Okay, my best guess is that this is somehow tied to something in the
driver shim.

There is a GUI option (greyed out) in Designer on the General pane for
driver properties with the name: "Supported DN Format"

The help text for this says "Displays the format (for example, LDAP)
that is supported for each driver. This DN information is important for
policy building and simulation."

It also says that if the import wizard hasn't yet been run - then the
format will be "none".

Now, the AD driver shows this value as "ldap", most other drivers
(including the Null driver) say slash.

I'd like to know how to change this to another supported DN format -
for example "dot" or "ldap" for a null driver so I can correctly take
advantage of the "token-escape-for-dest-dn" token in policy.

Where is this saved/set? My guess was maybe it derived this from the
application schema (where one can define the application's DN format).
I'm now leaning towards it being some sort of hard-coded mapping in the
driver shim.

However I've tried tweaking driver exports and package initial settings
and can't make the value budge from "slash" for a null driver.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...