A Forum reader recently asked:
“My goal is to create a User in eDirectory based on a specific ADS (W2K3) GroupMembership. The problem: the Member “Attribute” in ADS is just a Query, not an Attribute. Therefore, if a User becomes a Member of a Group, there is no REAL Attribute at the User Side which changes, therefore NO event happens at the UserSide. The Only visible Event is the one at the GroupSide.
It would be nice if the User were deleted from eDirectory. I don’t mind if this is done through the similar EDIR Group, as we could handle this event from the eDir side. The GroupMembership is removed at eDir side as well, so this should not be a problem to handle at this stage – remove the User from eDirectory, not just its membership.”
And here’s the response from Father Ramon …
Starting with a generic IDM 3.5 install of AD driver:
1. Add Group Membership to the filter for User.
<filter-attr attr-name="Group Membership" merge-authority="app" publisher="sync" publisher-optimize-modify="true" subscriber="ignore"/>
2. Add this at the beginning of the InputTransform:
<rule>
  <description>Trigger Reevaluation of SyncGroup members when membership changes</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">group</if-class-name>
      <if-src-dn op="equal">CN=SyncGroup,CN=Users,DC=my,DC=org</if-src-dn>
      <if-op-attr name="member" op="changing"/>
    </and>
  </conditions>
  <actions>
    <do-for-each>
      <arg-node-set>
        <token-op-attr name="member"/>
      </arg-node-set>
      <arg-actions>
        <do-add-dest-attr-value class-name="user" name="memberOf">
          <arg-association>
            <token-xpath expression="$current-node/@association-ref"/>
          </arg-association>
          <arg-value type="string">
            <token-text xml:space="preserve">People\SyncGroup</token-text>
          </arg-value>
        </do-add-dest-attr-value>
        <do-set-xml-attr expression="../modify[last()]" name="src-dn">
          <arg-string>
            <token-local-variable name="current-node"/>
          </arg-string>
        </do-set-xml-attr>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
3. Add this to the beginning of the Matching Policy on the Publisher Channel:
<rule>
  <description>veto users that are not members of the sync group</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-attr mode="dest-dn" name="Group Membership" op="not-equal">People\SyncGroup</if-attr>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>
4. Add this to the beginning of the Command Transform on the Publisher Channel:
<rule>
  <description>Delete Users who are being removed from SyncGroup</description>
  <conditions>
    <and>
      <if-dest-dn op="equal">People\SyncGroup</if-dest-dn>
    </and>
  </conditions>
  <actions>
    <do-for-each>
      <arg-node-set>
        <token-removed-attr name="Member"/>
      </arg-node-set>
      <arg-actions>
        <do-remove-association>
          <arg-association>
            <token-resolve datastore="dest">
              <arg-dn>
                <token-local-variable name="current-node"/>
              </arg-dn>
            </token-resolve>
          </arg-association>
        </do-remove-association>
        <do-delete-dest-object class-name="User">
          <arg-dn>
            <token-local-variable name="current-node"/>
          </arg-dn>
        </do-delete-dest-object>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
The controlling Group in AD is CN=SyncGroup,CN=Users,DC=my,DC=org and is associated and synchronized with People\SyncGroup in eDirectory. Policies will have to be edited to include the actual DNs of the groups in your systems.
If at all possible, enable the new “DirSync Incremental Values” option available in the latest patch of AD driver. This allows the member attribute to report the actual change instead of remove-all-values and add all remaining values. You can find this patch at:
Without this, every time someone is added or removed from the group, every single user that remains in the group will be re-evaluated.
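To see what the step 2 Input Transformation rule actually does to a publisher event, here is an added Python model of it (not part of the original answer and not the IDM engine's code) run over a constructed group-modify event; the association values are placeholders, and the behaviour of the real DirXML tokens is approximated with ElementTree.

```python
import xml.etree.ElementTree as ET

# Values from the answer above: the controlling AD group and its eDirectory counterpart.
SYNC_GROUP_DN = "CN=SyncGroup,CN=Users,DC=my,DC=org"
EDIR_GROUP_DN = "People\\SyncGroup"

# Constructed publisher event (not captured from a real driver): AD reports that
# Alice was added to SyncGroup. The {...} association values are placeholders.
SAMPLE_EVENT = """<nds dtdversion="3.5">
 <input>
  <modify class-name="group" event-id="1" src-dn="CN=SyncGroup,CN=Users,DC=my,DC=org">
   <association>{group-guid}</association>
   <modify-attr attr-name="member">
    <add-value>
     <value association-ref="{alice-guid}">CN=Alice,CN=Users,DC=my,DC=org</value>
    </add-value>
   </modify-attr>
  </modify>
 </input>
</nds>"""


def trigger_member_reevaluation(doc):
    """Model of the step-2 rule: for every member value in a modify of SyncGroup,
    append a synthetic user modify (matched by the member's association-ref) that
    adds the eDir group to memberOf, and stamp the member DN on it as src-dn,
    which is what do-set-xml-attr on ../modify[last()] achieves."""
    root = ET.fromstring(doc)
    inp = root.find("input")
    for mod in list(inp.findall("modify")):  # copy: we append while iterating
        if mod.get("class-name", "").lower() != "group" or mod.get("src-dn") != SYNC_GROUP_DN:
            continue
        member = mod.find("modify-attr[@attr-name='member']")
        if member is None:
            continue  # rule fires only when 'member' is changing
        for value in member.findall("add-value/value"):  # op-attr: values being added
            user_mod = ET.SubElement(inp, "modify", {"class-name": "user", "src-dn": value.text})
            ET.SubElement(user_mod, "association").text = value.get("association-ref")
            attr = ET.SubElement(user_mod, "modify-attr", {"attr-name": "memberOf"})
            add = ET.SubElement(attr, "add-value")
            ET.SubElement(add, "value", {"type": "string"}).text = EDIR_GROUP_DN
    return ET.tostring(root, encoding="unicode")


def synthesized_user_events(doc):
    """Return (src-dn, association, memberOf values) for each user modify the rule produced."""
    out = []
    for mod in ET.fromstring(trigger_member_reevaluation(doc)).iterfind("input/modify[@class-name='user']"):
        vals = [v.text for v in mod.iterfind("modify-attr[@attr-name='memberOf']/add-value/value")]
        out.append((mod.get("src-dn"), mod.findtext("association"), vals))
    return out


if __name__ == "__main__":
    print(trigger_member_reevaluation(SAMPLE_EVENT))
```

Each synthesized user modify then flows through schema mapping (memberOf becomes Group Membership) and hits the Matching rule of step 3, which is how a group-side event turns into a per-user evaluation.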