Group Membership is not syncing or notifying in the logs when there's a group modification on Active Directory side. It's like the event is not being sent to IDM.

Configuration and testing

I've tried the configuration shown in the image attached. Also tried with "Notify" in the publisher side and with "ignore" in the subscriber side.

  • The testing was removing and adding groups to a synced user in Active Directory.
  • I've also tested adding groups to that same user via User Application, just to check if at least the subscriber channel was working, and the log captured the event just fine.
  • I've also tried merge authority set to "application" and "default".
  • Log level is 5
  • Other attributes sync/notify fine
  • Both IDM and Active Directory have the same groups each time I test. (I've also tested with them having different groups, but this brought me some trouble on the subscriber side)

Any help will be appreciated here. Thanks!

    eDir has 4 attributes for group membership but only two are relevant here.

    AD only has 1.  And it is on the Group, not the user.

    For AD to event on a group change the group has to be in the filter, with the Member attribute set to Pub sync.  Your image does not include that.


    Side note: Images of trace are kind of pointless.  Look at the file, snip the text and paste it into a code block (in the Post editor here, hit the ellipsis (... 3 dots button) and there is a <./> icon for pasting code snippets).


  • Thank you very much! That worked. The group filter was not configured.

  • There IS an attribute in AD on the user, memberOf, however it is a dynamic lookup that returns only when you look at it.  Sort of like an LDAP dynamic group that is not per se stored, rather when you look at it, a query is performed and you see the results.

    Thus you cannot event upon it, like you can in eDir when it is a proper attribute.
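As an added check that is not part of this thread or the IDM product, the Python below parses a driver filter in the IDM `<filter>/<filter-class>/<filter-attr>` XML form and reports whether an AD group change can reach the publisher channel at all: the Group class must be in the filter with its Member attribute set to sync or notify on the publisher side, because AD stores membership on the group and the user's memberOf is computed on read. The two sample filters are constructed for the example and mirror the broken and fixed configurations described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: User class only, the misconfiguration from the thread.
FILTER_USER_ONLY = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Group Membership" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="Surname" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>"""

# Constructed sample: Group class added with Member on publisher sync.
FILTER_WITH_GROUP = """<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Group Membership" publisher="sync" subscriber="sync"/>
  </filter-class>
  <filter-class class-name="Group" publisher="sync" subscriber="sync">
    <filter-attr attr-name="Member" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>"""

# Publisher settings on an attribute that produce an event in trace.
ATTR_EVENTING = {"sync", "notify"}


def group_membership_events_reach_publisher(filter_xml):
    """Return (ok, reason) for whether AD group changes can event on the
    publisher channel. Assumes the standard IDM filter element names."""
    root = ET.fromstring(filter_xml)
    if root.tag != "filter":
        raise ValueError("not an IDM filter document")
    for cls in root.findall("filter-class"):
        if cls.get("class-name") != "Group":
            continue
        # The class itself must be published, or its attributes never matter.
        if cls.get("publisher") != "sync":
            return False, "Group class present but publisher=%r" % cls.get("publisher")
        for attr in cls.findall("filter-attr"):
            if attr.get("attr-name") == "Member":
                pub = attr.get("publisher")
                if pub in ATTR_EVENTING:
                    return True, "Group/Member publisher=%s" % pub
                return False, "Group/Member publisher=%r, needs sync or notify" % pub
        return False, "Group class present but Member attribute not in filter"
    # No Group class at all: AD keeps membership on the group object, so a
    # User-only filter (even with Group Membership on the user) sees nothing.
    return False, "Group class not in filter; AD membership lives on the group"


if __name__ == "__main__":
    for name, f in (("user-only", FILTER_USER_ONLY), ("with-group", FILTER_WITH_GROUP)):
        print(name, group_membership_events_reach_publisher(f))
```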