joer999 Absent Member.

SOAP driver: Source DN not available on Delete


Recently I have installed a new IDM server (4.5.3). The accounts on the
old server (4.0.2) reside in the OUs data\guests\gast and
data\guests\gen.
New server: data\users\gast and data\users\gen respectively.
I can easily move the users from the old server to the new one with ICE and
re-route the SOAP messages to the new server. Those messages originate from
an external party. In order not to be dependent on them, I have DIRXML-ed
something in Event Transformation in the SOAP driver:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "D:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201601220536\DTD\dirxmlscript4.5.3.dtd">
<policy>
  <rule>
    <description>Source DN data\guests\... --> Destination DN data\users\...</description>
    <conditions>
      <and/>
    </conditions>
    <actions>
      <do-if>
        <arg-conditions>
          <and>
            <if-src-dn op="in-subtree">data\guests\gast</if-src-dn>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-set-op-dest-dn>
            <arg-dn>
              <token-text xml:space="preserve">data\users\gast\</token-text>
              <token-src-name/>
            </arg-dn>
          </do-set-op-dest-dn>
        </arg-actions>
        <arg-actions>
          <do-if>
            <arg-conditions>
              <and>
                <if-src-dn op="in-subtree">data\guests\gen</if-src-dn>
              </and>
            </arg-conditions>
            <arg-actions>
              <do-set-op-dest-dn>
                <arg-dn>
                  <token-text xml:space="preserve">data\users\gen\</token-text>
                  <token-src-name/>
                </arg-dn>
              </do-set-op-dest-dn>
            </arg-actions>
            <arg-actions/>
          </do-if>
        </arg-actions>
      </do-if>
    </actions>
  </rule>
</policy>


It works fine on a Modify, but on a Delete I get "Operation vetoed on
unassociated object" in my SOAP client. Partial trace below.
It seems that Source DN and Source Name are not available in case of a
Delete. How do I work around this? Thanks in advance.


MODIFY (executed correctly):

[06/22/16 15:44:03.881]:iWelcome SOAP PT:Applying policy: %+C%14CNOVLADDCFG-pub-etp-HG_HandleExceptions%-C.
[06/22/16 15:44:03.881]:iWelcome SOAP PT: Applying to modify #1.
[06/22/16 15:44:03.881]:iWelcome SOAP PT: Evaluating selection criteria for rule 'Source DN data\guests\... --> Destination DN data\users\...'.
[06/22/16 15:44:03.881]:iWelcome SOAP PT: Rule selected.
[06/22/16 15:44:03.881]:iWelcome SOAP PT: Applying rule 'Source DN data\guests\... --> Destination DN data\users\...'.
[06/22/16 15:44:03.881]:iWelcome SOAP PT: Action: do-if().
[06/22/16 15:44:03.881]:iWelcome SOAP PT: Evaluating conditions.
[06/22/16 15:44:03.897]:iWelcome SOAP PT: (if-src-dn in-subtree "data\guests\gast") = TRUE.
[06/22/16 15:44:03.897]:iWelcome SOAP PT: Performing if actions.
[06/22/16 15:44:03.897]:iWelcome SOAP PT: Action: do-set-op-dest-dn(arg-dn("data\users\gast\"+token-src-name())).
[06/22/16 15:44:03.897]:iWelcome SOAP PT: arg-dn("data\users\gast\"+token-src-name())
[06/22/16 15:44:03.897]:iWelcome SOAP PT: token-text("data\users\gast\")
[06/22/16 15:44:03.897]:iWelcome SOAP PT: token-src-name()
[06/22/16 15:44:03.897]:iWelcome SOAP PT: Token Value: "p.de.boskabouter@oehoeboeroe.nl".
[06/22/16 15:44:03.897]:iWelcome SOAP PT: Arg Value: "data\users\gast\p.de.boskabouter@oehoeboeroe.nl".
[06/22/16 15:44:03.897]:iWelcome SOAP PT:Policy returned:


DELETE (Destination DN not changed, so the SOAP client gets an "Operation
vetoed on unassociated object"):

[06/22/16 15:35:05.647]:iWelcome SOAP PT:Applying policy: %+C%14CNOVLADDCFG-pub-etp-HG_HandleExceptions%-C.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Applying to delete #1.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Evaluating selection criteria for rule 'Source DN data\guests\... --> Destination DN data\users\...'.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Rule selected.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Applying rule 'Source DN data\guests\... --> Destination DN data\users\...'.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Action: do-if().
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Evaluating conditions.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: (if-src-dn in-subtree "data\guests\gast") = FALSE.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Performing else actions.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Action: do-if().
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Evaluating conditions.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: (if-src-dn in-subtree "data\guests\gen") = FALSE.
[06/22/16 15:35:05.647]:iWelcome SOAP PT: Performing else actions.
[06/22/16 15:35:05.647]:iWelcome SOAP PT:Policy returned:


--
joer999
------------------------------------------------------------------------
joer999's Profile: https://forums.netiq.com/member.php?userid=6162
View this thread: https://forums.netiq.com/showthread.php?t=56087

Knowledge Partner

Re: SOAP driver: Source DN not available on Delete

We need to see the full trace to really help much. Even then, I think you
may be confused about when these are firing. The policy you posted
appears to be made for the Subscriber channel based on its data and your
description, but the trace you posted is all on the Publisher channel.

Also, if you want a Delete to go through when it has no association, be
sure you synthesize an association before it gets dropped due to the lack
of one.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
joer999 Absent Member.

Re: SOAP driver: Source DN not available on Delete


ab;268925 Wrote:
> We need to see the full trace to really help much. Even then, I think you
> may be confused about when these are firing. The policy you posted
> appears to be made for the Subscriber channel based on its data and your
> description, but the trace you posted is all on the Publisher channel.
>
> Also, if you want a Delete to go through when it has no association, be
> sure you synthesize an association before it gets dropped due to the lack
> of one.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...

Thank you for the reply. The full trace: http://textuploader.com/53x5x.
The policy resides in the Publisher Channel (Event Transformation).
There is an external party that sends SOAP messages to our NetIQ IDM, so
through the Publisher Channel, changes (Add/Modify/Delete) are made to
User Objects in the ID Vault. I do nothing in the Subscriber Channel of
the SOAP driver.
The policy does what it's supposed to do in case of a modify (i.e.
changing a surname). There is an association. The error "Operation
vetoed on unassociated object" is because the policy doesn't work in
case of a delete.


--
joer999

Knowledge Partner

Re: SOAP driver: Source DN not available on Delete

joer999 wrote:

>
> > If you find this post helpful and are logged into the web interface,
> > show your appreciation and click on the star below...

> Thank you for the reply. The full trace:
> http://textuploader.com/53x5x. The policy resides in the Publisher
> Channel (Event Transformation). There is an external party that
> sends SOAP messages to our NetIQ IDM, so through the Publisher
> Channel, changes (Add/Modify/Delete) are made to User Objects in the
> ID Vault. I do nothing in the Subscriber Channel of the SOAP driver.
> The policy does what it's supposed to do in case of a modify (i.e.
> changing a surname). There is an association. The error "Operation
> vetoed on unassociated object" is because the policy doesn't work in
> case of a delete.


You either need to change the stylesheet to add an appropriate src-dn
to the delete or adjust your policy so it handles this scenario.

There doesn't look to be anything wrong with the way the engine handles
this event.
Alex McHugh - Knowledge Partner - Stavanger, Norway
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
joer999 Absent Member.

Re: SOAP driver: Source DN not available on Delete


This turned out to work for me. Not bothering with the Source DN or
Destination DN but just changing the Operation Association. Now in the
SOAP messages (Modify or Delete) it doesn't matter whether
data\guests\gast\{CN} or data\users\gast\{CN} is the psoID.
With some help from Mr. Carman's 'A definitive guide to NetIQ's IDM
tokens', page 68.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "D:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201601220536\DTD\dirxmlscript4.5.3.dtd">
<policy>
  <rule>
    <description>Association data\guests\... --> Association data\users\...</description>
    <conditions>
      <and/>
    </conditions>
    <actions>
      <do-if>
        <arg-conditions>
          <and>
            <if-association mode="regex" op="equal">data\\guests\\gast.*</if-association>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-set-op-association>
            <arg-association>
              <token-replace-first regex="data\\guests\\gast" replace-with="data\\users\\gast">
                <token-association/>
              </token-replace-first>
            </arg-association>
          </do-set-op-association>
        </arg-actions>
        <arg-actions>
          <do-if>
            <arg-conditions>
              <and>
                <if-association mode="regex" op="equal">data\\guests\\gen.*</if-association>
              </and>
            </arg-conditions>
            <arg-actions>
              <do-set-op-association>
                <arg-association>
                  <token-replace-first regex="data\\guests\\gen" replace-with="data\\users\\gen">
                    <token-association/>
                  </token-replace-first>
                </arg-association>
              </do-set-op-association>
            </arg-actions>
            <arg-actions/>
          </do-if>
        </arg-actions>
      </do-if>
    </actions>
  </rule>
</policy>


--
joer999
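
An added sketch in Python (not part of the thread and not NetIQ code) that models the two policies above over constructed events, to show why the src-dn rule does nothing on a delete while the association rule still applies. Assumptions: the event shapes, that a regex comparison must match the whole association value, and the hypothetical sibling container `gastronomy`, which shows that `gast.*` also rewrites containers whose name merely starts with `gast` unless the trailing backslash is part of the pattern.

```python
import re
import xml.etree.ElementTree as ET

# Constructed events (assumption): the modify carries src-dn, the deletes
# carry only an association, as the DELETE trace above suggests.
EVENTS = r"""<input>
 <modify class-name="User" src-dn="data\guests\gast\p.de.boskabouter@oehoeboeroe.nl">
  <association>data\guests\gast\p.de.boskabouter@oehoeboeroe.nl</association>
 </modify>
 <delete class-name="User">
  <association>data\guests\gast\p.de.boskabouter@oehoeboeroe.nl</association>
 </delete>
 <delete class-name="User">
  <association>data\guests\gastronomy\j.doe@example.org</association>
 </delete>
</input>"""
MODIFY, DELETE, LOOKALIKE = ET.fromstring(EVENTS)

MOVES = {r"data\guests\gast": r"data\users\gast",
         r"data\guests\gen": r"data\users\gen"}

def dest_dn_from_src_dn(op):
    """First policy: if-src-dn in-subtree, then set the destination DN."""
    src = op.get("src-dn", "")
    for old, new in MOVES.items():
        if src.lower().startswith(old + "\\"):
            return new + "\\" + src.rsplit("\\", 1)[1]
    return None  # no src-dn on the event: both conditions are FALSE

def rewrite_association(op, boundary=False):
    """Second policy: regex match on the association, replace the first hit.

    boundary=True also requires the backslash after the container name, so
    a sibling container that merely starts with 'gast' is left alone.
    """
    assoc = op.findtext("association", "")
    tail = "\\" if boundary else ""
    for old, new in MOVES.items():
        pattern = re.escape(old + tail)
        if re.fullmatch(pattern + ".*", assoc):
            # A function replacement keeps the backslashes literal.
            return re.sub(pattern, lambda m: new + tail, assoc, count=1)
    return assoc

if __name__ == "__main__":
    for op in (MODIFY, DELETE, LOOKALIKE):
        print(op.tag, dest_dn_from_src_dn(op), rewrite_association(op),
              rewrite_association(op, boundary=True), sep=" | ")
```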

Knowledge Partner

Re: SOAP driver: Source DN not available on Delete

On 6/23/2016 8:56 AM, joer999 wrote:
>
> This turned out to work for me. Not bothering with the Source DN or
> Destination DN but just changing the Operation Association. Now in the
> SOAP messages (Modify or Delete) it doesn't matter whether
> data\guests\gast\{CN} or data\users\gast\{CN} is the psoID.
> With some help from Mr. Carman's 'A definitive guide to NetIQ's IDM
> tokens', page 68.


Good to know someone actually read some of that... 🙂
