Symantec IGA

  • 1.  How to write to AD attribute mailNickname

    Posted Dec 12, 2018 08:08 AM

    Hi all,

     

    Customer wants the AD attribute mailNickname filled with the sAMAccountName. But for some reason, I can't store any values in the AD attribute mailNickname. I now have an AD account template with the attribute in Custom (see screenshot attached), but this doesn't get propagated to the AD...

     

    Am I missing something?



  • 2.  Re: How to write to AD attribute mailNickname

    Posted Dec 12, 2018 08:52 AM

    If there is no Exchange detected as part of that AD endpoint, the connector will not perform updates on the mailNickname attribute. If you do not have Exchange as part of that domain, then you will need to send updates to the domain controller directly to update the mailNickname attribute.

     

    You could look at implementing custom IM Event Listener code or perhaps look at using a PX Policy to launch custom external java code which would then perform some type of activity. You can review the following links related to IM API and PX Policies running java code.

     

    https://docops.ca.com/ca-identity-manager/14-2/EN/programming/programming-guide-for-java/event-listener-api

     

    https://comm.support.ca.com/kb/explaining-px-policies-invoking-of-external-code/kb000036219

     

    Note that since you are using the virtual appliance, the IM Server is running on Linux, which means if you were attempting to use PowerShell or dsmod they would not be available and you would need to SSH to a Windows Server. Other options might be to implement JNDI Java code to the domain controller.

     

    Note that this would be a customized solution and outside the scope of support.



  • 3.  Re: How to write to AD attribute mailNickname

    Posted Dec 12, 2018 09:09 AM

    I don't understand this behavior. The attribute is present in AD, the Exchange attribute schema is in AD, so how does the system detect that no Exchange is present?



  • 4.  Re: How to write to AD attribute mailNickname
    Best Answer

    Posted Dec 12, 2018 09:44 AM

    The domain controller could have the Exchange schema without actually having Exchange in the domain.

     

    In order for the AD Connector to be able to update the Exchange schema attributes, the connector needs to detect that there is an Exchange in the domain. The connector will send a subtree LDAP search against the domain controller with a BaseDN of "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=***,DC=yyy,DC=zzz" and a filter of "(objectClass=msExchAdminGroupContainer)", and the connector needs to find a result. The ID used to acquire the connector also needs to have certain permissions, as mentioned in the product doc link:

     

    Privileges Required to Connect to the Exchange Endpoint - CA Identity Management & Governance Connectors - CA Technologi… 

     

    Assuming the ID has the proper permissions and there is an Exchange in the Domain and that ID can find an object in the above mentioned search then you can run the command mentioned in the below KB to cause the AD Connector to retry the above mentioned search and refresh the endpoint to detect Exchange:

     

    How to register a New or additional Exchange Serve - CA Knowledge 
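    As an added example (not code from this thread, from CA/Broadcom or from the product), the JNDI program below does the two things the replies above describe: it issues the same subtree search the AD connector uses to detect Exchange (the BaseDN and filter quoted in reply 4), and when that search returns nothing it writes mailNickname = sAMAccountName to the domain controller directly, which is the custom route reply 2 suggests for a domain that has the Exchange schema but no Exchange organisation. It is plain Java, so it can be called from a PX policy or event listener on the Linux appliance without PowerShell. The LDAP URL, bind DN, domain DN, the OU searched for users and the service-account name are placeholders; it assumes the bind account has been granted write access to mailNickname on the target users, and, as reply 2 notes, such a customisation is outside product support.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example, not CA/Broadcom code. Reproduces the Exchange-detection search
// described in the thread and, if it finds nothing, writes mailNickname straight
// to the DC over LDAPS. Every host, DN and account name below is a placeholder.
public class MailNicknameSync {

    static final String LDAP_URL   = "ldaps://dc01.example.com:636";                    // placeholder
    static final String BIND_DN    = "CN=svc-im,OU=Service Accounts,DC=example,DC=com"; // placeholder
    static final String BIND_PW    = System.getenv("IM_LDAP_PASSWORD");                 // never hard-code
    static final String DOMAIN_DN  = "DC=example,DC=com";                               // placeholder
    static final String USERS_BASE = "OU=Users," + DOMAIN_DN;                           // placeholder

    static DirContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // simple bind sends the password: LDAPS only
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        return new InitialDirContext(env);
    }

    /** The subtree search the AD connector issues (base DN and filter as quoted in
     *  the thread). True: an Exchange admin group container exists, so the connector
     *  should detect Exchange and manage mailNickname itself. False: the container
     *  is empty or missing (schema extended, but no Exchange organisation). */
    static boolean exchangeDetected(DirContext ctx) throws NamingException {
        String base = "CN=Microsoft Exchange,CN=Services,CN=Configuration," + DOMAIN_DN;
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"});
        try {
            NamingEnumeration<SearchResult> res =
                ctx.search(base, "(objectClass=msExchAdminGroupContainer)", sc);
            return res.hasMore();
        } catch (NameNotFoundException e) {
            return false; // LDAP result 32 (noSuchObject): the base DN itself does not exist
        }
    }

    /** RFC 4515 escaping so a caller-supplied account name cannot change the filter. */
    static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** DN of the user object with this sAMAccountName under USERS_BASE, or null. */
    static String findUserDn(DirContext ctx, String sam) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName"});
        String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(sam) + "))";
        NamingEnumeration<SearchResult> res = ctx.search(USERS_BASE, filter, sc);
        return res.hasMore() ? res.next().getNameInNamespace() : null;
    }

    /** REPLACE, not ADD: mailNickname is single-valued, so ADD is refused by AD
     *  when the attribute already holds a value. */
    static void setMailNickname(DirContext ctx, String userDn, String value) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("mailNickname", value))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 1) {
            System.err.println("usage: MailNicknameSync <sAMAccountName>");
            System.exit(2);
        }
        String sam = args[0];
        DirContext ctx = connect();
        try {
            if (exchangeDetected(ctx)) {
                System.out.println("Exchange detected: leave mailNickname to the AD connector");
                return;
            }
            String dn = findUserDn(ctx, sam);
            if (dn == null) throw new IllegalStateException("no user with sAMAccountName " + sam);
            setMailNickname(ctx, dn, sam);
            System.out.println("mailNickname=" + sam + " written to " + dn);
        } finally {
            ctx.close();
        }
    }
}
```

    Compile with `javac MailNicknameSync.java` and run with `IM_LDAP_PASSWORD=... java MailNicknameSync jdoe` using the same service account the connector was acquired with, so that a "false" from the detection search tells you exactly what the connector sees before you run the re-registration command from the KB linked above. JNDI validates the DC certificate against the JVM truststore by default; import the domain CA certificate rather than switching validation off. Searching from an OU rather than the domain root avoids the referral entries a DC returns for child partitions, which JNDI otherwise reports as a PartialResultException.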

     

     



  • 5.  Re: How to write to AD attribute mailNickname

    Broadcom Employee
    Posted Dec 12, 2018 11:30 AM

    The AD connector will ignore updates to any Exchange attributes if we are not going to provision Exchange using it.