could imagine, and you probably saw this:
I don't know what kind of operation you are trying to do, but you could easily create your own connector using the LDAP SDK and the Process Automation Eclipse plugin.
I did something like that to sync LDAP users with the Service Catalog database, using PAM. I'll post what I had to do in the near future, as it is not finished as I wish.
Thanks for the response. I am trying to do the same, synchronizing Active Directory users with Service Desk contacts. The issue I'm facing is that for some of the OUs, there are more than 1000 users. I would be very interested to see what you have done in making your own connector.
Try to import the users from LDAP to SDM with pdm_ldap_import; this is a specific SDM command.
The doc shows how to map LDAP attributes to SDM:
How to integrate CA SDM with LDAP - CA Service Management - 14.1 - CA Technologies Documentation
The doc has examples to use the command.
Create Contacts in Batch Mode Using LDAP Data - CA Service Management - 14.1 - CA Technologies Documentation
I am very familiar with the pdm_ldap_import and pdm_ldap_sync utilities in Service Desk but the requirements for this synchronization are beyond what they can provide.
What I did is retrieve users by OU, then by SN.
For each OU:
ldap call: (sn=A*)
ldap call: (sn=B*)
And you can add this LDAP filter as an input variable. This way, when a user is modified in your directory, you can call your PAM process to update a single user.
So once the complete sync is done, it will run several times through the day for every modification in your directory.
This is what we did here.
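The partitioning scheme described above, as an added example that is not code from the thread or from CA PAM: it models the per-OU, per-surname-prefix queries against an in-memory stand-in for the directory and adds the check a sync job needs. A server that enforces a size limit without paging returns the first 1000 matches and nothing else, so any bucket that comes back with exactly the limit may be truncated; the example generalizes the flat (sn=A*) scheme by splitting such a bucket one character further ((sn=Aa*), (sn=Ab*), ...) and recording every filter that had to be split. The size limit, the mock directory, the sample entries and the assumption that surnames are ASCII letters are all constructed for the example.

```python
"""Surname-partitioned LDAP enumeration that stays under a server size limit.

Added example, not code from the thread: it models the approach above
(one query per OU, split by surname prefix) against an in-memory stand-in
for the directory and adds the check a sync job needs: a bucket that comes
back with exactly the size limit may have been truncated, so it is split
further before its results are trusted.
"""
import string

SIZE_LIMIT = 1000  # assumption: Active Directory's default MaxPageSize


class MockDirectory:
    """Stand-in for the LDAP server. Holds constructed entries and behaves like
    a server that silently returns only the first SIZE_LIMIT matches."""

    def __init__(self, entries):
        self.entries = entries  # dicts with keys ou, sn, sAMAccountName

    def search(self, ou, sn_value, exact=False):
        want = sn_value.lower()
        hits = [e for e in self.entries if e["ou"] == ou and
                (e["sn"].lower() == want if exact else e["sn"].lower().startswith(want))]
        return hits[:SIZE_LIMIT]


def ldap_filter(sn_value, exact=False):
    """The filter the connector would send, e.g. '(sn=A*)' or '(sn=Li)'."""
    return f"(sn={sn_value})" if exact else f"(sn={sn_value}*)"


def fetch_bucket(directory, ou, prefix, truncated):
    """Fetch one surname bucket. If it hits SIZE_LIMIT the result cannot be
    trusted: log the filter, split the prefix one character further and
    recurse. Surnames equal to the prefix itself are fetched with an exact
    filter, because no longer prefix would ever match them."""
    results = directory.search(ou, prefix)
    if len(results) < SIZE_LIMIT:
        return results
    truncated.append(ldap_filter(prefix))
    merged = directory.search(ou, prefix, exact=True)
    if len(merged) >= SIZE_LIMIT:
        raise RuntimeError(f"{ldap_filter(prefix, exact=True)} alone exceeds the limit")
    for ch in string.ascii_lowercase:  # assumption: surnames are ASCII letters
        merged.extend(fetch_bucket(directory, ou, prefix + ch, truncated))
    return merged


def sync_ou(directory, ou):
    """Enumerate every user in one OU: one query per surname initial, refining
    any bucket that hit the limit. Returns (users, filters that had to be
    split) so the caller can see where the flat scheme would have silently
    dropped accounts."""
    truncated, users = [], []
    for ch in string.ascii_lowercase:
        users.extend(fetch_bucket(directory, ou, ch, truncated))
    return users, truncated


def build_sample_directory():
    """Constructed data: 1500 'Smith...' users in Sales (more than one bucket
    can hold) and 50 'Jones...' users in Engineering."""
    def suffix(i):  # base-26 suffix so every surname is letters only
        return "".join(chr(97 + d) for d in (i // 676, (i // 26) % 26, i % 26))
    entries = [{"ou": "Sales", "sn": "Smith" + suffix(i), "sAMAccountName": f"sales{i}"}
               for i in range(1500)]
    entries += [{"ou": "Engineering", "sn": "Jones" + suffix(i), "sAMAccountName": f"eng{i}"}
                for i in range(50)]
    return MockDirectory(entries)


if __name__ == "__main__":
    d = build_sample_directory()
    for ou in ("Sales", "Engineering"):
        users, split = sync_ou(d, ou)
        print(f"{ou}: {len(users)} users; buckets refined: {split}")
```

Against a real directory each `directory.search` call is one LDAP query with the filter from `ldap_filter`, scoped to the OU's DN. The list of split filters is worth keeping in the run log: an account that is never enumerated is never created or updated in SDM, and that gap is invisible unless the job checks for buckets that hit the limit. An SDK-based connector, as suggested earlier in the thread, could instead use the LDAP simple paged results control (RFC 2696), which avoids the partitioning altogether; the prefix scheme keeps the advantage described above of a single filter that can be passed in as an input variable for one-user updates.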
I had this same issue and ended up using PowerShell script operators which query AD and the SDM database, generating a CSV output from each source and then running a comparison to see the differences. From there I loop through the missing users to add them one by one to SDM. This ensures that we don't have duplicate users in SDM (we have a lot of username changes). This process runs once daily and keeps everything in order.
Let me know if this solution would work for you. If so I can look into sharing it.
Thanks Grant. Please share.
I need some time to build a new version without hard coded values. I'll likely be able to share it next week.
In the environment that you're working in is there a unique value in AD that can be used to see if a user has changed their name? For instance, we use the employeeID attribute as that is set when a user is onboarded and never changes. My process checks the employeeID of all users who are not in service desk to determine whether to add or update a contact in sdm.
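The comparison step the two posts above describe, as an added example that is not Grant's script and not CA code: two constructed CSV exports (AD on one side, SDM contacts on the other) are reconciled on employeeID, the attribute that is set at onboarding and never changes, so a user whose username or surname changed is updated rather than added a second time. The SDM column names, the field mapping and the sample rows are assumptions made for the example; a `match_on_username` function is included only to show how many spurious additions a username-keyed comparison would produce on the same data.

```python
"""Reconcile AD users against SDM contacts keyed on employeeID.

Added example, not the script from the thread. The CSV exports are
constructed inline; the logic is what the posts describe: key on an
immutable identifier so renamed accounts become updates, not duplicates.
"""
import csv
import io

# Constructed sample exports (not real data). In AD, 1003 has been renamed
# since the last sync and one account has no employeeID at all.
AD_CSV = """employeeID,sAMAccountName,givenName,sn,mail
1001,jsmith,Jane,Smith,jsmith@example.com
1002,bjones,Bob,Jones,bjones@example.com
1003,mlee,Mary,Lee,mlee@example.com
1004,twong,Tom,Wong,twong@example.com
,zold,Zed,Old,zold@example.com
"""
SDM_CSV = """employee_id,userid,first_name,last_name,email
1001,jsmith,Jane,Smith,jsmith@example.com
1002,bjones,Bob,Jones,bjones@example.com
1003,mgarcia,Mary,Garcia,mgarcia@example.com
1099,xgone,Xavier,Gone,xgone@example.com
"""

# AD attribute -> SDM column. The SDM column names are assumptions.
FIELD_MAP = {"sAMAccountName": "userid", "givenName": "first_name",
             "sn": "last_name", "mail": "email"}


def index_by_key(rows, key):
    """Key rows on the immutable identifier. Duplicate keys mean the export
    cannot be trusted, so refuse rather than guess; rows with an empty key
    are set aside because they cannot be matched safely."""
    indexed, unkeyed = {}, []
    for row in rows:
        k = row[key].strip()
        if not k:
            unkeyed.append(row)
            continue
        if k in indexed:
            raise ValueError(f"duplicate {key} {k}: export is not usable")
        indexed[k] = row
    return indexed, unkeyed


def plan_changes(ad_csv, sdm_csv):
    """Return what the daily job should do: contacts to add, contacts to
    update (with the changed fields), contacts already in sync, SDM contacts
    with no AD user (flagged for review, never deleted automatically) and AD
    accounts that carry no employeeID."""
    ad, ad_unkeyed = index_by_key(csv.DictReader(io.StringIO(ad_csv)), "employeeID")
    sdm, _ = index_by_key(csv.DictReader(io.StringIO(sdm_csv)), "employee_id")
    plan = {"add": [], "update": {}, "unchanged": [], "orphaned": [], "unkeyed": []}
    for k, user in ad.items():
        if k not in sdm:
            plan["add"].append(k)
            continue
        contact = sdm[k]
        diff = {sdm_col: user[ad_attr] for ad_attr, sdm_col in FIELD_MAP.items()
                if user[ad_attr] != contact[sdm_col]}
        if diff:
            plan["update"][k] = diff
        else:
            plan["unchanged"].append(k)
    plan["orphaned"] = sorted(k for k in sdm if k not in ad)
    plan["unkeyed"] = [r["sAMAccountName"] for r in ad_unkeyed]
    return plan


def match_on_username(ad_csv, sdm_csv):
    """For contrast only: keying on the mutable username would create a
    second contact for every renamed user. Returns the usernames it would add."""
    ad_names = {r["sAMAccountName"] for r in csv.DictReader(io.StringIO(ad_csv))}
    sdm_names = {r["userid"] for r in csv.DictReader(io.StringIO(sdm_csv))}
    return sorted(ad_names - sdm_names)


if __name__ == "__main__":
    for section, items in plan_changes(AD_CSV, SDM_CSV).items():
        print(f"{section}: {items}")
    print("username-keyed would add:", match_on_username(AD_CSV, SDM_CSV))
```

On the sample data the employeeID-keyed plan adds one contact (1004), updates 1003 in place, leaves 1001 and 1002 alone, reports 1099 as an SDM contact with no AD user and reports `zold` as unmatchable; the username-keyed comparison would add `mlee` as a new contact while `mgarcia` stays behind, which is exactly the duplicate the post is avoiding. The orphaned and unkeyed lists are for a human to look at: an orphan may be a departed user whose contact should be deactivated, and an account with no employeeID is a provisioning gap worth fixing at the source.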