Active Directory group memberships (memberOf) not imported into OpenIAM groups

Getting Started with OpenIAM
1

Hello,

I am currently evaluating OpenIAM 4.2.x with an Active Directory PowerShell managed system.

What works:

  • Users are imported successfully.

  • Groups are imported successfully.

  • Group attributes such as sAMAccountName and DistinguishedName are imported correctly.

  • User attributes such as GivenName, Surname, DisplayName, UserPrincipalName etc. are processed correctly.

  • The user synchronization job completes successfully.

What does not work:

  • AD group memberships are not imported.

  • No user-to-group relationships are created in OpenIAM (USER_GRP remains empty).

Configuration:

  • User policy: USER_POLICY_win02

  • Group policy: GROUP_POLICY_win02

  • memberOf is configured and active in the user policy.

  • User synchronization uses:

    • ADPowerShellAttributes.groovy

    • ADPowerShellTransformation.groovy

  • memberOf is included in the configured source attributes.

  • AD users have valid memberOf values.

  • Imported groups contain the correct DistinguishedName values matching the values returned by AD.

Question:
Is there any additional configuration required in OpenIAM to enable automatic processing of Active Directory memberOf relationships into OpenIAM group memberships?

Are there specific reconciliation settings, managed system settings, or membership mappings that must be configured beyond enabling the memberOf attribute in the user policy?

Any guidance or example configurations for AD group membership synchronization would be greatly appreciated.

Thank you.

2

Hello @Luca ,

Your existing ADPowerShellTransformation.groovy script is mostly correct, but I would recommend using out of the box script -TransformActiveDirRecord

Option 1 — Switch to the OOTB script (TransformActiveDirRecord.groovy)

This is the simpler path. Attach the provided script to your managed system and configure it.

Option 2 — Patch your existing script )

Keep your current ADPowerShellTransformation.groovy as-is and replace only the memberOf block with the following:

def memberOfAttr = columnMap.get("memberOf")

if (memberOfAttr) {
    String singleDN = memberOfAttr.getValue()
    if (singleDN) {
        addUserGroupByAttribute(pUser, "DistinguishedName", singleDN, CERTIFIED_RIGHT_SET, null, null, null)
    }

    List<String> dnList = memberOfAttr.getValueList()
    if (dnList) {
        dnList.each { dn ->
            addUserGroupByAttribute(pUser, "DistinguishedName", dn, CERTIFIED_RIGHT_SET, null, null, null)
        }
    }
}

// Keep your existing group removal block below unchanged

Additionally, please verify the following before re-running the sync:

1. Group sync must run BEFORE user sync — addUserGroupByAttribute looks up already-imported groups by DistinguishedName

2. Imported AD groups must have metadata type set to AD_GROUP in OpenIAM

3. The DistinguishedName values stored on the OpenIAM group objects must match exactly (case and format) what AD returns in memberOf

One more thing worth clarifying: **the policy map is not relevant here.** Policy maps are used for outbound provisioning — i.e., when OpenIAM pushes changes *to* a target system. For inbound sync (importing users and group memberships *from* AD into OpenIAM), everything is handled by the transformation script in the synchronization.

TransformActiveDirRecord.groovy (10.2 KB)

Let us know if you need further assistance.