Manipulating DirXML-EntitlementRef in code

I've run into a situation that I've found can be avoided if I manually
change the value of a DirXML-EntitlementRef attribute directly on
a user object in an LDAP browser from

cn=NOVLGGLEUSER-Account,cn=Google Apps Driver,cn=IDM-Driverset,o=services#1# <etc..>

to

cn=NOVLGGLEUSER-Account,cn=Google Apps Driver,cn=IDM-Driverset,o=services#0# <etc..>

Note the change from #1# to #0#.
I want to do this on hundreds of users, so I'm looking for a way to automate
it using driver code or any other means.

Any help much appreciated.
  • On 9/8/2017 4:19 PM, de Groot, David wrote:
    > I've run into a situation that I've found can be avoided if I manually
    > change the value of a DirXML-EntitlementRef attribute directly on
    > a user object in an LDAP browser from
    >
    > cn=NOVLGGLEUSER-Account,cn=Google Apps Driver,cn=IDM-Driverset,o=services#1# <etc..>
    >
    > to
    >
    > cn=NOVLGGLEUSER-Account,cn=Google Apps Driver,cn=IDM-Driverset,o=services#0# <etc..>
    >
    > Note the change from #1# to #0#.
    > I want to do this on hundreds of users, so I'm looking for a way to automate
    > it using driver code or any other means.
    >
    > Any help much appreciated.


    I wrote an article on the topic but cannot recall the URL offhand.
    The key is to treat the path.xml node as a nodeset, and read/write it that
    way.

    Remove a structured attribute, with three components and then add it
    back where the values of the volume and path.xml components are XPATH
    selecting those values.

  • Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:
    >
    >
    > I wrote an article on the topic but cannot recall the URL offhand.
    > The key is to treat the path.xml node as a nodeset, and read/write it that
    > way.
    >
    > Remove a structured attribute, with three components and then add it
    > back where the values of the volume and path.xml components are XPATH
    > selecting those values.
    >


    Essentially,

    1. Read out the DirXML entitlement values for the current user into a
    variable of type nodeset.
    2. For-each over just those values where an XPath value test for the volume
    component matches your desired Entitlement DN (remember it isn't going to
    be Alfaro style DN here in policy).
    3a. In policy, remove attribute value - structured, with nameSpace of 1 and
    volume of your desired Entitlement DN.
    3b. Clone by XPath $current-node/component[@name='path.xml'] to
    .../modify[last()]/modify-attr[last()]/value[last()]

    Or something like that.

    4a. In policy, add attribute value - structured, with nameSpace of 0 and
    volume of your desired Entitlement DN.
    4b. Clone by XPath $current-node/component[@name='path.xml'] to
    .../modify[last()]/modify-attr[last()]/value[last()]

    Or something like that.



    set the first two values via policy and the third one use clone by xpath to
    clone from
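    As an added example that is not part of the thread and not code from NetIQ or any IDM tool: the same remove-then-add of a structured value written as an LDIF batch instead of driver policy, for the "any other means" route in the original question. It assumes the LDAP string form volume#nameSpace#path that the LDAP browser shows, a case-insensitive match on the volume DN, and that the path XML is carried over unchanged; the user DNs, entitlement DN layout and path XML below are constructed sample data.

```python
"""Flip granted DirXML-EntitlementRef values (#1#) to revoked (#0#) for one entitlement,
emitted as an LDIF modify batch. Sample users and values below are constructed."""
from __future__ import annotations

import base64
from typing import NamedTuple

ATTR = "DirXML-EntitlementRef"


class EntitlementRef(NamedTuple):
    volume: str      # DN of the entitlement object (first '#'-delimited field)
    name_space: str  # "1" = granted, "0" = revoked
    path: str        # opaque XML text; copied through unchanged, byte for byte


def parse_ref(value: str) -> EntitlementRef:
    """LDAP string form of the Path syntax is volume#nameSpace#path; the path may
    itself contain '#', so split at most twice."""
    volume, name_space, path = value.split("#", 2)
    return EntitlementRef(volume, name_space, path)


def format_ref(ref: EntitlementRef) -> str:
    return f"{ref.volume}#{ref.name_space}#{ref.path}"


def revoke_value(value: str, target_volume: str) -> str | None:
    """Return the #0# form of a granted value for target_volume, else None.
    Assumption: the volume DN is compared case-insensitively."""
    ref = parse_ref(value)
    if ref.volume.lower() != target_volume.lower() or ref.name_space != "1":
        return None
    return format_ref(ref._replace(name_space="0"))


def ldif_attrval(attr: str, value: str) -> str:
    """RFC 2849 attrval-spec: base64 any value that is not a SAFE-STRING (the path
    XML contains line breaks, so it always takes the '::' form)."""
    data = value.encode("utf-8")
    safe = all(0x20 <= b < 0x7F for b in data) and data[:1] not in (b" ", b":", b"<")
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(data).decode('ascii')}"


def build_ldif(users: dict[str, list[str]], target_volume: str) -> str:
    """One changetype: modify record per user holding a granted value for the target;
    each such value is deleted exactly as stored and re-added with nameSpace 0."""
    records = []
    for dn, values in users.items():
        changes = []
        for old in values:
            new = revoke_value(old, target_volume)
            if new is None:
                continue
            changes.append(f"delete: {ATTR}\n{ldif_attrval(ATTR, old)}\n-")
            changes.append(f"add: {ATTR}\n{ldif_attrval(ATTR, new)}\n-")
        if changes:
            records.append(f"dn: {dn}\nchangetype: modify\n" + "\n".join(changes) + "\n")
    return "\n".join(records)


# Constructed sample data: entitlement DN from the question, path XML laid out as it
# appears over LDAP (declaration, LF line breaks, trailing line break).
ENT_DN = "cn=NOVLGGLEUSER-Account,cn=Google Apps Driver,cn=IDM-Driverset,o=services"
PATH_XML = '<?xml version="1.0" encoding="UTF-8"?><ref>\n<src>UA</src>\n<id/>\n<param/>\n</ref>\n'
SAMPLE_USERS = {
    "cn=user1,ou=users,o=data": [f"{ENT_DN}#1#{PATH_XML}"],
    "cn=user2,ou=users,o=data": [
        f"{ENT_DN}#0#{PATH_XML}",  # already revoked: left alone
        f"cn=Other,cn=Google Apps Driver,cn=IDM-Driverset,o=services#1#{PATH_XML}",  # other entitlement
    ],
}

if __name__ == "__main__":
    print(build_ldif(SAMPLE_USERS, ENT_DN))
```

    Feed the output to ldapmodify against a test tree first. Each record is an eDirectory modify that every driver subscribing to DirXML-EntitlementRef will see, so run the batch with those drivers stopped or scoped, and keep the deleted value byte-identical to what the directory holds, otherwise the delete matches nothing.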
  • On 9/8/2017 5:52 PM, Alex McHugh wrote:
    > Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:
    >>
    >>
    >> I wrote an article on the topic but cannot recall the URL offhand.
    >> The key is to treat the path.xml node as a nodeset, and read/write it that
    >> way.
    >>
    >> Remove a structured attribute, with three components and then add it
    >> back where the values of the volume and path.xml components are XPATH
    >> selecting those values.
    >>

    >
    > Essentially,
    >
    > 1. Read out the DirXML entitlement values for the current user into a
    > variable of type nodeset.
    > 2. For-each over just those values where an XPath value test for the volume
    > component matches your desired Entitlement DN (remember it isn't going to
    > be Alfaro style DN here in policy).
    > 3a. In policy, remove attribute value - structured, with nameSpace of 1 and
    > volume of your desired Entitlement DN.
    > 3b. Clone by XPath $current-node/component[@name='path.xml'] to
    > ../modify[last()]/modify-attr[last()]/value[last()]
    >
    > Or something like that.
    >
    > 4a. In policy, add attribute value - structured, with nameSpace of 0 and
    > volume of your desired Entitlement DN.
    > 4b. Clone by XPath $current-node/component[@name='path.xml'] to
    > ../modify[last()]/modify-attr[last()]/value[last()]
    >
    > Or something like that.
    >
    >
    >
    > set the first two values via policy and the third one use clone by xpath to
    > clone from
    >

    Thanks for the responses. I'll work on implementation and see how it looks
  • Do you have any working code for removing an entitlement value?
    I just spent a day trying to get this to work without any luck.
    I am trying to build a service driver that can clean out old entitlements (and some other values) before removing drivers (to avoid getting 100K events when we delete discontinued drivers).

    Entitlement to be removed, as I read the value:

    <value timestamp="1505221035#2" type="structured">
      <component name="nameSpace">0</component>
      <component name="volume">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse</component>
      <component name="path.xml">
        <ref>
          <src>UA</src>
          <id/>
          <param/>
        </ref>
      </component>
    </value>


    Code to loop/remove values:

    <do-for-each>
      <arg-node-set>
        <token-src-attr name="DirXML-EntitlementRef"/>
      </arg-node-set>
      <arg-actions>
        <!-- pull the volume and nameSpace components of the current value into variables -->
        <do-set-local-variable name="volume" scope="policy">
          <arg-string>
            <token-xpath expression="$current-node//component[@name='volume']"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="nameSpace" scope="policy">
          <arg-string>
            <token-xpath expression="$current-node//component[@name='nameSpace']"/>
          </arg-string>
        </do-set-local-variable>
        <do-if>
          <arg-conditions>
            <or>
              <if-local-variable mode="nocase" name="volume" op="equal">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Drug-service</if-local-variable>
              <if-local-variable mode="nocase" name="volume" op="equal">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse</if-local-variable>
            </or>
          </arg-conditions>
          <arg-actions>
            <do-if>
              <arg-conditions>
                <and>
                  <if-xpath op="true">count($current-node//component[@name='path.xml'])=1</if-xpath>
                </and>
              </arg-conditions>
              <!-- value carries a path.xml component: remove by nameSpace + volume, then clone the XML in -->
              <arg-actions>
                <do-remove-src-attr-value name="DirXML-EntitlementRef">
                  <arg-value type="structured">
                    <arg-component name="nameSpace">
                      <token-local-variable name="nameSpace"/>
                    </arg-component>
                    <arg-component name="volume">
                      <token-local-variable name="volume"/>
                    </arg-component>
                  </arg-value>
                </do-remove-src-attr-value>
                <do-clone-xpath dest-expression="../modify[last()]/modify-attr[@attr-name='DirXML-EntitlementRef'][last()]/remove-value[last()]/value[last()]" src-expression="$current-node//component[@name='path.xml']"/>
              </arg-actions>
              <!-- else branch (plain path component); note the local variable "path" is never set above -->
              <arg-actions>
                <do-remove-src-attr-value name="DirXML-EntitlementRef">
                  <arg-value type="structured">
                    <arg-component name="nameSpace">
                      <token-local-variable name="nameSpace"/>
                    </arg-component>
                    <arg-component name="volume">
                      <token-local-variable name="volume"/>
                    </arg-component>
                    <arg-component name="path">
                      <token-local-variable name="path"/>
                    </arg-component>
                  </arg-value>
                </do-remove-src-attr-value>
                <do-clone-xpath dest-expression="../modify[last()]/modify-attr[@attr-name='DirXML-EntitlementRef'][last()]/remove-value[last()]/value[last()]" src-expression="$current-node//component[@name='path']"/>
              </arg-actions>
            </do-if>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
    </do-for-each>


    Result:

    [09/13/17 09:39:15.003]:PrepareDriverRemoval ST:  
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.1.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="\FELLES\BSK\RM\Users\KRIMOE" dest-entry-id="37163" event-id="extest0010#20170913073914#6#1:8425445a-8cc4-4b81-10ad-5a442584c48c">
    <modify-attr attr-name="DirXML-EntitlementRef">
    <remove-value>
    <value type="structured">
    <component name="nameSpace">0</component>
    <component name="volume">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse</component>
    <component name="path.xml">
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    </component>
    </value>
    </remove-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [09/13/17 09:39:15.005]:PrepareDriverRemoval ST: Pumping XDS to eDirectory.
    [09/13/17 09:39:15.005]:PrepareDriverRemoval ST: Performing operation modify for \FELLES\BSK\RM\Users\KRIMOE.
    [09/13/17 09:39:15.006]:PrepareDriverRemoval ST: --JCLNT-- \FELLES\System\IDM\MediumDriverSet\PrepareDriverRemoval : Duplicating : context = 330170538, tempContext = 330170531
    [09/13/17 09:39:15.007]:PrepareDriverRemoval ST: Modifying entry \FELLES\BSK\RM\Users\KRIMOE.
    [09/13/17 09:39:15.011]:PrepareDriverRemoval ST: --JCLNT-- \FELLES\System\IDM\MediumDriverSet\PrepareDriverRemoval : Calling free on tempContext = 330170531
    [09/13/17 09:39:15.011]:PrepareDriverRemoval ST: Processing returned document.
    [09/13/17 09:39:15.011]:PrepareDriverRemoval ST: Processing operation <status> for .
    [09/13/17 09:39:15.012]:PrepareDriverRemoval ST:
    DirXML Log Event -------------------
    Driver: \FELLES\System\IDM\MediumDriverSet\PrepareDriverRemoval
    Channel: Subscriber
    Status: Success


    When I check my account, the entitlement has not been removed. I have tried different XML parse/serialize approaches but nothing seems to work for removal of this attribute.

    Any ideas?

    /Kristoffer
  • How were the entitlements given out?
    I would remove them the same way, either by removing the role or changing the Entitlement driver to revoke them.
  • joakim_ganse;2466209 wrote:
    How were the entitlements given out?
    I would remove them the same way, either by removing the role or changing the Entitlement driver to revoke them.


    The entitlements have been revoked with the RR driver (#0#).
    I want to completely remove the entitlement values before deleting the driver holding them (to control how many events my eDirectory receives).


    /Kristoffer
  • joakim ganse wrote:

    >
    > How were the entitlements given out?
    > I would remove them the same way, either by removing the role or
    > changing the Entitlement driver to revoke them.


    That is generally the best advice. For example, if migrating from one
    entitlement granting agent to another, it might be better to stop the drivers that
    subscribe to DirXML-EntitlementRef and then configure the agents to revoke and
    re-grant as required.

    However, there are some cases where one must absolutely manipulate entitlements
    directly. It is officially not supported and can be a minefield, but is
    definitely possible.

    --
    If you find this post helpful, and are viewing this using the web, please show
    your appreciation by clicking on the star below
  • Agree, and I have revoked the entitlements the official way. The driver holding the entitlements is right now disabled and just waiting for deletion.

    But I want to control the flow when we want to delete drivers no longer needed.
    If I just delete the driver I might see 100K events (and more if I delete the resources at the same time, because of nrfResourceHistory).

    Stopping around 50 drivers or more will take some time.

    So my idea was to build a driver where I can synchronize a couple of thousand objects at a time, and it will remove values no longer needed because the entitlements/resources are up for deletion.

    /Kristoffer
  • kristoffer wrote:

    >
    > Agree, and I have revoked the entitlements the official way. The driver
    > holding the entitlements is right now disabled and just waiting for
    > deletion.
    >


    Ok, so you want to clean up in batches before deleting the actual driver.

    > If I just delete the driver I might see 100K events. (and more if I
    > delete the resources at the same time because of nrfResourceHistory)
    >


    Events at eDir level? Or in the other drivers that subscribe to
    DirXML-EntitlementRef changes?
    I have a generic scoping sub-etp policy in each of my drivers to strip and veto
    DirXML-EntitlementRef changes that relate to other drivers - this minimises
    time spent by drivers reacting to unnecessary events (and solved some race
    conditions I saw in one environment).

    > Stopping around 50 drivers or more will take some time.


    Stopping them takes no time at all (From Designer or iManager - you can stop
    all drivers at once), you could likely also script cache manipulation (set
    driver to disabled) via dxcmd.

    >
    > So my idea was to build a driver where I can synchronize a couple of
    > thousand objects at a time, and it will remove values no longer needed
    > because the entitlements/resources are up for deletion.


    That should be easy enough to write. (simpler than updating entitlements at
    least).

    Here is how I would solve this (taking advantage of some XPath trickery to
    avoid the need for a for-each loop entirely)

    <!-- all current entitlement values as a node set -->
    <do-set-local-variable name="nsCurrentEntitlements" notrace="true" scope="policy">
      <arg-node-set>
        <token-src-attr name="DirXML-EntitlementRef" notrace="true"/>
      </arg-node-set>
    </do-set-local-variable>
    <do-set-local-variable name="strTargetEntitlement" scope="policy">
      <arg-string>
        <token-text xml:space="preserve">servicesContainer\driverSet\myDriver\myEntitlementName</token-text>
      </arg-string>
    </do-set-local-variable>
    <!-- XPath predicates select the revoked (nameSpace 0) values of the target entitlement -->
    <do-set-local-variable name="nsRemovedEntitlements" scope="policy">
      <arg-node-set>
        <token-xpath expression="$nsCurrentEntitlements[component[@name='volume']=$strTargetEntitlement][component[@name='nameSpace']='0']"/>
      </arg-node-set>
    </do-set-local-variable>
    <!-- emit a remove-value with a placeholder, clone the selected values into it, then strip the placeholder -->
    <do-remove-src-attr-value name="DirXML-EntitlementRef">
      <arg-value type="string">
        <token-text xml:space="preserve">dummy</token-text>
      </arg-value>
    </do-remove-src-attr-value>
    <do-clone-xpath dest-expression="../modify[last()]/modify-attr[@attr-name='DirXML-EntitlementRef'][last()]/remove-value[last()]" src-expression="$nsRemovedEntitlements"/>
    <do-strip-xpath expression="../modify[last()]/modify-attr[@attr-name='DirXML-EntitlementRef'][last()]/remove-value[last()]/value[.='dummy']"/>


    --
    If you find this post helpful, and are viewing this using the web, please show
    your appreciation by clicking on the star below
  • alexmchugh;2466306 wrote:


    Here is how I would solve this (taking advantage of some XPath trickery to
    avoid the need for a for-each loop entirely)


    Still no luck. It seems that this part of the entitlement is causing the trouble: <?xml version="1.0" encoding="UTF-8"?>
    It seems to be ignored by the policies/XPath. I can make it work if I write/delete entitlements without this XML header part. It seems the header is included automatically on all my entitlements.


    This is the complete entitlement from Apache Studio:
    cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>

    I can remove the value with a UserApplication WF that loops over / deletes entitlement values, but I am still looking to do it directly from a driver. Any more ideas?

    /Kristoffer
  • kristoffer wrote:

    > Any more ideas ?


    posting your code and a trace could be helpful...

    --
    http://www.is4it.de/en/solution/identity-access-management/

    (If you find this post helpful, please click on the star below.)
  • Already done earlier in the thread. This new code example looks exactly the same in the trace when the attribute should be removed.

    /Kristoffer
  • kristoffer wrote:

    > Already done earlier in the thread. This new code example looks exactly
    > the same in the trace when the attribute should be removed.


    Sorry, I'm using almost exclusively the NNTP interface and that's missing the
    first two posts in this thread (probably due to a server issue last week). I
    should've become suspicious since this thread starts with a subject line
    beginning with "Re:..." when viewed via NNTP.

    Back to topic: the path component of DirXML-EntitlementRef is XML text, not an
    XML node. Instead of

    <do-clone-xpath dest-expression="../modify[last()]/modify-attr[@attr-name='DirXML-EntitlementRef'][last()]/remove-value[last()]/value[last()]" src-expression="$current-node//component[@name='path.xml']"/>

    you need to serialize the XML you want to write into the path(.xml) component,
    as in:

    <do-remove-src-attr-value name="DirXML-EntitlementRef">
      <arg-value type="structured">
        <arg-component name="nameSpace">
          <token-local-variable name="nameSpace"/>
        </arg-component>
        <arg-component name="volume">
          <token-local-variable name="volume"/>
        </arg-component>
        <arg-component name="path">
          <!-- serialize the selected node into XML text for the path component -->
          <token-xml-serialize>
            <token-xpath expression="$current-node//component[@name='path']"/>
          </token-xml-serialize>
        </arg-component>
      </arg-value>
    </do-remove-src-attr-value>

    --
    http://www.is4it.de/en/solution/identity-access-management/

    (If you find this post helpful, please click on the star below.)
  • Still no luck.

    Entitlement instance being looped:

    <value timestamp="1505221035#2" type="structured">
      <component name="nameSpace">0</component>
      <component name="volume">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse</component>
      <component name="path.xml">
        <ref>
          <src>UA</src>
          <id/>
          <param/>
        </ref>
      </component>
    </value>



    I had to change your code to take the component part: path.xml/ref.


    [09/19/17 14:22:14.437]:PrepareDriverRemoval ST:            Evaluating conditions.
    [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: (if-local-variable 'volume' equal "\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Drug-service") = FALSE.
    [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: (if-local-variable 'volume' equal "\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse") = TRUE.
    [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: Performing if actions.
    [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: Action: do-if().
    [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: Evaluating conditions.
    [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: (if-xpath true "count($current-node//component[@name='path.xml'])=1") = TRUE.
    [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: Performing if actions.
    [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: Action: do-remove-src-attr-value("DirXML-EntitlementRef",{nameSpace=token-local-variable("nameSpace"),volume=token-local-variable("volume"),path=token-xml-serialize(token-xpath("$current-node//component[@name='path.xml']/ref"))}).
    [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: arg-string({nameSpace=token-local-variable("nameSpace"),volume=token-local-variable("volume"),path=token-xml-serialize(token-xpath("$current-node//component[@name='path.xml']/ref"))})
    [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: arg-component("nameSpace",token-local-variable("nameSpace"))
    [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: token-local-variable("nameSpace")
    [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: Token Value: "0".
    [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: Arg Value: "0".
    [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: arg-component("volume",token-local-variable("volume"))
    [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: token-local-variable("volume")
    [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: Token Value: "\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse".
    [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: Arg Value: "\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse".
    [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: arg-component("path",token-xml-serialize(token-xpath("$current-node//component[@name='path.xml']/ref")))
    [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: token-xml-serialize(token-xpath("$current-node//component[@name='path.xml']/ref"))
    [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: token-xml-serialize(token-xpath("$current-node//component[@name='path.xml']/ref"))
    [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: token-xpath("$current-node//component[@name='path.xml']/ref")
    [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: Token Value: {<ref>}.
    [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: Arg Value: {<ref>}.
    [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: Token Value: "<ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>".
    [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: Arg Value: "<ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>".
    [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: Direct command from policy
    [09/19/17 14:22:14.440]:PrepareDriverRemoval ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.1.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="\FELLES\BSK\RM\Users\KRIMOE" dest-entry-id="37163" event-id="extest0010#20170919122214#6#1:f27ecd87-b7d6-4da1-619c-87cd7ef2d6b7">
    <modify-attr attr-name="DirXML-EntitlementRef">
    <remove-value>
    <value type="structured">
    <component name="nameSpace">0</component>
    <component name="volume">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse</component>
    <component name="path"><ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref></component>
    </value>
    </remove-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [09/19/17 14:22:14.440]:PrepareDriverRemoval ST: Pumping XDS to eDirectory.
    [09/19/17 14:22:14.440]:PrepareDriverRemoval ST: Performing operation modify for \FELLES\BSK\RM\Users\KRIMOE.
    [09/19/17 14:22:14.441]:PrepareDriverRemoval ST: --JCLNT-- \FELLES\System\IDM\MediumDriverSet\PrepareDriverRemoval : Duplicating : context = 330170484, tempContext = 330170435
    [09/19/17 14:22:14.441]:PrepareDriverRemoval ST: Modifying entry \FELLES\BSK\RM\Users\KRIMOE.
    [09/19/17 14:22:14.445]:PrepareDriverRemoval ST: --JCLNT-- \FELLES\System\IDM\MediumDriverSet\PrepareDriverRemoval : Calling free on tempContext = 330170435
    [09/19/17 14:22:14.446]:PrepareDriverRemoval ST: Processing returned document.
    [09/19/17 14:22:14.446]:PrepareDriverRemoval ST: Processing operation <status> for .
    [09/19/17 14:22:14.446]:PrepareDriverRemoval ST:
    DirXML Log Event -------------------
    Driver: \FELLES\System\IDM\MediumDriverSet\PrepareDriverRemoval
    Channel: Subscriber
    Status: Success


    Still can't see if we should have the XML header <?xml version="1.0" encoding="UTF-8"?> somewhere in the code.


    /Kristoffer
  • On 19.09.2017 14:44, kristoffer wrote:
    >
    > Still no luck.
    >
    > Entitlement instance being looped:
    >
    >
    > Code:
    > --------------------
    > <value timestamp="1505221035#2" type="structured">
    > <component name="nameSpace">0</component>
    > <component name="volume">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse</component>
    > <component name="path.xml">
    > <ref>
    > <src>UA</src>
    > <id/>
    > <param/>
    > </ref>
    > </component>
    > </value>
    > --------------------
    >
    >
    >
    > I had to change your code to take the component part: path.xml/ref.
    >
    >
    >
    > Code:
    > --------------------
    > [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: Evaluating conditions.
    > [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: (if-local-variable 'volume' equal "\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Drug-service") = FALSE.
    > [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: (if-local-variable 'volume' equal "\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse") = TRUE.
    > [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: Performing if actions.
    > [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: Action: do-if().
    > [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: Evaluating conditions.
    > [09/19/17 14:22:14.437]:PrepareDriverRemoval ST: (if-xpath true "count($current-node//component[@name='path.xml'])=1") = TRUE.
    > [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: Performing if actions.
    > [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: Action: do-remove-src-attr-value("DirXML-EntitlementRef",{nameSpace=token-local-variable("nameSpace"),volume=token-local-variable("volume"),path=token-xml-serialize(token-xpath("$current-node//component[@name='path.xml']/ref"))}).
    > [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: arg-string({nameSpace=token-local-variable("nameSpace"),volume=token-local-variable("volume"),path=token-xml-serialize(token-xpath("$current-node//component[@name='path.xml']/ref"))})
    > [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: arg-component("nameSpace",token-local-variable("nameSpace"))
    > [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: token-local-variable("nameSpace")
    > [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: Token Value: "0".
    > [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: Arg Value: "0".
    > [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: arg-component("volume",token-local-variable("volume"))
    > [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: token-local-variable("volume")
    > [09/19/17 14:22:14.438]:PrepareDriverRemoval ST: Token Value: "\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse".
    > [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: Arg Value: "\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse".
    > [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: arg-component("path",token-xml-serialize(token-xpath("$current-node//component[@name='path.xml']/ref")))
    > [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: token-xml-serialize(token-xpath("$current-node//component[@name='path.xml']/ref"))
    > [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: token-xml-serialize(token-xpath("$current-node//component[@name='path.xml']/ref"))
    > [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: token-xpath("$current-node//component[@name='path.xml']/ref")
    > [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: Token Value: {<ref>}.
    > [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: Arg Value: {<ref>}.
    > [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: Token Value: "<ref>
    > <src>UA</src>
    > <id/>
    > <param/>
    > </ref>".
    > [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: Arg Value: "<ref>
    > <src>UA</src>
    > <id/>
    > <param/>
    > </ref>".
    > [09/19/17 14:22:14.439]:PrepareDriverRemoval ST: Direct command from policy
    > [09/19/17 14:22:14.440]:PrepareDriverRemoval ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Advanced" version="4.6.1.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <modify class-name="User" dest-dn="\FELLES\BSK\RM\Users\KRIMOE" dest-entry-id="37163" event-id="extest0010#20170919122214#6#1:f27ecd87-b7d6-4da1-619c-87cd7ef2d6b7">
    > <modify-attr attr-name="DirXML-EntitlementRef">
    > <remove-value>
    > <value type="structured">
    > <component name="nameSpace">0</component>
    > <component name="volume">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse</component>
    > <component name="path"><ref>
    > <src>UA</src>
    > <id/>
    > <param/>
    > </ref></component>
    > </value>
    > </remove-value>
    > </modify-attr>
    > </modify>
    > </input>
    > </nds>
    > [09/19/17 14:22:14.440]:PrepareDriverRemoval ST: Pumping XDS to eDirectory.
    > [09/19/17 14:22:14.440]:PrepareDriverRemoval ST: Performing operation modify for \FELLES\BSK\RM\Users\KRIMOE.
    > [09/19/17 14:22:14.441]:PrepareDriverRemoval ST: --JCLNT-- \FELLES\System\IDM\MediumDriverSet\PrepareDriverRemoval : Duplicating : context = 330170484, tempContext = 330170435
    > [09/19/17 14:22:14.441]:PrepareDriverRemoval ST: Modifying entry \FELLES\BSK\RM\Users\KRIMOE.
    > [09/19/17 14:22:14.445]:PrepareDriverRemoval ST: --JCLNT-- \FELLES\System\IDM\MediumDriverSet\PrepareDriverRemoval : Calling free on tempContext = 330170435
    > [09/19/17 14:22:14.446]:PrepareDriverRemoval ST: Processing returned document.
    > [09/19/17 14:22:14.446]:PrepareDriverRemoval ST: Processing operation <status> for .
    > [09/19/17 14:22:14.446]:PrepareDriverRemoval ST:
    > DirXML Log Event -------------------
    > Driver: \FELLES\System\IDM\MediumDriverSet\PrepareDriverRemoval
    > Channel: Subscriber
    > Status: Success
    > --------------------
    >
    >
    > Still can't see if we should have the XML header <?xml version="1.0"
    > encoding="UTF-8"?> somewhere in the code.


    The value being removed must match the stored one exactly, i.e. byte by
    byte. Is the output from token-xml-serialize the same as you see it in
    Apache Directory Studio? Including things like trailing whitespace and line
    breaks. Those do not have any significance in XML and might be removed
    when the XML is parsed in the first place.


    --
    Norbert
  • Norbert Klasen wrote:

    > The value being removed must match the stored one exactly, ie. byte by
    > byte.... Including things like trailing whitespace, line
    > breaks.


    That seems to nail it. At least a quick look in one of my systems shows a
    trailing line break that is missing here:

    > > <component name="path"><ref> <src>UA</src>
    > > <id/>
    > > <param/>
    > > </ref></component>


    You might also check if the line break has to be LF or CRLF, since IDM uses the
    system default setting, which differs between Windows and Linux hosts.

    --
    http://www.is4it.de/en/solution/identity-access-management/

    (If you find this post helpful, please click on the star below.)
  • Lothar Haeger wrote:

    > a quick look in one of my systems shows a
    > trailing line break is missing


    And the <?xml version="1.0" encoding="UTF-8"?> part is also missing, it seems.

    Here's what I see via LDAP in my system:

    "cn=Entitlement,cn=Driver,cn=DriverSet,o=system#1#<?xml version="1.0"
    encoding="UTF-8"?><ref>
    <src>UA</src>
    <id/>
    <param>{"ID":"9999"}</param>
    </ref>
    "

    --
    http://www.is4it.de/en/solution/identity-access-management/

    (If you find this post helpful, please click on the star below.)
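    An added diagnostic, not code from the thread or from NetIQ, for the byte-for-byte match Norbert describes and the missing declaration and trailing line break Lothar points out above: it splits a Path-syntax value into volume, nameSpace and path, names the usual differences between the value a policy builds and the value the directory stores, and rebuilds the path in the stored layout. The stored layout (declaration directly followed by <ref>, LF line breaks, exactly one trailing line break) is modelled on Lothar's LDAP view above and is an assumption to verify against your own directory; the sample values are constructed.

```python
"""Diagnose why a remove-value for DirXML-EntitlementRef matched nothing: the candidate
must equal the stored Path-syntax value byte for byte. Sample values are constructed."""
from __future__ import annotations

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>'

# Constructed: the stored value as an LDAP browser shows it (volume#nameSpace#path);
# assumed layout: declaration directly followed by <ref>, LF line breaks, one trailing break.
STORED_VALUE = (
    "cn=Entitlement,cn=Driver,cn=DriverSet,o=system#1#"
    + XML_DECL
    + '<ref>\n<src>UA</src>\n<id/>\n<param>{"ID":"9999"}</param>\n</ref>\n'
)
# Constructed: what serializing only the <ref> element yields (no declaration, no trailing break).
CANDIDATE_VALUE = (
    "cn=Entitlement,cn=Driver,cn=DriverSet,o=system#1#"
    '<ref>\n<src>UA</src>\n<id/>\n<param>{"ID":"9999"}</param>\n</ref>'
)


def split_value(value: str) -> tuple[str, str, str]:
    """(volume, nameSpace, path); the path may contain '#', so split at most twice."""
    volume, name_space, path = value.split("#", 2)
    return volume, name_space, path


def first_difference(a: bytes, b: bytes) -> int | None:
    """Offset of the first differing byte, or None when a and b are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def value_matches(stored: str, candidate: str) -> bool:
    """The directory only removes a value that equals the stored one byte for byte."""
    return stored.encode("utf-8") == candidate.encode("utf-8")


def explain_mismatch(stored: str, candidate: str) -> list[str]:
    """Name the usual reasons the remove silently does nothing (empty list = exact match)."""
    findings: list[str] = []
    s_vol, s_ns, s_path = split_value(stored)
    c_vol, c_ns, c_path = split_value(candidate)
    if s_vol != c_vol:
        findings.append("volume differs (DN form or case)")
    if s_ns != c_ns:
        findings.append(f"nameSpace differs: stored {s_ns!r}, candidate {c_ns!r}")
    if s_path.startswith("<?xml") and not c_path.startswith("<?xml"):
        findings.append("candidate path lacks the XML declaration")
    if s_path.endswith("\n") and not c_path.endswith("\n"):
        findings.append("candidate path lacks the trailing line break")
    if ("\r\n" in s_path) != ("\r\n" in c_path):
        findings.append("line-break style differs (LF vs CRLF)")
    offset = first_difference(stored.encode("utf-8"), candidate.encode("utf-8"))
    if offset is not None:
        findings.append(f"first differing byte at offset {offset}")
    return findings


def rebuild_path(ref_xml: str, declaration: bool = True, newline: str = "\n") -> str:
    """Lay the <ref> text out the way the stored value has it (assumed layout above):
    optional declaration, one line-break style, exactly one trailing line break."""
    body = ref_xml.replace("\r\n", "\n").rstrip("\n")
    if body.startswith("<?xml"):
        body = body[body.index("?>") + 2 :]
    return (XML_DECL if declaration else "") + body.replace("\n", newline) + newline


def rebuild_value(candidate: str, declaration: bool = True, newline: str = "\n") -> str:
    """Same volume and nameSpace, path rebuilt in the stored layout."""
    volume, name_space, path = split_value(candidate)
    return f"{volume}#{name_space}#{rebuild_path(path, declaration, newline)}"


if __name__ == "__main__":
    for finding in explain_mismatch(STORED_VALUE, CANDIDATE_VALUE):
        print("-", finding)
    print("rebuilt matches stored:", value_matches(STORED_VALUE, rebuild_value(CANDIDATE_VALUE)))
```

    Run it with the Token Value from a trace as the candidate and the LDAP browser's value as the stored one: a remove that reports Status: Success yet leaves the value in place is what an inexact match looks like, and this tells you which byte is off before you change the policy. The newline argument covers the LF versus CRLF question, since the engine uses the host's line-ending default.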
  • Lothar Haeger <lothar.haeger@is4it.de> wrote:
    > kristoffer wrote:
    >
    >> Already done earlier in the thread. This new code example looks exactly
    >> the same in the trace when the attribute should be removed.

    >
    > Sorry, I'm using almost exclusively the NNTP interface and that's missing the
    > first two post in this thread (probably due to a server issue last week). I
    > should've become suspicious when since this thread starts with a subject line
    > beginning with "Re:..." when viewed via NNTP.
    >
    > Back to topic: the path component of DirXML-EntitlementRef is XML text not an
    > XML node.


    I seem to recall Shon saying it wasn't pure-text, that you had to use clone
    as it is a separate embedded XML document.

    That was distinction between path and path.xml as component name.

    Regardless. I strongly suspect that the representation of this path.xml in
    the engine differs in a subtle way from how it looks via LDAP.




  • Alex McHugh wrote:

    > I seem to recall Shon saying it wasn't pure-text, that you had to use clone
    > as it is a separate embedded XML document.
    >
    > That was distinction between path and path.xml as component name.


    That would make sense and explain the ".xml" suffix. It seems both ways work,
    either XML text with a "path" component or XML nodes as children of a
    "path.xml" component.

    Here's what I could dig up for reference:

    Father Ramon wrote in 2007:

    > You're making it way harder than it is.
    >
    > <do-add-src-attr-value name="DirXML-EntitlementRef">
    >   <arg-dn>
    >     <token-text>KAHVAKEHITYS\Kahva\System\IAM\KahvaDriverSet\Entitlement Policies\</token-text>
    >     <token-src-name/>
    >   </arg-dn>
    >   <arg-value type="structured">
    >     <arg-component name="nameSpace">
    >       <token-text>0</token-text>
    >     </arg-component>
    >     <arg-component name="volume">
    >       <token-text>\KAHVAKEHITYS\Kahva\System\IAM\KahvaDriverSet\GroupEntitlementLoopback\Groups</token-text>
    >     </arg-component>
    >     <!-- "path" (not "path.xml") takes the XML as a string, so the markup is escaped -->
    >     <arg-component name="path">
    >       <token-text>&lt;ref&gt;&lt;param&gt;\KAHVAKEHITYS\Kahva\City\Groups\SAPOrgGroups\</token-text>
    >       <token-src-name/>
    >       <token-text>&lt;/param&gt;&lt;/ref&gt;</token-text>
    >     </arg-component>
    >   </arg-value>
    > </do-add-src-attr-value>


    In 2008:

    > Your primary problem is that your test input data doesn't have the correct
    > format for an entitlement ref. The volume component should have the DN of the
    > entitlement, the nameSpace should be 1 for granted or 0 for revoked, and the
    > path should actually be path.xml and contain XML. Something like:
    >
    > <value type="structured">
    >   <component name="volume">\[ROOT]\discorp\config\DISCORP-Driver Sets\Active Directory\UserAccount</component>
    >   <component name="nameSpace">1</component>
    >   <component name="path.xml"><ref><src>RBE</src><id>xxxxxxxxxxxxxxx</id></ref></component>
    > </value>


    And in 2009:

    > > Use path instead of path.xml and you can put it in as string using
    > > token-text. If you value is dynamic (i.e. coming from an existing
    > > value), you can use token-xml-serialize to get the string form.

    >
    > Though I should also add that you really shouldn't be messing around
    > with that particular attribute - there are strict undocumented
    > protocols to be followed for updating them and if you don't adhere to
    > them you'll cause yourself problems and no-one at Novell is going to be
    > able to support you on it.



  • On 9/19/2017 12:28 PM, Lothar Haeger wrote:
    > Alex McHugh wrote:
    >
    >> I seem to recall Shon saying it wasn't pure-text, that you had to use clone
    >> as it is a separate embedded XML document.
    >>
    >> That was the distinction between path and path.xml as component name.

    >
    > That would make sense and explain the ".xml" suffix. It seems both ways work,
    > either XML text with a "path" component or XML nodes as children of a
    > "path.xml" component.


    It needs to be treated as XML nodeset, else whitespace matters in the
    removal.

    If you send non-valid XML you get a distinctive error that I wish I had
    saved.
  • Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:
    > On 9/19/2017 12:28 PM, Lothar Haeger wrote:
    >> Alex McHugh wrote:
    >>

    > It needs to be treated as XML nodeset, else whitespace matters in the
    > removal.
    >


    All of which is why I thought cloning was best option when removing an
    existing value.




  • On 9/19/2017 2:20 PM, Alex McHugh wrote:
    > Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:
    >> On 9/19/2017 12:28 PM, Lothar Haeger wrote:
    >>> Alex McHugh wrote:
    >>>

    >> It needs to be treated as XML nodeset, else whitespace matters in the
    >> removal.
    >>

    >
    > All of which is why I thought cloning was best option when removing an
    > existing value.


    What I do is, in the Remove Attr value, Structured, path.xml component,
    you reference it by XPATH...

    $current-node/component[@name='path.xml']

    Assuming you loop over values of DirXML-EntitlementRef.
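    Putting the approach from the posts above together, here is an added example rule (not code from this thread, from NetIQ, or from any driver package): it loops over the DirXML-EntitlementRef values, removes each granted (#1#) value for the NOVLGGLEUSER-Account entitlement by referencing its components via XPath, and adds the same value back with nameSpace 0. It assumes the volume component's DN contains the string "NOVLGGLEUSER-Account" and that the rule is triggered per user (for example by a migrate or a synthetic add); both are assumptions, not something the thread states.

```xml
<rule>
  <actions>
    <!-- $current-node is one structured <value> of the attribute on each pass -->
    <do-for-each>
      <arg-node-set>
        <token-src-attr name="DirXML-EntitlementRef"/>
      </arg-node-set>
      <arg-actions>
        <do-if>
          <arg-conditions>
            <and>
              <!-- only granted (#1#) values of the Google Apps account entitlement; the substring match is an assumption -->
              <if-xpath op="true">$current-node/component[@name='nameSpace'] = '1' and contains($current-node/component[@name='volume'], 'NOVLGGLEUSER-Account')</if-xpath>
            </and>
          </arg-conditions>
          <arg-actions>
            <!-- Remove the existing value; path.xml is passed as nodes (a clone of the <ref> element), not as text -->
            <do-remove-src-attr-value name="DirXML-EntitlementRef">
              <arg-value type="structured">
                <arg-component name="nameSpace">
                  <token-xpath expression="$current-node/component[@name='nameSpace']"/>
                </arg-component>
                <arg-component name="volume">
                  <token-xpath expression="$current-node/component[@name='volume']"/>
                </arg-component>
                <arg-component name="path.xml">
                  <token-xpath expression="$current-node/component[@name='path.xml']/*"/>
                </arg-component>
              </arg-value>
            </do-remove-src-attr-value>
            <!-- Add it back unchanged except for nameSpace 0 (revoked) -->
            <do-add-src-attr-value name="DirXML-EntitlementRef">
              <arg-value type="structured">
                <arg-component name="nameSpace">
                  <token-text>0</token-text>
                </arg-component>
                <arg-component name="volume">
                  <token-xpath expression="$current-node/component[@name='volume']"/>
                </arg-component>
                <arg-component name="path.xml">
                  <token-xpath expression="$current-node/component[@name='path.xml']/*"/>
                </arg-component>
              </arg-value>
            </do-add-src-attr-value>
          </arg-actions>
        </do-if>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
```

    Test it on a single user in trace level 3 first: if the remove is built from text instead of nodes, whitespace differences mean the old value is not matched and the user ends up with both a #1# and a #0# value.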