I know that the User object referenced below test001 is already
associated with an object in the destination system (in this case AD -
CN=test001,OU=External,OU=Users,OU=CUSTOMER,DC=TES T,DC=com).

If one has a modify operation in your subscriber channel that looks like
this:


<modify class-name=Group" event-id="AD-CUSTOMER##13a26a81a9f##0">
<association>d0b80a8ec39d4a46bf030313b1b5e778</association>
<modify-attr attr-name="Member">
<add-value>
<value association-ref="a185d26785356e45ac636cce47c2dedb"
type="dn">CUSTOMER\External\People\test001</value>
</add-value>
</modify-attr>
<operation-data>
<entitlement-impl id="" name="Group"
qualified-src-dn="O=CUSTOMER\OU=External\OU=People\CN=test001" src="UA"
src-dn="CUSTOMER\External\People\test001" src-entry-id="40691"
state="1">{"ID":"d0b80a8ec39d4a46bf030313b1b5e778" ,"ID2":"CN=ADM_All_Active_Users,OU=Groups,OU=CUSTO MER,DC=TEST,DC=com"}</entitlement-impl>
</operation-data>
</modify>

After passing through the "Fixing up association references." and schema
mapping, shouldn't the Outbound Association Reference Processor convert
the member DN in the modify-attr entry so it looks like this?

<modify-attr attr-name="member">
<add-value>
<value association-ref="a185d26785356e45ac636cce47c2dedb"
type="dn">CN=test001,OU=External,OU=Users,OU=CUSTO MER,DC=TEST,DC=com</value>
</add-value>
</modify-attr>


In my case, it doesn't convert the member DN and I can't work out why.
<modify-attr attr-name="member">
<add-value>
<value association-ref="a185d26785356e45ac636cce47c2dedb"
type="dn">CUSTOMER\External\People\test001</value>
</add-value>
</modify-attr>

I see that the modify operation still succeeds (based on the
association-ref value), but the lack of member DN conversion seems
counter-intuitive. I've seen plenty of other cases where a type="dn"
attribute value is translated automatically.

Am I wrong in my belief that this should occur? Is it somehow related to
the fact that the parent group object itself doesn't exist in the IDVault