6423241

Commodore
2018-07-18
18:22
426 views
Inconsistent behavior from rule
Hello,
I have a rule in the publisher channel event transform policy of an AD driver which moves a user account within Active Directory based on certain criteria. One of the criteria is called "OSUrelationshipExpires", and this is not functioning consistently. The rule sets a local variable to current time, and compares OSUrelationshipExpires to that. It works less than half the time, and I can find no rhyme or reason why it fails.
The policy is:
<rule>
  <description>Move DocLink Users</description>
  <conditions>
    <and>
      <if-class-name mode="case" op="equal">OSUpersonRelationship</if-class-name>
      <if-attr mode="case" name="OSUguestRole" op="equal">DOCL</if-attr>
    </and>
  </conditions>
  <actions>
    <!-- lv-now: the current time as CTIME (seconds since the epoch), UTC -->
    <do-set-local-variable name="lv-now" notrace="true" scope="policy">
      <arg-string>
        <token-time format="!CTIME" tz="UTC"/>
      </arg-string>
    </do-set-local-variable>
    <do-trace-message level="1">
      <arg-string>
        <token-text xml:space="preserve">Value of local variable 'lv-now' is </token-text>
        <token-local-variable name="lv-now"/>
      </arg-string>
    </do-trace-message>
    <do-trace-message level="1">
      <arg-string>
        <token-text xml:space="preserve">Value of OSUrelationshipExpires is </token-text>
        <token-attr name="OSUrelationshipExpires"/>
      </arg-string>
    </do-trace-message>
    <!-- the comparison in question: OSUrelationshipExpires greater than lv-now -->
    <do-if>
      <arg-conditions>
        <and>
          <if-attr mode="nocase" name="OSUrelationshipExpires" op="gt">$lv-now$</if-attr>
        </and>
      </arg-conditions>
      <arg-actions>
        <!-- query the src datastore under the idv.dit.data.users container for the object with the same OSUidmId -->
        <do-set-local-variable name="lv-ObjMC" scope="policy">
          <arg-node-set>
            <token-query datastore="src" notrace="true">
              <arg-dn>
                <token-global-variable name="idv.dit.data.users"/>
              </arg-dn>
              <arg-match-attr name="OSUidmId">
                <arg-value type="string">
                  <token-attr name="OSUidmId"/>
                </arg-value>
              </arg-match-attr>
              <arg-string>
                <token-text xml:space="preserve">Login Disabled</token-text>
              </arg-string>
              <arg-string>
                <token-text xml:space="preserve">CN</token-text>
              </arg-string>
            </token-query>
          </arg-node-set>
        </do-set-local-variable>
        <do-trace-message level="3">
          <arg-string>
            <token-text xml:space="preserve">lv-ObjMC : </token-text>
            <token-xml-serialize>
              <token-local-variable name="lv-ObjMC"/>
            </token-xml-serialize>
          </arg-string>
        </do-trace-message>
        <do-set-local-variable name="lv-MCCN" scope="policy">
          <arg-string>
            <token-xpath expression="$lv-ObjMC//attr[@attr-name='CN']/value/text()"/>
          </arg-string>
        </do-set-local-variable>
        <!-- find the account in the dest datastore whose sAMAccountName matches that CN -->
        <do-set-local-variable name="lv-ObjADuser" scope="policy">
          <arg-node-set>
            <token-query datastore="dest" notrace="true">
              <arg-match-attr name="sAMAccountName">
                <arg-value type="string">
                  <token-local-variable name="lv-MCCN"/>
                </arg-value>
              </arg-match-attr>
              <arg-string>
                <token-text xml:space="preserve">Login Disabled</token-text>
              </arg-string>
              <arg-string>
                <token-text xml:space="preserve">CN</token-text>
              </arg-string>
            </token-query>
          </arg-node-set>
        </do-set-local-variable>
        <do-set-local-variable name="lv-ADDN" scope="policy">
          <arg-string>
            <token-xpath expression="$lv-ObjADuser//@src-dn"/>
          </arg-string>
        </do-set-local-variable>
        <!-- move only when the query returned a DN -->
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable mode="regex" name="lv-ADDN" op="equal">.+</if-local-variable>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-move-dest-object direct="true">
              <arg-dn>
                <token-local-variable name="lv-ADDN"/>
              </arg-dn>
              <arg-dn>
                <token-global-variable name="DocLinkOU"/>
              </arg-dn>
            </do-move-dest-object>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
      <arg-actions/>
    </do-if>
  </actions>
</rule>
Two user accounts were created yesterday -- within two minutes of each other -- that should have triggered this rule, as both have OSUrelationshipExpires set to 7/17/2019. One behaved as expected, but the other failed.
The trace for the failure (cn STE237) is here: https://pastebin.com/MtTEZi6p .
Can anyone offer an explanation, and/or a suggestion for preventing this?
Thanks
3 Replies


Knowledge Partner
2018-07-18
19:38
Are you sure this works at all? If this is on the MAD driver's Publisher channel, it looks like you have source and destination backwards. You're querying for data in "source" using a GCV that would normally point to an eDirectory object:
<token-query datastore="src" notrace="true">
<arg-dn>
<token-global-variable name="idv.dit.data.users"/>
</arg-dn>
Then you're doing a move in "destination":
<do-move-dest-object direct="true">
which for the Publisher, would be eDirectory.
Your trace seems to show this all being on the Subscriber channel, which would make more sense. I don't see that it ever fires for making a <move>, but it does seem to fail on the <add> being sent to the attached MAD, followed by a couple of <modify> that also fail, because there is no such object.
Reading through the trace, it seems to fall apart here:
[07/17/18 14:35:22.387]:AD-OSUMC ST: Action: do-set-local-variable("lv-ObjADuser",scope="policy",arg-node-set(token-query(datastore="dest",notrace="true",arg-match-attr("sAMAccountName",token-local-variable("lv-MCCN")),"Login Disabled","CN"))).
[07/17/18 14:35:22.387]:AD-OSUMC ST: arg-node-set(token-query(datastore="dest",notrace="true",arg-match-attr("sAMAccountName",token-local-variable("lv-MCCN")),"Login Disabled","CN"))
[07/17/18 14:35:22.387]:AD-OSUMC ST: token-query(datastore="dest",notrace="true",arg-match-attr("sAMAccountName",token-local-variable("lv-MCCN")),"Login Disabled","CN")
[07/17/18 14:35:22.392]:AD-OSUMC :Remote Interface Driver: Received.
[07/17/18 14:35:22.392]:AD-OSUMC :
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20170106_120000" instance="\ID1\OSUMC\Drivers\edirIDv1\AD-OSUMC" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="0" level="success"/>
</output>
</nds>
You might remove that "notrace", so you can see what's happening there. Because whatever it was supposed to find, it didn't find, the conditions for your move were not met, and the <move> doesn't happen.
6423241

Commodore
2018-07-18
19:47
Like I said, there were two objects created within minutes of each other. The rule triggered and operated correctly for one, but not the other. I will post the driver trace if I can get it pared down to a size that pastebin will accept.
The part that I see failing is the "if 'OSUrelationshipExpires' is greater than 'now'" condition.
I did err when I said publisher channel. It's actually in the ETP of the subscriber channel.
Thanks


Knowledge Partner
2018-07-18
20:04
Yeah, that fails too, but that's earlier. Looks like you have at least one other driver or something going on in the background, which is filling in attributes as it goes. Skip past that, and keep going. It fails later to get what it needs from the query.
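As an added illustration (not code from the thread, and a Python model rather than DirXML Script): evaluating the rule's "OSUrelationshipExpires gt $lv-now$" condition over constructed event documents shows how the outcome flips when the attribute is absent at the moment the rule runs (written later by another process, as the last reply suggests) or is stored in a format other than CTIME. The comparison semantics modelled here (any-value match, string comparison under nocase, numeric comparison under numeric, false when there are no values) are my reading of DirXML Script and are an assumption; the sample values and the lv-now value are constructed.

```python
"""Model of <if-attr mode="nocase" name="OSUrelationshipExpires" op="gt">$lv-now$</if-attr>
over constructed event documents. The comparison semantics below are an assumption
about DirXML Script, not something the thread states."""
import calendar
import time

def ctime_utc(mdy):
    """'M/D/YYYY' -> seconds since the epoch at 00:00 UTC, the form that
    token-time format="!CTIME" tz="UTC" produces for lv-now."""
    return calendar.timegm(time.strptime(mdy, "%m/%d/%Y"))

def _as_number(value):
    try:
        return float(value)
    except ValueError:
        return None

def if_attr_gt(values, threshold, mode="nocase"):
    """Assumed semantics: true if ANY value is greater than the condition text.
    case/nocase compare as strings; numeric compares as numbers and skips values
    that are not numbers. No values at all -> false (the attribute is absent)."""
    if mode == "numeric":
        limit = _as_number(threshold)
        return any(n is not None and n > limit for n in map(_as_number, values))
    if mode == "nocase":
        return any(str(v).lower() > str(threshold).lower() for v in values)
    return any(str(v) > str(threshold) for v in values)

# Constructed lv-now: the trace in the thread is from 17 July 2018.
LV_NOW = str(ctime_utc("07/17/2018"))
# Constructed event documents: the values token-attr sees when the rule runs.
SAMPLE_EVENTS = {
    "expires-as-ctime":        {"OSUrelationshipExpires": [str(ctime_utc("07/17/2019"))]},
    "expires-not-yet-written": {},  # written later by another process, so absent now
    "expires-as-mdy-text":     {"OSUrelationshipExpires": ["7/17/2019"]},
    "expired-as-ctime":        {"OSUrelationshipExpires": [str(ctime_utc("01/01/2017"))]},
}

def evaluate(events, now=LV_NOW):
    """Return {event name: (result with mode=nocase, result with mode=numeric)}."""
    results = {}
    for name, attrs in events.items():
        values = attrs.get("OSUrelationshipExpires", [])
        results[name] = (if_attr_gt(values, now, "nocase"),
                         if_attr_gt(values, now, "numeric"))
    return results

if __name__ == "__main__":
    for name, (nocase, numeric) in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:24s} nocase={nocase!s:5s} numeric={numeric}")
```

The "expires-as-mdy-text" row is the one to watch: under nocase a text date compares as a string and looks "greater" than a CTIME purely by its first character, while under numeric it never matches, so the two modes disagree.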