I had an urgent request come in to automatically add AD users to group
membership based on an attrib in the IDV. We're between versions of
the IDM engine, production is 3.5, lab is 3.5.1. I'm able to get the
group membership to work with no issues in our lab, but if I implement
the rule in production the trace fails to find the dest-dn. Is this
not possible with the 3.5 engine?

Below is the rule I have in place, working with 3.5.1, not 3.5. I'll
post a trace in a minute.

<rule>
  <description>If ssmADUserFlag changing to yes, add user to acct pro group.</description>
  <conditions>
    <and>
      <if-class-name op="equal">User</if-class-name>
      <if-op-attr name="ssmADUserFlag" op="changing-to">Yes</if-op-attr>
    </and>
  </conditions>
  <actions>
    <do-add-dest-attr-value class-name="Group" name="member" when="after">
      <arg-dn>
        <token-text xml:space="preserve">CN=G999-AcctUser,OU=Account Provisioning,OU=SharePoint,OU=Resource,OU=Groups,OU=SSMHC,DC=ds,DC=ad,DC=ssmhc,DC=com</token-text>
      </arg-dn>
      <arg-value type="dn">
        <token-dest-attr class-name="User" name="distinguishedName"/>
      </arg-value>
    </do-add-dest-attr-value>
  </actions>
</rule>


--
brent756