How to change the UserID from commandline in an LDAP integrated environment?


Guido Schneider (3.4k1486115) | asked Dec 07 '15, 5:20 p.m.
Dear all,

Our company is moving all user objects from one AD forest into another AD forest. One effect of this is that all the users are also getting new userIDs in AD (UserPrincipalName in our case).
Because this process will last for a few months until all the thousands of users are moved, we cannot sit daily at the WebUI JTS Admin page, change the advanced property of LDAP type to UNASSIGNED, edit the userIDs and set the property back to LDAP. We also often had to restart JTS when we did this operation in the past for single users, because we lost the token server connection (!).

The process must be automated by a script or application.

With repotools-jts I have not found a possibility to change a UserID. Only modify the User attributes and create new users.

Question:
- Did I miss something possible in repotools so I can change userIDs on the fly during runtime?
- Is there another possibility to do this online?
- Is there already an Enhancement Request for such a functionality against repotools-jts, if it is not able to do it yet?

Any idea is welcome.

Regards
Guido

2 answers



Georg Kellner (840378108) | answered Dec 09 '15, 5:10 a.m.
Hi Guido,

Have you seen this article?
https://rsjazz.wordpress.com/2012/10/12/changing-the-jazz-user-id-using-the-rtc-plain-java-client-libraries/

Greetings, Georg.

Comments
Guido Schneider commented Dec 09 '15, 7:28 a.m.

Thanks.

I missed this article at rsjazz.


Donald Nong (14.5k414) | answered Dec 07 '15, 5:49 p.m.
How about just keeping the LDAP type as "unassigned" for this long period? I believe you only lose the user synchronization feature by doing so. You may not want the users to be synchronized during this transition anyway.

What I'm interested in is: are you going to configure both the old and new AD forests in the application server? If so, what if there are duplicate user IDs?

Comments
Guido Schneider commented Dec 07 '15, 7:33 p.m.

Ok. If having the property permanently on "unsupported" has no other impacts than losing the synch, I can live with it. The user synch I do not need anyway, because it cannot synch from two LDAP registries. For the synch I have an external script which reads the JazzUsers group of both forests, merges them and calls repotools -createusers. Works perfectly. Better than the built-in synch.

To verify against two LDAP registries I have configured a federated Realm. There I can filter users based on AD attributes, e.g. disabled.

The approach of IT to rename the UPN and samAccountName should prevent double userIds.


Guido Schneider commented Dec 07 '15, 7:36 p.m.

But with having the property on unsupported I'm still missing a command to rename the user.


Ok. I could write e.g. a curl script or something similar and simulate the manual work.
Do you know another approach or an API (e.g. REST or Java)? It must not be supported and not stable.
 


Donald Nong commented Dec 07 '15, 10:15 p.m.

I'm not aware of such APIs or commands. IIRC, even the renaming of a user is "unsupported", so I doubt that any APIs or commands would support such a "feature".
