So I've been testing various scenarios with boolean attributes and found
that Rob's generic multi-to-single value rule didn't work properly.

Below is my fixed version. Can anyone find fault with the two new XPath
statements I added?

Fix #1 Use the IDM3.6+ document token to read app schema. (not really a
fix, rather a modernisation)
From:
Code:
--------------------
<do-set-local-variable name="APP-SCHEMA" scope="driver">
  <arg-node-set>
    <token-xml-parse notrace="true">
      <token-base64-decode notrace="true">
        <token-src-attr name="DirXML-ApplicationSchema" notrace="true">
          <arg-dn>
            <token-global-variable name="dirxml.auto.driverdn"/>
          </arg-dn>
        </token-src-attr>
      </token-base64-decode>
    </token-xml-parse>
  </arg-node-set>
</do-set-local-variable>
--------------------


To:
Code:
--------------------
<do-set-local-variable name="APP-SCHEMA" notrace="true" scope="driver">
  <arg-node-set>
    <token-document>
      <arg-string>
        <token-text xml:space="preserve">vnd.nds.stream:</token-text>
        <token-text xml:space="preserve">/</token-text>
        <token-parse-dn dest-dn-delims="00,/+=*\" dest-dn-format="custom" src-dn-format="slash">
          <token-global-variable name="dirxml.auto.driverdn"/>
        </token-parse-dn>
        <token-text xml:space="preserve">#</token-text>
        <token-text xml:space="preserve">DirXML-ApplicationSchema</token-text>
      </arg-string>
    </token-document>
  </arg-node-set>
</do-set-local-variable>
--------------------


Fix #2 Don't attempt to rewrite a clear destination attribute operation

From:
Code:
--------------------
<token-xpath expression=".//@attr-name"/>
--------------------

To:
Code:
--------------------
<token-xpath expression=".//@attr-name[not(../remove-all-values and not(../add-value))]"/>
--------------------


Fix #3 (When converting an attribute from MV to SV, preserve type
[string, dn, state etc])

Code:
--------------------
<do-set-local-variable name="TYPE" scope="policy">
  <arg-string>
    <token-xpath expression="(.//@type[ancestor-or-self::*[@attr-name=$current-node]])[1]"/>
  </arg-string>
</do-set-local-variable>
--------------------


I'm unsure if I need to explicitly select the first node when using a
"string" local variable rather than "nodeset". I'd expect that multiple
nodes would be concatenated together when returned as a string, but I
didn't see that in my testing.

Fix #4 Exclude structured values from MV to SV conversion; these are
mangled by the current rule

From:
Code:
--------------------
<token-xpath expression=".//@attr-name[not(../remove-all-values and not(../add-value))]"/>
--------------------


To:
Code:
--------------------
<token-xpath expression=".//@attr-name[not(../remove-all-values and not(../add-value)) and not(..//@type='structured')]"/>
--------------------


Anyone else played with this (fantastic) piece of code and found/fixed
any bugs?

Here's the complete fixed rule.

Code:
--------------------
<rule>
  <description>Handle Multi-to-single valued conversions</description>
  <comment xml:space="preserve">Generic Rule which reads the saved application (connected system) schema and determines if it needs to take only the first value from a multi-valued eDirectory attribute.
To use this rule you must first run the "refresh application schema" option under Designer's Live menu. Don't rely on the "baseline schema" often bundled with a driver. This is usually outdated and almost certainly will not reflect your specific deployment.

NOTE: Not all drivers support the &lt;query-schema> command, most notably, eDir2eDir drivers do not.

This generically handles the MV to SV attr problem. Handles inherited attributes also. So the object class User in AD, for example, does not always contain all the attributes. Sometimes they are inherited from other classes. Like physicalDeliveryOfficeName is not in User, rather it inherits from Organization.

Based on: https://www.netiq.com/communities/co...a-enforcement/ by Rob Rawson
Changes (Alex McHugh)
1. Uses document token to read schema (IDM3.6+)
2. Don't attempt to rewrite a clear destination attribute operation
3. Preserves the value type (string, dn, state etc) when converting multi-to-single valued
4. Exclude values of type structured (as the existing rule can't really handle these)</comment>
  <conditions>
    <or>
      <if-operation mode="regex" op="equal">add|modify</if-operation>
    </or>
  </conditions>
  <actions>
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable name="APP-SCHEMA" op="not-available"/>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-local-variable name="APP-SCHEMA" notrace="true" scope="driver">
          <arg-node-set>
            <token-document>
              <arg-string>
                <token-text xml:space="preserve">vnd.nds.stream:</token-text>
                <token-text xml:space="preserve">/</token-text>
                <token-parse-dn dest-dn-delims="00,/+=*\" dest-dn-format="custom" src-dn-format="slash">
                  <token-global-variable name="dirxml.auto.driverdn"/>
                </token-parse-dn>
                <token-text xml:space="preserve">#</token-text>
                <token-text xml:space="preserve">DirXML-ApplicationSchema</token-text>
              </arg-string>
            </token-document>
          </arg-node-set>
        </do-set-local-variable>
      </arg-actions>
      <arg-actions/>
    </do-if>
    <do-for-each>
      <arg-node-set>
        <token-xpath expression=".//@attr-name[not(../remove-all-values and not(../add-value)) and not(..//@type='structured')]"/>
      </arg-node-set>
      <arg-actions>
        <do-set-local-variable name="ATTR-DEF" notrace="true" scope="policy">
          <arg-node-set>
            <token-xpath expression="$APP-SCHEMA/schema-def/class-def/attr-def[@attr-name=$current-node]"/>
          </arg-node-set>
        </do-set-local-variable>
        <do-set-local-variable name="MULTI-VALUED" scope="policy">
          <arg-string>
            <token-xpath expression="$ATTR-DEF[1]/@multi-valued"/>
          </arg-string>
        </do-set-local-variable>
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable mode="nocase" name="MULTI-VALUED" op="equal">false</if-local-variable>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-set-local-variable name="VALUE" scope="policy">
              <arg-string>
                <token-op-attr name="$current-node$"/>
              </arg-string>
            </do-set-local-variable>
            <do-set-local-variable name="TYPE" scope="policy">
              <arg-string>
                <token-xpath expression="(.//@type[ancestor-or-self::*[@attr-name=$current-node]])[1]"/>
              </arg-string>
            </do-set-local-variable>
            <do-strip-op-attr name="$current-node$"/>
            <do-set-dest-attr-value name="$current-node$">
              <arg-value type="$TYPE$">
                <token-local-variable name="VALUE"/>
              </arg-value>
            </do-set-dest-attr-value>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
--------------------


alexmchugh's Profile: https://forums.netiq.com/member.php?userid=461
View this thread: https://forums.netiq.com/showthread.php?t=48674
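
Added example (not part of the original post, and not code from Rob Rawson or NetIQ): a small Java harness that runs the post's Fix #2/#4 selection XPath and the Fix #3 TYPE XPath against a constructed <modify> event, evaluating TYPE both with and without the trailing [1] as a string. XPath 1.0 converts a node-set to a string by taking the string-value of the first node in document order. Assumptions: the JDK's built-in XPath 1.0 engine stands in for the IDM policy engine, $current-node is supplied as a plain string, and the class name, sample event and DN are made up for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class MvToSvXPathCheck {
    // Constructed sample <modify> event (not from a real driver trace).
    static final String EVENT =
        "<modify class-name='User'>"
      // Replace-all with two values: a candidate for MV-to-SV handling.
      + "<modify-attr attr-name='Telephone Number'><remove-all-values/><add-value>"
      + "<value type='string'>555-0100</value><value type='string'>555-0101</value>"
      + "</add-value></modify-attr>"
      // Pure clear (remove-all-values, no add-value): the case Fix #2 targets.
      + "<modify-attr attr-name='Description'><remove-all-values/></modify-attr>"
      // Structured value: the case Fix #4 targets.
      + "<modify-attr attr-name='Facsimile Telephone Number'><add-value>"
      + "<value type='structured'><component name='faxNumber'>555-0199</component></value>"
      + "</add-value></modify-attr>"
      + "<modify-attr attr-name='manager'><add-value>"
      + "<value type='dn'>\\ACME\\users\\jdoe</value></add-value></modify-attr>"
      + "</modify>";
    // Expressions copied from the post; TYPE is the Fix #3 expression without "( ... )[1]".
    static final String FILTER = ".//@attr-name[not(../remove-all-values and not(../add-value))"
        + " and not(..//@type='structured')]";
    static final String TYPE = ".//@type[ancestor-or-self::*[@attr-name=$current-node]]";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPEs so the harness itself is not open to XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element op = dbf.newDocumentBuilder()
            .parse(new InputSource(new StringReader(EVENT))).getDocumentElement();
        XPath xp = XPathFactory.newInstance().newXPath();
        String[] current = new String[1];   // stands in for DirXML's $current-node
        xp.setXPathVariableResolver(q -> "current-node".equals(q.getLocalPart()) ? current[0] : null);
        NodeList names = (NodeList) xp.evaluate(FILTER, op, XPathConstants.NODESET);
        for (int i = 0; i < names.getLength(); i++) {
            current[0] = names.item(i).getNodeValue();
            // String-typed evaluation, comparable to <arg-string> in the policy.
            String first = xp.evaluate("(" + TYPE + ")[1]", op);
            String whole = xp.evaluate(TYPE, op);
            System.out.println(current[0] + ": type=" + first + " (without [1]: " + whole + ")");
        }
    }
}
```

Swap EVENT for an operation captured from your own driver trace to check which attributes the selection expression would hand to the MV-to-SV branch before deploying the rule.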