We think we understand why the following doesn't work, but we need to know
how to evaulate all the multivalue group memberships and based on a
paticular one send that user over to the other tree: Here is what we have
now, and it is not working:

The overall goal is to sync members of a paticular group to the new tree:


09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST:Start transaction.
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST:Processing events for
transaction.
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.10.20070918 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<sync cached-time="20080627134435.462Z" class-name="User"
event-id="idm2#20080627134435#2#1"
qualified-src-dn="O=utc\OU=Users\CN=tqj124"
src-dn="\LIBERTY\utc\Users\tqj124" src-entry-id="46968" timestamp="0#0">
<association state="manual"></association>
</sync>
</input>
</nds>
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST:Applying event transformation
policies.
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST:Applying policy: Limit Scope.
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST: Applying to sync #1.
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST: Evaluating selection criteria
for rule 'Limit to IT Personnel Only'.
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST: Query from policy
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.10.20070918 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query class-name="User" dest-dn="\LIBERTY\utc\Users\tqj124"
dest-entry-id="46968" scope="entry">
<read-attr attr-name="Group Membership"/>
</query>
</input>
</nds>
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST: Pumping XDS to eDirectory.
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST: Performing operation query for
\LIBERTY\utc\Users\tqj124.
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST: Query from policy result
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.10.20070918 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance class-name="User" qualified-src-dn="O=utc\OU=Users\CN=tqj124"
src-dn="\LIBERTY\utc\Users\tqj124" src-entry-id="46968">
<association state="manual"></association>
<attr attr-name="Group Membership">
<value timestamp="1212077886#83"
type="dn">\LIBERTY\utc\Groups\STUDENTS</value>
<value timestamp="1212077886#84" type="dn">\LIBERTY\utc\Groups\ITD</value>
<value timestamp="1212077886#85"
type="dn">\LIBERTY\utc\Groups\portaldesign</value>
<value timestamp="1212077886#86"
type="dn">\LIBERTY\utc\Groups\TestAlias</value>
<value timestamp="1212077886#87"
type="dn">\LIBERTY\utc\Groups\SysNet</value>
<value timestamp="1212077886#88" type="dn">\LIBERTY\utc\Groups\TIC</value>
<value timestamp="1212077886#89" type="dn">\LIBERTY\utc\Groups\nofwd</value>
</attr>
</instance>
<status level="success"></status>
</output>
</nds>
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST: (if-src-attr 'Group Membership'
not-equal "utc\Groups\ITD") = TRUE.
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST: Rule selected.
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST: Applying rule 'Limit to IT
Personnel Only'.
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST: Action: do-veto().
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST:Policy returned:
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.10.20070918 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
09:44:35 D5B62BA0 Drvrs: Vault-2-ITServ ST:End transaction.