Identity Manager and Converting Multi-Valued Attributes to Single-Valued Attributes

This is an article on how to combine multiple values from a multi-valued attribute into a single valued attribute. This is required when you have multiple values in for example the Location or Room Number in eDirectory.


We are first going to see what goes wrong:

One value

When we populate the location field in iManager for a synchronized user the value gets synced as well: Enter the single value in iManager: idmmultivalue01.jpg
And the value get synced to Active Directory: idmmultivalue02.jpg

Two values

Now we first remove the original value (make sure the removal of the attribute gets synchronized) and then add two values to the attribute: idmmultivalue03.jpg
But the value doesn't sync through: idmmultivalue04.jpg
But in the dstrace log we see an error:

13:07:48 AD-driver ST:
DirXML Log Event -------------------
Driver: \SHIFT-TREE\shift\AD-driver\AD-driver
Channel: Subscriber
Object: \SHIFT-TREE\shift\SHIFTUSERS\SjoerdH
Status: Error
Message: <ldap-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
   <client-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value Exists</client-err>
   <server-err>00002081: AtrErr: DSID-030F10D6, #1:
   0: 00002081: DSID-030F10D6, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 13 (physicalDeliveryOfficeName)
   <server-err-ex win32-rc="8321"/>


To solve this issue we need to create a new policy, and in that policy we have to create three rules:

  • Setup Local Variable
  • Concatenate Values
  • Remove Values If Needed

First I'll show you each rule individually and after that the end result.

Create Policy

The policy has to be created in the “Event Transformation Policies”: idmmultivalue05.jpg
Click 'Insert' and provide the required values: idmmultivalue06.jpg

Setup Local Variable

We first create a simple rule that creates a local variable that is a nodeset of the L (location) attribute: idmmultivalue07.jpg

Concatenate Values

The second rule is a bit more complex. The conditions are still simple: idmmultivalue08.jpg

But the actions are a bit more complicated. Below I show you first the complete action list, and then I explain the first and third one a bit more in depth: idmmultivalue09.jpg

The first action is not even entirely visible. Click on the 'Edit the Actions' button. Now you see that 'for each' value you create a local variable called lvlocationoffice: idmmultivalue10.jpg

And again, this time the arguments, are not entirely visible. Click on the 'Edit the arguments'. Here you set the variable to itself, followed by a comma, a space, and a special value called 'current-node'. The current-node is the attribute value for the specific increment the loop is on: idmmultivalue11.jpg

The third actions needs a more in depth view of the arguments, if you click 'Edit the arguments' you can edit the verb 'Replace First'. Don't forget that you're replacing a comma and a space: idmmultivalue12.jpg

Remove Values If Needed

Needed in case it's a “remove all values” event“: idmmultivalue13.jpg

End Result

iManager view



<?xml version="1.0" encoding="UTF-8"?><policy>
		<description>Setup Local variable</description>
				<if-op-attr name="L" op="available"/>
				<if-op-attr name="L" op="changing"/>
			<do-set-local-variable name="locationoffice">
					<token-src-attr name="L"/>
		<description>Concatenate Values</description>
				<if-local-variable name="locationoffice" op="available"/>
				<if-src-attr name="L" op="available"/>
					<token-local-variable name="locationoffice"/>
					<do-set-local-variable name="lvlocationoffice">
							<token-local-variable name="lvlocationoffice"/>
							<token-text xml:space="preserve">, </token-text>
							<token-local-variable name="current-node"/>
			<do-strip-op-attr name="L"/>
			<do-set-dest-attr-value class-name="User" name="L">
				<arg-value type="string">
					<token-replace-first regex=", " replace-with="">
						<token-local-variable name="lvlocationoffice"/>
		<description>Remove Values If Needed</description>
				<if-src-attr name="L" op="not-available"/>
			<do-strip-op-attr name="L"/>
			<do-clear-dest-attr-value name="L"/>


Now the values in eDirectory give these values in Active Directory: idmmultivalue15.jpg
But also, these values sync back: idmmultivalue16.jpg


Last modified: 2013/03/05 06:58 by sjoerd