XPATH query confusion

Hello,

I am trying to write a rule which will, when it receives a password
change event for a user, query a specific group in AD to see if that
user is a member... or else query the 'memberOf' pseudo-attribute for
the user and see if the specific group is listed.

I know that if I use either approach, I will need to use XPATH and a
for-each statement.
For the first approach, I would query for all members of the specific
group and iterate over them looking for the user in question, and for
the second approach I would iterate over all groups the user is a member
of until it finds a match. I'm stuck on which is the better approach and
exactly how to construct the query.

Can someone steer me toward a useful XPATH tutorial with gobs of examples?

Thanks
  • On 5/16/2019 11:20 AM, 6423241 wrote:
    > Hello,
    >
    > I am trying to write a rule which will, when it receives a password
    > change event for a user, query a specific group in AD to see if that
    > user is a member... or else query the 'memberOf' pseudo-attribute for
    > the user and see if the specific group is listed.
    >
    > I know that if I use either approach, I will need to use XPATH and a
    > for-each statement.
    > For the first approach, I would query for all members of the specific
    > group and iterate over them looking for the user in question, and for
    > the second approach I would iterate over all groups the user is a member
    > of until it finds a match. I'm stuck on which is the better approach and
    > exactly how to construct the query.
    >
    > Can someone steer me toward a useful XPATH tutorial with gobs of examples?


    Beetlejuice?

    XPATH:

    Concepts:
    http://www.novell.com/communities/node/4833/some-thoughts-xpath-novell-identity-manager
    https://www.netiq.com/communities/cool-solutions/xpath-and-context-node/
    http://www.novell.com/communities/node/6109/xpath-and-math
    http://www.novell.com/communities/node/6179/using-string-compares-xpath-statements
    http://www.novell.com/communities/node/6910/another-attempt-explaining-xpath-context-node
    http://www.novell.com/communities/node/9214/example-walk-through-using-xpath-identity-manager
    http://www.novell.com/communities/node/12361/examples-using-xpath-identity-manager
    http://www.novell.com/communities/node/13617/xpath-and-the-four-contexts

    Cool tips:
    http://www.novell.com/communities/node/5845/using-xpath-examine-association-values
    https://www.netiq.com/communities/cool-solutions/cool-tricks-using-xpath-nodesets/
    http://www.novell.com/communities/node/4825/using-global-configuration-values-xpath
    http://www.novell.com/communities/node/6276/using-xpath-get-position-node-node-set

    http://www.novell.com/communities/node/11637/xpath-do-schema-mapping-rule
    http://www.novell.com/communities/node/12261/using-xpath-reproduce-map-token


    However those are all redirected to the new Community site as of last
    week or so and I am not sure if all will redirect properly. Let me
    know, and I will get you the proper URL.

    Argh, I am getting bad redirects on some, and the URL I get when I
    search on community looks like:
    community.microfocus.com/.../1773331
  • 6423241 wrote:

    > I know that if I use either approach, I will need to use XPATH and a for-each
    > statement.


    Not necessarily. You could query for the group as search base and
    member=<user-dn> as matching criteria. Now if you get back an <instance> the
    user is a group member; if you do not get any <instance> back, it's not.
    Not sure how well that works with the AD shim's query capabilities. It will
    certainly work with Edir and LDAP.

    --
    http://www.is4it.de/en/solution/identity-access-management/

  • Lothar Haeger,
    >
    >> I know that if I use either approach, I will need to use XPATH and a for-each
    >> statement.

    >
    > Not necessarily. You could query for the group as search base and
    > member=<user-dn> as matching criteria. Now if you get back an <instance> the
    > user is a group member, if you do not get any <instance> back, it's not.
    > Not sure how well that works with the AD shim's query capabilities. It will
    > certainly work with Edir and LDAP
    >


    It's worth a try, especially since all but a few of the links Geoffrey
    helpfully provided return "Page Not Found".

    Thanks


  • On 5/16/2019 1:26 PM, 6423241 wrote:
    > Lothar Haeger,
    >>
    >>> I know that if I use either approach, I will need to use XPATH and a
    >>> for-each
    >>> statement.

    >>
    >> Not necessarily. You could query for the group as search base and
    >> member=<user-dn> as matching criteria. Now if you get back an
    >> <instance> the
    >> user is a group member, if you do not get any <instance> back, it's not.
    >> Not sure how well that works with the AD shim's query capabilities. It
    >> will
    >> certainly work with Edir and LDAP
    >>

    >
    > It's worth a try, especially since all but a few of the links Geoffrey
    > helpfully provided return "Page Not Found".


    Ya, annoying. The ladies working on this have the remapping list and
    are working on getting it all done. So these are supposed to start
    working again at some point soon.

    Go to community.microfocus.com and search for any words in the URL or
    topics and you will likely find the article.

    Lothar's approach is even simpler than mine.

  • Lothar Haeger,

    > 6423241 wrote:
    >
    >> I know that if I use either approach, I will need to use XPATH and a for-each
    >> statement.

    >
    > Not necessarily. You could query for the group as search base and
    > member=<user-dn> as matching criteria. Now if you get back an <instance> the
    > user is a group member, if you do not get any <instance> back, it's not.
    > Not sure how well that works with the AD shim's query capabilities. It will
    > certainly work with Edir and LDAP
    >


    So I want to do a query of the destination datastore, scope Subtree,
    class name group, specified DN = [dn of target group], match attributes
    member...

    I'm bogged down at the <user DN> bit. Given that the user I'm looking
    for could be in one of many OUs on the MAD side and a user CN in the ID
    vault is not the same as CN in MAD, what specific value am I matching on?



    Thanks
  • On 5/20/2019 4:05 PM, 6423241 wrote:
    > Lothar Haeger,
    >
    >> 6423241 wrote:
    >>
    >>> I know that if I use either approach, I will need to use XPATH and a
    >>> for-each
    >>> statement.

    >>
    >> Not necessarily. You could query for the group as search base and
    >> member=<user-dn> as matching criteria. Now if you get back an
    >> <instance> the
    >> user is a group member, if you do not get any <instance> back, it's not.
    >> Not sure how well that works with the AD shim's query capabilities. It
    >> will
    >> certainly work with Edir and LDAP
    >>

    >
    > So I want to do a query of the destination datastore, scope Subtree,
    > class name group, specified DN = [dn of target group], match attributes
    > member...
    >
    > I'm bogged down at the <user DN> bit. Given that the user I'm looking
    > for could be in one of many OUs on the MAD side and a user CN in the ID
    > vault is not the same as CN in MAD, what specific value am I matching on?


    Are all your users associated? Look at DirXML-ADContext in the IDV to
    get the DN in AD. Or use the Resolve token to convert the Assoc value
    on the user for this driver, to the DN in the remote source.
  • 6423241 wrote:

    > So I want to do a query of the destination datastore, scope Subtree, class
    > name group, specified DN = [dn of target group], match attributes member...


    Scope should be "base" (search only this single DN/group), though "subtree"
    would probably work as well, since groups are non-containers.

    > I'm bogged down at the <user DN> bit. Given that the user I'm looking for
    > could be in one of many OUs on the MAD side and a user CN in the ID vault is
    > not the same as CN in MAD, what specific value am I matching on?


    Simply use token-src-dn. If you're on the publisher (where does your pw change
    event come from? AD or Edir), it's already the DN in AD. If on the subscriber,
    it should be resolved to that user's association in schema mapping and
    @association-ref will be added to the <value> node automatically.

    --
    http://www.is4it.de/en/solution/identity-access-management/

  • On 5/21/2019 04:28, Lothar Haeger wrote:
    > 6423241 wrote:
    >
    >> So I want to do a query of the destination datastore, scope Subtree, class
    >> name group, specified DN = [dn of target group], match attributes member...

    >
    > Scope should be "base" (search only this single DN/group), though "subtree"
    > would probably work as well, since groups are non-containers
    >
    >> I'm bogged down at the <user DN> bit. Given that the user I'm looking for
    >> could be in one of many OUs on the MAD side and a user CN in the ID vault is
    >> not the same as CN in MAD, what specific value am I matching on?

    >
    > Simply use token-src-dn. If you're on the publisher (were does your pw change
    > event come from? AD or Edir), it's already the DN in AD. If on the subscriber,
    > it should be resolved to that user's association in schema mapping and
    > @association-ref will be added to the <value> node automatically.
    >


    Password change events come from the vault, so I'm creating the rule in
    the ETP on the subscriber channel. There isn't a scope 'base' -- how
    about 'entry'? The other option is 'subordinates'.

  • 6423241 wrote:

    > There isn't a scope 'base' -- how about 'entry'?


    That's the one. Funny how they reinvent terminology in Designer - to "simplify"
    the user experience, I guess.

    Similar thing with subversion commit (which is called "check in" in Designer)

    --
    http://www.is4it.de/en/solution/identity-access-management/

  • Here is my rule:


    <rule>
      <description>identify users in StaleUsers group</description>
      <conditions>
        <and>
          <if-class-name mode="nocase" op="equal">User</if-class-name>
          <if-operation mode="nocase" op="equal">modify</if-operation>
        </and>
      </conditions>
      <actions>
        <!-- base-scope ("entry") query of the group itself, matching the
             current user's DN against its member attribute -->
        <do-set-local-variable name="lv-isMember" scope="driver">
          <arg-node-set>
            <token-query class-name="group" datastore="dest" scope="entry">
              <arg-dn>
                <token-text xml:space="preserve">CN=Stale_Osumc.Users,OU=Application,OU=Access Groups,DC=OSUMC,DC=EDU</token-text>
              </arg-dn>
              <arg-match-attr name="member">
                <arg-value type="dn">
                  <token-src-dn/>
                </arg-value>
              </arg-match-attr>
            </token-query>
          </arg-node-set>
        </do-set-local-variable>
        <!-- exactly one <instance> back means the user is a member -->
        <do-if>
          <arg-conditions>
            <and>
              <if-xpath op="true">count($lv-isMember/@src-dn)=1</if-xpath>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-add-src-attr-value name="IWS:User Comment">
              <arg-value type="string">
                <token-text xml:space="preserve">Bingo!</token-text>
              </arg-value>
            </do-add-src-attr-value>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </actions>
    </rule>


    The trace returns a status message that says:
    <message>Error getting next page of search results</message>
    <ldap-err ldap-rc="10" ldap-rc-name="LDAP_REFERRAL">

    Full L3 trace is here: https://pastebin.com/0kURsNzh

    I think I'm closer to pay dirt, but something is still missing.

    Thanks
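The membership decision the rule above makes (one <instance> back from the group query means "member", none means "not a member") has a failure mode the trace shows: a query that ends in an error status also returns no <instance>, and `count($lv-isMember/@src-dn)=1` then silently reads as "not a member". The following Python is an added example, not the poster's rule or any NetIQ/IDM code; the three XDS response documents are constructed here, shaped after the rule's group DN and the LDAP_REFERRAL status in the trace, to show a check that keeps the error case separate from a genuine miss.

```python
import xml.etree.ElementTree as ET

# Constructed XDS response: the group instance comes back because the
# user's DN matched on "member" (DNs are illustrative).
MEMBER_RESPONSE = """<nds dtdversion="4.0">
  <output>
    <instance class-name="group"
              src-dn="CN=Stale_Osumc.Users,OU=Application,OU=Access Groups,DC=OSUMC,DC=EDU">
      <attr attr-name="member">
        <value type="dn">CN=Example User,OU=People,DC=OSUMC,DC=EDU</value>
      </attr>
    </instance>
    <status level="success"/>
  </output>
</nds>"""

# Constructed: the query succeeded but matched nothing -> not a member.
NOT_MEMBER_RESPONSE = """<nds dtdversion="4.0">
  <output><status level="success"/></output>
</nds>"""

# Constructed, shaped like the status in the trace: no instance either,
# but because the query failed, not because the user is absent.
ERROR_RESPONSE = """<nds dtdversion="4.0">
  <output>
    <status level="error">
      <message>Error getting next page of search results</message>
      <ldap-err ldap-rc="10" ldap-rc-name="LDAP_REFERRAL"/>
    </status>
  </output>
</nds>"""


def query_error(xds_response: str):
    """Return (ldap-rc, ldap-rc-name) from a failed query status, else None."""
    status = ET.fromstring(xds_response).find("./output/status")
    if status is None or status.get("level") in ("success", "warning"):
        return None
    err = status.find("ldap-err")
    if err is None:
        return ("", status.get("level", ""))
    return (err.get("ldap-rc", ""), err.get("ldap-rc-name", ""))


def is_group_member(xds_response: str):
    """True/False for a conclusive answer; None when the query itself failed.

    Same test as count($lv-isMember/@src-dn)=1 in the rule, except that an
    error status is reported as 'unknown' instead of 'not a member'."""
    if query_error(xds_response) is not None:
        return None
    root = ET.fromstring(xds_response)
    return len(root.findall("./output/instance[@src-dn]")) == 1
```

In the policy itself the equivalent guard is a second condition on the query result's status node before acting on an empty node set.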