



Getting to the src-dn from an output document

Fri, 09 May 2008 04:24:37 GMT
During a move user operation in an AD driver, I want to remove a user's
group memberships.  So I request the memberOf attribute from AD to get the
list of groups so I can remove the memberships from the groups.  I get back
a document like this:

<nds dtdversion="1.1" ndsversion="8.7">
  <source>
    <product asn1id="" build="20080229_143300" instance="AD" version="3.5.2">AD</product>
    <contact>Novell, Inc.</contact>
  </source>
  <output>
    <instance class-name="user" event-id="0" src-dn="CN=blah,OU=USERS,OU=something,DC=,DC=blah,DC=com">
      <association>c82d3459eefc634a8ab1f38c4616e0df</association>
      <attr attr-name="memberOf">
        <value association-ref="5fd0e71d5eafa94b968db74e725ed5be" naming="true" type="dn">CN=TestGroup2,OU=Groups,OU=something,DC=,DC=blah,DC=com</value>
        <value association-ref="118b8eeb159c444dbcb32eb1141f43e7" naming="true" type="dn">CN=TestGroup1,OU=Groups,OU=something,DC=,DC=blah,DC=com</value>
      </attr>
    </instance>
    <status event-id="0" level="success"/>
  </output>
</nds>


Which I can then do a for-each to step through the groups and individually
remove the membership.  The problem I have is that in the move event, I
don't have the user's DN in AD, which I need to remove the group memberships
(the DNs between eDir and AD don't match).  Is there any way I can get to
it with XPath from the output above?  Or is there another way I can get the
user's DN in AD easily (Destination DN returns nothing since it is a move
event).

This is the action I'm trying to build:

			<do-for-each>
				<arg-node-set>
					<token-dest-attr name="memberOf"/>
				</arg-node-set>
				<arg-actions>
					<do-remove-dest-attr-value class-name="Group" name="member" when="after">
						<arg-dn>
							<token-local-variable name="current-node"/>
						</arg-dn>
						<arg-value>
							<token-text xml:space="preserve">NEED AD DN HERE!</token-text>
						</arg-value>
					</do-remove-dest-attr-value>
				</arg-actions>
			</do-for-each>


Thanks.

Matt


Re: Getting to the src-dn from an output document
Fri, 09 May 2008 07:36:01 GMT
Use the query token to read the whole instance into a nodeset variable, then
$myvar/@src-dn will give you what you're looking for. To loop over the memberOf
values, use $myvar/attr[@attr-name="memberOf"]/value/text() instead of
the token-dest-attr in the action above (or leave it as it is and let IDM
perform the query twice).

Cheers, Lothar
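
The two selections from the reply above, evaluated outside the engine on a query result shaped like the one in the question. This is an added example, not code from the thread or from Novell. Python's ElementTree stands in for the policy engine's XPath, and the helper name, the constructed sample DNs and the guard checks (success status, exactly one instance, matching association) are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed query result modelled on the document in the thread (placeholder DNs).
QUERY_RESULT = """<nds dtdversion="1.1" ndsversion="8.7">
 <output>
  <instance class-name="user" event-id="0"
            src-dn="CN=blah,OU=USERS,OU=something,DC=blah,DC=com">
   <association>c82d3459eefc634a8ab1f38c4616e0df</association>
   <attr attr-name="memberOf">
    <value type="dn">CN=TestGroup2,OU=Groups,OU=something,DC=blah,DC=com</value>
    <value type="dn">CN=TestGroup1,OU=Groups,OU=something,DC=blah,DC=com</value>
   </attr>
  </instance>
  <status event-id="0" level="success"/>
 </output>
</nds>"""


def membership_removals(xds_text, expected_association):
    """Return (group_dn, member_dn) pairs; raise ValueError if the result is unsafe to act on.

    Hypothetical helper: the guard checks are assumptions of this example.
    """
    output = ET.fromstring(xds_text).find("output")
    if output is None:
        raise ValueError("no <output> element in query result")
    status = output.find("status")
    if status is None or status.get("level") != "success":
        raise ValueError("query did not report success")
    instances = output.findall("instance")  # the node-set $myvar would hold
    if len(instances) != 1:
        raise ValueError(f"expected one instance, got {len(instances)}")
    user = instances[0]
    if user.findtext("association") != expected_association:
        raise ValueError("instance does not carry the expected association")
    member_dn = user.get("src-dn")  # $myvar/@src-dn
    if not member_dn:
        raise ValueError("instance has no src-dn")
    # $myvar/attr[@attr-name="memberOf"]/value/text(); ElementTree has no
    # text() step, so the element text is read with .text instead.
    values = user.findall("attr[@attr-name='memberOf']/value")
    groups = [v.text.strip() for v in values if v.text and v.text.strip()]
    return [(group_dn, member_dn) for group_dn in groups]


if __name__ == "__main__":
    for group_dn, member_dn in membership_removals(
            QUERY_RESULT, "c82d3459eefc634a8ab1f38c4616e0df"):
        print(f"remove member={member_dn!r} from {group_dn!r}")
```

Each returned pair corresponds to one do-remove-dest-attr-value call: the group DN goes in arg-dn and the user's AD DN in arg-value.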
Re: Getting to the src-dn from an output document
Fri, 09 May 2008 10:01:25 GMT
Use the Resolve token.

-Father Ramon


Re: Getting to the src-dn from an output document
Fri, 09 May 2008 15:50:05 GMT
I was thinking along the lines of Lothar's suggestion myself when I posted,
but using Resolve is so much simpler! For some reason, I thought that it
would only give me the eDir DN, not the AD DN.  But I just used it and said
Datastore: Destination and presto, it worked!  Thanks!

Matt



Re: Getting to the src-dn from an output document
Fri, 09 May 2008 20:15:59 GMT
Prior to IDM 3.5, Lothar's solution or something even more convoluted 
would have been required.

-Father Ramon

