This topic has 4 replies, 2 voices, and was last updated 6 years ago by ssripathy.


    I have a problem with synchronization from managed user to system LDAP account.
    Actual requirement:
    • Target needs to be updated with the new uid in LDAP (target), since there is a user name change.

    We have a sync mapping managedUser_systemLdapAccount; in this we are getting the situation MISSING, and the action for this is UNLINK.
    What would really happen in this case?
    1. Will it create a new record in LDAP?
    2. What would be the ACTION to perform in this SITUATION, since the user name (uid in target) is the only change but the other fields remain the same?

    Can we use UPDATE in the MISSING situation?


    A few more details would help. Is the DN in LDAP based on this uid? Do you have a correlation query?
    I see 2 situations potentially arising out of this for recon purposes: MISSING, as the source does not have a matching target for that link, and UNQUALIFIED, as the target does not have a source for the link.

    In any case, based on the bug resolution below UPDATE action should work on that account and change its DN.

    In terms of best practice, it's always a good idea to use an immutable unique ID as part of the LDAP DN; it would keep your sync mapping much simpler instead of having to handle these situations.
    Hope that helps!


    If you are using a CREST LDAP connector you may not be able to update the DN anyway. See Ludo’s response at


    Yes, the DN is based on this uid and we transform the dn as below with uid (userName):

    {
        "source" : "userName",
        "target" : "dn",
        "transform" : {
            "type" : "text/javascript",
            "source" : "('PersonID=' + source + ',ou=people,o=example')"
        }
    }

    And there is another attribute in the mapping:

    {
        "source" : "userName",
        "target" : "uid"
    }

    Below is the correlation query.

    "correlationQuery" : {
        "type" : "text/javascript",
        "source" : "var map = {'_queryFilter': 'uid eq \"' + source.userName + '\"'}; map;"
    }

    In case of MISSING we used the action UNLINK; this resulted in creating another record instead of updating the existing record with the UID change.
    And we are using LDAPConnector (org.identityconnectors.ldap.LdapConnector).

    We will try with UPDATE for this situation.
    Thanks for your response.


    Shouldn't this be the dn expression in your transform statement above?

    "source" : "('cn=' + source.userName + ',ou=people,o=example')"

    instead of what your snippet had below:

    "source" : "('PersonID=' + source + ',ou=people,o=example')"
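The following is an added example, not code from any post in this thread or from OpenIDM itself: it models the two DN strategies discussed above (RDN built from the mutable userName, as in the posted transform, versus RDN built from an immutable ID, as the best-practice reply suggests) so the effect of a username change can be compared. It also escapes the RDN value per RFC 4514, which the posted transform does not do. The attribute names `uid` and `PersonID`, the `_id` stable key and the sample values are assumptions; in a property-level transform with `"source" : "userName"`, the `source` variable holds that attribute's value.

```javascript
// Added example, not taken from the thread. Models the two DN strategies discussed
// above so the effect of a userName change can be compared. Node.js, no dependencies;
// attribute names ('uid', 'PersonID'), the `_id` key and sample values are constructed.

const BASE_DN = 'ou=people,o=example'; // the suffix used in the thread's transform

// Escape an attribute value for use inside an RDN (RFC 4514, section 2.4).
function escapeDnValue(value) {
  let s = String(value).replace(/([\\,+"<>;=])/g, '\\$1');        // specials anywhere
  if (s.startsWith('#') || s.startsWith(' ')) s = '\\' + s;        // leading '#' or space
  if (s.endsWith(' ') && !s.endsWith('\\ ')) s = s.slice(0, -1) + '\\ '; // trailing space
  return s;
}

// Strategy A (the thread's mapping): the RDN is the mutable userName. In a
// property-level transform with "source": "userName", `source` holds that value.
function dnFromUserName(source, rdnAttr) {
  return rdnAttr + '=' + escapeDnValue(source) + ',' + BASE_DN;
}

// Strategy B (the best-practice reply): the RDN is an immutable identifier.
// `_id` stands in for whatever stable key the managed user carries (assumed).
function dnFromImmutableId(sourceObject) {
  return 'PersonID=' + escapeDnValue(sourceObject._id) + ',' + BASE_DN;
}

// The correlation query filter from the thread, built from the source object.
function correlationFilter(sourceObject) {
  return 'uid eq "' + sourceObject.userName + '"';
}

// Compare what the target must do when a user's userName changes under each strategy.
function renameImpact(before, after, rdnAttr) {
  return {
    uidAttributeChanged: before.userName !== after.userName,
    userNameDnChanged: dnFromUserName(before.userName, rdnAttr)
                    !== dnFromUserName(after.userName, rdnAttr),
    immutableIdDnChanged: dnFromImmutableId(before) !== dnFromImmutableId(after),
    // The filter now searches for the new uid, which the not-yet-updated entry lacks.
    filterFindsOldUid: correlationFilter(after) === correlationFilter(before),
  };
}

// Constructed sample: the same managed user before and after a username change.
const sampleBefore = { _id: '8c4e0f2a-example-id', userName: 'jdoe' };
const sampleAfter  = { _id: '8c4e0f2a-example-id', userName: 'john.doe' };
console.log(renameImpact(sampleBefore, sampleAfter, 'uid'));
// → { uidAttributeChanged: true, userNameDnChanged: true,
//     immutableIdDnChanged: false, filterFindsOldUid: false }
```

Under strategy A the entry's DN itself changes, so the target needs a rename rather than a plain attribute modify; under strategy B only the uid attribute changes and the DN, and therefore the link, stays stable.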


©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
