AD driver looping over street address

Good Morning, 

I have an AD driver that, when we try to reset street address, just keeps on looping. We do this via policy, as you can see in the trace below. I just do not understand why it does not see it as equal. I have been looking and looking around to try to resolve this but am coming up empty. I have taken some items out for privacy.

Any help would be greatly appreciated.

[11/02/22 05:31:21.445]:AD PT::
<nds dtdversion="2.2">
<source>
<product build="20180125_120000" instance="" version="4.1.2.0">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="user" event-id="AD##18438531b5d##0" src-dn="CN=\, Ka(XXXXX9),OU=People,DC=com">
<association>03c823e4144e8c418ed655c0fdf22768</association>
<modify-attr attr-name="streetAddress">
<remove-all-values/>
<add-value>
<value naming="false" type="string">Royal Australian Air Force Base
South Amberley Road</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[11/02/22 05:31:21.447]:AD PT::Applying policy: %+C%14CHandleWriteBackAttributes%-C.
[11/02/22 05:31:21.447]:AD PT:: Applying to modify #1.
[11/02/22 05:31:21.447]:AD PT:: Evaluating selection criteria for rule 'LoginExpires '.
[11/02/22 05:31:21.447]:AD PT:: (if-operation equal "modify") = TRUE.
[11/02/22 05:31:21.447]:AD PT:: Rule selected.
[11/02/22 05:31:21.448]:AD PT:: Applying rule 'LoginExpires '.
[11/02/22 05:31:21.448]:AD PT:: Action: do-set-local-variable("lvAcctExp",scope="policy",token-op-attr("accountExpires")).
[11/02/22 05:31:21.448]:AD PT:: arg-string(token-op-attr("accountExpires"))
[11/02/22 05:31:21.449]:AD PT:: token-op-attr("accountExpires")
[11/02/22 05:31:21.450]:AD PT:: Token Value: "".
[11/02/22 05:31:21.450]:AD PT:: Arg Value: "".
[11/02/22 05:31:21.450]:AD PT:: Action: do-if().
[11/02/22 05:31:21.450]:AD PT:: Evaluating conditions.
[11/02/22 05:31:21.451]:AD PT:: (if-local-variable 'lvAcctExp' not-equal "") = FALSE.
[11/02/22 05:31:21.451]:AD PT:: Performing else actions.
[11/02/22 05:31:21.451]:AD PT:: Action: do-trace-message(level="3",token-local-variable("lvAcctExp")).
[11/02/22 05:31:21.451]:AD PT:: arg-string(token-local-variable("lvAcctExp"))
[11/02/22 05:31:21.451]:AD PT:: token-local-variable("lvAcctExp")
[11/02/22 05:31:21.452]:AD PT:: Token Value: "".
[11/02/22 05:31:21.452]:AD PT:: Arg Value: "".
[11/02/22 05:31:21.452]:AD PT::
[11/02/22 05:31:21.452]:AD PT:: Evaluating selection criteria for rule 'Full Name - displayName 11042016 JC'.
[11/02/22 05:31:21.452]:AD PT:: (if-operation equal "modify") = TRUE.
[11/02/22 05:31:21.452]:AD PT:: (if-op-attr 'displayName' changing) = FALSE.
[11/02/22 05:31:21.453]:AD PT:: Rule rejected.
[11/02/22 05:31:21.453]:AD PT:: Evaluating selection criteria for rule 'SA - streetAddress 11302016 JC'.
[11/02/22 05:31:21.453]:AD PT:: (if-operation equal "modify") = TRUE.
[11/02/22 05:31:21.453]:AD PT:: (if-op-attr 'streetAddress' changing) = TRUE.
[11/02/22 05:31:21.473]:AD PT:: (if-association associated) = TRUE.
[11/02/22 05:31:21.473]:AD PT:: Rule selected.
[11/02/22 05:31:21.473]:AD PT:: Applying rule 'SA - streetAddress 11302016 JC'.
[11/02/22 05:31:21.473]:AD PT:: Action: do-set-local-variable("streetAddress",scope="policy",token-op-attr("streetAddress")).
[11/02/22 05:31:21.473]:AD PT:: arg-string(token-op-attr("streetAddress"))
[11/02/22 05:31:21.473]:AD PT:: token-op-attr("streetAddress")
[11/02/22 05:31:21.474]:AD PT:: Token Value: "Royal Australian Air Force Base
South Amberley Road".
[11/02/22 05:31:21.474]:AD PT:: Arg Value: "Royal Australian Air Force Base
South Amberley Road".
[11/02/22 05:31:21.474]:AD PT:: Action: do-if().
[11/02/22 05:31:21.474]:AD PT:: Evaluating conditions.
[11/02/22 05:31:21.474]:AD PT:: Query from policy
[11/02/22 05:31:21.475]:AD PT::
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.8.2.1">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="user" scope="entry">
<association>03c823e4144e8c418ed655c0fdf22768</association>
<read-attr attr-name="ngcExcludeUser"/>
<read-attr attr-name="SA"/>
</query>
</input>
</nds>
[11/02/22 05:31:21.476]:AD PT:: Pumping XDS to eDirectory.
[11/02/22 05:31:21.476]:AD PT:: Performing operation query for .
[11/02/22 05:31:21.480]:AD PT:: --JCLNT-- - Publisher : Calling free on tempContext = 754057431
[11/02/22 05:31:21.487]:AD PT:: Query from policy result
[11/02/22 05:31:21.487]:AD PT::
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.8.2.1">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<instance class-name="User" event-id="0" qualified-src-dn="" src-dn="" src-entry-id="588008">
<association state="associated">03c823e4144e8c418ed655c0fdf22768</association>
<attr attr-name="SA">
<value timestamp="1662363022#108" type="string">Royal Australian Air Force Base
South Amberley Road</value>
</attr>
</instance>
<status event-id="0" level="success"></status>
</output>
</nds>
[11/02/22 05:31:21.489]:AD PT:: Expanded variable reference '$streetAddress$' to 'Royal Australian Air Force Base
South Amberley Road'.
[11/02/22 05:31:21.489]:AD PT:: (if-dest-attr 'SA' not-equal "$streetAddress$") = TRUE.
[11/02/22 05:31:21.489]:AD PT:: (if-dest-attr 'ngcExcludeUser' not-equal "yes") = TRUE.
[11/02/22 05:31:21.489]:AD PT:: Performing if actions.
[11/02/22 05:31:21.490]:AD PT:: Action: do-set-local-variable("destSA",scope="policy",token-dest-attr("SA")).
[11/02/22 05:31:21.490]:AD PT:: arg-string(token-dest-attr("SA"))
[11/02/22 05:31:21.490]:AD PT:: token-dest-attr("SA")
[11/02/22 05:31:21.490]:AD PT:: Token Value: "Royal Australian Air Force Base
South Amberley Road".
[11/02/22 05:31:21.490]:AD PT:: Arg Value: "Royal Australian Air Force Base
South Amberley Road".
[11/02/22 05:31:21.491]:AD PT:: Action: do-if().
[11/02/22 05:31:21.491]:AD PT:: Evaluating conditions.
[11/02/22 05:31:21.491]:AD PT:: (if-xpath true "string-length($destSA) > 0") = TRUE.
[11/02/22 05:31:21.491]:AD PT:: Performing if actions.
[11/02/22 05:31:21.491]:AD PT:: Action: do-set-src-attr-value("streetAddress",token-local-variable("destSA")).
[11/02/22 05:31:21.492]:AD PT:: arg-string(token-local-variable("destSA"))
[11/02/22 05:31:21.492]:AD PT:: token-local-variable("destSA")
[11/02/22 05:31:21.492]:AD PT:: Token Value: "Royal Australian Air Force Base
South Amberley Road".
[11/02/22 05:31:21.492]:AD PT:: Arg Value: "Royal Australian Air Force Base
South Amberley Road".
[11/02/22 05:31:21.493]:AD PT:: Action: do-set-local-variable("adModified",scope="policy","true").
[11/02/22 05:31:21.493]:AD PT:: arg-string("true")
[11/02/22 05:31:21.493]:AD PT:: token-text("true")
[11/02/22 05:31:21.493]:AD PT:: Arg Value: "true".
[11/02/22 05:31:21.493]:AD PT:: Action: do-strip-op-attr("streetAddress").
[11/02/22 05:31:21.493]:AD PT:: Evaluating selection criteria for rule 'NGCstartDate - ngcStartDate 11302016'.
[11/02/22 05:31:21.494]:AD PT:: (if-operation equal "modify") = TRUE.
[11/02/22 05:31:21.494]:AD PT:: (if-op-attr 'ngcStartDate' changing) = FALSE.
[11/02/22 05:31:21.494]:AD PT:: Rule rejected.
[11/02/22 05:31:21.494]:AD PT:: Evaluating selection criteria for rule 'NGCEndDate - ngcEndDate '.
[11/02/22 05:31:21.494]:AD PT:: (if-operation equal "modify") = TRUE.
[11/02/22 05:31:21.495]:AD PT:: (if-op-attr 'NGCEndDate' changing) = FALSE.
[11/02/22 05:31:21.495]:AD PT:: Rule rejected.
[11/02/22 05:31:21.495]:AD PT:: Evaluating selection criteria for rule 'ngcExternalID - ngcExternalID '.
[11/02/22 05:31:21.495]:AD PT:: (if-operation equal "modify") = TRUE.
[11/02/22 05:31:21.495]:AD PT:: (if-op-attr 'ngcExternalID' changing) = FALSE.
[11/02/22 05:31:21.496]:AD PT:: Rule rejected.
[11/02/22 05:31:21.496]:AD PT:: Direct command from policy
[11/02/22 05:31:21.496]:AD PT::
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.8.2.1">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="user" dest-dn="CN=Costall[AU]\, Ka(XXXXX9),OU=People,DC=com" event-id="AD##18438531b5d##0">
<association>03c823e4144e8c418ed655c0fdf22768</association>
<modify-attr attr-name="streetAddress">
<remove-all-values/>
<add-value>
<value>Royal Australian Air Force Base
South Amberley Road</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>

  • The way loopback protection on the AD driver works is that the end result of the Sub channel modify has to return on the Pub channel something that equals the value in IDV.

    So IDV value gets set to "Something".  Sent to AD.  This is detected and loops back on the Pub channel.  The ITP/Pub channel MUST convert the value before it leaves the Pub-CTP to "Something".  Else it is processed.

  • [11/02/22 05:31:21.489]:AD PT:: (if-dest-attr 'SA' not-equal "$streetAddress$") = TRUE

    If I understand the problem is in this line only? Could you take a screenshot of the rule and send XML of the rule so we can test it out?
    ....

    Ok looked even deeper and the problem might be a line-break in the value. Is there a line break or was that just added during the move of the trace?

  • Below you will find the XML of the rule.  I am not sure of the line break; I saw that too and thought that maybe it was causing a problem, but it's on everything, and we do write-backs for just about everything, having one authoritative source.  So I am wondering why it would not cause problems on the other attributes.  I am just stumped.

    Thanks so much for the input.  

    <rule>
      <description>SA - streetAddress </description>
      <conditions>
        <and>
          <if-operation mode="case" op="equal">modify</if-operation>
          <if-op-attr name="streetAddress" op="changing"/>
          <if-association op="associated"/>
        </and>
      </conditions>
      <actions>
        <do-set-local-variable name="streetAddress" scope="policy">
          <arg-string>
            <token-op-attr name="streetAddress"/>
          </arg-string>
        </do-set-local-variable>
        <do-if>
          <arg-conditions>
            <and>
              <if-dest-attr mode="nocase" name="SA" op="not-equal">$streetAddress$</if-dest-attr>
              <if-dest-attr mode="nocase" name="ngcExcludeUser" op="not-equal">yes</if-dest-attr>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-set-local-variable name="destSA" scope="policy">
              <arg-string>
                <token-dest-attr name="SA"/>
              </arg-string>
            </do-set-local-variable>
            <do-if>
              <arg-conditions>
                <and>
                  <if-xpath op="true">string-length($destSA) > 0</if-xpath>
                </and>
              </arg-conditions>
              <arg-actions>
                <do-set-src-attr-value name="streetAddress">
                  <arg-value>
                    <token-local-variable name="destSA"/>
                  </arg-value>
                </do-set-src-attr-value>
                <do-set-local-variable name="adModified" scope="policy">
                  <arg-string>
                    <token-text xml:space="preserve">true</token-text>
                  </arg-string>
                </do-set-local-variable>
              </arg-actions>
              <arg-actions>
                <do-clear-src-attr-value name="streetAddress"/>
                <do-set-local-variable name="adModified" scope="policy">
                  <arg-string>
                    <token-text xml:space="preserve">true</token-text>
                  </arg-string>
                </do-set-local-variable>
              </arg-actions>
            </do-if>
          </arg-actions>
          <arg-actions/>
        </do-if>
        <do-strip-op-attr name="streetAddress"/>
      </actions>
    </rule>

  • I think the question is, your compare of Dest Attr SA to your variable, maybe that has issues with white space, funny characters?

    Also this line:
    <if-xpath op="true">string-length($destSA) > 0</if-xpath>

    Probably simpler to do if local variable, streetAddress, not-equal Regex .+ (i.e. has any values, not empty).  Not sure which is faster.

  • I copied the rule into my designer and simulated it with your trace results, and did not replicate the issue (the attribute was stripped).
    That means the pasted trace got somehow mangled or there is a difference in designer and IDM working, can you replicate the issue in your designer, and which version is it (if it is replicated)?
    Most likely when copying a trace some hidden characters might be changed. I often use alt+enter instead of plain enter which might mean a different character is used... Now I remembered that shouldn't be a problem because the driver is looping and setting same value over and over again, but just for the sake of it I would copy and paste the same value from regular notepad into both systems manually just so we know we don't have some hidden character issue which might get skipped or translated into something else while setting the value.
    I am grasping at the air right now but just an idea ;)

  • Ok, I tried pasting the original several different ways but it would not show the special CHR.  So I ended up taking a screenshot so you could see the special chr.  Thanks for taking the time to do all that.  So, if I understand, in your system it saw it as equal and just stripped it out?

  • Yes I simulated that in designer not in IDM, here is my snippet of the trace:

    SCIM Driver :Applying policy: %+C%14CTEST-pub-ctp%-C.
    SCIM Driver :  Applying to modify #1.
    SCIM Driver :    Evaluating selection criteria for rule 'SA - streetAddress '.
    SCIM Driver :      (if-operation equal "modify") = TRUE.
    SCIM Driver :      (if-op-attr 'streetAddress' changing) = TRUE.
    SCIM Driver :      Query from policy
    SCIM Driver :      
    <nds dtdversion="4.0" ndsversion="8.x">
      <source>
        <product version="4.8.4.0">DirXML</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <input>
        <query class-name="user" scope="entry">
          <association>03c823e4144e8c418ed655c0fdf22768</association>
          <read-attr attr-name="DirXML-Associations"/>
        </query>
      </input>
    </nds>
    SCIM Driver :      Query from policy result
    SCIM Driver :      
    <nds dtdversion="4.0" ndsversion="8.x">
      <source>
        <product edition="Advanced" version="4.8.2.1">DirXML</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <output>
        <instance class-name="User" event-id="0" qualified-src-dn="" src-dn="" src-entry-id="588008">
          <association state="associated">03c823e4144e8c418ed655c0fdf22768</association>
          <attr attr-name="SA">
            <value timestamp="1662363022#108" type="string">Royal Australian Air Force Base
    South Amberley Road</value>
          </attr>
        </instance>
        <status event-id="0" level="success"/>
      </output>
    </nds>
    SCIM Driver :      (if-association associated) = TRUE.
    SCIM Driver :    Rule selected.
    SCIM Driver :    Applying rule 'SA - streetAddress '.
    SCIM Driver :      Action: do-set-local-variable("streetAddress",scope="policy",token-op-attr("streetAddress")).
    SCIM Driver :        arg-string(token-op-attr("streetAddress"))
    SCIM Driver :          token-op-attr("streetAddress")
    SCIM Driver :            Token Value: "Royal Australian Air Force Base
    South Amberley Road".
    SCIM Driver :          Arg Value: "Royal Australian Air Force Base
    South Amberley Road".
    SCIM Driver :      Action: do-if().
    SCIM Driver :        Evaluating conditions.
    SCIM Driver :          Query from policy
    SCIM Driver :          
    <nds dtdversion="4.0" ndsversion="8.x">
      <source>
        <product version="4.8.4.0">DirXML</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <input>
        <query class-name="user" scope="entry">
          <association>03c823e4144e8c418ed655c0fdf22768</association>
          <read-attr attr-name="SA"/>
        </query>
      </input>
    </nds>
    SCIM Driver :          Query from policy result
    SCIM Driver :          
    <nds dtdversion="4.0" ndsversion="8.x">
      <source>
        <product edition="Advanced" version="4.8.2.1">DirXML</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <output>
        <instance class-name="User" event-id="0" qualified-src-dn="" src-dn="" src-entry-id="588008">
          <association state="associated">03c823e4144e8c418ed655c0fdf22768</association>
          <attr attr-name="SA">
            <value timestamp="1662363022#108" type="string">Royal Australian Air Force Base
    South Amberley Road</value>
          </attr>
        </instance>
        <status event-id="0" level="success"/>
      </output>
    </nds>
    SCIM Driver :          Expanded variable reference '$streetAddress$' to 'Royal Australian Air Force Base
    South Amberley Road'.
    SCIM Driver :          (if-dest-attr 'SA' not-equal "$streetAddress$") = FALSE.
    SCIM Driver :        Performing else actions.
    SCIM Driver :      Action: do-strip-op-attr("streetAddress").
    SCIM Driver :Policy returned:
    SCIM Driver :
    <nds dtdversion="2.2">
      <source>
        <product build="20180125_120000" instance="" version="4.1.2.0">AD</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <input>
        <modify class-name="user" event-id="AD##18438531b5d##0" src-dn="CN=\, Ka(XXXXX9),OU=People,DC=com">
          <association>03c823e4144e8c418ed655c0fdf22768</association>
        </modify>
      </input>
    </nds>
    


    Do NOT mind SCIM driver, that was just the one I had laying around :)

    I can see that text that I copy from your original post is no different in characters than the one from your screenshot. It might be that if you have IDM running in linux and then transfer it to windows that in-between some hidden character changes, but I think if you copy directly and open directly with notepad++ without any saving in-between there should be no format changes...

    Here is how you simulate in designer (where you have opened policy):


    I think your best bet would be this:


    just for the sake of it I would copy and paste the same value from regular notepad into both systems manually just so we know we don't have some hidden character issue which might get skipped or translated into something else while setting the value

  • Zan,

    Thanks so much for taking the time.  I am trying to use the simulator, but I am not sure how to use it.  I even googled for some written docs but I am coming up empty.  Can I ask what the bare minimum is to run this simulation?  We do have Linux boxes and Windows boxes.

  • If you have tried your policy in the engine and it has failed, and now you are trying to fix it in Designer with Simulator, go to your IDM Trace file (level 3 minimum please) and find the event that is fed into the broken policy.  Copy the text into a text editor.

    Then in Designer, on the proper policy object open, click the simulator (A chevron, with a VCR like play button over top, it is tiny, but that is what they were going for) and the Input screen has an XML Source tab at the bottom, paste your XML into it.  (Fix line wrap issues, it is sensitive to broken lines).  Then run through your policy.

    If you have a Query (Source Attr?  Dest Attr?  If Dest attr?  and so on) you will see the Query event (GUI, but flip to XML Source to see the XML of the query) and there is a Response tab (top) that you can click over to, then build the response doc. (Grab this from your trace too, if your rule made it that far, or else build an <instance> doc by hand, or with the GUI editor).

    Simulating an entire driver, never really worked for me.  You have to do it policy by policy and it is awesome.

  • Are you using Designer on Windows and your engine runs on Linux? Then it might work because of the different default line endings: Windows uses CRLF. In Linux it's just LF.

    Try tracing the base64 encoded value of both op-attr and dest-attr. That should give a hint of where differences might be.

    Norbert
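
Added example, not part of any post in this thread: once the base64 of both the op-attr and the dest-attr has been traced as suggested above, a short script can decode the two strings and name the first character that differs, which makes a CR, LF or non-breaking space visible where the trace shows identical text. The function names and the two sample values are constructed here (the address from the trace, once with CRLF and once with LF); the thread does not establish which difference, if any, is present on the poster's system.

```python
import base64
import unicodedata


def char_name(ch):
    """Readable name for a character, including control and invisible ones."""
    if ch is None:
        return "<end of value>"
    names = {"\r": "CR", "\n": "LF", "\t": "TAB"}
    return "U+%04X %s" % (ord(ch), names.get(ch) or unicodedata.name(ch, "UNNAMED"))


def first_difference(a, b):
    """Return (index, char_in_a, char_in_b) of the first mismatch, or None."""
    for i in range(max(len(a), len(b))):
        ca = a[i] if i < len(a) else None
        cb = b[i] if i < len(b) else None
        if ca != cb:
            return i, ca, cb
    return None


def normalize(text):
    """Unify line endings, swap NBSP for space, trim trailing blanks per line."""
    text = text.replace("\r\n", "\n").replace("\r", "\n").replace("\u00a0", " ")
    return "\n".join(line.rstrip() for line in text.split("\n"))


def compare_b64(op_b64, dest_b64):
    """Classify two base64-encoded attribute values copied from a trace."""
    op = base64.b64decode(op_b64).decode("utf-8")
    dest = base64.b64decode(dest_b64).decode("utf-8")
    diff = first_difference(op, dest)
    if diff is None:
        return {"verdict": "identical", "offset": None, "op": None, "dest": None}
    # Equal after normalization means only invisible whitespace differs
    verdict = "whitespace-only" if normalize(op) == normalize(dest) else "content"
    i, ca, cb = diff
    return {"verdict": verdict, "offset": i,
            "op": char_name(ca), "dest": char_name(cb)}


# Constructed sample values, not taken from the poster's system
AD_VALUE = "Royal Australian Air Force Base\r\nSouth Amberley Road"
IDV_VALUE = "Royal Australian Air Force Base\nSouth Amberley Road"
OP_B64 = base64.b64encode(AD_VALUE.encode("utf-8")).decode("ascii")
DEST_B64 = base64.b64encode(IDV_VALUE.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(OP_B64)
    print(DEST_B64)
    print(compare_b64(OP_B64, DEST_B64))
```

A "whitespace-only" verdict means the two values would compare equal once line endings and trailing blanks are unified; "content" means the visible text itself differs.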