Symantec IGA

  • 1.  Add inclusion/correlate between Unix Account and Global User

    Posted Jun 19, 2021 03:11 AM
    Hi All,

        I have to correlate the Unix account with the Global User. Is there any way to do it using ETAUTIL? If yes, how should the command look? I searched across the community and found that only AD accounts are discussed. For a single user, I can use Provisioning Manager to correlate it back, but I have a large number of users.

    Regards
    CK


  • 2.  RE: Add inclusion/correlate between Unix Account and Global User

    Posted Jun 21, 2021 09:41 PM

    Hi Wong,

    Use the IMPS GUI and its etatrans logs for a SINGLE entry to help guide you in building the CLI scripts with either etautil or ldapmodify.

    - This will give you the format for your particular endpoint, e.g. the DN string.

    Correlations are inclusions and are typically a two-part command if using ldapmodify, but with etautil you can do this in one command per user.


    Use the IMPS Manager GUI to drag-and-drop a correlation between the GU (global user) and the EA (endpoint account). This event will now be captured in the IMPS etatrans logs.


    After you collect the information from the etatrans log, you can then build your spreadsheet with the following fields. After it looks correct, save this file to Notepad/Notepad++ and remove any extra double quotes. You can then feed this file of 10-100K lines directly to etautil.

    The diagram below should help with the syntax.

    1) Action (ADD/DEL)
    2) Variable (Base DN)
    3) Class
    4) Variable (Value)
    5) IN (inclusion marker)
    6) Variable (Base DN)
    7) Variable (Value)
    8) Semi-colon

    For performance, you can break up large files into smaller ones and submit 2 to 3 batches to each provisioning server. They will be able to handle parallel load, and it will be done much faster.


    Three (3) gotchas to manage for your script building:

    1) Do NOT put etautil on each line; use the -f switch with etautil and an input file (with just the Action Verbs and data). Etautil has a 2-3 second error-checking process that would add an extra 200-300 seconds of delay to 100 lines if used without the -f switch.
    2) For the input file, end each line with a semi-colon except for the very last line.
    3) Ensure that the -DYN switch is used for any DYN endpoints; you will know when you see them in the etatrans log.

    -##############-

    As part of your process, please remember that correlated accounts will NOT un-correlate. If there are accounts that were previously correlated to [default user], then using your script will assist.

    Otherwise, you may wish to run a script to manage these incorrect correlations.

    https://anapartner.com/2020/05/25/clean-up-orphans-and-refine-correlation-rules/

    Cheers,

    A.



    ------------------------------
    Alan Baugher
    ANA Technology Partner (anapartner.com)
    ------------------------------
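The file-building procedure in the reply above (spreadsheet of GU/EA pairs, strip stray double quotes, one command per line with no `etautil` prefix, semicolon on every line except the last, batches fed with `-f`, `-DYN` for dynamic endpoints) as an added Python example. This is not code from the thread or from the Symantec/CA product. It assumes you have already captured one working inclusion line from your own etatrans log and pasted it into `LINE_TEMPLATE`; the `<...>` tokens shown there are placeholders, not real etautil syntax, and the CSV export is constructed sample data.

```python
"""Build etautil -f input files for bulk inclusions (correlations).

Added example, not from the forum post or the product. Assumptions:
  * LINE_TEMPLATE is filled from ONE working line captured in the etatrans
    log; the <...> tokens are placeholders, not real etautil syntax.
  * The export is a two-column 'global_user,endpoint_account' text file saved
    from the spreadsheet, possibly with stray double quotes and blank rows.
"""

# Placeholder built from one etatrans-log line; only {global_user} and
# {endpoint_account} vary per row. Replace the <...> tokens with your own text.
LINE_TEMPLATE = "ADD <GU_BASE_DN> <GU_CLASS> {global_user} IN <EA_BASE_DN> {endpoint_account}"


def strip_quotes(value: str) -> str:
    """Remove the extra double quotes a spreadsheet export adds around cells."""
    return value.replace('"', "").strip()


def parse_rows(text: str):
    """Read 'global_user,endpoint_account' pairs from the saved export."""
    rows = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) >= 2:
            rows.append((parts[0], parts[1]))
    return rows


def build_lines(rows, template: str = LINE_TEMPLATE):
    """Render one inclusion command per (global_user, endpoint_account) pair.

    No 'etautil' prefix on any line (gotcha #1); blank rows are skipped.
    """
    lines = []
    for gu, ea in rows:
        gu, ea = strip_quotes(gu), strip_quotes(ea)
        if not gu or not ea:
            continue
        lines.append(template.format(global_user=gu, endpoint_account=ea))
    return lines


def terminate(lines) -> str:
    """Join commands with a semicolon after every line except the last (gotcha #2)."""
    if not lines:
        return ""
    return ";\n".join(lines) + "\n"


def batch(lines, size: int):
    """Split into chunks, each becoming its own -f input file so that 2-3
    batches can be submitted to each provisioning server in parallel."""
    return [terminate(lines[i:i + size]) for i in range(0, len(lines), size)]


def invocation(filename: str, dynamic_endpoint: bool = False) -> str:
    """Suggested command line: one etautil run per file, -DYN for DYN endpoints
    (gotcha #3). '<conn opts>' is a placeholder for your connection switches."""
    cmd = f"etautil <conn opts> -f {filename}"
    return cmd + " -DYN" if dynamic_endpoint else cmd


# Constructed sample export (not real users): stray quotes and a blank row.
SAMPLE_EXPORT = '''"jdoe","jdoe"
asmith,"asmith"
,
bwong,bwong
'''


def main():
    files = batch(build_lines(parse_rows(SAMPLE_EXPORT)), size=2)
    for n, content in enumerate(files, 1):
        name = f"correlate_batch{n}.txt"
        print(f"--- {name}  ({invocation(name)}) ---")
        print(content, end="")


if __name__ == "__main__":
    main()
```

Running it writes nothing to disk; it prints the two batch files so you can compare their shape against the single line you captured from the etatrans log before pointing the script at the real export. Check the last line of each file for a missing semicolon and the first line for the absence of an `etautil` prefix before submitting.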