AD is the authoritative data source. All administration takes place in
AD. My goal is to limit synchronization to eDir from one sub-container
in AD. My problem is that none of the deletes for users and groups in
AD get through to delete the object in the vault. I need the object
deleted in AD and the vault. Since deleted objects are in the
'CN=Deleted Objects' container, my logic in the Input Transformation
below is wrong. I ended up here because if I just look for the
sub-container, then the driver doesn't start up, since that does not take
place in the selected container. I can't believe this is that
difficult. :-)

<rule>
  <description>MHP Container only</description>
  <conditions>
    <and>
      <if-src-dn op="available"/>
      <if-src-dn op="not-in-subtree">OU=mhp,DC=mhs,dc=hpa,dc=org</if-src-dn>
      <if-src-dn disabled="true" op="not-in-subtree">CN=Deleted Objects,DC=mhs,DC=hpa,DC=org</if-src-dn>
    </and>
    <and>
      <if-operation mode="case" op="equal">add</if-operation>
      <if-operation mode="case" op="equal">delete</if-operation>
      <if-operation mode="case" op="equal">modify</if-operation>
      <if-operation mode="case" op="equal">modify-password</if-operation>
      <if-operation mode="case" op="equal">move</if-operation>
      <if-operation mode="case" op="equal">rename</if-operation>
      <if-operation mode="case" op="equal">sync</if-operation>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

I need the driver to start and synchronize objects to eDir from a selected
sub-container in AD (adds, modifies, deletes, passwords, etc.). The rest
of my driver appears to be working fine. Just deletes are giving me a
headache.
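One way to restructure the rule so that a delete, whose src-dn sits under CN=Deleted Objects rather than under OU=mhp, is no longer caught by the container check; this is an added example for illustration, not the original poster's rule or a vendor-supplied policy. It assumes DirXML-Script semantics where condition groups under <conditions> are OR'ed with each other and cannot be nested, and that the publisher-side delete event still carries the association the driver created for the object.

```xml
<rule>
  <description>MHP Container only: veto out-of-scope events, but pass deletes of associated objects</description>
  <comment>
    Added example. The original rule's second group ANDs together seven
    mutually exclusive if-operation checks, so that group can never match;
    the rule therefore fires on every event whose src-dn is outside OU=mhp,
    including deletes, whose src-dn is under CN=Deleted Objects. Because
    groups under conditions are OR'ed and cannot be nested, the exception
    for deletes is written out as two flat groups (disjunctive normal form).
  </comment>
  <conditions>
    <!-- Group 1: any non-delete event from outside OU=mhp is vetoed. -->
    <and>
      <if-src-dn op="available"/>
      <if-src-dn op="not-in-subtree">OU=mhp,DC=mhs,DC=hpa,DC=org</if-src-dn>
      <if-operation mode="case" op="not-equal">delete</if-operation>
    </and>
    <!-- Group 2: a delete is vetoed only when the object was never associated
         with a vault object, i.e. it was never in scope in the first place.
         A delete of an associated object passes through and removes the
         vault object, regardless of the Deleted Objects src-dn. -->
    <and>
      <if-src-dn op="available"/>
      <if-src-dn op="not-in-subtree">OU=mhp,DC=mhs,DC=hpa,DC=org</if-src-dn>
      <if-operation mode="case" op="equal">delete</if-operation>
      <if-association op="not-associated"/>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>
```

Whether an unassociated delete should be vetoed or allowed to pass is a scoping decision; vetoing it keeps objects that were never synchronized from generating noise in the vault.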