Active Directory group memberships (memberOf) not imported into OpenIAM groups

Hello,

I am currently evaluating OpenIAM 4.2.x with an Active Directory PowerShell managed system.

What works:

  • Users are imported successfully.

  • Groups are imported successfully.

  • Group attributes such as sAMAccountName and DistinguishedName are imported correctly.

  • User attributes such as GivenName, Surname, DisplayName, UserPrincipalName etc. are processed correctly.

  • The user synchronization job completes successfully.

What does not work:

  • AD group memberships are not imported.

  • No user-to-group relationships are created in OpenIAM (USER_GRP remains empty).

Configuration:

  • User policy: USER_POLICY_win02

  • Group policy: GROUP_POLICY_win02

  • memberOf is configured and active in the user policy.

  • User synchronization uses:

    • ADPowerShellAttributes.groovy

    • ADPowerShellTransformation.groovy

  • memberOf is included in the configured source attributes.

  • AD users have valid memberOf values.

  • Imported groups contain the correct DistinguishedName values matching the values returned by AD.

Question:
Is there any additional configuration required in OpenIAM to enable automatic processing of Active Directory memberOf relationships into OpenIAM group memberships?

Are there specific reconciliation settings, managed system settings, or membership mappings that must be configured beyond enabling the memberOf attribute in the user policy?

Any guidance or example configurations for AD group membership synchronization would be greatly appreciated.

Thank you.

Hello @Luca,

Your existing ADPowerShellTransformation.groovy script is mostly correct, but I would recommend using the out-of-the-box script TransformActiveDirRecord.

Option 1 — Switch to the OOTB script (TransformActiveDirRecord.groovy)

This is the simpler path. Attach the provided script to your managed system and configure it.

Option 2 — Patch your existing script

Keep your current ADPowerShellTransformation.groovy as-is and replace only the memberOf block with the following:

// Read the AD memberOf attribute from the incoming synchronization record.
// Each value is a group DN; it is matched against the DistinguishedName
// attribute of groups that already exist in OpenIAM (created by the group sync).
def memberOfAttr = columnMap.get("memberOf")

if (memberOfAttr) {
    // Single-valued case: the user belongs to exactly one group
    String singleDN = memberOfAttr.getValue()
    if (singleDN) {
        addUserGroupByAttribute(pUser, "DistinguishedName", singleDN, CERTIFIED_RIGHT_SET, null, null, null)
    }

    // Multi-valued case: one DN per group membership
    List<String> dnList = memberOfAttr.getValueList()
    if (dnList) {
        dnList.each { dn ->
            addUserGroupByAttribute(pUser, "DistinguishedName", dn, CERTIFIED_RIGHT_SET, null, null, null)
        }
    }
}

// Keep your existing group removal block below unchanged

Additionally, please verify the following before re-running the sync:

1. Group sync must run BEFORE user sync — addUserGroupByAttribute looks up already-imported groups by DistinguishedName

2. Imported AD groups must have metadata type set to AD_GROUP in OpenIAM

3. The DistinguishedName values stored on the OpenIAM group objects must match exactly (case and format) what AD returns in memberOf

One more thing worth clarifying: **the policy map is not relevant here.** Policy maps are used for outbound provisioning — i.e., when OpenIAM pushes changes *to* a target system. For inbound sync (importing users and group memberships *from* AD into OpenIAM), everything is handled by the transformation script in the synchronization.

TransformActiveDirRecord.groovy (10.2 KB)

Let us know if you need further assistance.

Hello Ameet,

Thank you again for your assistance.

I performed some additional testing based on your suggestions and would like to share an observation that may help narrow down the issue.

For context:

  • OpenIAM version: 4.2.1.13

  • Connector: AD PowerShell Connector

  • Test environment connected directly to Active Directory using an AD Administrator account (lab/test environment)

  • We followed the official OpenIAM video guide for the AD PowerShell connector setup:
    https://www.youtube.com/watch?v=nBGdmpEOOno&list=PLLJky1wNOG3PgU5oxQozVjHeUgLM7kH2W&index=2

  • No custom synchronization scripts have been implemented so far.

  • We are using the out-of-the-box synchronization configuration and scripts.

Current configuration:

User synchronization:

  • Validation Rule: ADPowerShellValidation.groovy

  • Transformation Rule: TransformActiveDirRecord.groovy

  • Source Attributes Script: ADPowerShellAttributes.groovy

Group synchronization:

  • Standard OpenIAM group synchronization configuration

I have attached screenshots of the synchronization jobs, managed system configuration, and related settings for reference.

What I noticed:

The ADPowerShellAttributes.groovy script explicitly requests the following attributes:

return [
    "SamAccountName",
    "DisplayName",
    "EmailAddress",
    "memberOf",
    "GivenName",
    "Name",
    "Surname",
    "UserPrincipalName"
]

However, when reviewing the synchronization audit logs, the imported record only contains:

{
  "SamAccountName": "...",
  "GivenName": "...",
  "Name": "...",
  "Surname": "...",
  "UserPrincipalName": "..."
}

The following requested attributes are completely missing from the columnMap:

  • DisplayName

  • EmailAddress

  • memberOf

Example audit excerpt:

"columnMap": {
  "SamAccountName": {...},
  "GivenName": {...},
  "Name": {...},
  "Surname": {...},
  "UserPrincipalName": {...}
}

Since memberOf never appears in the synchronization record, it seems that TransformActiveDirRecord.groovy never receives any group membership information to process.

This made me wonder whether the issue may actually occur before the transformation script is executed.

At the moment it appears that the synchronization process never receives memberOf at all, which would explain why no USER_GRP relationships are created.

Any guidance would be greatly appreciated.

Thank you for your help.
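Editor's note, added to this thread and not part of either participant's posts: the five attributes that did arrive in the audit record (SamAccountName, GivenName, Name, Surname, UserPrincipalName) are all members of the default property set that Get-ADUser returns when no -Properties parameter is given, while the three that are missing (DisplayName, EmailAddress, memberOf) are not in that set and are only returned when requested explicitly. Whether the connector forwards the names from ADPowerShellAttributes.groovy to -Properties is something to confirm on the connector side; the PowerShell below, run directly against the test domain with the RSAT ActiveDirectory module, shows what AD hands back in each case and lists the memberOf DNs a transformation script would have to match against the imported groups. The account name is a placeholder.

```powershell
# Added diagnostic for the symptom discussed above; not an OpenIAM script.
# Assumptions: RSAT ActiveDirectory module installed, domain reachable,
# and a test user (placeholder sAMAccountName below) with at least one group.
Import-Module ActiveDirectory

$sam = 'testuser01'   # placeholder: replace with a real lab account

# The attribute names ADPowerShellAttributes.groovy requests from the connector.
$requested = @('SamAccountName', 'DisplayName', 'EmailAddress', 'memberOf',
               'GivenName', 'Name', 'Surname', 'UserPrincipalName')

# Case 1: plain Get-ADUser returns only the cmdlet's default property set.
$withoutProps = Get-ADUser -Identity $sam
$defaultNames = $withoutProps.PropertyNames

# Case 2: the same query with -Properties returns every requested attribute.
$withProps = Get-ADUser -Identity $sam -Properties $requested
$fullNames = $withProps.PropertyNames

# Which requested names are absent in each case (comparison is case-insensitive).
$absentByDefault = $requested | Where-Object { $_ -notin $defaultNames }
$absentWithProps = $requested | Where-Object { $_ -notin $fullNames }

"Requested but absent without -Properties: $($absentByDefault -join ', ')"
"Requested but absent with -Properties:    $($absentWithProps -join ', ')"

# The raw memberOf values are group DNs. List them next to the group's
# sAMAccountName so they can be compared, character for character, with the
# DistinguishedName stored on the corresponding OpenIAM group objects.
$withProps.memberOf | ForEach-Object {
    $grp = Get-ADGroup -Identity $_
    [pscustomobject]@{
        MemberOfDN     = $_
        GroupSamAccount = $grp.SamAccountName
        GroupScope      = $grp.GroupScope
    }
} | Format-Table -AutoSize
```

If the first line reports DisplayName, EmailAddress and memberOf as absent and the second line reports nothing absent, the domain itself is returning the data on request, and the investigation narrows to how the connector builds its Get-ADUser call from the source attribute list.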