By: Hao Bin Kwan Account Admin 27 Feb 2017 at 9:22 p.m. CST

3 Responses
Hi support, I want to get the names of the groups to which users belong in OpenLDAP, e.g. SupportNetwork and eLearning. I managed to do so with an LDAP query similar to the following:

```
ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(&(cn=*)(memberUid=skimeer))" dn
```

However, I would like to know if I can have a MemberOf attribute in Gluu to map to the membership group of OpenLDAP for each user imported via cache refresh. How can I do this correctly? Thanks in advance!

By Aliaksandr Samuseu staff 28 Feb 2017 at 3:41 p.m. CST

Hi, Hao. Not really sure I understand why you would need to do that. Maybe you could provide some details on what your final goal is? From a glimpse at setups at other institutions which try to employ group membership from the backend in some way, it's usually done by utilizing some kind of mapping in a custom CR script, like **"if substr(GroupDN1) ~= 'OU=Students' then epa='Students'"**, where `epa` is then used to assign value(s) to the `eduPersonAffiliation` attribute, or maybe to some custom attribute. So they don't copy the DNs of groups as is. But if you need it this way, you could try to set a simple mapping for CR like `group_attribute_at_backend -> memberof`. (Not sure what `group_attribute_at_backend` is in your case; you may need to provide a dump of a full user entry from the backend.)

By Hao Bin Kwan Account Admin 01 Mar 2017 at 3:04 a.m. CST

Hi Aliaksandr, Thanks for the quick response! What I meant: currently we have an (external) **openldap** to store users, and each user is assigned to a different group (it can also be a common group). Refer to this screenshot:

![ldap membership](https://s3.postimg.org/r3t5pdntv/membership.jpg "ldap membership")

In the screenshot above, user **testkwan2** is assigned to the **SupportNetwork** group, which has the DN "cn=SupportNetwork,ou=AllGroups,ou=AllUsers,dc=example,dc=com". So what we wanted to do is retrieve this group name "SupportNetwork" (could be multiple groups) from its respective OpenLDAP properties, and assign it to every user imported from CR into Gluu. If this could be done with a custom CR script, can you please help me in getting the right code to retrieve the group name from OpenLDAP? The default CR script is as follows:

```
from org.xdi.model.custom.script.type.user import CacheRefreshType
from org.xdi.util import StringHelper, ArrayHelper
from java.util import Arrays, ArrayList
from org.gluu.oxtrust.model import GluuCustomAttribute

import java

class CacheRefresh(CacheRefreshType):
    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis

    def init(self, configurationAttributes):
        print "Cache refresh. Initialization"
        print "Cache refresh. Initialized successfully"
        return True

    def destroy(self, configurationAttributes):
        print "Cache refresh. Destroy"
        print "Cache refresh. Destroyed successfully"
        return True

    # Update user entry before persist it
    # user is org.gluu.oxtrust.model.GluuCustomPerson
    # configurationAttributes is java.util.Map<String, SimpleCustomProperty>
    def updateUser(self, user, configurationAttributes):
        print "Cache refresh. UpdateUser method"

        attributes = user.getCustomAttributes()

        # Add new attribute preferredLanguage
        attrPrefferedLanguage = GluuCustomAttribute("preferredLanguage", "en-us")
        attributes.add(attrPrefferedLanguage)

        # Add new attribute userPassword
        attrUserPassword = GluuCustomAttribute("userPassword", "test")
        attributes.add(attrUserPassword)

        # Update givenName attribute
        for attribute in attributes:
            attrName = attribute.getName()
            if (("givenname" == StringHelper.toLowerCase(attrName)) and StringHelper.isNotEmpty(attribute.getValue())):
                attribute.setValue(StringHelper.removeMultipleSpaces(attribute.getValue()) + " (updated)")

        return True

    def getApiVersion(self):
        return 1
```

By Aliaksandr Samuseu staff 01 Mar 2017 at 5:26 a.m. CST

Whether it can be done easily depends on the composition of user entries in your backend (that's why I asked you to provide a full dump of one of them). CR requests a specified set of attributes for each user entry in the backend and processes them one at a time. So ideally this set of attributes must provide all required data by itself, without the need to do any additional LDAP requests. If all those user entries have some attribute back-referencing the groups they are members of, like, by the groups' DNs, then you can use the approach I mentioned and either directly map this attribute to `memberof` inside Gluu, or do more complex processing in the script.
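
The "more complex processing" option from the reply above, sketched as an added example that is not part of the thread or of Gluu's own code: plain Python helpers that turn group DNs into group names. It assumes the backend exposes the group DNs on each user entry; `split_dn`, `group_names`, `SAMPLE` and `BASE` are hypothetical names, and the sample DNs are constructed from the one quoted in the thread.

```python
import re

# RFC 4514 escape: backslash + two hex digits, or backslash + one literal char.
_ESCAPE = re.compile(r'\\([0-9A-Fa-f]{2}|.)')

def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas only."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])          # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ',':
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append(''.join(cur).strip())
    return parts

def _norm(rdn):
    """Case- and whitespace-insensitive form of one RDN, for comparison."""
    attr, _, value = rdn.partition('=')
    return attr.strip().lower() + '=' + value.strip().lower()

def _unescape(value):
    # Hex pairs are decoded one byte at a time (multi-byte UTF-8 not reassembled).
    return _ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
        value)

def group_names(group_dns, groups_base, naming_attr='cn'):
    """Sorted, de-duplicated names of groups located directly under groups_base."""
    base = [_norm(r) for r in split_dn(groups_base)]
    names = set()
    for dn in group_dns:
        rdns = split_dn(dn)
        if [_norm(r) for r in rdns[1:]] != base:
            continue                          # not in the expected groups container
        attr, sep, value = rdns[0].partition('=')
        if sep and attr.strip().lower() == naming_attr and value.strip():
            names.add(_unescape(value.strip()))
    return sorted(names)

# Constructed sample values modelled on the DN quoted in the thread.
BASE = 'ou=AllGroups,ou=AllUsers,dc=example,dc=com'
SAMPLE = ['cn=SupportNetwork,' + BASE,
          'CN=eLearning, OU=AllGroups, OU=AllUsers, DC=example, DC=com',
          'cn=Ops\\, EU,' + BASE,
          'cn=Admins,ou=Other,dc=example,dc=com']
```

Restricting the result to DNs under one known container keeps a stray or unexpected DN value from becoming a group name that downstream authorization rules might trust.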