Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

How to change the UserID from commandline in an LDAP integrated environment?

Dear all,

our company is moving all user objects from one AD forest into another AD forest. One effect of this is that all the users are also getting new userIDs in AD (UserPrincipalName in our case).
Because this process will last for a few months until all the thousands of users are moved, we cannot sit daily at the WebUI JTS Admin page, change the advanced property of LDAP type to UNASSIGNED, edit the userIDs and set the property back to LDAP. We also often had to restart JTS when we did this operation in the past for single users, because we lost the token server connection (!).

The process must be automated by a script or application.

With repotools-jts I have not found a possibility to change a UserID. Only modify the User attributes and create new users.

Question:
- Did I miss something possible in repotools so I can change userIDs on the fly during runtime?
- Is there another possibility to do this online?
- Is there already an Enhancement Request for such a functionality against repotools-jts, if it is not able to do it yet?

Any idea is welcomed.

regards
Guido


0 votes



2 answers

Hi Guido,

have you seen this article?
https://rsjazz.wordpress.com/2012/10/12/changing-the-jazz-user-id-using-the-rtc-plain-java-client-libraries/

greetings georg.

1 vote

Comments

Thanks.

I missed this article at rsjazz


How about just keeping the LDAP type as "unassigned" for this long period? I believe you only lose the user synchronization feature by doing it. You may not want the users to be synchronized during this transition anyway.

What I'm interested in is: are you going to configure both the old and new AD forests in the application server? If so, what if there are duplicate user IDs?

0 votes

Comments

Ok. If having the property permanently on "unsupported" has no other impacts than losing the synch, I can live with it. The user synch I do not need anyway, because it cannot synch from two LDAP registries. For the synch I have an external script which reads the JazzUsers group of both forests, merges this and calls repotools -createusers. Works perfectly. Better than the built-in synch.


To verify against two LDAP registries I have configured a federated Realm. There I can filter users based on AD attributes, e.g. disabled.

The approach of the IT to rename the UPN and samAccountName should prevent double userIDs.

But with having the property on unsupported I'm still missing a command to rename the user.


Ok. I could write e.g. a curl script or something similar and simulate the manual work.
Do you know another approach or an API (e.g. REST or Java)? It must not be supported and not stable.
 

I'm not aware of such APIs or commands. IIRC, even the renaming of a user is "unsupported", so I doubt that any APIs or commands would support such a "feature".

Question details

Question asked: Dec 07 '15, 5:20 p.m.

Question was seen: 3,029 times

Last updated: Dec 09 '15, 7:28 a.m.
