When we do a reconciliation in ITIM, it is sometimes desirable to have the list of non-compliant attributes on accounts.
Unfortunately, this does not seems easy to have : the report gives us only the list of non-compliant accounts, but not the detail.
I discovered this morning that for AD account (objectclass=eradaccountitem), the non compliant attributes are stores in the ITIM LDAP directory, as separate entries under the account object.
For example, if the givenname attribute is not compliant on the AD account vs User, one can have such entry :
dn: erglobalid=5438921730163870300,erglobalid=533996249009324649,ou=0,ou=accounts, erglobalid=00000000000000000000,ou=MYCORP,o=ITIM ercreatedate: 201404101151Z erattributeaction: 3 erglobalid: 5438921730163870300 objectclass: top objectclass: erComplianceIssue erattributename: givenname erbigcustomdata: Dmitry eroverride: false
The ADaccount entry DN itself is :
Then, to have a list of all non-compliances, it is easy to build an ldap request, with these parameters :
- Base DN : ou=0,ou=accounts,erglobalid=00000000000000000000,ou=TENANT
- filter : objectclass=erComplianceIssue
What I discovered also is that seems to be valid only when the Enforcement Policy is set to "Alert".