Apologies for the newbie question, fairly new to LDAP and UnboundID.

I currently have an UnboundID filter that synchronises users who belong to an Active Directory group.

--set include-base-dn:cn=Users,dc=testdomain,dc=net --add "include-filter:(memberOf=CN=Application Access,CN=Users,DC=testdomain,DC=net)"

The behaviour I am seeing is that when I add a user to the group "Application Access", no synchronisation occurs.

However, if I edit the user's AD profile whilst they are a memberOf "Application Access", then the user profile is synchronised.

Is it possible to synchronise users when they join a group?

Thanks in advance.

1 Answer

In Microsoft Active Directory, the MemberOf value is the DN of a Group entry in which the current entry is a member, and is referred to as a Forward Reference.

Microsoft Active Directory MemberOf is a Pseudo Attribute. This implies you cannot monitor the MemberOf attribute for changes (like with DirXML). Within Microsoft Active Directory, MemberOf is flagged as "NO-USER-MODIFICATION" (or System-Only)[1]; this means you can NOT update the attribute. In order to add a user to a group, you have to write the user's DN to the member attribute on the group object.

-jim
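
The behaviour described in the question follows from the answer above. The sketch below is an added example, not part of the original answer and not Active Directory or UnboundID code. It is a simplified model: the `Directory` class, its change counter and both sync functions are hypothetical, and the alice entry is constructed sample data.

```python
# Toy model (constructed): membership is stored on the group, memberOf is computed.
GROUP = "CN=Application Access,CN=Users,DC=testdomain,DC=net"

class Directory:
    def __init__(self):
        self.entries = {}   # dn -> stored attributes
        self.changed = {}   # dn -> change counter at last write
        self.usn = 0

    def write(self, dn, **attrs):
        self.usn += 1
        self.entries.setdefault(dn, {}).update(attrs)
        self.changed[dn] = self.usn

    def add_member(self, group_dn, user_dn):
        # Only the group's `member` attribute is written; the user entry is untouched.
        members = self.entries[group_dn].get("member", [])
        self.write(group_dn, member=members + [user_dn])

    def member_of(self, user_dn):
        # memberOf is derived on read from the groups' member values.
        return [dn for dn, e in self.entries.items() if user_dn in e.get("member", [])]

    def changed_since(self, usn):
        return [dn for dn, n in self.changed.items() if n > usn]

def naive_sync(d, since):
    """Changed entries that match (memberOf=GROUP)."""
    return [dn for dn in d.changed_since(since) if GROUP in d.member_of(dn)]

def group_aware_sync(d, since, known_members):
    """Also diff the group's member list when the group entry itself changed."""
    hits = set(naive_sync(d, since))
    if GROUP in d.changed_since(since):
        hits |= set(d.entries[GROUP].get("member", [])) - set(known_members)
    return sorted(hits)

def demo():
    d = Directory()
    alice = "CN=alice,CN=Users,DC=testdomain,DC=net"
    d.write(GROUP, member=[])
    d.write(alice, mail="alice@testdomain.net")
    mark = d.usn
    d.add_member(GROUP, alice)                  # user joins the group
    joined = (naive_sync(d, mark), group_aware_sync(d, mark, []))
    mark = d.usn
    d.write(alice, telephoneNumber="555-0100")  # user edited while a member
    return joined, naive_sync(d, mark)
```

In this model, joining the group changes only the group entry, so a sync that filters changed user entries on memberOf sees nothing until the user entry itself is edited.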