Hi,

I'm trying now to add a rule to match NIM's *NSCP:employeeNumber
*attribute to AD's employeeID attribute (they are already mapped). The
reason is that the CN comparison is not working do to some spell
errors.

To do it, I did the following rule :

Code:
--------------------
<rule>
<description>Concordance - par valeur d'attribut</description>
<conditions>
<and>
<if-class-name op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-find-matching-object scope="subtree">
<arg-dn>
<token-global-variable name="drv.user.container"/>
</arg-dn>
<arg-match-attr name="NSCP:employeeNumber"/>
<arg-match-attr name="employeeID"/>
</do-find-matching-object>
</actions>
</rule>
--------------------


But I don't know why it doesn't work. The user I'm trying to sync has
the same argument on both directories:
NSCP:employeeNumber : 2981
employeeID : 2981

I put this rule inside the matching policies :

Code:
--------------------
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\Novell\IdentityManager\Designer\plugins\com.no vell.idm.policybuilder_4.0.0.201206110753\DTD\dirx mlscript4.0.1.dtd"><policy xmlns:jstring="http://www.novell.com/nxsl/java/java.lang.String">
<description>Find matching object in Active Directory</description>
<rule>
<description>veto out-of-scope events</description>
<comment>When scoping by container, events outside of the Identity Vault containers defined in the above rule will not have a unmatched-src-dn operational property and will be vetoed. If you do not want to use container based scoping, this rule should be modified or removed.</comment>
<conditions>
<or>
<if-op-property name="attempt-to-match" op="not-available"/>
<if-op-property mode="nocase" name="attempt-to-match" op="equal">false</if-op-property>
</or>
</conditions>
<actions>
<do-veto/>
</actions>
</rule>
<rule>
<description>generate full name if not in Identity Vault</description>
<comment xml:space="preserve">Full name policy: Generate a Full Name from Given Name + Surname if one does not already exist. The value is set in the Identity Vault and in the current operation to Active Directory. This policy assumes that Full Name synchronization is enabled in the subscriber filter. If you disable Full Name in the subscriber filter you should not use Full Name mapping.</comment>
<conditions>
<and>
<if-class-name mode="case" op="equal">User</if-class-name>
<if-global-variable mode="nocase" name="FullNameMap" op="equal">true</if-global-variable>
<if-attr name="Full Name" op="not-available"/>
<if-attr name="Given Name" op="available"/>
</and>
</conditions>
<actions>
<do-set-local-variable name="gen-full-name">
<arg-string>
<token-attr name="Given Name"/>
<token-text xml:space="preserve"> </token-text>
<token-attr name="Surname"/>
</arg-string>
</do-set-local-variable>
<do-set-src-attr-value name="Full Name">
<arg-value>
<token-xpath expression="normalize-space($gen-full-name)"/>
</arg-value>
</do-set-src-attr-value>
<do-set-dest-attr-value name="Full Name">
<arg-value>
<token-xpath expression="normalize-space($gen-full-name)"/>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>
*<rule>
<description>Concordance - par valeur d'attribut</description>
<conditions>
<and>
<if-class-name op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-find-matching-object scope="subtree">
<arg-dn>
<token-global-variable name="drv.user.container"/>
</arg-dn>
<arg-match-attr name="NSCP:employeeNumber"/>
<arg-match-attr name="employeeID"/>
</do-find-matching-object>
</actions>
</rule>*
<rule>
<description>match users based on NT logon name</description>
<comment xml:space="preserve">Logon name policy: Match object name from the Identity Vault to the NT logon name in Active Directory. Because sAMAccountName (CN) is unique in the domain, objects are matched anywhere in the destination hierarchy, not just the relative position in the hierarchy.</comment>
<conditions>
<and>
<if-class-name mode="case" op="equal">User</if-class-name>
<if-global-variable mode="nocase" name="LogonNameMap" op="equal">true</if-global-variable>
</and>
</conditions>
<actions>
<do-find-matching-object scope="subtree">
<arg-dn>
<token-global-variable name="drv.user.container"/>
</arg-dn>
<arg-match-attr name="CN">
<arg-value type="string">
<token-replace-all regex="[^a-zA-Z0-9\x21\x23-\x29\x2d\x2e\x40\x5e-\x60\x7b\x7d\x7e\xc0-\xf6\xf8-\xff\u0410-\u044f]" replace-with="">
<token-src-name/>
</token-replace-all>
</arg-value>
</arg-match-attr>
</do-find-matching-object>
</actions>
</rule>
<rule>
<description>match users based on full name</description>
<comment xml:space="preserve">Full name policy: Match user objects in Active Directory whose object name matches the Identity Vault Full Name. Because objects names are only unique within a container, this rule only looks for objects in the same relative position in the hierarchy. This match is not performed if a matching object was found in a previous rule.</comment>
<conditions>
<and>
<if-class-name mode="case" op="equal">User</if-class-name>
<if-global-variable mode="nocase" name="FullNameMap" op="equal">true</if-global-variable>
<if-op-attr name="Full Name" op="available"/>
</and>
</conditions>
<actions>
<do-if>
<arg-conditions>
<and>
<if-global-variable mode="nocase" name="drv.subPlacementType" op="equal">flat</if-global-variable>
</and>
</arg-conditions>
<arg-actions>
<do-find-matching-object scope="entry">
<arg-dn>
<token-text xml:space="preserve">CN=</token-text>
<token-escape-for-dest-dn>
<token-attr name="Full Name"/>
</token-escape-for-dest-dn>
<token-text>,</token-text>
<token-global-variable name="drv.user.container"/>
</arg-dn>
</do-find-matching-object>
</arg-actions>
<arg-actions>
<do-find-matching-object scope="entry">
<arg-dn>
<token-text xml:space="preserve">CN=</token-text>
<token-escape-for-dest-dn>
<token-attr name="Full Name"/>
</token-escape-for-dest-dn>
<token-text>,</token-text>
<token-replace-first regex="(.+)" replace-with="$1,">
<token-parse-dn length="-2" src-dn-format="dest-dn">
<token-op-property name="unmatched-src-dn"/>
</token-parse-dn>
</token-replace-first>
<token-global-variable name="drv.user.container"/>
</arg-dn>
</do-find-matching-object>
</arg-actions>
</do-if>
</actions>
</rule>
<rule>
<description>match everything else</description>
<comment xml:space="preserve">Match objects in Active Directory based on the object name and relative position in the hierarchy.</comment>
<conditions>
<and/>
</conditions>
<actions>
<do-if>
<arg-conditions>
<and>
<if-global-variable mode="nocase" name="drv.subPlacementType" op="equal">flat</if-global-variable>
</and>
</arg-conditions>
<arg-actions>
<do-find-matching-object scope="entry">
<arg-dn>
<token-src-dn convert="true" length="1" start="-1"/>
<token-text xml:space="preserve">,</token-text>
<token-global-variable name="drv.user.container"/>
</arg-dn>
</do-find-matching-object>
</arg-actions>
<arg-actions>
<do-if>
<arg-conditions>
<and>
<if-op-property mode="nocase" name="unmatched-src-dn" op="not-equal"/>
</and>
</arg-conditions>
<arg-actions>
<do-find-matching-object scope="entry">
<arg-dn>
<token-op-property name="unmatched-src-dn"/>
<token-text xml:space="preserve">,</token-text>
<token-global-variable name="drv.user.container"/>
</arg-dn>
</do-find-matching-object>
</arg-actions>
<arg-actions>
<do-veto/>
</arg-actions>
</do-if>
</arg-actions>
</do-if>
</actions>
</rule>
</policy>
--------------------


What do you think it's wrong?

Thanks again in advance,
Marc



--
MuadDib_II
------------------------------------------------------------------------
MuadDib_II's Profile: https://forums.netiq.com/member.php?userid=8754
View this thread: https://forums.netiq.com/showthread.php?t=52444