By: scauwe


You all know the DAModifier tool? Nice tool, but it depends on the Client and Windows. Attached is a designer plug-in that allows you to do similar actions: import, modify or export IDM driver associations.


Cool Tools does not allow uploading jars, so rename the attached zip to .jar and copy the jar to the plugins folder of your Designer installation. Delete any previously installed version and restart Designer if it is already running. I tested this with Designer 4.0.1 and 4.0.2 on Linux and Windows. Version 0.4 was tested with Designer 4.6 LDAP and non-LDAP.


Right-click on a driver object in the outline view or the driver connection in the modeler view and select Live → Association Editor, or right-click on the application (in modeler or outline view) and select Driver → Live → Association Editor.

New menu entry: Association Editor

A dialog will pop up where you can select what you want to do.

Export associations

Export associations will export the associations of the selected driver to a tab-separated file. This file will contain the object DN (LDAP format), the association state and the association value. Enter the required information (search base, LDAP filter, association status and the target file) and press Start.

Export associations dialog

Modify associations

This allows modification of the association status. Enter the required information (search base, LDAP filter, ‘from’ association status, ‘to’ association status) and press Start. Optionally, a log file is generated. This log file (tab-separated) contains the object DN, the old state, the association value and the action taken.

Modify associations dialog

Import associations

This allows for importing associations. Enter the required information (file to import) and press Start. Optionally, you can limit the import to a ‘test only’. This will generate a log file of the actions it would take. The file to import is a tab-separated file with the following columns: object DN (LDAP), association state, association value (same format as the export option). Optionally (unless ‘validate only’ is checked) a log file is generated. This log file (tab-separated) is the same as the input file, but adds an action column containing the action taken (or that would be taken in case of ‘validate only’).

Note: when ‘validate only’ is not selected, importing will always delete the current associations for the object. It does not add associations to the existing objects.

Import associations dialog
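
Because an import replaces what an object already has, it helps to compare the import file against a fresh export before running it. The following is an added example, not part of the plug-in: it parses both tab-separated files and lists the exported entries that would be gone after the import. It assumes numeric states (as in the "3" row quoted in the comments) and case-insensitive DN comparison; the function names and all rows are constructed.

```python
import csv
import io

def read_associations(text):
    """Parse tab-separated rows of: object DN, association state, association value.

    Returns ({dn: [(state, value), ...]}, [(line_number, problem), ...]).
    """
    rows, problems = {}, []
    # No escapechar is set, so backslashes in association values stay literal.
    reader = csv.reader(io.StringIO(text), delimiter="\t", quotechar='"')
    for fields in reader:
        if not any(f.strip() for f in fields):
            continue  # blank line
        if len(fields) < 3 or not fields[0].strip():
            problems.append((reader.line_num, "expected DN, state and value"))
            continue
        # Only the first three columns are used; a log file adds an action column.
        dn, state, value = (f.strip() for f in fields[:3])
        if not state.isdigit():  # ASSUMPTION: states are numeric
            problems.append((reader.line_num, "non-numeric state: %r" % state))
            continue
        # ASSUMPTION: DNs compared case-insensitively, without full normalisation.
        rows.setdefault(dn.lower(), []).append((state, value))
    return rows, problems

def associations_replaced_by_import(export_text, import_text):
    """Return exported (dn, state, value) entries that the import file does not
    repeat for objects it touches, plus the problems found in the import file."""
    current, _ = read_associations(export_text)
    wanted, problems = read_associations(import_text)
    replaced = [(dn, state, value)
                for dn, new_rows in wanted.items()
                for state, value in current.get(dn, [])
                if (state, value) not in new_rows]
    return replaced, problems

# Constructed sample data (not taken from a real tree).
EXPORT = "\n".join([
    '"cn=1001,ou=st,ou=users,o=data"\t"3"\t"data\\users\\st\\1001"',
    '"cn=1002,ou=st,ou=users,o=data"\t"1"\t"data\\users\\st\\1002"',
])
IMPORT = "\n".join([
    '"cn=1001,ou=st,ou=users,o=data"\t"1"\t"data\\users\\st\\1001"',
    '"cn=1003,ou=st,ou=users,o=data"\t"manual"\t"data\\users\\st\\1003"',
    '"cn=1004,ou=st,ou=users,o=data"\t"1"',
])
```

Running the plug-in's own ‘validate only’ import remains the authoritative preview; this check only catches malformed rows and unintended replacements before the file reaches Designer.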


After pressing start, a monitor dialog is displayed, showing the progress. Upon completion, a summary dialog is shown. Note: processing can be run in the background, allowing you to continue your work. The progress view will display the result. Clicking the link will display the same summary as above (when running in the foreground).

Job status

New features and fixes

Version 0.4, 04-Feb-2018

  • Made the plugin compatible with the LDAP Designer. Tested with IDM 4.6 LDAP and non LDAP.

Version 0.3.1, 23-June-2015

  • Bug fix: fixed issue with backslash during import of associations.

Version 0.3.0, 21-June-2015

  • Bug fix: fixed NPE during import of associations.

Version 0.2.0, 5-March-2014

  • Bug fix: fixed issues with modifying the state of not-associated objects.
  • Enh.: remember last settings.

Version 0.1.0, 14-SEPT-2012

  • First release (beta).

Known limitations

LDAP paged search is not fully implemented in eDirectory. Some LDAP searches will return duplicate entries when using paged searches. This is a known eDirectory issue. To work around this, the search is sometimes split up into multiple searches. Still, no guarantee is given that objects will not be synchronized twice.


The previous post on Qmunity will not be updated, since that does not seem to be editable. This cool tool post is editable.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.



  • geoffc says:

    This is a great tool, it works well, and adds needed functionality to Designer. Well done Stefaan!

  • slavat says:

    If IDM server has LDAP configured with “Require TLS for all operations” the search fails with a NullPointer exception and

    LDAPException: Confidentiality Required (13) Confidentiality Required
    LDAPException: Server Message: This server requires a TLS connection

    Is there any work around or where to look since in most environments these days TLS is a must.

    • scauwe says:

      Did you configure your vault to use SSL?
      In Designer, select the Vault object, in the properties view: set useLDAPSecureChannel to TRUE.

      • ukrause says:

        sorry, can you specify this a bit more clearly? I cannot remember nor can I find such a setting in Designer's vault properties. Maybe I am a little bit behind… Using version 4.5 and 4.0.2 to verify…

      • ukrause says:

        sorry, found it – property view and not properties – have to read carefully

  • mjuricek says:

    Hi, I am trying to use this tool in Designer 4.5.1 to export associations in Demo but I got the following error:

    Stoping job at 2015-Jun-11 15:44:46.411
    Exception :java.lang.NullPointerException-null
    Getting ldap connection
    Searching for objects
    Starting job at 2015-Jun-11 15:44:46.391
    Job details:
    From state:ANY_ASSOCIATION
    Search base:OU=users,O=data
    Export associations

    Did you try this tool in Designer 4.5.1? Do you have any idea what is wrong?

    • scauwe says:

      I tried it with Designer 4.5 and not yet with 4.5.1. I tried installing 4.5.1, but it keeps telling me that I have version Using the off-line update option reports designer “4.5”.
      Can you provide me a stacktrace? One should be available either in Eclipse's log file or in the Error ‘view’.

      • mjuricek says:

        !ENTRY info.vancauwenberge.associationeditor 4 0 2015-06-17 16:05:37.865
        !MESSAGE Exception while getting LDAP connection:class com.novell.ldap.LDAPException-Confidentiality Required
        !STACK 0
        LDAPException: Confidentiality Required (13) Confidentiality Required
        LDAPException: Matched DN:
        at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
        at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
        at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
        at com.novell.ldap.LDAPConnection.bind(Unknown Source)
        at com.novell.ldap.LDAPConnection.bind(Unknown Source)
        at info.vancauwenberge.idm.association.job.AbstarctLDAPJob.getLDAPConnection(
        at info.vancauwenberge.idm.association.job.AbstractLDAPSearchProcessingJob.doJob(

        !ENTRY info.vancauwenberge.associationeditor 4 0 2015-06-17 16:05:37.882
        !MESSAGE Exception :java.lang.NullPointerException-null
        !STACK 0
        at info.vancauwenberge.idm.association.job.AbstractLDAPSearchProcessingJob.pagedSearch(
        at info.vancauwenberge.idm.association.job.AbstractLDAPSearchProcessingJob.doJob(

    • mjuricek says:

      ok, this is the same issue as “slavat” had.
      I set the useLDAPSecureChannel to TRUE in the properties view of the Vault object.

  • joer999 says:

    I have tried the tool in Designer 4.02 and 4.5. In both cases, when I first make an export of 1 user, I get a .CSV with:
    “cn=1001,ou=st,ou=users,o=data” “3” “data\users\st\1001”
    When I remove the above association in iManager (Connected Systems) and try an import with the same file, I get “Task completed with success, Associations 0, Objects 0.” So nothing happens. I seem to be missing something.

    • scauwe says:

      I found an issue with the import. Do you see the following in the error log view:
      Error importing associations from file.
      at info.vancauwenberge.idm.association.job.LogAndImportStrategy.processEntry(
      at …
      If so, I’ll fix this in version 0.3.0 asap.

      • joer999 says:

        There is a distinct error log, different from the log I can specify in the interface? That one remains empty in my case. The interface just says “Success, Associations 0, Objects 0”. I have the distinct feeling that I’m overlooking some little stupid thing but there aren’t that many options in testing. Export, remove the association in iManager, import with the earlier on generated export file and the association should be there again. Right?
        Btw. are you Dutch or Belgian or is it just the name? I’m Dutch.

      • scauwe says:

        Fixed in version 0.3.0

  • joer999 says:

    This weekend we migrated from legacy (non-NetIQ) provisioning to NetIQ IDM402. I imported 30,000+ objects from MAD into the ID Vault. After that, I used the snap-in to create the necessary associations with the SOAP driver. Worked like a charm. Great tool.

  • feltham says:

    Hi Stefaan,
    Great tool, needs to be in everyone’s toolkit !

    When you are thinking about new features, it would be nice to export associations from the base container and select if you want “in container”, or “in subtree”; right now subtree is the only option.

    Second during IDM testing, it would be nice to pick a single object in the tool to adjust the association for. This would be much faster than iManager.

    Thanks again for all the hard work, Robert.

  • jlmasmit says:

    Sorry, but I don’t see any option to download the plugin. Where is it?

  • rreid says:

    This is an awesome tool. I have found that the LDAP filter fails when there are parentheses in the driver name, i.e. “MyDriver (JDBC)”
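
Parentheses are structural characters in an LDAP search filter, so a driver name such as the one above must be escaped (RFC 4515) before it is placed in a filter value; otherwise the filter is malformed or its meaning changes. The following is an added example, not the plug-in's code: the filter shape (a prefix match on DirXML-Associations with the driver DN) and the DN itself are assumptions made for illustration, and the checker covers only the simple filter forms used here.

```python
import re

# RFC 4515: these characters must be written as backslash + two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def association_filter(driver_dn):
    # ASSUMPTION: illustrative filter shape; the trailing wildcard is added
    # after escaping so that it stays a wildcard.
    return "(DirXML-Associations=%s#*)" % escape_filter_value(driver_dn)

# attribute, operator, then a value with no raw parentheses, backslash or NUL
_ITEM = re.compile(
    r"[A-Za-z][A-Za-z0-9;.-]*(?:=|~=|>=|<=)(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*")

def _parse(f, i):
    """Return the index just past one filter starting at f[i], or -1."""
    if i >= len(f) or f[i] != "(":
        return -1
    i += 1
    if i < len(f) and f[i] in "&|":          # (&(...)(...)) or (|(...)(...))
        i += 1
        count = 0
        while i < len(f) and f[i] == "(":
            i = _parse(f, i)
            if i < 0:
                return -1
            count += 1
        if count == 0:
            return -1
    elif i < len(f) and f[i] == "!":         # (!(...))
        i = _parse(f, i + 1)
        if i < 0:
            return -1
    else:                                    # attr=value
        m = _ITEM.match(f, i)
        if not m:
            return -1
        i = m.end()
    return i + 1 if i < len(f) and f[i] == ")" else -1

def is_well_formed(f):
    """True when f is exactly one syntactically valid filter."""
    return _parse(f, 0) == len(f)
```

With the constructed DN `cn=MyDriver (JDBC),cn=DriverSet,o=system`, the unescaped filter is rejected by `is_well_formed`, while `association_filter` yields a value containing `\28JDBC\29` that is accepted.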

  • Hi Stefaan,

    Is this (v0.3.1) meant to be compatible with Designer for NetIQ Identity Manager (LDAP) Version: 4.6.2?

    I’m getting “The selected driver () is either not deployed or not reachable. Unable to continue the action.” – which is a lie, a compare of the driver works fine.

    • scauwe says:

      Hi ScorpionSting,

      I did not yet try my plugins in IDM 4.6 LDAP. I know my trace plugin has an issue, and apparently also this plug-in.
      In order to integrate with Designer, all plugins (and this one as well) depend a lot on undocumented/unpublished java classes from NetIQ. Since these are not documented, they are also not communicating any changes…
      I’ll try to have a look ASAP to find out what has/might have changed, so I can adapt accordingly.

By: stefaanv
Mar 11, 2014
12:24 pm