joer999

Absent Member.
2016-06-22 15:21
SOAP driver: Source DN not available on Delete
Recently I have installed a new IDM server (4.5.3). The accounts on the old server (4.0.2) reside in the OUs data\guests\gast and data\guests\gen.
New server: data\users\gast resp. data\users\gen.
I can easily move the users from the old server to the new one with ICE and re-route the SOAP messages to the new server. Those messages originate from an external party. In order not to be dependent on them, I have DIRXML-ed something in the Event Transformation of the SOAP driver:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "D:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201601220536\DTD\dirxmlscript4.5.3.dtd">
<policy>
  <rule>
    <description>Source DN data\guests\... --> Destination DN data\users\...</description>
    <conditions>
      <and/>
    </conditions>
    <actions>
      <do-if>
        <arg-conditions>
          <and>
            <if-src-dn op="in-subtree">data\guests\gast</if-src-dn>
          </and>
        </arg-conditions>
        <!-- if branch: rewrite the destination DN to the new OU, keeping the source name -->
        <arg-actions>
          <do-set-op-dest-dn>
            <arg-dn>
              <token-text xml:space="preserve">data\users\gast\</token-text>
              <token-src-name/>
            </arg-dn>
          </do-set-op-dest-dn>
        </arg-actions>
        <!-- else branch: second arg-actions of the outer do-if, tests the other OU -->
        <arg-actions>
          <do-if>
            <arg-conditions>
              <and>
                <if-src-dn op="in-subtree">data\guests\gen</if-src-dn>
              </and>
            </arg-conditions>
            <arg-actions>
              <do-set-op-dest-dn>
                <arg-dn>
                  <token-text xml:space="preserve">data\users\gen\</token-text>
                  <token-src-name/>
                </arg-dn>
              </do-set-op-dest-dn>
            </arg-actions>
            <arg-actions/>
          </do-if>
        </arg-actions>
      </do-if>
    </actions>
  </rule>
</policy>
It works fine on a Modify, but on a Delete I get "Operation vetoed on unassociated object" in my SOAP client. Partial trace below.
It seems that Source DN and Source Name are not available in case of a Delete. How do I work around this? Thanks in advance.
MODIFY (executed correctly):
[06/22/16 15:44:03.881]:iWelcome SOAP PT:Applying policy: %+C%14CNOVLADDCFG-pub-etp-HG_HandleExceptions%-C.
[06/22/16 15:44:03.881]:iWelcome SOAP PT: Applying to modify #1.
[06/22/16 15:44:03.881]:iWelcome SOAP PT: Evaluating selection criteria for rule 'Source DN data\guests\... --> Destination DN data\users\...'.
[06/22/16 15:44:03.881]:iWelcome SOAP PT: Rule selected.
[06/22/16 15:44:03.881]:iWelcome SOAP PT: Applying rule 'Source DN data\guests\... --> Destination DN data\users\...'.
[06/22/16 15:44:03.881]:iWelcome SOAP PT: Action: do-if().
[06/22/16 15:44:03.881]:iWelcome SOAP PT: Evaluating conditions.
[06/22/16 15:44:03.897]:iWelcome SOAP PT: (if-src-dn in-subtree "data\guests\gast") = TRUE.
[06/22/16 15:44:03.897]:iWelcome SOAP PT: Performing if actions.
[06/22/16 15:44:03.897]:iWelcome SOAP PT: Action: do-set-op-dest-dn(arg-dn("data\users\gast\"+token-src-name())).
[06/22/16 15:44:03.897]:iWelcome SOAP PT: arg-dn("data\users\gast\"+token-src-name())
[06/22/16 15:44:03.897]:iWelcome SOAP PT: token-text("data\users\gast\")
[06/22/16 15:44:03.897]:iWelcome SOAP PT: token-src-name()
[06/22/16 15:44:03.897]:iWelcome SOAP PT: Token Value: "p.de.boskabouter@oehoeboeroe.nl".
[06/22/16 15:44:03.897]:iWelcome SOAP PT: Arg Value: "data\users\gast\p.de.boskabouter@oehoeboeroe.nl".
[06/22/16 15:44:03.897]:iWelcome SOAP PT:Policy returned:
DELETE (Destination DN not changed, so the SOAP client gets "Operation vetoed on unassociated object"):
[06/22/16 15:35:05.647]:iWelcome SOAP PT:Applying policy: %+C%14CNOVLADDCFG-pub-etp-HG_HandleExceptions%-C.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Applying to delete #1.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Evaluating selection criteria for rule 'Source DN data\guests\... --> Destination DN data\users\...'.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Rule selected.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Applying rule 'Source DN data\guests\... --> Destination DN data\users\...'.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Action: do-if().
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Evaluating conditions.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: (if-src-dn in-subtree "data\guests\gast") = FALSE.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Performing else actions.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Action: do-if().
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Evaluating conditions.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: (if-src-dn in-subtree "data\guests\gen") = FALSE.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Performing else actions.
[06/22/16 15:35:05.647]:iWelcome SOAP PT:Policy returned:
--
joer999
------------------------------------------------------------------------
joer999's Profile: https://forums.netiq.com/member.php?userid=6162
View this thread: https://forums.netiq.com/showthread.php?t=56087
5 Replies


Knowledge Partner
2016-06-22 15:37
We need to see the full trace to really help much. Even then, I think you
may be confused about when these are firing. The policy you posted
appears to be made for the Subscriber channel based on its data and your
description, but the trace you posted is all on the Publisher channel.
Also, if you want a Delete to go through when it has no association, be
sure you synthesize an association before it gets dropped due to the lack
of one.
--
Good luck.
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
joer999

Absent Member.
2016-06-23 08:24
ab;268925 Wrote:
> We need to see the full trace to really help much. Even then, I think
> you
> may be confused about when these are firing. The policy you posted
> appears to be made for the Subscriber channel based on its data and
> your
> description, but the trace you posted is all on the Publisher channel.
>
> Also, if you want a Delete to go through when it has no association, be
> sure you synthesize an association before it gets dropped due to the
> lack
> of one.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...
Thank you for the reply. The full trace: http://textuploader.com/53x5x.
The policy resides in the Publisher Channel (Event Transformation). There is an external party that sends SOAP messages to our NetIQ IDM, so through the Publisher Channel, changes (Add/Modify/Delete) are made to User Objects in the ID Vault. I do nothing in the Subscriber Channel of the SOAP driver.
The policy does what it's supposed to do in case of a modify (i.e. changing a surname). There is an association. The error "Operation vetoed on unassociated object" is because the policy doesn't work in case of a delete.


Knowledge Partner
2016-06-23 11:21
joer999 wrote:
>
> > If you find this post helpful and are logged into the web interface,
> > show your appreciation and click on the star below...
> Thank you for the reply. The full trace:
> http://textuploader.com/53x5x. The policy resides in the Publisher
> Channel (Event Transformation). There is an external party that
> sends SOAP messages to our NetIQ IDM, so through the Publisher
> Channel, changes (Add/Modify/Delete) are made to User Objects in the
> ID Vault. I do nothing in the Subscriber Channel of the SOAP driver.
> The policy does what it's supposed to do in case of a modify (i.e.
> changing a surname). There is an association. The error "Operation
> vetoed on unassociated object" is because the policy doesn't work in
> case of a delete.
You either need to change the stylesheet to add an appropriate src-dn
to the delete or adjust your policy so it handles this scenario.
There doesn't look to be anything wrong with the way the engine handles
this event.
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
joer999

Absent Member.
2016-06-23 13:56
This turned out to work for me. Not bothering with the Source DN or
Destination DN but just changing the Operation Association. Now in the
SOAP messages (Modify or Delete) it doesn't matter whether
data\guests\gast\{CN} or data\users\gast\{CN} is the psoID.
With some help from Mr. Carman's 'A definitive guide to NetIQ's IDM
tokens', page 68.
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "D:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201601220536\DTD\dirxmlscript4.5.3.dtd">
<policy>
  <rule>
    <description>Association data\guests\... --> Association data\users\...</description>
    <conditions>
      <and/>
    </conditions>
    <actions>
      <do-if>
        <arg-conditions>
          <and>
            <!-- regex mode: backslashes in the psoID must be escaped -->
            <if-association mode="regex" op="equal">data\\guests\\gast.*</if-association>
          </and>
        </arg-conditions>
        <!-- if branch: rewrite the operation association in place -->
        <arg-actions>
          <do-set-op-association>
            <arg-association>
              <token-replace-first regex="data\\guests\\gast" replace-with="data\\users\\gast">
                <token-association/>
              </token-replace-first>
            </arg-association>
          </do-set-op-association>
        </arg-actions>
        <!-- else branch: same test and rewrite for the other OU -->
        <arg-actions>
          <do-if>
            <arg-conditions>
              <and>
                <if-association mode="regex" op="equal">data\\guests\\gen.*</if-association>
              </and>
            </arg-conditions>
            <arg-actions>
              <do-set-op-association>
                <arg-association>
                  <token-replace-first regex="data\\guests\\gen" replace-with="data\\users\\gen">
                    <token-association/>
                  </token-replace-first>
                </arg-association>
              </do-set-op-association>
            </arg-actions>
            <arg-actions/>
          </do-if>
        </arg-actions>
      </do-if>
    </actions>
  </rule>
</policy>
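As an added example (not code from the thread, NetIQ, or the poster), here is a small Python model of the two policies in this thread run over constructed Publisher-channel XDS events: it shows that the src-dn rule has nothing to match on a delete that carries only an association, while the association rewrite resolves both the modify and the delete. The OU map, vault contents, event shapes and the simplified engine lookup in `resolves` are assumptions made for the demonstration.

```python
import copy
import re
import xml.etree.ElementTree as ET

# Assumed OU moves from the thread: old psoID prefix -> new prefix.
OU_MAP = {r"data\guests\gast": r"data\users\gast",
          r"data\guests\gen": r"data\users\gen"}

# Constructed vault state after the ICE move: association (psoID) -> DN.
VAULT = {r"data\users\gast\j.doe": r"data\users\gast\j.doe"}

# Constructed XDS events: the modify carries src-dn, the delete only the
# (old) association, as in the poster's trace.
MODIFY = ET.fromstring(r'<modify class-name="User" src-dn="data\guests\gast\j.doe">'
                       r'<association>data\guests\gast\j.doe</association></modify>')
DELETE = ET.fromstring(r'<delete class-name="User">'
                       r'<association>data\guests\gast\j.doe</association></delete>')

def src_dn_policy(event):
    """First policy: if-src-dn in-subtree -> do-set-op-dest-dn with
    new OU + token-src-name (simplified in-subtree test on the string)."""
    ev = copy.deepcopy(event)
    src = ev.get("src-dn")          # None on the delete, so no branch fires
    for old, new in OU_MAP.items():
        if src and src.startswith(old + "\\"):
            ev.set("dest-dn", new + "\\" + src.rsplit("\\", 1)[1])
    return ev

def association_policy(event):
    """Second policy: if-association mode=regex -> do-set-op-association
    with token-replace-first on the current association value."""
    ev = copy.deepcopy(event)
    assoc = ev.find("association")
    for old, new in OU_MAP.items():
        if assoc is not None and re.fullmatch(re.escape(old) + ".*", assoc.text):
            assoc.text = re.sub(re.escape(old), lambda m: new, assoc.text, count=1)
    return ev

def resolves(event):
    """Simplified engine lookup (assumption): the event is applied when its
    association is known or the policy supplied a dest-dn; otherwise it is
    vetoed as an operation on an unassociated object."""
    return (event.findtext("association") in VAULT
            or event.get("dest-dn") in VAULT.values())

if __name__ == "__main__":
    for name, pol in (("src-dn rule", src_dn_policy),
                      ("association rule", association_policy)):
        print(f"{name}: modify={resolves(pol(MODIFY))} delete={resolves(pol(DELETE))}")
```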


Knowledge Partner
2016-06-23 14:44
On 6/23/2016 8:56 AM, joer999 wrote:
>
> This turned out to work for me. Not bothering with the Source DN or
> Destination DN but just changing the Operation Association. Now in the
> SOAP messages (Modify or Delete) it doesn't matter whether
> data\guests\gast\{CN} or data\users\gast\{CN} is the psoID.
> With some help from Mr. Carman's 'A definitive guide to NetIQ's IDM
> tokens', page 68.
Good to know someone actually read some of that... 🙂