During a move user operation in an AD driver, I want to remove a user's
group memberships. So I request the memberOf attribute from AD to get the
list of groups so I can remove the memberships from the groups. I get back
a document like this:

<nds dtdversion="1.1" ndsversion="8.7">
  <source>
    <product asn1id="" build="20080229_143300" instance="AD"
             version="3.5.2">AD</product>
    <contact>Novell, Inc.</contact>
  </source>
  <output>
    <instance class-name="user" event-id="0"
              src-dn="CN=blah,OU=USERS,OU=something,DC=,DC=blah,DC=com">
      <association>c82d3459eefc634a8ab1f38c4616e0df</association>
      <attr attr-name="memberOf">
        <value association-ref="5fd0e71d5eafa94b968db74e725ed5be" naming="true"
               type="dn">CN=TestGroup2,OU=Groups,OU=something,DC=,DC=blah,DC=com</value>
        <value association-ref="118b8eeb159c444dbcb32eb1141f43e7" naming="true"
               type="dn">CN=TestGroup1,OU=Groups,OU=something,DC=,DC=blah,DC=com</value>
      </attr>
    </instance>
    <status event-id="0" level="success"/>
  </output>
</nds>


I can then do a for-each to step through the groups and individually
remove the membership. The problem I have is that in the move event, I
don't have the user's DN in AD, which I need to remove the group memberships
(the DNs between eDir and AD don't match). Is there any way I can get to
it with XPath from the output above? Or is there another way I can get the
user's DN in AD easily (Destination DN returns nothing since it is a move
event)?

This is the action I'm trying to build:

<do-for-each>
  <arg-node-set>
    <token-dest-attr name="memberOf"/>
  </arg-node-set>
  <arg-actions>
    <do-remove-dest-attr-value class-name="Group" name="member"
                               when="after">
      <arg-dn>
        <token-local-variable name="current-node"/>
      </arg-dn>
      <arg-value>
        <token-text xml:space="preserve">NEED AD DN HERE!</token-text>
      </arg-value>
    </do-remove-dest-attr-value>
  </arg-actions>
</do-for-each>


Thanks.

Matt
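
The query result quoted in the post carries a src-dn attribute on the <instance> element, next to the memberOf values. The following is an added example, not part of the original post and not driver policy: a Python sketch that reads both with XPath-style paths and pairs each group DN with that src-dn. The sample document is constructed (DC=example is a placeholder), the function name is hypothetical, and it assumes src-dn is the value wanted for the member removal.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on the query result in the post; DNs are placeholders.
SAMPLE_XDS = """<nds dtdversion="1.1" ndsversion="8.7">
  <output>
    <instance class-name="user" event-id="0"
              src-dn="CN=blah,OU=USERS,OU=something,DC=example,DC=com">
      <association>c82d3459eefc634a8ab1f38c4616e0df</association>
      <attr attr-name="memberOf">
        <value association-ref="5fd0e71d5eafa94b968db74e725ed5be" naming="true"
               type="dn">CN=TestGroup2,OU=Groups,OU=something,DC=example,DC=com</value>
        <value association-ref="118b8eeb159c444dbcb32eb1141f43e7" naming="true"
               type="dn">CN=TestGroup1,OU=Groups,OU=something,DC=example,DC=com</value>
      </attr>
    </instance>
    <status event-id="0" level="success"/>
  </output>
</nds>"""


def plan_membership_removals(xds_text, class_name="user"):
    """Return (user_dn, [(group_dn, member_value), ...]) from a query result.

    Hypothetical helper: refuses to plan anything unless the query succeeded
    and returned exactly one instance, so a partial or ambiguous result never
    turns into group changes.
    """
    root = ET.fromstring(xds_text)
    status = root.find("./output/status")
    if status is None or status.get("level") != "success":
        raise ValueError("query did not return a success status")
    instances = root.findall(f"./output/instance[@class-name='{class_name}']")
    if len(instances) != 1:
        raise ValueError(f"expected exactly one instance, got {len(instances)}")
    inst = instances[0]
    user_dn = inst.get("src-dn")  # equivalent XPath: instance/@src-dn
    if not user_dn:
        raise ValueError("instance carries no src-dn")
    groups = [
        v.text.strip()
        for v in inst.findall("./attr[@attr-name='memberOf']/value")
        if v.text and v.text.strip()
    ]
    # One removal per group: (DN of the group object, value to drop from member)
    return user_dn, [(group_dn, user_dn) for group_dn in groups]
```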