I am attempting to add a user to a group when the user add comes across
the subscriber channel. I've successfully added the user to the
eDirectory group, but I have not been able to add them to the AD group.
The eDirectory and AD groups are associated. Here is my rule, which is
in the subscriber command transformation policies:


Code:
--------------------
<rule>
<description>Add user to IDM TESTING GROUP on user adds</description>
<comment name="author" xml:space="preserve">Adam Bradley</comment>
<comment name="version" xml:space="preserve">1</comment>
<comment name="lastchanged" xml:space="preserve">11/7/12</comment>
<conditions>
<and>
<if-class-name op="equal">User</if-class-name>
<if-operation op="equal">add</if-operation>
</and>
</conditions>
<actions>
<do-add-src-attr-value name="Group Membership">
<arg-value type="string">
<token-text xml:space="preserve">\XYZ_TREE\XYZ\GROUPS\IDM TESTING GROUP</token-text>
</arg-value>
</do-add-src-attr-value>
<do-add-src-attr-value name="Security Equals">
<arg-value type="string">
<token-text xml:space="preserve">\XYZ_TREE\XYZ\GROUPS\IDM TESTING GROUP</token-text>
</arg-value>
</do-add-src-attr-value>
<do-add-src-attr-value name="Member">
<arg-dn>
<token-text xml:space="preserve">\XYZ_TREE\XYZ\GROUPS\IDM TESTING GROUP</token-text>
</arg-dn>
<arg-value type="string">
<token-src-dn/>
</arg-value>
</do-add-src-attr-value>
<do-add-src-attr-value name="Equivalent To Me">
<arg-dn>
<token-text xml:space="preserve">\XYZ_TREE\XYZ\GROUPS\IDM TESTING GROUP</token-text>
</arg-dn>
<arg-value type="string">
<token-src-dn/>
</arg-value>
</do-add-src-attr-value>
<do-add-dest-attr-value name="member">
<arg-dn>
<token-text xml:space="preserve">CN=IDM TESTING GROUP,OU=GROUPS,OU=XYZ,OU=0migrated,DC=AD,DC=XYZ,DC=local</token-text>
</arg-dn>
<arg-value type="string">
<token-dest-dn/>
</arg-value>
</do-add-dest-attr-value>
</actions>
</rule>
--------------------

The driver trace shows that the add member is included:

Code:
--------------------
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.14.5471">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="user" dest-dn="CN=Spaghetti\, Alexander@XYZ,OU=NSS,OU=ITB10,ou=XYZ,ou=0migrated, dc=AD,dc=XYZ,dc=local" event-id="HQDC3-NDS#20121107225819#7#1" qualified-src-dn="O=XYZ\OU=ITB10\OU=NSS\CN=testuser11078" src-dn="\XYZ_TREE\XYZ\ITB10\NSS\testuser11078" src-entry-id="48561">
<add-attr attr-name="givenName">
<value>Alexander</value>
</add-attr>
<add-attr attr-name="sn">
<value>Spaghetti</value>
</add-attr>
<add-attr attr-name="userPrincipalName">
<value>testuser11078@ad.XYZ.ca.gov</value>
</add-attr>
<add-attr attr-name="sAMAccountName">
<value>testuser11078</value>
</add-attr>
<add-attr attr-name="dirxml-uACAccountDisable">
<value>false</value>
</add-attr>
<add-attr attr-name="displayName">
<value>Spaghetti, Alexander@XYZ</value>
</add-attr>
<add-attr attr-name="extensionAttribute1">
<value>0</value>
</add-attr>
<password><!-- content suppressed --></password>
<operation-data attempt-to-match="true" unmatched-src-dn="CN=testuser11078,OU=NSS,OU=ITB10">
<password-subscribe-status>
<association/>
</password-subscribe-status>
</operation-data>
</add>
<modify dest-dn="CN=IDM TESTING GROUP,OU=GROUPS,OU=XYZ,OU=0migrated,DC=AD,DC=XYZ,DC=local" event-id="HQDC3-NDS#20121107225819#7#1">
<modify-attr attr-name="member">
<add-value>
<value type="string">CN=Spaghetti\, Alexander@XYZ,OU=NSS,OU=ITB10,ou=XYZ,ou=0migrated, dc=AD,dc=XYZ,dc=local</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
--------------------

I noticed that when I just add a user to that group in eDirectory, the
driver trace looks like this:


Code:
--------------------
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.14.5471">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20121107231157.326Z" class-name="group" event-id="HQDC3-NDS#20121107231157#6#1" qualified-src-dn="O=XYZ\OU=GROUPS\CN=IDM TESTING GROUP" src-dn="\XYZ_TREE\XYZ\GROUPS\IDM TESTING GROUP" src-entry-id="48551" timestamp="1352329917#1">
<association state="associated">d8b54a39d528d542ac53bf3dd45cd217</association>
<modify-attr attr-name="member">
<add-value>
<value association-ref="504f2ed06d0a1044a1969fa783aea093" timestamp="1352329917#1" type="dn">\XYZ_TREE\XYZ\ITB10\NSS\ABRADLEY</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
--------------------


This has a number of differences, specifically that the DNs are still
in eDirectory format and there are association values for both the group
and member, as well as a timestamp for the member. Does that timestamp
represent when the user was created, when the association was created,
or when the user was added to the group?

In any case, do I need to reformat mine so it looks like that? If so,
how do I insert the association values into the document?


--
ambradley
------------------------------------------------------------------------
ambradley's Profile: https://forums.netiq.com/member.php?userid=177
View this thread: https://forums.netiq.com/showthread.php?t=46110
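The post compares two XDS documents by eye. The script below is an added example, not code from the post or from the Identity Manager product: it parses trimmed copies of the two traces quoted above (constructed from the post, password element omitted, the GUID and DN line-wrap artifacts repaired) and reports, for every modify of a membership attribute, which DN namespace the group and member values are in, whether the group carries an association, and whether the member value carries an association-ref and timestamp. The classification rules (backslash path = eDirectory, leading attr=value RDN = LDAP) are this example's own assumptions about DN syntax, not something the post states.

```python
"""Compare membership <modify> events in two Identity Manager XDS trace
documents. Added example; not code from the forum post or the product."""
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the document the policy produced (constructed from the post).
POLICY_DOC = r"""<nds dtdversion="3.5" ndsversion="8.x">
<input>
<modify dest-dn="CN=IDM TESTING GROUP,OU=GROUPS,OU=XYZ,OU=0migrated,DC=AD,DC=XYZ,DC=local" event-id="HQDC3-NDS#20121107225819#7#1">
<modify-attr attr-name="member">
<add-value>
<value type="string">CN=Spaghetti\, Alexander@XYZ,OU=NSS,OU=ITB10,ou=XYZ,ou=0migrated, dc=AD,dc=XYZ,dc=local</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>"""

# Trimmed copy of the document eDirectory emitted for a manual group edit.
EDIR_DOC = r"""<nds dtdversion="3.5" ndsversion="8.x">
<input>
<modify class-name="group" event-id="HQDC3-NDS#20121107231157#6#1" src-dn="\XYZ_TREE\XYZ\GROUPS\IDM TESTING GROUP" src-entry-id="48551">
<association state="associated">d8b54a39d528d542ac53bf3dd45cd217</association>
<modify-attr attr-name="member">
<add-value>
<value association-ref="504f2ed06d0a1044a1969fa783aea093" timestamp="1352329917#1" type="dn">\XYZ_TREE\XYZ\ITB10\NSS\ABRADLEY</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>"""

_LDAP_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")
_QUALIFIED_SLASH = re.compile(r"^[A-Za-z]+=[^,\\]*\\[A-Za-z]+=")


def dn_form(dn):
    """Classify a DN string by its syntax (assumed rules, see lead-in):
    'edir' for a backslash path, 'edir-qualified' for O=..\OU=.. slash form,
    'ldap' for comma-separated attr=value RDNs, else 'unknown'."""
    if dn.startswith("\\"):
        return "edir"
    if _QUALIFIED_SLASH.match(dn):
        return "edir-qualified"
    if _LDAP_RDN.match(dn):
        return "ldap"
    return "unknown"


def member_modifies(xds_text):
    """Return one record per value added to a 'member'/'Member' attribute
    in any <modify> of the given XDS document."""
    root = ET.fromstring(xds_text)
    records = []
    for mod in root.iter("modify"):
        target = mod.get("dest-dn") or mod.get("src-dn") or ""
        assoc = mod.find("association")
        group_assoc = (assoc.text or "").strip() if assoc is not None else None
        for attr in mod.findall("modify-attr"):
            if attr.get("attr-name", "").lower() != "member":
                continue
            for val in attr.iter("value"):
                text = (val.text or "").strip()
                records.append({
                    "target": target,
                    "target_form": dn_form(target),
                    "group_association": group_assoc,
                    "value": text,
                    "value_type": val.get("type"),
                    "value_form": dn_form(text),
                    "value_association_ref": val.get("association-ref"),
                    "value_timestamp": val.get("timestamp"),
                })
    return records


def diff_report(doc_a, doc_b):
    """Names of the fields on which the first membership record of each
    document disagrees; empty list means the two documents match in shape."""
    a, b = member_modifies(doc_a), member_modifies(doc_b)
    if not a or not b:
        return ["one document contains no member modify"]
    fields = ("target_form", "group_association", "value_type",
              "value_form", "value_association_ref", "value_timestamp")
    return [f for f in fields if a[0][f] != b[0][f]]


if __name__ == "__main__":
    for name, doc in (("policy output", POLICY_DOC), ("eDirectory event", EDIR_DOC)):
        for rec in member_modifies(doc):
            print(name, rec)
    print("differences:", diff_report(POLICY_DOC, EDIR_DOC))
```

Run against the two traces it lists every field the post noticed by eye (namespace of the DNs, group association, value type, association-ref and timestamp on the member value), so the same check can be pointed at a fresh trace after a policy change to confirm the shape actually moved.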