CA Identity Manager: Rename the CN of an Active Directory account through Identity Manager
Article ID: 97181


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal

Issue/Introduction

The CN of an AD account is the naming attribute (eTADSAccountName) of the account object in the Provisioning Directory, so it cannot be modified like an ordinary attribute: changing it is an LDAP rename (modrdn) of the object, not a modify.

What are the options for changing the CN value of Active Directory endpoint accounts through Identity Manager?

Environment

All versions of Identity Suite (Identity Manager)

Resolution

The CN can be changed directly in Provisioning Manager by looking up the account and editing the value. The downside is that this must be done one account at a time.

It can also be changed from the command line with ldapmodrdn against the Provisioning Server, but after the rename the user must be synchronized with their account templates, or the system loses track of the account.

Keep in mind that once an account is moved or renamed it no longer matches its Account Template. The system then sees an extra account (under the new name) and a missing account (under the old name), and at some point it will try to add the missing account and delete the extra one. The rename must therefore be reflected in the templates.

This is what an ldapmodrdn.exe rename against the Provisioning Server looks like. Replace PROV_SERVER_HOST, BIND_USER, BIND_PWD, ORIGINAL_ACCOUNT_NAME, NEW_ACCOUNT_NAME and MY_AD_ENDPOINT with values appropriate for your system. The -r switch removes the old RDN value instead of keeping it as an additional attribute value. Two practical notes: -w places the bind password on the command line, where it is visible in the process list and the command history, so run it from a restricted console and clear the history afterwards; and an account name containing a DN-special character (a comma in a CN such as "Doe, Jane", a plus sign, a quote, a backslash, angle brackets or a semicolon) must be backslash-escaped inside the DN (RFC 4514) or the rename will fail.

ldapmodrdn.exe -h PROV_SERVER_HOST -p 20389 -D "eTGlobalUserName=BIND_USER,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w BIND_PWD -r "eTADSAccountName=ORIGINAL_ACCOUNT_NAME,eTADSContainerName=Users,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory,dc=im,dc=eta" "eTADSAccountName=NEW_ACCOUNT_NAME" 

This results in: 

Rename Result: Success (0) 
Additional info: :ETA_S_00283<MAC>, Active Dir. Account 'ORIGINAL_ACCOUNT_NAME' on 'MY_AD_ENDPOINT' renamed successfully 

And the Provisioning Server etatrans log (level=7) would show: 

20171005:113339:TID=002604:Rename :E124:----:S: External Rename (eTADSAccountName=ORIGINAL_ACCOUNT_NAME) Requested by User BIND_USER - TenantNotSet 
20171005:113339:TID=002604:Rename :E124:----:P: dn: eTADSAccountName=ORIGINAL_ACCOUNT_NAME,eTADSContainerName=Users,eTADSDirectoryName=MY_AD_ENDPOINT,eTNamespaceName=ActiveDirectory,dc=im 
20171005:113339:TID=002604:Rename :E124:----:P: new-rdn: eTADSAccountName=NEW_ACCOUNT_NAME 

20171005:113340:TID=002604:Rename :E124:----:F: SUCCESS: External Rename (eTADSAccountName=ORIGINAL_ACCOUNT_NAME) 
20171005:113340:TID=002604:Rename :E124:----:F: msg: :ETA_S_00283<MAC>, Active Dir. Account 'ORIGINAL_ACCOUNT_NAME' on 'MY_AD_ENDPOINT' renamed successfully 
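The rename above is a single LDAP modrdn. As an added example (not part of the original article and not CA's own tooling), the following Python script builds the same account DNs as that command and writes an LDIF file with one changetype: modrdn record per account, so that a batch of renames can be applied in one ldapmodify run instead of one ldapmodrdn call each. It also escapes DN-special characters in account names, which the raw command does not handle. The eTADS* naming attributes and the dc=im,dc=eta suffix are taken from the command above; the endpoint name CORP-AD, the container, the account names in the sample CSV, and the assumption that the Provisioning Server's ldapmodify accepts standard RFC 2849 change records are all assumptions made for the example.

```python
"""Generate LDIF modrdn records to rename Active Directory accounts in the
CA Identity Manager Provisioning Directory (added example, not CA code).

Assumptions: the eTADS* naming attributes and the dc=im,dc=eta suffix from
the article; endpoint name, container and sample CSV are constructed here.
"""
import csv
import io

# RFC 4514 section 2.4: these characters must be backslash-escaped in a DN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")          # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading hash
        else:
            out.append(ch)
    return "".join(out)


def account_dn(account_name: str, endpoint: str, container: str = "Users",
               suffix: str = "dc=im,dc=eta") -> str:
    """DN of an AD account object in the ActiveDirectory namespace."""
    return (f"eTADSAccountName={escape_dn_value(account_name)},"
            f"eTADSContainerName={escape_dn_value(container)},"
            f"eTADSDirectoryName={escape_dn_value(endpoint)},"
            f"eTNamespaceName=ActiveDirectory,{suffix}")


def modrdn_record(old_name: str, new_name: str, endpoint: str,
                  container: str = "Users") -> str:
    """LDIF change record equivalent to: ldapmodrdn -r <old dn> <new rdn>."""
    return (f"dn: {account_dn(old_name, endpoint, container)}\n"
            "changetype: modrdn\n"
            f"newrdn: eTADSAccountName={escape_dn_value(new_name)}\n"
            "deleteoldrdn: 1\n")     # same effect as ldapmodrdn -r


def batch_ldif(csv_text: str, endpoint: str, container: str = "Users") -> str:
    """CSV with header old_name,new_name -> one LDIF file of modrdn records.

    Rejects empty names, no-op renames and two rows targeting the same new
    name, since a duplicate target would fail half-way through the batch.
    """
    records, targets = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        old, new = row["old_name"].strip(), row["new_name"].strip()
        if not old or not new or old == new:
            raise ValueError(f"invalid rename row: {row}")
        if new in targets:
            raise ValueError(f"duplicate target name: {new}")
        targets.add(new)
        records.append(modrdn_record(old, new, endpoint, container))
    return "\n".join(records)


# Constructed sample input; names and endpoint are not from the article.
SAMPLE_CSV = """old_name,new_name
jsmith,john.smith
"Doe, Jane",jane.doe
"""

if __name__ == "__main__":
    # Feed the output to ldapmodify against the Provisioning Server, e.g.
    # ldapmodify -h PROV_SERVER_HOST -p 20389 -D "<bind dn>" -w BIND_PWD -f renames.ldif
    print(batch_ldif(SAMPLE_CSV, "CORP-AD"))
```

Each record carries deleteoldrdn: 1, which matches the -r switch of the command above. Because every rename leaves the account mismatched against its Account Template, the same CSV is the list of users that must be synchronized with their templates once the batch has been applied.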

You can also invoke this rename from a PX Policy to automate the process. The Tech Doc below shows a PX Policy calling Java code; the same approach can be used to invoke the ldapmodrdn command shown above:

https://knowledge.broadcom.com/external/article/36219/explaining-px-policies-invoking-of-exter.html

Additional Information

https://knowledge.broadcom.com/external/article?articleId=36078