I am looking for a way to generate a veto if a modified or created user is not a member of a special AD group.

Background: on the application side (Active Directory) only members of a group should be synched to the Identity vault.

There is a fine document that describes it when you want to do that on the eDir side, but I found no way to find a match to a group membership in AD. There simply is no attribute like "group membership". Only an attribute like "tokengroups" that has the SID of the groups a user is a member of. But it doesn't find a match then.

Anybody here who did that?

Kind regards

Gerd Zobel
The NetWorker GmbH