Read createTimestamp attribute of User from Driver Policy

I am trying to read the "createTimestamp" attribute value of a User, and for this I have the policy below. I have the User DN in a local variable but am not sure how to read the attribute value directly from the user DN, which is why I am using the filter "(&(objectClass=user)(cn=tuser01))".

<do-set-local-variable name="lv-UserList" scope="policy">
	<arg-node-set>
		<token-xpath expression="es:ldapSearch($idv-host, $idv-port, $idv-admin-user, $idv-admin-pwd, $idv-search-base, $idv-search-scope, '(&amp;(objectClass=user)(cn=tuser01))', 'createTimestamp', $dtdversion, $idv-ssl-truststore-path, $lv-TrustStorePwd)"/>
	</arg-node-set>
</do-set-local-variable>
<do-for-each>
	<arg-node-set>
		<token-local-variable name="lv-UserList"/>
	</arg-node-set>
	<arg-actions>
		<do-trace-message>
			<arg-string>
				<token-xpath expression='$current-node/attr[@attr-name="createTimestamp"]/value'/>
			</arg-string>
		</do-trace-message>
	</arg-actions>
</do-for-each>

By using the above code I am getting nothing, please help me on this. I am using IDM 4.7.3.

  • 0  

    You are trying to trace the specific value, how about instead as you loop over the nodeset, trace the entirety of each user record found?

    Obviously the two options are you have bad XPATH or else you don't have the data at all.

    The LDAP Search returns a nodeset that looks like <instance> nodes I think.  So looping over that should have current-node at the instance node.  So your XPATH should be good.

    But maybe the XML you get back is a little different and your current-node is not where you think it is. You could try to loop over XPATH of $lv-UserList/instance perhaps.

  • 0 in reply to   

      I am getting the data. I have added the driver logs below, but I am not sure if that data has the "createTimestamp" attribute value or not. I am assuming we can retrieve this attribute value from LDAP Search as this is an operation attribute.

    Do we have any other way to get the value of "createTimestamp" attribute as I have the user dn, please suggest.

    [09/20/24 03:33:39.964]:IDVTOEDIR ST:      Action: do-set-local-variable("lv-UserList",scope="policy",arg-node-set(token-xpath("es:ldapSearch($idv-host, $idv-port, $idv-admin-user, $lv-AdminPwd, $idv-search-base, $idv-search-scope, $lv-SearchFilter, 'createTimestamp', $dtdversion, $idv-ssl-truststore-path, $lv-TrustStorePwd)"))).
    [09/20/24 03:33:39.964]:IDVTOEDIR ST:        arg-node-set(token-xpath("es:ldapSearch($idv-host, $idv-port, $idv-admin-user, $lv-AdminPwd, $idv-search-base, $idv-search-scope, $lv-SearchFilter, 'createTimestamp', $dtdversion, $idv-ssl-truststore-path, $lv-TrustStorePwd)"))
    [09/20/24 03:33:39.964]:IDVTOEDIR ST:          token-xpath("es:ldapSearch($idv-host, $idv-port, $idv-admin-user, $lv-AdminPwd, $idv-search-base, $idv-search-scope, $lv-SearchFilter, 'createTimestamp', $dtdversion, $idv-ssl-truststore-path, $lv-TrustStorePwd)")
    [09/20/24 03:33:39.965]:IDVTOEDIR ST:            LDAPSearch: Search Base Container: ou=Accounts,ou=TestPortal,ou=Applications,o=testlab
    [09/20/24 03:33:39.965]:IDVTOEDIR ST:            LDAPSearch: Scope: sub
    [09/20/24 03:33:39.965]:IDVTOEDIR ST:            LDAPSearch: Search Filter: (&(objectClass=user)(cn=tuser01))
    [09/20/24 03:33:39.965]:IDVTOEDIR ST:            LDAPSearch: Return Attributes: createTimestamp
    [09/20/24 03:33:39.965]:IDVTOEDIR ST:            LDAPSearch: dtdversion: 4.0
    [09/20/24 03:33:39.967]:IDVTOEDIR ST:            LDAPSearch: Inside openLdapConnection
    [09/20/24 03:33:39.967]:IDVTOEDIR ST:            LDAPSearch: Host: xx.xx.xx.xxx
    [09/20/24 03:33:39.967]:IDVTOEDIR ST:            LDAPSearch: Port: 636
    [09/20/24 03:33:39.967]:IDVTOEDIR ST:            LDAPSearch: Admin User: cn=admin,ou=sa,ou=services,o=testlab
    [09/20/24 03:33:39.967]:IDVTOEDIR ST:            LDAPSearch: SSL TrustStore Path: /opt/netiq/common/jre/lib/security/cacerts
    [09/20/24 03:33:39.968]:IDVTOEDIR ST:            LDAPSearch: New connection object declared properly.
    [09/20/24 03:33:40.013]:IDVTOEDIR ST:            LDAPSearch: LDAP bind completed successfully with credentials.
    [09/20/24 03:33:40.013]:IDVTOEDIR ST:            LDAPSearch: LDAP Search completed successfully. Starting loop through results.
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:            LDAPSearch: Closing LDAP Connection.
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:          Token Value: {<instance> @src-dn = "cn=tuser01,ou=Accounts,ou=TestPortal,ou=Applications,o=testlab"}.
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:          Arg Value: {<instance> @src-dn = "cn=tuser01,ou=Accounts,ou=TestPortal,ou=Applications,o=testlab"}.
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:      Action: do-trace-message(token-xpath("$lv-UserList/instance")).
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:        arg-string(token-xpath("$lv-UserList/instance"))
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:          token-xpath("$lv-UserList/instance")
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:            Token Value: "".
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:          Arg Value: "".
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:      Action: do-for-each(arg-node-set(token-local-variable("lv-UserList"))).
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:        arg-node-set(token-local-variable("lv-UserList"))
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:          token-local-variable("lv-UserList")
    [09/20/24 03:33:40.015]:IDVTOEDIR ST:          Token Value: {<instance> @src-dn = "cn=tuser01,ou=Accounts,ou=TestPortal,ou=Applications,o=testlab"}.
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:          Arg Value: {<instance> @src-dn = "cn=tuser01,ou=Accounts,ou=TestPortal,ou=Applications,o=testlab"}.
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:        Performing actions for local-variable(current-node) = <instance> @src-dn = "cn=tuser01,ou=Accounts,ou=TestPortal,ou=Applications,o=testlab".
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:          Action: do-trace-message(token-xpath("$current-node")).
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:            arg-string(token-xpath("$current-node"))
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:              token-xpath("$current-node")
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:                Token Value: "".
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:              Arg Value: "".
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:          Action: do-trace-message(token-xpath("$current-value")).
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:            arg-string(token-xpath("$current-value"))
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:              token-xpath("$current-value")
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:                Token Value: "".
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:              Arg Value: "".
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:
    [09/20/24 03:33:40.016]:IDVTOEDIR ST:          Action: do-trace-message(token-xpath("$current-node/attr[@attr-name="createTimestamp"]/value")).
    [09/20/24 03:33:40.017]:IDVTOEDIR ST:            arg-string(token-xpath("$current-node/attr[@attr-name="createTimestamp"]/value"))
    [09/20/24 03:33:40.017]:IDVTOEDIR ST:              token-xpath("$current-node/attr[@attr-name="createTimestamp"]/value")
    [09/20/24 03:33:40.017]:IDVTOEDIR ST:                Token Value: "".
    [09/20/24 03:33:40.017]:IDVTOEDIR ST:              Arg Value: "".
    

    I tried $lv-UserList/instance also outside the loop but did not get anything. I also tried current-node, current-value but did not get anything.

  • 0   in reply to 

    Ok, so this trace is helpful...  The response contains this, per your trace:

    Token Value: {<instance> @src-dn = "cn=tuser01,ou=Accounts,ou=TestPortal,ou=Applications,o=testlab"}

    That means it has just an <instance> node.  That has no text() element so tracing it out as a string is an empty string.

    Use XML Serialize on top of the local variable lv-UserList and you will see the XML inside.

    current-value was a good idea, but it is only used inside the Reformat Op Attr and does nothing here.

    Since we know it only returns one value, before looping over it, try to trace the XPATH of

    $lv-UserList/attr[@attr-name="createTimestamp"]/value

    I suspect that might work.  But the loop should work, it says it is looping over one value, so the instance should be current context.

    Therefore it seems very important to see the structure of the XML inside the variable.

  • Suggested Answer

    0 in reply to   

    I got the issue.

    In my Driver's ECMAScript function "ldapSearch", a while back I had commented out the below piece of code.

    while(allAttributes.hasNext()) {
    	var attribute = allAttributes.next();
    	var attrElement = document.createElement("attr");
    	attrElement.setAttributeNS(null, "attr-name", attribute.getName());
    	tracer.trace("Attribute Name: " + attribute.getName(), 5);
    	tracer.trace("Attribute Value: " + attribute.getStringValue(), 5);
    	var allValues = attribute.getStringValues();
    	if( allValues != null) {
    		while(allValues.hasMoreElements()) {
    			var valueElement = document.createElement("value");
    			valueElement.appendChild(document.createTextNode(allValues.nextElement()));
    			attrElement.appendChild(valueElement);
    		}
    		instanceElement.appendChild(attrElement);
    	}
    }

    I found that this code is responsible for retrieving the value of the Return Attributes, so when I uncommented that code, it works fine with the below XPath.

    $current-node/attr[@attr-name="createTimestamp"]/value

    Thank you for your support.

  • 0   in reply to 

    Ah, so you returned the users, and none of the attributes, and unsurprisingly there are no attributes returned.

    Tracing out the returned variable would have shown that right away.

    Glad it worked out.
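
The diagnosis reached in this thread, as an added example that is not part of the original posts or of the driver's own code: a Python sketch (standard library only) that models the `<instance>` node with and without its `<attr>`/`<value>` children, showing why tracing the node gives an empty string and why the XPath finds nothing until the attribute-copy loop is restored. The helper names and the sample timestamp are constructed, and the timestamp parser assumes the plain `YYYYMMDDhhmmssZ` form.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample data; the DN is the one shown in the thread's trace.
DN = "cn=tuser01,ou=Accounts,ou=TestPortal,ou=Applications,o=testlab"
SAMPLE_ATTRS = {"createTimestamp": ["20240920073339Z"]}  # constructed value


def build_instance(src_dn, attrs, copy_attributes=True):
    """Model one search result as <instance src-dn=...> with
    <attr attr-name=...><value>...</value></attr> children.
    copy_attributes=False models the commented-out while loop."""
    inst = ET.Element("instance", {"src-dn": src_dn})
    if copy_attributes:
        for name, values in attrs.items():
            attr = ET.SubElement(inst, "attr", {"attr-name": name})
            for v in values:
                ET.SubElement(attr, "value").text = v
    return inst


def string_value(node):
    """XPath string-value of an element: its concatenated descendant text."""
    return "".join(node.itertext())


def read_attr(instance, name):
    """Same lookup as $current-node/attr[@attr-name="..."]/value (first match)."""
    return instance.findtext(f"attr[@attr-name='{name}']/value")


def parse_generalized_time(value):
    """Parse the plain UTC form YYYYMMDDhhmmssZ (assumed, no fractions)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def diagnose(instance, name):
    """Return (serialized XML, string-value, attribute value or None)."""
    xml = ET.tostring(instance, encoding="unicode")
    return xml, string_value(instance), read_attr(instance, name)


if __name__ == "__main__":
    for copied in (False, True):
        node = build_instance(DN, SAMPLE_ATTRS, copy_attributes=copied)
        xml, text, value = diagnose(node, "createTimestamp")
        print(f"loop enabled={copied}\n  xml={xml}\n  trace={text!r}  xpath={value!r}")
        if value:
            print("  parsed:", parse_generalized_time(value).isoformat())
```

Serializing the node is the step that separates "the XPath is wrong" from "the data was never put into the node", which is what the XML Serialize suggestion in the thread achieves.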