You may have configured your Policy Xpress policy to set a user as part of an Active Directory group, but you're receiving an error message indicating that there was an "Error setting account attribute ; Not a valid IAM handle". We've implemented a similar PX on IM R12.5 SP8 and it is working. These are the steps taken to achieve the goal:
The values should be something like: ADSGroup=Administrators,ADSContainer=Builtin,EndPoint=im1251_SSL,Namespace=ActiveDirectory,Domain=im,Server=Server
After performing the above steps, you may then receive a JIAM Exception indicating that there's "No Such Object"; if so, please consider the following:
On native ADS, the group DN is in OU, not CN containers.
So the proper format to use in PX Policy would be: ADSGroup=x,ADSOrgUnit=x,EndPoint=x,Namespace=ActiveDirectory,Domain=im,Server=Server
If you use ADSContainer, it will resolve to cn instead of ou. In some cases you may need to use a combination of them depending on what the actual DN is on the native ADS system.
Please post with any questions or concerns. Thank you. Regards,
Chris Thomas CA Technologies Principal Support Engineer Identity Manager Reporting Expert Tel: +1-631-342-4360 Chris.Thomas@ca.com
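As an added example (not part of the post above, and not CA's own code), here is a small helper that builds the IM-style DN the post describes from the group's native AD DN, choosing ADSContainer for CN containers (Builtin, Users) and ADSOrgUnit for OU containers, and dropping the DC components. The EndPoint, Domain and Server values, and the order in which nested containers are emitted (leaf first, as in the native DN), are assumptions; the native DNs used as input are constructed sample data, standing in for what you would get back from a directory search.

```python
# Container attribute mapping taken from the post above: CN containers map to
# ADSContainer, OUs map to ADSOrgUnit. Anything else (other than DC) is rejected.
CONTAINER_MAP = {"CN": "ADSContainer", "OU": "ADSOrgUnit"}


def split_dn(dn):
    """Split an LDAP DN into (ATTR, value) pairs, honouring backslash-escaped
    commas per RFC 4514 so a group like 'Sales\\, EMEA' is not split in two."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def native_to_im_dn(native_dn, endpoint, im_domain="im", server="Server"):
    """Convert a native AD group DN into the IM DN format used by the PX policy.

    endpoint/im_domain/server are assumptions for illustration; the Domain=
    value is the IM environment, not the AD domain, so DC= parts are dropped.
    """
    rdns = split_dn(native_dn)
    if not rdns or rdns[0][0] != "CN":
        raise ValueError("expected the group RDN (CN=<group>) first")
    pieces = ["ADSGroup=" + rdns[0][1]]
    for attr, value in rdns[1:]:
        if attr == "DC":
            continue
        if attr not in CONTAINER_MAP:
            raise ValueError("unsupported container attribute: " + attr)
        # Mixed paths (e.g. OU under CN=Users) produce a combination of
        # ADSOrgUnit and ADSContainer, as the post notes can be required.
        pieces.append(CONTAINER_MAP[attr] + "=" + value)
    pieces += ["EndPoint=" + endpoint, "Namespace=ActiveDirectory",
               "Domain=" + im_domain, "Server=" + server]
    return ",".join(pieces)


if __name__ == "__main__":
    # Constructed sample native DNs (not from any real directory).
    for dn, ep in [("CN=Administrators,CN=Builtin,DC=im,DC=local", "im1251_SSL"),
                   ("CN=Region Admins,OU=Regions,DC=im,DC=local", "XX_AD"),
                   ("CN=Ops,OU=Teams,CN=Users,DC=corp,DC=example", "XX_AD")]:
        print(native_to_im_dn(dn, ep))
```

Feed the function the DN returned by your own group search (e.g. by sAMAccountName) to populate the PX attribute value dynamically; if IM still reports "No Such Object", compare the emitted ADSContainer/ADSOrgUnit parts against the real DN on the native ADS side.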
Is there a way to get the IdM DN dynamically based on the group name? For instance, can I search for the group name *** and get back the DN ADSGroup=***,Container_ADSOrgUnit=Regions,EndPoint=XX_AD,Namespace=ActiveDirectory,Domain=IDENTITY_MANAGER,Server=Server
Brilliant! It is obvious, that you put a lot of work into this solution.
Agreed with Alan.