IDM 3.6, eDir 8.8.3, 350K users in the tree.

I have a configuration which I have created where two parallel
eDir-eDir drivers are in place, a "Primary" pair and a "Priority" pair.
The filters between the two are mutually exclusive except for GUID.

The Priority driver has things like login disabled and
nspmDistributionPassword in it. It is also hosted on servers which have
filtered replicas with only those attributes in them. It is configured
with a unconditional veto in the match rule so nothing but modifies
should get through this driver.

The primary driver, upon an Add, Merge or an Add-Association, creates a
second association for the priority driver. This is working in both
directions. It also is configured to do a query of the priority driver,
read it's filter, and add in all the missing attributes during an add or
merge. The effect of this is that the primary driver handles all adds
and matches, and modifies to "lesser" attributes, the priority driver
handles the "greater" attributes.

So far so good. However, when I try to do a modify of login disabled,
it comes through the priority driver with the right association in state
associated, but when it gets to check the association, it's not finding
(checked it manually it's right). In the trace I see Resolving
Association References, No event transformation policies, No associated

What I'm guessing is that there is something critical missing from the
filter for this to work, I've made certain that both GUID and
DirXML-Associations is in the filter, but is there something else I need

rrawson's Profile:
View this thread: