We want to synchronize the Global User Manager with the Active Directory Account Manager attribute of the user.
We already know how to add the manager to the user's Active Directory account, but we can't obtain the Distinguished Name of the user's Manager.
We tried to obtain the Manager DN using a data element of the type Account Values by Account Identifier, using the Manager Account Identifier. Every time, this data element returns an empty value.
How can we obtain a specific user's Distinguished Name from their Active Directory account?
You can use a combination of BLTH and PX for getting the UserDN via a Logical Attribute. Please check the attached file for that. Instead of a Logical Attribute, you can also use a Session Attribute if you don't want to update the Profile Screen.
I think you forgot to attach the file.
The specific case that we are trying to apply is a user modification where we want to synchronize the manager with the AD manager attribute. If I understand correctly, what you are suggesting is to use BLTH to obtain the User's Manager DN?
Yeah, my example was to get the UserDN from the User Store for the Subject User/User's Manager. This DN would be different from the AD DN. Via PX, try to search for the AD Account (which is the Manager's) and then in return get its distinguishedName value.
Yes, we are trying to search for the Manager's AD Account via PX to obtain the distinguishedName value, but we always obtain an empty value.
We can only obtain the distinguishedName value of the same user that we are modifying, not another user (the manager).
Please open a support ticket if you continue to have issues, with your PX Policy screenshots and IDM version #, and we will be happy to take a look.
Support Delivery Manager
I've done this in the past with PX. Use an "LDAP search" element within PX to search AD. Assuming that the user id in the user store matches the sAMAccountName in the AD, then the search attribute is sAMAccountName and the value is the manager's uid. The attribute you want to return is "distinguishedName". This will give you the manager's full AD DN, which you can then store as a user attribute against the user and map to a provisioning server attribute and then the AD attribute.
The LDAP search element only allows one server name. So to ensure HA, I just enter the domain name instead of an FQDN for an individual domain controller (e.g. just enter "ca.com" rather than "dc1.ca.com")
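As an added example (not code from the thread or from CA IDM/PX), the lookup the answer above configures in the LDAP search element, written out in Python: search AD by sAMAccountName for the manager's uid, return distinguishedName, and treat "no match" as a skip rather than writing a blank manager attribute. The directory call is injected, so the sample runs offline against a constructed stand-in; in a real deployment that callable would wrap an ldap3 `Connection.search` against the domain name ("ca.com") as the answer suggests, and the ldap3 wrapper, the sample accounts and the base DN are assumptions.

```python
from typing import Callable, Dict, List, Optional

# search(base_dn, ldap_filter, attributes) -> list of entries; assumed to wrap
# ldap3 Connection.search(...) in a real deployment.
SearchFn = Callable[[str, str, List[str]], List[Dict[str, List[str]]]]

# RFC 4515 filter escaping: the manager's uid comes from a user record, so it
# must not be able to change the filter structure (e.g. "*" or ")(cn=*").
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def manager_filter(manager_uid: str) -> str:
    # objectClass=user keeps contacts/computers with the same name out of the result.
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(manager_uid)}))"

def resolve_manager_dn(search: SearchFn, base_dn: str, manager_uid: str) -> Optional[str]:
    """Return the manager's AD DN, or None when exactly one account is not found
    (the "empty value" case from the thread, or an ambiguous match)."""
    entries = search(base_dn, manager_filter(manager_uid), ["distinguishedName"])
    if len(entries) != 1:  # 0 = no such account; >1 = ambiguous, do not guess
        return None
    values = entries[0].get("distinguishedName", [])
    return values[0] if values else None

# Constructed sample directory standing in for AD (assumed values, keyed by sAMAccountName).
SAMPLE_AD = {
    "jsmith": "CN=John Smith,OU=Staff,DC=ca,DC=com",
    "mmgr": "CN=Mary Manager,OU=Staff,DC=ca,DC=com",
}

def sample_search(base_dn: str, ldap_filter: str, attrs: List[str]) -> List[Dict[str, List[str]]]:
    # Minimal stand-in for an LDAP server: answers only the exact filter shape built above.
    prefix, suffix = "(&(objectClass=user)(sAMAccountName=", "))"
    if not (ldap_filter.startswith(prefix) and ldap_filter.endswith(suffix)):
        return []
    name = ldap_filter[len(prefix):-len(suffix)]
    dn = SAMPLE_AD.get(name)
    return [{"distinguishedName": [dn]}] if dn and dn.endswith(base_dn) else []

if __name__ == "__main__":
    print(resolve_manager_dn(sample_search, "DC=ca,DC=com", "mmgr"))
    print(resolve_manager_dn(sample_search, "DC=ca,DC=com", "nobody"))
```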