OK, excluding fancy things like taking the time to write an IDM driver:

Let's say you have an old thing, like, oh, I dunno, NIS+.
And all you can get is an exported list of user objects that should be in a particular group.

Creating the Group object is easy enough.

Populating said group object via, say, LDAP is mostly easy (two-step process, I think, due to the attributes; I'll have to dig up my TID I printed out somewhere). Anyway, that presupposes that you have the DN of the users.

Is there any magical (i.e., quick and easy) way to take the cn and get the DNs so you can slap them into an LDIF file?

I mean, if I had an underling, I could make them just use the traditional iManager interface to hunt/peck/search for the users in eDir and add them one at a time. But I don't have an underling.

Yes, all the users in the NIS+ database/export have userids that actually match eDir/AD.

No, we don't have the Unix driver for IDM.
No, can't stand up an LDAP interface (AFAIK) on the Sun Solaris servers (yes, it really is Sun Solaris something)--another division/unit.

Thanks for any glorious technological insight you may have.
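
One way to do the cn-to-DN lookup asked about above, as an added example that is not part of the original post: it assumes the user objects' `dn` and `cn` have already been exported from the directory as LDIF, and that membership is written as `member` on the group (any further attributes the TID calls for are not shown). The function names, sample DNs and group DN are constructed. A userid that matches no DN, or more than one, is reported instead of written, so the wrong account never picks up the group's rights.

```python
import sys
from collections import defaultdict

# Constructed sample: a dn/cn-only LDIF export of user objects.
SAMPLE_EXPORT = """\
dn: cn=jsmith,ou=staff,o=example
cn: jsmith

dn: cn=akhan,ou=staff,o=example
cn: akhan

dn: cn=akhan,ou=contractors,o=example
cn: akhan
"""

def index_by_cn(ldif_text):
    """Map lower-cased cn -> list of DNs. Folded or base64 ('dn::') lines are skipped."""
    index = defaultdict(list)
    for record in ldif_text.strip().split("\n\n"):
        dn, cns = None, []
        for line in record.splitlines():
            key, _, value = line.partition(": ")
            if key.lower() == "dn":
                dn = value
            elif key.lower() == "cn":
                cns.append(value.lower())
        for cn in cns:
            if dn and dn not in index[cn]:
                index[cn].append(dn)
    return index

def build_group_ldif(group_dn, userids, index):
    """Return (ldif, problems); only userids with exactly one DN are written."""
    members, problems = [], []
    for uid in userids:
        dns = index.get(uid.strip().lower(), [])
        if len(dns) == 1:
            members.append(dns[0])
        else:
            problems.append((uid, "not found" if not dns else "ambiguous: " + "; ".join(dns)))
    lines = [f"dn: {group_dn}", "changetype: modify", "add: member"]
    lines += [f"member: {dn}" for dn in members]
    return ("\n".join(lines + ["-", ""]) if members else ""), problems

if __name__ == "__main__":
    ldif, problems = build_group_ldif("cn=nisgroup,ou=groups,o=example",
                                      ["jsmith", "akhan", "rroe"], index_by_cn(SAMPLE_EXPORT))
    print(ldif)
    for uid, why in problems:
        print(f"# skipped {uid}: {why}", file=sys.stderr)
```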