Build details:

Identity Manager Version 3.7.0 Patch G
Build Revision 38716

I have a no-approval workflow here that used to work correctly, now
doesn't, since patch G. I was on F, previously, and while I haven't yet
gone back to that to verify, I'm pretty sure it worked correctly there as

This workflow has a simple form with one text entry box. Its purpose is
to allow the currently logged in user to request a new email address.
There is an onload event used to set up a validation script that is used
to check the requested email address to verify that it is reasonably well
formatted and not already in use. form.showError() is used to block form
submission until the validation passes.

Here's the ECMAScript:

form.addCustomValidation("RequestedAlias", "after", function () {


if (v.length <= 9)
form.showError("Email alias too short.");


if (vv[1] != "")
form.showError("Email alias must be");

var pattern=/[^a-z0-9-_.]/;
if ( pattern.test(vv[0]) )
form.showError("Email alias contains invalid characters.");

var val="";
val=IDVault.globalQuery(null,"EmailAliasQuery",{"qalias":field.getValue()});
if(val.length > 0 && val[0].length > 0 && val[0][0] != "") {
// use the showError to stop the submitting of the form if the
// requested email alias is a duplicate
form.showError("Email alias already in use.");

var val1="";
val1=IDVault.globalQuery(null,"EmailCNQuery",{"qalias":field.getValue()});
if(val1.length > 0 && val1[0].length > 0 && val1[0][0] != "") {
// use the showError to stop the submitting of the form if the
// requested email alias is a duplicate of an existing object CN
form.showError("Email alias may not be the same as an existing


The validation script works _unless_ a found user object is hidden from
RBPM (srvprvHideUser is True). Then it fails.

I set up a test with email address (mailLocalAddress) I see
the LDAP search that RBPM is doing:

11:05:19 42018940 LDAP: Search request:
base: "O=NIU"
scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectClass=inetOrgPerson)(mailLocalAddress=te"
attribute: "srvprvHideUser"
attribute: "srvprvHideAttributes"
attribute: "modifyTimeStamp"
attribute: "objectClass"
11:05:19 42018940 LDAP: nds_back_search: Search Control OID

and I see the search results successfully found a user object where the
filter is true:

11:05:19 42018940 LDAP: Sending search result entry
"cn=XXXXXXXXXXX,ou=Users,o=NIU" to connection 0xd8cbc00
11:05:19 42018940 LDAP: Sending operation result 0:"":"" to connection

at which point what should happen is that this:

form.showError("Email alias already in use.");

should stop the form from being submitted. But it doesn't. The form is
submitted, the workflow runs, and away we go.

Looking at the user object it found, srvprvHideUser is True:

dn: cn=XXXXXXXXXXX,ou=Users,o=NIU
srvprvHideUser: TRUE

It looks to me like the LDAP search is correct, and the returned results
are correct, but I see RBPM requesting additional attributes, including
srvprvHideUser. It looks to me like RBPM is filtering the search results
before returning them to me. I don't think it used to do this. More
importantly, I need it _not_ to do this.

One additional commentary: the RBPM shouldn't have to do the work of
filtering search results. If you don't want to find objects where
srvprvHideUser is true, then change the search filter to exclude those
objects, like:


I see that there's a patch "H" available, and I'll try that next, but
since I don't see this documented in the readme for any of the patch
versions for RBPM 3.70, I don't know when it was introduced, or whether
or not patch H will fix it.


David Gersic
Knowledge Partner

Please post questions in the forums. No support provided via email.
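
A small model of the behaviour described in this post, added here as an illustration and not taken from the poster's workflow or from RBPM itself: it compares the uniqueness check through an unfiltered view and through a view that drops srvprvHideUser entries after the search, and reports the aliases on which the two disagree. The directory entries, ldapSearch, globalQuery, the hideFilter option and the row/column result shape are all assumptions made for the example.

```javascript
// Constructed sample entries (not from the original post). The attribute
// names mailLocalAddress and srvprvHideUser are the ones the post mentions.
const DIRECTORY = [
  { cn: "visible1", mailLocalAddress: "taken-visible@example.org", srvprvHideUser: false },
  { cn: "hidden1",  mailLocalAddress: "taken-hidden@example.org",  srvprvHideUser: true  },
];

// Hypothetical stand-in for the directory search: match on mailLocalAddress only.
function ldapSearch(alias) {
  return DIRECTORY.filter((e) => e.mailLocalAddress === alias);
}

// Hypothetical stand-in for the query layer. With hideFilter on, entries flagged
// srvprvHideUser are dropped after the search, which is what the post suspects.
function globalQuery(alias, { hideFilter }) {
  const hits = ldapSearch(alias);
  const kept = hideFilter ? hits.filter((e) => !e.srvprvHideUser) : hits;
  // Assumed result shape: rows of columns, indexed as val[0][0] in the post's script.
  return kept.map((e) => [e.cn]);
}

// Same emptiness test the post's validation script applies to the query result.
function aliasInUse(val) {
  return val.length > 0 && val[0].length > 0 && val[0][0] !== "";
}

// Aliases for which the duplicate check answers differently depending on
// whether hidden entries were filtered out of the result.
function findBlindSpots(aliases) {
  return aliases.filter(
    (a) =>
      aliasInUse(globalQuery(a, { hideFilter: false })) !==
      aliasInUse(globalQuery(a, { hideFilter: true }))
  );
}

console.log(findBlindSpots(DIRECTORY.map((e) => e.mailLocalAddress)));
```

Any alias this returns is one the form-side check would accept even though a directory object already holds it.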