pgold Absent Member.

Re: Error syncing objects from edir to AD


Hopefully near the end of my questions. So here are the rules that you
wrote. I need to know where the XML code gets pasted (in the mapping
table?). And to be sure I am getting this, I have edited your code with
my info. Can you let me know if I missed something? I assume I still
enter the source and destination info into the table fields like I asked
in my last message.

<rule>
<description>[CIS] Testing placement by mapping table</description>
<comment name="author" xml:space="preserve">Geoffrey Carman</comment>
<comment name="version" xml:space="preserve">1</comment>
<comment name="lastchanged" xml:space="preserve">Mar 21,
2012</comment>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-set-local-variable name="SRC-DN" scope="policy">
<arg-string>
<token-src-dn length="-2"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="DEST-DN" scope="policy">
<arg-string>
<token-map default-value="XXYY" dest="dest-dn" src="src-dn" *<<< Not
sure what goes in that default value*
table="*Test.Active Directory.AD-TEST.fdny* ">
<token-local-variable name="SRC-DN"/>
</token-map>
</arg-string>
</do-set-local-variable>
<do-if>
<arg-conditions>
<and>
<if-local-variable mode="nocase" name="DEST-DN"
op="equal">XXYY</if-local-variable>
</and>
</arg-conditions>
<arg-actions>
<do-trace-message disabled="true">
<arg-string>
<token-text xml:space="preserve">If we get XXYY back then the DN
was not found, either error, or place in a default location. Use a
GCV
so you can change it later easily, but I want a simple rule to
demonstrate so I hard code a string value.</token-text>
*<<<Forgive my ignorance, but what is GCV?*
</arg-string>
</do-trace-message>
<do-set-op-dest-dn>
<arg-dn>
<token-text
xml:space="preserve">cn=some,ou=default,ou=placement,dc=container,dc=local</token-text>
*<<<This would be the destination in AD?*
</arg-dn>
</do-set-op-dest-dn>
</arg-actions>
<arg-actions>
<do-set-op-dest-dn>
<arg-dn>
<token-local-variable name="DEST-DN"/>
</arg-dn>
</do-set-op-dest-dn>
</arg-actions>
</do-if>
</actions>
</rule>



And then here is an example of how you can do it in one line.

<rule>
<description>[CIS] Testing placement by mapping table</description>
<comment xml:space="preserve">Now all in one line, which is more
confusing.</comment>
<comment name="author" xml:space="preserve">Geoffrey Carman</comment>
<comment name="version" xml:space="preserve">1</comment>
<comment name="lastchanged" xml:space="preserve">Mar 21,
2012</comment>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-set-op-dest-dn>
<arg-dn>
<token-map
default-value="cn=some,ou=default,ou=placement,dc=container,dc=local"
dest="dest-dn" src="src-dn" table="SomeTableDN ">
<token-src-dn length="-2"/>
</token-map>
</arg-dn>
</do-set-op-dest-dn>
</actions>
</rule>


>> Finally, a different question, I have the syncing working great now,
>> but it is going both ways. I only want to go from edir to AD, not the
>> other way. I cannot figure out where to turn that off.

Two ways.

1) Filter, stop syncing users on the Pub channel.
2) Pub-Match and Create stop it from matching/creating, so changes in AD
like passwords (which #1 will stop) and login disabled can still flow.


>>
>> Thanks so much for your help. It has been a Godsend!
>>
>> Phil Goldwasser
>> BTDS LAN Group
>> FDNY




--
pgold
------------------------------------------------------------------------
pgold's Profile: http://forums.novell.com/member.php?userid=114234
View this thread: http://forums.novell.com/showthread.php?t=453618

Anonymous_User Absent Member.

Re: Error syncing objects from edir to AD

The block of XML from <rule> to </rule> would go into your placement policy.
There is other XML in that policy but if you create just an empty rule in the GUI, then go to the
XML you can paste this over your empty rule and it will maintain the parent nodes and be pretty.

Then when you switch back to the GUI it will validate this rule for typos and errors.

Knowledge Partner

Re: Error syncing objects from edir to AD

The Map token needs a DN to reference. I would just open the rule, once
you have it pasted in (per Will's advice, even if he did cut out one of
my precious, precious comments! The Noive! The Noive I say... Why, I
otter...), drill down to the Map token, and use the browser to pick the
mapping table so you get your DN right.

I gave two approaches. One is simpler than the other, but harder to
understand. The first does it the hard way, (time wise, minor
performance difference) so you can see it step by step.



Anonymous_User Absent Member.

Re: Error syncing objects from edir to AD

It wasn't your comments I cut out, it was ones from the post that were mixed in 🙂
I would never cut out your documentation 🙂

On 3/21/2012 12:24 PM, Geoffrey Carman wrote:
> The Map token needs a DN to reference. I would just open the rule, once you have it pasted in (per
> Will's advice, even if he did cut out one of my precious, precious comments! The Noive! The Noive I
> say... Why, I otter...), drill down to the Map token, and use the browser to pick the mapping table
> so you get your DN right.

pgold Absent Member.

Re: Error syncing objects from edir to AD


geoffc;2184133 Wrote:
> The Map token needs a DN to reference. I would just open the rule, once
> you have it pasted in (per Will's advice, even if he did cut out one of
> my precious, precious comments! The Noive! The Noive I say... Why, I
> otter...), drill down to the Map token, and use the browser to pick the
> mapping table so you get your DN right.
>
> I gave two approaches. One is simpler than the other, but harder to
> understand. The first does it the hard way, (time wise, minor
> performance difference) so you can see it step by step.

OK. I got your other message too. So I am pasting exactly what I am
putting into the placement policy here. I think I have it correct as
the Mapping Table DN is Test.Active Directory.AD-TEST.fdny. Also you
have a place in there where you put in some default dn etc. I assume I
need to edit that to be a valid dn.

Now in the mapping table, I want to make sure I create it correct as
well. I have two columns. The top fields I assume are to name the
fields. Do I need to use names that are in the rule below? So that
would be SCR-DN and DEST-DN? If so, then in the SCR-DN I would put
/EDIR2ADLAB/fdny/support/btds/engineering and in the DEST-DN I would put
ou=engineering,ou=fdny,dc=edir2adlab,dc=local. Is that correct?

<rule>
<description>[CIS] Testing placement by mapping table</description>
<comment name="author" xml:space="preserve">Geoffrey Carman</comment>
<comment name="version" xml:space="preserve">1</comment>
<comment name="lastchanged" xml:space="preserve">Mar 21, 2012</comment>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-set-local-variable name="SRC-DN" scope="policy">
<arg-string>
<token-src-dn length="-2"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="DEST-DN" scope="policy">
<arg-string>
<token-map default-value="XXYY" dest="dest-dn" src="src-dn" table="Test.Active Directory.AD-TEST.fdny">
<token-local-variable name="SRC-DN"/>
</token-map>
</arg-string>
</do-set-local-variable>
<do-if>
<arg-conditions>
<and>
<if-local-variable mode="nocase" name="DEST-DN" op="equal">XXYY</if-local-variable>
</and>
</arg-conditions>
<arg-actions>
<do-trace-message disabled="true">
<arg-string>
<token-text xml:space="preserve">If we get XXYY back then the DN
was not found, either error, or place in a default location. Use a
GCV so you can change it later easily, but I want a simple rule to
demonstrate so I hard code a string value.</token-text>
</arg-string>
</do-trace-message>
<do-set-op-dest-dn>
<arg-dn>
<token-text xml:space="preserve">cn=fdny,dc=edir2adlab,dc=local</token-text>
</arg-dn>
</do-set-op-dest-dn>
</arg-actions>
<arg-actions>
<do-set-op-dest-dn>
<arg-dn>
<token-local-variable name="DEST-DN"/>
</arg-dn>
</do-set-op-dest-dn>
</arg-actions>
</do-if>
</actions>
</rule>



Knowledge Partner

Re: Error syncing objects from edir to AD

>> OK. I got your other message too. So I am pasting exactly what I am
>> putting into the placement policy here. I think I have it correct as
>> the Mapping Table DN is Test.Active Directory.AD-TEST.fdny. Also you
>> have a place in there where you put in some default dn etc. I assume I
>> need to edit that to be a valid dn.


Format for the value in Mapping table is fdny\AD-Test\Active Directory\Test

Backslash notation.

As for the default value in the second example, yes, needs to be an LDAP
formatted real DN in AD. So ou=something, dc=edir2lab,dc=local or
wherever you want them to go.

(Or not? Maybe veto if they do not come from a proper container? Both
are options).

Give me an email offline (geoffreycarman@Gmail.com) if you would like.

>>
>> Now in the mapping table, I want to make sure I create it correct as
>> well. I have two columns. The top fields I assume are to name the
>> fields. Do I need to use names that are in the rule below? So that
>> would be SCR-DN and DEST-DN? If so, then in the SCR-DN I would put
>> /EDIR2ADLAB/fdny/support/btds/engineering and in the DEST-DN I would put
>> ou=engineering,ou=fdny,dc=edir2adlab,dc=local. Is that correct?


Almost. Backslashes, not forward slashes.

Thus NOT:
/EDIR2ADLAB/fdny/support/btds/engineering

Rather
\EDIR2ADLAB\fdny\support\btds\engineering

Dest looks good.

>
>
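The mapping-table formats from the reply above, checked and exercised in Python as an added example (not code from the thread or from Identity Manager). It assumes `<token-src-dn length="-2"/>` yields the source DN without its last segment and that the table lookup ignores case; the function names and the user DN are constructed. A forward-slash source row never matches, so every user falls through to the default value.

```python
import re


def dot_to_slash(dot_dn):
    """Convert a leaf-first dotted DN into root-first backslash notation."""
    # Split on unescaped dots only; an escaped dot (\.) stays in its component.
    parts = re.split(r"(?<!\\)\.", dot_dn.strip())
    return "\\".join(reversed(parts))


def check_row(src, dest):
    """Return format problems for one mapping-table row (source, destination)."""
    problems = []
    if "/" in src:
        problems.append("source uses forward slashes; use backslash notation")
    elif "\\" not in src:
        problems.append("source is not a backslash-format DN")
    # Simple check: does not handle escaped commas inside an LDAP component.
    for rdn in dest.split(","):
        if not re.fullmatch(r"\s*[A-Za-z]+=[^=]+", rdn):
            problems.append(f"destination component {rdn.strip()!r} is not attr=value")
    return problems


def parent_container(src_dn):
    """Drop the last segment (assumed behaviour of token-src-dn length="-2")."""
    return src_dn.rsplit("\\", 1)[0]


def build_table(rows):
    """Index rows by source container; case-insensitive match is an assumption."""
    return {src.casefold(): dest for src, dest in rows}


def place(src_dn, table, default=None):
    """Return the destination container, the default, or None (caller vetoes)."""
    return table.get(parent_container(src_dn).casefold(), default)


# Values from the thread, plus a constructed user DN for the lookup.
DEST = "ou=engineering,ou=fdny,dc=edir2adlab,dc=local"
ROW_AS_ASKED = ("/EDIR2ADLAB/fdny/support/btds/engineering", DEST)
ROW_CORRECTED = (r"\EDIR2ADLAB\fdny\support\btds\engineering", DEST)
USER = r"\EDIR2ADLAB\fdny\Support\BTDS\Engineering\jdoe"  # constructed

if __name__ == "__main__":
    print(dot_to_slash("Test.Active Directory.AD-TEST.fdny"))
    for row in (ROW_AS_ASKED, ROW_CORRECTED):
        print(row[0], check_row(*row), place(USER, build_table([row]), "XXYY"))
```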


Knowledge Partner

Re: Error syncing objects from edir to AD

On Tue, 20 Mar 2012 12:28:56 +0000, Geoffrey Carman wrote:

> [03/20/12 07:50:28.014]:Active Directory ST: DirXML Log Event -------------------
> Driver: \EDIR2ADLAB\fdny\AD-TEST\Active Directory
> Channel: Subscriber
> Object: \EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap
> Status: Error
> Message: Code(-9010) An exception occurred: novell.jclient.JCException: modifyEntry -672 ERR_NO_ACCESS


If the driver can't write to eDir, it may lack sufficient rights to read
the distribution password, even if it exists.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

albertjansteven Absent Member.

Re: Error syncing objects from edir to AD


If you go to driver properties, you will see an option, Trace; there you
can set the driver trace file and trace level options. This could be a
nice guide for you: 'Important Notice'
(http://www.novell.com/communities/node/9677/comprehending-idm-traces-part-1)


--
albertjanstevens
------------------------------------------------------------------------
albertjanstevens's Profile: http://forums.novell.com/member.php?userid=84836
View this thread: http://forums.novell.com/showthread.php?t=453618

Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/19/2012 1:56 PM, albertjanstevens wrote:
>
> If you go to driver properties, you will see an option trace there you
> can set the driver trace file and trace level options. This could be a
> nice guide for you: 'Important Notice'
> (http://www.novell.com/communities/node/9677/comprehending-idm-traces-part-1)


Totally agree! Fernando's series was so much better than my attempt at
this, that I stopped on the topic! He has several articles in this
series, let me suggest all of them since you will learn important things
you need to know for certain from them.

http://www.novell.com/communities/node/5681/capturing-and-reading-novell-identity-manager-traces
http://www.novell.com/communities/node/9677/comprehending-idm-traces-part-1
http://www.novell.com/communities/node/11166/comprehending-idm-traces-part-2

Quick Summary: In Designer, look at the Driver Properties, (Double
click the line in Modeler view, right click properties, or in Outline
view). Then the side tab of Trace. The file path is platform specific,
where the engine is running, so if you are on Netware it would look like
sys:\log\ADDriver.log, on Linux more like /var/log/idmtrace/addriver.log,
and Winders would be more like d:\logs\addriver.log. (If you are on
Linux and try the other formats, it will show up in the eDir DIB
directory as a crazy named file, like sys:\logs\Addriver.log which on
Linux looks really crazy.)

In iManager, edit driver properties, Misc tab.



pgold Absent Member.

Re: Error syncing objects from edir to AD


So I pasted that into the placement policy and got the following xml
error:

An exception occurred processing the XML
(com.novell.emframe.dev.PageException: '': (2): element after document
element).

Does the number indicate the line with the error? If so then it is
having a problem with the description I think.


Anonymous_User Absent Member.

Re: Error syncing objects from edir to AD

Are you using iMangler or Designer?
Sounds like iMangler.

If you open the placement policy and ctrl-a copy it out and paste it here we can insert the block
here and show you.

There were some comments in the post that don't fit in the rules that might have been the issue.
I cleaned them and reposted below as valid XML:

<rule>
  <description>[CIS] Testing placement by mapping table</description>
  <comment name="author" xml:space="preserve">Geoffrey Carman</comment>
  <comment name="version" xml:space="preserve">1</comment>
  <comment name="lastchanged" xml:space="preserve">Mar 21, 2012</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="SRC-DN" scope="policy">
      <arg-string>
        <token-src-dn length="-2"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="DEST-DN" scope="policy">
      <arg-string>
        <token-map default-value="XXYY" dest="dest-dn" src="src-dn" table="Test.Active Directory.AD-TEST.fdny">
          <token-local-variable name="SRC-DN"/>
        </token-map>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable mode="nocase" name="DEST-DN" op="equal">XXYY</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-trace-message disabled="true">
          <arg-string>
            <token-text xml:space="preserve">If we get XXYY back then the DN was not found, either error, or place in a default location. Use a GCV so you can change it later easily, but I want a simple rule to demonstrate so I hard code a string value.</token-text>
          </arg-string>
        </do-trace-message>
        <do-set-op-dest-dn>
          <arg-dn>
            <token-text xml:space="preserve">cn=some,ou=default,ou=placement,dc=container,dc=local</token-text>
          </arg-dn>
        </do-set-op-dest-dn>
      </arg-actions>
      <arg-actions>
        <do-set-op-dest-dn>
          <arg-dn>
            <token-local-variable name="DEST-DN"/>
          </arg-dn>
        </do-set-op-dest-dn>
      </arg-actions>
    </do-if>
  </actions>
</rule>

<rule>
  <description>[CIS] Testing placement by mapping table</description>
  <comment xml:space="preserve">Now all in one line, which is more confusing.</comment>
  <comment name="author" xml:space="preserve">Geoffrey Carman</comment>
  <comment name="version" xml:space="preserve">1</comment>
  <comment name="lastchanged" xml:space="preserve">Mar 21, 2012</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-set-op-dest-dn>
      <arg-dn>
        <token-map default-value="cn=some,ou=default,ou=placement,dc=container,dc=local" dest="dest-dn" src="src-dn" table="SomeTableDN ">
          <token-src-dn length="-2"/>
        </token-map>
      </arg-dn>
    </do-set-op-dest-dn>
  </actions>
</rule>

On 3/21/2012 10:56 AM, pgold wrote:
>
> So I pasted that into the placement policy and got the following xml
> error:
>
> An exception occurred processing the XML
> (com.novell.emframe.dev.PageException: '': (2): element after document
> element).
>
> Does the number indicate the line with the error? If so then it is
> having a problem with the description I think.
>
>
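A pre-paste check for the situation in this exchange, as an added Python example that is not part of the original thread or of any Novell tool: a second top-level element after the root fails to parse (the class of error quoted above), forum annotations inside a rule break it, and a clean rule is inserted as a child of `<policy>`. The sample policy and rules are trimmed, constructed copies of the XML in this thread; the function names and the list of text-bearing elements are assumptions.

```python
import xml.etree.ElementTree as ET

# Elements used in this thread's rules that legitimately carry text.
# Heuristic allowlist (assumption), not the full DirXML Script DTD.
TEXT_OK = {"description", "comment", "token-text", "if-class-name",
           "if-local-variable", "if-global-variable"}


def parses_as_one_document(xml_text):
    """True if xml_text is well-formed with exactly one root element."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def preflight(rule_xml):
    """Return the problems that would stop a pasted <rule> from loading."""
    try:
        rule = ET.fromstring(rule_xml)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    problems = []
    if rule.tag != "rule":
        problems.append(f"root element is <{rule.tag}>, expected <rule>")
    for el in rule.iter():
        text, tail = (el.text or "").strip(), (el.tail or "").strip()
        if text and el.tag not in TEXT_OK:
            problems.append(f"stray text inside <{el.tag}>: {text!r}")
        if tail:
            problems.append(f"stray text after </{el.tag}>: {tail!r}")
    return problems


def insert_rule(policy_xml, rule_xml, position=None):
    """Insert a checked rule under <policy> (appended unless position is given)."""
    problems = preflight(rule_xml)
    if problems:
        raise ValueError("; ".join(problems))
    policy = ET.fromstring(policy_xml)
    if policy.tag != "policy":
        raise ValueError(f"root element is <{policy.tag}>, expected <policy>")
    index = len(policy) if position is None else position
    policy.insert(index, ET.fromstring(rule_xml))
    return ET.tostring(policy, encoding="unicode")


def rule_descriptions(policy_xml):
    """List the <description> of each rule, in evaluation order."""
    return [r.findtext("description") for r in ET.fromstring(policy_xml).findall("rule")]


# Constructed samples, trimmed from the XML posted in this thread.
POLICY = """<policy>
<rule>
<description>placement for all objects</description>
<conditions><and/></conditions>
<actions/>
</rule>
</policy>"""

GOOD_RULE = """<rule>
<description>[CIS] Testing placement by mapping table</description>
<conditions><and><if-class-name mode="nocase" op="equal">User</if-class-name></and></conditions>
<actions>
<do-set-op-dest-dn><arg-dn>
<token-map default-value="cn=some,ou=default,ou=placement,dc=container,dc=local" dest="dest-dn" src="src-dn" table="SomeTableDN">
<token-src-dn length="-2"/>
</token-map>
</arg-dn></do-set-op-dest-dn>
</actions>
</rule>"""

# The same rule with a forum annotation left in, with and without "<<<".
ANNOTATED_RULE = GOOD_RULE.replace(
    "</arg-dn>", "*<<<This would be the destination in AD?*\n</arg-dn>")
STRAY_TEXT_RULE = GOOD_RULE.replace(
    "</arg-dn>", "This would be the destination in AD?\n</arg-dn>")

if __name__ == "__main__":
    print(parses_as_one_document(POLICY + GOOD_RULE))
    print(preflight(ANNOTATED_RULE))
    print(preflight(STRAY_TEXT_RULE))
    print(rule_descriptions(insert_rule(POLICY, GOOD_RULE, position=0)))
```

Where the new rule belongs relative to the existing placement rules is a policy decision, which is why `position` is left to the caller.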


pgold Absent Member.

Re: Error syncing objects from edir to AD


Clearly it does not matter which placement policy, as I tried to paste
it into both and both times the driver would not start. Here is the xml
from the placement policy on the subscriber channel.

<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>placement for all objects</description>
    <comment>All objects are placed in the subtree rooted in the given
    container. By default the Active Directory scoping container and the
    subscriber placement container are the same. You can change this value
    if you want to place objects in a different hierarchy than the one used
    for scoping. Note especially that if you add multiple scoping containers
    to the matching rule, you will likely need to consider multiple base
    containers in this rule. If you change the scoping rules in the matching
    rules of either the publisher or subscriber channel, you should also
    review and change this rule as needed.</comment>
    <conditions>
      <and/>
    </conditions>
    <actions>
      <do-if>
        <arg-conditions>
          <and>
            <if-global-variable mode="nocase" name="drv.subPlacementType" op="equal">flat</if-global-variable>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-set-op-dest-dn>
            <arg-dn>
              <token-src-dn convert="true" length="1" start="-1"/>
              <token-text xml:space="preserve">,</token-text>
              <token-global-variable name="drv.user.container"/>
            </arg-dn>
          </do-set-op-dest-dn>
        </arg-actions>
        <arg-actions>
          <do-set-op-dest-dn>
            <arg-dn>
              <token-op-property name="unmatched-src-dn"/>
              <token-text xml:space="preserve">,</token-text>
              <token-global-variable name="drv.user.container"/>
            </arg-dn>
          </do-set-op-dest-dn>
        </arg-actions>
      </do-if>
    </actions>
  </rule>
  <rule>
    <description>Use Full Name for naming user objects</description>
    <comment>When User Full Name mapping is enabled, the destination
    object name is changed to the user's Full Name</comment>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-global-variable mode="case" name="FullNameMap" op="equal">true</if-global-variable>
      </and>
    </conditions>
    <actions>
      <do-set-op-dest-dn>
        <arg-dn>
          <token-text xml:space="preserve">CN=</token-text>
          <token-escape-for-dest-dn>
            <token-attr name="Full Name"/>
          </token-escape-for-dest-dn>
          <token-text xml:space="preserve">,</token-text>
          <token-dest-dn length="-2"/>
        </arg-dn>
      </do-set-op-dest-dn>
    </actions>
  </rule>
</policy>

