Google Apps Group Entitlement with subdomains


We are looking at working with Google Apps driver (IDM 4.7.1) and use Group Entitlement. We have multiple domains in our Google setup, but the code map refresh query is somehow limited to the primary domain.

Below is a snippet of the trace (level 10):
[11/24/18 23:45:56.880]:Google Apps ST:execute
[11/24/18 23:45:56.880]:Google Apps ST:
<nds dtdversion="2.0">
<query class-name="Group" event-id="0" scope="subtree">
<search-class class-name="Group"/>
<read-attr attr-name="Description"/>
<read-attr attr-name="Name"/>
[11/24/18 23:45:56.895]:Google Apps ST:connect
[11/24/18 23:45:56.895]:Google Apps ST:dispatch
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: association == null
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: class-name == 'Group'
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: dest-dn == null
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: event-id == '0'
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: max-result-count == 2147483647
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: qualified-src-dn == null
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: scope == 'subtree'
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: src-dn == null
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: src-entry-id == null
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: Adding Description to read attrs
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: read-attr == 'Description'
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: Adding Name to read attrs
[11/24/18 23:45:56.895]:Google Apps ST:queryHandler: read-attr == 'Name'
[11/24/18 23:45:56.895]:Google Apps ST:Processing search criteria
[11/24/18 23:45:56.895]:Google Apps ST:GMailShim queryHandler(): Query for Group object
[11/24/18 23:45:56.895]:Google Apps ST:GMailShim queryHandler(): Search Attribute: null
[11/24/18 23:45:56.895]:Google Apps ST:GMailShim queryHandler(): Association: null
[11/24/18 23:45:56.895]:Google Apps ST:DirectoryAppClient.retrieveAllGroups(): Domain = null; Filter User = null
[11/24/18 23:45:56.895]:Google Apps ST:DirectoryAppClient.retrieveAllGroups(): No domain specified. Using default = ourhiddendomain.com
[11/24/18 23:45:58.786]:Google Apps ST:DirectoryAppClient.getGroupsSettingsByEmailAddress(): Email Address = group1@ourhiddendomain.com
[11/24/18 23:45:59.052]:Google Apps ST:DirectoryAppClient.getGroupsSettingsByEmailAddress(): Email Address = group2@ourhiddendomain.com
[11/24/18 23:45:59.333]:Google Apps ST:DirectoryAppClient.getGroupsSettingsByEmailAddress(): Email Address = group3@ourhiddendomain.com
[11/24/18 23:45:59.599]:Google Apps ST:DirectoryAppClient.getGroupsSettingsByEmailAddress(): Email Address = group4@ourhiddendomain.com
[11/24/18 23:45:59.864]:Google Apps ST:DirectoryAppClient.getGroupsSettingsByEmailAddress(): Email Address = group5@ourhiddendomain.com
[11/24/18 23:46:00.146]:Google Apps ST:DirectoryAppClient.getGroupsSettingsByEmailAddress(): Email Address = group6@ourhiddendomain.com
[11/24/18 23:46:00.427]:Google Apps ST:DirectoryAppClient.getGroupsSettingsByEmailAddress(): Email Address = group7@ourhiddendomain.com
[11/24/18 23:46:00.708]:Google Apps ST:Processed 7 group results
[11/24/18 23:46:00.708]:Google Apps ST:SubscriptionShim.execute() returned:
[11/24/18 23:46:00.708]:Google Apps ST:
<nds dtdversion="3.0">
<product build="20170126_1523" instance="Google Apps" version="">GMail Driver</product>
<contact>NetIQ Corporation</contact>
<instance class-name="Group">
<attr attr-name="Name">
<value>Some group</value>
<status event-id="0" level="success" type="driver-status"/>

The important part being "No domain specified. Using default = ourhiddendomain.com". So it only queries this specific domain, and I cannot find a way to make it query for other domains.

Please help me 🙂

Best Regards
Labels (1)
3 Replies
Absent Member.
Absent Member.


It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run and that if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
all the other self support options and support programs available.
- Open a service request: https://www.microfocus.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.microfocus.com)
- You might consider hiring a local partner to assist you.

Be sure to read the forum FAQ about what to expect in the way of responses:

Sometimes this automatic posting will alert someone that can respond.

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your Micro Focus Forums Team

Cadet 1st Class
Cadet 1st Class

Did you ever figure out how to specify domain in the group query?



I had an SR open with Micro Focus, and it is not possible to query for groups in subdomains/other domains with the Google Apps shim.

Suggested approach from Micro Focus was to setup separate drivers for each subdomain in the Google setup, but this is not possible for us as we have a lot of different domains in Google.

As this was for the group entitlement, what I did was I setup GAM on schedule to get all groups from the Google tenant and put it in a text file. This text file is then imported to IDV using a text driver of your choice (we use the Generic File Driver) and add it to a simple list object where the groups are put in a structured format in a multivalue attribute. For example the attribute L on the list object contains similar to:


Then I added some policies to the Google driver to append these values on the group entitlement refresh from the list object, so IDM thinks they get all groups from the Google shim, but actually it receives groups from the primary domain from the shim and the rest from the list object. This works fine, but it is a bit ugly.

Best regards


The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.