Determine driver schema mapping policy with LDAP

How can I determine the dn of a driver schema mapping policy without any available information other than the driver dn? At a quick glance it seems that the information is stored in the policy itself and the driver object.

In the policy itself it is recognizable from XMLdata and DirXML-pkgInitialState attributes but they are of type stream and not suited for ldap substring query. I would have to go through all policies and look for the mapping table from each policy XMLdata.

In a driver object attribute DirXML-Policies the schema mapping policy is included as one value:
cn=NOVLDTXTBASE-smp,cn=drivercn,cn=driverset,o=system#0#0

This seems to be a structured attribute with some added information. Is there something here to tell me it is a schema mapping policy? Any ideas? iManager seems to know which one is a mapping policy and I presume it does something smarter than read them all through.
  • kuronen wrote:

    > Is there something here to tell me it is a schema mapping policy?


    Just look at the two digits after the policy DN: the one is the policy set it
    is linked to and the other the position/order in that set. I do not know the
    key number for schema mapping by heart, but can find out by checking with any
    existing driver yourself. Geoffrey has written an article about this, too: -->
    https://www.netiq.com/communities/cool-solutions/talking-about-dirxml-policies-attributes/

    --
    http://www.is4it.de/en/solution/identity-access-management/

    (If you find this post helpful, please click on the star below.)
  • #0 seems to mark schema mapping policy. Checked it out against several drivers.
  • On 2/18/2019 1:04 AM, kuronen wrote:
    >
    > How could I determine the dn of a driver schema mapping policy? At a
    > quick glance it seems that the information is stored in the policy
    > itself and the driver object.
    >
    > In the policy itself it is recognizable from XMLdata and
    > DirXML-pkgInitialState attributes but they are of type stream and not
    > suited for ldap substring query.
    >
    > In a driver object attribute DirXML-Policies the schema mapping policy
    > is included as one value:
    > cn=NOVLDTXTBASE-smp,cn=drivercn,cn=driverset,o=system#0#0
    >
    > This seems to be a structured attribute with some added information. Is
    > there something here to tell me it is a schema mapping policy? Any
    > ideas?


    Conveniently, I wrote about this a few years ago. (Yeesh, 2011!)

    https://www.netiq.com/communities/cool-solutions/talking-about-dirxml-policies-attributes/

    That attribute syntax has a DN, then two integers. First (in LDAP) is
    the position in the list, 0->N. Second represents WHAT the linkage is
    for. See my article. Short answer snipped out:

    0 Schema Map
    1 Input Transform
    2 Output Transform
    3 ECMA Script Object
    4 Sub Event Transform
    5 Pub Event Transform
    6 Sub Match
    7 Pub Match
    8 Sub Create
    9 Pub Create
    10 Sub Command Transform
    11 Pub Command Transform
    12 Sub Placement
    13 Pub Placement
    14 GCV Objects
    15 Startup (New in IDM 4.0.2.3)
    16 Shutdown (New in IDM 4.0.2.3)

    So yep, 0 is Schema Map. Note: You should check contents as Schema Map
    policy set can contain Policies of Schema maps.

    I forget, is the Schema map a different object class? Not connected to a
    live system this second to check.
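
An added example (not code from any poster in this thread): parsing `DirXML-Policies` values as read from the driver object over LDAP and returning the policy DNs linked to one policy set, ordered by position. It assumes the field order given in the post above (DN, then position, then linkage type); the function names and all sample values except the `NOVLDTXTBASE-smp` one from the question are constructed.

```python
# Linkage numbers as listed in the post above.
LINKAGE = {
    0: "Schema Map", 1: "Input Transform", 2: "Output Transform",
    3: "ECMA Script Object", 4: "Sub Event Transform", 5: "Pub Event Transform",
    6: "Sub Match", 7: "Pub Match", 8: "Sub Create", 9: "Pub Create",
    10: "Sub Command Transform", 11: "Pub Command Transform",
    12: "Sub Placement", 13: "Pub Placement", 14: "GCV Objects",
    15: "Startup", 16: "Shutdown",
}


def parse_policy_link(value):
    """Parse one DirXML-Policies value of the form DN#position#linkage."""
    if isinstance(value, bytes):  # LDAP client libraries often return bytes
        value = value.decode("utf-8")
    try:
        # Split from the right so a '#' inside the DN does not shift the fields.
        dn, position, linkage = value.rsplit("#", 2)
        position, linkage = int(position), int(linkage)
    except ValueError:
        raise ValueError(f"not a DN#int#int value: {value!r}") from None
    return {
        "dn": dn,
        "position": position,
        "linkage": linkage,
        "set": LINKAGE.get(linkage, f"unknown ({linkage})"),
    }


def policies_in_set(values, linkage=0):
    """Return the DNs linked to one policy set (default 0, Schema Map), in order."""
    links = [parse_policy_link(v) for v in values]
    matching = [link for link in links if link["linkage"] == linkage]
    return [link["dn"] for link in sorted(matching, key=lambda link: link["position"])]


# Constructed sample: the first two values are made up, the last is from the question.
SAMPLE = [
    "cn=example-smp2,cn=drivercn,cn=driverset,o=system#1#0",
    "cn=example-itp,cn=drivercn,cn=driverset,o=system#0#1",
    "cn=NOVLDTXTBASE-smp,cn=drivercn,cn=driverset,o=system#0#0",
]

if __name__ == "__main__":
    for dn in policies_in_set(SAMPLE):
        print(dn)
```

More than one DN can come back for linkage 0, so the object behind each DN still has to be read to see what it contains.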

  • On 2/18/2019 2:18 AM, Lothar Haeger wrote:
    > kuronen wrote:
    >
    >> Is there something here to tell me it is a schema mapping policy?

    >
    > Just look at the two digits after the policy DN: the one is the policy set it
    > is linked to and the other the position/order in that set. I do not know the
    > key number for schema mapping by heart, but can find out by checking with any
    > existing driver yourself. Geoffrey has written an article about this, too: -->
    > https://www.netiq.com/communities/cool-solutions/talking-about-dirxml-policies-attributes/


    Side note: try google and see if you can find an IDM topic where one of
    my articles does NOT come up. (Do let me know, and I will write
    something to break that loophole).


  • geoffc;2495523 wrote:
    > On 2/18/2019 2:18 AM, Lothar Haeger wrote:
    >> kuronen wrote:
    >>
    >>> Is there something here to tell me it is a schema mapping policy?
    >>
    >> Just look at the two digits after the policy DN: the one is the policy set it
    >> is linked to and the other the position/order in that set. I do not know the
    >> key number for schema mapping by heart, but can find out by checking with any
    >> existing driver yourself. Geoffrey has written an article about this, too: -->
    >> https://www.netiq.com/communities/cool-solutions/talking-about-dirxml-policies-attributes/
    >
    > Side note: try google and see if you can find an IDM topic where one of
    > my articles does NOT come up. (Do let me know, and I will write
    > something to break that loophole).


    You've got lots of loopholes to patch. The problem with this kinda searches is asking the right question. I tried something like "netiq idm policy identifier" "netiq idm ldap policy names" and got nothing even resembling the subject.

    Google with its A.I. is still no match for sir Geoff in mapping foolish questions to actual queries of data.
  • kuronen wrote:

    > asking the right question.


    you surely want to include "geoffc" as a keyword. He's written all about
    everything IDM, so not worth bothering with the rest.. ;-)

    --
    http://www.is4it.de/en/solution/identity-access-management/

    (If you find this post helpful, please click on the star below.)
  • On 2/19/2019 4:44 AM, kuronen wrote:
    >
    > geoffc;2495523 Wrote:
    >> On 2/18/2019 2:18 AM, Lothar Haeger wrote:
    >>> kuronen wrote:
    >>>
    >>>> Is there something here to tell me it is a schema mapping policy?
    >>>
    >>> Just look at the two digits after the policy DN: the one is the policy set it
    >>> is linked to and the other the position/order in that set. I do not know the
    >>> key number for schema mapping by heart, but can find out by checking with any
    >>> existing driver yourself. Geoffrey has written an article about this, too: -->
    >>> https://www.netiq.com/communities/cool-solutions/talking-about-dirxml-policies-attributes/
    >>
    >> Side note: try google and see if you can find an IDM topic where one of
    >> my articles does NOT come up. (Do let me know, and I will write
    >> something to break that loophole).
    >
    > You've got lots of loopholes to patch. The problem with this kinda
    > searches is asking the right question. I tried something like "netiq idm
    > policy identifier" "netiq idm ldap policy names" and got nothing even
    > resembling the subject.


    So I have an article about the attributes IDM uses. Let me work on that
    one for you. :)

    > Google with its A.I. is still no match for sir Geoff in mapping
    > foolish questions to actual queries of data.
    >
    >


  • On 2/19/2019 5:22 AM, Lothar Haeger wrote:
    > kuronen wrote:
    >
    >> asking the right question.

    >
    > you surely want to include "geoffc" as a keyword. He's written all about
    > everything IDM, so not worth bothering with the rest.. ;-)


    I think that will save you time, but is cheating in the suggested game.