Big news! The community will be moving to a new platform April 21. Read more.
Big news! The community will be moving to a new platform April 21. Read more.
Absent Member.
Absent Member.
1575 views

How to evaluate query result from multi-value attribute


I am sure this has been answered before but "Search Forums" doesn't
yield to much positive result...so I am going to ask again.

Working on querying an attribute called directReports, which is
multivalued in AD. I am not sure how to put it inside a variable and
use a for-each loop to interprete/manipulate each value based of the
result of the query (assuming it is called output doc). For example, it
will provide a trace when there is something in directReports attribute,
and I have tried the following:

<do-set-local-variable name="DirectReports" scope="policy">
<arg-node-set>
<token-src-attr name="directReports"/>
</arg-node-set>
</do-set-local-variable>

<do-for-each>
<arg-node-set>
<token-xpath expression="$DirectReports//instance"/>
</arg-node-set>
<arg-actions>
<do-trace-message>
<arg-string>
<token-xpath
expression='$DirectReports/attr[@attr-name="directReports"]/value'/>
</arg-string>
</do-trace-message>
<do-trace-message>
<arg-string>
<token-text xml:space="preserve">dumbTrace</token-text>
</arg-string>
</do-trace-message>
</arg-actions>
</do-for-each>

Based on the trace, it came back with empty token value and will not
loop...I must be making a very silly mistake or my knowledge on token is
a bit weak... But please help correct me...Thank you very much.


--
vzlchan
------------------------------------------------------------------------
vzlchan's Profile: https://forums.netiq.com/member.php?userid=4473
View this thread: https://forums.netiq.com/showthread.php?t=53405

Labels (1)
0 Likes
5 Replies
Knowledge Partner Knowledge Partner
Knowledge Partner

On 4/28/2015 5:30 PM, vzlchan wrote:
>
> I am sure this has been answered before but "Search Forums" doesn't
> yield to much positive result...so I am going to ask again.
>
> Working on querying an attribute called directReports, which is
> multivalued in AD. I am not sure how to put it inside a variable and
> use a for-each loop to interprete/manipulate each value based of the
> result of the query (assuming it is called output doc). For example, it
> will provide a trace when there is something in directReports attribute,
> and I have tried the following:
>
> <do-set-local-variable name="DirectReports" scope="policy">
> <arg-node-set>
> <token-src-attr name="directReports"/>
> </arg-node-set>
> </do-set-local-variable>
>
> <do-for-each>
> <arg-node-set>
> <token-xpath expression="$DirectReports//instance"/>
> </arg-node-set>
> <arg-actions>
> <do-trace-message>
> <arg-string>
> <token-xpath
> expression='$DirectReports/attr[@attr-name="directReports"]/value'/>
> </arg-string>
> </do-trace-message>
> <do-trace-message>
> <arg-string>
> <token-text xml:space="preserve">dumbTrace</token-text>
> </arg-string>
> </do-trace-message>
> </arg-actions>
> </do-for-each>
>
> Based on the trace, it came back with empty token value and will not
> loop...I must be making a very silly mistake or my knowledge on token is
> a bit weak... But please help correct me...Thank you very much.


Your issue is an understanding of what the Source Attr/Dest Attr/Op
Attr/Attr tokens return, vs a Query tokens result. It is confusing
since the query can look identical, the result identical, but the
nodeset in the variable very different.

As silly as it sounds, it is just loop over the varibale DirectReports,
using the XPATH is fine, or the Local Variable token is fine as well.

Then current-node is the value.

I have written about this several times. Specifically here:

http://www.novell.com/communities/node/5818/different-attribute-options-identity-manager
http://www.novell.com/communities/node/5920/ism-more-thoughts-sourcedestinationoperation-attribute-tokens-identity-manager
http://www.novell.com/communities/node/4906/the-query-token-identity-manager


And I have a series on things beginners need to know about IDM. (Start
at the last one, for a table of contents of the 11 articles to see if
there is a topic that interests you).

https://www.netiq.com/communities/cool-solutions/common-mistakes-newcomers-idm-make-part-1/
http://www.novell.com/communities/node/13057/common-mistakes-newcomers-idm-make-part-2
http://www.novell.com/communities/node/13058/common-mistakes-newcomers-idm-make-part-3
http://www.novell.com/communities/node/13125/common-mistakes-newcomers-idm-make-part-4
http://www.novell.com/communities/node/13126/common-mistakes-newcomers-idm-make-part-5
http://www.novell.com/communities/node/13302/common-mistakes-newcomers-idm-make-part-6
http://www.novell.com/communities/node/13316/common-mistakes-newcomers-idm-make-part-7
http://www.novell.com/communities/node/13347/common-mistakes-newcomers-idm-make-part-8
http://www.novell.com/communities/node/13383/common-mistakes-newcomers-idm-make-part-9
http://www.novell.com/communities/node/13486/common-mistakes-newcomers-idm-make-part-10
http://www.netiq.com/communities/coolsolutions/common-mistakes-newcomers-to-idm-make-part-11/


0 Likes
Knowledge Partner Knowledge Partner
Knowledge Partner

When you put a nodeset in a foreach loop you can access the current node
with the $current-node local variable (NOT $current-value, which is only
used relative to the reformat-op-attr token). See if that works for you.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Knowledge Partner Knowledge Partner
Knowledge Partner

ab wrote:

> When you put a nodeset in a foreach loop you can access the current node
> with the $current-node local variable


Anf there's no need to read directReports into a variable first, just loop over
token-src-attr directly:

<do-for-each>
<arg-node-set>
<token-src-attr name="directReports"/>
</arg-node-set>
<arg-actions>
<do-trace-message>
<arg-string>
<token-local-variable name="current-node"/>
</arg-string>
</do-trace-message>
</arg-actions>
</do-for-each>

If you feel like using a variable, though, $DirectReports//instance will not
work, but you can use either of the following:

<do-for-each>
<arg-node-set>
<token-local-variable name="DirectReports"/>
</arg-node-set>
<arg-actions>
<do-trace-message>
<arg-string>
<token-text xml:space="preserve">$current-node$</token-text>
</arg-string>
</do-trace-message>
</arg-actions>
</do-for-each>


<do-for-each>
<arg-node-set>
<token-xpath expression="$DirectReports"/>
</arg-node-set>
<arg-actions>
<do-trace-message>
<arg-string>
<token-text xml:space="preserve">$current-node$</token-text>
</arg-string>
</do-trace-message>
</arg-actions>
</do-for-each>

Designer's simulator makes it easy to test scenarios like this without the
overhead of deploy/restart driver/simulate event/cleanup etc.
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Knowledge Partner Knowledge Partner
Knowledge Partner

Lothar Haeger wrote:

> $DirectReports//instance will not work


Why is this?

Because token-src-attr does not return instance nodes (those would be one
instance per object, not one per value of an object's attribute) but just the
value nodes. Good to see in trace:

test : Action:
do-set-local-variable("DirectReports",scope="policy",arg-node-set(token-src-attr
("directReports"))).
test : arg-node-set(token-src-attr("directReports"))
test : token-src-attr("directReports")
test : Query from policy
test :
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product version="?.?.?.?">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query class-name="User" dest-dn="o=dirXML Test\ou=Users\cn=User1"
scope="entry">
<read-attr attr-name="directReports"/>
</query>
</input>
</nds>
test : Query from policy result
test :
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product version="?.?.?.?">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance class-name="User" src-dn="data\user1">
<association>123</association>
<attr attr-name="directReports">
<value type="dn">data\user2</value>
<value type="dn">data\user3</value>
<value type="dn">data\user4</value>
</attr>
</instance>
</output>
</nds>
test : Token Value: {<value> @type = "dn",<value> @type = "dn",<value>
@type = "dn"}.
test : Arg Value: {<value> @type = "dn",<value> @type = "dn",<value>
@type = "dn"}.

Now when you try to loop over instance subnodes of your variable you get an
empty nodeset as argument:

test : Action:
do-for-each(arg-node-set(token-xpath("$DirectReports//instance"))).
test : arg-node-set(token-xpath("$DirectReports//instance"))
test : token-xpath("$DirectReports//instance")
test : Token Value: {}.
test : Arg Value: {}.

While looping over the plain variable looks better:

test : Action:
do-for-each(arg-node-set(token-local-variable("DirectReports"))).
test : arg-node-set(token-local-variable("DirectReports"))
test : token-local-variable("DirectReports")
test : Token Value: {<value> @type = "dn",<value> @type = "dn",<value>
@type = "dn"}.
test : Arg Value: {<value> @type = "dn",<value> @type = "dn",<value>
@type = "dn"}.
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Absent Member.
Absent Member.


Thank you very much...works perfectly...


--
vzlchan
------------------------------------------------------------------------
vzlchan's Profile: https://forums.netiq.com/member.php?userid=4473
View this thread: https://forums.netiq.com/showthread.php?t=53405

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.