Uniqueness Check for AD Source

Hello Everyone,

I am using a before provisioning rule to check for DN uniqueness during OU moves using the accountExistsByNativeIdentity method of IdnRuleUtil. A few things that we have observed are:

  1. accountExistsByNativeIdentity checks within IDN - AD source only and does not check directly against AD
  2. accountExistsByNativeIdentity does not check against uncorrelated AD accounts.

So we are constantly getting error “Object already exists” during OU moves.

We wanted to know if isUniqueLDAPValue method in IdnRuleUtil class would directly check against AD instead of checking the onboarded AD source, as this would help fix the issue we have.

If anyone has used isUniqueLDAPValue method in rule, please do let us know your insights.

Thanks in Advance

Hi @supi890,

I don’t think any of the methods in the IDNRuleUtil wrapper class check for values directly in the source (AD here). They only look at the data that are already aggregated into IDN.

The method attrSearchCountAccounts looks at the uncorrelated accounts as well. That could be an option you can consider.

Hi Jesvin,

Thanks, will check it out.

@supi890 you can check this post in a topic I posted on a similar subject to see if this works for you

Hi @supi890,

I can confirm that isUniqueLDAPValue performs a direct call.

In your scenario, you can use isUniqueLDAPValue to perform a call against AD specifying the attribute and value to be used as an LDAP filter.

From the java-docs:

```java
boolean isUniqueLDAPValue(java.lang.String identityNameOrId,
                          java.lang.String applicationNameOrId,
                          java.lang.String attributeName,
                          java.lang.String attributeValue)
```

A method that can be used to call LDAP type connectors to look for unique values. The connector is called with a specific search filter based on the attributeName and value that is passed into this method. If there is a value returned the values is considered to be non-unique.

Something else to note is that if you wish to specify a specific search base when performing the LDAP search in AD, you can set the following connector attribute in your AD/LDAP source:

```json
[
  {
    "op": "replace",
    "path": "/connectorAttributes/cloudUniqueSearchDN",
    "value": "DC=contoso,DC=com"
  }
]
```

Hope this helps!
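As an added illustration (not code from the thread, SailPoint, or either poster), the following BeanShell fragment shows one way a BeforeProvisioning rule could call isUniqueLDAPValue to validate the target DN before an OU move is sent to the connector. It assumes the rule inputs `plan`, `application`, `idn` and `log` are available, that an OU move arrives as a Modify account request carrying an `AC_NewParent` attribute request, that the account's nativeIdentity is its current DN, that `plan.getIdentity()` returns the identity being provisioned, and that `distinguishedName` is the LDAP attribute to filter on; all of those names are assumptions, not something the thread confirms. The `leadingRdn` helper is hypothetical and exists only for this example.

```java
import java.util.Iterator;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Hypothetical helper: return the leading RDN of a DN (e.g. "CN=Jane Doe"),
// honouring backslash-escaped commas inside the CN value.
public String leadingRdn(String dn) {
  if (dn == null) return null;
  StringBuilder rdn = new StringBuilder();
  for (int i = 0; i < dn.length(); i++) {
    char c = dn.charAt(i);
    if (c == '\\' && i + 1 < dn.length()) {
      // keep the escape and the escaped character together
      rdn.append(c).append(dn.charAt(++i));
      continue;
    }
    if (c == ',') break;
    rdn.append(c);
  }
  return rdn.toString();
}

// Assumption: plan.getIdentity() is populated; fall back to null if not,
// since the first parameter of isUniqueLDAPValue is identityNameOrId.
String identityName = (plan.getIdentity() != null) ? plan.getIdentity().getName() : null;

List acctReqs = plan.getAccountRequests();
if (acctReqs != null) {
  for (Iterator it = acctReqs.iterator(); it.hasNext();) {
    AccountRequest acctReq = (AccountRequest) it.next();
    // OU moves are modifications of an existing account, so skip everything else
    if (!AccountRequest.Operation.Modify.equals(acctReq.getOperation())) continue;

    List attrReqs = acctReq.getAttributeRequests();
    if (attrReqs == null) continue;

    for (Iterator ai = attrReqs.iterator(); ai.hasNext();) {
      AttributeRequest attrReq = (AttributeRequest) ai.next();
      // Assumption: the AD connector expresses an OU move as "AC_NewParent"
      if (!"AC_NewParent".equals(attrReq.getName())) continue;

      String newParent = (String) attrReq.getValue();
      // Assumption: nativeIdentity is the account's current DN, so its leading RDN
      // plus the new parent container is the DN the move would create.
      String candidateDn = leadingRdn(acctReq.getNativeIdentity()) + "," + newParent;

      // Direct LDAP search against the source (per Mark's note above), using
      // distinguishedName as the filter attribute (assumed).
      boolean unique = idn.isUniqueLDAPValue(identityName, application.getName(),
                                             "distinguishedName", candidateDn);
      if (!unique) {
        log.warn("OU move blocked: an object already exists at " + candidateDn);
        // Fail fast with a descriptive message instead of letting the connector
        // surface a generic "Object already exists" error.
        throw new IllegalStateException("OU move aborted, DN already in use in AD: " + candidateDn);
      }
      log.info("OU move target DN is unique in AD: " + candidateDn);
    }
  }
}
```

Because isUniqueLDAPValue searches the directory itself rather than the aggregated account data, the check also covers accounts that are uncorrelated or not yet aggregated, which is the gap the original post describes. Remember that the search base is whatever `cloudUniqueSearchDN` is set to on the source, so if the moved object's target OU sits outside that base the call would report the value as unique even when a conflicting object exists elsewhere in the forest.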

Thank you Mark and Jonathan, will try it out and update here.