PERL Code designed to produce a list of IDM Driver associations and Driver totals for any eDirectory Tree.

This program allows you to identify which user accounts do and do not have DirXML association values stored as attribute data on the user object. It also allows you to identify how many association values exist for a given DirXML driver and which accounts do and do not have an association value for each driver.

The program will also add a ‘reverse RDN’ field to the data so that it can be sorted into container / OU order.

v1.1 has added functionality and will produce 2 additional output files:-

  • Exceptions – Objects without any DirXML associations *
  • Errors – Objects with more than one association for a driver

*Dependent on using the extraction filter ‘objectclass=user’


There are 2 versions of the program. One which builds database files ( and one which does not ( builds 2 database files in order to provide the results. You will need approximately 200mb of disk space per 146,000 DirXML Association values input to the program. This program will not run on Microsoft Windows due to the use of the PERL module ‘NDBM_File’. does not use the ‘NDBM_File’ module, creating files only in memory. This program will run on Microsoft Windows and is the faster of the 2 programs. Unless you want access to the database files you should use this program version.

This program accepts LDIF files as formatted by ConsoleOne and iManager ONLY. Lines longer than 78 characters MUST wrap at the 79th column.

To analyze ALL objects with and without associations use this LDAP extraction search filter:-


To analyze only objects with associations use this extraction search filter:-


Choose to extract only the attribute class ‘DirXML-Associations’. This will produce an input file containing only the ‘dn’ and ‘DirXML-Associations’ attributes. There is an example input file at the end of this document.

PDF documents showing how to extract the LDIF data using ConsoleOne and iManager have been created to accompany this program. They should be available from the same location as the PERL program:-

  • Using ConsoleOne To Export IDM Attribute Data to An LDIF File.pdf
  • Using iManger To Export IDM Attribute Data to An LDIF File.pdf

The program is designed to accept LDIF data relating to the class ‘user’, but it should work with any class of object that can have a DirXML Association Attribute.

The program has been tested on SUSE Linux 10 on x86 using Perl v5.8.8.

The programs have also been tested on Windows 2000 SP4 using ActivePerl.


*Name of input file [Default=associations.txt]:

     By default the program will look for a file called associations.txt (lower-case on Linux/Unix).


Output File: Driver_Totals.txt

Driver Name                                                              Total
------------------------------------------------------------------------ Assocs

cn=PeopleSoft40,cn=driverset1,ou=dirxml,ou=EMEA,o=MyCompany              26,691
cn=ActiveDir,cn=driverset1,ou=dirxml,ou=EMEA,o=MyCompany                 23,221
cn=NT Domain,cn=driverset1,ou=dirxml,ou=EMEA,o=MyCompany                 19,661
cn=ORACLE DB,cn=driverset1,ou=dirxml,ou=EMEA,o=MyCompany                 23,324
cn=LDAPtoNotes,cn=driverset2,ou=dirxml,ou=APAC,o=MyCompany               24,918
cn=SunOneDB,cn=driverset3,ou=dirxml,ou=USA,o=MyCompany                   25,831
cn=LDAP Store,cn=driverset3,ou=dirxml,ou=USA,o=MyCompany                  2,718
cn=NewProjectDB,cn=driverset3,ou=dirxml,ou=USA,o=MyCompany                    6

                                                        Grand Total:   146,370

Objects with no associations: 4 (Exceptions.txt)

Objects with duplicate associations: 1 (Errors.txt)

Output File: Associations_By_Account.csv

The field layout for this csv file is as follows:-

<object CN> <Object Full DN> <Object Reverse RDN> <Association Data> <Association Data> <Association Data>

There will be a set of <Association Data> for each unique IDM driver found in the input LDIF file.

Each set of <Association Data> contains 3 data fields:-

  1. Will contain the word ‘Present’ if an association exists for this driver.
  2. A number which represents the Association’s State
  3. If the association has been completed, this field will contain the GUID of the associated object in the target application

Each of these fields may or may not be populated depending on the presence of an association for that driver and the state of the association.

Because the output file contains a ‘Reverse RDN’ field, you will be able to sort the output into container order, useful for non-flat Trees and ‘Data Vaults’.

NOTE: Make sure to exclude the IDM Driver names heading line when sorting the CSV output.

Output File: Associations_By_Account_(Compact).csv

This report shows the DirXML driver association in alphabetical object order.

<object CN> <Association GUID> <Association GUID> <Association GUID>

Output File: Associations_By_Account_ShortDRName.csv

NOTE: The only difference between this report and the first report is that the DirXML driver names are shown as the CN only and not the full RDN. This was almost not worth creating but it’s easy enough to churn out at the same time and is a little easier to view than the main report.

<object CN> <Object Full DN> <Object Reverse RDN> <Association Data> <Association Data> <Association Data>

Output File: Exceptions.txt

This file contains a list of objects without any DirXML associations.

Output File: Errors.txt

This file contains a list of objects that have multiple associations for the same driver.


The ACCOUNTS and ASSOCS databases created by this program are of the standard PERL NDB type and may be of use to other programmers. Rough file descriptors for these databases appear at the end of the program pl file.
The program can accept a file with lines terminated by carriage-return+newline (ascii 13 & 10) or with just newline (ascii 10) or a mixture of both.

This program DOES NOT accept CSV (comma separated value) files as input.

WARNING: The program will delete any files matching the following names from the program ‘run’ directory WITHOUT prompting you:-


Example Input File:

version: 1
dn: cn=s114969,ou=people,o=Novell
DirXML-Associations: cn=PeopleSoft40,cn=driverset1,ou=dirxml,ou=EMEA,o=MyCompa
DirXML-Associations: cn=ActiveDir,cn=driverset1,ou=dirxml,ou=EMEA,o=MyCompany#
DirXML-Associations: cn=NT Domain,cn=driverset1,ou=dirxml,ou=EMEA,o=MyCompany#
DirXML-Associations: cn=ORACLE DB,cn=driverset1,ou=dirxml,ou=EMEA,o=MyCompany#
DirXML-Associations: LDAPtoNotes,cn=driverset2,ou=dirxml,ou=APAC,o=MyCompany#
DirXML-Associations: cn=Notes3,cn=driverset,ou=dirxml,o=services#1#DC90EF89D71

NOTE: This input file has been modified. Do not take the GUIDs as an example of how the specific applications represent their association values.
NOTE: The program will accept input files with or without ‘changetype’ lines.
NOTE: When using ConsoleOne to create the LDIF file, it is normal for the lines to wrap at column 79. The program expects this wrap so do not modify the input LDIF file. A file called ‘Fixed.txt’ will be created by the program. This is a modified version of the input LDIF file with the ‘wrapped’ lines joined into single lines.
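
The sketch below is an added example, written in Python rather than taken from the PERL program, showing the core of the analysis described above: joining wrapped lines, splitting each DirXML-Associations value into driver, state and association, counting per driver, and listing objects with no association or with duplicates. It assumes that a wrapped line continues on a line starting with a single space, that values are plain text, and that the ‘reverse RDN’ is simply the DN components in reverse order; the function names and the sample data are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample export (not from the page); CRLF and LF endings are mixed on purpose.
SAMPLE_LDIF = (
    "version: 1\r\n\r\n"
    "dn: cn=alice,ou=people,o=Example\r\n"
    "DirXML-Associations: cn=ActiveDir,cn=driverset1,ou=dirxml,o=Example#1#A1B2C3\r\n"
    "DirXML-Associations: cn=LDAP Store,cn=driverset1,ou=dirxml,o=Example#1#D4\n"
    " E5F6\n\n"
    "dn: cn=bob,ou=people,o=Example\n"
    "DirXML-Associations: cn=ActiveDir,cn=driverset1,ou=dirxml,o=Example#1#111111\n"
    "DirXML-Associations: cn=ActiveDir,cn=driverset1,ou=dirxml,o=Example#1#222222\n\n"
    "dn: cn=carol,ou=staff,o=Example\n\n"
    "dn: cn=dave,ou=people,o=Example\n"
)

def unfold(text):
    """Join wrapped lines; assumes a continuation line starts with one space."""
    lines = []
    for raw in re.split(r"\r?\n", text):      # accepts CRLF, LF or a mixture
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def reverse_rdn(dn):
    """Reverse the RDN order so sorting groups objects by container (assumed layout)."""
    return ",".join(reversed(re.split(r"(?<!\\),", dn)))

def analyse(text):
    totals, objects, current = Counter(), {}, None
    for line in unfold(text):
        attr, _, value = (part.strip() for part in line.partition(":"))
        if attr.lower() == "dn":
            current = objects.setdefault(value, defaultdict(list))
        elif attr.lower() == "dirxml-associations" and current is not None:
            # Value layout seen in the page's sample: <driver DN>#<state>#<association>
            driver, state, assoc = (value.split("#", 2) + ["", ""])[:3]
            current[driver].append((state, assoc))
            totals[driver] += 1
    exceptions = sorted((dn for dn, d in objects.items() if not d), key=reverse_rdn)
    errors = sorted((dn, drv) for dn, d in objects.items()
                    for drv, vals in d.items() if len(vals) > 1)
    return totals, exceptions, errors

if __name__ == "__main__":
    print(analyse(SAMPLE_LDIF))
```

Objects that appear in the exceptions or errors lists are the ones worth reviewing first, since a missing or duplicated association means the account is not linked one-to-one with the connected system.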

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Dec 13, 2007
11:58 am