Search for objects with partial DN

Hi,

I have an issue where I need to search the vault for existing workorders using wildcards.

For example, disable workorders are created in the format:

cn=disable-user-CountryCode-StaffID-Date(ddmmYYYY)

Ideally when a termination date of a user is changed, I'd like the loopback driver to query the vault for workorders with their StaffID in
e.g: for a UK user "12345" it should query the workorders container for all workorders with a cn containing the text "disable-user-UK-1235"

I've tried this with policy (do-find-matching-object) and failed, so I'm assuming there will need to be an XPATH statement which would return a nodeset of results. The end action would be to delete any existing workorders that match.

Is this even possible, and if so does anyone have a starting point I could work with?

Thanks in advance.
John
  • Jevans78 wrote:

    > Is this even possible, and if so does anyone have a starting point I
    > could work with?


    I do not think you can use wildcards in DNs at all. You would need the relevant
    values in attributes on the workorder objects to search for them in the way you
    like it to do. In this case you'd have set something like workforceID and a due
    date. For the latter DirXML-DueDate might already be set if you're lucky.
    If you're not lucky you could set up a loopback driver to create/maintain the
    required attributes from the object name (or add such code to the Workorder
    driver directly).

    --
    http://www.is4it.de/en/solution/identity-access-management/
  • On 04/28/2016 08:41 AM, Lothar Haeger wrote:
    > Jevans78 wrote:
    >
    >> Is this even possible, and if so does anyone have a starting point I
    >> could work with?

    >
    > I do not think you can use wildcards in DNs at all. You would need the relevant
    > values in attributes on the workorder objects to search for them in the way you
    > like it to do. In this case you'd have set something like workforceID and a due


    I do not think this extra work is done; the CN value is there, so search
    against it directly.

    --
    Good luck.


  • I think you might need to do a query with the query token and store the
    result in a nodeset variable.

    You can then do a for each over the nodeset and do a regex compare.


    --
    joakim_ganse
    ------------------------------------------------------------------------
    joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159
    View this thread: https://forums.netiq.com/showthread.php?t=55785

  • On Thu, 28 Apr 2016 14:06:03 0000, Jevans78 wrote:

    > I have an issue where I need to search the vault for existing workorders
    > using wildcards.
    >
    > For example, disable workorders are created in the format:
    >
    > cn=disable-user-CountryCode-StaffID-Date(ddmmYYYY)
    >
    > Ideally when a termination date of a user is changed, I'd like the
    > loopback driver to query the vault for workorders with their StaffID in
    >
    > e.g: for a UK user "12345" it should query the workorders container for
    > all workorders with a cn containing the text "disable-user-UK-1235"
    >
    > I've tried this with policy (do-find-matching-object) and failed, so I'm
    > assuming there will need to be an XPATH statement which would return a
    > nodeset of results. The end action would be to delete any existing
    > workorders that match.


    You could probably leverage Lothar's ldapsearch ECMAScript to do the
    search. LDAP search deals with wildcards in the search filter. You'll get
    back a nodeset of matching objects.


    --
    David Gersic
    Knowledge Partner http://forums.microfocus.com
  • David Gersic wrote:

    > You could probably leverage Lothar's ldapsearch ECMAScript to do the
    > search. LDAP search deals with wildcards in the search filter. You'll get
    > back a nodeset of matching objects.


    I actually wrote that ldapsearch for a very similar scenario: search for
    accounts with a timestamp smaller than X. LDAP searches not only allow for
    wider wildcard use than token query or do-find-matching-object, they also
    support more operators, especially <= and >=.

    So if the OP writes the due date to a timestamp attribute (can be string syntax
    but must be sortable and comparable by <= and >= e.g. as yyyyMMdd), the search
    can be crafted in a way that it returns just the desired objects and no looping
    over a result(super)set is required. Whether that's worth the trouble of
    setting up ldapsearch depends on the performance requirements. If the typical
    nodeset to process would have more than a few hundred elements or you'd have to
    perform the search very often (every X seconds rather than hours or days), it
    might be reasonable to look into it.

    --
    http://www.is4it.de/en/solution/identity-access-management/
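An added example (not part of any post in this thread, and not code from Lothar's ldapsearch library): building the two LDAP filter strings the replies above describe, a `cn` wildcard match and a `<=`/`>=` range over attributes derived from the workorder name, with RFC 4515 escaping so a staff ID can never add its own wildcards or filter terms. `workforceID` is the attribute suggested earlier in the thread; `exampleDueDate` is a hypothetical attribute name, and the letters-only country code is an assumption.

```javascript
'use strict';

// RFC 4515: the characters \ * ( ) and NUL must be written as \XX hex
// pairs when they occur inside a filter assertion value.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Split a CN of the thread's form disable-user-CountryCode-StaffID-ddmmYYYY
// into searchable values. Returns null if the name does not follow it.
// Assumption: country code is letters only, staff ID is digits only.
function parseWorkOrderCn(cn) {
  const m = /^disable-user-([A-Za-z]+)-([0-9]+)-(\d{2})(\d{2})(\d{4})$/.exec(cn);
  if (!m) return null;
  const [, country, staffId, dd, mm, yyyy] = m;
  // Reorder to yyyyMMdd so that string order equals date order.
  return { country: country.toUpperCase(), staffId, due: yyyy + mm + dd };
}

// Substring filter on cn: every disable workorder for one user, any date.
function cnPrefixFilter(country, staffId) {
  const prefix = `disable-user-${country}-${staffId}-`;
  // Only the trailing * acts as a wildcard; the prefix is escaped.
  return `(cn=${escapeFilterValue(prefix)}*)`;
}

const STAFF_ATTR = 'workforceID';   // attribute named in the thread
const DUE_ATTR = 'exampleDueDate';  // hypothetical attribute name

// Range filter over the derived attributes; dates must be yyyyMMdd.
function dueRangeFilter(staffId, fromYmd, toYmd) {
  for (const d of [fromYmd, toYmd]) {
    if (!/^\d{8}$/.test(d)) throw new RangeError(`not yyyyMMdd: ${d}`);
  }
  return `(&(${STAFF_ATTR}=${escapeFilterValue(staffId)})` +
         `(${DUE_ATTR}>=${fromYmd})(${DUE_ATTR}<=${toYmd}))`;
}

// Constructed sample values, not taken from a real vault.
console.log(cnPrefixFilter('UK', '12345'));
console.log(parseWorkOrderCn('disable-user-UK-12345-28042016'));
console.log(dueRangeFilter('12345', '20160401', '20160430'));
```

The date in the CN is ddmmYYYY, which does not sort as a string, so it has to be rewritten to yyyyMMdd before `<=` and `>=` give date order.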

  • Yep, that's quicker than the query token.


    --
    joakim_ganse

  • On 4/28/2016 12:06 PM, Lothar Haeger wrote:
    > David Gersic wrote:
    >
    >> You could probably leverage Lothar's ldapsearch ECMAScript to do the
    >> search. LDAP search deals with wildcards in the search filter. You'll get
    >> back a nodeset of matching objects.

    >
    > I actually wrote that ldapsearch for a very similar scenario: search for
    > accounts with a timestamp smaller than X. LDAP searches not only allow for
    > wider wildcard use than token query or do-find-matching-object, they also
    > support more operators, especially <= and >=.
    >
    > So if the OP writes the due date to a timestamp attribute (can be string syntax
    > but must be sortable and comparable by <= and >= e.g. as yyyyMMdd), the search
    > can be crafted in a way that it returns just the desired objects and no looping
    > over a result(super)set is required. Whether that's worth the trouble of
    > setting up ldapsearch depends on the performance requirements. If the typical
    > nodeset to process would have more than a few hundred elements or you'd have to
    > perform the search very often (every X seconds rather than hours or days), it
    > might be reasonable to look into it.
    >


    I've used this approach many times as well. I much prefer the ldapsearch approach. I think not having wildcards in the
    tokens is a major shortcoming.

    I believe Geoffrey also has an article about how to SSL enable the ldapsearch library. Actually, I think Lothar's later
    versions might already include that now that I think about it.


    --
    -----------------------------------------------------------------------
    Will Schneider
    Knowledge Partner http://forums.netiq.com

  • Will Schneider <descent@no-mx.forums.netiq.com> wrote:
    >
    >
    > I believe Geoffrey also has an article about how to SSL enable the
    > ldapsearch library. Actually, I think Lothar's later
    > versions might already include that now that I think about it.
    >
    >


    Lothar's version does do SSL. Has done for a long time.

    --

  • On 4/29/2016 1:41 AM, Alex Mchugh wrote:
    > Will Schneider <descent@no-mx.forums.netiq.com> wrote:
    >>
    >>
    >> I believe Geoffrey also has an article about how to SSL enable the
    >> ldapsearch library. Actually, I think Lothar's later
    >> versions might already include that now that I think about it.
    >>
    >>

    >
    > Lothar's version does do SSL. Has done for a long time.
    >


    See, I need to update my packages :) Silly me :)

    --
    -----------------------------------------------------------------------
    Will Schneider
    Knowledge Partner http://forums.netiq.com

  • Hi all,

    Thanks for the replies. I think the easiest/most efficient way is to set searchable attributes on the workorders when they are created. I can then match using these, so I'll test this way.

    Many thanks
    John