Anonymous_User Absent Member.
Absent Member.
757 views

Unable to get value of error.do-find-matching-object


I have a matching rule in the publisher channel in a JDBC driver that
checks for matching objects based on the givenname and surname in the
identity vault. Whenever there is a match the local variable
*error.do-find-matching-object* gets set with the src-dn of the matched
object and the dest-dn of the incoming object as &#FFFC; for a single
match as shown in the trace. Now I have a condition where I have to
handle this exception and update the attributes of the matched object in
the identity vault with the new values of the incoming object.
1. How can I do that?
2. How can get the value of the local variable
error.do-find-matching-object? I have tried if
error.do-find-matching-object is available, then print its value. But i
always get FALSE in the trace even when there is a match.


--
joydeepg
------------------------------------------------------------------------
joydeepg's Profile: https://forums.netiq.com/member.php?userid=7638
View this thread: https://forums.netiq.com/showthread.php?t=51207

Labels (1)
0 Likes
11 Replies
Knowledge Partner
Knowledge Partner

Re: Unable to get value of error.do-find-matching-object

joydeepg wrote:

>
> I have a matching rule in the publisher channel in a JDBC driver that
> checks for matching objects based on the givenname and surname in the
> identity vault. Whenever there is a match the local variable
> *error.do-find-matching-object* gets set with the src-dn of the matched
> object and the dest-dn of the incoming object as &#FFFC; for a single
> match as shown in the trace. Now I have a condition where I have to
> handle this exception and update the attributes of the matched object in
> the identity vault with the new values of the incoming object.
> 1. How can I do that?
> 2. How can get the value of the local variable
> error.do-find-matching-object? I have tried if
> error.do-find-matching-object is available, then print its value. But i
> always get FALSE in the trace even when there is a match.


First, post a trace and the code you tried that did not work properly. It's
hard to help without those.

That said, I usually use something like this to handle the exceptions you
mention:

<rule>
<description>Log Matching errors</description>
<comment name="author" xml:space="preserve">Lothar Haeger</comment>
<conditions>
<and>
<if-class-name mode="case" op="equal">User</if-class-name>
<if-local-variable mode="regex" name="error.do-find-matching-object"
op="equal">.+</if-local-variable>
</and>
</conditions>
<actions>
<do-if>
<arg-conditions>
<and>
<if-xpath op="true">count($error.do-find-matching-object)=1</if-xpath>
</and>
</arg-conditions>
<arg-actions>
<do-set-local-variable name="logMessage" scope="policy">
<arg-string>
<token-src-name/>
<token-text xml:space="preserve">: ERROR: Matching found an already
associated object: </token-text>
<token-local-variable name="error.do-find-matching-object"/>
</arg-string>
</do-set-local-variable>
</arg-actions>
<arg-actions>
<do-set-local-variable name="logMessage" scope="policy">
<arg-string>
<token-src-name/>
<token-text xml:space="preserve">: ERROR: Matching found multiple
objects: </token-text>
<token-join delimiter=", ">
<token-local-variable name="error.do-find-matching-object"/>
</token-join>
</arg-string>
</do-set-local-variable>
</arg-actions>
</do-if>
<do-status level="error">
<arg-string>
<token-local-variable name="logMessage"/>
</arg-string>
</do-status>
<do-veto/>
</actions>
</rule>

If you really want to update the already associated object found with values
from the current object (wold you mind expain why you want to do that?), just
use

<token-local-variable name="error.do-find-matching-object"/>

as the DN of the target object in token do-set/add/remove/clear-dest-attr
instead of the default of "Current Object".

Now if the variable error.do-find-matching-object is false this indicates that
there is no matching error, which can be a successful match (the destination DN
will then be set) or no match found (which leaves the current operation without
destination DN. Can it be that you confuse a successful match with a matching
error where an object already associated to a different user in your DB is
found and expect a successful match to set the error variable?
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Unable to get value of error.do-find-matching-object


lhaeger;246003 Wrote:
> joydeepg wrote:
>
> >
> > I have a matching rule in the publisher channel in a JDBC driver that
> > checks for matching objects based on the givenname and surname in the
> > identity vault. Whenever there is a match the local variable
> > *error.do-find-matching-object* gets set with the src-dn of the

> matched
> > object and the dest-dn of the incoming object as &#FFFC; for a single
> > match as shown in the trace. Now I have a condition where I have to
> > handle this exception and update the attributes of the matched object

> in
> > the identity vault with the new values of the incoming object.
> > 1. How can I do that?
> > 2. How can get the value of the local variable
> > error.do-find-matching-object? I have tried if
> > error.do-find-matching-object is available, then print its value. But

> i
> > always get FALSE in the trace even when there is a match.

>
> First, post a trace and the code you tried that did not work properly.
> It's
> hard to help without those.
>
> That said, I usually use something like this to handle the exceptions
> you
> mention:
>
> <rule>
> <description>Log Matching errors</description>
> <comment name="author" xml:space="preserve">Lothar Haeger</comment>
> <conditions>
> <and>
> <if-class-name mode="case" op="equal">User</if-class-name>
> <if-local-variable mode="regex" name="error.do-find-matching-object"
> op="equal">.+</if-local-variable>
> </and>
> </conditions>
> <actions>
> <do-if>
> <arg-conditions>
> <and>
> <if-xpath op="true">count($error.do-find-matching-object)=1</if-xpath>
> </and>
> </arg-conditions>
> <arg-actions>
> <do-set-local-variable name="logMessage" scope="policy">
> <arg-string>
> <token-src-name/>
> <token-text xml:space="preserve">: ERROR: Matching found an already
> associated object: </token-text>
> <token-local-variable name="error.do-find-matching-object"/>
> </arg-string>
> </do-set-local-variable>
> </arg-actions>
> <arg-actions>
> <do-set-local-variable name="logMessage" scope="policy">
> <arg-string>
> <token-src-name/>
> <token-text xml:space="preserve">: ERROR: Matching found multiple
> objects: </token-text>
> <token-join delimiter=", ">
> <token-local-variable name="error.do-find-matching-object"/>
> </token-join>
> </arg-string>
> </do-set-local-variable>
> </arg-actions>
> </do-if>
> <do-status level="error">
> <arg-string>
> <token-local-variable name="logMessage"/>
> </arg-string>
> </do-status>
> <do-veto/>
> </actions>
> </rule>
>
> If you really want to update the already associated object found with
> values
> from the current object (wold you mind expain why you want to do that?),
> just
> use
>
> <token-local-variable name="error.do-find-matching-object"/>
>
> as the DN of the target object in token
> do-set/add/remove/clear-dest-attr
> instead of the default of "Current Object".
>
> Now if the variable error.do-find-matching-object is false this
> indicates that
> there is no matching error, which can be a successful match (the
> destination DN
> will then be set) or no match found (which leaves the current operation
> without
> destination DN. Can it be that you confuse a successful match with a
> matching
> error where an object already associated to a different user in your DB
> is
> found and expect a successful match to set the error variable?


This is the matching rule:

<rule>
<description>matchUserInIDV</description>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<if-operation mode="case" op="equal">add</if-operation>
</and>
</conditions>
<actions>
<do-find-matching-object scope="subtree">
<arg-dn>
<token-text xml:space="preserve">us\dev1\users</token-text>
</arg-dn>
<arg-match-attr name="Surname"/>
<arg-match-attr name="Given Name"/>
</do-find-matching-object>
</actions>
</rule>

and after execution the driver returned:

<nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
<source>
<product build="20120601_0445" instance="JDBC_LAWSON"
version="3.5.9">DirXML Driver for JDBC</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" dest-dn="" dest-entry-id="-1"
event-id="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER"
src-dn="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER">
<association
state="associated">EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER</association>
<add-attr attr-name="employeeNumber">
<value type="integer">129</value>
</add-attr>
<add-attr attr-name="Given Name">
<value type="string">jtest</value>
</add-attr>
<add-attr attr-name="Surname">
<value type="string">user</value>
</add-attr>
<operation-data
error.do-find-matching-object="\PDS-DEV\us\dev1\users\jtest_user"/>
</add>
</input>
</nds>


--
joydeepg
------------------------------------------------------------------------
joydeepg's Profile: https://forums.netiq.com/member.php?userid=7638
View this thread: https://forums.netiq.com/showthread.php?t=51207

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Unable to get value of error.do-find-matching-object

On 06/30/2014 04:28 AM, joydeepg wrote:
>
> This is the matching rule:
>
> <rule>
> <description>matchUserInIDV</description>
> <conditions>
> <and>
> <if-class-name mode="nocase" op="equal">User</if-class-name>
> <if-operation mode="case" op="equal">add</if-operation>
> </and>
> </conditions>
> <actions>
> <do-find-matching-object scope="subtree">
> <arg-dn>
> <token-text xml:space="preserve">us\dev1\users</token-text>
> </arg-dn>
> <arg-match-attr name="Surname"/>
> <arg-match-attr name="Given Name"/>
> </do-find-matching-object>
> </actions>
> </rule>
>
> and after execution the driver returned:
>
> <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
> <source>
> <product build="20120601_0445" instance="JDBC_LAWSON"
> version="3.5.9">DirXML Driver for JDBC</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add class-name="User" dest-dn="" dest-entry-id="-1"
> event-id="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER"
> src-dn="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER">
> <association
> state="associated">EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER</association>
> <add-attr attr-name="employeeNumber">
> <value type="integer">129</value>
> </add-attr>
> <add-attr attr-name="Given Name">
> <value type="string">jtest</value>
> </add-attr>
> <add-attr attr-name="Surname">
> <value type="string">user</value>
> </add-attr>
> <operation-data
> error.do-find-matching-object="\PDS-DEV\us\dev1\users\jtest_user"/>
> </add>
> </input>
> </nds>


It would help if we had the trace of things happening, not just the end
state. It may also help to know exactly which version of IDM (including
patches) you are on.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Unable to get value of error.do-find-matching-object


ab;246015 Wrote:
> On 06/30/2014 04:28 AM, joydeepg wrote:
> >
> > This is the matching rule:
> >
> > <rule>
> > <description>matchUserInIDV</description>
> > <conditions>
> > <and>
> > <if-class-name mode="nocase" op="equal">User</if-class-name>
> > <if-operation mode="case" op="equal">add</if-operation>
> > </and>
> > </conditions>
> > <actions>
> > <do-find-matching-object scope="subtree">
> > <arg-dn>
> > <token-text xml:space="preserve">us\dev1\users</token-text>
> > </arg-dn>
> > <arg-match-attr name="Surname"/>
> > <arg-match-attr name="Given Name"/>
> > </do-find-matching-object>
> > </actions>
> > </rule>
> >
> > and after execution the driver returned:
> >
> > <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
> > <source>
> > <product build="20120601_0445" instance="JDBC_LAWSON"
> > version="3.5.9">DirXML Driver for JDBC</product>
> > <contact>Novell, Inc.</contact>
> > </source>
> > <input>
> > <add class-name="User" dest-dn="" dest-entry-id="-1"
> > event-id="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER"
> > src-dn="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER">
> > <association
> >

> state="associated">EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER</association>
> > <add-attr attr-name="employeeNumber">
> > <value type="integer">129</value>
> > </add-attr>
> > <add-attr attr-name="Given Name">
> > <value type="string">jtest</value>
> > </add-attr>
> > <add-attr attr-name="Surname">
> > <value type="string">user</value>
> > </add-attr>
> > <operation-data
> > error.do-find-matching-object="\PDS-DEV\us\dev1\users\jtest_user"/>
> > </add>
> > </input>
> > </nds>

>
> It would help if we had the trace of things happening, not just the end
> state. It may also help to know exactly which version of IDM
> (including
> patches) you are on.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


[06/30/14 15:22:32.477]:lawson PT:Synthetic add:
[06/30/14 15:22:32.477]:lawson PT:
<nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
<source>
<product build="20120601_0445" instance="JDBC_LAWSON"
version="3.5.9">DirXML Driver for JDBC</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User"
event-id="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER"
src-dn="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER">
<association
state="associated">EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER</association>
<add-attr attr-name="employeeNumber">
<value type="integer">129</value>
</add-attr>
<add-attr attr-name="Given Name">
<value type="string">jtest</value>
</add-attr>
<add-attr attr-name="Surname">
<value type="string">user</value>
</add-attr>
</add>
</input>
</nds>
[06/30/14 15:22:32.478]:lawson PT:Applying object matching policies.
[06/30/14 15:22:32.478]:lawson PT:Applying policy:
%+C%14Cpub-mp-matchExistingUser%-C.
[06/30/14 15:22:32.478]:lawson PT: Applying to add #1.
[06/30/14 15:22:32.479]:lawson PT: Evaluating selection criteria for
rule 'matchUserInIDV'.
[06/30/14 15:22:32.479]:lawson PT: (if-class-name equal "User") =
TRUE.
[06/30/14 15:22:32.479]:lawson PT: (if-operation equal "add") =
TRUE.
[06/30/14 15:22:32.479]:lawson PT: Rule selected.
[06/30/14 15:22:32.479]:lawson PT: Applying rule 'matchUserInIDV'.
[06/30/14 15:22:32.479]:lawson PT: Action:
do-find-matching-object(scope="subtree",arg-dn("us\dev1\users"),arg-match-attr("Surname"),arg-match-attr("Given
Name")).
[06/30/14 15:22:32.480]:lawson PT: arg-dn("us\dev1\users")
[06/30/14 15:22:32.480]:lawson PT: token-text("us\dev1\users")
[06/30/14 15:22:32.480]:lawson PT: Arg Value: "us\dev1\users".
[06/30/14 15:22:32.480]:lawson PT: arg-match-attr("Surname")
[06/30/14 15:22:32.480]:lawson PT: arg-match-attr("Given Name")
[06/30/14 15:22:32.480]:lawson PT: Query from policy
[06/30/14 15:22:32.480]:lawson PT:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query class-name="User" dest-dn="us\dev1\users" scope="subtree">
<search-class class-name="User"/>
<search-attr attr-name="Surname">
<value type="string">user</value>
</search-attr>
<search-attr attr-name="Given Name">
<value type="string">jtest</value>
</search-attr>
<read-attr/>
</query>
</input>
</nds>
[06/30/14 15:22:32.481]:lawson PT: Pumping XDS to eDirectory.
[06/30/14 15:22:32.481]:lawson PT: Performing operation query for
us\dev1\users.
[06/30/14 15:22:32.482]:lawson PT: --JCLNT--
\PDS-DEV\system\idm\driverset\JDBC_LAWSON - Publisher : Duplicating :
context = 1782775901, tempContext = 1782775917
[06/30/14 15:22:32.483]:lawson PT: --JCLNT--
\PDS-DEV\system\idm\driverset\JDBC_LAWSON - Publisher : Calling free on
tempContext = 1782775917
[06/30/14 15:22:32.484]:lawson PT: Query from policy result
[06/30/14 15:22:32.484]:lawson PT:

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance class-name="User" event-id="0"
qualified-src-dn="C=us\O=dev1\OU=users\CN=jtest_user"
src-dn="\PDS-DEV\us\dev1\users\jtest_user" src-entry-id="33578">
<association
state="associated">EMPLOYEE=127,table=EMPLOYEE_TABLE,schema=TEST_USER</association>
</instance>
<status event-id="0" level="success"></status>
</output>
</nds>
[06/30/14 15:22:32.485]:lawson PT: Match found:
src-dn='\PDS-DEV\us\dev1\users\jtest_user'
[06/30/14 15:22:32.485]:lawson PT:Policy returned:
[06/30/14 15:22:32.485]:lawson PT:
<nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
<source>
<product build="20120601_0445" instance="JDBC_LAWSON"
version="3.5.9">DirXML Driver for JDBC</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" dest-dn="" dest-entry-id="-1"
event-id="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER"
src-dn="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER">
<association
state="associated">EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER</association>
<add-attr attr-name="employeeNumber">
<value type="integer">129</value>
</add-attr>
<add-attr attr-name="Given Name">
<value type="string">jtest</value>
</add-attr>
<add-attr attr-name="Surname">
<value type="string">user</value>
</add-attr>
<operation-data
error.do-find-matching-object="\PDS-DEV\us\dev1\users\jtest_user"/>
</add>
</input>
</nds>

Hopefully this trace helps. I am using 4.0.2 version.


--
joydeepg
------------------------------------------------------------------------
joydeepg's Profile: https://forums.netiq.com/member.php?userid=7638
View this thread: https://forums.netiq.com/showthread.php?t=51207

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Unable to get value of error.do-find-matching-object

On 06/30/2014 05:24 AM, joydeepg wrote:
>
> ab;246015 Wrote:
>> On 06/30/2014 04:28 AM, joydeepg wrote:
>>>
>>> This is the matching rule:
>>>
>>> <rule>
>>> <description>matchUserInIDV</description>
>>> <conditions>
>>> <and>
>>> <if-class-name mode="nocase" op="equal">User</if-class-name>
>>> <if-operation mode="case" op="equal">add</if-operation>
>>> </and>
>>> </conditions>
>>> <actions>
>>> <do-find-matching-object scope="subtree">
>>> <arg-dn>
>>> <token-text xml:space="preserve">us\dev1\users</token-text>
>>> </arg-dn>
>>> <arg-match-attr name="Surname"/>
>>> <arg-match-attr name="Given Name"/>
>>> </do-find-matching-object>
>>> </actions>
>>> </rule>
>>>
>>> and after execution the driver returned:
>>>
>>> <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
>>> <source>
>>> <product build="20120601_0445" instance="JDBC_LAWSON"
>>> version="3.5.9">DirXML Driver for JDBC</product>
>>> <contact>Novell, Inc.</contact>
>>> </source>
>>> <input>
>>> <add class-name="User" dest-dn="" dest-entry-id="-1"
>>> event-id="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER"
>>> src-dn="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER">
>>> <association
>>>

>> state="associated">EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER</association>
>>> <add-attr attr-name="employeeNumber">
>>> <value type="integer">129</value>
>>> </add-attr>
>>> <add-attr attr-name="Given Name">
>>> <value type="string">jtest</value>
>>> </add-attr>
>>> <add-attr attr-name="Surname">
>>> <value type="string">user</value>
>>> </add-attr>
>>> <operation-data
>>> error.do-find-matching-object="\PDS-DEV\us\dev1\users\jtest_user"/>
>>> </add>
>>> </input>
>>> </nds>

>>
>> It would help if we had the trace of things happening, not just the end
>> state. It may also help to know exactly which version of IDM
>> (including
>> patches) you are on.
>>
>> --
>> Good luck.
>>
>> If you find this post helpful and are logged into the web interface,
>> show your appreciation and click on the star below...

>
> [06/30/14 15:22:32.477]:lawson PT:Synthetic add:
> [06/30/14 15:22:32.477]:lawson PT:
> <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
> <source>
> <product build="20120601_0445" instance="JDBC_LAWSON"
> version="3.5.9">DirXML Driver for JDBC</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add class-name="User"
> event-id="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER"
> src-dn="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER">
> <association
> state="associated">EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER</association>
> <add-attr attr-name="employeeNumber">
> <value type="integer">129</value>
> </add-attr>
> <add-attr attr-name="Given Name">
> <value type="string">jtest</value>
> </add-attr>
> <add-attr attr-name="Surname">
> <value type="string">user</value>
> </add-attr>
> </add>
> </input>
> </nds>
> [06/30/14 15:22:32.478]:lawson PT:Applying object matching policies.
> [06/30/14 15:22:32.478]:lawson PT:Applying policy:
> %+C%14Cpub-mp-matchExistingUser%-C.
> [06/30/14 15:22:32.478]:lawson PT: Applying to add #1.
> [06/30/14 15:22:32.479]:lawson PT: Evaluating selection criteria for
> rule 'matchUserInIDV'.
> [06/30/14 15:22:32.479]:lawson PT: (if-class-name equal "User") =
> TRUE.
> [06/30/14 15:22:32.479]:lawson PT: (if-operation equal "add") =
> TRUE.
> [06/30/14 15:22:32.479]:lawson PT: Rule selected.
> [06/30/14 15:22:32.479]:lawson PT: Applying rule 'matchUserInIDV'.
> [06/30/14 15:22:32.479]:lawson PT: Action:
> do-find-matching-object(scope="subtree",arg-dn("us\dev1\users"),arg-match-attr("Surname"),arg-match-attr("Given
> Name")).
> [06/30/14 15:22:32.480]:lawson PT: arg-dn("us\dev1\users")
> [06/30/14 15:22:32.480]:lawson PT: token-text("us\dev1\users")
> [06/30/14 15:22:32.480]:lawson PT: Arg Value: "us\dev1\users".
> [06/30/14 15:22:32.480]:lawson PT: arg-match-attr("Surname")
> [06/30/14 15:22:32.480]:lawson PT: arg-match-attr("Given Name")
> [06/30/14 15:22:32.480]:lawson PT: Query from policy
> [06/30/14 15:22:32.480]:lawson PT:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.2.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <query class-name="User" dest-dn="us\dev1\users" scope="subtree">
> <search-class class-name="User"/>
> <search-attr attr-name="Surname">
> <value type="string">user</value>
> </search-attr>
> <search-attr attr-name="Given Name">
> <value type="string">jtest</value>
> </search-attr>
> <read-attr/>
> </query>
> </input>
> </nds>
> [06/30/14 15:22:32.481]:lawson PT: Pumping XDS to eDirectory.
> [06/30/14 15:22:32.481]:lawson PT: Performing operation query for
> us\dev1\users.
> [06/30/14 15:22:32.482]:lawson PT: --JCLNT--
> \PDS-DEV\system\idm\driverset\JDBC_LAWSON - Publisher : Duplicating :
> context = 1782775901, tempContext = 1782775917
> [06/30/14 15:22:32.483]:lawson PT: --JCLNT--
> \PDS-DEV\system\idm\driverset\JDBC_LAWSON - Publisher : Calling free on
> tempContext = 1782775917
> [06/30/14 15:22:32.484]:lawson PT: Query from policy result
> [06/30/14 15:22:32.484]:lawson PT:
>
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.2.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <instance class-name="User" event-id="0"
> qualified-src-dn="C=us\O=dev1\OU=users\CN=jtest_user"
> src-dn="\PDS-DEV\us\dev1\users\jtest_user" src-entry-id="33578">
> <association
> state="associated">EMPLOYEE=127,table=EMPLOYEE_TABLE,schema=TEST_USER</association>
> </instance>
> <status event-id="0" level="success"></status>
> </output>
> </nds>
> [06/30/14 15:22:32.485]:lawson PT: Match found:
> src-dn='\PDS-DEV\us\dev1\users\jtest_user'
> [06/30/14 15:22:32.485]:lawson PT:Policy returned:
> [06/30/14 15:22:32.485]:lawson PT:
> <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
> <source>
> <product build="20120601_0445" instance="JDBC_LAWSON"
> version="3.5.9">DirXML Driver for JDBC</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add class-name="User" dest-dn="" dest-entry-id="-1"
> event-id="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER"
> src-dn="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER">
> <association
> state="associated">EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER</association>
> <add-attr attr-name="employeeNumber">
> <value type="integer">129</value>
> </add-attr>
> <add-attr attr-name="Given Name">
> <value type="string">jtest</value>
> </add-attr>
> <add-attr attr-name="Surname">
> <value type="string">user</value>
> </add-attr>
> <operation-data
> error.do-find-matching-object="\PDS-DEV\us\dev1\users\jtest_user"/>
> </add>
> </input>
> </nds>


Great! In this case you just need to add in the logic from Lothar's
policy after this rule and see if that handles the situation properly.
The idea is that it will detect a local variable which you can then use to
do other things like generate an audit or trace messages, set the new
dest-dn for the already-matched object, or whatever else.

Just to be clear, I do not think anything you have shown so far actually
includes any logic to do anything, even read, the local variable that your
thread says you are not able to access. Seeing that failure would be
helpful, and if you add Lothar's rules right after your sin the same
policy we can probably see what is needed in a new trace.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Unable to get value of error.do-find-matching-object


[06/30/14 15:22:32.487]:lawson PT:Applying policy:
%+C%14Cpub-mp-processMatchedUser%-C.
[06/30/14 15:22:32.487]:lawson PT: Applying to add #1.
[06/30/14 15:22:32.487]:lawson PT: Evaluating selection criteria for
rule 'matchedUserProcessing'.
[06/30/14 15:22:32.487]:lawson PT: (if-xml-attr 'dest-dn' match
"\uFFFC") = TRUE.
[06/30/14 15:22:32.488]:lawson PT: (if-dest-dn match "\uFFFC") =
TRUE.
[06/30/14 15:22:32.488]:lawson PT: (if-xpath true "@dest-dn=''")
= TRUE.
[06/30/14 15:22:32.488]:lawson PT: Rule selected.
[06/30/14 15:22:32.488]:lawson PT: Applying rule
'matchedUserProcessing'.
[06/30/14 15:22:32.488]:lawson PT: Action: do-trace-message("Error
in object creation").
[06/30/14 15:22:32.488]:lawson PT: arg-string("Error in object
creation")
[06/30/14 15:22:32.489]:lawson PT: token-text("Error in object
creation")
[06/30/14 15:22:32.489]:lawson PT: Arg Value: "Error in object
creation".
[06/30/14 15:22:32.489]:lawson PT:Error in object creation
[06/30/14 15:22:32.489]:lawson PT: Action:
do-set-local-variable("dest-dn",scope="policy",token-xpath("@dest-dn")).
[06/30/14 15:22:32.489]:lawson PT:
arg-string(token-xpath("@dest-dn"))
[06/30/14 15:22:32.489]:lawson PT: token-xpath("@dest-dn")
[06/30/14 15:22:32.489]:lawson PT: Token Value: "".
[06/30/14 15:22:32.490]:lawson PT: Arg Value: "".
[06/30/14 15:22:32.490]:lawson PT: Action:
do-trace-message(token-local-variable("dest-dn")).
[06/30/14 15:22:32.490]:lawson PT:
arg-string(token-local-variable("dest-dn"))
[06/30/14 15:22:32.490]:lawson PT:
token-local-variable("dest-dn")
[06/30/14 15:22:32.490]:lawson PT: Token Value: "".
[06/30/14 15:22:32.490]:lawson PT: Arg Value: "".
[06/30/14 15:22:32.490]:lawson PT:
[06/30/14 15:22:32.490]:lawson PT: Action:
do-set-local-variable("matchObject",scope="policy",arg-node-set(token-local-variable("error.do-find-matching-object"))).
[06/30/14 15:22:32.491]:lawson PT:
arg-node-set(token-local-variable("error.do-find-matching-object"))
[06/30/14 15:22:32.491]:lawson PT:
token-local-variable("error.do-find-matching-object")
[06/30/14 15:22:32.491]:lawson PT: Token Value: "".
[06/30/14 15:22:32.491]:lawson PT: Arg Value: {""}.
[06/30/14 15:22:32.491]:lawson PT:Policy returned:
[06/30/14 15:22:32.491]:lawson PT:
<nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
<source>
<product build="20120601_0445" instance="JDBC_LAWSON"
version="3.5.9">DirXML Driver for JDBC</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" dest-dn="" dest-entry-id="-1"
event-id="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER"
src-dn="EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER">
<association
state="associated">EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER</association>
<add-attr attr-name="employeeNumber">
<value type="integer">129</value>
</add-attr>
<add-attr attr-name="Given Name">
<value type="string">jtest</value>
</add-attr>
<add-attr attr-name="Surname">
<value type="string">user</value>
</add-attr>
<operation-data
error.do-find-matching-object="\PDS-DEV\us\dev1\users\jtest_user"/>
</add>
</input>
</nds>
[06/30/14 15:22:32.493]:lawson PT:
DirXML Log Event -------------------
Driver: \PDS-DEV\system\idm\driverset\JDBC_LAWSON
Channel: Publisher
Object: EMPLOYEE=129,table=EMPLOYEE_TABLE,schema=TEST_USER
Status: Error
Message: Code(-9063) Object matching policy found an object that
is already associated: {0}.
[06/30/14 15:22:32.498]:lawson PT:Fixing up association references.
[06/30/14 15:22:32.499]:lawson PT:Applying schema mapping policies to
output.
[06/30/14 15:22:32.499]:lawson PT:Applying policy:
%+C%14CSchema+Mapping+Rule%-C.
lawson lines 74302-74363/117397 64%


I have tried to print the values but you can see
error.do-find-matching-object returns nothing.


--
joydeepg
------------------------------------------------------------------------
joydeepg's Profile: https://forums.netiq.com/member.php?userid=7638
View this thread: https://forums.netiq.com/showthread.php?t=51207

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Unable to get value of error.do-find-matching-object


One more thing Designer does not show the error.do-find-matching-object.
why?


--
joydeepg
------------------------------------------------------------------------
joydeepg's Profile: https://forums.netiq.com/member.php?userid=7638
View this thread: https://forums.netiq.com/showthread.php?t=51207

0 Likes
Knowledge Partner
Knowledge Partner

Re: Unable to get value of error.do-find-matching-object

On 6/30/2014 12:34 PM, joydeepg wrote:
>
> One more thing Designer does not show the error.do-find-matching-object.
> why?


It is in the Error variables tab, and only if you are 'near' a Find
Matching object. So maybe it only shows it in the Matching policy?


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Unable to get value of error.do-find-matching-object


geoffc;246056 Wrote:
> On 6/30/2014 12:34 PM, joydeepg wrote:
> >
> > One more thing Designer does not show the

> error.do-find-matching-object.
> > why?

>
> It is in the Error variables tab, and only if you are 'near' a Find
> Matching object. So maybe it only shows it in the Matching policy?


I am getting the following list of error variables only in the error
variables tab:

error.do-add-resource
error.do-add-role
error.do-clear-sso-credential
error.do-remove-resource
error.do-remove-role
error.do-send-email
error.do-send-email-from-template
error.do-set-sso-credential
error.do-set-sso-passphrase
error.do-start-workflow

Even if I am manually entering the name, the
error.do-find-matching-object does not return the src-dn of the matched
object as you can from the trace I posted. Why this is happening?


--
joydeepg
------------------------------------------------------------------------
joydeepg's Profile: https://forums.netiq.com/member.php?userid=7638
View this thread: https://forums.netiq.com/showthread.php?t=51207

0 Likes
Knowledge Partner
Knowledge Partner

Re: Unable to get value of error.do-find-matching-object

joydeepg wrote:

> I am getting the following list of error variables only in the error
> variables tab:
>
> error.do-add-resource
> error.do-add-role
> error.do-clear-sso-credential
> error.do-remove-resource
> error.do-remove-role
> error.do-send-email
> error.do-send-email-from-template
> error.do-set-sso-credential
> error.do-set-sso-passphrase
> error.do-start-workflow


This is probably a Designer bug, open a SR to get it fixed or enter directly at
bugzilla.novell.com

> Even if I am manually entering the name, the
> error.do-find-matching-object does not return the src-dn of the matched
> object as you can from the trace I posted. Why this is happening?


Seems like you set a variable of type "nodeset" here:

>

do-set-local-variable("matchObject",scope="policy",arg-node-set(token-local-vari
able("error.do-find-matching-object"))).

Try with "string" instead (and if that does not help, open a SR, maybe?)

______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Unable to get value of error.do-find-matching-object


lhaeger;246073 Wrote:
> joydeepg wrote:
>
> > I am getting the following list of error variables only in the error
> > variables tab:
> >
> > error.do-add-resource
> > error.do-add-role
> > error.do-clear-sso-credential
> > error.do-remove-resource
> > error.do-remove-role
> > error.do-send-email
> > error.do-send-email-from-template
> > error.do-set-sso-credential
> > error.do-set-sso-passphrase
> > error.do-start-workflow

>
> This is probably a Designer bug, open a SR to get it fixed or enter
> directly at
> bugzilla.novell.com
>
> > Even if I am manually entering the name, the
> > error.do-find-matching-object does not return the src-dn of the

> matched
> > object as you can from the trace I posted. Why this is happening?

>
> Seems like you set a variable of type "nodeset" here:
>
> >

> do-set-local-variable("matchObject",scope="policy",arg-node-set(token-local-vari
> able("error.do-find-matching-object"))).
>
> Try with "string" instead (and if that does not help, open a SR, maybe?)


<nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
<source>
<product build="20120601_0445" instance="JDBC_LAWSON"
version="3.5.9">DirXML Driver for JDBC</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" dest-dn="?" dest-entry-id="-1"
event-id="EMPLOYEE=142,table=EMPLOYEE_TABLE,schema=TEST_USER"
src-dn="EMPLOYEE=142,table=EMPLOYEE_TABLE,schema=TEST_USER">
<association
state="associated">EMPLOYEE=142,table=EMPLOYEE_TABLE,schema=TEST_USER</association>
<add-attr attr-name="employeeNumber">
<value type="integer">142</value>
</add-attr>
<add-attr attr-name="Given Name">
<value type="string">jtest</value>
</add-attr>
<add-attr attr-name="Surname">
<value type="string">user</value>
</add-attr>
<operation-data
error.do-find-matching-object="\PDS-DEV\us\dev1\users\jtest_user"/>
</add>
</input>
</nds>
[07/02/14 13:52:32.992]:lawson PT:Applying policy:
%+C%14Cpub-mp-processMatchedUser%-C.
[07/02/14 13:52:32.993]:lawson PT: Applying to add #1.
[07/02/14 13:52:32.993]:lawson PT: Evaluating selection criteria for
rule 'matchedUserProcessing'.
[07/02/14 13:52:32.993]:lawson PT: (if-xml-attr 'dest-dn' match
"\uFFFC") = TRUE.
[07/02/14 13:52:32.993]:lawson PT: (if-dest-dn match "\uFFFC") =
TRUE.
[07/02/14 13:52:32.994]:lawson PT: (if-xpath true "@dest-dn='?'") =
TRUE.
[07/02/14 13:52:32.994]:lawson PT: Rule selected.
[07/02/14 13:52:32.994]:lawson PT: Applying rule
'matchedUserProcessing'.
[07/02/14 13:52:32.994]:lawson PT: Action: do-trace-message("Error
in object creation").
[07/02/14 13:52:32.994]:lawson PT: arg-string("Error in object
creation")
[07/02/14 13:52:32.994]:lawson PT: token-text("Error in object
creation")
[07/02/14 13:52:32.994]:lawson PT: Arg Value: "Error in object
creation".
[07/02/14 13:52:32.995]:lawson PT:Error in object creation
[07/02/14 13:52:32.995]:lawson PT: Action:
do-set-local-variable("dest-dn",scope="policy",token-xpath("@dest-dn")).
[07/02/14 13:52:32.995]:lawson PT:
arg-string(token-xpath("@dest-dn"))
[07/02/14 13:52:32.995]:lawson PT: token-xpath("@dest-dn")
[07/02/14 13:52:32.995]:lawson PT: Token Value: "?".
[07/02/14 13:52:33.012]:lawson PT: Arg Value: "?".
[07/02/14 13:52:33.012]:lawson PT: Action:
do-trace-message(token-local-variable("dest-dn")).
[07/02/14 13:52:33.012]:lawson PT:
arg-string(token-local-variable("dest-dn"))
[07/02/14 13:52:33.012]:lawson PT:
token-local-variable("dest-dn")
[07/02/14 13:52:33.012]:lawson PT: Token Value: "?".
[07/02/14 13:52:33.012]:lawson PT: Arg Value: "?".
[07/02/14 13:52:33.013]:lawson PT:?
[07/02/14 13:52:33.013]:lawson PT: Action:
do-set-local-variable("matchObject",scope="policy",token-xpath("operation-data/@error.do-find-matching-object")).
[07/02/14 13:52:33.013]:lawson PT:
arg-string(token-xpath("operation-data/@error.do-find-matching-object"))
[07/02/14 13:52:33.013]:lawson PT:
token-xpath("operation-data/@error.do-find-matching-object")
[07/02/14 13:52:33.013]:lawson PT: Token Value:
"\PDS-DEV\us\dev1\users\jtest_user".
[07/02/14 13:52:33.014]:lawson PT: Arg Value:
"\PDS-DEV\us\dev1\users\jtest_user".
[07/02/14 13:52:33.014]:lawson PT:Policy returned:
[07/02/14 13:52:33.014]:lawson PT:
<nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
<source>
<product build="20120601_0445" instance="JDBC_LAWSON"
version="3.5.9">DirXML Driver for JDBC</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" dest-dn="?" dest-entry-id="-1"
event-id="EMPLOYEE=142,table=EMPLOYEE_TABLE,schema=TEST_USER"
src-dn="EMPLOYEE=142,table=EMPLOYEE_TABLE,schema=TEST_USER">

I have devised a way to get the value as you can see in the trace. Is
this the right way?


--
joydeepg
------------------------------------------------------------------------
joydeepg's Profile: https://forums.netiq.com/member.php?userid=7638
View this thread: https://forums.netiq.com/showthread.php?t=51207

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.