ILM2 Unique Name Workflow Activity

March 31, 2009 at 2:29 PM, Henrik Nilsson

I’m currently working with ILM2 for a customer and realized there was no way to ensure usernames are unique except by writing a custom workflow activity, my first except for the LDAP search activity that resides in the same library and is used by the unique name activity. It has been a struggle to complete this because of enormous problems with the Workflow Designer in VS2008, so I decided to go ahead and write a code-only activity. It turns out that the problem, an evil MessageBox within the designer that showed up until I killed the VS2008 task, was because I had set the DesignerSerializationVisibility attribute to DesignerSerializationVisibility.Content instead of DesignerSerializationVisibility.Visible.

Writing an activity for ILM2 isn’t rocket science: you first decide what information it needs, create dependency properties and bind these to regular properties, then create a web UI with whatever logic it needs, and finally write the activity that does the work.

This is how it looks…


So what is it good for then…
Looking at the picture, you see that it first takes an ILM Target attribute, for example “AccountName”; this is where the first unique value found will be written.

The Expression Evaluator makes it possible for a number of different values to be evaluated from top to bottom; if the first attribute value turns out to already exist in the target LDAP catalog, the next one is tested. After a little peeking inside the ILM2 assemblies I managed to find out how to add the lookup button that, when pressed, shows this familiar dialog…


The control is named ProcessParameterPicker and can easily be added to your activity UI by calling base.DesignerHostProvider.CreateParameterPickerControl() and then giving it a TextBox object to write to.

The Remove Characters checkbox and the Remove Characters Regex textbox allow you to remove special characters that might sneak into the source values; for example, the sAMAccountName attribute doesn’t allow characters like /\@+*? and so on. Just check the checkbox and add a regular expression that matches the invalid characters, and they are removed before the evaluation is made.
The sAMAccountName attribute is also a little picky about length, which can’t exceed 20 characters, but how to sort that out is up to you.

The Normalize Diacritics checkbox is especially useful in countries like Sweden, where I live, and where non-ASCII characters like ÅÄÖ need to be normalized before being used in, for example, email addresses.

Then there are a bunch of LDAP attributes that are used to make up the search for the attribute value within a catalog…

  • LDAP Search Root – Where in the catalog you wish to begin your search.
  • LDAP Object Class – If you wish to filter your search to a special object type (currently only supports a single object class).
  • LDAP Target Attribute – The attribute you wish to check for uniqueness.
  • LDAP Server – Self-explanatory.
  • LDAP Server Port – Self-explanatory, 389 by default and currently there is no support for LDAPS.
  • LDAP User Name – Self-explanatory.
  • LDAP Password – Self-explanatory.
  • Last but not least, a button that enables you to test LDAP connectivity.
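
The evaluation described above (candidates tried top to bottom, diacritics normalized, characters stripped by regex, then a directory search) can be sketched as follows. This is an added example, not code from the activity's library: the class and method names are hypothetical, and the LDAP search is replaced by an exists delegate backed by a constructed in-memory set. Truncating to 20 characters and escaping the value per RFC 4515 before it enters the search filter are choices made here.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text;
using System.Text.RegularExpressions;
static class UniqueNameExample
{
    const int MaxSamLength = 20; // sAMAccountName limit mentioned in the post
    // Decompose, drop combining marks, recompose: "Åsa" -> "Asa".
    static string NormalizeDiacritics(string s)
    {
        var sb = new StringBuilder();
        foreach (char c in s.Normalize(NormalizationForm.FormD))
            if (CharUnicodeInfo.GetUnicodeCategory(c) != UnicodeCategory.NonSpacingMark)
                sb.Append(c);
        return sb.ToString().Normalize(NormalizationForm.FormC);
    }

    // RFC 4515 escaping, so the value is always treated as data inside the filter.
    static string EscapeFilterValue(string v)
    {
        var sb = new StringBuilder();
        foreach (char c in v)
            sb.Append("\\*()\0".IndexOf(c) >= 0 ? "\\" + ((int)c).ToString("x2") : c.ToString());
        return sb.ToString();
    }

    // First cleaned candidate for which exists(filter) is false, or null if all are taken.
    // objectClass and attribute are assumed to come from the activity's own configuration.
    static string FirstUnique(IEnumerable<string> candidates, string removeRegex,
                              string objectClass, string attribute, Func<string, bool> exists)
    {
        foreach (string raw in candidates)
        {
            string v = Regex.Replace(NormalizeDiacritics(raw), removeRegex, "");
            if (v.Length > MaxSamLength) v = v.Substring(0, MaxSamLength); // assumed policy
            if (v.Length == 0) continue; // nothing left after cleaning
            string filter = "(&(objectClass=" + objectClass + ")(" + attribute + "=" + EscapeFilterValue(v) + "))";
            if (!exists(filter)) return v;
        }
        return null;
    }
    static void Main()
    {
        // Constructed stand-in for the directory: filters that already match an entry.
        var taken = new HashSet<string> { "(&(objectClass=user)(sAMAccountName=asaostrom))" };
        var candidates = new[] { "åsaöström", "åsa.öström", "å.öström" };
        Console.WriteLine(FirstUnique(candidates, @"[/\\@+*?]", "user", "sAMAccountName", taken.Contains));
    }
}
```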

I’ll publish the library with source code as soon as I have been able to test it more, but if you would like to help me test it out, send me a mail from the contact page and I’ll send it to you.

Posted in: Forefront Identity Manager | Identity Management | Workflow


Comments (2)

Joe Zamora says:

Great job, Henrik.  I wish I had discovered that ProcessParameterPicker months ago!  Your branding is outstanding, and this is a very handy activity.  Congrats!


did you ever publish the source code?

