Directory Object Search

Have you ever wanted to perform an LDAP search in a workflow to check for … well let’s just say a duplicate UNIX UID.
In this example the account add workflow is checking to make sure the Unix UID is not in use by another account. The requirements in this instance are that UNIX UID can only be used once in a service. Once the duplicate is found the next step is up to you but in this case the account add was rejected.

First thing you have to do is expose the dataservices model. Add the following line to*

Example Script in Workflow Script Node:

This script node is from an Account Add workflow. The script gets the service DN and erposixuid from the new account. The service DN and UNIX UID are used to verify the UNIX UID has not been used before in the same service. The Directory Object Search will search ITIM’s LDAP as you can see from the search base. There are also a couple examples to get the account attributes.

/* Search the current service for an account with the same unix uid */

var myAccount = account.get();
var myPerson = owner.get();

var unixUidMatch = ‘false’;
var dupAccountList = ”;

/* Get Service DN */
var myServiceDN = myAccount.getProperty(“erservice”)[0];

var myInputPosixUid = myAccount.getProperty(“erposixuid”);
if (myInputPosixUid != null && myInputPosixUid.length > 0)
myInputPosixUid = myInputPosixUid[0];
myInputPosixUid = “unknown”;

if (myInputPosixUid != “unknown”) {
/* Search Accounts within Service for unix UID */
var searchFilter = ‘(&(erservice=’ + myServiceDN + ‘)(erposixuid=’ + myInputPosixUid + ‘))’;
var searchBase = ‘ou=accounts,erglobalid=00000000000000000000,ou=XXX,O=XXX’;
var base = new;

var params = new;
var search = new;
var results = search.fetch(base, searchFilter, params).iterator();

while (results.hasNext()) {
/* Duplicate Unix UID Found */
var dirObj =;
/* Get Account Object */
var mySearchAccount = new Account(dirObj.getDistinguishedName().toString());

var mySearchEruid = mySearchAccount.getProperty(‘eruid’);
if (mySearchEruid != null && mySearchEruid.length > 0) {
mySearchEruid = mySearchEruid[0];
if (unixUidMatch == ‘true’)
dupAccountList = dupAccountList + ‘ ,’+ mySearchEruid;
dupAccountList = mySearchEruid;
unixUidMatch = ‘true’;


while (results.hasNext()) {
var dirObj =;
var myDupAccountID = dirObj.getAttribute(“eruid”);
if (myDupAccountID!=null) {
myDupAccountID = myDupAccountID.getValueString();

Processing Multiple Attribute Values with the TDI 7.1 FOR-EACH Attribute Connector

In previous versions of the IBM TDI product the task of processing a report or directory integration has been a challenge when working with attributes that may have more than one value.

One such example that we see frequently with the ISIM product is the erroles attribute assigned to the ISIM Person record. Luckily with IBM TDI 7.1 we have a new connector type that allows us to easily process these called the FOR-EACH Attribute loop. The following is a demonstration of how this function connector works in a simple report generating TDI.

In this example we will be Iterating all Person records contained in ISIM. The connector looks like this:


The Search Base & Search Filter should something along the lines of:


(Note: with a Search Filter of (erroles=*) only Person Records that contain at least 1 role will be selected).

The next step is to make use of the FOR-EACH Attribute connector. The iterator has already loaded the work.erroles object which may contain multiple values. This attribute contains the DN of the role assigned to the ISIM Person which we will need to translate into a Role Name (errolename).

We will need to define a Work Attribute Name & a Loop Attribute Name. The Work attribute is the incoming multi-value attribute from the iterator, in this case erroles. The Loop Attribute Name is the single value attribute at the coordinate for the current loop count.


Once this has been defined, we can add connectors below to lookup & then record the data for each pass of the Role Loop. First we do a lookup using the DN of the role (loopRole) to resolve the role’s name (errolename).



Since the work.errolename value will be over-written with each pass of the Role Loop, we will need to store, or write the value to file before finishing the loop & moving on to the next value of erroles. In this example I have inserted a File Connector to write the report as it is being passed through the loop. However there are other options available such as storing the values in an array eg. work.errolename & then looping through them using JavaScript in a connector further on in the TDI.


Mapping Manager DN in a Provisioning Policy

Below is a helpful little script that makes it possible for a provisioning policy (in this case AD) to map the correct DN for a manager:

/*AD Manager*/ 
var adDN = ''; 
var myServiceDN = service.dn; 
var mySupvDN = subject.getProperty('manager'); 
if (mySupvDN != null && mySupvDN.length >0){
    mySupvDN = mySupvDN[0];
    var globalid = mySupvDN.substring(mySupvDN.indexOf("=")+1,mySupvDN.indexOf(","));
    var myPersonSearch = new PersonSearch(); 
    var searchResult1 = myPersonSearch.searchByFilter("Person","(erglobalid="+globalid+")", 2);
    if (searchResult1 != null && searchResult1.length > 0) {
     var mySupv = new Person(mySupvDN);
     var supvUID = mySupv.getProperty('uid');
     if ((supvUID != null) && (supvUID.length > 0)){
         supvUID = supvUID[0];
         var myAccountSearch = new AccountSearch();
         var mySupvAccountList = myAccountSearch.searchByUid(supvUID, myServiceDN);
         if (mySupvAccountList!=null && mySupvAccountList.length > 0) {
             mySupvAccount = mySupvAccountList[0];
             var adDN = mySupvAccount.getProperty("eraddistinguishedname");
             if (adDN !=null && adDN.length >0) {
                adDN = adDN[0];
                return adDN;

Here is a list of steps that are being taken by this script to return the AD DN of the manager: Read more