Symantec IGA

you must declare ad attributes you want to manage in the text file PS_HOME\data\ADS\schema.ext.

Look at this bookself article:


Connector Guides › Connectors Guide › Connecting to Endpoints › Active Directory Services Connector › Connector-Specific Features › Program Exits › Creating Custom ADS Attributes
Previous Topic: Passing Global User Attributes

Next Topic: Example Files

Creating Custom ADS Attributes
The file PS_HOME\data\ADS\schema.ext is used to create custom ADS attributes.

Note: You must first create this file.

Custom ADS attributes are placed one per line in the text file PS_HOME\data\ADS\schema.ext. This file is used to specify any custom ADS account attributes that have been added to the ADS schema and any ADS account attributes that do not actually exist in the ADS schema but are used in ADSExitUsrPreAdd.txt and ADSExitUsrPostAdd.txt. For more information on extending the ADS schema, see the topic Extending the ADS Schema in the ADS Defaults section.

To let the ADS connector know that the custom ADS account attribute being added is to be used for exit processing and does not exist in ADS, the attribute name in schema.ext must begin with eTADSExitOnly. This prefix lets the ADS connector know that the custom attribute can be passed to the ADS connector command line interface. Since the attribute does not exist in the ADS schema, the syntax and the single or multi-value indicator must be included in the schema.ext. These two values follow the attribute name and are delimited with a colon (:). An example of a line in schema.ext follows:

eTADSExitOnlyDiskSize:2.2.5.12:T
The syntax of the attribute is 2.2.5.12. These syntaxes are defined at the following website:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/mapping_active_directory_syntax_to_adsi_syntax.asp

The following characters indicate the value of the attribute:

T indicates that the attribute is single-valued.
F indicates that the attribute is multivalued.
Note: Any changes to the schema.ext require a restart of the CA Identity Manager Provisioning service and the Provisioning Manager.

By default, any attribute listed is assumed to exist for both contacts and accounts. To indicate that a given attribute is to be defined for accounts or contacts only, add an optional prefix (account) or (contact) to the attribute name. Optionally, you can use the prefix (both) to indicate an attribute is valid for both accounts and contacts.

For example, your installation added three new attributes to the schema. BirthDate is valid for accounts only. SSN is valid for accounts and contacts. DoNotCall is valid for contacts only. You can add these entries into your schema.ext file as follows:

(account)BirthDate
(both)SSN
(contact)DoNotCall

I saw this in the bookshelf but that file in that location doesn't exist.

D:\Program Files (x86)\CA\Identity Manager\Provisioning Server\data\ads

the only file in there is directory-name.dns

"Note: You must first create this file."

is just a text file, you must create it

I have created schema.ext file and added one attribute "msRTCSIP-ArchivingEnabled".

Recycled provisioning and C++ services but i am not able to see any additional attribute on account template custom section .

Any thoughts appreciated !

Thanks ! could you please explain more how to do that as documentation is not very much clear .

 

After extending the schema, do an Explore/Correalate (E/C) with option to update Global User.

Using an LDAP browser, to your IMPS directory using:

Your IMPS hostname

Port 20391

Base DN: dc=etadb

Bind DN: eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb

navigate to :

eTADSAccountName=SomeUserAccount,eTADSContainerName=Users,eTADSDirectoryName=YourEndpointName,eTNamespaceName=ActiveDirectory,dc=im,dc=etadb

Look at the value for the: eTADSPayload attribute.

You would see see something like:

extendedAttribute1:01:0006=value1;extendedAttribute2:01:0007=value10;extendedAttribute2:01:0008=value100

You now need to take the appropriate offset from that value. E.g.: etadspayload[27,6]  // start at the 27 charcter and go for 6.

 

Dudley, Do you know of any way this could work with custom attributes that do not have a fixed length?

Currently instead of using the eTADSpayload attribute we're attempting to write a policy Xpress reverse sync policy that uses an LDAP query to get the value of the attribute, but it seems there's no way outside of custom java code to set that value in the user store. It seems the reverse sync policy xpress policies have no concept of 'user' objects and instead only understand 'account' information. This is important because it limits the actions we're able to perform and inhibits us from setting a user attribute. In combination with this limitation we are also unable to set values using LDAP in an action rule preventing the attempted scenario described above from working.