I had an AD driver, from eDir to AD where the users all existed in both.

Since they did not want to muck with the data we set Merge Auth to none
for all attributes.

On a migrate from eDir, we got a <sync> event for each user. Ok so far.

They matched, merged, nothing to do, event ends, right after the Match
policy set.

However, I need to add two attrs to each user as it matches.

Docs say there are two error cases and dest-dn is set to those cases
(Funky Unicode values that Shon posted about a while back, and I have
used. Matched user already associated to another object, and multiple
matches found) and if a match is found, the dest-dn is set.

In fact, this is how you chain the Find Matching Object rules.

However, when I did this event, I tried in the same policy object to
detect if dest-dn is available, and that failed to ever fire on a match.

Then I tried a second policy object, after the first one that succeeds
at matching. It matches, and then I test whether dest-dn is available, and in
fact, the <add> event does NOT visibly get a dest-dn.

IDM 4.01, but not engine patch. AD shim is 3.5.16.

Two questions: 1) Is this as it should be?
2) If so, how do I catch such an event to add the stuff needed?