Symantec Identity Manager - How to add Active Directory groups (AD groups) via PxPolicy Deep Dive



Article ID: 189955




CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite


After configuring a PxPolicy to assign Active Directory groups (AD groups), the "Assign Active Directory Group" event fails or does not work correctly.

You may see errors similar to:

LDAP: error code 70 - Unable to set Group Membership Attribute: memberOf Reason: Group-Membership modification error

Failed to execute AddToRelationshipEvent. ERROR MESSAGE: JIAMOperationException:javax.naming.NamingException: [LDAP: error code 80 - :ETA_E_0008


Release : 14.X
Component : CA Identity Suite (Virtual Appliance)
Component : CA Identity Manager (Standalone Appliance)


Incorrect configuration of the PxPolicy Action Rule.


Following the documentation can be tricky, as some valuable information is not currently present. The most common problem with the PxPolicy is the declaration of the group itself: most of the time the DN value is configured incorrectly.

Please see the below guide on how to create your DN value appropriately.

Connect to the IM Provisioning Server via LDAP Browser (Jxplorer)
Copy the DN Value of your AD group:
Example: eTADSGroupName=MyTestGroup,eTADSOrgUnitName=Organization3,eTADSOrgUnitName=Organization2,eTADSOrgUnitName=Organization1,eTADSOrgUnitName=Organization,eTADSDirectoryName=MyActiveDirectoryName,eTNamespaceName=ActiveDirectory,dc=im,dc=eta

The next step is to convert this DN value into the form accepted by Identity Manager; a few changes need to be made.

1) Remove the leading 'eT' and trailing 'Name' from each attribute name.
Example: eTADSOrgUnitName=Organization becomes ADSOrgUnit=Organization

2) Rewrite the trailing part of the DN into the proper configuration form: eTADSDirectoryName is renamed to EndPoint, and dc=im,dc=eta becomes Domain=im,Server=Server.
Example: eTADSOrgUnitName=Organization,eTADSDirectoryName=MyActiveDirectoryName,eTNamespaceName=ActiveDirectory,dc=im,dc=eta
Becomes: ADSOrgUnit=Organization,EndPoint=MyActiveDirectoryName,Namespace=ActiveDirectory,Domain=im,Server=Server

Example of a completed DN conversion:
{"memberOf" : "ADSGroup=MyTestGroup,ADSOrgUnit=Organization3,ADSOrgUnit=Organization2,ADSOrgUnit=Organization1,ADSOrgUnit=Organization,EndPoint=MyActiveDirectoryName,Namespace=ActiveDirectory,Domain=im,Server=Server"}
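The conversion above is mechanical and easy to get wrong by hand, so the following is a small script that applies both rules and emits the memberOf action value. This is an added example and not part of the KB article or the product; the attribute names and the dc=im,dc=eta -> Domain=im,Server=Server mapping are taken from the article's example, the literal server name "Server" follows the article and is made a parameter in case your environment differs, and the rejection of attribute names that do not match the eT...Name pattern is an assumption added as a sanity check.

```python
# Added example (not from the KB article): convert a Provisioning Server DN,
# as copied from Jxplorer, into the DN form a PxPolicy memberOf action expects.
import json

# Rule 2 renames: attributes whose rewrite is not the generic eT...Name stripping.
SPECIAL_RDN = {
    "eTADSDirectoryName": "EndPoint",
}


def split_dn(dn: str) -> list:
    """Split an LDAP DN into (attribute, value) pairs on unescaped commas.

    Backslash-escaped commas inside a value (e.g. an OU named 'Sales\\, EMEA')
    are kept as part of the value rather than treated as separators.
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))

    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def convert_attribute(attr: str) -> str:
    """Rule 1/2: eTADSOrgUnitName -> ADSOrgUnit, eTADSDirectoryName -> EndPoint."""
    if attr in SPECIAL_RDN:
        return SPECIAL_RDN[attr]
    if attr.startswith("eT") and attr.endswith("Name") and len(attr) > 6:
        return attr[2:-4]
    # Assumption: anything else is either already converted or not a
    # Provisioning Server attribute, so refuse rather than guess.
    raise ValueError(f"unexpected attribute {attr!r}; expected eT...Name form")


def convert_dn(provisioning_dn: str, server_name: str = "Server") -> str:
    """Return the Identity Manager DN for a Provisioning Server group DN."""
    pairs = split_dn(provisioning_dn)
    dc_values = [v for a, v in pairs if a.lower() == "dc"]
    others = [(a, v) for a, v in pairs if a.lower() != "dc"]
    if not dc_values:
        raise ValueError("DN has no dc= components; is it a Provisioning Server DN?")

    converted = [f"{convert_attribute(a)}={v}" for a, v in others]
    # Rule 2: the first dc component becomes the Domain; the remaining
    # dc components are replaced by the Server entry (dc=im,dc=eta -> Domain=im,Server=Server).
    converted.append(f"Domain={dc_values[0]}")
    converted.append(f"Server={server_name}")
    return ",".join(converted)


def memberof_action(provisioning_dn: str, server_name: str = "Server") -> str:
    """Build the JSON action value to paste into the PxPolicy action rule."""
    return json.dumps({"memberOf": convert_dn(provisioning_dn, server_name)})


if __name__ == "__main__":
    # Constructed sample input: the DN from the article's Jxplorer example.
    sample = (
        "eTADSGroupName=MyTestGroup,eTADSOrgUnitName=Organization3,"
        "eTADSOrgUnitName=Organization2,eTADSOrgUnitName=Organization1,"
        "eTADSOrgUnitName=Organization,eTADSDirectoryName=MyActiveDirectoryName,"
        "eTNamespaceName=ActiveDirectory,dc=im,dc=eta"
    )
    print(memberof_action(sample))
```

Run it with the DN copied from Jxplorer; the output for the article's sample DN is exactly the completed conversion shown above. If the script raises on an attribute name, the DN was most likely copied from the wrong tree or has already been partially converted, which is the misconfiguration the error codes above point to.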

See the Action Item example below: