How to read a group member that is currently being added in Active Directory using the AD driver

Hi,

The code below is fetching the member from the Group that sits on top or is sorted first, instead of the currently added member.

I need to know how to read the current member that is being added.

<rule>
  <description>Watchdog - read group member</description>
  <conditions>
    <and>
      <if-class-name op="equal">Group</if-class-name>
      <if-operation mode="nocase" op="equal">modify</if-operation>
      <if-op-attr name="Member" op="available"/>
    </and>
  </conditions>
  <actions>
    <do-trace-message>
      <arg-string>
        <token-text xml:space="preserve">Group membership is added or removed in ACTIVEDIRECTORY</token-text>
        <token-src-dn/>
        <token-text xml:space="preserve">Member</token-text>
        <token-attr name="Member"/>
      </arg-string>
    </do-trace-message>
    <do-veto/>
  </actions>
</rule>

Thanks

Sivaram T

  • You can't do that in a rule.
    You need to add the group in the filter and the groupmembership attribute.
    Then the Remote Loader will automatically read all changes of that attribute from the AD replication cache.
    There is a setting in the driver to only get changes, and that is probably what you need.

    Best of luck.
  • I have added the group and member in the filter but did not have any luck.

    Thanks

    Sivaram T

  • Are you not getting the membership change event in the driver?

  • I am getting the event and also the members of the group, but the issue is that instead of getting the presently added member I am getting all members in alphabetical order, so there is no way to identify which member has been added at present.

    Thanks

    Sivaram T

  • You can create and sync those groups in eDirectory.

    Then you can take the operation attribute of the Group Membership value of the user, like below:

    <rule>
      <description>Modify</description>
      <comment xml:space="preserve">Modify User add group membership</comment>
      <conditions>
        <and>
          <if-class-name op="equal">User</if-class-name>
          <if-operation mode="nocase" op="equal">modify</if-operation>
          <if-op-attr name="Group Membership" op="changing"/>
          <if-xpath op="true">(modify-attr[@attr-name="Group Membership"]/add-value/value)</if-xpath>
        </and>
      </conditions>
      <actions>
        <do-trace-message level="5">
          <arg-string>
            <token-text xml:space="preserve">Group Membership are adding</token-text>
          </arg-string>
        </do-trace-message>
      </actions>
    </rule>

    Let me know if it helps you out.

  • Thanks for the quick reply. I don't want to sync the members to eDirectory; I just want to read the present member and then delete the member from AD. So I have written the below in the Input Transformation policy of the Publisher channel. Is it possible to just read the member without syncing to eDirectory?

    <rule>
      <description>Watchdog - read group member</description>
      <conditions>
        <and>
          <if-class-name op="equal">Group</if-class-name>
          <if-operation mode="nocase" op="equal">modify</if-operation>
          <if-op-attr name="Member" op="available"/>
        </and>
      </conditions>
      <actions>
        <do-trace-message>
          <arg-string>
            <token-text xml:space="preserve">Group membership is added or removed in ACTIVEDIRECTORY</token-text>
            <token-src-dn/>
            <token-text xml:space="preserve">Member</token-text>
            <token-attr name="Member"/>
          </arg-string>
        </do-trace-message>
        <do-veto/>
      </actions>
    </rule>

    Thanks

    Sivaram T


  • Verified Answer

    Hi,


    Have you changed the value "Enable DirSync incremental values" to true on the driver properties page?

    It defaults to false and needs to be changed to only process changes instead of all values.

    I think you need this to accomplish what you are after.


    "Name: enable-incremental-values
    Type: enum
    Description:
    Ordinarily, the Publisher channel receives all values of a multi-valued attribute. Enabling this option reports only the added or deleted values during the poll interval. Requires 2003 Forest functional mode."
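A worked policy rule, added here as an example and not code from the thread or from the AD driver package: once enable-incremental-values is true, the Publisher modify event carries only the changed Member values under modify-attr/add-value and remove-value, and this Input Transformation rule loops over exactly those nodes instead of using token-attr, which resolves to all current values of the attribute. The description text and trace level are assumptions; the do-veto is kept from the original post, since the poster only wants to read the event, not sync it to eDirectory.

```xml
<!-- Added example. With enable-incremental-values = false the AD driver typically
     reports every member under <add-value> (after <remove-all-values/>), which is
     why the original token-attr / if-op-attr rule only ever showed the full sorted list. -->
<rule>
  <description>Watchdog - trace changed group members</description>
  <conditions>
    <and>
      <if-class-name op="equal">Group</if-class-name>
      <if-operation mode="nocase" op="equal">modify</if-operation>
      <!-- fire only when at least one individual Member value is added or removed -->
      <if-xpath op="true">modify-attr[@attr-name='Member']/add-value/value | modify-attr[@attr-name='Member']/remove-value/value</if-xpath>
    </and>
  </conditions>
  <actions>
    <!-- one iteration per added member; current-node holds that <value> node -->
    <do-for-each>
      <arg-node-set>
        <token-xpath expression="modify-attr[@attr-name='Member']/add-value/value"/>
      </arg-node-set>
      <arg-actions>
        <do-trace-message level="3">
          <arg-string>
            <token-text xml:space="preserve">Member added to group </token-text>
            <token-src-dn/>
            <token-text xml:space="preserve">: </token-text>
            <token-local-variable name="current-node"/>
          </arg-string>
        </do-trace-message>
      </arg-actions>
    </do-for-each>
    <!-- one iteration per removed member -->
    <do-for-each>
      <arg-node-set>
        <token-xpath expression="modify-attr[@attr-name='Member']/remove-value/value"/>
      </arg-node-set>
      <arg-actions>
        <do-trace-message level="3">
          <arg-string>
            <token-text xml:space="preserve">Member removed from group </token-text>
            <token-src-dn/>
            <token-text xml:space="preserve">: </token-text>
            <token-local-variable name="current-node"/>
          </arg-string>
        </do-trace-message>
      </arg-actions>
    </do-for-each>
    <!-- kept from the original post: read the event only, do not sync it to eDirectory -->
    <do-veto/>
  </actions>
</rule>
```

Each traced value is the member's DN as delivered by the driver; check the trace at level 3 or higher after a single membership change to confirm that only that one value appears.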

  • I agree with Joakim. With this set to false, a Group member change in AD sends all members in every change event. With it set to true, you get only the changes. Much better.


    However, to make this sporty, the XML for the Driver Configuration (no GUI editor, you have to click Edit XML) has a tag of hide='true', which means it is there, set to false, but does not show up in the GUI editor. How annoying!


    So if you do not see it, click Edit XML, jump to the bottom and look for it in the XML, remove the hide='true' (or is it hidden? Whatever, you will see what I mean), save, and then it should show up in the GUI.


    This was fixed in later packages, but surprisingly recently, all things considered.


  • Yes, I did it. By default it is in a hidden state, so I changed the hide value to false and then it showed up in the Designer UI. Thanks for the help.

    Regards

    Sivaram T

  • They did finally remove the hide=true from later AD Driver packages. But the way those settings are delivered is through Initial Settings (in Package Developer mode), and it is not clear how that updates existing settings.