I'm doing some blue sky thinking, and haven't managed to find anything
on this...
We have an ID vault and a File and print tree, both using Edir. The ID
vault is flat, and the File and Print tree is geographically structured.
Users are managed from the FP tree into the ID vault tree with an edir
to edir driver. I am starting to populate the ID vault with organisation
data from HR (SAP to be precise, but I don't think it matters). What I
would like to do is to have group memberships in the File and Print tree
that reflect the HR structure, but without tree walking - we have some
painfully slow WAN links.

Historically we have made no attempt to map groups in the F&P Tree to
the ID vault. Apart from anything else there are about twenty times more
than there should be, not to mention groups that have no relationship
with teh org structure. We also have plenty of teams that span
geographical areas. Traditionally what we have done where a team spans
geographical areas is to create a group at each OU. Thus there might be
cn=widgets,ou=depta,ou=office1,ou=county1,o=compan y ,
cn=widgets,ou=depta,ou=office5,ou=county1,o=compan y
and cn=widgets,ou=depta,ou=office4,ou=county2,o=compan y. In the HR
system, and thus the flat ID vault, there would only be

I'm sure we can't be unique... What tricks have people managed to
ensure that a name or attribute change in the one ID vault object are
reflected in all four in the F&P tree. Something clever with find
matching object, so there's no permananet relationship between the
objects or what?

