mmiltenberger <> wrote:
> We are a Medical School within a University, that also has a Hospital
> involved in our network environment.
> We all 3 have separate IDM environments (All Novell IDM), with 2 of
> them being connected together so that we have a shared user base. We
> are now getting ready to bring the third environment into the mix, as we
> have the need to have user accounts provisioned throughout all 3
> environments.
> However, this third environment has a substantial ID base. One of the
> parties involved doesn't seem to want to synch all of these accounts to
> their IDvault, as most likely, none of them will ever be provisioned for
> any reason. However, if the accounts are not synched, then we need
> some way of determining how to assign an available unique cn to a user
> in this environment.
> Has anyone ever NOT relied on utilizing their IDvault as their
> authoritative source for "Unique CN" in their account provisioning
> processes?
> Right now, all three sites rely on their IDvault having all user
> accounts in their idvault, so when new users are provisioned, processes
> just look at the IDvault to see what the next available Unique CN there
> is to use.
> I would be interested in hearing any feedback/thoughts on if any other
> approaches are used... i.e. a database/web service that maintains a
> database of used cn's.
> Thanks!

I have done this several times. There are a couple of solutions.
One option is to create a dummy user object in the tree where you create
your user IDs.
Then you can sync all the CN values from the other trees to this object
(if that is the attribute you use for naming).
Another option is to query the other trees for the CN when generating the
ID. There is a forum post about how to do it that Father Ramon wrote and a
Cool Solution that I wrote based on that post.
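
A sketch of the "query the other trees" option, added here as an illustration and not taken from the forum post or the Cool Solution it mentions. The first-initial-plus-surname naming scheme, the function names and the in-memory lookups standing in for per-tree LDAP searches are all assumptions; the point shown is that the generator refuses to hand out a CN when any tree cannot answer, instead of treating silence as "not in use".

```python
from typing import Callable, Dict, Iterable, Iterator

# A lookup takes a candidate CN and returns True if that tree already uses it.
# In production each lookup would be an LDAP search against one tree; these
# are hypothetical stand-ins backed by constructed sample data.
Lookup = Callable[[str], bool]


class TreeUnavailable(Exception):
    """A tree could not answer, so uniqueness cannot be proven."""


def make_lookup(used_cns: Iterable[str], online: bool = True) -> Lookup:
    folded = {cn.casefold() for cn in used_cns}  # CN matching ignores case

    def lookup(candidate: str) -> bool:
        if not online:
            raise ConnectionError("tree unreachable")
        return candidate.casefold() in folded

    return lookup


def candidates(given: str, surname: str) -> Iterator[str]:
    # Assumed scheme: jsmith, jsmith2, jsmith3, ...
    base = (given[:1] + surname).lower()
    yield base
    for n in range(2, 1000):
        yield f"{base}{n}"


def next_unique_cn(given: str, surname: str, trees: Dict[str, Lookup]) -> str:
    for cn in candidates(given, surname):
        try:
            # Free only if every tree reports the CN as unused.
            if not any(lookup(cn) for lookup in trees.values()):
                return cn
        except ConnectionError as exc:
            # Fail closed: an unverified CN may collide with an existing account.
            raise TreeUnavailable(f"cannot verify {cn!r}") from exc
    raise RuntimeError("candidate space exhausted")


# Constructed sample data for three trees.
TREES = {
    "university": make_lookup({"jsmith", "JSmith2"}),
    "medschool": make_lookup({"jsmith3"}),
    "hospital": make_lookup({"adoe"}),
}
```

The check and the later create are still two separate steps, so two provisioning runs racing on the same name need a serialised allocator or a uniqueness constraint on the create itself.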