DirXML-ADContext attribute inconsistently applied

Anonymous_User · ‎2019-06-07

In looking at the users in my identity vault, I noticed that many of
them lack the DirXML-ADContext attribute. There doesn't seem to be any
rhyme or reason behind this. Some user accounts get it, while others --
created by the same process at around the same time -- do not.

I never paid attention to it before, but now I want to use this
attribute value (see thread 'XPATH query confusion') so I'd like to have
it applied consistently.

I think I found the culprit -- a rule in the output transform:


<rule>
<description>Strip add/modify of DirXML-ADContext</description>
<conditions>
<or>
<if-operation op="equal">add</if-operation>
<if-operation op="equal">modify</if-operation>
</or>
<or>
<if-op-attr name="DirXML-ADContext" op="available"/>
</or>
</conditions>
<actions>
<do-strip-op-attr name="DirXML-ADContext"/>
</actions>
</rule>

I did not create this driver, a consultant did, and he's not around to
ask. Can anyone venture a guess as to why he thought this rule was needed?

Thanks

al_b · ‎2019-06-07

6423241;2500690 wrote:
In looking at the users in my identity vault, I noticed that many of
them lack the DirXML-ADContext attribute. There doesn't seem to be any
rhyme or reason behind this. Some user accounts get it, while others --
created by the same process at around the same time -- do not.

I never paid attention to it before, but now I want to use this
attribute value (see thread 'XPATH query confusion') so I'd like to have
it applied consistently.

I think I found the culprit -- a rule in the output transform:
<rule>
<description>Strip add/modify of DirXML-ADContext</description>
<conditions>
<or>
<if-operation op="equal">add</if-operation>
<if-operation op="equal">modify</if-operation>
</or>
<or>
<if-op-attr name="DirXML-ADContext" op="available"/>
</or>
</conditions>
<actions>
<do-strip-op-attr name="DirXML-ADContext"/>
</actions>
</rule>
I did not create this driver, a consultant did, and he's not around to
ask. Can anyone venture a guess as to why he thought this rule was needed?

Thanks

How many AD domains you have?
One of the possible reasons for this policy (if you have more than one AD domain and more than one AD driver) - attempts to prevent overwriting of DirXML-ADContext information (user's current AD context (LDAP DN)) by the second driver.

Alex McHugh · ‎2019-06-07

Should not matter if you strip dirxml-adcontext in output transform.

Where I have seen this is the following:

Incorrectly disabling publisher filter class and attrs.
Matching of existing users done badly.
Bugs in old engines where out of band queries return improperly.

Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.

Anonymous_User · ‎2019-06-07

Alex McHugh,
> Should not matter if you strip dirxml-adcontext in output transform.
>
> Where I have seen this is the following:
>
> Incorrectly disabling publisher filter class and attrs.
> Matching of existing users done badly.
> Bugs in old engines where out of band queries return improperly.
>

The DirXML-ADcontext attribute is set to sync on publish and ignore on
subscribe. There is no mapping for this attribute in the schema table,
but I guess that doesn't matter since the attribute does sync sometimes.

Anonymous_User · ‎2019-06-07

al b,
>

>
> How many AD domains you have?
> One of the possible reasons for this policy (if you have more than one
> AD domain and more than one AD driver) - attempts to prevent overwriting
> of DirXML-ADContext information (user's current AD context (LDAP DN))
> by the second driver.
>

We just have one domain.

Engine-Drivers