Verifying object location in AD tree

Dirxml 2.0
Edir <-> AD sync.

I am doing some specific tree structure modifications between AD and
Edir. So, I need to know if a user object that exists in an Edir
location exists in a particular location in AD or not. If not, then I
need to move the AD object to that location.

The if-src-dn rule evaluates correctly (I see this on the debug
output), but the if-dest-dn always returns true. That means that the
rule always executes if I just modify a user in any way in that ou.

Obviously the if-dest-dn side is my AD tree.

Any thoughts on how I can fix this?

My current rule code looks like this:

<rule>
	<description>Move User to Phoenix OU</description>
	<conditions>
		<and>
			<if-class-name op="equal">user</if-class-name>
			<if-operation op="equal">modify</if-operation>
			<if-src-dn op="available"/>
			<if-src-dn op="in-subtree">LewisAndRoca\Phoenix</if-src-dn>
			<if-dest-dn op="not-in-subtree">ou=users,ou=phoenix,ou=lewisandroca,dc=lrlaw,dc=com</if-dest-dn>
		</and>
	</conditions>
	<actions>
		<do-move-dest-object when="after">
			<arg-dn>
				<token-text xml:space="preserve">ou=users,ou=phoenix,ou=lewisandroca,dc=lrlaw,dc=com</token-text>
			</arg-dn>
		</do-move-dest-object>
	</actions>
</rule>




0
Steven
2/1/2006 7:24:58 PM
novell.id-manager.drivers

if-dest-dn operates only on the dest-dn attribute in the current 
operation, which on the subscriber channel is usually only populated by 
the placement policy on an add and usually not present at all on any 
other operation. In order to get the destination dn from the 
application, you currently have to use an XPATH expression to call the 
destination query processor to read the object and extract the dn from 
it, though I think AD has a pseudo attribute called DN so you may be 
able to use if-dest-attr to query and test it.

--

Father Ramon


0
Father
2/1/2006 7:59:10 PM
This rule is indeed in the subscriber channel in the command transform
policy.

Can you give me some code examples?

Or, point me to some?


On Wed, 01 Feb 2006 19:59:10 GMT, Father Ramon <devforums@novell.com>
wrote:

>if-dest-dn operates only on the dest-dn attribute in the current 
>operation, which on the subscriber channel is usually only populated by 
>the placement policy on an add and usually not present at all on any 
>other operation. In order to get the destination dn from the 
>application, you currently have to use an XPATH expression to call the 
>destination query processor to read the object and extract the dn from 
>it, though I think AD has a pseudo attribute called DN so you may be 
>able to use if-dest-attr to query and test it.
0
Steven
2/1/2006 8:10:43 PM
Try changing:

<if-dest-dn op="not-in-subtree">ou=users,ou=phoenix,ou=lewisandroca,dc=lrlaw,dc=com</if-dest-dn>

to

<if-dest-attr name="dn" op="not-equal" mode="regex">.*ou=users,ou=phoenix,ou=lewisandroca,dc=lrlaw,dc=com</if-dest-attr>
--

Father Ramon


Steven Stringham wrote:
> This rule is indeed in the subscriber channel in the command transform
> policy.
> 
> Can you give me some code examples?
> 
> Or, point me to some?
> 
> 
> On Wed, 01 Feb 2006 19:59:10 GMT, Father Ramon <devforums@novell.com>
> wrote:
> 
>> if-dest-dn operates only on the dest-dn attribute in the current 
>> operation, which on the subscriber channel is usually only populated by 
>> the placement policy on an add and usually not present at all on any 
>> other operation. In order to get the destination dn from the 
>> application, you currently have to use an XPATH expression to call the 
>> destination query processor to read the object and extract the dn from 
>> it, though I think AD has a pseudo attribute called DN so you may be 
>> able to use if-dest-attr to query and test it.
0
Father
2/1/2006 9:56:17 PM
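
An added example, not part of either poster's messages and not the DirXML engine's code: a small Python model of the two conditions discussed in this thread, showing why the dest-dn test fires on every modify while the test on the DN read back from AD does not. The sample event, the tree name TREE, the user jdoe, the Tucson OU, and the whole-value, case-insensitive regex match are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

TARGET_OU = "ou=users,ou=phoenix,ou=lewisandroca,dc=lrlaw,dc=com"

# Constructed subscriber-channel modify event: src-dn is set, dest-dn is not.
MODIFY_EVENT = ET.fromstring(
    '<modify class-name="user" src-dn="\\TREE\\LewisAndRoca\\Phoenix\\jdoe">'
    '<modify-attr attr-name="telephoneNumber"/></modify>'
)

def in_subtree(dn, base):
    """Case-insensitive check that an LDAP-style dn is at or below base."""
    def norm(s):
        return ",".join(part.strip() for part in s.lower().split(","))
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)

def original_condition(event):
    """Model of if-dest-dn op="not-in-subtree": it sees only the event's dest-dn."""
    dest_dn = event.get("dest-dn")
    if dest_dn is None:
        # The usual case on a modify, per the thread: no dest-dn to find in
        # the subtree, so "not in subtree" holds and the rule fires.
        return True
    return not in_subtree(dest_dn, TARGET_OU)

def suggested_condition(queried_dn):
    """Model of if-dest-attr name="dn" op="not-equal" mode="regex",
    applied to the DN read back from AD."""
    pattern = ".*" + TARGET_OU  # pattern text as given in the reply
    # Assumption: the pattern must match the whole value, ignoring case.
    flags = re.IGNORECASE | re.DOTALL
    return re.fullmatch(pattern, queried_dn, flags) is None

def rule_fires(queried_dn, event=MODIFY_EVENT):
    """Return (original rule fires, suggested rule fires) for one AD user."""
    return original_condition(event), suggested_condition(queried_dn)

# Constructed AD DNs: one already under the Phoenix users OU, one elsewhere.
ALREADY_PLACED = "CN=jdoe,OU=Users,OU=Phoenix,OU=LewisAndRoca,DC=lrlaw,DC=com"
ELSEWHERE = "CN=jdoe,OU=Users,OU=Tucson,OU=LewisAndRoca,DC=lrlaw,DC=com"

if __name__ == "__main__":
    for dn in (ALREADY_PLACED, ELSEWHERE):
        print(dn, rule_fires(dn))
```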