This post is primarily so I remember how I do every client's AD. The point of saving AD values as Identity Attributes is twofold: first, to indicate whether the user has an AD account (this can be done for any target, but AD is the one almost everyone uses as their primary provisioning target). Second, it gives you the OPTION of retaining the values permanently, which lets you ensure that no duplicates are created later.
I create 5 Identity Attributes:
adLogin (AD Login) which derives from sAMAccountName
adEmailAddress (AD Email Address) which derives from mail
adDistinguishedName (AD Distinguished Name) which derives from distinguishedName
adUserPrincipalName (AD User Principal Name) which derives from userPrincipalName
adObjectGuid (AD Object Guid) which derives from objectguid
Any or all of these can be backed up with a global rule I normally call IdentityAttribute-PersistOldValue, whose source is literally `return oldValue;`
You have to decide on your own which, if any, are sortable. Make a value sortable if you plan to search on it using any search method.
If you use the global rule then your values will not be removed if the user loses their AD account, so a populated value means the user has or once had an account, not that the account still exists. Be careful and aware of this.
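To make the trade-off concrete, the following added example (not SailPoint IdentityIQ code, and not part of the original post) models the attribute evaluation the post describes: each AD identity attribute takes the value from the AD account when one is linked, otherwise the fallback rule returns the previously stored value. The `Identity` class, the account dictionaries and the `persist` flag are simplified stand-ins for IIQ's identity, link and attribute-source configuration; the attribute names follow the post.

```python
"""Model of a persisted AD identity attribute across two aggregations.

Constructed example, not SailPoint IdentityIQ code. It imitates the source
ordering described in the post (application attribute first, then a fallback
rule returning the old value) so that the effect of the
IdentityAttribute-PersistOldValue rule on account loss and on duplicate
checking can be seen without an IIQ instance.
"""
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Identity attribute -> AD account attribute it derives from (as in the post).
AD_ATTRIBUTE_MAP = {
    "adLogin": "sAMAccountName",
    "adEmailAddress": "mail",
    "adDistinguishedName": "distinguishedName",
    "adUserPrincipalName": "userPrincipalName",
    "adObjectGuid": "objectguid",
}


@dataclass
class Identity:
    """Stand-in for an IIQ identity: one optional AD link plus attributes."""
    name: str
    ad_link: Optional[dict] = None          # aggregated AD account, None if gone
    attributes: dict = field(default_factory=dict)


def persist_old_value_rule(old_value, new_value):
    """Stand-in for the post's global rule, whose body is `return oldValue;`."""
    return old_value


def refresh_ad_attributes(identity: Identity, persist: bool) -> dict:
    """Recompute the five AD attributes for one identity refresh.

    For each attribute the AD link is consulted first; if it yields nothing
    (no link, or attribute missing) the fallback rule supplies the old value
    when `persist` is True, otherwise the attribute is cleared.
    """
    for attr, ad_attr in AD_ATTRIBUTE_MAP.items():
        old = identity.attributes.get(attr)
        new = identity.ad_link.get(ad_attr) if identity.ad_link else None
        if new is None and persist:
            new = persist_old_value_rule(old, new)
        identity.attributes[attr] = new
    return identity.attributes


def appears_to_have_ad_account(identity: Identity) -> bool:
    """First use from the post: a populated adObjectGuid marks an AD user.

    With persistence on, this stays True after the account is deleted, which
    is exactly the caveat the post warns about.
    """
    return identity.attributes.get("adObjectGuid") is not None


def login_is_taken(candidate: str, identities: Iterable[Identity]) -> bool:
    """Second use from the post: refuse a login held now or in the past.

    sAMAccountName is case-insensitive, so compare case-folded values.
    """
    held = {i.attributes.get("adLogin") for i in identities}
    return candidate.casefold() in {v.casefold() for v in held if v}


def simulate_account_loss(persist: bool) -> Identity:
    """Aggregate an AD account, then aggregate again after it was deleted."""
    user = Identity("jsmith")
    user.ad_link = {                      # constructed sample AD account
        "sAMAccountName": "jsmith",
        "mail": "jsmith@example.test",
        "distinguishedName": "CN=J Smith,OU=Users,DC=example,DC=test",
        "userPrincipalName": "jsmith@example.test",
        "objectguid": "00000000-0000-0000-0000-000000000001",
    }
    refresh_ad_attributes(user, persist)
    user.ad_link = None                   # account removed from AD
    refresh_ad_attributes(user, persist)
    return user


if __name__ == "__main__":
    for persist in (True, False):
        u = simulate_account_loss(persist)
        print(f"persist={persist}: adLogin={u.attributes['adLogin']!r}, "
              f"looks like AD user={appears_to_have_ad_account(u)}, "
              f"'JSmith' taken={login_is_taken('JSmith', [u])}")
```

Run as a script it prints both outcomes side by side: with the persist rule the former login still blocks reuse but the identity still looks like an AD user; without it the login is free to reuse and the AD indicator correctly goes away. Which of the two you want is the decision the post leaves to you.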