sivaramtm Super Contributor.

How to read a Group member getting added currently in Active Directory using AD driver

Hi,

The code below is fetching the member from the Group which sits on top or is sorted first, instead of the currently added member.

Need to know how to read the current member which is getting added.

<rule>
<description>Watchdog - read group member </description>
<conditions>
<and>
<if-class-name op="equal">Group</if-class-name>
<if-operation mode="nocase" op="equal">modify</if-operation>
<if-op-attr name="Member" op="available"/>
</and>
</conditions>
<actions>
<do-trace-message>
<arg-string>
<token-text xml:space="preserve">Group membership is added or removed in ACTIVEDIRECTORY</token-text>
<token-src-dn/>
<token-text xml:space="preserve">Member</token-text>
<token-attr name="Member"/>
</arg-string>
</do-trace-message>

<do-veto/>
</actions>
</rule>

Thanks

Sivaram T

0 Likes

Accepted Solutions
Knowledge Partner

Re: How to read a Group member getting added currently in Active Directory using AD driver

Hi,

Have you changed the value "Enable DirSync incremental values" to true on the driver properties page?

It defaults to false and needs to be changed to process only changes instead of all values.

I think you need this to accomplish what you are after.


" Name: enable-incremental-values
Type: enum
Description:
Ordinarily, the Publisher channel receives all values of a multi-valued attribute. Enabling this option reports only the added or deleted values during the poll interval. Requires 2003 Forest functional mode. "

Knowledge Partner

Re: How to read a Group member getting added currently in Active Directory using AD driver

You can't do that in a rule.
You need to add the group in the filter and the groupmembership attribute.
Then the remote loader will automatically read all changes of that attribute from the AD replication cache.
There is a setting in the driver to only get changes and that is probably what you need.

Best luck.
0 Likes
sivaramtm Super Contributor.

Re: How to read a Group member getting added currently in Active Directory using AD driver

I have added the group and member in the filter but did not have any luck.

Thanks

Sivaram T

0 Likes
Satz Respected Contributor.

Re: How to read a Group member getting added currently in Active Directory using AD driver

Are you not getting the membership change event in the driver?

0 Likes
sivaramtm Super Contributor.

Re: How to read a Group member getting added currently in Active Directory using AD driver

I am getting the event and also the members of the group, but the issue is that instead of getting the member added at present I am getting all members in alphabetical order, so there is no way to identify which member has been added at present.

Thanks

Sivaram T

0 Likes
Satz Respected Contributor.

Re: How to read a Group member getting added currently in Active Directory using AD driver

You can create and sync those groups in eDirectory.

Then you can take the operation attribute of the groupmembership value of the user, as below:

<rule>
<description>Modify</description>
<comment xml:space="preserve">Modify User add group membership</comment>
<conditions>
<and>
<if-class-name op="equal">User</if-class-name>
<if-operation mode="nocase" op="equal">modify</if-operation>
<if-op-attr name="Group Membership" op="changing"/>
<if-xpath op="true">(modify-attr[@attr-name="Group Membership"]/add-value/value)</if-xpath>
</and>
</conditions>
<actions>
<do-trace-message level="5">
<arg-string>
<token-text xml:space="preserve">Group Membership are adding</token-text>
</arg-string>
</do-trace-message>
</actions>
</rule>

Let me know if it helps you out.

0 Likes
sivaramtm Super Contributor.

Re: How to read a Group member getting added currently in Active Directory using AD driver

Thanks for the quick reply. I don't want to sync the members to eDirectory; I just want to read the present member and then delete the member from AD. So I have written the below in the input transformation policy of the publisher channel. So is it possible to just read the member without syncing to eDirectory?

<rule>
<description>Watchdog - read group member </description>
<conditions>
<and>
<if-class-name op="equal">Group</if-class-name>
<if-operation mode="nocase" op="equal">modify</if-operation>
<if-op-attr name="Member" op="available"/>
</and>
</conditions>
<actions>
<do-trace-message>
<arg-string>
<token-text xml:space="preserve">Group membership is added or removed in ACTIVEDIRECTORY</token-text>
<token-src-dn/>
<token-text xml:space="preserve">Member</token-text>
<token-attr name="Member"/>
</arg-string>
</do-trace-message>

<do-veto/>
</actions>
</rule>

Thanks

Sivaram T

0 Likes

Knowledge Partner

Re: How to read a Group member getting added currently in Active Directory using AD driver


I agree with Joakim. With this set to false a Group member change in AD sends all members in every change event. With it set to true, you get only the changes. Much better.

However, to make this sporty, the XML for the Driver Configuration (no GUI editor, have to click Edit XML) has a tag of hide='true' which means it is there, set to false, but does not show up in the GUI editor. How annoying!

So if you do not see it, click Edit XML, jump to the bottom and look for it in the XML, remove the hide='true' (or is it hidden? Whatever, you will see what I mean), save, and then it should show up in the GUI.

This was fixed in later packages, but surprisingly recently all things considered.

0 Likes
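
With incremental values enabled as described above, the modify event carries only the values that changed, so a rule can walk the add-value and remove-value entries of the operation directly. The rule below is an added example, not code from any poster in this thread; it reuses the XPath pattern from the earlier reply, and it assumes the attribute appears as "Member" in the event at the point where the policy runs (check the driver trace and adjust attr-name if it does not).

```xml
<rule>
  <description>Watchdog - trace each added or removed group member</description>
  <comment xml:space="preserve">Added example. Assumes incremental values are enabled and the attribute is named Member in the event.</comment>
  <conditions>
    <and>
      <if-class-name op="equal">Group</if-class-name>
      <if-operation mode="nocase" op="equal">modify</if-operation>
      <if-op-attr name="Member" op="changing"/>
    </and>
  </conditions>
  <actions>
    <!-- One trace line per value the event reports as added -->
    <do-for-each>
      <arg-node-set>
        <token-xpath expression='modify-attr[@attr-name="Member"]/add-value/value'/>
      </arg-node-set>
      <arg-actions>
        <do-trace-message>
          <arg-string>
            <token-text xml:space="preserve">Member added to </token-text>
            <token-src-dn/>
            <token-text xml:space="preserve">: </token-text>
            <token-local-variable name="current-node"/>
          </arg-string>
        </do-trace-message>
      </arg-actions>
    </do-for-each>
    <!-- One trace line per value the event reports as removed -->
    <do-for-each>
      <arg-node-set>
        <token-xpath expression='modify-attr[@attr-name="Member"]/remove-value/value'/>
      </arg-node-set>
      <arg-actions>
        <do-trace-message>
          <arg-string>
            <token-text xml:space="preserve">Member removed from </token-text>
            <token-src-dn/>
            <token-text xml:space="preserve">: </token-text>
            <token-local-variable name="current-node"/>
          </arg-string>
        </do-trace-message>
      </arg-actions>
    </do-for-each>
    <!-- Stop the event here so nothing is synchronized to eDirectory -->
    <do-veto/>
  </actions>
</rule>
```

If the trace still lists every member of the group on each change, the event is not incremental and the driver setting has not taken effect.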
sivaramtm Super Contributor.

Re: How to read a Group member getting added currently in Active Directory using AD driver

Yes, I did it. By default it is in a hidden state, so I changed the hide value to false and then it showed up in the Designer UI. Thanks for the help.

Regards

Sivaram T

0 Likes
Knowledge Partner

Re: How to read a Group member getting added currently in Active Directory using AD driver

They did finally remove the hide=true from later AD Driver packages. But the way those settings are delivered is through Initial Settings (in Package Developer mode) and it is not clear how that updates existing settings.

0 Likes