Hello,

I have two eDirs synchronized by an eDir-2-eDir driver, one being slave of
the other.
When a user is deleted from the slave, I used (or dreamed) to be able to
trigger a migrate from.

Here is the logic I use (it works perfectly for an AD driver).

In sub-etp on the slave side I have this policy:
<policy>
<rule>
<description>Recreate Deleted Object</description>
<comment xml:space="preserve">MOB is Slave to GID, direct deletion of
associated objects is illegal</comment>
<conditions>
<and>
<if-operation mode="case" op="equal">delete</if-operation>
<if-association op="available"/>
</and>
</conditions>
<actions>
<do-if>
<arg-conditions>
<and>
<if-xml-attr mode="regex" name="event-id" op="not-equal">WorkOrder Driver.+</if-xml-attr>
</and>
</arg-conditions>
<arg-actions>
<do-set-local-variable name="deleted-class" scope="policy">
<arg-node-set>
<token-dest-attr name="objectClass">
<arg-association>
<token-association/>
</arg-association>
</token-dest-attr>
</arg-node-set>
</do-set-local-variable>
</arg-actions>
</do-if>
</actions>
</rule>
</policy>

As a Query for "objectClass" is rather uncommon, on the slave side in
OTP, I have the following policy:
<policy>
<rule>
<description>Add Operation Data to Query "objectClass"</description>
<conditions>
<and>
<if-operation mode="case" op="equal">query</if-operation>
<if-association op="available"/>
<if-xpath op="true">read-attr[@attr-name="objectClass"]</if-xpath>
</and>
</conditions>
<actions>
<do-set-op-property name="from-delete">
<arg-string>
<token-text xml:space="preserve">True</token-text>
</arg-string>
</do-set-op-property>
</actions>
</rule>
</policy>

and to "track" the reply on the slave side in ITP, I have this policy:
<policy>
<rule>
<description>Use Instance to trigger a Migrate</description>
<comment xml:space="preserve">The rule creates a file that will be
processed outside of DirXML by the migrate.sh script</comment>
<conditions>
<and>
<if-operation mode="case" op="equal">instance</if-operation>
<if-op-property mode="nocase" name="from-delete"
op="equal">True</if-op-property>
</and>
</conditions>
<actions>
<do-set-local-variable name="event-data" scope="policy">
<arg-string>
<token-text xml:space="preserve">&lt;nds dtdversion="4.0"
ndsversion="8.x">
&lt;source>
&lt;product edition="Advanced"
version="4.0.1.0">DirXML&lt;/product>
&lt;contact>Novell, Inc.&lt;/contact>
&lt;/source>
&lt;input>
&lt;query dest-dn="</token-text>
<token-src-dn/>
<token-text xml:space="preserve">" scope="subtree">
&lt;/query>
&lt;/input>
&lt;/nds></token-text>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="migrate-file" scope="policy">
<arg-string>
<token-global-variable name="idv.system.temp"/>
<token-text xml:space="preserve">migrate-</token-text>
<token-parse-dn dest-dn-format="slash" length="1" start="-1">
<token-global-variable name="dirxml.auto.driverdn"/>
</token-parse-dn>
<token-text xml:space="preserve">-</token-text>
<token-time format="!CTIME" tz="UTC"/>
<token-text xml:space="preserve">.xml</token-text>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="write-log" scope="policy">
<arg-string>
<token-xpath expression="es:writeLog($migrate-file, $event-data,
'UTF-8')"/>
</arg-string>
</do-set-local-variable>
</actions>
</rule>
</policy>

The "magic" works: the file is correctly created as:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.1.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query dest-dn="\MDP-GID-DEV\data\MdP\CABMAIRIE\Utilisateurs\123456"
scope="subtree">
</query>
</input>
</nds>

This file is then submitted "back" to the driver with dxcmd thanks to a
cron job:
$DxCmd -user "$LDAPUser" -host $Host -password "$LDAPPassword" -dnform ldap -nossl -migrateapp "$Driver" $Event

On the trace I can see the query going out:
[10/30/13 16:44:40.814]:SLAVE ST:Start transaction.
[10/30/13 16:44:40.814]:SLAVE ST:Processing events for transaction.
[10/30/13 16:44:40.815]:SLAVE ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.3">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query dest-dn="\SOURCE\data\XXX\YYY\Utilisateurs\123456"
scope="subtree">
</query>
</input>
</nds>

And then the reply comes in:
[10/30/13 16:44:40.824]:SLAVE ST:: Document sent.
[10/30/13 16:44:40.824]:SLAVE ST:: Waiting for receive...
[10/30/13 16:44:40.847]:SLAVE ST:: Received.
[10/30/13 16:44:40.847]:SLAVE ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.3">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance class-name="User" event-id="0"
qualified-src-dn="O=data\OU=XXX\OU=YYY\OU=Utilisateurs\CN=123456 "
src-dn="\SOURCE\data\XXX\YYY\\Utilisateurs\123456"
src-entry-id="146114"/>
<status event-id="0"
level="success"><application>DirXML</application>
<module>GID-2-Nomade</module>
<object-dn>
(\MDP-GID-DEV\data\MdP\CABMAIRIE\Utilisateurs\123456)</object-dn>
<component>Publisher</component>
</status>
</output>
</nds>

And ... *there is no association element* ... So, of course, the
migrate from poorly fails:
[10/30/13 16:44:40.855]:SLAVE ST:Found 1 objects to migrate.
[10/30/13 16:44:40.855]:SLAVE ST:Instance 0 doesn't have enough
information to migrate.
[10/30/13 16:44:40.856]:SLAVE ST:No objects could be migrated.

I've tried to "craft" an Association on the SOURCE side thanks to AJC
and source attribute GUID.

When I do so, the SLAVE side is happy and performs a query for relevant
attributes based on the "fake" association.
But, the SOURCE fails claiming that the association is "invalid".

Don't ask, I've checked, the value of my "fake" association is correct.

I'm sure this used to work ... as it was accepted (long time ago) by my
customer (or my customer didn't test it)...

Now in eDir 8.8.7.4 FP1 and IDM 4.0.2.3 ... It fails.

The same action triggered by iManager also fails, as if in eDir-2-eDir
"Migrate into Identity Vault" just doesn't work.

Any help welcome.


--
oruff_rn
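
Added example (not part of the original post and not NetIQ code): a small Python check that pulls the XDS documents out of a driver trace and lists every <instance> that carries no <association> child, the condition the post points to just before "Instance 0 doesn't have enough information to migrate". The sample trace is constructed and modelled on the one quoted above; the function and variable names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the trace in the post (DNs shortened,
# second instance and its association value invented for contrast).
SAMPLE_TRACE = r"""
[10/30/13 16:44:40.847]:SLAVE ST:: Received.
[10/30/13 16:44:40.847]:SLAVE ST:
<nds dtdversion="4.0" ndsversion="8.x">
<output>
<instance class-name="User" event-id="0" src-dn="\SOURCE\data\Utilisateurs\123456"/>
<instance class-name="User" event-id="1" src-dn="\SOURCE\data\Utilisateurs\654321">
<association>{constructed-guid}</association>
</instance>
<status event-id="0" level="success"/>
</output>
</nds>
[10/30/13 16:44:40.855]:SLAVE ST:Found 2 objects to migrate.
"""

# An XDS document in the trace starts at <nds ...> and ends at </nds>.
NDS_DOC = re.compile(r"<nds\b.*?</nds>", re.DOTALL)


def instances_without_association(trace_text):
    """Return the src-dn of each <instance> lacking a non-empty <association>."""
    missing = []
    for match in NDS_DOC.finditer(trace_text):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            # Trace output can be wrapped or truncated; skip unparsable documents.
            continue
        for inst in root.iter("instance"):
            assoc = inst.find("association")
            if assoc is None or not (assoc.text or "").strip():
                missing.append(inst.get("src-dn"))
    return missing


if __name__ == "__main__":
    for dn in instances_without_association(SAMPLE_TRACE):
        print("no association in reply for:", dn)
```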