Hello,

With my AD driver, I populate users from Identity Vault to AD.
So I am working on the subscriber channel.

I have been trying to make a user a member of a group in AD via my AD
driver when a user is created in the Identity Vault
or when a user is modified in the Identity Vault, without affecting the
group directly via iManager to the user.
I would like to associate groups to my user depending on a user
modification event, for example.

I tried to update the memberOf attribute in the following way.

*** FILTER RULE
<filter-class class-name="Group" publisher="sync"
publisher-create-homedir="true" publisher-track-template-member="false"
subscriber="sync">
<filter-attr attr-name="CN" merge-authority="default" publisher="sync"
publisher-optimize-modify="true" subscriber="sync"/>
<filter-attr attr-name="Description" merge-authority="default"
publisher="sync" publisher-optimize-modify="true" subscriber="sync"/>
<filter-attr attr-name="Member" publisher="sync" subscriber="sync"/>
</filter-class>

<filter-class class-name="User" publisher="sync"
publisher-create-homedir="true" publisher-track-template-member="false"
subscriber="sync">
<filter-attr attr-name="CN" merge-authority="default"
publisher="ignore" publisher-optimize-modify="true"
subscriber="sync"/>
...
...
<filter-attr attr-name="Group Membership" merge-authority="default"
publisher="sync" publisher-optimize-modify="true" subscriber="sync"/>
</filter-class>

*** MATCHING RULE
<rule>
<description>concordance sur uniqueID</description>
<conditions>
<and>
<if-class-name mode="case" op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-find-matching-object scope="subtree">
<arg-match-attr name="uniqueID"/>
</do-find-matching-object>
</actions>
</rule>
<rule>
<description>concordance des groupes</description>
<conditions>
<and>
<if-class-name op="equal">Group</if-class-name>
</and>
</conditions>
<actions>
<do-find-matching-object scope="subtree">
<arg-match-attr name="CN"/>
</do-find-matching-object>
</actions>
</rule>
*** CREATION RULE
<rule>
<description>Groupes depuis template</description>
<conditions>
<and>
<if-class-name op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-for-each>
<arg-node-set>
<token-src-attr name="Group Membership">
<arg-dn>
<token-text>alpha\groupes\groupesAD\template1_user</token-text>
</arg-dn>
</token-src-attr>
</arg-node-set>
<arg-actions>
<do-add-dest-attr-value name="Group Membership">
<arg-value type="dn">
<token-local-variable name="current-node"/>
</arg-value>
</do-add-dest-attr-value>
</arg-actions>
</do-for-each>
</actions>
</rule>
*** COMMAND TRANSFORMATION RULE
<rule>
<description>Add new user to associated groups</description>
<conditions>
<and>
<if-operation disabled="true" notrace="true"
op="equal">add</if-operation>
<if-class-name op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-set-local-variable name="groupAssociations">
<arg-node-set>
<token-xpath expression="empty"/>
</arg-node-set>
</do-set-local-variable>
<do-for-each>
<arg-node-set>
<token-src-attr name="Group Membership"/>
</arg-node-set>
<arg-actions>
<do-set-local-variable name="groupAssociations">
<arg-node-set>
<token-local-variable name="groupAssociations"/>
<token-xpath expression="query:readObject($srcQueryProcessor, '',
$current-node, 'Group','')/association/text()[. != '']"/>
</arg-node-set>
</do-set-local-variable>
</arg-actions>
</do-for-each>
<do-for-each>
<arg-node-set>
<token-local-variable name="groupAssociations"/>
</arg-node-set>
<arg-actions>
<do-add-dest-attr-value class-name="Group" name="Member">
<arg-association>
<token-local-variable name="current-node"/>
</arg-association>
<arg-value type="string">
<token-dest-dn/>
</arg-value>
</do-add-dest-attr-value>
</arg-actions>
</do-for-each>
</actions>
</rule>
*** SCHEMA MAPPING
<class-name>
<nds-name>Group</nds-name>
<app-name>group</app-name>
</class-name>
<attr-name class-name="Group">
<nds-name>CN</nds-name>
<app-name>cn</app-name>
</attr-name>
<attr-name class-name="Group">
<nds-name>Description</nds-name>
<app-name>description</app-name>
</attr-name>
<attr-name class-name="Group">
<nds-name>Member</nds-name>
<app-name>member</app-name>
</attr-name>
<class-name>
<nds-name>User</nds-name>
<app-name>user</app-name>
</class-name>
<attr-name class-name="User">
<nds-name>CN</nds-name>
<app-name>cn</app-name>
</attr-name>
...
...
<attr-name class-name="User">
<nds-name>Group Membership</nds-name>
<app-name>memberOf</app-name>
</attr-name>
...
...
*** OUTPUT TRANSFORMATION RULE
Nothing special.

What is the right way of providing group memberships on AD on creation
or on modification of a user in Identity Vault?
Do you see what is wrong in my rules? Or is something missing?
I've spent a lot of time on this problem but I don't see the solution
for the moment.
I give you the logs below.
Many thanks in advance for your help,

Christine

[04/26/08 16:12:28.546]:c:\alpha\logs\tracesAD.log ST:ADDriver: Add
user cn=Abert
CLE,ou=Zone_POLK,ou=Zones_Géographiques,ou=Poles, dc=alpha,dc=fr
LDAPMod operations:
add attribute objectClass
>> user

add attribute objectCategory
>> CN=Person,CN=Schema,CN=Configuration,DC=alpha,DC=fr

add attribute telephoneNumber
>> 02 02 02 02 02

add attribute sAMAccountName
>> abert.cle

add attribute cn
>> Abert CLE

add attribute sn
>> CLE

add attribute givenName
>> Abert

add attribute department
>> Accueil & Services Clients

add attribute title
>> CDI

add attribute l
>> POLK

add attribute name
>> Abert CLE

add attribute mail
>> abert.cle@alpha.com

add attribute displayName
>> Abert CLE

add attribute mail
>> abert.cle@alpha.com

add attribute memberOf
>> CN=groupe2,OU=Zone_POLK,OU=Zones_Géographiques,OU=Poles,DC=alpha,DC=fr

add attribute memberOf
>> CN=groupe1,OU=Zone_POLK,OU=Zones_Géographiques,OU=Poles,DC=alpha,DC=fr

add attribute sAMAccountName
>> abert.cle

add attribute userPrincipalName
>> abert.cle@alpha.fr

add attribute description
>> POLK


[04/26/08 16:12:28.546]:c:\alpha\logs\tracesAD.log
ST:SubscriptionShim.execute() returned:
[04/26/08 16:12:28.546]:c:\alpha\logs\tracesAD.log ST:
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20070823_095000"
instance="\alpha_TREE\alpha\system\Ensemble Pilote Dev\Active Directory
Dev" version="3.5.1">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="MigrationInitiale#Publisher#0" level="error"
type="driver-general">
<ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
<client-err ldap-rc="53"
ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">Incapable
d'exécuter</client-err>
<server-err>0000209A: SvcErr: DSID-031A0D6B, problem 5003
(WILL_NOT_PERFORM), data 0
</server-err>
<server-err-ex win32-rc="8346"/>
</ldap-err>
</status>
</output>
</nds>


--
coves
------------------------------------------------------------------------
coves's Profile: http://forums.novell.com/member.php?userid=4568
View this thread: http://forums.novell.com/showthread.php?t=325728
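Added example, not part of the original post or of the IDM driver: a small Python checker that reads the "LDAPMod operations" block of an AD driver trace like the one above, flags attributes the domain controller treats as back-links (memberOf is one: AD derives it from each group's member attribute instead of storing it on the user), and restates those values as adds to each group's member attribute. The trace excerpt is constructed from the post's format with shortened DNs, and the function names are my own.

```python
"""Added example (not from the original post): find writes to AD back-link
attributes in an IDM AD driver trace and restate them as group 'member' adds."""
import re

# In AD, memberOf is a back-link: the DC derives it from each group's
# 'member' attribute, so it is not written on the user object itself.
BACKLINK_ATTRS = {"memberof"}
# Constructed sample in the shape of the trace in the post (DNs shortened);
# the first memberOf value is wrapped onto its own line, as in the post.
SAMPLE_TRACE = """ST:ADDriver: Add user cn=Abert CLE,ou=Zone_POLK,dc=alpha,dc=fr
LDAPMod operations:
add attribute cn
>> Abert CLE
add attribute memberOf
>>

CN=groupe2,OU=Zone_POLK,OU=Poles,DC=alpha,DC=fr
add attribute memberOf
>> CN=groupe1,OU=Zone_POLK,OU=Poles,DC=alpha,DC=fr
"""

def parse_ldapmod(trace):
    """Return (target_dn, [(attr, value), ...]) parsed from a trace excerpt."""
    target = re.search(r"Add user ([^\n]+)", trace).group(1).strip()
    lines, ops, i = trace.splitlines(), [], 0
    while i < len(lines):
        m = re.match(r"add attribute (\S+)$", lines[i].strip())
        if m and i + 1 < len(lines) and lines[i + 1].startswith(">>"):
            value, j = lines[i + 1][2:].strip(), i + 2
            # a long value may be wrapped onto the next non-blank line
            while not value and j < len(lines) and not lines[j].startswith("add attribute"):
                value, j = lines[j].strip(), j + 1
            ops.append((m.group(1), value))
            i = j
        else:
            i += 1
    return target, ops

def backlink_writes(ops):
    """Attribute/value pairs the DC does not accept because they are back-links."""
    return [(a, v) for a, v in ops if a.lower() in BACKLINK_ATTRS]

def as_group_modifications(target_dn, ops):
    """Restate each memberOf value as an add of target_dn to that group's 'member'."""
    return [{"dn": group, "add": {"member": [target_dn]}}
            for _, group in backlink_writes(ops)]

if __name__ == "__main__":
    dn, ops = parse_ldapmod(SAMPLE_TRACE)
    print(as_group_modifications(dn, ops))
```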