I would like to know if there is some way to make a filtered explore. I have an AD connector which explores an OU, which in turn has a lot of users.
I need to do some kind of filtered exploration, for example, looking for users who have sAMAccountName=js* or individual users like sAMAccountName=jsosa. This is because we have to explore and correlate some users and do not want to explore (for now) the rest of the users in that OU.
Is there some configuration point to do that?
Partial explore using a wildcard on the account name is available only for the AD endpoint, starting from release 12.6.8 of Identity Manager.
See our release notes:
New Features - CA Identity Manager - 12.6.8 - CA Technologies Documentation
If customization is OK, the following can be executed from the Provisioning Server/Directory machine. This will explore all accounts starting with LoginID 'i'. The same can be updated for AD:
ldapsearch -h <PROV_HOSTNAME> -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w <PASSWORD> -b "eTSQLDirectoryName=mssqlserver,eTNamespaceName=MS SQL Server,dc=im,dc=eta" -s sub "eTSQLLoginName=i*" eTExploreUpdateEtrust
Another benefit of executing the explore/correlate/update via the ldapsearch command instead of via IM is that, in an environment with multiple Provisioning Servers, you can point the ldapsearch against the non-primary Provisioning Server while the IM Server is using the primary Provisioning Server for its workload. This will also keep the inbound notifications generated by the Explore/Correlate/Update on the secondary Provisioning Server.
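An added example, not part of the original posts: a POSIX shell wrapper around the ldapsearch explore shown above that builds the prefix filter from operator input, escaping LDAP filter metacharacters (RFC 4515) and refusing an empty prefix, which would turn the partial explore back into a full one. The function names and the PROV_HOSTNAME and PROV_PASSWORD environment variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not CA's own tooling.

# Escape a literal value for an LDAP search filter (RFC 4515).
# The backslash is handled first so the later escapes are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# explore_filter ATTR PREFIX -> prints "ATTR=<escaped PREFIX>*"
explore_filter() {
    attr=$1
    prefix=$2
    case $attr in
        ''|*[!A-Za-z0-9-]*)
            echo "invalid attribute name: $attr" >&2
            return 1 ;;
    esac
    if [ -z "$prefix" ]; then
        # An empty prefix would yield ATTR=* and explore every account.
        echo "refusing empty prefix" >&2
        return 1
    fi
    printf '%s=%s*' "$attr" "$(ldap_escape "$prefix")"
}

# run_partial_explore BASE_DN ATTR PREFIX
# Bind DN, port and eTExploreUpdateEtrust are copied from the post.
# -w is the flag the post uses; its value is visible in the process
# list while the command runs, so run this on a restricted host.
run_partial_explore() {
    filter=$(explore_filter "$2" "$3") || return 1
    ldapsearch -h "$PROV_HOSTNAME" -p 20389 \
        -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" \
        -w "$PROV_PASSWORD" -b "$1" -s sub "$filter" eTExploreUpdateEtrust
}

# Usage, with the base DN and attribute from the post:
# run_partial_explore \
#   "eTSQLDirectoryName=mssqlserver,eTNamespaceName=MS SQL Server,dc=im,dc=eta" \
#   eTSQLLoginName i
```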