A Forum reader recently asked:

“I am trying to get users that come from eDirectory to MAD to be assigned to specific groups. I have over 100 schools. The MAD Network Admin created 5 groups per campus. Each Group name starts with the School OU name. The rest of name is the same for each school. The MAD Network Admin wants me to have the users automatically assigned to group membership.”

And here’s the response from Jim Willeke …

I would suggest that you shy away from basing driver logic on DNs. You may want to place a value on the group that represents the School OU name and simply do a search for the groups you wish to work with. AFAIK, the location attribute “L” should work for this.

Below is some code we use (Father Ramon helped with this) to do placement. Based on an attribute in the IDV, we needed to place the entry within different OUs. You should be able to adapt this to work for groups.

In this example, there is a custom “locationID” attribute with a matching value on the OU. For instance, with an OU that has locationID=Sales, we could put all users that have the value “Sales” for locationID into the OU that possesses the same locationID value. Note that the OUs may have more than one value for locationID.

<do-set-local-variable name="user-locID">
	<arg-string>
		<token-src-attr name="locationID"/>
	</arg-string>
</do-set-local-variable>
<do-set-local-variable name="placement-ou-dn">
	<arg-string>
		<token-xpath expression='query:search($destQueryProcessor,
			"~SearchScope~", "", "~SearchBase~", "Organizational Unit",
			"locationID", $user-locID, "")[1]/@src-dn'/>
	</arg-string>
</do-set-local-variable>

… where “SearchBase” and “SearchScope” are GCVs (set SearchScope to “subtree” and leave SearchBase empty to search the whole tree). This assumes you put the policy on the publisher channel on the destination tree’s driver.
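One way to adapt the attribute-match idea above to the group case in the question, written here as an added example that is not part of Jim's post: a Subscriber Command Transformation rule for the AD driver that queries the destination for every Group whose L equals the user's L and adds the user to each, so no DN string is ever parsed. It assumes the campus groups carry the school OU name in L (the same value the user's L holds), that the query results expose src-dn as the placement snippet above relies on, and that attribute names are still in the eDirectory namespace because schema mapping runs after this policy.

```xml
<!-- Added example (not from the original post): Subscriber Command Transformation
     rule for the AD driver. Assumes the user's L holds the school OU name and each
     campus group carries the same value in L; attribute names (L, Member, Group) are
     in the eDirectory namespace because schema mapping is applied after this policy. -->
<rule>
	<description>Add a new user to every campus group whose L matches the user's L</description>
	<conditions>
		<and>
			<if-class-name op="equal">User</if-class-name>
			<if-operation op="equal">add</if-operation>
			<if-src-attr name="L" op="available"/>
		</and>
	</conditions>
	<actions>
		<do-set-local-variable name="school-groups">
			<arg-node-set>
				<!-- search the destination (AD) for Group objects whose L equals the user's L -->
				<token-query class-name="Group" datastore="dest" scope="subtree">
					<arg-match-attr name="L">
						<arg-value type="string">
							<token-src-attr name="L"/>
						</arg-value>
					</arg-match-attr>
				</token-query>
			</arg-node-set>
		</do-set-local-variable>
		<do-for-each>
			<arg-node-set>
				<token-local-variable name="school-groups"/>
			</arg-node-set>
			<arg-actions>
				<!-- when="after": the membership write is issued once the user add has gone through,
				     so the user's destination DN exists before it is added as a member -->
				<do-add-dest-attr-value class-name="Group" name="Member" when="after">
					<arg-dn>
						<token-xpath expression="$current-node/@src-dn"/>
					</arg-dn>
					<arg-value type="string">
						<token-dest-dn/>
					</arg-value>
				</do-add-dest-attr-value>
			</arg-actions>
		</do-for-each>
	</actions>
</rule>
```

Because the rule is driven by an attribute value rather than the group's position in the tree, a campus's groups can be renamed or moved without touching the policy, and a mistyped L on a group simply results in no matches rather than a user landing in the wrong school's groups.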


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: jwilleke
May 23, 2007
8:59 am