I have some strange behavior with an Active Directory driver. We do not
directly synchronize groups from eDir to AD due to stale/dirty data (we
don't want all the members in the equivalent eDir group coming into AD). I
created a rule to manually add a user to the AD Employees group if they are
a member of the eDir Employees group (I have attached an export of this
When I user is first created in AD the policy works wonderfully and the user
is added to each group that they are currently in on the eDirectory
equivalent. My problem comes when a user is added to a group after they
already exist in AD. I do not directly map the Group Membership eDir
attribute anywhere in AD, but I set the Subscriber channel to synchronize
for that attribute so that it would register when the attribute is modified
in eDirectory (at one point I even had my actions executing only if
Operational Attribute Group Membership is changing). This allows the driver
to register that a change has occured. The conditions are evaluated (the
user is a member of the group in eDir) and it kicks off the same action as
it did when a user is first created (add them to the AD group).
The problem is that, based on what I'm seeing in the trace (attached), it's
not seeing the destination side values of anything for the user in question.
When it tries to add the destinationDN attribute to the AD group attribute
member, it is empty. I changed it around several times to try to retrieve
destination information (pull destination attribute CN for example) and
everytime it comes back empty. I don't understand why it's not seeing the
destination side of things (AD) for this change, but it can execute the same
rule and get the values it needs when the user is first created.
Any help is appreciated.