I have a very specific question and was not able to find anything related to this question online, so I would be very happy to see if someone has tried the same or if someone can help me with this.
We are using 389 Directory Server combined with Azure Active Directory. The user data is stored in 389 DS and synced to Azure using Azure AD Connect. We have set up this synchronization by using the Azure AD Connect wizard to set up synchronization between Azure and Windows Server AD and then altering the configuration to make it work for 389 DS (as suggested by this blog post). This was done by adding a Generic LDAP Connector in Synchronization Service Manager and adding the necessary rules in Synchronization Rules Editor for 389 DS. This actually works really well, better than expected, with the exception that we can't get group synchronization to work.
Groups in 389 DS use the uniqueMember attribute as defined in RFC 4519 which does not use the DN/Reference syntax. To synchronize this attribute with the member attribute in the Connect Metaverse I have tried the following transformations:
- [uniqueMember] (i.e. the direct transformation)
- CRef([uniqueMember])
- CRef(Split(Join([uniqueMember], ";"), ";"))
- Item(CRef([uniqueMember]),1)
But I always get the following or a related error:
```
Attribute type - value mismatch. Received a string or binary multi-value, expected Reference value. Property name = member
   at Microsoft.MetadirectoryServices.SyncRulesEngine.AttributeFlowModule.ConvertBackAsValueAdds(Value sourceValue, EntryPropertyDefinition targetPropertyDefinition)
   at Microsoft.MetadirectoryServices.SyncRulesEngine.AttributeFlowModule.GetEntryPropertyModificationForExpressionFlow(AttributeFlowMapping attributeFlowMapping, IEntryModification sourceObject, IEntryModification targetObject, SynchronizationRule rule)
   at Microsoft.MetadirectoryServices.SyncRulesEngine.AttributeFlowModule.PerformAttributeFlowMappingFlow(IEnumerable`1 annotatedAttributeFlowMappings, IEntryModification targetObject)
   at Microsoft.MetadirectoryServices.SyncRulesEngine.AttributeFlowModule.PerformSyncRuleAttributeFlows(IEntryModification sourceObject, IEntryModification targetObject, SynchronizationRule synchronizationRule, Boolean applyExecuteOnceMappings)
   at Microsoft.MetadirectoryServices.SyncRulesEngine.JoinModule.PiggyBackSyncRuleOnExistingLinks(SynchronizationRule syncRule, SyncRulePipelineArguments pipelineArguments, AttributeFlowModule attributeFlowModule)
   at Microsoft.MetadirectoryServices.SyncRulesEngine.JoinModule.Execute(PipelineArguments argsToProcess)
   at Microsoft.MetadirectoryServices.SyncRulesEngine.Server.SyncEngine.RunSyncPipeline(SyncRulePipelineArguments pipelineData, List`1 pipelineChain)
   at Microsoft.MetadirectoryServices.SyncRulesEngine.Server.SyncEngine.Synchronize(SynchronizationOperation operation, IObjectLinkGraph inputGraph, Boolean preview)
   at ManagedSyncRulesEngine.Synchronize(ManagedSyncRulesEngine* , CCsObject* sourceCsObject, CMvObject* mvObject, SynchronizationOperation operation, Char** error)
InnerException=>
none
Native call stack:
```
Using a transformation with the Error function I was able to confirm that the result is actually a multi-value reference type, which I guess is how it should be. However, it doesn't work.
Error([uniqueMember]) results in:
```
InnerException=>
Argument 1 of function Error: expected type Microsoft.IdentityManagement.Synchronization.SyncRuleExpressions.Interpreter.StringValue, passed multivalue(string("uid=APerson,ou=People,dc=esmgquadrivium,dc=nl"), string("uid=AnotherPerson,ou=People,dc=esmgquadrivium,dc=nl"), string("uid=ACat,ou=People,dc=esmgquadrivium,dc=nl")).
```
Error(CRef([uniqueMember])) results in:
```
InnerException=>
Argument 1 of function Error: expected type Microsoft.IdentityManagement.Synchronization.SyncRuleExpressions.Interpreter.StringValue, passed multivalue(reference(uid=Dog,ou=People,dc=esmgquadrivium,dc=nl), reference(uid=Fish,ou=People,dc=esmgquadrivium,dc=nl), reference(uid=Plant,ou=People,dc=esmgquadrivium,dc=nl)).
```
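As an added preflight check (example code, not part of the question and not Azure AD Connect or 389 DS code), the following Python validates a group's uniqueMember values before attempting a reference flow: it strips the optional `#'…'B` UID suffix that the Name and Optional UID syntax behind uniqueMember permits, normalises each DN (unescaped commas split RDNs, matching is case-insensitive) and verifies the referenced entry is among the imported People DNs, since a reference can only resolve to an object the connector has in scope. The People DNs are taken from the question; the `Ghost` entry and the bare string are constructed to show the two failure cases.

```python
import re

# Constructed sample: DNs present in the People subtree (from the question)
# and a group's uniqueMember values, including two deliberately bad ones.
KNOWN_PEOPLE_DNS = [
    "uid=APerson,ou=People,dc=esmgquadrivium,dc=nl",
    "uid=AnotherPerson,ou=People,dc=esmgquadrivium,dc=nl",
    "uid=Smith\\, John,ou=People,dc=esmgquadrivium,dc=nl",  # escaped comma
]
GROUP_UNIQUE_MEMBERS = [
    "uid=APerson,ou=People,dc=esmgquadrivium,dc=nl",
    "uid=AnotherPerson,ou=People,dc=esmgquadrivium,dc=nl#'0101'B",  # with UID
    "uid=Smith\\, John,ou=People,dc=esmgquadrivium,dc=nl",
    "uid=Ghost,ou=People,dc=esmgquadrivium,dc=nl",  # constructed: no such entry
    "not-a-dn",                                     # constructed: not a DN at all
]

def split_name_and_optional_uid(value):
    """Split an RFC 4517 Name and Optional UID value into (dn, uid_bits)."""
    m = re.search(r"(?<!\\)#'([01]*)'B$", value)
    return (value[:m.start()], m.group(1)) if m else (value, None)

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped or ch == "\\":
            cur.append(ch)
            escaped = not escaped
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def normalize_dn(dn):
    """Lower-case types and values (caseIgnoreMatch simplification) per RDN."""
    rdns = [rdn.partition("=") for rdn in split_rdns(dn)]
    return ",".join(f"{a.strip().lower()}={v.strip().lower()}" for a, _, v in rdns)

def check_unique_members(values, known_dns):
    """Return (resolved: normalized DN -> uid bits, problems: [(value, reason)])."""
    known = {normalize_dn(d) for d in known_dns}
    resolved, problems = {}, []
    for v in values:
        dn, uid = split_name_and_optional_uid(v)
        if "=" not in dn:
            problems.append((v, "not a DN"))
        elif normalize_dn(dn) not in known:
            problems.append((v, "no such entry in the connector space"))
        else:
            resolved[normalize_dn(dn)] = uid
    return resolved, problems
```

Values listed under problems are the ones to repair in 389 DS first; a dangling member cannot be turned into a reference no matter which expression is used.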