First off, what is new in the 3.5 rules, that I would need to worry
about in terms of the AD driver during an upgrade? I.e. If defaults
were used, do I need to get the new 3.5 defaults? (Of course I
customized, like everyone else does).

Specifically, I notice a nice Veto if operational attribute
nspmDistribution password is not there on a create in the Sub-Create
rule. (Good idea!)

More specifically, the Subscriber Command transform has an extra rule
now called Sub-GroupMember Resolution that if clearly 3.5 syntax, and is
included below.

Any idea why they need this rule? (I can see WHAT it is doing, reading
the group membership list from eDir then adding it in AD), but WHY is
that rule needed now, when we did not have it before?

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC
"policy-builder-dtd"
"/data/programs/designer.rc1/designer/eclipse/plugins/com.novell.designer.idm.policybuilder_2.0.0.200702 271030/DTD/dirxmlscript.dtd"><policy
xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor">
<description>Resolve group memberships on an add user</description>
<rule>
<description>Add new user to associated groups</description>
<conditions>
<and>
<if-operation op="equal">add</if-operation>
<if-class-name op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-set-local-variable name="groupAssociations">
<arg-node-set>
<token-xpath expression="empty"/>
</arg-node-set>
</do-set-local-variable>
<do-for-each>
<arg-node-set>
<token-src-attr name="Group Membership"/>
</arg-node-set>
<arg-actions>
<do-set-local-variable name="groupAssociations">
<arg-node-set>
<token-local-variable name="groupAssociations"/>
<token-xpath expression="query:readObject($srcQueryProcessor, '',
$current-node, 'Group','')/association/text()[. != '']"/>
</arg-node-set>
</do-set-local-variable>
</arg-actions>
</do-for-each>
<do-for-each>
<arg-node-set>
<token-local-variable name="groupAssociations"/>
</arg-node-set>
<arg-actions>
<do-add-dest-attr-value class-name="Group" name="Member">
<arg-association>
<token-local-variable name="current-node"/>
</arg-association>
<arg-value type="string">
<token-dest-dn/>
</arg-value>
</do-add-dest-attr-value>
</arg-actions>
</do-for-each>
</actions>
</rule>
</policy>