Overview

Distinguished Names are used widely throughout Identity Broker for a number of different purposes. Adapter entities are uniquely identified by their Distinguished Name (DN). Identity Broker can be configured to use LDAP for communicating with identity management platform engines, and as such requires that each entity be marked with a distinguished name attribute. Many transformations use distinguished names to reference entities within Identity Broker.

These distinguished names need to come from somewhere. In Identity Broker, they are generated from a provided format: the Distinguished Name (DN) Template. The DN template is a single string which describes how to generate a distinguished name for an entity. At its simplest, a DN template could look like the following:

CN=[DisplayName],OU=Person,DC=Organization,DC=local

Everything there should look very familiar to anyone who has written a distinguished name before, but of particular note is the [DisplayName] part. This instructs the generator, for any given entity, to substitute the value of that entity's DisplayName field for that section. So for an entity with a display name of "Robb Baron", the resulting distinguished name would be:

CN=Robb Baron,OU=Person,DC=Organization,DC=local

WARNING: When the DN configuration for an adapter or a transformation is modified, the entity repository will not be updated until the entity is cleared or changed. Change detection is also not triggered by changing the DN configuration. As such, any changes to the DN configuration once an adapter is populated should be followed by clearing and reimporting the adapter to ensure all DNs are immediately updated and kept consistent throughout the solution.

Identity Broker Entity Distinguished Names

In Identity Broker, entities which are available through enabled adapters have distinguished names in the following format.

[RDN],OU=[Container Name],DC=IdentityBroker

RDN

The RDN is composed of one or more DN template parts, as described in the following sections, and is configured as part of the adapter.

OU Level

Following the configurable components, all Identity Broker distinguished names contain an OU-level element created from the adapter's container name, which is set during adapter configuration.

DC Level

The top level component is not configurable and all entities and containers reside under it.

Distinguished Name Template Generator

When configuring an adapter, or on select adapter transformations, Identity Broker features an interactive interface for configuring a distinguished name template. This tool allows the simple creation of one or more template components, which together form the RDN of the Identity Broker distinguished name described above.

Special distinguished name template characters can be used literally when manually entering values by escaping them with a backslash (\) character. The special distinguished name template characters are:

Plus Symbol +
Equals Symbol =
Comma ,
Square Brackets [ ]
At Symbol @
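As an added illustration (not Identity Broker's own code), the following Python renders a DN template the way this page describes it: [Field] placeholders are filled from an entity's attributes, and a backslash makes one of the special template characters literal. The RFC 4514 escaping applied to substituted values is an assumption; the page does not state how Identity Broker escapes them, but without it a value containing "," or "+" would change the structure of the generated DN.

```python
# Characters with special meaning in a DN template; a backslash makes them literal.
TEMPLATE_SPECIALS = "+=,[]@"
# Value characters escaped per RFC 4514. Assumption: the page does not say how
# Identity Broker escapes substituted values, so this example escapes them itself.
VALUE_SPECIALS = ',+"\\<>;='


def escape_value(value: str) -> str:
    """Escape an attribute value so it cannot alter the DN's structure."""
    chars = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in "# "
        trailing = i == len(value) - 1 and ch == " "
        chars.append("\\" + ch if ch in VALUE_SPECIALS or leading or trailing else ch)
    return "".join(chars)


def render_dn(template: str, entity: dict) -> str:
    """Expand [Field] placeholders from entity and honour backslash escapes."""
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "\\" and i + 1 < len(template) and template[i + 1] in TEMPLATE_SPECIALS:
            literal = template[i + 1]
            # A literal separator inside a constant must still be escaped in the DN.
            out.append("\\" + literal if literal in VALUE_SPECIALS else literal)
            i += 2
        elif ch == "[":
            end = template.find("]", i)
            if end == -1:
                raise ValueError("unterminated placeholder in template")
            field = template[i + 1:end]
            if field not in entity or entity[field] in (None, ""):
                # The page notes the referenced field should be Required in the schema.
                raise KeyError(f"required field {field!r} missing on entity")
            out.append(escape_value(str(entity[field])))
            i = end + 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample entity matching the page's example.
    print(render_dn("CN=[DisplayName],OU=Person,DC=Organization,DC=local",
                    {"DisplayName": "Robb Baron"}))
```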

General Usage

DN components can be added with the Add button, rearranged by click-dragging a component, or removed with the x button. If more than one component is being configured, the separator between them can be left at the default or changed to a , indicating a multi-part component. The entire template can be cleared with the Clear button. When configuration is complete, the Commit button should be clicked to save any changes made.

Dynamic Value Template Component

By selecting a value in both the left and right selection field dropdown menus, a dynamic value template component can be created. The choice made in the left selection field carries the following considerations.

Schema Field: Evaluates the entity's value for this field and uses it as the component value. The selected field should be Required in the schema, or the adapter cannot be enabled.

@IdBID: Uses the adapter entity's internal Identity Broker identification GUID as the component value.

@Key: @Key has a dual functionality and is commonly used in environments being upgraded. When the adapter key is marked as required, @Key writes the values of the entity's schema key to the DN as a multi-part component. If any field in the adapter key is not required, the Entity ID is written instead.

Constant Value Template Component

By selecting a value from the left selection field dropdown menu and manually entering a value in the right, a constant value template component can be created. This component will be the same for all distinguished names generated by the template.

Distinguished Name Schema Field Template Component

If the adapter schema contains a distinguished-name-typed field, the name of this field surrounded by square brackets can be manually entered in the left selection field. This removes the right selection field, and when an entity's distinguished name is generated, the value of the specified distinguished-name-typed field is used directly.
