Identity Manager stores an association value on each eDirectory object for each connected system.

The association value is meant to be connected in a system-specific way, and uniquely within it. Each driver handles this slightly differently.

I think it would be nice to have the complete list. Here are the ones I know about so far. If you know any more, please email me to add to the list! Or respond in the comments, or send me a personal message via Cool Solutions. All will work

Driver Association Value
eDirectory eDirectory GUID value
Active Directory Active Directory GUID
Lotus Notes UNID (Notes Universal ID) (32 char string), see Lothars comments down below for how to find the UNID value within Lotus Notes.
GroupWise NGW: GroupWise ID, this is a string with three parts, DOM.PO.UserName{xxx}GUIDValue I do not know what the {xxx} means, nor whose GUID but everybody in a GW system seems to have the same values.
Delimited Text email address, but you almost always change that
JDBC Primary Key value
PeopleSoft EMPLID (eDirs workforceID)
SAP HR PERNUM (eDir workForceID) for users, or one letter for object type followed by the OBJID (and leading zeroes are not removed, so an Position’s value might be S00001234)
Older SAP UM “USd” followed by the SAP username
Newer SAP UM With the CMP release, the SAP UM driver has a couple more modes. It still supports the old format, but now uses a new format of \SytemName\USdSAPUSERNAME which is the old value preceeded by the System name. Docs are here
Bidirectional AS400 USRPRF in the AS400 (basically the username)
Bidirectional Linux/Unix usernameUser (Username value followed by literal string “User” no spaces. Same for groups, just the string is “Group”
Bidirectional RACF (Mainframe) “USER\userid” or “GROUP\groupid”
Bidirectional TopSecret eDir CN
Fanout GUID of the user or group and then maintains its own “association”, a multi-valued field, one per platform, which is just the “CN”
Loopback/Null By default nothing, but you can add whatever you like
eXtend Composer shims Whatever you set it to be, no default
User Application Everybody gets the same value, “AnAssociation”
Scripting No real default, whatever you set it to be
LDAP LDAP DN of the user, like cn=bob,o=acme
JMS Driver GUID & Message ID
Avaya PBX /DRIVERNAME/workorderCN Time like /Avaya PBX/avaya.test07 01/19/2009 09:24:49:0756
Work Order Workorder driver name, the workorder CN + creation date/timestamp, e.g “\MyWorkorderDriver\MyWorkorder 1/14/2009 15:23
Remedy Schema name and request ID of the entry

Third Party Drivers

Third Party Driver Association Value
Google Apps by Concensus Consulting Older versions used Google Username. (now supports renames! Yay!)
Google Apps in IDM 4.01 by Concensus Consulting New versions use:
SIF v4 from Concensus Consulting SIF GUID, which is owned/generated by the Student Information System through its SIF agent.
Banner HR driver by Concensus Consulting Banners psID which is part of each SOAP message
Pulsen Snapshot Driver V3 by Pulsen LDAP: Any attribute value available in the application (including dn).
ODBC: Any column value available in the result set or a concatenated value from two or more columns (since the association is taken from one column in a result set and not a table it could be anything that a SQL statement can generate).
HL7 Driver from EST Group A derived value to insure uniqueness
Google Apps Driver from EST Group Full domain address of the destination domain
Tivoli Access Manager Driver from EST Group Source DN of the object, since there is nothing unique that TAM provides
SOAP When you remap the SOAP to XDS, you need to build the association value, so its whatever you choose, hopefully some kind of unique database ID.

Here are the known drivers we are missing values for:

Driver Association Value
SIF v3 Not sure, but driver deprecated

Did I miss any drivers? I know there are custom ones out there, so if you know of any let me know! But also lets focus on Novell provided ones

Shout out via the comments if you know one that we are missing! Feel free to email me, or send me a message via Cool Solutions if you would like.

2 votes, average: 5.00 out of 52 votes, average: 5.00 out of 52 votes, average: 5.00 out of 52 votes, average: 5.00 out of 52 votes, average: 5.00 out of 5 (2 votes, average: 5.00 out of 5)
You need to be a registered member to rate this post.

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply


  • tse7147 says:

    Driver: JDBC
    Association Value: Unique Key field value

  • florianz says:

    what is taken is the objectGUID (that´s the name of the ad-attribute).
    can be seen via adsiedit or sysinternals active directory explorer

    value of dirxml-ad-association

    sysinternals active directory explorer:

    0x84 0x7F …..

    • Alexander McHugh Alexander McHugh says:

      If you are using PowerShell, then here is a simple one-liner to get from the regular AD objectGUID/GUID to the association value.

      Note that it is not purely byte-flipped representation.

      [System.BitConverter]::ToString([System.GUID]::Parse('{6B29FC40-CA47-1067-B31D-00DD010662DA}').ToByteArray()).toLower() -replace '-'

      Just replace the value within the curly brackets with your own GUID.

      However if you want to do this manually (or in another programming language), the following is the plain English formula.

      1. Remove curly braces and hyphens.
      2. Reverse first 8 characters i.e. ‘6B29FC40′ becomes ’40fc296b’
      3. Reverse next 4 characters i.e. ‘CA47′ becomes ’47ca’
      4. Reverse next 4 characters i.e. ‘1067’ becomes ‘6710’
      5. Copy, unchanged the next 4 characters i.e. ‘B31D’ stays as ‘B31D’
      6. Copy, unchanged the next 12 characters i.e. ’00DD010662DA’ stays as ’00dd010662da’

      This example GUID {6B29FC40-CA47-1067-B31D-00DD010662DA} converts to: 40fc296b47ca6710b31d00dd010662da

      • florianz says:

        [System.BitConverter]::ToString([System.GUID]::Parse(@(Get-ADUser -LDAPFilter ‘(&(objectclass=person)(cn=user123))’ -Properties objectGUID | select -Property objectGUID).objectguid.guid).ToByteArray()).toLower() -replace ‘-‘

  • geoffc says:

    Bidirectional Linux-Unix driver users

    that is, it appends User or Group to the username in the Linux/Unix system.

    SAP HR driver uses the PERNUM (which we typically map to workforceID).

  • lhaeger says:

    The SAP UM driver uses an assocation value made of the fixed string “USd” + SAP username, so with a SAP username of “LHAEGER” my assocation would be “USdLHAEGER”

  • lhaeger says:

    The noted driver uses an association value that is a concatenation of thw first two ID values, as shown in the properties of any notes doc (on the tab with the propeller-helmet icon – or whatever it shall be). The first two letters (“OF” and “ON”) are left out, as well as the “:” in the middle of the IDs. So if your doc’s IDs are


    the association value will be 6D54E567C44A9B56678DE654A9845B44

  • florianz says:

    there´s an easier way to get the UNID in notes:

    click on the document (e.g. a person-document in names.nsf,..) and open the “meta”-tag (< +>). there is a string which contains the UNID in the second last field (as is in notes 7). take the last 32 numbers (just after the last “/”).

    full string:


  • jgdasilva says:

    The association value for the User Application driver is the text AnAssociation

  • geoffc says:

    Darn, I remember seeing that and thinking it was the other guy who did the UA drivers idea of a joke. Oh well. It does not need a unique value really, so any string would do I guess.

    I love funny names for variables, test users (Though my boss is awesome at those!), server names, etc.

  • vijaysat says:

    LDAP driver will use the object DN from the LDAP server.

    JMS server by default will use the Driver GUID & Message ID. if required this behavior can be changed.

  • lhaeger says:

    LDAP: DN of the object in the LDAP directory, e.g. “cn=surname\, givenname,dc=users,dc=acme”

    WorkOrder: name of the Workorder driver, the workorder + creation date/timestamp, e.g “\MyWorkorderDriver\MyWorkorder 1/14/2009 15:23”

  • lhaeger says:

    the leading letter indicating the SAP object type on non-user objects is added by an input transform in the default driver config (and not always removed in output transforms, which causes some queries to never return any results). The driver shim itself expects OBJID only, without any letter at the beginning.
    No idea why the default driver config adds the letters (human readability cannot be the only reason to unnecessarily complicate things that way, can it?), my driver works just fine with the unmodified values.

  • jkinney says:

    Association is the /DRIVERNAME/workorderCN Time

    i.e., – /Avaya PBX/avaya.test07 01/19/2009 09:24:49:0756

By: geoffc
Nov 6, 2009
6:50 am
Active Directory Authentication Automation Cloud Computing Cloud Security Configuration Customizing Data Breach DirXML Drivers End User Management Identity Manager Importing-Exporting / ICE/ LDIF Intelligent Workload Management IT Security Knowledge Depot LDAP Monitoring Open Enterprise Server Passwords Reporting Secure Access Supported Troubleshooting Workflow