Release : 14.X
Component : CA Identity Suite (Virtual Appliance)
Component : CA Identity Manager (Standalone Appliance)
Following the documentation can be tricky because some valuable information is not currently present. The most common problem with the PxPolicy is the declaration of the group itself: most of the time the DN value is configured incorrectly.
Please see the guide below on how to create your DN value correctly.
Connect to the IM Provisioning Server via an LDAP browser (JXplorer)
Copy the DN Value of your AD group:
Example: eTADSGroupName=MyTestGroup,eTADSOrgUnitName=Organization3,eTADSOrgUnitName=Organization2,eTADSOrgUnitName=Organization1,eTADSOrgUnitName=Organization,eTADSDirectoryName=MyActiveDirectoryName,eTNamespaceName=ActiveDirectory,dc=im,dc=eta
The next step is to convert this DN value to a value accepted within Identity Manager. There are a few changes to be made.
1) Remove leading 'eT' and trailing 'Name' on the attributes.
Example: eTADSOrgUnitName=Organization becomes ADSOrgUnit=Organization
2) Modify the trailing part of the DN to the proper configuration: ADSDirectory is renamed to EndPoint, and dc=im,dc=eta becomes Domain=im,Server=Server
Example: eTADSOrgUnitName=Organization,eTADSDirectoryName=MyActiveDirectoryName,eTNamespaceName=ActiveDirectory,dc=im,dc=eta
Becomes: ADSOrgUnit=Organization,EndPoint=MyActiveDirectoryName,Namespace=ActiveDirectory,Domain=im,Server=Server
Example of completed DN Conversion:
{"memberOf" : "ADSGroup=MyTestGroup,ADSOrgUnit=Organization3,ADSOrgUnit=Organization2,ADSOrgUnit=Organization1,ADSOrgUnit=Organization,EndPoint=MyActiveDirectoryName,Namespace=ActiveDirectory,Domain=im,Server=Server"}
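The two conversion steps above can be scripted so the DN is not edited by hand. The following is an added example, not code from this article or from the product: the function names convert_dn and member_of_rule are hypothetical, it accepts only the dc=im,dc=eta suffix shown above, and it assumes values (including backslash-escaped commas) are carried over unchanged.

```python
import json
import re

# Suffix and its replacement exactly as given in step 2 of the article.
PROV_SUFFIX = ["dc=im", "dc=eta"]
IM_SUFFIX = ["Domain=im", "Server=Server"]


def convert_dn(prov_dn):
    """Convert a Provisioning Server DN to the Identity Manager form."""
    # Split on commas that are not backslash-escaped inside a value.
    rdns = [r.strip() for r in re.split(r"(?<!\\),", prov_dn.strip())]
    if [r.lower() for r in rdns[-2:]] != PROV_SUFFIX:
        # Anything else is outside what the article documents: refuse to guess.
        raise ValueError("DN does not end with dc=im,dc=eta")
    out = []
    for rdn in rdns[:-2]:
        attr, sep, value = rdn.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Step 1: remove leading 'eT' and trailing 'Name' from the attribute.
        if not (attr.startswith("eT") and attr.endswith("Name")) or len(attr) <= 6:
            raise ValueError(f"unexpected attribute name: {attr!r}")
        attr = attr[2:-4]
        # Step 2: ADSDirectory is renamed to EndPoint.
        if attr == "ADSDirectory":
            attr = "EndPoint"
        out.append(f"{attr}={value}")
    return ",".join(out + IM_SUFFIX)


def member_of_rule(prov_dn):
    """Return the memberOf value as a JSON string, as in the completed example."""
    return json.dumps({"memberOf": convert_dn(prov_dn)})


if __name__ == "__main__":
    # DN copied from the article's example.
    sample = ("eTADSGroupName=MyTestGroup,eTADSOrgUnitName=Organization3,"
              "eTADSOrgUnitName=Organization2,eTADSOrgUnitName=Organization1,"
              "eTADSOrgUnitName=Organization,eTADSDirectoryName=MyActiveDirectoryName,"
              "eTNamespaceName=ActiveDirectory,dc=im,dc=eta")
    print(member_of_rule(sample))
```

A DN that does not match the documented pattern raises ValueError instead of producing a value that would silently fail to match the group.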
See Action Item Example Below: