Associating Users Based on Group Membership

Posted: 5 Jul 2007


A Forum reader recently asked:

"I have a scenario where users are already created in the Identity Vault (IDV). If a user gets added as a member to a group in the IDV tree, I need that user to get created in the remote LDAP database. I found TID 10096124, but in my case, the Group object is not getting synchronized. Here's the fun part ... the Group object is not your typical eDirectory group. The group object has an objectclass of "daldapgroup". The object attribute that stores the user membership is "Member". The group object is the only place where membership is realized. The user object does not contain an attribute that points back to the group object."

And here's the response from Father Ramon ...


1. Add the "daldapgroup" object class to your filter and set it to sync on subscriber and ignore on publisher.

2. Add the Member attribute to daldapgroup and set it to notify on the subscriber channel and ignore on the publisher channel.

3. Add a subscriber event transformation rule:

if class-name equal 'daldapgroup'
and source dn equal 'name of group'
do for each operation attribute 'Member'
  do append xml element 'sync'
  do set xml attribute 'src-dn' = local variable("current-node")

if class-name equal 'daldapgroup'
do veto

4. Add a subscriber creation policy rule:

if class-name equal 'User'
do set local variable 'member' = source attribute('Member', DN('dn of group'))

if class-name equal 'User'
and if XPath 'not($member = @src-dn)'
do veto
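The four steps above written out as DirXML Script, as an added example that is not part of Father Ramon's reply or of any shipped Identity Manager policy. The group DN ("\IDV-TREE\data\groups\ldap-users") and the object class name "daldapgroup" are placeholders taken from the question; the policy names and the tree name are assumptions. The first policy belongs in the Subscriber Event Transformation policy set, the second in the Subscriber Creation policy set, and both assume the filter changes from steps 1 and 2 are already in place:

```xml
<!-- Subscriber Event Transformation: turn Member changes on the group into
     per-user sync events, then drop the group event itself (steps 3a and 3b) -->
<policy>
  <rule>
    <description>Emit a sync for every Member value added to the group</description>
    <conditions>
      <and>
        <if-class-name op="equal">daldapgroup</if-class-name>
        <!-- placeholder: replace with the real source DN of the group object -->
        <if-src-dn op="equal">\IDV-TREE\data\groups\ldap-users</if-src-dn>
      </and>
    </conditions>
    <actions>
      <do-for-each>
        <arg-node-set>
          <!-- each <value> of the Member attribute in the current modify/add -->
          <token-op-attr name="Member"/>
        </arg-node-set>
        <arg-actions>
          <!-- append a <sync> as a sibling of the current operation (child of <input>) -->
          <do-append-xml-element expression=".." name="sync"/>
          <!-- src-dn of the new sync is the member DN held in the current <value> node -->
          <do-set-xml-attr expression="../sync[last()]" name="src-dn">
            <arg-string>
              <token-local-variable name="current-node"/>
            </arg-string>
          </do-set-xml-attr>
        </arg-actions>
      </do-for-each>
    </actions>
  </rule>
  <rule>
    <description>The group object itself never reaches the LDAP application</description>
    <conditions>
      <and>
        <if-class-name op="equal">daldapgroup</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-veto/>
    </actions>
  </rule>
</policy>

<!-- Subscriber Creation: re-read the group's Member list from the vault and
     refuse to create any User that is not (or is no longer) listed in it (step 4) -->
<policy>
  <rule>
    <description>Load the current Member values of the group into $member</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-set-local-variable name="member">
        <arg-node-set>
          <token-src-attr class-name="daldapgroup" name="Member">
            <arg-dn>
              <!-- placeholder: same group DN as in the event transformation -->
              <token-text xml:space="preserve">\IDV-TREE\data\groups\ldap-users</token-text>
            </arg-dn>
          </token-src-attr>
        </arg-node-set>
      </do-set-local-variable>
    </actions>
  </rule>
  <rule>
    <description>Veto creation unless the user's DN appears in $member</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <!-- node-set = string is true if any Member value equals this sync's src-dn -->
        <if-xpath op="true">not($member = @src-dn)</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Two points worth checking when deploying this: the veto in the second event-transformation rule only removes the group's own operation, so the `<sync>` elements appended beside it are still processed by the engine, and the creation policy compares against the membership as it exists in the vault at creation time rather than trusting the event, so a stale or replayed sync for a user who has since been removed from the group does not create an account. Removing a user from the group does nothing to an account that already exists in the remote LDAP directory; deprovisioning is out of scope of the rules above.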

