During a move user operation in an AD driver, I want to remove a user's
group memberships. So I request the memberOf attribute from AD to get the
list of groups so I can remove the memberships from the groups. I get back
a document like this:

<nds dtdversion="1.1" ndsversion="8.7">
<product asn1id="" build="20080229_143300" instance="AD"
<contact>Novell, Inc.</contact>
<instance class-name="user" event-id="0"
src-dn="CN=blah,OU=USERS,OU=something,DC=,DC=blah,DC=c om">
<attr attr-name="memberOf">
<value association-ref="5fd0e71d5eafa94b968db74e725ed5be" naming="true"
type="dn">CN=TestGroup2,OU=Groups,OU=something,DC= ,DC=blah,DC=com</value>
<value association-ref="118b8eeb159c444dbcb32eb1141f43e7" naming="true"
type="dn">CN=TestGroup1,OU=Groups,OU=something,DC= ,DC=blah,DC=com</value>
<status event-id="0" level="success"/>

Which I can then do a for-each to step through the groups and individually
remove the membership. The problem I have is that in the move event, I
don't have the user's DN in AD, which I need to remove the group memberships
(the DN's between eDir and AD don't match). Is there any way I can get to
it with XPATH from the output above? Or is there another way I can get the
user's DN in AD easily (Destination DN returns nothing since it is a move

This is the action I'm trying to build:

<token-dest-attr name="memberOf"/>
<do-remove-dest-attr-value class-name="Group" name="member"
<token-local-variable name="current-node"/>
<token-text xml:space="preserve">NEED AD DN HERE!</token-text>