Update AD manager attribute

yashpalsingh · November 29, 2022, 3:03pm

Hello Folks,

We have a use case where we need to update manager attribute in Active Directory from Forgerock IDM. The attribute value in AD should in DN format. Could anyone help?

Regards,
Yashpal

gery.ducatel · November 29, 2022, 6:33pm

Welcome to the forum Yashpal,

I am going to assume that this is a synchronisation question.
The value for the manager attribute appears to be a full Distinguished Name (DN), see this link: Manager attribute - Win32 apps | Microsoft Learn
You can use a transformation script in your mapping properties to build the DN. This may look like this example (please adapt):
"cn=" + source.userName + "ou=people,dc=example,dc=com"
Please check the documentation about mappings:
Configure a resource mapping :: IDM 7.2.1

yashpalsingh · November 30, 2022, 4:13am

You are right, we have construct the DN but the manager value is stored user’s manager attribute. How can we call that value in transformation script?

Regards,
Yashpal

gery.ducatel · November 30, 2022, 10:23am

If you have a direct report → manager relationship in IDM you can get the data with the following:
openidm.read("managed/user/" + source.userName, null, ["*", "manager"])
This will return a JSON object which you will need to parse in order to get the manager’s username.
I hope this helps.

yashpalsingh · November 30, 2022, 11:54am

Hi Gery,

This is what I see in the logs

Failed to build manager attribute out of {_rev=c5cfc736-f3da-4ba6-906f-6b8f326d05d8-195726, _id=IrminaZomba, userName=IrminaZomba, password={PBKDF2-HMAC-SHA256}10:8UsGpB9FddY4zs+XhtH09xAEyuVcBKLMWEDsljMU5z/UZE0Nqr6Le96KskgNY1PR, accountStatus=active, description=CN=Irmina,OU=users,DC=test,DC=com, givenName=Irmina, sn=Zomba, mail=dominikmajda@test.com, personalNumber=199001014332, crmMemberID=0297f411-1a6f-ed11-9561-000d3a2e47ed, lastSync={managedUser_systemAdconnectorAccount={effectiveAssignments=[], timestamp=2022-11-30T11:48:56.863344}}, manager={_ref=managed/user/b38d0554-e97c-4f02-96f3-607ad9ae49e2, _refResourceCollection=managed/user, _refResourceId=b38d0554-e97c-4f02-96f3-607ad9ae49e2, _refProperties={_id=2bbc6c01-ef47-4313-a6dd-e2fa1f5f4b29, _rev=c5cfc736-f3da-4ba6-906f-6b8f326d05d8-194841}}}

Could you help to parse this JSON? I want to read user’s manager’s description and pass it.

Regards,
Yashpal

gery.ducatel · November 30, 2022, 10:57pm

For the record, here are some possible steps, note this is not code but it is an illustration of what you can use in your code. As a matter of fact, this is not functional because it does not include any error handling. You may also experience performance challenges because this example includes two read operations which might be costly. But if the data is not too large, and the synchronisation is not too intensive it could be useful.

const managerRelationshipObject = openidm.read("managed/user/" + source.userName, null, ["*", "manager"])
const managerURI = managerRelationshipObject.manager._ref
const managerObject = openidm.read(managerURI)
const managerUserName = managerObject.userName    
"cn=" + managerUserName + ",ou=people,dc=example,dc=com"

An alternative to this which should be more performant would be to explore Relationship Derived Virtual Properties (RDVP) but this is beyond the scope of what can be done in this forum. This feature is documented here:
https://backstage.forgerock.com/docs/idm/7.2/objects-guide/managed-object-virtual-properties.html#relationship-derived-virtual-properties