Active Directory "gidNumber" extended attribute gets reset.


Article ID: 41351

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

Issue:

We have extended the Active Directory schema to support an AIX environment, which includes the "gidNumber" attribute.

To provision Active Directory accounts, we defined an Active Directory Account Template in Strong Synchronization mode and mapped the extended "gidNumber" attribute (on the "Custom" tab) to Global User Custom Field 5 (%UCU05%).

The Active Directory accounts are created with the expected "gidNumber" attribute value.

But whenever an Account Synchronization is triggered, the "gidNumber" attribute is erased (left empty).

This is the only attribute where we notice this behavior.

The other extended custom attributes defined through the Account Template are not affected.

 

Environment:  

Applies to all the specified CA Identity Manager versions.

 

Cause:

The "gidNumber" attribute is handled by two configurations at the same time:

- the extended attribute (handled through eTADSPayload, which is not a capability attribute) defined on the "Custom" tab of the Active Directory Account Template;

- the eTADSgidNumber attribute (which is a capability attribute), as set in the "Primary Group Name/GID" field of the "Unix attributes" tab of the Active Directory Account Template.

Because Strong Synchronization forces account attributes to match the template, the "gidNumber" value initially set through the extended configuration (eTADSPayload) is overwritten with the value of the template's eTADSgidNumber attribute, which has no value set. The result is an empty "gidNumber" after every synchronization.

 

Resolution:

There are two ways to handle the situation:

1- Switch off Strong Synchronization mode on the Active Directory Account Template.

Strong Synchronization forces the account's attribute value to match the value from the Account Template.

Weak Synchronization updates the account's attribute only when its value is less than the value from the Account Template.

In Weak mode, an existing value is never erased.

2- Define the ADS_SYNC_BYPASS system variable with the "eTADSgidNumber" attribute, then recycle the Provisioning Server and Connector Server services so they pick up the new variable.

This removes the "eTADSgidNumber" attribute from the Synchronization process, so the value written through eTADSPayload is left alone.

This feature and the ADS_SYNC_BYPASS system variable were introduced in CA Identity Manager 12.5 SP13.

 

Additional Information:  

From "CA Identity Manager Connector Guides › Connectors Guide › Connecting to Endpoints › Microsoft Exchange Connector › Managing Exchange Users › Bypass ADS Account Attributes during Account Synchronization":

Bypass ADS Account Attributes during Account Synchronization

To bypass ADS predefined capability attributes during account synchronization, define the following system variable on both the Provisioning Server and the Connector Server in the CA Identity Manager environment:

ADS_SYNC_BYPASS

Lists the ADS account attribute names to bypass. Multiple attribute names are separated with a semicolon (;).
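The following PowerShell script is an added example, not part of the CA knowledge base article or CA's own tooling. It applies Resolution 2 on the Windows host running the Provisioning Server and Connector Server: it adds "eTADSgidNumber" to the machine-scope ADS_SYNC_BYPASS variable without dropping attributes already listed, recycles the services, and then checks that "gidNumber" on a test account survives the next Account Synchronization. The service names and the test account name are placeholders that must be replaced with the real values from your installation.

```powershell
# Added example (not from the CA article). Run elevated on the Provisioning Server /
# Connector Server host, in a session that has the RSAT ActiveDirectory module.
# Placeholders (assumptions, replace them): service names and the test account.

$BypassAttribute = 'eTADSgidNumber'
$ServiceNames    = @('<ProvisioningServerServiceName>', '<ConnectorServerServiceName>')  # placeholders
$TestAccount     = 'jdoe'                                                                 # placeholder

# 1. Set ADS_SYNC_BYPASS at Machine scope. The value is a semicolon-separated list of
#    ADS attribute names, so keep anything already configured and avoid duplicates.
$current = [Environment]::GetEnvironmentVariable('ADS_SYNC_BYPASS', 'Machine')
$entries = @()
if ($current) { $entries = @($current -split ';' | Where-Object { $_ -ne '' }) }
if ($entries -notcontains $BypassAttribute) { $entries += $BypassAttribute }
$newValue = $entries -join ';'
[Environment]::SetEnvironmentVariable('ADS_SYNC_BYPASS', $newValue, 'Machine')
Write-Host "ADS_SYNC_BYPASS = $newValue"

# 2. Recycle the services. A Windows service only sees Machine-scope variables that
#    existed when it started, so without a restart the bypass is silently ignored.
foreach ($name in $ServiceNames) {
    Restart-Service -Name $name -Force -ErrorAction Stop
    $svc = Get-Service -Name $name
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    Write-Host "$($svc.DisplayName): $($svc.Status)"
}

# 3. Check: read gidNumber, trigger an Account Synchronization on the test account
#    from the Provisioning Manager (manual step), then re-read and compare.
Import-Module ActiveDirectory
$before = (Get-ADUser -Identity $TestAccount -Properties gidNumber).gidNumber
Read-Host "gidNumber before sync = '$before'. Run Account Synchronization on $TestAccount, then press Enter"
$after  = (Get-ADUser -Identity $TestAccount -Properties gidNumber).gidNumber

if ([string]::IsNullOrEmpty($after)) {
    Write-Warning "gidNumber was cleared by synchronization. Confirm the variable is set at Machine scope and that both services were restarted."
} elseif ($after -ne $before) {
    Write-Warning "gidNumber changed from '$before' to '$after'."
} else {
    Write-Host "gidNumber preserved: '$after'"
}
```

If the variable is set only for the current user or only in the interactive session, the services never see it and the symptom persists; the Machine scope plus a restart of both services is what the article's Resolution 2 requires.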

Environment

Release: CAIDMB99000-12.6.7-Identity Manager-B to B