Anonymous_User

Absent Member.
2019-06-07
16:21
405 views
DirXML-ADContext attribute inconsistently applied
In looking at the users in my identity vault, I noticed that many of
them lack the DirXML-ADContext attribute. There doesn't seem to be any
rhyme or reason behind this. Some user accounts get it, while others --
created by the same process at around the same time -- do not.
I never paid attention to it before, but now I want to use this
attribute value (see thread 'XPATH query confusion') so I'd like to have
it applied consistently.
I think I found the culprit -- a rule in the output transform:
<rule>
  <description>Strip add/modify of DirXML-ADContext</description>
  <conditions>
    <or>
      <if-operation op="equal">add</if-operation>
      <if-operation op="equal">modify</if-operation>
    </or>
    <or>
      <if-op-attr name="DirXML-ADContext" op="available"/>
    </or>
  </conditions>
  <actions>
    <do-strip-op-attr name="DirXML-ADContext"/>
  </actions>
</rule>
I did not create this driver, a consultant did, and he's not around to
ask. Can anyone venture a guess as to why he thought this rule was needed?
Thanks
4 Replies


Knowledge Partner
2019-06-07
20:13
How many AD domains do you have?
One of the possible reasons for this policy (if you have more than one AD domain and more than one AD driver) is an attempt to prevent overwriting of the DirXML-ADContext information (the user's current AD context (LDAP DN)) by the second driver.


Knowledge Partner
2019-06-07
20:41
Should not matter if you strip dirxml-adcontext in output transform.
Where I have seen this is the following:
Incorrectly disabling publisher filter class and attrs.
Matching of existing users done badly.
Bugs in old engines where out of band queries return improperly.
Alex McHugh - Knowledge Partner - Stavanger, Norway
Anonymous_User

Absent Member.
2019-06-07
21:21
Alex McHugh,
> Should not matter if you strip dirxml-adcontext in output transform.
>
> Where I have seen this is the following:
>
> Incorrectly disabling publisher filter class and attrs.
> Matching of existing users done badly.
> Bugs in old engines where out of band queries return improperly.
>
The DirXML-ADcontext attribute is set to sync on publish and ignore on
subscribe. There is no mapping for this attribute in the schema table,
but I guess that doesn't matter since the attribute does sync sometimes.
Anonymous_User

Absent Member.
2019-06-07
21:20
al b,
>
>
> How many AD domains you have?
> One of the possible reasons for this policy (if you have more than one
> AD domain and more than one AD driver) - attempts to prevent overwriting
> of DirXML-ADContext information (user's current AD context (LDAP DN))
> by the second driver.
>
We just have one domain.