6423241 Super Contributor.

Inconsistent behavior from rule

Hello,

I have a rule in the publisher channel event transform policy of an AD driver which moves a user account within Active Directory based on certain criteria. One of the criteria is called "OSUrelationshipExpires", and this is not functioning consistently. The rule sets a local variable to current time, and compares OSUrelationshipExpires to that. It works less than half the time, and I can find no rhyme or reason why it fails.

The policy is:


<rule>
  <description>Move DocLink Users</description>
  <conditions>
    <and>
      <if-class-name mode="case" op="equal">OSUpersonRelationship</if-class-name>
      <if-attr mode="case" name="OSUguestRole" op="equal">DOCL</if-attr>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="lv-now" notrace="true" scope="policy">
      <arg-string>
        <token-time format="!CTIME" tz="UTC"/>
      </arg-string>
    </do-set-local-variable>
    <do-trace-message level="1">
      <arg-string>
        <token-text xml:space="preserve">Value of local variable 'lv-now' is </token-text>
        <token-local-variable name="lv-now"/>
      </arg-string>
    </do-trace-message>
    <do-trace-message level="1">
      <arg-string>
        <token-text xml:space="preserve">Value of OSUrelationshipExpires is </token-text>
        <token-attr name="OSUrelationshipExpires"/>
      </arg-string>
    </do-trace-message>
    <do-if>
      <arg-conditions>
        <and>
          <if-attr mode="nocase" name="OSUrelationshipExpires" op="gt">$lv-now$</if-attr>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-local-variable name="lv-ObjMC" scope="policy">
          <arg-node-set>
            <token-query datastore="src" notrace="true">
              <arg-dn>
                <token-global-variable name="idv.dit.data.users"/>
              </arg-dn>
              <arg-match-attr name="OSUidmId">
                <arg-value type="string">
                  <token-attr name="OSUidmId"/>
                </arg-value>
              </arg-match-attr>
              <arg-string>
                <token-text xml:space="preserve">Login Disabled</token-text>
              </arg-string>
              <arg-string>
                <token-text xml:space="preserve">CN</token-text>
              </arg-string>
            </token-query>
          </arg-node-set>
        </do-set-local-variable>
        <do-trace-message level="3">
          <arg-string>
            <token-text xml:space="preserve">lv-ObjMC : </token-text>
            <token-xml-serialize>
              <token-local-variable name="lv-ObjMC"/>
            </token-xml-serialize>
          </arg-string>
        </do-trace-message>
        <do-set-local-variable name="lv-MCCN" scope="policy">
          <arg-string>
            <token-xpath expression="$lv-ObjMC//attr[@attr-name='CN']/value/text()"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="lv-ObjADuser" scope="policy">
          <arg-node-set>
            <token-query datastore="dest" notrace="true">
              <arg-match-attr name="sAMAccountName">
                <arg-value type="string">
                  <token-local-variable name="lv-MCCN"/>
                </arg-value>
              </arg-match-attr>
              <arg-string>
                <token-text xml:space="preserve">Login Disabled</token-text>
              </arg-string>
              <arg-string>
                <token-text xml:space="preserve">CN</token-text>
              </arg-string>
            </token-query>
          </arg-node-set>
        </do-set-local-variable>
        <do-set-local-variable name="lv-ADDN" scope="policy">
          <arg-string>
            <token-xpath expression="$lv-ObjADuser//@src-dn"/>
          </arg-string>
        </do-set-local-variable>
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable mode="regex" name="lv-ADDN" op="equal">.+</if-local-variable>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-move-dest-object direct="true">
              <arg-dn>
                <token-local-variable name="lv-ADDN"/>
              </arg-dn>
              <arg-dn>
                <token-global-variable name="DocLinkOU"/>
              </arg-dn>
            </do-move-dest-object>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
      <arg-actions/>
    </do-if>
  </actions>
</rule>



Two user accounts were created yesterday -- within two minutes of each other -- that should have triggered this rule, as both have OSUrelationshipExpires set to 7/17/2019. One behaved as expected, but the other failed.
The trace for the failure (cn STE237) is here: https://pastebin.com/MtTEZi6p .

Can anyone offer an explanation, and/or a suggestion for preventing this?





Thanks
Knowledge Partner

Re: Inconsistent behavior from rule

Are you sure this works at all? If this is on the MAD driver's Publisher channel, it looks like you have source and destination backwards. You're querying for data in "source" using a GCV that would normally point to an eDirectory object:


<token-query datastore="src" notrace="true">
<arg-dn>
<token-global-variable name="idv.dit.data.users"/>
</arg-dn>


Then you're doing a move in "destination":


<do-move-dest-object direct="true">


which for the Publisher, would be eDirectory.

Your trace seems to show this all being on the Subscriber channel, which would make more sense. I don't see that it ever fires for making a <move>, but it does seem to fail on <add> being sent to the attached MAD, followed by a couple of <modify> that also fail, because no such object.

Reading through the trace, it seems to fall apart here:


[07/17/18 14:35:22.387]:AD-OSUMC ST: Action: do-set-local-variable("lv-ObjADuser",scope="policy",arg-node-set(token-query(datastore="dest",notrace="true",arg-match-attr("sAMAccountName",token-local-variable("lv-MCCN")),"Login Disabled","CN"))).
[07/17/18 14:35:22.387]:AD-OSUMC ST: arg-node-set(token-query(datastore="dest",notrace="true",arg-match-attr("sAMAccountName",token-local-variable("lv-MCCN")),"Login Disabled","CN"))
[07/17/18 14:35:22.387]:AD-OSUMC ST: token-query(datastore="dest",notrace="true",arg-match-attr("sAMAccountName",token-local-variable("lv-MCCN")),"Login Disabled","CN")
[07/17/18 14:35:22.392]:AD-OSUMC :Remote Interface Driver: Received.
[07/17/18 14:35:22.392]:AD-OSUMC :
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20170106_120000" instance="\ID1\OSUMC\Drivers\edirIDv1\AD-OSUMC" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="0" level="success"/>
</output>
</nds>


You might remove that "notrace", so you can see what's happening there. Because whatever it was supposed to find, it didn't find, the conditions for your move were not met, and the <move> doesn't happen.
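
Added example, not part of the original posts and not NetIQ code: a Python emulation of the rule's last step, run against the reply shown in the trace above. It shows how a query reply that carries only a success status and no `<instance>` leaves `lv-ADDN` empty, so the `.+` test fails and the move is skipped. The second reply, its DN and CN, and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Reply to the "dest" query as it appears in the trace: success status, no <instance>.
EMPTY_REPLY = """<nds dtdversion="1.1" ndsversion="8.7">
  <output>
    <status event-id="0" level="success"/>
  </output>
</nds>"""

# Constructed reply for a query that does find the account (DN and CN are made up).
FOUND_REPLY = """<nds dtdversion="1.1" ndsversion="8.7">
  <output>
    <instance class-name="user" src-dn="CN=EXAMPLE1,OU=Staging,DC=example,DC=test">
      <attr attr-name="CN"><value>EXAMPLE1</value></attr>
    </instance>
    <status event-id="0" level="success"/>
  </output>
</nds>"""


def query_instances(reply_xml):
    """Node set the query yields: the <instance> elements of the reply, if any."""
    return ET.fromstring(reply_xml).findall("./output/instance")


def first_src_dn(instances):
    """Emulates $lv-ObjADuser//@src-dn as a string: first src-dn found, else ''."""
    for inst in instances:
        for node in inst.iter():
            if "src-dn" in node.attrib:
                return node.attrib["src-dn"]
    return ""


def status_level(reply_xml):
    """Status level of the reply; 'success' does not imply that anything matched."""
    status = ET.fromstring(reply_xml).find("./output/status")
    return status.get("level") if status is not None else None


def move_would_fire(reply_xml):
    """Emulates the inner do-if: lv-ADDN must match the regex '.+' in full."""
    lv_addn = first_src_dn(query_instances(reply_xml))
    return re.fullmatch(r".+", lv_addn) is not None, lv_addn


if __name__ == "__main__":
    for name, reply in (("trace reply", EMPTY_REPLY), ("constructed hit", FOUND_REPLY)):
        fired, dn = move_would_fire(reply)
        print(f"{name}: status={status_level(reply)} lv-ADDN={dn!r} move={fired}")
```
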
6423241 Super Contributor.

Re: Inconsistent behavior from rule

Like I said, there were two objects created within minutes of each other. The rule triggered and operated correctly for one, but not the other. I will post the driver trace if I can get it pared down to a size that pastebin will accept.

The part that I see failing is the "if 'OSUrelationshipExpires' is greater than 'now'" condition.

I did err when I said publisher channel. It's actually in the ETP of the subscriber channel.

Thanks
Knowledge Partner

Re: Inconsistent behavior from rule

Yeah, that fails too, but that's earlier. Looks like you have at least one other driver or something going on in the background, which is filling in attributes as it goes. Skip past that, and keep going. It fails later to get what it needs from the query.