AD Provider: Manager attribute handling across CreateIdentity and EnsureAttribute #165

Description

@blindzero

Summary

Provide reliable, explicit handling for the Manager attribute in the AD provider across steps:

  • CreateIdentity (New-ADUser)
  • EnsureAttribute (Set-ADUser)

Today, Manager may not work (or may be silently ignored) because of a missing or incorrect mapping, and because manager is a DN-valued link attribute that is best handled through the cmdlets' dedicated parameter rather than generic attribute hashtables.

This issue is intentionally separate from the broader “attribute contract + strict validation” work.

Motivation

Manager is commonly required in Joiner/Mover workflows. AD treats it as a link attribute (a DN reference). A generic -Replace @{ manager = ... } is error-prone and requires correctly formatted DNs. New-ADUser and Set-ADUser also provide a dedicated -Manager parameter, which is usually the correct path.

We need:

  • A clear expected value format
  • Deterministic behavior
  • Consistency between create and ensure

Proposed Behavior (defaults)

Supported input format (default)

  • Manager value MUST be a Distinguished Name (DN) string.
    • Example: "CN=Jane Doe,OU=Users,DC=contoso,DC=com"

Rationale: avoids hidden resolution logic and keeps provider behavior deterministic and testable.

Optional future enhancement (not required for this issue)

  • An opt-in resolve mode that accepts UPN/sAMAccountName/GUID and resolves to DN.
    • This is out-of-scope unless explicitly required.

Proposed Implementation

CreateIdentity

When With.Attributes.Manager is provided:

  • Pass it via New-ADUser -Manager <DN> (dedicated parameter)
  • Ensure it is not passed via the generic OtherAttributes hashtable and not silently dropped.

EnsureAttribute

When EnsureAttribute targets Manager:

  • Use Set-ADUser -Manager <DN> (dedicated parameter), not generic -Replace.

Validation

  • Validate DN format (lightweight validation):
    • must be a non-empty string
    • should contain at least one "=" and "," (basic heuristic)
  • If invalid, throw a clear error:
    • “Manager must be a DistinguishedName (DN).”

(Strict validation of supported attributes is handled in the separate issue; this issue focuses on Manager-specific handling.)

Edge Cases

  • Clearing Manager:
    • Define an explicit way to clear:
      • EnsureAttribute with Value = $null clears manager (implementation: Set-ADUser -Clear 'manager')
    • Must be documented and tested.
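The following is an added illustration of the proposed set/clear/validate behaviour, not code from the IdLE repository; the function names Test-IdleManagerDn and Get-IdleManagerSplat are hypothetical. It builds the parameter splat for New-ADUser / Set-ADUser without contacting AD, so it can be unit-tested offline.

```powershell
function Test-IdleManagerDn {
    [CmdletBinding()]
    param([AllowNull()][object]$Value)
    # Lightweight heuristic from this issue: a non-empty string containing
    # at least one '=' and one ','. No directory lookup is performed.
    if ($Value -isnot [string] -or [string]::IsNullOrWhiteSpace($Value)) { return $false }
    return ($Value.Contains('=') -and $Value.Contains(','))
}

function Get-IdleManagerSplat {
    [CmdletBinding()]
    param(
        [AllowNull()][object]$Manager,
        [Parameter(Mandatory)][ValidateSet('Create', 'Ensure')][string]$Operation
    )
    if ($null -eq $Manager) {
        # Create: nothing to set. Ensure: explicit clear via Set-ADUser -Clear 'manager'.
        if ($Operation -eq 'Create') { return @{} }
        return @{ Clear = @('manager') }
    }
    if (-not (Test-IdleManagerDn -Value $Manager)) {
        # Fail fast with the actionable message proposed above.
        throw 'Manager must be a DistinguishedName (DN).'
    }
    # Dedicated parameter, never the generic -Replace / OtherAttributes path.
    return @{ Manager = $Manager }
}

# Constructed sample values; the commented cmdlet calls show where the splat is applied.
$dn = 'CN=Jane Doe,OU=Users,DC=contoso,DC=com'
$create = Get-IdleManagerSplat -Manager $dn -Operation Create
# New-ADUser -Name 'John Doe' -SamAccountName 'jdoe' @create      -> -Manager $dn

$clear = Get-IdleManagerSplat -Manager $null -Operation Ensure
# Set-ADUser -Identity 'jdoe' @clear                              -> -Clear 'manager'

try {
    Get-IdleManagerSplat -Manager 'jane.doe@contoso.com' -Operation Ensure
} catch {
    Write-Warning "Rejected non-DN value: $($_.Exception.Message)"
}
```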

Code Locations (current)

  • src/IdLE.Provider.AD/Private/New-IdleADAdapter.ps1
    • Add/extend mapping for Manager in NewUser and SetUser
  • src/IdLE.Provider.AD/Public/New-IdleADIdentityProvider.ps1
    • Ensure step/provider methods route Manager correctly

Acceptance Criteria

  1. CreateIdentity supports Manager
    • With.Attributes.Manager sets the manager via New-ADUser -Manager.
  2. EnsureAttribute supports Manager
    • Ensuring Manager uses Set-ADUser -Manager.
    • Clearing Manager is supported and documented.
  3. Validation
    • Invalid Manager values fail fast with an actionable message.
  4. Tests
    • Unit tests verify correct cmdlet parameter usage for create + ensure.
    • Tests cover set + clear behavior.
  5. Docs + Examples
    • AD provider docs include:
      • expected DN format
      • example for CreateIdentity + EnsureAttribute
      • example for clearing Manager
