Anonymous_User Absent Member.

DirXML-ADContext attribute inconsistently applied

In looking at the users in my identity vault, I noticed that many of
them lack the DirXML-ADContext attribute. There doesn't seem to be any
rhyme or reason behind this. Some user accounts get it, while others --
created by the same process at around the same time -- do not.

I never paid attention to it before, but now I want to use this
attribute value (see thread 'XPATH query confusion') so I'd like to have
it applied consistently.

I think I found the culprit -- a rule in the output transform:


<rule>
    <description>Strip add/modify of DirXML-ADContext</description>
    <conditions>
        <or>
            <if-operation op="equal">add</if-operation>
            <if-operation op="equal">modify</if-operation>
        </or>
        <or>
            <if-op-attr name="DirXML-ADContext" op="available"/>
        </or>
    </conditions>
    <actions>
        <do-strip-op-attr name="DirXML-ADContext"/>
    </actions>
</rule>


I did not create this driver, a consultant did, and he's not around to
ask. Can anyone venture a guess as to why he thought this rule was needed?


Thanks





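An added example, not part of the original post or the driver's own code: a Python helper that scans an exported policy for rules that strip a given attribute and lists the conditions guarding each one, which helps when auditing a driver someone else built. The `<policy>` wrapper, the second rule, and the name `find_strip_rules` are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed input: the rule from the post wrapped in a <policy> root, plus
# one invented rule that strips a different attribute and must not be reported.
SAMPLE_POLICY = """\
<policy>
  <rule>
    <description>Strip add/modify of DirXML-ADContext</description>
    <conditions>
      <or>
        <if-operation op="equal">add</if-operation>
        <if-operation op="equal">modify</if-operation>
      </or>
      <or>
        <if-op-attr name="DirXML-ADContext" op="available"/>
      </or>
    </conditions>
    <actions>
      <do-strip-op-attr name="DirXML-ADContext"/>
    </actions>
  </rule>
  <rule>
    <description>Constructed rule</description>
    <actions><do-strip-op-attr name="description"/></actions>
  </rule>
</policy>
"""

def find_strip_rules(policy_xml, attr_name):
    """Summarise every rule whose actions strip attr_name from the operation."""
    wanted = attr_name.lower()  # the thread itself spells the name in several cases
    findings = []
    for index, rule in enumerate(ET.fromstring(policy_xml).iter("rule"), start=1):
        stripped = [a.get("name", "") for a in rule.iterfind("actions/do-strip-op-attr")]
        if wanted not in (name.lower() for name in stripped):
            continue
        groups = []  # one entry per <or>/<and> group under <conditions>
        for group in rule.iterfind("conditions/*"):
            tests = [f"{c.tag} {c.get('op')} {c.get('name') or (c.text or '').strip()}"
                     for c in group]
            groups.append((group.tag, tests))
        desc = rule.findtext("description", default="")
        findings.append({"rule": index, "description": desc, "groups": groups})
    return findings

if __name__ == "__main__":
    for finding in find_strip_rules(SAMPLE_POLICY, "DirXML-ADContext"):
        print(finding)
```

Running the same function over each policy in the driver's policy sets shows every place the attribute is removed, not only the one rule found by eye.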
Knowledge Partner

Re: DirXML-ADContext attribute inconsistently applied

How many AD domains do you have?
One possible reason for this policy (if you have more than one AD domain and more than one AD driver) is an attempt to prevent the DirXML-ADContext information (the user's current AD context (LDAP DN)) from being overwritten by the second driver.
Knowledge Partner

Re: DirXML-ADContext attribute inconsistently applied

Should not matter if you strip dirxml-adcontext in output transform.

Where I have seen this is the following:

Incorrectly disabling publisher filter class and attrs.
Matching of existing users done badly.
Bugs in old engines where out of band queries return improperly.
Alex McHugh - Knowledge Partner - Stavanger, Norway
Anonymous_User Absent Member.

Re: DirXML-ADContext attribute inconsistently applied

Alex McHugh,
> Should not matter if you strip dirxml-adcontext in output transform.
>
> Where I have seen this is the following:
>
> Incorrectly disabling publisher filter class and attrs.
> Matching of existing users done badly.
> Bugs in old engines where out of band queries return improperly.
>


The DirXML-ADcontext attribute is set to sync on publish and ignore on
subscribe. There is no mapping for this attribute in the schema table,
but I guess that doesn't matter since the attribute does sync sometimes.





Anonymous_User Absent Member.

Re: DirXML-ADContext attribute inconsistently applied

al b,
> How many AD domains you have?
> One of the possible reasons for this policy (if you have more than one
> AD domain and more than one AD driver) - attempts to prevent overwriting
> of DirXML-ADContext information (user's current AD context (LDAP DN))
> by the second driver.
>


We just have one domain.

