maqsood1 Absent Member.

How to initiate a "<sync>" event after add sub?


NetIQ REST Driver

I have successfully deployed the NetIQ REST driver to a third party REST
webservice. I am synchronizing groups from IDM to the 3rd party webservice.
There are a couple of HTTP commands that need to be fired from the subscriber
after a group is created successfully in the 3rd party webservice.

I can see the result of the successful add event on the publisher channel
and see the status 201 being generated by the 3rd party webservice.

<nds dtdversion="3.0">
<source>
<product build="20161216_0543" version="1.0.0.1">Identity Manager
REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status event-id="REMOVED_INENTIONALLY_#20161228195421#2#1:*"
level="success" type="driver-general">
<driver-operation-data class-name="groups" command="add"
dest-dn="REMOVED_INENTIONALLY_"
event-id="REMOVED_INENTIONALLY_#20161228195421#2#1:*"
src-dn="REMOVED_INENTIONALLY_">
<response method="put" url="">
<url-token custom_associaiton="*" guid="*"/>
<header accept="application/json"
content-type="application/json"/>
<value message="Created"
status="201">{"@odata.context":"https://dev.$$$$.com/v1.0/$metadata#groups/$entity","id":"REMOVED_INENTIONALLY_","classification":null,"createdDateTime":"2016-12-28T19:54:23Z"}</value>
</response>
</driver-operation-data>
<operation-data prop.pub.itp.matached="false"
prop.sub.ctp.description="*" prop.sub.ctp.Guid="*" prop.sub.ctp.name="*"
prop.sub.ctp.owner="*"/>
</status>
</output>
</nds>


Based on the above result document, I have a dirxml policy on the publisher
itp which generates an association for the object on adds.

<rule>
  <description>Check for association -ADD</description>
  <conditions>
    <and>
      <if-operation mode="regex" op="equal">status</if-operation>
      <if-xpath op="true">./driver-operation-data[@command="add"]</if-xpath>
      <if-xpath op="true">self::status[@level = 'success']</if-xpath>
      <if-local-variable mode="nocase" name="responseStatus" op="equal">201</if-local-variable>
    </and>
  </conditions>
  <actions>
    <!-- JSON body returned by the web service -->
    <do-set-local-variable name="responseValue" scope="policy">
      <arg-string>
        <token-xpath expression="./driver-operation-data/response/value"/>
      </arg-string>
    </do-set-local-variable>
    <do-trace-message>
      <arg-string>
        <token-text xml:space="preserve">responseValue => </token-text>
        <token-local-variable name="responseValue"/>
      </arg-string>
    </do-trace-message>
    <!-- groupid -->
    <!-- keep what follows "id": in the body -->
    <do-set-local-variable name="getId" scope="policy">
      <arg-string>
        <token-xpath expression="substring-after($responseValue,'&quot;id&quot;:')"/>
      </arg-string>
    </do-set-local-variable>
    <!-- cut at the next comma -->
    <do-set-local-variable name="getId" scope="policy">
      <arg-string>
        <token-xpath expression="substring-before($getId,',')"/>
      </arg-string>
    </do-set-local-variable>
    <!-- strip the surrounding double quotes -->
    <do-set-local-variable name="getId" scope="policy">
      <arg-string>
        <token-replace-all regex='"' replace-with="">
          <token-local-variable name="getId"/>
        </token-replace-all>
      </arg-string>
    </do-set-local-variable>
    <do-trace-message>
      <arg-string>
        <token-text xml:space="preserve">GROUP ID => </token-text>
        <token-local-variable name="getId"/>
      </arg-string>
    </do-trace-message>
    <do-add-association>
      <arg-dn>
        <token-local-variable name="getDN"/>
      </arg-dn>
      <arg-association>
        <token-local-variable name="getId"/>
      </arg-association>
    </do-add-association>
  </actions>
</rule>


How would I initiate an extra "<sync>" event on the subscriber channel
after the association is successfully created, so that I can fire extra HTTP
commands from the subscriber channel to a group which already exists in the
API?

Regards,

Maqsood.


--
maqsood
------------------------------------------------------------------------
maqsood's Profile: https://forums.netiq.com/member.php?userid=2617
View this thread: https://forums.netiq.com/showthread.php?t=57117

Re: How to initiate a "<sync>" event after add sub?

maqsood wrote:

> How would I initiate an extra "<sync>" event on the subscriber channel
> after the association is successfully created, so that I can fire extra HTTP
> commands from the subscriber channel to a group which already exists in the
> API?


You could use a call to
http://developer.novell.com/documentation/dirxml/dirxmlbk/ref/javadocs/com/novell/nds/dirxml/util/DxCommand.html
to queue an event or
http://www.novell.com/documentation/developer/dirxml/dirxmlbk/ref/javadocs/com/novell/nds/dirxml/driver/XdsCommandProcessor.html
to execute a command directly.
You could also trigger a migrate by modifying the association through a
sideband connection (e.g. via some ECMAScript implementation of ldapmodify) or
by enabling publisher loopback (through an ECV). Or you set a trigger
attribute, which a different driver reacts to and removes, which your REST
driver sees and triggers the extra stuff.

Why don't you "fire extra HTTP commands" from the same policy that generates
the association, though?


--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management

Re: How to initiate a "<sync>" event after add sub?

Lothar Haeger <lothar.haeger@is4it.de> wrote:
>
>
>


All good suggestions from Lothar, What we use is to call a script/JAR that
queues the sync event in the driver's cache. We have found this to work
nicely.

>
> Why don't you "fire extra HTTP commands" from the same policy that generates
> the association, though?
>
>


1. Getting the channel write-back operation to be correctly processed by
the existing output transformations and the status you've correctly
processed by the input ones can be tricky in some scenarios. The engine
expects that you are already in app namespace.

2. Some shims don't properly handle requests like this. (Scripting comes to
mind here)

--
If you find this post helpful and are logged into the web interface, show
your appreciation and click on the star below...

Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.

Re: How to initiate a "<sync>" event after add sub?

Alex Mchugh wrote:

> Lothar Haeger <lothar.haeger@is4it.de> wrote:
> >

>
> All good suggestions from Lothar, What we use is to call a script/JAR
> that queues the sync event in the driver's cache. We have found this
> to work nicely.
>


To be more precise, what we use is an ECMAScript version of this (the
Java source code is in the JAR)

https://www.netiq.com/communities/cool-solutions/cool_tools/sending-xds-message-one-driver-another/
Alex McHugh - Knowledge Partner - Stavanger, Norway
maqsood1 Absent Member.

Re: How to initiate a "<sync>" event after add sub?


Aha.. thanks folks for the good tips.

btw just wondering, is it possible to send operation-data back to the shim
from the pub itp, would it work? (this would be a cleaner approach)
to my challenge.


regards,
Maqsood.

alexmchugh;273557 Wrote:
> Alex Mchugh wrote:
>
> > Lothar Haeger <lothar.haeger@is4it.de> wrote:
> > >

> >
> > All good suggestions from Lothar, What we use is to call a script/JAR
> > that queues the sync event in the driver's cache. We have found this
> > to work nicely.
> >

>
> To be more precise, what we use is an ECMAScript version of this (the
> Java source code is in the JAR)
>
> http://tinyurl.com/pq4kzd4




Re: How to initiate a "<sync>" event after add sub?

maqsood wrote:

>
> Aha.. thanks folks for the good tips.
>
> btw just wondering, is it possible to send operation-data back to the shim
> from the pub itp, would it work? (this would be a cleaner
> approach) to my challenge.



you mean driver-operation-data, not operation-data.


Also just to be pedantic, itp, schema mapping and otp are not
exclusively part of pub or sub channel/threads.

For clarification, take a look at
https://www.netiq.com/documentation/idm402/idm_overview/data/b1019czu.html

(On a side note, I really wish the IDM Doc writers hadn't dropped this
part of the IDM documentation as part of the 4.5 documentation
cleanup/reorg. Maybe we should start a petition or something to get it
added back in)


Finally, this excellent article by Fernando
https://www.netiq.com/communities/cool-solutions/comprehending-idm-traces-part-2/

Explains why you can do what you ask for but you need to be careful and
you end up re-implementing a lot of the output translation logic in
your input policy that kicks this off.

That is why for drivers with extensive translation processor logic in
the I prefer to trigger a new sync on the subscriber channel instead.
Alex McHugh - Knowledge Partner - Stavanger, Norway

Re: How to initiate a "<sync>" event after add sub?

Alex McHugh wrote:

> Also just to be pedantic, itp, schema mapping and otp are not
> exclusively part of pub or sub channel/threads.


Exactly, because itp, otp and schema mapping are exclusively part of pub AND
sub channels/threads as there are two instances of each of these policy sets
running, one per channel/thread. The $fromNds driver scope variable lets you
find out in policy in which one it is currently being executed. At least that's
how I understood the engine architecture.

--
http://www.is4it.de/en/solution/identity-access-management/

maqsood1 Absent Member.

Re: How to initiate a "<sync>" event after add sub?


Well, I know lots of this stuff you shared already, so thanks for the links
anyway.

Well, I tried to inject an XDS command but my whole driver hung! And I had to
do "service ndsd restart" to put life back into my driver.

This is what I have in my XDS injection policies:

xmlns:dircmd="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.cmd.DriverCmd"

<do-set-local-variable name="lv-driverdn" scope="policy">
  <arg-string>
    <token-global-variable name="dirxml.auto.driverdn"/>
  </arg-string>
</do-set-local-variable>
<do-set-local-variable name="lv-groupdn" scope="policy">
  <arg-string>
    <token-op-property name="prop.pub.itp.operation.DN"/>
  </arg-string>
</do-set-local-variable>
<!-- XDS document to send; the markup inside token-text must be escaped -->
<do-set-local-variable name="lv-cmd" scope="policy">
  <arg-node-set>
    <token-xml-parse>
      <token-text xml:space="preserve">&lt;nds&gt;
&lt;input&gt;
&lt;sync class-name="Group" src-dn="$lv-groupdn$"/&gt;
&lt;/input&gt;
&lt;/nds&gt;</token-text>
    </token-xml-parse>
  </arg-node-set>
</do-set-local-variable>
<do-trace-message>
  <arg-string>
    <token-text xml:space="preserve">QUEUE EVENT ON THIS DRIVER ==> </token-text>
    <token-local-variable name="lv-cmd"/>
  </arg-string>
</do-trace-message>
<!-- sendDriverCommand submits the document as a command to this same driver -->
<do-set-local-variable name="lv-sendquery" scope="policy">
  <arg-node-set>
    <token-xpath expression="dircmd:sendDriverCommand($lv-driverdn, $lv-cmd/nds)"/>
  </arg-node-set>
</do-set-local-variable>
<do-set-local-variable name="lv-checkquery" scope="policy">
  <arg-node-set>
    <token-xml-serialize>
      <token-local-variable name="lv-sendquery"/>
    </token-xml-serialize>
  </arg-node-set>
</do-set-local-variable>
<do-trace-message>
  <arg-string>
    <token-text xml:space="preserve">QUEUE EVENT RESULT => </token-text>
    <token-xpath expression="$lv-sendquery/nds/output/instance/@src-dn"/>
  </arg-string>
</do-trace-message>


Re: How to initiate a "<sync>" event after add sub?

maqsood wrote:

>
> Well, I know lots of this stuff you shared already, so thanks for the links
> anyway.
>
> Well, I tried to inject an XDS command but my whole driver hung! And I had
> to do "service ndsd restart" to put life back into my driver.
>



1. You can't use sendDriverCommand here (chicken and egg issue), that
is why I linked to the JAR that implements sendQueueEvent (which
doesn't wait for the result, just queues the event).
2. I build the xds sync command in a different manner, also include
association value (which you should have obtained by this point)
3. The engine is sensitive to the xds sync command and any malformed or
incomplete XML documents may potentially hang the engine. It's wise to
put lots of error checking in there.


Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
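
Points 2 and 3 of the post above (include the association value, and check every input before a sync document goes anywhere near the engine), as an added example that is not part of the thread and is not NetIQ or Cool Solutions code. The function names and sample values are hypothetical, the placement of `<association>` as a child of `<sync>` is an assumption to verify against the NDS DTD for your engine version, and the code only builds and validates the document; queuing it is left to whichever mechanism the thread discusses.

```javascript
// Added example, not code from the thread. ES5 syntax only; every function
// name and sample value below is constructed for illustration.

// Read "id" from the JSON body returned with the 201 status. Parsing the JSON
// still works when "id" is the last member (no trailing comma) or when a
// value contains a comma, where substring-before/after would return a wrong
// or empty string. Returns '' if the body is not JSON or has no usable id.
function extractGroupId(responseValue) {
  var parsed;
  try {
    parsed = JSON.parse(String(responseValue));
  } catch (e) {
    return '';
  }
  if (parsed === null || typeof parsed !== 'object') { return ''; }
  if (typeof parsed.id !== 'string' && typeof parsed.id !== 'number') { return ''; }
  return String(parsed.id).replace(/^\s+|\s+$/g, '');
}

// Escape the characters that could break out of an attribute or element.
function xmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Characters that XML 1.0 does not allow anywhere in a document.
var XML_ILLEGAL = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]/;

// Build the <sync> document as a string. Returns '' when any input is missing,
// blank or contains illegal characters, so the caller can refuse to queue.
// Assumed shape: <association> as a child of <sync>.
function buildSyncDocument(className, srcDn, association) {
  var values = [className, srcDn, association];
  for (var i = 0; i < values.length; i++) {
    if (typeof values[i] !== 'string') { return ''; }
    if (values[i].replace(/\s+/g, '') === '') { return ''; }
    if (XML_ILLEGAL.test(values[i])) { return ''; }
  }
  return '<nds dtdversion="3.0"><input>' +
    '<sync class-name="' + xmlEscape(className) +
    '" src-dn="' + xmlEscape(srcDn) + '">' +
    '<association>' + xmlEscape(association) + '</association>' +
    '</sync></input></nds>';
}

// Constructed sample modelled on the response in the first post, with "id"
// moved to the end so that no comma follows it.
var SAMPLE_BODY = '{"@odata.context":"https://example.invalid/v1.0/$metadata#groups/$entity",' +
  '"classification":null,"createdDateTime":"2016-12-28T19:54:23Z","id":"constructed-id-0001"}';

function demo() {
  var id = extractGroupId(SAMPLE_BODY);
  return buildSyncDocument('Group', 'cn=R&D,ou=groups,o=data', id);
}
```

An empty return value from either function is the signal to stop and trace an error instead of queuing anything.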

Re: How to initiate a "<sync>" event after add sub?

Alex McHugh wrote:

> 1. You can't use sendDriverCommand here (chicken and egg issue)


Right, so scratch my suggestion to send a modify instead of a sync. You are
already in the subscriber channel and another command cannot be executed until
the current one has been finished.

--
http://www.is4it.de/en/solution/identity-access-management/


Re: How to initiate a "<sync>" event after add sub?

maqsood wrote:

> I tried to inject an XDS command but my whole driver hung!


You did not inject an event into the driver cache but you told the driver to
execute your XDS as a command i.e. process it starting with the first command
transform policy. <sync> events are not meant to be processed as commands,
usually the engine converts them to modifies or adds before further processing.
In short: either use DxCommand with the -queueevent option to queue a <sync>
event for the driver or submit a <modify> command to your driver with the
DriverCmd class as you tried.

--
http://www.is4it.de/en/solution/identity-access-management/


Re: How to initiate a "<sync>" event after add sub?

On 12/29/2016 5:14 AM, Alex McHugh wrote:
> maqsood wrote:
>
>>
>> Aha.. thanks folks for the good tips.
>>
>> btw just wondering, is it possible to send operation-data back to the shim
>> from the pub itp, would it work? (this would be a cleaner
>> approach) to my challenge.

>
>
> you mean driver-operation-data, not operation-data.


This change is also fairly new for some shims. The issue was that
operation-data is removed before being submitted to the shim, whereas
driver-operation-data is not, and thus is available for the shim to use.



>
> Also just to be pedantic, itp, schema mapping and otp are not
> exclusively part of pub or sub channel/threads.
>
> For clarification, take a look at
> https://www.netiq.com/documentation/idm402/idm_overview/data/b1019czu.html
>
> (On a side note, I really wish the IDM Doc writers hadn't dropped this
> part of the IDM documentation as part of the 4.5 documentation
> cleanup/reorg. Maybe we should start a petition or something to get it
> added back in)


Agreed! I shall stay out of it, since I seem to have the negative
influence when I try to get the doc writers to do stuff.

>
> Finally, this excellent article by Fernando
> https://www.netiq.com/communities/cool-solutions/comprehending-idm-traces-part-2/


Fernando's series here is truly excellent and well worth reading! Highly
recommended!


cpedersen Outstanding Contributor.

Re: How to initiate a "<sync>" event after add sub?

On 29/12/2016 21:34, Geoffrey Carman wrote:
>> you mean driver-operation-data, not operation-data.

>
> This change is also fairly new for some shims. The issue was that
> operation-data is removed before being submitted to the shim, whereas
> driver-operation-data is not, and thus is available for the shim to use.


Are you sure about that?

To my knowledge the drivers are still responsible for the copy/paste of
the operation-data (which is not used by the driver), but
driver-operation-data is used by the driver, like with Soap, Rest, and
so on.

I have not seen any change to the engine in this respect.

Casper

Re: How to initiate a "<sync>" event after add sub?

On 12/30/2016 4:01 AM, Casper Pedersen wrote:
> On 29/12/2016 21:34, Geoffrey Carman wrote:
>>> you mean driver-operation-data, not operation-data.

>>
>> This change is also fairly new for some shims. The issue was that
>> operation-data is removed before being submitted to the shim, whereas
>> driver-operation-data is not, and thus is available for the shim to use.

>
> Are you sure about that?
>
> To my knowledge the drivers are still responsible for the copy/paste of
> the operation-data (which is not used by the driver), but
> driver-operation-data is used by the driver, like with Soap, Rest, and
> so on.
>
> I have not seen any change to the engine in this respect.


Perhaps I phrased it wrong.

When an op is submitted to the shim by the engine the op-data is removed
and restored to the response. The driver-op-data is passed through to
the shim to use.


cpedersen Outstanding Contributor.

Re: How to initiate a "<sync>" event after add sub?

On 30/12/2016 13:00, Geoffrey Carman wrote:
> On 12/30/2016 4:01 AM, Casper Pedersen wrote:
>> On 29/12/2016 21:34, Geoffrey Carman wrote:
>>>> you mean driver-operation-data, not operation-data.
>>>
>>> This change is also fairly new for some shims. The issue was that
>>> operation-data is removed before being submitted to the shim, whereas
>>> driver-operation-data is not, and thus is available for the shim to use.

>>
>> Are you sure about that?
>>
>> To my knowledge the drivers are still responsible for the copy/paste of
>> the operation-data (which is not used by the driver), but
>> driver-operation-data is used by the driver, like with Soap, Rest, and
>> so on.
>>
>> I have not seen any change to the engine in this respect.

>
> Perhaps I phrased it wrong.
>
> When an op is submitted to the shim by the engine the op-data is removed
> and restored to the response. The driver-op-data is passed through to
> the shim to use.


<thumbs>
