I am using a Before Provisioning rule to check for DN uniqueness during OU moves using the accountExistsByNativeIdentity method of IdnRuleUtil. A few things that we have observed are:
accountExistsByNativeIdentity checks within the IDN AD source only and does not check directly against AD.
accountExistsByNativeIdentity does not check against uncorrelated AD accounts.
So we are constantly getting the error “Object already exists” during OU moves.
We wanted to know if the isUniqueLDAPValue method in the IdnRuleUtil class would directly check against AD instead of checking the onboarded AD source, as this would help fix the issue we have.
If anyone has used the isUniqueLDAPValue method in a rule, please let us know your insights.
I don’t think any of the methods in the IDNRuleUtil wrapper class check for values directly in the source (AD here). They only look at the data that has already been aggregated into IDN.
The attrSearchCountAccounts method looks at uncorrelated accounts as well. That could be an option you can consider.
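As an added illustration of the suggestion above (this is not code from the original thread or from SailPoint), here is how a Before Provisioning rule could use attrSearchCountAccounts instead of accountExistsByNativeIdentity, so that uncorrelated AD accounts are counted too. It assumes the signature attrSearchCountAccounts(List sourceIds, String attributeName, String operation, List values) returning an int, that the AD connector expresses an OU move as an AC_NewParent attribute request and a rename as AC_NewName, and that the rule has the usual plan, idn and log objects in scope. The source ID is a placeholder, and the helper names countAccountsWithDn and uniqueCn are hypothetical. The CN extraction is deliberately simple and does not handle escaped commas in RDNs.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Placeholder: replace with the ID of your onboarded AD source (assumption).
String adSourceId = "REPLACE_WITH_AD_SOURCE_ID";

// Count AD accounts already aggregated into IDN (correlated or not) whose
// distinguishedName equals dn. Signature of attrSearchCountAccounts is assumed
// from this thread: (List sourceIds, String attributeName, String operation, List values).
int countAccountsWithDn(String dn) {
    List sourceIds = new ArrayList();
    sourceIds.add(adSourceId);
    List values = new ArrayList();
    values.add(dn);
    return idn.attrSearchCountAccounts(sourceIds, "distinguishedName", "Equals", values);
}

// Return a CN that does not collide under targetOu, appending 2, 3, ... if needed.
String uniqueCn(String cn, String targetOu) {
    String candidate = cn;
    int suffix = 1;
    while (countAccountsWithDn("CN=" + candidate + "," + targetOu) > 0) {
        suffix++;
        candidate = cn + suffix;
    }
    return candidate;
}

// Extract the CN value from the first RDN of a DN (no escaped-comma handling).
String cnFromDn(String dn) {
    String firstRdn = dn.split(",")[0];
    if (firstRdn.toUpperCase().startsWith("CN=")) {
        return firstRdn.substring(3);
    }
    return firstRdn;
}

List accountRequests = plan.getAccountRequests();
if (accountRequests != null) {
    for (AccountRequest ar : accountRequests) {
        // Only Modify requests that carry a move (AC_NewParent holds the target OU DN).
        if (!AccountRequest.Operation.Modify.equals(ar.getOperation())) continue;
        AttributeRequest moveReq = ar.getAttributeRequest("AC_NewParent");
        if (moveReq == null || moveReq.getValue() == null) continue;

        String targetOu = (String) moveReq.getValue();
        String currentDn = ar.getNativeIdentity();   // AD native identity is the DN
        String cn = cnFromDn(currentDn);
        String newCn = uniqueCn(cn, targetOu);

        if (!newCn.equals(cn)) {
            // A matching DN already exists under the target OU, so rename as part of the move.
            log.info("DN collision under " + targetOu + " for CN=" + cn + ", renaming to CN=" + newCn);
            ar.add(new AttributeRequest("AC_NewName", ProvisioningPlan.Operation.Set, "CN=" + newCn));
        }
    }
}
```

Note that this still only sees accounts that have been aggregated into IDN; an object created in AD after the last aggregation will not be counted, so the rename is a mitigation rather than a guarantee. Keep the aggregation schedule tight on the AD source if DN collisions are frequent.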
A method that can be used to call LDAP-type connectors to look for unique values. The connector is called with a specific search filter based on the attributeName and value that are passed into this method. If a value is returned, the value is considered to be non-unique.
Something else to note is that if you wish to specify a specific search base when performing the LDAP search in AD, you can set the following connector attribute in your AD/LDAP source: