"If source attribute equals" doesn't work


Hi all,

I’m facing a new problem in my way to understand a little more how NIM
works :confused:

In my driver’s publisher channel, I want to make the following rule :
If the user’s attribute “adminDescription” changes to ”rt” :

- the mapped attribute (“jackNumber”) will also change
- change “jackNumber” and “adminDescription” to “nm”
- delete “Initials” attribute inside NIM



To to this, I did a rule in the Command Transformation Policy:

Code:
--------------------
<policy>
<rule>
<description>fin de la migration</description>
<conditions>
<and>
<if-src-attr mode="nocase" name="adminDescription" op="equal">rt</if-src-attr>
</and>
</conditions>
<actions>
<do-clear-dest-attr-value class-name="User" name="Initials"/>
<do-set-dest-attr-value class-name="User" name="jackNumber">
<arg-value type="string">
<token-text xml:space="preserve">nm</token-text>
</arg-value>
</do-set-dest-attr-value>
<do-set-src-attr-value class-name="user" name="adminCount">
<arg-value type="string">
<token-text xml:space="preserve">nm</token-text>
</arg-value>
</do-set-src-attr-value>
</actions>
</rule>
</policy>
--------------------


My problem is that when I change manually the “adminDescription”
attribute to “rt”, I see that “jackNumber” changes also to “rt”, but my
rule is rejected:
> <nds dtdversion="1.1" ndsversion="8.7">
> <source>
> <product asn1id="" build="20120330_120000"
> instance="\IDV\system\DriverSet\ConnecteurAD"
> version="4.0.0.0">AD</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <instance class-name="user" event-id="0" src-dn="CN=User
> Syn,CN=Users,DC=nim2012,DC=intra">
> <association>428840cd9e5b434a84ea3385787d84e1</association>
> *<attr attr-name="adminDescription">
> <value naming="true" type="string">rt</value>
> </attr>*
> </instance>
> <status level="success"/>
> </output>
> </nds>
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Applying policy:
> NOVLADDCFG-smp.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Mapping class-name
> 'user' to 'User'.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Mapping attr-name
> 'adminDescription' to 'jackNumber'.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Applying policy:
> NOVLDATACOLL-smp-SkipSchemaMapping.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Applying to instance
> #1.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Evaluating selection
> criteria for rule 'skip'.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: (if-operation
> equal "instance") = TRUE.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: (if-op-property
> 'data-collection-query' equal "true") = FALSE.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Rule rejected.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Evaluating selection
> criteria for rule 'restore'.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: (if-op-property
> 'restore-attr-names' equal "true") = FALSE.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Rule rejected.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Applying to status
> #2.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Evaluating selection
> criteria for rule 'skip'.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: (if-operation
> equal "instance") = FALSE.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Rule rejected.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Evaluating selection
> criteria for rule 'restore'.
> [12/08/2014 18:02:09.376] ConnecteurAD PT: (if-op-property
> 'restore-attr-names' equal "true") = FALSE.
> [12/08/2014 18:02:09.376] ConnecteurAD PT: Rule rejected.
> [12/08/2014 18:02:09.376] ConnecteurAD PT: Policy returned:
> [12/08/2014 18:02:09.376] ConnecteurAD PT:
> <nds dtdversion="1.1" ndsversion="8.7">
> <source>
> <product asn1id="" build="20120330_120000"
> instance="\IDV\system\DriverSet\ConnecteurAD"
> version="4.0.0.0">AD</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> *<instance class-name="User" event-id="0" src-dn="CN=User
> Syn,CN=Users,DC=nim2012,DC=intra">
> <association>428840cd9e5b434a84ea3385787d84e1</association>
> <attr attr-name="jackNumber">
> <value naming="true" type="string">rt</value>
> </attr>
> </instance>*
> <status level="success"/>
> </output>
> </nds>
> [12/08/2014 18:02:09.376] ConnecteurAD PT: Resolving association
> references.
> [12/08/2014 18:02:09.376] ConnecteurAD PT: Query from policy
> result
> [12/08/2014 18:02:09.376] ConnecteurAD PT:
> <nds dtdversion="1.1" ndsversion="8.7">
> <source>
> <product asn1id="" build="20120330_120000"
> instance="\IDV\system\DriverSet\ConnecteurAD"
> version="4.0.0.0">AD</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <instance class-name="User" event-id="0" src-dn="CN=User
> Syn,CN=Users,DC=nim2012,DC=intra">
> <association>428840cd9e5b434a84ea3385787d84e1</association>
> *<attr attr-name="jackNumber">
> <value naming="true" type="string">rt</value>
> </attr>*
> </instance>
> <status level="success"/>
> </output>
> </nds>
> [12/08/2014 18:02:09.376] ConnecteurAD PT: *(if-src-attr
> 'adminDescription' equal "rt") = FALSE.*
> [12/08/2014 18:02:09.376] ConnecteurAD PT: Query from policy
> [12/08/2014 18:02:09.376] ConnecteurAD PT:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Standard" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <query class-name="User" dest-dn="data\personnes\usyn"
> dest-entry-id="98587" scope="entry">
> <read-attr attr-name="jackNumber"/>
> </query>
> </input>
> </nds>


I also try to evaluate the target attribute using jackNumber, but it was
also rejected...
Does anyone have an idea why?

Thanks in advance,
Remi


--
remifournier
------------------------------------------------------------------------
remifournier's Profile: https://forums.netiq.com/member.php?userid=8277
View this thread: https://forums.netiq.com/showthread.php?t=52385

  • remifournier wrote:

    > I also try to evaluate the target attribute using jackNumber, but it was
    > also rejected...
    > Does anyone have an idea why?


    According to the trace, you map adminDescription to jackNumber and since you
    evaluate your rule in a acommand transform, it's already mapped to jackNumber
    at that time. You need to test for src-attr(jackNumber) instead of
    src-attr(adminDescription), try:

    <if-src-attr mode="nocase" name="jackNumber" op="equal">rt</if-src-attr>

    As a general rule, use Edirectory attribute names in all policies except
    input/output transforms.
  • On 12/9/2014 5:58 AM, remifournier wrote:
    > [12/08/2014 18:02:09.375] ConnecteurAD PT: Mapping attr-name
    >>'adminDescription' to 'jackNumber'.


    So your <instance> starts with "adminDescription" being returned, but
    Schema Map converts that to 'jackNumber'. Which is fine.

    Just ask if source attr jackNumber has the value rt instead.


  • Thanks geoffc and lhaeger,

    It worked. But I have to say it's really hard to think this way. For me
    the source attribute (in my source directory) is still adminDescription.
    In my head, I had:

    - source: adminDescription from AD
    - target: jackNumber from NIM


    The fact that I create a mapping was just to tell NIM that when I change
    AD I would like to change also jackNumber... It's not very intuitive to
    think that my source attribute changed to adminDescription...

    Anyway, the important thing is that it worked and I learned something
    new :)

    Thanks again,
    Remi


    --
    remifournier
    ------------------------------------------------------------------------
    remifournier's Profile: https://forums.netiq.com/member.php?userid=8277
    View this thread: https://forums.netiq.com/showthread.php?t=52385

  • remifournier wrote:

    > It worked. But I have to say it's really hard to think this way. For me
    > the source attribute (in my source directory) is still adminDescription.
    > In my head, I had:
    >
    > - source: adminDescription from AD
    > - target: jackNumber from NIM
    >
    > The fact that I create a mapping was just to tell NIM that when I change
    > AD I would like to change also jackNumber... It's not very intuitive to
    > think that my source attribute changed to adminDescription...


    Think different. (will IBM sue me for this...? Or Lenovo?)

    When you look at the fishbone view in Designer or iManager note where the
    schema mapping policies are located. Everything from there in direction to the
    application is in application namespace (here AD class and attribute names).
    Everything between schema mapping and ID Vault is in Edirectory namespace
    (classes and attributes).

    So in input/output transforms, use AD attribute names, in event, command,
    mapping, creation, placement policies use Edir attribute names.

  • lhaeger;251931 Wrote:
    > Think different. (will IBM sue me for this...? Or Lenovo?)
    >
    > When you look at the fishbone view in Designer or iManager note where
    > the
    > schema mapping policies are located. Everything from there in direction
    > to the
    > application is in application namespace (here AD class and attribute
    > names).
    > Everything between schema mapping and ID Vault is in Edirectory
    > namespace
    > (classes and attributes).
    >
    > So in input/output transforms, use AD attribute names, in event,
    > command,
    > mapping, creation, placement policies use Edir attribute names.


    Hi, sorry for the late answer,

    But every time I thought I understand, there's something that doesn't
    work well :

    Now I'm having some trouble with the displayName and employeeType
    attributes. In my publisher channel's Command Strategy, I've did the
    following rule to change the user's displayName
    > [12/15/2014 13:45:23.106] ConnecteurAD PT: (if-src-attr
    > 'jackNumber' equal "rt") = FALSE.
    > [12/15/2014 13:45:23.106] ConnecteurAD PT: Rule rejected.
    > [12/15/2014 13:45:23.106] ConnecteurAD PT: Evaluating selection
    > criteria for rule 'attributs map'.
    > [12/15/2014 13:45:23.106] ConnecteurAD PT: (if-class-name equal
    > "User") = TRUE.
    > [12/15/2014 13:45:23.106] ConnecteurAD PT: (if-src-attr
    > 'adminDescription' not-equal "nm") = TRUE.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: (if-src-attr
    > 'adminDescription' not-equal "rt") = TRUE.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Rule selected.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Applying rule 'attributs
    > map'.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: * Action:
    > do-set-dest-attr-value("displayName",class-name="User",token-src-attr("Given
    > Name",class-name="User") "
    > " token-src-attr("Surname",class-name="User")).
    > [12/15/2014 13:45:23.107] ConnecteurAD PT:
    > arg-string(token-src-attr("Given Name",class-name="User") "
    > " token-src-attr("Surname",class-name="User"))
    > [12/15/2014 13:45:23.107] ConnecteurAD PT:
    > token-src-attr("Given Name",class-name="User")
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Token Value:
    > "Christine".
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: token-text(" ")
    > [12/15/2014 13:45:23.107] ConnecteurAD PT:
    > token-src-attr("Surname",class-name="User")
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Token Value:
    > "TEST".
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Arg Value:
    > "Christine TEST".
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Action: do-if().
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Evaluating
    > conditions.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: (if-op-attr
    > 'NSCP:employeeNumber' match "^[0-9]*") = FALSE.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Performing else
    > actions.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Action: do-if().
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Evaluating
    > conditions.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: (if-op-attr
    > 'NSCP:employeeNumber' match "^s[0-9]*") = FALSE.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Performing else
    > actions.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Action:
    > do-if().
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Evaluating
    > conditions.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: (if-op-attr
    > 'NSCP:employeeNumber' match "^p[0-9]*") = FALSE.*
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Performing
    > else actions.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT:Policy returned:
    > [12/15/2014 13:45:23.107] ConnecteurAD PT:
    > <nds dtdversion="2.2">
    > <source>
    > <product build="20120330_120000"
    > instance="\IDV\system\DriverSet\ConnecteurAD"
    > version="4.0.0.0">AD</product>
    > <contact>Novell, Inc.</contact>
    > </source>
    > <input>
    > <modify class-name="User" dest-dn="data\personnes\Christine
    > TEST(4663)" dest-entry-id="92220"
    > event-id="ConnecteurAD##14a4df6b0eb##0" src-dn="CN=Christine
    > TEST(4663),OU=Utilisateurs_Actifs,OU=MYDOMAIN,DC=nim2012,DC=intra">
    > <association>5d7a5eb62cb54642b4af29caf8495754</association>
    > <modify-attr attr-name="departmentNumber">
    > <remove-value>
    > <value timestamp="1418646801#2" type="string">SAA</value>
    > </remove-value>
    > </modify-attr>
    > <modify-attr attr-name="departmentNumber">
    > <add-value>
    > <value naming="false" type="string">SAA33</value>
    > </add-value>
    > </modify-attr>
    > <operation-data AccountTracking-AppAccountStatus="-"
    > AccountTracking-IdvAccountStatus="-"
    > AccountTracking-LDAPDN="CN=Christine TEST
    > (4663),OU=Utilisateurs_Actifs,OU=MYDOMAIN,DC=nim2012,DC=intra"
    > AccountTracking-association="5d7a5eb62cb54642b4af29caf8495754"/>
    > <modify-attr attr-name="displayName">
    > <remove-all-values/>
    > <add-value>
    > <value type="string">Christine TEST</value>
    > </add-value>
    > </modify-attr>
    > </modify>
    > </input>
    > </nds>
    > [12/15/2014 13:45:23.107] ConnecteurAD PT:Filtering out
    > notification-only attributes.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT: Filtered out <modify-attr
    > attr-name='displayName'>.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT:Pumping XDS to eDirectory.
    > [12/15/2014 13:45:23.107] ConnecteurAD PT:Performing operation modify
    > for data\personnes\Christine TEST (4663).
    > [12/15/2014 13:45:23.107] ConnecteurAD PT:--JCLNT--
    > \IDV\system\DriverSet\ConnecteurAD - Publisher : Duplicating : context =
    > 65929325, tempContext = 65929311
    > [12/15/2014 13:45:23.108] ConnecteurAD PT:Modifying entry
    > data\personnes\Christine Abadie (4663).
    > [12/15/2014 13:45:23.143] ConnecteurAD PT:--JCLNT--
    > \IDV\system\DriverSet\ConnecteurAD - Publisher : Calling free on
    > tempContext = 65929311
    > [12/15/2014 13:45:23.143] ConnecteurAD PT:
    > DirXML Log Event -------------------
    > Driver: \IDV\system\DriverSet\ConnecteurAD
    > Channel: Publisher
    > Object: CN=Christine TEST
    > (4663),OU=Utilisateurs_Actifs,OU=MYDOMAIN,DC=nim2012,DC=intra
    > (data\personnes\Christine TEST (4663))
    > Status: Success
    >


    But when the rule is executed, nothing happens in both attributes. They
    don't change.

    The displayName filter is set to notify (pub) / sync (sub) and
    employeeType is set to sync both ways...

    I'm I doing something wrong? I tried with both directory's attributes
    names...

    Thanks again in advance,
    Remi


    --
    remifournier
    ------------------------------------------------------------------------
    remifournier's Profile: https://forums.netiq.com/member.php?userid=8277
    View this thread: https://forums.netiq.com/showthread.php?t=52385

  • remifournier wrote:

    > But when the rule is executed, nothing happens in both attributes. They
    > don't change.
    >
    > The displayName filter is set to notify (pub) / sync (sub) and
    > employeeType is set to sync both ways...


    ConnecteurAD PT:Filtering out notification-only attributes.
    ConnecteurAD PT: Filtered out <modify-attr attr-name='displayName'>

    You need to do one of the following (I suggest the first option)

    1. set displayName directly (you can see this as an option in designer when you edit the set-dest-attr action)
    2. change displayname to publisher sync
    3. remove displayName from the filter entirely (or set it to publisher "none")

  • alexmchugh;252072 Wrote:
    >
    >
    > ConnecteurAD PT:Filtering out notification-only attributes.
    > ConnecteurAD PT: Filtered out <modify-attr attr-name='displayName'>
    >
    > You need to do one of the following (I suggest the first option)
    >
    > 1. set displayName directly (you can see this as an option in designer
    > when you edit the set-dest-attr action)
    > 2. change displayname to publisher sync
    > 3. remove displayName from the filter entirely (or set it to publisher
    > "none")


    Hi, I tried the first option and it works, thanks.

    I have just one more question, how does the mapping works for the class
    names ? It's the same as for attributes? I'm asking because I have some
    rules that evaluate the object class, but I frequently have this kind of
    trace:
    > (if-class-name equal "user") = FALSE.


    Knowing that I'm working with a user object, what do you think is not
    good? (I always use a non-sensitive case rule, so User or user should be
    equal, non?)


    Thanks again,
    Remi


    --
    remifournier
    ------------------------------------------------------------------------
    remifournier's Profile: https://forums.netiq.com/member.php?userid=8277
    View this thread: https://forums.netiq.com/showthread.php?t=52385

  • remifournier wrote:

    > > (if-class-name equal "user") = FALSE.

    >
    > Knowing that I'm working with a user object, what do you think is not
    > good? (I always use a non-sensitive case rule, so User or user should be
    > equal, non?)


    Most likely this test is accidentally mot case-insensitive. Designer changed
    from a default case-INsensitive in earlier version to case-sensitive mode in
    the latest releases and it's easy to miss changing compare mode sometimes.

  • Thanks,

    I will take a look...
    But concerning the mapping, it's the same as you had explained? I mean,
    to evaluate the class names I have to use the same rules you explained
    earlier?

    - User for AD side of the mapping
    - user for NIM side of the mapping


    --
    remifournier
    ------------------------------------------------------------------------
    remifournier's Profile: https://forums.netiq.com/member.php?userid=8277
    View this thread: https://forums.netiq.com/showthread.php?t=52385

  • remifournier wrote:

    > I will take a look...
    > But concerning the mapping, it's the same as you had explained? I mean,
    > to evaluate the class names I have to use the same rules you explained
    > earlier?
    >
    > - User for AD side of the mapping
    > - user for NIM side of the mapping


    I think it was the other way round: "User" in Edir/ID Vault, "user" in AD.