sivaramtm Super Contributor.

Query for nrfmemberof


Getting syntax violation error while doing the below query. Please help. Same query works using ldap browser.

[09/25/19 14:27:00.131]:InternalAD PT: Action: do-set-local-variable("lvQueryidvnrfMember",scope="policy",token-query(class-name="User",arg-match-attr("CN",token-local-variable("lvIDVParsedCN")),arg-match-attr("nrfMemberOf",token-local-variable("lvIDVRoleparsedDN")),"employeeStatus")).
[09/25/19 14:27:00.132]:InternalAD PT: arg-string(token-query(class-name="User",arg-match-attr("CN",token-local-variable("lvIDVParsedCN")),arg-match-attr("nrfMemberOf",token-local-variable("lvIDVRoleparsedDN")),"employeeStatus"))
[09/25/19 14:27:00.133]:InternalAD PT: token-query(class-name="User",arg-match-attr("CN",token-local-variable("lvIDVParsedCN")),arg-match-attr("nrfMemberOf",token-local-variable("lvIDVRoleparsedDN")),"employeeStatus")
[09/25/19 14:27:00.133]:InternalAD PT: arg-match-attr("CN",token-local-variable("lvIDVParsedCN"))
[09/25/19 14:27:00.134]:InternalAD PT: arg-string(token-local-variable("lvIDVParsedCN"))
[09/25/19 14:27:00.134]:InternalAD PT: token-local-variable("lvIDVParsedCN")
[09/25/19 14:27:00.134]:InternalAD PT: Token Value: "Z8QHL".
[09/25/19 14:27:00.135]:InternalAD PT: Arg Value: "Z8QHL".
[09/25/19 14:27:00.135]:InternalAD PT: arg-match-attr("nrfMemberOf",token-local-variable("lvIDVRoleparsedDN"))
[09/25/19 14:27:00.135]:InternalAD PT: arg-string(token-local-variable("lvIDVRoleparsedDN"))
[09/25/19 14:27:00.136]:InternalAD PT: token-local-variable("lvIDVRoleparsedDN")
[09/25/19 14:27:00.136]:InternalAD PT: Token Value: "CN=A-HDS-TDSTPA,CN=ADRoles,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=driverset1,O=system".
[09/25/19 14:27:00.137]:InternalAD PT: Arg Value: "CN=A-HDS-TDSTPA,CN=ADRoles,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=driverset1,O=system".
[09/25/19 14:27:00.137]:InternalAD PT: arg-string("employeeStatus")
[09/25/19 14:27:00.138]:InternalAD PT: token-text("employeeStatus")
[09/25/19 14:27:00.138]:InternalAD PT: Arg Value: "employeeStatus".
[09/25/19 14:27:00.138]:InternalAD PT: Query from policy
[09/25/19 14:27:00.138]:InternalAD PT:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="User" scope="subtree">
<search-class class-name="User"/>
<search-attr attr-name="CN">
<value type="string">Z8QHL</value>
</search-attr>
<search-attr attr-name="nrfMemberOf">
<value type="string">CN=A-HDS-TDSTPA,CN=ADRoles,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=driverset1,O=system</value>
</search-attr>
<read-attr attr-name="employeeStatus"/>
</query>
</input>
</nds>
[09/25/19 14:27:00.141]:InternalAD PT: Pumping XDS to eDirectory.
[09/25/19 14:27:00.141]:InternalAD PT: Performing operation query for .
[09/25/19 14:27:00.141]:InternalAD PT: --JCLNT-- \BBCIDV\system\driverset1\AD-Internal-BBC - Publisher : Duplicating : context = 1919483980, tempContext = 1919484141
[09/25/19 14:27:00.142]:InternalAD PT: --JCLNT-- \BBCIDV\system\driverset1\AD-Internal-BBC - Publisher : Calling free on tempContext = 1919484141
[09/25/19 14:27:00.152]:InternalAD PT: Query from policy result
[09/25/19 14:27:00.152]:InternalAD PT:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="0" level="error">Code(-9010) An exception occurred: novell.jclient.JCException: initVlistIterator -613 ERR_SYNTAX_VIOLATION</status>
</output>
</nds>
[09/25/19 14:27:00.154]:InternalAD PT: Token Value: "".
[09/25/19 14:27:00.154]:InternalAD PT: Arg Value: "".

dbuschke Super Contributor.

Re: Query for nrfmemberof

Hi,
instead of CN=A-HDS-TDSTPA,CN=ADRoles,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=driverset1,O=system (LDAP notation), use something like "system\driverset1\UserApp....", which is slash notation. I don't know if you need to prefix the tree name on a query. If so, look at the local variables; there is an auto one for tree.
If you need to convert them on the fly look for the parseDN verb.

regards
Daniel
sivaramtm Super Contributor.

Re: Query for nrfmemberof


I did the same. Now the syntax error is cleared, but the query is not giving any output, although in LDAP I am getting the result.

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="User" scope="subtree">
<search-class class-name="User"/>
<search-attr attr-name="CN">
<value type="string">Z8QHL</value>
</search-attr>
<search-attr attr-name="nrfMemberOf">
<value type="string">O=system\CN=driverset1\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level20\CN=ADRoles\CN=A-HDS-MPS-R</value>
</search-attr>
<read-attr attr-name="employeeStatus"/>
</query>
</input>
</nds>
[09/25/19 15:33:20.365]:InternalAD PT: Pumping XDS to eDirectory.
[09/25/19 15:33:20.365]:InternalAD PT: Performing operation query for .
[09/25/19 15:33:20.365]:InternalAD PT: --JCLNT-- \BBCIDV\system\driverset1\AD-Internal-BBC - Publisher : Duplicating : context = 1919484151, tempContext = 1919484134
[09/25/19 15:33:20.365]:InternalAD PT: --JCLNT-- \BBCIDV\system\driverset1\AD-Internal-BBC - Publisher : Calling free on tempContext = 1919484134
[09/25/19 15:33:20.365]:InternalAD PT: Query from policy result
[09/25/19 15:33:20.365]:InternalAD PT:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="0" level="success"></status>
</output>
</nds>
[09/25/19 15:33:20.365]:InternalAD PT: Token Value: "".
[09/25/19 15:33:20.365]:InternalAD PT: Arg Value: "".

0 Likes
Knowledge Partner

Re: Query for nrfmemberof


You left the CN= and OU= in the DN path.

For whatever reason, IDM internally uses slash format for DNs. Why? I dunno. But it does.

So when you specify a DN for read or write in IDM against the IDV, you use the format that the first poster suggested.

You got close. He said, instead of:

CN=A-HDS-TDSTPA,CN=ADRoles,CN=Level20,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=driverset1,O=system

To reverse the order (root-most to leaf-most instead of LDAP's leaf-most to root-most) and use slashes as the delimiters to be more like:

system\driverset1\UserApplication\AppConfig\....

And you used:

O=system\CN=driverset1\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level20\CN=ADRoles\CN=A-HDS-MPS-R

Which is not quite correct; remove the O=, the CN= and so on, and try again. You are getting closer.

Side note:

Parse DN will convert the DN format. Parse DN on the variable holding the role name, start 0, length of -1, and source format is LDAP, dest format is slash.

0 Likes
sivaramtm Super Contributor.

Re: Query for nrfmemberof


I got it. I was using qualified-src-dn instead of src-dn.

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="User" scope="subtree">
<search-class class-name="User"/>
<search-attr attr-name="CN">
<value type="string">Z8QHL</value>
</search-attr>
<search-attr attr-name="nrfMemberOf">
<value type="string">\BBCIDV\system\driverset1\UserApplication\AppConfig\RoleConfig\RoleDefs\Level20\ADRoles\A-HDS-PRDHOME</value>
</search-attr>
<read-attr attr-name="employeeStatus"/>
</query>
</input>
</nds>
[09/26/19 08:56:41.795]:InternalAD PT: Pumping XDS to eDirectory.
[09/26/19 08:56:41.795]:InternalAD PT: Performing operation query for .
[09/26/19 08:56:41.795]:InternalAD PT: --JCLNT-- \BBCIDV\system\driverset1\AD-Internal-BBC - Publisher : Duplicating : context = 1919484147, tempContext = 1919483983
[09/26/19 08:56:41.795]:InternalAD PT: --JCLNT-- \BBCIDV\system\driverset1\AD-Internal-BBC - Publisher : Calling free on tempContext = 1919483983
[09/26/19 08:56:41.795]:InternalAD PT: Query from policy result
[09/26/19 08:56:41.795]:InternalAD PT:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<instance class-name="User" event-id="0" qualified-src-dn="O=BBC\OU=users\OU=contractors\CN=Z8QHL" src-dn="\BBCIDV\BBC\users\contractors\Z8QHL" src-entry-id="214104">
<association state="associated">a4c47948b9bdc6429bdf71fda2f9a88e</association>
<attr attr-name="employeeStatus">
<value timestamp="1484741961#21" type="string">3</value>
</attr>
</instance>
<status event-id="0" level="success"></status>
</output>
</nds>

0 Likes
dbuschke Super Contributor.

Re: Query for nrfmemberof


Hi,
you not only removed the full qualifiers but also added the tree name.

As I wasn't unsure about using FQDNs I made some query tests in 4.7.3:

  1. using fully qualified without tree (o=system\cn=driverset..) -> FAIL
  2. using unqualified without tree (system\driverset..) -> FAIL
  3. using fully qualified with tree (\mytree\o=system\cn=driverset..) -> OK
  4. using unqualified with tree (\mytree\system\driverset..) -> OK

So you MUST prefix the tree (maybe a senior could tell us if this changed recently) and you CAN use FQDN in member queries.

BTW: Number 3 is a bit strange, as in my opinion this is a mix of qualified and unqualified; it should be \t=mytree\o=system\cn=driverset.., but that didn't work either.

regards
Daniel

0 Likes
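
The conversion this thread converges on, as an added example that is not part of any post: a Python helper that turns the LDAP-notation role DN from the first trace into the tree-prefixed slash form that finally matched, and a checker that labels a candidate search value with the outcome reported in the thread. The function names are hypothetical, and the match/no-match results restate the posters' observations, not documented product behaviour.

```python
# Added example: helper names are hypothetical, not IDM APIs.

def ldap_to_slash(ldap_dn: str, tree: str) -> str:
    """LDAP DN (leaf first, typed, comma-separated) -> tree-prefixed slash DN."""
    if "\\" in ldap_dn or "+" in ldap_dn:
        # Escaped characters and multi-valued RDNs need real DN parsing.
        raise ValueError("escaped or multi-valued RDNs are out of scope here")
    names = []
    for rdn in ldap_dn.split(","):
        attr_type, sep, value = rdn.strip().partition("=")
        if not (attr_type and sep and value):
            raise ValueError(f"not a typed RDN: {rdn!r}")
        names.append(value)
    # Slash notation runs root first, so reverse the LDAP order.
    return "\\" + tree + "\\" + "\\".join(reversed(names))


def classify(value: str):
    """Return (notation, has_tree, matches) for a DN-valued search-attr."""
    if "," in value and not value.startswith("\\"):
        # LDAP notation: -613 ERR_SYNTAX_VIOLATION in the first trace.
        return ("ldap", False, False)
    has_tree = value.startswith("\\")
    segments = value.lstrip("\\").split("\\")
    if has_tree:
        segments = segments[1:]  # drop the tree name itself
    qualified = any("=" in s for s in segments)
    notation = "qualified-slash" if qualified else "slash"
    # Per the tests reported in the thread, only tree-prefixed values matched.
    return (notation, has_tree, has_tree)


# Constructed sample built from values shown in the thread's traces.
ROLE_LDAP = ("CN=A-HDS-TDSTPA,CN=ADRoles,CN=Level20,CN=RoleDefs,CN=RoleConfig,"
             "CN=AppConfig,CN=UserApplication,CN=driverset1,O=system")

if __name__ == "__main__":
    print(ldap_to_slash(ROLE_LDAP, "BBCIDV"))
    for candidate in (ROLE_LDAP, r"O=system\CN=driverset1",
                      r"\BBCIDV\system\driverset1"):
        print(classify(candidate), candidate)
```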