Query for nrfmemberof

Getting a syntax violation error while doing the query below. Please help. The same query works using an LDAP browser.

[09/25/19 14:27:00.131]:InternalAD PT: Action: do-set-local-variable("lvQueryidvnrfMember",scope="policy",token-query(class-name="User",arg-match-attr("CN",token-local-variable("lvIDVParsedCN")),arg-match-attr("nrfMemberOf",token-local-variable("lvIDVRoleparsedDN")),"employeeStatus")).
[09/25/19 14:27:00.132]:InternalAD PT: arg-string(token-query(class-name="User",arg-match-attr("CN",token-local-variable("lvIDVParsedCN")),arg-match-attr("nrfMemberOf",token-local-variable("lvIDVRoleparsedDN")),"employeeStatus"))
[09/25/19 14:27:00.133]:InternalAD PT: token-query(class-name="User",arg-match-attr("CN",token-local-variable("lvIDVParsedCN")),arg-match-attr("nrfMemberOf",token-local-variable("lvIDVRoleparsedDN")),"employeeStatus")
[09/25/19 14:27:00.133]:InternalAD PT: arg-match-attr("CN",token-local-variable("lvIDVParsedCN"))
[09/25/19 14:27:00.134]:InternalAD PT: arg-string(token-local-variable("lvIDVParsedCN"))
[09/25/19 14:27:00.134]:InternalAD PT: token-local-variable("lvIDVParsedCN")
[09/25/19 14:27:00.134]:InternalAD PT: Token Value: "Z8QHL".
[09/25/19 14:27:00.135]:InternalAD PT: Arg Value: "Z8QHL".
[09/25/19 14:27:00.135]:InternalAD PT: arg-match-attr("nrfMemberOf",token-local-variable("lvIDVRoleparsedDN"))
[09/25/19 14:27:00.135]:InternalAD PT: arg-string(token-local-variable("lvIDVRoleparsedDN"))
[09/25/19 14:27:00.136]:InternalAD PT: token-local-variable("lvIDVRoleparsedDN")
[09/25/19 14:27:00.136]:InternalAD PT: Token Value: "CN=A-HDS-TDSTPA,CN=ADRoles,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=driverset1,O=system".
[09/25/19 14:27:00.137]:InternalAD PT: Arg Value: "CN=A-HDS-TDSTPA,CN=ADRoles,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=driverset1,O=system".
[09/25/19 14:27:00.137]:InternalAD PT: arg-string("employeeStatus")
[09/25/19 14:27:00.138]:InternalAD PT: token-text("employeeStatus")
[09/25/19 14:27:00.138]:InternalAD PT: Arg Value: "employeeStatus".
[09/25/19 14:27:00.138]:InternalAD PT: Query from policy
[09/25/19 14:27:00.138]:InternalAD PT:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="User" scope="subtree">
<search-class class-name="User"/>
<search-attr attr-name="CN">
<value type="string">Z8QHL</value>
</search-attr>
<search-attr attr-name="nrfMemberOf">
<value type="string">CN=A-HDS-TDSTPA,CN=ADRoles,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=driverset1,O=system</value>
</search-attr>
<read-attr attr-name="employeeStatus"/>
</query>
</input>
</nds>
[09/25/19 14:27:00.141]:InternalAD PT: Pumping XDS to eDirectory.
[09/25/19 14:27:00.141]:InternalAD PT: Performing operation query for .
[09/25/19 14:27:00.141]:InternalAD PT: --JCLNT-- \BBCIDV\system\driverset1\AD-Internal-BBC - Publisher : Duplicating : context = 1919483980, tempContext = 1919484141
[09/25/19 14:27:00.142]:InternalAD PT: --JCLNT-- \BBCIDV\system\driverset1\AD-Internal-BBC - Publisher : Calling free on tempContext = 1919484141
[09/25/19 14:27:00.152]:InternalAD PT: Query from policy result
[09/25/19 14:27:00.152]:InternalAD PT:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="0" level="error">Code(-9010) An exception occurred: novell.jclient.JCException: initVlistIterator -613 ERR_SYNTAX_VIOLATION</status>
</output>
</nds>
[09/25/19 14:27:00.154]:InternalAD PT: Token Value: "".
[09/25/19 14:27:00.154]:InternalAD PT: Arg Value: "".

  • Hi,
    instead of CN=A-HDS-TDSTPA,CN=ADRoles,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=driverset1,O=system (LDAP notation), use something like "system\driverset1\UserApp....", which is slash notation. I don't know if you need to prefix the tree name on a query. If so, look at the local variables; there is an automatic one for the tree.
    If you need to convert them on the fly, look for the parseDN verb.

    regards
    Daniel
  • Verified Answer

    I did the same; now the syntax error is cleared, but the query is not giving any output, while in LDAP I am getting the result.

    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.3.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <query class-name="User" scope="subtree">
    <search-class class-name="User"/>
    <search-attr attr-name="CN">
    <value type="string">Z8QHL</value>
    </search-attr>
    <search-attr attr-name="nrfMemberOf">
    <value type="string">O=system\CN=driverset1\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level20\CN=ADRoles\CN=A-HDS-MPS-R</value>
    </search-attr>
    <read-attr attr-name="employeeStatus"/>
    </query>
    </input>
    </nds>
    [09/25/19 15:33:20.365]:InternalAD PT: Pumping XDS to eDirectory.
    [09/25/19 15:33:20.365]:InternalAD PT: Performing operation query for .
    [09/25/19 15:33:20.365]:InternalAD PT: --JCLNT-- \BBCIDV\system\driverset1\AD-Internal-BBC - Publisher : Duplicating : context = 1919484151, tempContext = 1919484134
    [09/25/19 15:33:20.365]:InternalAD PT: --JCLNT-- \BBCIDV\system\driverset1\AD-Internal-BBC - Publisher : Calling free on tempContext = 1919484134
    [09/25/19 15:33:20.365]:InternalAD PT: Query from policy result
    [09/25/19 15:33:20.365]:InternalAD PT:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.3.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status event-id="0" level="success"></status>
    </output>
    </nds>
    [09/25/19 15:33:20.365]:InternalAD PT: Token Value: "".
    [09/25/19 15:33:20.365]:InternalAD PT: Arg Value: "".

  • You left the CN= and OU= in the DN path.

    For whatever reason, IDM internally uses slash format for DNs. Why? I dunno. But it does.

    So when you specify a DN for read or write in IDM against the IDV, you use the format that the first poster suggested.

    You got close. He said, instead of:

    CN=A-HDS-TDSTPA,CN=ADRoles,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=driverset1,O=system

    to reverse the order (root-most to leaf-most instead of LDAP's leaf-most to root-most) and use slashes as the delimiters, to be more like:

    system\driverset1\UserApplication\AppConfig\....

    And you used:

    O=system\CN=driverset1\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level20\CN=ADRoles\CN=A-HDS-MPS-R

    which is not quite correct; remove the O=, the CN= and so on, and try again. You are getting closer.

    Side note:

    Parse DN will convert the DN format. Parse DN on the variable holding the role name, start 0, length of -1, source format LDAP, destination format slash.

     

  • I got it; I was using qualified-src-dn instead of src-dn.


    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.3.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <query class-name="User" scope="subtree">
    <search-class class-name="User"/>
    <search-attr attr-name="CN">
    <value type="string">Z8QHL</value>
    </search-attr>
    <search-attr attr-name="nrfMemberOf">
    <value type="string">\BBCIDV\system\driverset1\UserApplication\AppConfig\RoleConfig\RoleDefs\Level20\ADRoles\A-HDS-PRDHOME</value>
    </search-attr>
    <read-attr attr-name="employeeStatus"/>
    </query>
    </input>
    </nds>
    [09/26/19 08:56:41.795]:InternalAD PT: Pumping XDS to eDirectory.
    [09/26/19 08:56:41.795]:InternalAD PT: Performing operation query for .
    [09/26/19 08:56:41.795]:InternalAD PT: --JCLNT-- \BBCIDV\system\driverset1\AD-Internal-BBC - Publisher : Duplicating : context = 1919484147, tempContext = 1919483983
    [09/26/19 08:56:41.795]:InternalAD PT: --JCLNT-- \BBCIDV\system\driverset1\AD-Internal-BBC - Publisher : Calling free on tempContext = 1919483983
    [09/26/19 08:56:41.795]:InternalAD PT: Query from policy result
    [09/26/19 08:56:41.795]:InternalAD PT:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.3.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <instance class-name="User" event-id="0" qualified-src-dn="O=BBC\OU=users\OU=contractors\CN=Z8QHL" src-dn="\BBCIDV\BBC\users\contractors\Z8QHL" src-entry-id="214104">
    <association state="associated">a4c47948b9bdc6429bdf71fda2f9a88e</association>
    <attr attr-name="employeeStatus">
    <value timestamp="1484741961#21" type="string">3</value>
    </attr>
    </instance>
    <status event-id="0" level="success"></status>
    </output>
    </nds>

  • Hi,
    you not only removed the full qualifiers but also added the tree name.

    As I wasn't sure about using FQDNs I made some query tests in 4.7.3:

    1. using full qualified without tree (o=system\cn=driverset..) -> FAIL
    2. using unqualified without tree (system\driverset..) -> FAIL
    3. using full qualified with tree (\mytree\o=system\cn=driverset..) -> OK
    4. using unqualified with tree (\mytree\system\driverset..) -> OK

    So you MUST prefix the tree (maybe a senior could tell us if this changed recently), and you CAN use FQDNs in member queries.

    BTW: Number 3 is a bit strange, as in my opinion this is a mix of qualified and unqualified; it should be \t=mytree\o=system\cn=driverset.. but that didn't work either.

    regards
    Daniel

    Edit: Corrected double negation
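The conversion described in the "reverse the order and use slashes" reply and the tree-prefix results in the last reply, as an added example. This is not IDM's own Parse DN implementation and not code from anyone in this thread; it is a small Python helper that does the same transformation so the formats can be compared side by side: reverse the RDNs so the tree root comes first, drop or keep the CN=/O= qualifiers, and optionally prepend the tree name. The tree name BBCIDV and the role DN are taken from the traces above; the "Smith, John" user is constructed to show an escaped comma. How eDirectory treats LDAP escapes other than `\,` is an assumption noted in the code. The `is_query_ready` guard encodes the practical lesson of the thread: a DN in the wrong format is not always rejected with -613; an un-prefixed slash DN came back as `success` with no `<instance>`, which a role-check policy would silently read as "not a member".

```python
"""Convert LDAP-notation DNs to the slash notation eDirectory expects in IDM queries.

Added example for this thread (not IDM's own ParseDN). It does what the replies
describe: reverse the RDN order so the tree root comes first, optionally drop the
type qualifiers (CN=, O=, ...), and optionally prefix the tree name. 'BBCIDV' and
the role DN come from the traces above; 'Smith, John' is constructed test data.
"""
from typing import List, Optional


def split_rdns(ldap_dn: str) -> List[str]:
    """Split an LDAP DN on unescaped commas; RFC 4514 backslash escapes stay intact."""
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(ldap_dn):
        ch = ldap_dn[i]
        if ch == "\\" and i + 1 < len(ldap_dn):   # escape pair: copy both characters
            buf.append(ldap_dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def ldap_to_slash(ldap_dn: str, tree: Optional[str] = None, qualified: bool = False) -> str:
    """LDAP DN (leaf-first) -> slash DN (root-first).

    tree:      eDirectory tree name; when given, the result is prefixed with a
               leading backslash plus the tree name, the form the last two posts
               found necessary for nrfMemberOf queries.
    qualified: keep the 'CN=' / 'O=' prefixes (IDM's qualified-src-dn style)
               instead of dropping them (src-dn style).
    """
    parts: List[str] = []
    for rdn in reversed(split_rdns(ldap_dn)):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without attribute type: {rdn!r}")
        # A literal comma is escaped as backslash-comma in LDAP; in slash notation the
        # comma is not a delimiter, so the escape is dropped. Other escapes are passed
        # through unchanged (assumption: verify against your own tree).
        value = value.replace("\\,", ",")
        parts.append(f"{attr.strip()}={value}" if qualified else value)
    body = "\\".join(parts)
    return f"\\{tree}\\{body}" if tree else body


def looks_like_ldap_dn(dn: str) -> bool:
    """Heuristic: an unescaped comma and no backslash means the value is still LDAP
    notation and would either fail with -613 ERR_SYNTAX_VIOLATION or match nothing."""
    return "," in dn and "\\" not in dn


def is_query_ready(dn: str) -> bool:
    """True only for tree-prefixed slash DNs (leading backslash, tree, >= 1 component).

    Per the 4.7.3 tests in the thread, a slash DN without the tree prefix returned
    level="success" with no <instance>, which a role-membership policy would read
    as 'user is not in the role'. Failing loudly beats a silent false negative.
    """
    return (not looks_like_ldap_dn(dn)) and dn.startswith("\\") and dn.count("\\") >= 2


def assert_query_ready(dn: str) -> str:
    """Raise instead of issuing a query that cannot return the right answer."""
    if not is_query_ready(dn):
        raise ValueError(f"not a tree-prefixed slash DN, convert it first: {dn!r}")
    return dn


ROLE_LDAP = ("CN=A-HDS-TDSTPA,CN=ADRoles,CN=Level20,CN=RoleDefs,CN=RoleConfig,"
             "CN=AppConfig,CN=UserApplication,CN=driverset1,O=system")

if __name__ == "__main__":
    print(ldap_to_slash(ROLE_LDAP, tree="BBCIDV"))           # src-dn style, as in the working query
    print(ldap_to_slash(ROLE_LDAP, qualified=True))           # qualified style, no tree (failed in 4.7.3)
    print(ldap_to_slash("CN=Smith\\, John,OU=contractors,OU=users,O=BBC", tree="BBCIDV"))
    print(assert_query_ready(ldap_to_slash(ROLE_LDAP, tree="BBCIDV")))
```

In a policy you would still use the Parse DN token (source format LDAP, destination format slash, length -1) rather than this helper; the point of the code is to make the three variants visible next to each other and to show the check a policy should perform before treating an empty result as "no membership".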