Currently, any change which affects the Common Name or Distinguished Name of an object will be performed, but the SPML Provider will lose track of the changed object and return an error. This includes the actions performed by the default User Deprovisioning policy.
This has been identified as product defect TF00430254.
In the case of Deprovisioning a User object, you may choose to modify the Deprovisioning policy so that the Distinguished Name of the target object is not changed.
In the case of Deprovisioning a User object, it is possible to change the default Suspend action for the SPML Provider so that it performs a Deprovision instead.
On the machine hosting the SPML Provider, edit the SPML.config file. By default, this is located in C:\Program Files\Quest Software\SPML Provider\Web
Find the following section:
Change to match the following:
Now, instead of the actions taken previously, send a Suspend command to a User object when a Deprovisioning is needed. For more information, please reference the documentation included with the SPML Provider.WORKAROUND 3
It is possible to include a flag with the SPML command so that it does not wait for the results of the request, but instead will return a success as long as the command is received by the SPML Provider.
The SPML command will contain a line similar to this:
<spml:modifyRequest xmlns:spml="urn:oasis:names:tc:SPML:2:0">Modify it to match the following:
<spml:modifyRequest xmlns:spml="urn:oasis:names:tc:SPML:2:0" returnData="nothing">
This Product Defect (TF00352811) has been fixed in version 7. The deprovisioning of the user is competed successfully through SPML in Active Roles 7.0, but no response is provided because during the process the DN of the user gets changed and SPML provider will lose track of the changed user’s DN.
Further development is being considered to enhance/improve this behavior (TF00683756). This will be included in a future release of Active Roles.