Entitlements not being removed

I know this is "Not Supported" but this goes back a long way when Novell first set things up on site.  I am just looking for some items to try, if anyone has anything.  

Situation: We use style sheets to remove entitlements if they are no longer needed or maybe an employeeType changes. What is happening: when the user comes through, the style sheet is triggered and we see the <remove-value>. See below.

This is the confusing part: we have several drivers that do this for whatever reason, but we have a handful of drivers where the event comes through, it looks perfect, and the entitlement is still there. The ones that are not working and the ones that ARE working look identical in the DIRXML, so I am pretty much dumbfounded. I was guessing it might be a setting but all seem to be identical.

Things we have tried:

1.  Took a style sheet we knew worked and replaced the one that did not work.

2.  Compared driver versions, GCVs, Engine control values: all the same.

3.  Made sure the drivers had the same permissions.

Any suggestions would be greatly appreciated.  

[08/03/21 05:41:39.018]:ADDriver ST: %13Cxsl:message -> NOTE: Removing Account Entitlement on Employee Type Change
[08/03/21 05:41:39.019]:ADDriver ST: Direct command from policy
[08/03/21 05:41:39.019]:ADDriver ST:
<nds dtdversion="4.0" ndsversion="8.x">
<input>
<modify class-name="user" dest-dn="\TREE\ZZZ\Vault\Internal\People\X99999">
<modify-attr attr-name="DirXML-EntitlementRef">
<remove-value>
<value type="structured">
<component name="nameSpace">1</component>
<component name="volume">\TREE\ZZZ\ZZZDriverSet\ADDriver\Account</component>
<component name="path.xml">
<ref>
<id>GrantedByr</id>
<param>Domain</param>
</ref>
</component>
</value>
</remove-value>
</modify-attr>
</modify>
</input>
</nds>
[08/03/21 05:41:39.021]:ADDriver ST: Pumping XDS to eDirectory.
[08/03/21 05:41:39.021]:ADDriver ST: Performing operation modify for \TREE\ZZZ\Vault\Internal\People\X99999.
[08/03/21 05:41:39.022]:ADDriver ST: --JCLNT-- \TREE\ZZZ\Services\ZZZDriverSet\ADDriver : Duplicating : context = 1448018056, tempContext = 1448018116
[08/03/21 05:41:39.023]:ADDriver ST: Modifying entry \TREE\ZZZ\Vault\People\X99999.
[08/03/21 05:41:39.040]:ADDriver ST: --JCLNT-- \TREE\ZZZ\\ZZZDriverSet\ADDriver : Calling free on tempContext = 1448018116
[08/03/21 05:41:39.040]:ADDriver ST: Processing returned document.
[08/03/21 05:41:39.041]:ADDriver ST: Processing operation <status> for .
[08/03/21 05:41:39.041]:ADDriver ST:
DirXML Log Event -------------------
Driver: \TREE\ZZZ\Services\ZZZDriverSet\ADDriver
Channel: Subscriber
Status: Success
[08/03/21 05:41:39.041]:ADDriver ST: Direct command from policy result
[08/03/21 05:41:39.042]:ADDriver ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.8.2.1">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="0" level="success"><application>DirXML</application>
<module>ADDriver</module>
<object-dn></object-dn>
<component>Subscriber</component>
</status>
</output>
</nds>
[08/03/21 05:41:39.043]:ADDriver ST: %13Cxsl:message -> DirXMLNetIQ CorporationADDriverSubscriber
[08/03/21 05:41:39.043]:ADDriver ST:Policy returned:
[08/03/21 05:41:39.044]:ADDriver ST:

  • Hi,

    You talk about 'entitlements' but the snippet shows a DirXML-EntitlementRef, which is not what I normally think of when I think of Entitlements; then I think of DirXML-Entitlements.

    Was this initially configured with the Entitlement Service Driver (pre. 4.0) ?

    I guess you expect that when the EntitlementRef is removed then the corresponding DirXML-Entitlements is also removed ?

    Casper

  • Probably two separate issues.

    1) I think it was Casper or Norbert who finally explained to me, that simply removing the DirXML-EntitlementRef attribute does not count as a revoke.  You have to remove the current value and add the value with a nameSpace of 0, instead of 1.  This actually counts as a Removed Entitlement, if your driver reacts to Entitlements.

    2) The remove value has to be exactly correct.  In policy, I find it easiest to loop over the values, decide this is the proper value and then generate the Remove Source Attr, using the XPATH to select the value of the node.  Whitespace sort of matters as well, which makes it hard sometimes to remove a value by recreating the values.

    This part, the component[@name='path.xml'] needs to be exactly correct.

    Now your XML is very simple:

    <ref>
    <id>GrantedByr</id>
    <param>Domain</param>
    </ref>

    But it needs to be pretty close to perfect.

    You are exactly correct, it has to be perfect and match exactly.  What is posted is heavily redacted (I have always wanted to use that word :)). Well anyway, the style sheet finds the entitlement and that is what the <remove-value> is, which is exactly what it's supposed to do, but then when it seems to "Submit" it, it dies.  It has the path of the user and the exact tree.  I can go to other drivers, they see when other entitlements are being removed, but I go look for this transaction and none of the other drivers see it.  Weird....And it shows success from the driver but no, it does not work.  I am not sure if anyone has worked with these types of style sheets but I was thinking maybe these params are held somewhere, maybe I am missing one....? I am reaching and trying just about everything that I can think of.

    <!-- parameters passed in from the DirXML engine -->
    <xsl:param name="srcQueryProcessor"/>
    <xsl:param name="destQueryProcessor"/>
    <xsl:param name="srcCommandProcessor"/>
    <xsl:param name="destCommandProcessor"/>
    <xsl:param name="dnConverter"/>
    <xsl:param name="fromNds"/>
    <!-- identity transformation template -->

    With the style sheet we do pluck the exact entitlement off of the DirXML-EntitlementRef, we do not revoke.  Just for Reference.   

    [08/03/21 05:41:39.021]:ADDriver ST: Pumping XDS to eDirectory.
    [08/03/21 05:41:39.021]:ADDriver ST: Performing operation modify for \TREE\ZZZ\Vault\Internal\People\X99999.
    [08/03/21 05:41:39.022]:ADDriver ST: --JCLNT-- \TREE\ZZZ\Services\ZZZDriverSet\ADDriver : Duplicating : context = 1448018056, tempContext = 1448018116
    [08/03/21 05:41:39.023]:ADDriver ST: Modifying entry \TREE\ZZZ\Vault\People\X99999.
    [08/03/21 05:41:39.040]:ADDriver ST: --JCLNT-- \TREE\ZZZ\\ZZZDriverSet\ADDriver : Calling free on tempContext = 1448018116
    [08/03/21 05:41:39.040]:ADDriver ST: Processing returned document.
    [08/03/21 05:41:39.041]:ADDriver ST: Processing operation <status> for .
    [08/03/21 05:41:39.041]:ADDriver ST:
    DirXML Log Event -------------------
    Driver: \TREE\ZZZ\Services\ZZZDriverSet\ADDriver
    Channel: Subscriber
    Status: Success

  • I would very closely compare the remove-value it generates between the drivers, looking for spacing differences and what not.

    Does the stylesheet read the current Entitlement to revoke, or does it generate the value based on what it should be?

  • In fact, it is slightly more subtle than simple whitespace the more I think about it.  I wrote an article about it but cannot find it since the community links are still busted. I am informed they will fix it.  It is on the list, but it has been months. Whatever.

    The component[@name="path"] and component[@name="path.xml"] are similar but also different. 

    When it is path.xml it actually has to be valid XML and a nodeset, not a string.

    In policy, if you do a loop over the values, detect your case, and then in that loop instance do a remove src attr, you can specify the value as:
    $current-node/component[@name="path.xml"]

    and it selects the proper nodeset or string, depending on what came out of eDir so it perfectly matches.  Short of this approach it is possible to goof it up pretty easily.
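
One way to do the comparison suggested in the two replies above (exact match of the remove-value, and path.xml as a nodeset rather than a string), as an added example that is not code from the thread. The sample documents are constructed: REMOVE_DOC mirrors the redacted trace in the first post, and the `instance/attr/value` shape of STORED_DOC is an assumption taken from the stylesheet's XPath.

```python
import xml.etree.ElementTree as ET

# Constructed samples. REMOVE_DOC mirrors the redacted trace in the first post;
# STORED_DOC is an assumed query result (instance/attr/value, per the stylesheet XPath).
REMOVE_DOC = r"""<nds><input><modify class-name="user">
<modify-attr attr-name="DirXML-EntitlementRef"><remove-value><value type="structured">
<component name="nameSpace">1</component>
<component name="volume">\TREE\ZZZ\ZZZDriverSet\ADDriver\Account</component>
<component name="path.xml">
<ref>
<id>GrantedByr</id>
<param>Domain</param>
</ref>
</component>
</value></remove-value></modify-attr></modify></input></nds>"""

STORED_DOC = r"""<nds><output><instance class-name="user">
<attr attr-name="DirXML-EntitlementRef"><value type="structured">
<component name="nameSpace">1</component>
<component name="volume">\TREE\ZZZ\ZZZDriverSet\ADDriver\Account</component>
<component name="path.xml"><ref><id>GrantedByr</id><param>Domain</param></ref></component>
</value></attr></instance></output></nds>"""

def components(value_el):
    """Map component name -> (kind, exact text, whitespace-stripped text)."""
    out = {}
    for comp in value_el.findall("component"):
        kind = "nodeset" if len(comp) else "string"  # child elements => real XML
        exact = (comp.text or "") + "".join(
            ET.tostring(child, encoding="unicode") for child in comp)
        out[comp.get("name")] = (kind, exact, "".join(exact.split()))
    return out

def compare_values(remove_doc, stored_doc):
    """List (component, problem) pairs where the remove-value differs from the stored value."""
    rem = components(ET.fromstring(remove_doc).find(".//remove-value/value"))
    cur = components(ET.fromstring(stored_doc).find(".//attr/value"))
    problems = []
    for name in sorted(set(rem) | set(cur)):
        if name not in rem or name not in cur:
            problems.append((name, "missing on one side"))
            continue
        (rk, rx, rn), (ck, cx, cn) = rem[name], cur[name]
        if rk != ck:
            problems.append((name, f"{rk} vs {ck}"))
        elif rn != cn:
            problems.append((name, "content differs"))
        elif rx != cx:
            problems.append((name, "whitespace differs"))
    return problems
```

Running `compare_values` on the traced remove-value from a working driver and from a failing one, each against what a query returns for the same user, shows whether the two differ in a component that a visual comparison of the trace would miss.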

  • Ok, here is the Style sheet, yes some of the values have been modified.  See below

    Geoffrey, I have your signed book right next to my desk.  I was looking through prior posts and every time I went to click on a link it was broken, very frustrating.  

    So we have taken a style sheet that we know works and just modified the values and it still did not work.  I am open to try anything...I am not sure if this helps or not.

    <?xml version="1.0" encoding="UTF-8"?>
    <xsl:stylesheet exclude-result-prefixes="query cmd dncv" version="1.0" xmlns:cmd="www.novell.com/.../com.novell.nds.dirxml.driver.XdsCommandProcessor" xmlns:dncv="www.novell.com/.../com.novell.nds.dirxml.driver.DNConverter" xmlns:query="www.novell.com/.../com.novell.nds.dirxml.driver.XdsQueryProcessor" xmlns:xsl="www.w3.org/.../Transform">
    <!-- parameters passed in from the DirXML engine -->
    <xsl:param name="srcQueryProcessor"/>
    <xsl:param name="destQueryProcessor"/>
    <xsl:param name="srcCommandProcessor"/>
    <xsl:param name="destCommandProcessor"/>
    <xsl:param name="dnConverter"/>
    <xsl:param name="fromNds"/>
    <!-- identity transformation template -->
    <!-- in the absence of any other templates this will cause -->
    <!-- the stylesheet to copy the input through unchanged to the output -->
    <xsl:template match="node()|@*">
    <xsl:copy>
    <xsl:apply-templates select="@*"/>
    <xsl:apply-templates select="node()"/>
    </xsl:copy>
    </xsl:template>
    <!-- add your custom templates here -->
    <xsl:template match="modify">
    <xsl:message>testing INTL removal</xsl:message>
    <xsl:choose>
    <xsl:when test="operation-data/RemoveINTLEnt='true'">
    <xsl:message>Remove INTLEnt=true</xsl:message>
    <xsl:variable name="userDN" select="@src-dn"/>
    <xsl:variable name="cmd">
    <query dest-dn="{@src-dn}" scope="entry">
    <read-attr attr-name="DirXML-EntitlementRef"/>
    </query>
    </xsl:variable>
    <xsl:variable name="result" select="query:query($srcQueryProcessor,$cmd)"/>
    <xsl:choose>
    <xsl:when test="$result//instance/attr[@attr-name='DirXML-EntitlementRef']">
    <xsl:for-each select="$result//instance/attr/value">
    <!--<xsl:message>note:removing INTL account entitlement</xsl:message>-->
    <xsl:choose>
    <xsl:when test="contains(component[@name='volume']/text(),'XX_XX_INTL\INTL')">
    <xsl:message>note:removing INTL account entitlement</xsl:message>
    <xsl:variable name="modcmd">
    <modify class-name="user" dest-dn="{$userDN}">
    <modify-attr attr-name="DirXML-EntitlementRef">
    <remove-value>
    <value type="structured">
    <xsl:apply-templates select="node()"/>
    </value>
    </remove-value>
    </modify-attr>
    </modify>
    </xsl:variable>
    <xsl:variable name="result1" select="cmd:execute($srcCommandProcessor, $modcmd)"/>
    <xsl:message>
    <xsl:value-of select="$result1"/>
    </xsl:message>
    </xsl:when>
    </xsl:choose>
    </xsl:for-each>
    </xsl:when>
    </xsl:choose>
    </xsl:when>
    </xsl:choose>
    <xsl:copy>
    <xsl:apply-templates select="@*|node()"/>
    </xsl:copy>
    </xsl:template>
    </xsl:stylesheet>

  • So the heart of this one is this segment in the middle.

    <xsl:when test="contains(component[@name='volume']/text(),'XX_XX_INTL\INTL')">
       <xsl:message>note:removing INTL account entitlement</xsl:message>
       <xsl:variable name="modcmd">
          <modify class-name="user" dest-dn="{$userDN}">
    	 <modify-attr attr-name="DirXML-EntitlementRef">
    	    <remove-value>
    	       <value type="structured">
    		  <xsl:apply-templates select="node()" />
    	       </value>
    	    </remove-value>
    	 </modify-attr>
          </modify>
       </xsl:variable>
       <xsl:variable name="result1" select="cmd:execute($srcCommandProcessor, $modcmd)" />
       <xsl:message>
          <xsl:value-of select="$result1" />
       </xsl:message>
    </xsl:when>

    Hmm, that code block does not look correct. Just in case, here it is in text.

    <xsl:when test="contains(component[@name='volume']/text(),'XX_XX_INTL\INTL')">
       <xsl:variable name="modcmd">
          <modify class-name="user" dest-dn="{$userDN}">
         <modify-attr attr-name="DirXML-EntitlementRef">
            <remove-value>
               <value type="structured">
              <xsl:apply-templates select="node()" />
               </value>
            </remove-value>
         </modify-attr>
          </modify>
       </xsl:variable>
       <xsl:variable name="result1" select="cmd:execute($srcCommandProcessor, $modcmd)" />
       <xsl:message>
          <xsl:value-of select="$result1" />
       </xsl:message>
    </xsl:when>

    This is inside a loop over the Query results, and in the end it copies the value node for the instance, into the value node of the remove attribute. So that is what I suggested needed doing. So that looks correct.

    Was that a working one, or a not working XSLT example?  Changes between XSLT I assume is the name of the target entitlement and the like.  What else changes?