
"If source attribute equals" doesn't work


Hi all,

I’m facing a new problem in my way to understand a little more how NIM
works :confused:

In my driver’s publisher channel, I want to make the following rule :
If the user’s attribute “adminDescription” changes to ”rt” :

- the mapped attribute (“jackNumber”) will also change
- change “jackNumber” and “adminDescription” to “nm”
- delete “Initials” attribute inside NIM



To do this, I did a rule in the Command Transformation Policy:

Code:
--------------------
<policy>
  <rule>
    <description>fin de la migration</description>
    <conditions>
      <and>
        <if-src-attr mode="nocase" name="adminDescription" op="equal">rt</if-src-attr>
      </and>
    </conditions>
    <actions>
      <do-clear-dest-attr-value class-name="User" name="Initials"/>
      <do-set-dest-attr-value class-name="User" name="jackNumber">
        <arg-value type="string">
          <token-text xml:space="preserve">nm</token-text>
        </arg-value>
      </do-set-dest-attr-value>
      <do-set-src-attr-value class-name="user" name="adminCount">
        <arg-value type="string">
          <token-text xml:space="preserve">nm</token-text>
        </arg-value>
      </do-set-src-attr-value>
    </actions>
  </rule>
</policy>
--------------------


My problem is that when I change manually the “adminDescription”
attribute to “rt”, I see that “jackNumber” changes also to “rt”, but my
rule is rejected:
> <nds dtdversion="1.1" ndsversion="8.7">
> <source>
> <product asn1id="" build="20120330_120000"
> instance="\IDV\system\DriverSet\ConnecteurAD"
> version="4.0.0.0">AD</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <instance class-name="user" event-id="0" src-dn="CN=User
> Syn,CN=Users,DC=nim2012,DC=intra">
> <association>428840cd9e5b434a84ea3385787d84e1</association>
> *<attr attr-name="adminDescription">
> <value naming="true" type="string">rt</value>
> </attr>*
> </instance>
> <status level="success"/>
> </output>
> </nds>
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Applying policy:
> NOVLADDCFG-smp.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Mapping class-name
> 'user' to 'User'.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Mapping attr-name
> 'adminDescription' to 'jackNumber'.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Applying policy:
> NOVLDATACOLL-smp-SkipSchemaMapping.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Applying to instance
> #1.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Evaluating selection
> criteria for rule 'skip'.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: (if-operation
> equal "instance") = TRUE.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: (if-op-property
> 'data-collection-query' equal "true") = FALSE.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Rule rejected.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Evaluating selection
> criteria for rule 'restore'.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: (if-op-property
> 'restore-attr-names' equal "true") = FALSE.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Rule rejected.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Applying to status
> #2.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Evaluating selection
> criteria for rule 'skip'.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: (if-operation
> equal "instance") = FALSE.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Rule rejected.
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Evaluating selection
> criteria for rule 'restore'.
> [12/08/2014 18:02:09.376] ConnecteurAD PT: (if-op-property
> 'restore-attr-names' equal "true") = FALSE.
> [12/08/2014 18:02:09.376] ConnecteurAD PT: Rule rejected.
> [12/08/2014 18:02:09.376] ConnecteurAD PT: Policy returned:
> [12/08/2014 18:02:09.376] ConnecteurAD PT:
> <nds dtdversion="1.1" ndsversion="8.7">
> <source>
> <product asn1id="" build="20120330_120000"
> instance="\IDV\system\DriverSet\ConnecteurAD"
> version="4.0.0.0">AD</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> *<instance class-name="User" event-id="0" src-dn="CN=User
> Syn,CN=Users,DC=nim2012,DC=intra">
> <association>428840cd9e5b434a84ea3385787d84e1</association>
> <attr attr-name="jackNumber">
> <value naming="true" type="string">rt</value>
> </attr>
> </instance>*
> <status level="success"/>
> </output>
> </nds>
> [12/08/2014 18:02:09.376] ConnecteurAD PT: Resolving association
> references.
> [12/08/2014 18:02:09.376] ConnecteurAD PT: Query from policy
> result
> [12/08/2014 18:02:09.376] ConnecteurAD PT:
> <nds dtdversion="1.1" ndsversion="8.7">
> <source>
> <product asn1id="" build="20120330_120000"
> instance="\IDV\system\DriverSet\ConnecteurAD"
> version="4.0.0.0">AD</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <instance class-name="User" event-id="0" src-dn="CN=User
> Syn,CN=Users,DC=nim2012,DC=intra">
> <association>428840cd9e5b434a84ea3385787d84e1</association>
> *<attr attr-name="jackNumber">
> <value naming="true" type="string">rt</value>
> </attr>*
> </instance>
> <status level="success"/>
> </output>
> </nds>
> [12/08/2014 18:02:09.376] ConnecteurAD PT: *(if-src-attr
> 'adminDescription' equal "rt") = FALSE.*
> [12/08/2014 18:02:09.376] ConnecteurAD PT: Query from policy
> [12/08/2014 18:02:09.376] ConnecteurAD PT:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Standard" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <query class-name="User" dest-dn="data\personnes\usyn"
> dest-entry-id="98587" scope="entry">
> <read-attr attr-name="jackNumber"/>
> </query>
> </input>
> </nds>


I also tried to evaluate the target attribute using jackNumber, but it was
also rejected...
Does anyone have an idea why?

Thanks in advance,
Remi


--
remifournier
------------------------------------------------------------------------
remifournier's Profile: https://forums.netiq.com/member.php?userid=8277
View this thread: https://forums.netiq.com/showthread.php?t=52385

Re: "If source attribute equals" doesn't work

remifournier wrote:

> I also try to evaluate the target attribute using jackNumber, but it was
> also rejected...
> Does anyone have an idea why?


According to the trace, you map adminDescription to jackNumber and since you
evaluate your rule in a command transform, it's already mapped to jackNumber
at that time. You need to test for src-attr(jackNumber) instead of
src-attr(adminDescription), try:

<if-src-attr mode="nocase" name="jackNumber" op="equal">rt</if-src-attr>

As a general rule, use Edirectory attribute names in all policies except
input/output transforms.
______________________________________________
https://www.is4it.de/identity-access-management

Re: "If source attribute equals" doesn't work

On 12/9/2014 5:58 AM, remifournier wrote:
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Mapping attr-name
>>'adminDescription' to 'jackNumber'.


So your <instance> starts with "adminDescription" being returned, but
Schema Map converts that to 'jackNumber'. Which is fine.

Just ask if source attr jackNumber has the value rt instead.


Re: "If source attribute equals" doesn't work


Thanks geoffc and lhaeger,

It worked. But I have to say it's really hard to think this way. For me
the source attribute (in my source directory) is still adminDescription.
In my head, I had:

- source: adminDescription from AD
- target: jackNumber from NIM


The fact that I create a mapping was just to tell NIM that when I change
AD I would like to change also jackNumber... It's not very intuitive to
think that my source attribute changed to adminDescription...

Anyway, the important thing is that it worked and I learned something
new 🙂

Thanks again,
Remi



Re: "If source attribute equals" doesn't work

remifournier wrote:

> It worked. But I have to say it's really hard to think this way. For me
> the source attribute (in my source directory) is still adminDescription.
> In my head, I had:
>
> - source: adminDescription from AD
> - target: jackNumber from NIM
>
> The fact that I create a mapping was just to tell NIM that when I change
> AD I would like to change also jackNumber... It's not very intuitive to
> think that my source attribute changed to adminDescription...


Think different. (will IBM sue me for this...? Or Lenovo?)

When you look at the fishbone view in Designer or iManager note where the
schema mapping policies are located. Everything from there in direction to the
application is in application namespace (here AD class and attribute names).
Everything between schema mapping and ID Vault is in Edirectory namespace
(classes and attributes).

So in input/output transforms, use AD attribute names, in event, command,
mapping, creation, placement policies use Edir attribute names.

Re: "If source attribute equals" doesn't work


lhaeger;251931 Wrote:
> Think different. (will IBM sue me for this...? Or Lenovo?)
>
> When you look at the fishbone view in Designer or iManager note where
> the
> schema mapping policies are located. Everything from there in direction
> to the
> application is in application namespace (here AD class and attribute
> names).
> Everything between schema mapping and ID Vault is in Edirectory
> namespace
> (classes and attributes).
>
> So in input/output transforms, use AD attribute names, in event,
> command,
> mapping, creation, placement policies use Edir attribute names.


Hi, sorry for the late answer,

But every time I thought I understand, there's something that doesn't
work well :

Now I'm having some trouble with the displayName and employeeType
attributes. In my publisher channel's Command Strategy, I did the
following rule to change the user's displayName:
> [12/15/2014 13:45:23.106] ConnecteurAD PT: (if-src-attr
> 'jackNumber' equal "rt") = FALSE.
> [12/15/2014 13:45:23.106] ConnecteurAD PT: Rule rejected.
> [12/15/2014 13:45:23.106] ConnecteurAD PT: Evaluating selection
> criteria for rule 'attributs map'.
> [12/15/2014 13:45:23.106] ConnecteurAD PT: (if-class-name equal
> "User") = TRUE.
> [12/15/2014 13:45:23.106] ConnecteurAD PT: (if-src-attr
> 'adminDescription' not-equal "nm") = TRUE.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: (if-src-attr
> 'adminDescription' not-equal "rt") = TRUE.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Rule selected.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Applying rule 'attributs
> map'.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: * Action:
> do-set-dest-attr-value("displayName",class-name="User",token-src-attr("Given
> Name",class-name="User")+"
> "+token-src-attr("Surname",class-name="User")).
> [12/15/2014 13:45:23.107] ConnecteurAD PT:
> arg-string(token-src-attr("Given Name",class-name="User")+"
> "+token-src-attr("Surname",class-name="User"))
> [12/15/2014 13:45:23.107] ConnecteurAD PT:
> token-src-attr("Given Name",class-name="User")
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Token Value:
> "Christine".
> [12/15/2014 13:45:23.107] ConnecteurAD PT: token-text(" ")
> [12/15/2014 13:45:23.107] ConnecteurAD PT:
> token-src-attr("Surname",class-name="User")
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Token Value:
> "TEST".
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Arg Value:
> "Christine TEST".
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Action: do-if().
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Evaluating
> conditions.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: (if-op-attr
> 'NSCP:employeeNumber' match "^[0-9]*") = FALSE.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Performing else
> actions.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Action: do-if().
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Evaluating
> conditions.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: (if-op-attr
> 'NSCP:employeeNumber' match "^s[0-9]*") = FALSE.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Performing else
> actions.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Action:
> do-if().
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Evaluating
> conditions.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: (if-op-attr
> 'NSCP:employeeNumber' match "^p[0-9]*") = FALSE.*
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Performing
> else actions.
> [12/15/2014 13:45:23.107] ConnecteurAD PT:Policy returned:
> [12/15/2014 13:45:23.107] ConnecteurAD PT:
> <nds dtdversion="2.2">
> <source>
> <product build="20120330_120000"
> instance="\IDV\system\DriverSet\ConnecteurAD"
> version="4.0.0.0">AD</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <modify class-name="User" dest-dn="data\personnes\Christine
> TEST(4663)" dest-entry-id="92220"
> event-id="ConnecteurAD##14a4df6b0eb##0" src-dn="CN=Christine
> TEST(4663),OU=Utilisateurs_Actifs,OU=MYDOMAIN,DC=nim2012,DC=intra">
> <association>5d7a5eb62cb54642b4af29caf8495754</association>
> <modify-attr attr-name="departmentNumber">
> <remove-value>
> <value timestamp="1418646801#2" type="string">SAA</value>
> </remove-value>
> </modify-attr>
> <modify-attr attr-name="departmentNumber">
> <add-value>
> <value naming="false" type="string">SAA33</value>
> </add-value>
> </modify-attr>
> <operation-data AccountTracking-AppAccountStatus="-"
> AccountTracking-IdvAccountStatus="-"
> AccountTracking-LDAPDN="CN=Christine TEST
> (4663),OU=Utilisateurs_Actifs,OU=MYDOMAIN,DC=nim2012,DC=intra"
> AccountTracking-association="5d7a5eb62cb54642b4af29caf8495754"/>
> <modify-attr attr-name="displayName">
> <remove-all-values/>
> <add-value>
> <value type="string">Christine TEST</value>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> [12/15/2014 13:45:23.107] ConnecteurAD PT:Filtering out
> notification-only attributes.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Filtered out <modify-attr
> attr-name='displayName'>.
> [12/15/2014 13:45:23.107] ConnecteurAD PT:Pumping XDS to eDirectory.
> [12/15/2014 13:45:23.107] ConnecteurAD PT:Performing operation modify
> for data\personnes\Christine TEST (4663).
> [12/15/2014 13:45:23.107] ConnecteurAD PT:--JCLNT--
> \IDV\system\DriverSet\ConnecteurAD - Publisher : Duplicating : context =
> 65929325, tempContext = 65929311
> [12/15/2014 13:45:23.108] ConnecteurAD PT:Modifying entry
> data\personnes\Christine Abadie (4663).
> [12/15/2014 13:45:23.143] ConnecteurAD PT:--JCLNT--
> \IDV\system\DriverSet\ConnecteurAD - Publisher : Calling free on
> tempContext = 65929311
> [12/15/2014 13:45:23.143] ConnecteurAD PT:
> DirXML Log Event -------------------
> Driver: \IDV\system\DriverSet\ConnecteurAD
> Channel: Publisher
> Object: CN=Christine TEST
> (4663),OU=Utilisateurs_Actifs,OU=MYDOMAIN,DC=nim2012,DC=intra
> (data\personnes\Christine TEST (4663))
> Status: Success
>


But when the rule is executed, nothing happens in both attributes. They
don't change.

The displayName filter is set to notify (pub) / sync (sub) and
employeeType is set to sync both ways...

Am I doing something wrong? I tried with both directories' attribute
names...

Thanks again in advance,
Remi



Re: "If source attribute equals" doesn't work

remifournier wrote:

> But when the rule is executed, nothing happens in both attributes. They
> don't change.
>
> The displayName filter is set to notify (pub) / sync (sub) and
> employeeType is set to sync both ways...


ConnecteurAD PT:Filtering out notification-only attributes.
ConnecteurAD PT: Filtered out <modify-attr attr-name='displayName'>

You need to do one of the following (I suggest the first option)

1. set displayName directly (you can see this as an option in designer when you edit the set-dest-attr action)
2. change displayname to publisher sync
3. remove displayName from the filter entirely (or set it to publisher "none")
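
An added example, not part of any post in this thread: a small Python check over a publisher-channel trace that flags the two symptoms diagnosed in the replies above, a condition that still names an attribute schema mapping has already renamed, and a `modify-attr` dropped by the filter. The function names and the sample trace (assembled from lines quoted in the thread) are assumptions of this example.

```python
import re

# Line shapes below are taken from the DirXML trace quoted in this thread.
MAPPING = re.compile(r"Mapping attr-name\s+'([^']+)' to '([^']+)'")
CONDITION = re.compile(
    r"\(if-(?:src|op)-attr\s+'([^']+)'\s+(\S+)\s+\"([^\"]*)\"\)\s+=\s+(TRUE|FALSE)")
FILTERED = re.compile(r"Filtered out <modify-attr\s+attr-name='([^']+)'>")


def normalize(raw):
    """Drop forum quote markers and re-join trace lines wrapped by the forum."""
    lines = (re.sub(r"^\s*>\s?", "", line) for line in raw.splitlines())
    return " ".join(" ".join(lines).split())


def analyze_trace(raw):
    """Return findings, in trace order, for a publisher-channel trace.

    ("namespace", tested_name, mapped_name, op, value, result): a condition
        names an attribute that schema mapping had already renamed.
    ("filtered", name): a modify-attr was dropped by the driver filter.
    """
    text = normalize(raw)
    events = []
    for kind, rx in (("map", MAPPING), ("cond", CONDITION), ("filt", FILTERED)):
        events += [(m.start(), kind, m) for m in rx.finditer(text)]

    mapped = {}      # application-side name (lowercased) -> eDirectory name
    findings = []
    for _, kind, m in sorted(events, key=lambda e: e[0]):
        if kind == "map":
            if m.group(1).lower() != m.group(2).lower():
                mapped[m.group(1).lower()] = m.group(2)
        elif kind == "cond":
            # Reported whatever the result: in the thread's second trace a
            # not-equal test on the old name evaluated TRUE.
            target = mapped.get(m.group(1).lower())
            if target:
                findings.append(("namespace", m.group(1), target,
                                 m.group(2), m.group(3), m.group(4)))
        else:
            findings.append(("filtered", m.group(1)))
    return findings


# Constructed sample: individual lines copied from the traces quoted in the
# thread, including the forum's "> " markers and line wrapping.
SAMPLE = """\
> [12/08/2014 18:02:09.375] ConnecteurAD PT: Mapping attr-name
> 'adminDescription' to 'jackNumber'.
> [12/08/2014 18:02:09.376] ConnecteurAD PT: *(if-src-attr
> 'adminDescription' equal "rt") = FALSE.*
> [12/15/2014 13:45:23.106] ConnecteurAD PT: (if-src-attr
> 'jackNumber' equal "rt") = FALSE.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: (if-src-attr
> 'adminDescription' not-equal "nm") = TRUE.
> [12/15/2014 13:45:23.107] ConnecteurAD PT: Filtered out <modify-attr
> attr-name='displayName'>.
"""

if __name__ == "__main__":
    for finding in analyze_trace(SAMPLE):
        print(finding)
```

The condition on `jackNumber` is not reported, because it already uses the name the trace says the attribute was mapped to.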

Re: "If source attribute equals" doesn't work


alexmchugh;252072 Wrote:
>
>
> ConnecteurAD PT:Filtering out notification-only attributes.
> ConnecteurAD PT: Filtered out <modify-attr attr-name='displayName'>
>
> You need to do one of the following (I suggest the first option)
>
> 1. set displayName directly (you can see this as an option in designer
> when you edit the set-dest-attr action)
> 2. change displayname to publisher sync
> 3. remove displayName from the filter entirely (or set it to publisher
> "none")


Hi, I tried the first option and it works, thanks.

I have just one more question: how does the mapping work for the class
names? Is it the same as for attributes? I'm asking because I have some
rules that evaluate the object class, but I frequently have this kind of
trace:
> (if-class-name equal "user") = FALSE.


Knowing that I'm working with a user object, what do you think is not
good? (I always use a non-sensitive case rule, so User or user should be
equal, non?)


Thanks again,
Remi



Re: "If source attribute equals" doesn't work

remifournier wrote:

> > (if-class-name equal "user") = FALSE.

>
> Knowing that I'm working with a user object, what do you think is not
> good? (I always use a non-sensitive case rule, so User or user should be
> equal, non?)


Most likely this test is accidentally not case-insensitive. Designer changed
from a default case-INsensitive in earlier version to case-sensitive mode in
the latest releases and it's easy to miss changing compare mode sometimes.

Re: "If source attribute equals" doesn't work


Thanks,

I will take a look...
But concerning the mapping, it's the same as you had explained? I mean,
to evaluate the class names I have to use the same rules you explained
earlier?

- User for AD side of the mapping
- user for NIM side of the mapping



Re: "If source attribute equals" doesn't work

remifournier wrote:

> I will take a look...
> But concerning the mapping, it's the same as you had explained? I mean,
> to evaluate the class names I have to use the same rules you explained
> earlier?
>
> - User for AD side of the mapping
> - user for NIM side of the mapping


I think it was the other way round: "User" in Edir/ID Vault, "user" in AD.

Re: "If source attribute equals" doesn't work


Ok,

Thanks again. I will now continue my tests, hope it will work this time.
:rolleyes:



Re: "If source attribute equals" doesn't work

remifournier wrote:

> :rolleyes:


Details, details, details... 😉

Re: "If source attribute equals" doesn't work

remifournier wrote:

> I will take a look...
> But concerning the mapping, it's the same as you had explained? I mean,
> to evaluate the class names I have to use the same rules you explained
> earlier?
>
> - User for AD side of the mapping
> - user for NIM side of the mapping


Yes.

in application namespace you use "user" - input/output transform.

Everywhere else, you use "User"

That said, case insensitive should also work, you just need to make sure that you specify this in the rule:

<if-class-name mode="nocase" op="equal">user</if-class-name>

not

<if-class-name mode="case" op="equal">user</if-class-name>

You only see this if you look at the XML source code directly, or if you go in and edit the condition in Designer or iManager

Re: "If source attribute equals" doesn't work


alexmchugh;252072 Wrote:
> ConnecteurAD PT:Filtering out notification-only attributes.
> ConnecteurAD PT: Filtered out <modify-attr attr-name='displayName'>
>
> You need to do one of the following (I suggest the first option)
>
> 1. set displayName directly (you can see this as an option in designer
> when you edit the set-dest-attr action)
> 2. change displayname to publisher sync
> 3. remove displayName from the filter entirely (or set it to publisher
> "none")


Hi,

Sorry to come back to this subject, but I just noticed a little "bug" in
the process:
When I go through this rule, I'm actually doing a user creation, so when
I pass into this rule, it doesn't write the attributes (I think that's
because the user doesn't exist yet). It only does the update later, if I
do an update to the user. - *when using the 1st method*

Is it possible to delay this "writing" until after the user is
created? Now it's in the command strategies. If not, do you think it's
possible to delete this "filtering out" of the notification-only
attributes?

Thanks in advance,
Remi


EDIT : Sorry for the second login, it's always me 😮


--
MuadDib_II
------------------------------------------------------------------------
MuadDib_II's Profile: https://forums.netiq.com/member.php?userid=8754
View this thread: https://forums.netiq.com/showthread.php?t=52385
