Symantec IGA

  • 1.  Problems with strong synch towards AD

    Posted Jun 26, 2019 07:13 AM
    we are using Identity Suite 14.2 on Virtual Appliance to provision users to Active Directory (incl. Exchange)
    Some Account Templates are set-up with strong sync. with the purpose to ensure that the AD group memberships assigned to users are aligned with the Account Templates.
    But this causes a problem for us:
    The attribute proxyAddresses in AD is wiped out for the users who get the Account Templates that has strong sync (which is not good).
    I suspect that this is caused by the fact that the attribute eTADSproxyAddresses in the AD connector definition is set to IsPolicySync: yes.
    Could that be the cause? If so - why is that attribute set to strong sync? I might change that using ConnectorXpress, but then if we make an upgrade/patching then that might get reversed again.

    I also googled around and found that an environment variable called ADS_SYNC_BYPASS (found here could be set to contain the AD attributes that should not be subject to strong sync, but I cannot find this in any product documentation. Is this variable still supported (on the vApp as well)?

    Any inputs on this?


    Senior Architect
    HCL Enterprise Studio

  • 2.  RE: Problems with strong synch towards AD

    Broadcom Employee
    Posted Jun 26, 2019 01:03 PM
    ADS_SYNC_BYPASS is still valid for product usage. Please try that and see if it avoids the problem.

  • 3.  RE: Problems with strong synch towards AD

    Posted Jun 26, 2019 02:09 PM
    Hi Ken,
    thanks for your reply.

    Do you think that it is enough to set this variable on the Windows Server where the Connector Server (JCS and CCS) is installed?
    Or do I need to set it on the Provisioning Server as well? The problem is that the Provisioning Server is running on the vApp so setting this variable there could be a bit problematic...


    Sent from my iPhone
    The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only. E-mail transmission is not guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or may contain viruses in transmission. The e mail and its contents (with or without referred errors) shall therefore not attach any liability on the originator or HCL or its affiliates. Views or opinions, if any, presented in this email are solely those of the author and may not necessarily reflect the views or opinions of HCL or its affiliates. Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of this message without the prior written consent of authorized representative of HCL is strictly prohibited. If you have received this email in error please delete it and notify the sender immediately. Before opening any email and/or attachments, please check them for viruses and other defects.

  • 4.  RE: Problems with strong synch towards AD
    Best Answer

    Broadcom Employee
    Posted Aug 20, 2019 03:46 PM
    The ADS_SYNC_BYPASS should be set on both the C++ Connector Server service and on the Provisioning Server.

    If the Provisioning Server is running on Linux you would need to set the variable in the profile of the ID used to start the Provisioning Server.

    With VAPP for example you would do the following:

    1. Log into the vapp with config user
    2. su - imps
    3. vi /etc/.profile_imps
    4. add the export ADS_SYNC_BYPASS=AttributeName1;AttributeName2;
    5. exit out of the su - imps
    6. stop_ps
    7. start_ps