Hi,

I've been developing our eDir to AD IDM driver and we are now ready to test
in live. Initially I need to limit the driver to only carry out operations
on a certain AD OU, and we are going to roll it out further once confidence
increases. I've managed to get the subscriber channel to do this using:-

<actions>
  <do-find-matching-object scope="subtree">
    <arg-dn>
      <token-text xml:space="preserve">OU=TESTING,OU=IS,OU=GB,DC=GB, DC=GROUP,DC=TEST</token-text>
    </arg-dn>
    <arg-match-attr name="Internet EMail Address"/>
  </do-find-matching-object>
</actions>

This works fine but it's the publisher channel I am struggling with. We
have a large, 30,000+ account AD tree and I really don't want the driver to
start *#!%ing things up elsewhere!

I've tried this in the publisher event transformations but it breaks the
driver:-

<conditions>
  <and>
    <if-src-dn op="not-in-container">"OU=TESTING,OU=IS,OU=GB,DC=GB,DC=GROUP, DC=TEST"</if-src-dn>
  </and>
</conditions>
<actions>
  <do-veto/>
</actions>

Any suggestions?

Also, whilst I've got your attention, I'm deploying this driver into our
main AD tree with an IDM3.5 driver already connected to a different eDir
tree. This 3.5 driver is syncing passwords and we have the filter loaded
on all our DCs. My new driver is connected to a DirXML2.01 system and will
not be syncing passwords, just account information. Will this be a problem?
Can I even use the same remote loader or will I need a separate one on a
different DC?

Thanks for any replies,

Matt (CNE)