Dynamic Organizational Unit provisioning with ILM 2007/MIIS 2003

System administrators often face the task of creating an OU structure in one or more corporate LDAP directories, such as Active Directory, ADAM/AD LDS, OpenLDAP or eDirectory. In an organization where the administrator is asked to place a user account object in the OU corresponding to the user's department, title, or any other container calculated dynamically from the user's attributes, (s)he must know (and therefore hard-code) the values of the target containers/organizational units in the connected LDAP directory in question.

The MIIS 2003/ILM 2007 developer reference is rich with examples of placing a user account within a pre-defined OU based on the OU's name. When the parent OU is not available, the administrator is expected to create the organizational unit object manually. At the same time, should the organization extend its list of departments (and therefore the list of corresponding OUs), the provisioning code has to be augmented with the new values (paths) and with provisioning/de-provisioning business logic for the newly added target OUs.

To avoid re-compiling the provisioning code for every adjustment in the organizational structure of an enterprise, the administrator can implement a mechanism that creates parent organizational units dynamically, based on the attribute values of the user object in the Metaverse.

This code example also provides a clear path for de-provisioning the user account in the future. To illustrate the challenge of provisioning OUs dynamically from the "user" object-type provisioning cycle, we need to understand the initial provisioning logic for the first user account that encounters the condition where the parent OU is missing. The code "detects" that the parent OU is missing and generates a CSEntry object of type "organizationalUnit" in the target management agent. Consequently the organizational unit object becomes (and remains) connected to the user (person) MVEntry object. All subsequent provisioning attempts of other user objects into the previously generated OU succeed.

A problem can arise, however, when the "first" user in this dynamically generated OU is ready to be de-provisioned. Since the OU object is still connected to that user object, the de-provisioning routine could de-provision the organizational unit object along with the user object, which would leave all other users provisioned to the same OU without a "parent". To avoid this unwanted condition, the provided code example disconnects the "organizationalUnit" object from the "user" object during the next synchronization cycle of the Sync Engine. It is important to make sure that your configuration is not set to leave disconnectors of the "organizationalUnit" type as "normal disconnector".

Administrators are strongly encouraged to review the de-provisioning logic for all object types while implementing this dynamic OU provisioning routine.
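The two-cycle behaviour described above, written as an added C# example of an ILM 2007/MIIS 2003 `IMVSynchronization` provisioning extension. This is not the downloadable code the post links to; it assumes an AD management agent named "AD MA", department OUs created under `OU=Users,DC=example,DC=com`, a Metaverse "person" type carrying `cn`, `department` and `uid`, and that the synchronization service account can read the target directory (the missing-OU check uses `System.DirectoryServices.DirectoryEntry.Exists`). The first cycle stages the OU as a connector of the person; the next cycle disconnects that OU again so that de-provisioning the person can never remove the shared container.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using Microsoft.MetadirectoryServices;

// Added example, not the post's own code. Names below are assumptions.
public class DynamicOuProvisioning : IMVSynchronization
{
    const string AdMaName = "AD MA";                      // assumed MA name
    const string BaseDn = "OU=Users,DC=example,DC=com";   // assumed container

    // OUs already staged for export earlier in this run: a second user of a
    // brand-new department must not stage the same OU again before export.
    static readonly HashSet<string> pendingOus =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    public void Initialize() { }
    public void Terminate() { pendingOus.Clear(); }
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { return false; }

    public void Provision(MVEntry mventry)
    {
        if (mventry.ObjectType != "person") return;
        if (!mventry["cn"].IsPresent || !mventry["department"].IsPresent) return;

        ConnectedMA ma = mventry.ConnectedMAs[AdMaName];
        string dept = mventry["department"].Value;

        // EscapeDNComponent escapes RDN metacharacters (',', '+', '=' ...), so a
        // department value cannot steer the object into an unintended container.
        ReferenceValue ouDn = ma.EscapeDNComponent("OU=" + dept).Concat(BaseDn);

        // Inspect the connectors this person already has in the AD connector space.
        bool hasUser = false;
        List<CSEntry> ouConnectors = new List<CSEntry>();
        foreach (CSEntry connector in ma.Connectors)
        {
            if (connector.ObjectType == "user") hasUser = true;
            else if (connector.ObjectType == "organizationalUnit") ouConnectors.Add(connector);
        }

        // Second cycle: the OU staged last time is still joined to this person.
        // Disconnect it now, so de-provisioning the person later can never take
        // the shared department OU with it. The MA's deprovisioning rule for the
        // organizationalUnit type decides what happens to the disconnected object.
        foreach (CSEntry ou in ouConnectors)
            ou.Deprovision();

        // First cycle: stage the parent OU only if it is not the one just
        // disconnected, not already pending export in this run, and not in AD.
        bool ouKnown = ouConnectors.Count > 0
                    || pendingOus.Contains(ouDn.ToString())
                    || DirectoryEntry.Exists("LDAP://" + ouDn.ToString());
        if (!ouKnown)
        {
            CSEntry ou = ma.Connectors.StartNewConnector("organizationalUnit");
            ou.DN = ouDn;
            ou.CommitNewConnector();
            pendingOus.Add(ouDn.ToString());
        }

        // Provision the person itself below the department OU.
        if (!hasUser)
        {
            CSEntry user = ma.Connectors.StartNewConnector("user");
            user.DN = ma.EscapeDNComponent("CN=" + mventry["cn"].Value).Concat(ouDn);
            if (mventry["uid"].IsPresent)
                user["sAMAccountName"].Value = mventry["uid"].Value;
            user.CommitNewConnector();
        }
    }
}
```

The `pendingOus` cache only covers one synchronization run. If a second run is started before the staged OU has been exported, a duplicate OU can still be staged; the export reports it as an error and the user export succeeds once the OU exists, but it is worth watching for in the export run history. `DirectoryEntry.Exists` throws when the directory cannot be contacted, which is the desired behaviour here: provisioning should fail loudly rather than stage objects blindly.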

You can find the code for "Dynamic Organizational Unit provisioning with ILM 2007/MIIS 2003" here.
