So,
Reciprocal was a no go since I'm in the subscriber channel.

I get a dn attribute changing on the user object and want to write the
user dn in the member attribute of the Group.
I have synchronization of the group so there is an association but since
the group on IDV side is a dynamic Group it cannot sync the members.
This leads to the synchronization of the User, I have a dn attribute on
the user "dynamicGroupDN" that is mapped to the groupMembership in the
LDAP server, works good.

Now I need to write the member attribute of the group object when that
attribute changes on the User.

This is the rule I tried with:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "/opt/idm-designer/plugins/com.novell.idm.policybuilder_4.0.0.201210161153/DTD/dirxmlscript4.0.2.dtd">
<policy>
  <rule>
    <description>add/remove member of Group when dynamicGroupDN changing</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-op-attr name="dynamicGroupDN" op="changing"/>
      </and>
    </conditions>
    <actions>
      <do-if>
        <arg-conditions>
          <and>
            <if-op-attr mode="regex" name="dynamicGroupDN" op="equal">.*</if-op-attr>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-add-dest-attr-value class-name="Group" direct="true" name="Member">
            <arg-dn>
              <token-op-attr name="dynamicGroupDN"/>
            </arg-dn>
            <arg-value type="dn">
              <token-src-dn/>
            </arg-value>
          </do-add-dest-attr-value>
        </arg-actions>
        <arg-actions>
          <do-remove-dest-attr-value class-name="Group" name="Member" when="after">
            <arg-dn>
              <token-removed-attr name="dynamicGroupDN"/>
            </arg-dn>
            <arg-value type="dn">
              <token-src-dn convert="false"/>
            </arg-value>
          </do-remove-dest-attr-value>
        </arg-actions>
      </do-if>
    </actions>
  </rule>
</policy>

and result is this trace:

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20121121131559.578Z" class-name="User"
event-id="intdirectory01#20121121131556#1#4:f01bbf2e-a931-4ad3-7bba-2ebf1bf031a9"
qualified-src-dn="O=data\OU=users\OU=internal\CN=TestUser"
src-dn="\Test-tree\data\users\internal\TestUser" src-entry-id="104548"
timestamp="1353503759#2">
<association
state="associated">21820DBB8362854FA99721820DBB8362</association>
<modify-attr attr-name="dynamicGroupDN">
<add-value>
<value timestamp="1353503759#2"
type="dn">\Test-tree\data\groups\TestGroup</value>
</add-value>
</modify-attr>
</modify>
<modify class-name="dynamicGroup"
dest-dn="\Test-tree\data\groups\TestGroup"
event-id="intdirectory01#20121121131556#1#4:f01bbf2e-a931-4ad3-7bba-2ebf1bf031a9">
<modify-attr attr-name="Member">
<add-value>
<value
type="dn">\Test-tree\data\users\internal\TestUser</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[11/21/12 14:15:59.692]:BiDirec Directory ST:Filtering out
notification-only attributes.
[11/21/12 14:15:59.692]:BiDirec Directory ST:Fixing up association
references.
[11/21/12 14:15:59.693]:BiDirec Directory ST:Applying schema mapping
policies to output.
[11/21/12 14:15:59.693]:BiDirec Directory ST:Applying policy:
%+C%14CNOVLEDIR2DFC-smp%-C.
[11/21/12 14:15:59.693]:BiDirec Directory ST: Mapping attr-name
'dynamicGroupDN' to 'groupMembership'.
[11/21/12 14:15:59.693]:BiDirec Directory ST: Mapping attr-name
'Member' to 'uniqueMember'.
[11/21/12 14:15:59.693]:BiDirec Directory ST: Mapping class-name 'User'
to 'inetOrgPerson'.
[11/21/12 14:15:59.693]:BiDirec Directory ST: Mapping class-name
'dynamicGroup' to 'groupOfNames'.
[11/21/12 14:15:59.694]:BiDirec Directory ST:Applying output
transformation policies.
[11/21/12 14:15:59.694]:BiDirec Directory ST:Applying policy:
%+C%14CNOVLPWDSYNC-otp-EmailOnFailedPwdPub%-C.
[11/21/12 14:15:59.694]:BiDirec Directory ST: Applying to modify #1.
[11/21/12 14:15:59.694]:BiDirec Directory ST: Evaluating selection
criteria for rule 'Send e-mail for a failed publish password
operation'.
[11/21/12 14:15:59.694]:BiDirec Directory ST: (if-global-variable
'notify-user-on-password-dist-failure' equal "true") = TRUE.
[11/21/12 14:15:59.694]:BiDirec Directory ST: (if-operation equal
"status") = FALSE.
[11/21/12 14:15:59.694]:BiDirec Directory ST: Rule rejected.
[11/21/12 14:15:59.694]:BiDirec Directory ST: Applying to modify #2.
[11/21/12 14:15:59.695]:BiDirec Directory ST: Evaluating selection
criteria for rule 'Send e-mail for a failed publish password
operation'.
[11/21/12 14:15:59.695]:BiDirec Directory ST: (if-global-variable
'notify-user-on-password-dist-failure' equal "true") = TRUE.
[11/21/12 14:15:59.695]:BiDirec Directory ST: (if-operation equal
"status") = FALSE.
[11/21/12 14:15:59.695]:BiDirec Directory ST: Rule rejected.
[11/21/12 14:15:59.695]:BiDirec Directory ST:Policy returned:
[11/21/12 14:15:59.695]:BiDirec Directory ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20121121131559.578Z" class-name="inetOrgPerson"
event-id="intdirectory01#20121121131556#1#4:f01bbf2e-a931-4ad3-7bba-2ebf1bf031a9"
qualified-src-dn="O=data\OU=users\OU=internal\CN=TestUser"
src-dn="\Test-tree\data\users\internal\TestUser" src-entry-id="104548"
timestamp="1353503759#2">
<association
state="associated">21820DBB8362854FA99721820DBB8362</association>
<modify-attr attr-name="groupMembership">
<add-value>
<value association-ref="1C0F615BA8AF21449B821C0F615BA8AF"
timestamp="1353503759#2"
type="dn">\Test-tree\data\groups\TestGroup</value>
</add-value>
</modify-attr>
</modify>
<modify class-name="groupOfNames"
dest-dn="\Test-tree\data\groups\TestGroup"
event-id="intdirectory01#20121121131556#1#4:f01bbf2e-a931-4ad3-7bba-2ebf1bf031a9">
<modify-attr attr-name="uniqueMember">
<add-value>
<value association-ref="21820DBB8362854FA99721820DBB8362"
type="dn">\Test-tree\data\users\internal\TestUser</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[11/21/12 14:15:59.697]:BiDirec Directory ST:Submitting document to
subscriber shim:
[11/21/12 14:15:59.697]:BiDirec Directory ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20121121131559.578Z" class-name="inetOrgPerson"
event-id="intdirectory01#20121121131556#1#4:f01bbf2e-a931-4ad3-7bba-2ebf1bf031a9"
qualified-src-dn="O=data\OU=users\OU=internal\CN=TestUser"
src-dn="\Test-tree\data\users\internal\TestUser" src-entry-id="104548"
timestamp="1353503759#2">
<association
state="associated">21820DBB8362854FA99721820DBB8362</association>
<modify-attr attr-name="groupMembership">
<add-value>
<value association-ref="1C0F615BA8AF21449B821C0F615BA8AF"
timestamp="1353503759#2"
type="dn">\Test-tree\data\groups\TestGroup</value>
</add-value>
</modify-attr>
</modify>
<modify class-name="groupOfNames"
dest-dn="\Test-tree\data\groups\TestGroup"
event-id="intdirectory01#20121121131556#1#4:f01bbf2e-a931-4ad3-7bba-2ebf1bf031a9">
<modify-attr attr-name="uniqueMember">
<add-value>
<value association-ref="21820DBB8362854FA99721820DBB8362"
type="dn">\Test-tree\data\users\internal\TestUser</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[11/21/12 14:15:59.699]:BiDirec Directory ST:BiDirec Directory: LDAP
Modify: cn=TestUser,ou=P0,ou=users,o=data
LDAPModification: (operation=add,(LDAPAttribute:
{type='groupMembership', value='cn=TestGroup,ou=groups,o=data'}))
[11/21/12 14:15:59.707]:BiDirec Directory ST:BiDirec Directory:
EDIRSub.performModifyOperation() No association key for modification
operation.
[11/21/12 14:15:59.707]:BiDirec Directory ST:SubscriptionShim.execute()
returned:
[11/21/12 14:15:59.707]:BiDirec Directory ST:
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product instance="BiDirec Directory" version="4.0.1.0">Identity
Manager Bi-directional Driver for eDirectory</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status
event-id="intdirectory01#20121121131556#1#4:f01bbf2e-a931-4ad3-7bba-2ebf1bf031a9"
level="success"/>
<status
event-id="intdirectory01#20121121131556#1#4:f01bbf2e-a931-4ad3-7bba-2ebf1bf031a9"
level="error">No association key for modification operation.</status>
</output>
</nds>


It is quite obvious that I don't have the association record for the
group modify, should be something like this:
<association
state="associated">1C0F615BA8AF21449B821C0F615BA8AF</association>

How do I get that in there? Or do I need to do this as two different
<input> documents? How would I do that?

I'm blaming my cold that I can't think properly right now


--
joakim_ganse
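
Added example (not part of the original post, and not NetIQ code): a Python check over the document from the trace that lists each modify command with no <association> child, the condition the shim rejects with "No association key for modification operation", and looks up an association-ref recorded for the same DN elsewhere in that document. The function name and the trimmed sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the document submitted to the subscriber shim in the
# trace above, trimmed to the elements and attributes this check reads.
XDS_DOC = r"""<nds dtdversion="4.0" ndsversion="8.x">
  <input>
    <modify class-name="inetOrgPerson" src-dn="\Test-tree\data\users\internal\TestUser">
      <association state="associated">21820DBB8362854FA99721820DBB8362</association>
      <modify-attr attr-name="groupMembership">
        <add-value><value association-ref="1C0F615BA8AF21449B821C0F615BA8AF" type="dn">\Test-tree\data\groups\TestGroup</value></add-value>
      </modify-attr>
    </modify>
    <modify class-name="groupOfNames" dest-dn="\Test-tree\data\groups\TestGroup">
      <modify-attr attr-name="uniqueMember">
        <add-value><value association-ref="21820DBB8362854FA99721820DBB8362" type="dn">\Test-tree\data\users\internal\TestUser</value></add-value>
      </modify-attr>
    </modify>
  </input>
</nds>"""


def modifies_without_association(xds_text):
    """Return one finding per <modify> under <input> that carries no association key."""
    root = ET.fromstring(xds_text)
    # Index every DN-valued <value> that has an association-ref, keyed by the
    # DN text (compared case-insensitively), so a key for the same object can
    # be suggested when a command is missing its own <association>.
    ref_by_dn = {}
    for value in root.iter("value"):
        ref = value.get("association-ref")
        if ref and value.text:
            ref_by_dn[value.text.strip().lower()] = ref
    findings = []
    for cmd in root.findall("./input/modify"):
        assoc = cmd.find("association")
        if assoc is not None and (assoc.text or "").strip():
            continue  # command is keyed, the shim can address the object
        dn = cmd.get("dest-dn", "")
        findings.append({
            "class_name": cmd.get("class-name"),
            "dest_dn": dn,
            "candidate_association": ref_by_dn.get(dn.strip().lower()),
        })
    return findings


if __name__ == "__main__":
    for finding in modifies_without_association(XDS_DOC):
        print(finding)
```

The candidate is only a lookup inside the same document; it is reported when some value pointing at the same DN already carries an association-ref, as the user's groupMembership value does in the trace.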