
MS ADS Add dest attribute Group Member to current user


IDM 3.6.1

I would like to use an auxiliary attribute (Boolean) in the eDirectory
to add and remove users to an Active Directory Group.
The auxiliary attribute is in the schema and filter. Once the auxiliary
Attribute value is set to true, the existing user should be added as
member to the Group - But it won't work.

Any ideas or help would be appreciated



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\Program Files (x86)\Novell\Designer\plugins\com.novell.idm.policybuilder_3.5.0.200909160331\DTD\dirxmlscript3.6.1.dtd">
<policy>
  <rule>
    <description>Add dest attribute Group Member to current user</description>
    <conditions>
      <and>
        <if-operation mode="nocase" op="not-equal">delete</if-operation>
        <if-op-attr mode="nocase" name="auxmycompanyOfflineFolder" op="changing-to">TRUE</if-op-attr>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-add-dest-attr-value class-name="Group" name="Member">
        <arg-dn>
          <token-text xml:space="preserve">cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger</token-text>
        </arg-dn>
        <arg-value type="dn">
          <token-src-dn/>
        </arg-value>
      </do-add-dest-attr-value>
    </actions>
  </rule>
</policy>


L3 trace:

[04/01/14 11:51:54.969]:MSAD-DE ST:Start transaction.
[04/01/14 11:51:54.970]:MSAD-DE ST:Processing events for transaction.
[04/01/14 11:51:54.971]:MSAD-DE ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20140401095154.935Z" class-name="User"
event-id="idm-mh-brm02#20140401095154#3#1"
qualified-src-dn="O=mycompany\OU=DE\CN=me_Test"
src-dn="\mycompany-TREE\mycompany\DE\me_Test" src-entry-id="60271"
timestamp="1396345914#2">
<association
state="associated">87a070d8719e8b4fa505dd5a05149e9d</association>
<modify-attr attr-name="auxmycompanyOfflineFolder">
<remove-value>
<value timestamp="1396345867#2" type="state">false</value>
</remove-value>
<add-value>
<value timestamp="1396345914#2" type="state">true</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[04/01/14 11:51:54.973]:MSAD-DE ST:No event transformation policies.
[04/01/14 11:51:54.973]:MSAD-DE ST:Subscriber processing modify for
\mycompany-TREE\mycompany\DE\me_Test.
[04/01/14 11:51:54.973]:MSAD-DE ST:Applying command transformation
policies.
[04/01/14 11:51:54.973]:MSAD-DE ST:Applying policy:
%+C%14Csub-ctp-group-assignment-OfflineDrive%-C.
[04/01/14 11:51:54.974]:MSAD-DE ST: Applying to modify #1.
[04/01/14 11:51:54.974]:MSAD-DE ST: Evaluating selection criteria for
rule 'Add dest attribute Group Member to current user'.
[04/01/14 11:51:54.974]:MSAD-DE ST: (if-operation not-equal
"delete") = TRUE.
[04/01/14 11:51:54.974]:MSAD-DE ST: (if-op-attr
'auxmycompanyOfflineFolder' changing-to "TRUE") = TRUE.
[04/01/14 11:51:54.975]:MSAD-DE ST: (if-class-name equal "User") =
TRUE.
[04/01/14 11:51:54.975]:MSAD-DE ST: Rule selected.
[04/01/14 11:51:54.975]:MSAD-DE ST: Applying rule 'Add dest attribute
Group Member to current user'.
[04/01/14 11:51:54.975]:MSAD-DE ST: Action:
do-add-dest-attr-value("Member",class-name="Group",arg-dn("cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger"),token-src-dn()).
[04/01/14 11:51:54.975]:MSAD-DE ST:
arg-dn("cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger")
[04/01/14 11:51:54.976]:MSAD-DE ST:
token-text("cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger")
[04/01/14 11:51:54.976]:MSAD-DE ST: Arg Value:
"cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger".
[04/01/14 11:51:54.976]:MSAD-DE ST: arg-string(token-src-dn())
[04/01/14 11:51:54.976]:MSAD-DE ST: token-src-dn()
[04/01/14 11:51:54.977]:MSAD-DE ST: Token Value:
"\mycompany-TREE\mycompany\DE\me_Test".
[04/01/14 11:51:54.977]:MSAD-DE ST: Arg Value:
"\mycompany-TREE\mycompany\DE\me_Test".
[04/01/14 11:51:54.977]:MSAD-DE ST:Policy returned:
[04/01/14 11:51:54.977]:MSAD-DE ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20140401095154.935Z" class-name="User"
event-id="idm-mh-brm02#20140401095154#3#1"
qualified-src-dn="O=mycompany\OU=DE\CN=me_Test"
src-dn="\mycompany-TREE\mycompany\DE\me_Test" src-entry-id="60271"
timestamp="1396345914#2">
<association
state="associated">87a070d8719e8b4fa505dd5a05149e9d</association>
<modify-attr attr-name="auxmycompanyOfflineFolder">
<remove-value>
<value timestamp="1396345867#2" type="state">false</value>
</remove-value>
<add-value>
<value timestamp="1396345914#2" type="state">true</value>
</add-value>
</modify-attr>
</modify>
<modify class-name="Group"
dest-dn="cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger"
event-id="idm-mh-brm02#20140401095154#3#1">
<modify-attr attr-name="Member">
<add-value>
<value type="dn">\mycompany-TREE\mycompany\DE\me_Test</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>


--
Laude_Volker
------------------------------------------------------------------------
Laude_Volker's Profile: https://forums.netiq.com/member.php?userid=6336
View this thread: https://forums.netiq.com/showthread.php?t=50410


Re: MS ADS Add dest attribute Group Member to current user

Laude Volker wrote:

>
> IDM 3.6.1
>
> I would like to use an auxiliary attribute (Boolean) in the eDirectory
> to add and remove users to an Active Directory Group.
> The auxiliary attribute is in the schema and filter. Once the auxiliary
> Attribute value is set to true, the existing user should be added as
> member to the Group - But it won't work.



Try the following instead.


<rule>
  <description>Add dest attribute Group Member to current user</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-operation mode="regex" op="equal">add|modify</if-operation>
      <if-op-attr mode="nocase" name="auxmycompanyOfflineFolder" op="changing-to">true</if-op-attr>
    </and>
  </conditions>
  <actions>
    <do-add-dest-attr-value class-name="Group" name="Member">
      <arg-dn>
        <token-text xml:space="preserve">cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger</token-text>
      </arg-dn>
      <arg-value type="dn">
        <token-src-dn/>
      </arg-value>
    </do-add-dest-attr-value>
    <do-set-xml-attr expression="../modify[@class-name='Group' and last()]/modify-attr[@attr-name='Member' and last()]/add-value[last()]/value[last()]" name="association-ref">
      <arg-string>
        <token-association/>
      </arg-string>
    </do-set-xml-attr>
  </actions>
</rule>


--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: MS ADS Add dest attribute Group Member to current user


The rule was modified as recommended - The result is the same - No
Errors, no membership

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\Program Files (x86)\Novell\Designer\plugins\com.novell.idm.policybuilder_3.5.0.200909160331\DTD\dirxmlscript3.6.1.dtd">
<policy>
  <rule>
    <description>Add dest attribute Group Member to current user</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-operation mode="regex" op="equal">add|modify</if-operation>
        <if-op-attr mode="nocase" name="auxbrenntagOfflineFolder" op="changing-to">true</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-add-dest-attr-value class-name="Group" name="Member">
        <arg-dn>
          <token-text xml:space="preserve">cn=schnulli,OU=Groups,OU=DE,OU=Brenntag,DC=brenntag,DC=ger</token-text>
        </arg-dn>
        <arg-value type="dn">
          <token-src-dn/>
        </arg-value>
      </do-add-dest-attr-value>
      <do-set-xml-attr expression="../modify[@class-name='Group' and last()]/modify-attr[@attr-name='Member' and last()]/add-value[last()]/value[last()]" name="association-ref">
        <arg-string>
          <token-association/>
        </arg-string>
      </do-set-xml-attr>
    </actions>
  </rule>
</policy>

L3 trace:
[04/01/14 13:59:26.844]:MSAD-DE ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20140401115926.835Z" class-name="User"
event-id="idm-mh-brm02#20140401115926#3#1"
qualified-src-dn="O=mycompany\OU=DE\CN=me_Test"
src-dn="\mycompany-TREE\mycompany\DE\me_Test" src-entry-id="60271"
timestamp="1396353566#2">
<association
state="associated">87a070d8719e8b4fa505dd5a05149e9d</association>
<modify-attr attr-name="auxmycompanyOfflineFolder">
<remove-value>
<value timestamp="1396353506#2" type="state">false</value>
</remove-value>
<add-value>
<value timestamp="1396353566#2" type="state">true</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[04/01/14 13:59:26.846]:MSAD-DE ST:No event transformation policies.
[04/01/14 13:59:26.846]:MSAD-DE ST:Subscriber processing modify for
\mycompany-TREE\mycompany\DE\me_Test.
[04/01/14 13:59:26.847]:MSAD-DE ST:Applying command transformation
policies.
[04/01/14 13:59:26.847]:MSAD-DE ST:Applying policy:
%+C%14Csub-ctp-group-assignment-OfflineDrive%-C.
[04/01/14 13:59:26.847]:MSAD-DE ST: Applying to modify #1.
[04/01/14 13:59:26.847]:MSAD-DE ST: Evaluating selection criteria for
rule 'Add dest attribute Group Member to current user'.
[04/01/14 13:59:26.848]:MSAD-DE ST: (if-class-name equal "User") =
TRUE.
[04/01/14 13:59:26.848]:MSAD-DE ST: (if-operation match
"add|modify") = TRUE.
[04/01/14 13:59:26.848]:MSAD-DE ST: (if-op-attr
'auxmycompanyOfflineFolder' changing-to "true") = TRUE.
[04/01/14 13:59:26.848]:MSAD-DE ST: Rule selected.
[04/01/14 13:59:26.848]:MSAD-DE ST: Applying rule 'Add dest attribute
Group Member to current user'.
[04/01/14 13:59:26.849]:MSAD-DE ST: Action:
do-add-dest-attr-value("Member",class-name="Group",arg-dn("cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger"),token-src-dn()).
[04/01/14 13:59:26.849]:MSAD-DE ST:
arg-dn("cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger")
[04/01/14 13:59:26.849]:MSAD-DE ST:
token-text("cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger")
[04/01/14 13:59:26.850]:MSAD-DE ST: Arg Value:
"cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger".
[04/01/14 13:59:26.850]:MSAD-DE ST: arg-string(token-src-dn())
[04/01/14 13:59:26.850]:MSAD-DE ST: token-src-dn()
[04/01/14 13:59:26.850]:MSAD-DE ST: Token Value:
"\mycompany-TREE\mycompany\DE\me_Test".
[04/01/14 13:59:26.851]:MSAD-DE ST: Arg Value:
"\mycompany-TREE\mycompany\DE\me_Test".
[04/01/14 13:59:26.851]:MSAD-DE ST: Action:
do-set-xml-attr("association-ref","../modify[@class-name='Group' and
last()]/modify-attr[@attr-name='Member' and
last()]/add-value[last()]/value[last()]",token-association()).
[04/01/14 13:59:26.851]:MSAD-DE ST:
arg-string(token-association())
[04/01/14 13:59:26.851]:MSAD-DE ST: token-association()
[04/01/14 13:59:26.852]:MSAD-DE ST: Token Value:
"87a070d8719e8b4fa505dd5a05149e9d".
[04/01/14 13:59:26.852]:MSAD-DE ST: Arg Value:
"87a070d8719e8b4fa505dd5a05149e9d".
[04/01/14 13:59:26.852]:MSAD-DE ST:Policy returned:
[04/01/14 13:59:26.852]:MSAD-DE ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20140401115926.835Z" class-name="User"
event-id="idm-mh-brm02#20140401115926#3#1"
qualified-src-dn="O=mycompany\OU=DE\CN=me_Test"
src-dn="\mycompany-TREE\mycompany\DE\me_Test" src-entry-id="60271"
timestamp="1396353566#2">
<association
state="associated">87a070d8719e8b4fa505dd5a05149e9d</association>
<modify-attr attr-name="auxmycompanyOfflineFolder">
<remove-value>
<value timestamp="1396353506#2" type="state">false</value>
</remove-value>
<add-value>
<value timestamp="1396353566#2" type="state">true</value>
</add-value>
</modify-attr>
</modify>
<modify class-name="Group"
dest-dn="cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger"
event-id="idm-mh-brm02#20140401115926#3#1">
<modify-attr attr-name="Member">
<add-value>
<value association-ref="87a070d8719e8b4fa505dd5a05149e9d"
type="dn">\mycompany-TREE\mycompany\DE\me_Test</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>


--
Laude_Volker

Re: MS ADS Add dest attribute Group Member to current user

Laude Volker <Laude_Volker@no-mx.forums.netiq.com> wrote:
> The rule was modified as recommended - The result is the same - No
> Errors, no membership


What does the remote loader level 3 trace show? The event looks right now.


Re: MS ADS Add dest attribute Group Member to current user


Since the policy was moved down in the command transformation - The
policy is able to add the user to the AD Group!!
Now I tried to adapt the policy, to remove the user from AD Group when
the auxiliary attribute (Boolean) in the eDirectory is "false"
But that won't work.
Any ideas?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\Program Files (x86)\Novell\Designer\plugins\com.novell.idm.policybuilder_3.5.0.200909160331\DTD\dirxmlscript3.6.1.dtd">
<policy>
  <rule>
    <description>Delete dest attribute Group Member from current user</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-operation mode="regex" op="equal">modify|delete</if-operation>
        <if-op-attr mode="nocase" name="auxmycompanyOfflineFolder" op="changing-to">false</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-remove-dest-attr-value class-name="Group" name="Member">
        <arg-value type="dn">
          <token-src-dn/>
        </arg-value>
      </do-remove-dest-attr-value>
      <do-set-xml-attr expression="../modify[@class-name='Group' and last()]/modify-attr[@attr-name='Member' and last()]/add-value[last()]/value[last()]" name="association-ref">
        <arg-string>
          <token-association/>
        </arg-string>
      </do-set-xml-attr>
    </actions>
  </rule>
</policy>

L3 Trace:

<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20140402074107.322Z" class-name="User"
event-id="idm-mh-brm02#20140402074107#3#1"
qualified-src-dn="O=mycompany\OU=DE\CN=me_Test"
src-dn="\mycompany-TREE\mycompany\DE\me_Test" src-entry-id="60271"
timestamp="1396424467#2">
<association
state="associated">87a070d8719e8b4fa505dd5a05149e9d</association>
<modify-attr attr-name="auxmycompanyOfflineFolder">
<remove-value>
<value timestamp="1396424458#2" type="state">true</value>
</remove-value>
<add-value>
<value timestamp="1396424467#2" type="state">false</value>
</add-value>
</modify-attr>
</modify>
<move class-name="User" event-id="idm-mh-brm02#20140402074107#3#1"
qualified-src-dn="O=mycompany\OU=DE\CN=me_Test"
src-dn="\mycompany-TREE\mycompany\DE\me_Test" src-entry-id="60271">
<association>87a070d8719e8b4fa505dd5a05149e9d</association>
<parent
dest-dn="OU=Users,OU=IT,OU=MH,OU=DE,OU=mycompany,DC=mycompany,DC=ger"/>
</move>
</input>
</nds>
[04/02/14 09:41:07.583]:MSAD-DE ST:Applying policy:
%+C%14Csub-ctp-group-unassignment-OfflineDrive%-C.
[04/02/14 09:41:07.583]:MSAD-DE ST: Applying to modify #1.
[04/02/14 09:41:07.583]:MSAD-DE ST: Evaluating selection criteria for
rule 'Delete dest attribute Group Member from current user'.
[04/02/14 09:41:07.584]:MSAD-DE ST: (if-class-name equal "User") =
TRUE.
[04/02/14 09:41:07.584]:MSAD-DE ST: (if-operation match
"modify|delete") = TRUE.
[04/02/14 09:41:07.584]:MSAD-DE ST: (if-op-attr
'auxmycompanyOfflineFolder' changing-to "false") = TRUE.
[04/02/14 09:41:07.584]:MSAD-DE ST: Rule selected.
[04/02/14 09:41:07.584]:MSAD-DE ST: Applying rule 'Delete dest
attribute Group Member from current user'.
[04/02/14 09:41:07.585]:MSAD-DE ST: Action:
do-remove-dest-attr-value("Member",class-name="Group",token-src-dn()).
[04/02/14 09:41:07.585]:MSAD-DE ST: arg-string(token-src-dn())
[04/02/14 09:41:07.585]:MSAD-DE ST: token-src-dn()
[04/02/14 09:41:07.585]:MSAD-DE ST: Token Value:
"\mycompany-TREE\mycompany\DE\me_Test".
[04/02/14 09:41:07.585]:MSAD-DE ST: Arg Value:
"\mycompany-TREE\mycompany\DE\me_Test".
[04/02/14 09:41:07.586]:MSAD-DE ST: Action:
do-set-xml-attr("association-ref","../modify[@class-name='Group' and
last()]/modify-attr[@attr-name='Member' and
last()]/add-value[last()]/value[last()]",token-association()).
[04/02/14 09:41:07.586]:MSAD-DE ST:
arg-string(token-association())
[04/02/14 09:41:07.586]:MSAD-DE ST: token-association()
[04/02/14 09:41:07.587]:MSAD-DE ST: Token Value:
"87a070d8719e8b4fa505dd5a05149e9d".
[04/02/14 09:41:07.587]:MSAD-DE ST: Arg Value:
"87a070d8719e8b4fa505dd5a05149e9d".
[04/02/14 09:41:07.587]:MSAD-DE ST: Applying to move #2.
[04/02/14 09:41:07.587]:MSAD-DE ST: Evaluating selection criteria for
rule 'Delete dest attribute Group Member from current user'.
[04/02/14 09:41:07.588]:MSAD-DE ST: (if-class-name equal "User") =
TRUE.
[04/02/14 09:41:07.588]:MSAD-DE ST: (if-operation match
"modify|delete") = FALSE.
[04/02/14 09:41:07.588]:MSAD-DE ST: Rule rejected.
[04/02/14 09:41:07.588]:MSAD-DE ST:Policy returned:
[04/02/14 09:41:07.588]:MSAD-DE ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20140402074107.322Z" class-name="User"
event-id="idm-mh-brm02#20140402074107#3#1"
qualified-src-dn="O=mycompany\OU=DE\CN=me_Test"
src-dn="\mycompany-TREE\mycompany\DE\me_Test" src-entry-id="60271"
timestamp="1396424467#2">
<association
state="associated">87a070d8719e8b4fa505dd5a05149e9d</association>
<modify-attr attr-name="auxmycompanyOfflineFolder">
<remove-value>
<value timestamp="1396424458#2" type="state">true</value>
</remove-value>
<add-value>
<value timestamp="1396424467#2" type="state">false</value>
</add-value>
</modify-attr>
<modify-attr attr-name="Member">
<remove-value>
<value type="dn">\mycompany-TREE\mycompany\DE\me_Test</value>
</remove-value>
</modify-attr>
</modify>
<move class-name="User" event-id="idm-mh-brm02#20140402074107#3#1"
qualified-src-dn="O=mycompany\OU=DE\CN=me_Test"
src-dn="\mycompany-TREE\mycompany\DE\me_Test" src-entry-id="60271">
<association>87a070d8719e8b4fa505dd5a05149e9d</association>
<parent
dest-dn="OU=Users,OU=IT,OU=MH,OU=DE,OU=mycompany,DC=mycompany,DC=ger"/>
</move>
</input>
</nds>


--
Laude_Volker

Re: MS ADS Add dest attribute Group Member to current user

Laude Volker wrote:

> Since the policy was moved down in the command transformation - The
> policy is able to add the user to the AD Group!!
> Now I tried to adapt the policy, to remove the user from AD Group when
> the auxiliary attribute (Boolean) in the eDirectory is "false"
> But that won't work.
> Any ideas?


There are several problems with your policy.

1. You specified "current-object" as the target of the remove destination attribute. You need to specify a group object in the destination system (or an association).
2. The set xml attribute XPath is slightly different for a remove.
3. Your conditions are not correct. It's useless to trigger on delete as well as modify. In the current IDM version, a delete event does not contain any attributes to trigger off (this has been raised as an enhancement request).

I've rewritten your code to handle add/remove in one rule.

<rule>
  <description>Add/Remove dest attribute Group Member for current user</description>
  <comment xml:space="preserve">Add or remove (based on boolean attribute)</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-operation mode="nocase" op="equal">modify</if-operation>
      <if-op-attr mode="regex" name="auxmycompanyOfflineFolder" op="changing-to">.+</if-op-attr>
    </and>
  </conditions>
  <actions>
    <do-if>
      <arg-conditions>
        <and>
          <if-op-attr mode="nocase" name="auxmycompanyOfflineFolder" op="equal">TRUE</if-op-attr>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-add-dest-attr-value class-name="Group" name="Member" when="after">
          <arg-dn>
            <token-text xml:space="preserve">cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger</token-text>
          </arg-dn>
          <arg-value type="dn">
            <token-src-dn/>
          </arg-value>
        </do-add-dest-attr-value>
        <do-set-xml-attr expression="../modify[@class-name='Group' and last()]/modify-attr[@attr-name='Member' and last()]/add-value[last()]/value[last()]" name="association-ref">
          <arg-string>
            <token-association/>
          </arg-string>
        </do-set-xml-attr>
      </arg-actions>
      <arg-actions>
        <do-if>
          <arg-conditions>
            <and>
              <if-op-attr mode="nocase" name="auxmycompanyOfflineFolder" op="equal">FALSE</if-op-attr>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-remove-dest-attr-value class-name="Group" name="Member" when="after">
              <arg-dn>
                <token-text xml:space="preserve">cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger</token-text>
              </arg-dn>
              <arg-value type="dn">
                <token-src-dn/>
              </arg-value>
            </do-remove-dest-attr-value>
            <do-set-xml-attr expression="../modify[@class-name='Group' and last()]/modify-attr[@attr-name='Member' and last()]/remove-value[last()]/value[last()]" name="association-ref">
              <arg-string>
                <token-association/>
              </arg-string>
            </do-set-xml-attr>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
    </do-if>
  </actions>
</rule>



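The three problems listed in the reply above can be checked mechanically before a policy is deployed, which matters because a remove that lands on the wrong object raises no error and leaves the user in the AD group. The following is an added example, not part of the original posts and not NetIQ tooling: a small Python lint over DirXML Script, where `lint_policy`, the finding labels and the `BROKEN`/`FIXED` samples (constructed from the rules posted in this thread) are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the remove rule from the earlier post, DOCTYPE omitted.
BROKEN = """<policy><rule>
 <description>Delete dest attribute Group Member from current user</description>
 <conditions><and>
  <if-class-name mode="nocase" op="equal">User</if-class-name>
  <if-operation mode="regex" op="equal">modify|delete</if-operation>
  <if-op-attr mode="nocase" name="auxmycompanyOfflineFolder" op="changing-to">false</if-op-attr>
 </and></conditions>
 <actions>
  <do-remove-dest-attr-value class-name="Group" name="Member">
   <arg-value type="dn"><token-src-dn/></arg-value>
  </do-remove-dest-attr-value>
  <do-set-xml-attr expression="../modify[@class-name='Group' and last()]/modify-attr[@attr-name='Member' and last()]/add-value[last()]/value[last()]" name="association-ref">
   <arg-string><token-association/></arg-string>
  </do-set-xml-attr>
 </actions>
</rule></policy>"""

# Constructed sample: the same rule with the three corrections from the reply applied.
GROUP_DN = "cn=test,OU=Groups,OU=DE,OU=mycompany,DC=mycompany,DC=ger"
FIXED = (BROKEN
         .replace("modify|delete", "modify")
         .replace('<arg-value type="dn">',
                  "<arg-dn><token-text>" + GROUP_DN + "</token-text></arg-dn>"
                  '<arg-value type="dn">')
         .replace("/add-value[", "/remove-value["))

# Element that each action emits under <modify-attr> in the command document.
EMITS = {"do-add-dest-attr-value": "add-value",
         "do-remove-dest-attr-value": "remove-value"}


def lint_rule(rule):
    findings = []
    cond = rule.find("conditions")
    if cond is not None and cond.find(".//if-op-attr") is not None:
        # Point 3: a delete event carries no attributes, so an if-op-attr
        # test combined with a delete operation can never match.
        for op in cond.iter("if-operation"):
            if op.get("op") == "equal" and "delete" in (op.text or "").split("|"):
                findings.append("delete-with-op-attr")
    expected = None
    for el in rule.iter():  # document order, so each XPath follows its action
        if el.tag in EMITS:
            expected = EMITS[el.tag]
            # Point 1: class-name names another object class, but without
            # arg-dn or arg-association the change goes to the current object.
            if (el.get("class-name") and el.find("arg-dn") is None
                    and el.find("arg-association") is None):
                findings.append("no-target:" + el.tag)
        elif (el.tag == "do-set-xml-attr" and expected
              and el.get("name") == "association-ref"):
            # Point 2: the XPath must select the element the action emitted.
            xpath = el.get("expression", "")
            if not re.search("/" + expected + r"(\[|/|$)", xpath):
                findings.append("xpath-mismatch:expected " + expected)
    return findings


def lint_policy(xml_text):
    root = ET.fromstring(xml_text)
    return [f for rule in root.iter("rule") for f in lint_rule(rule)]


if __name__ == "__main__":
    print("broken:", lint_policy(BROKEN))
    print("fixed: ", lint_policy(FIXED))
```

The first finding type corresponds to what the poster's trace shows: the `Member` remove-value was attached to the User modify rather than to a separate Group modify.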

Re: MS ADS Add dest attribute Group Member to current user


That works fine - Problem solved - Many thanks !!


--
Laude_Volker

Re: MS ADS Add dest attribute Group Member to current user


Now it works - After changing the sequence inside the command
transfer policies, it works like a charm.
Thanks Alex for great help.


--
Laude_Volker