Based on the description, I'm guessing that what is wanted is the source
attribute, not the destination attribute. And there is no need to assign
to a variable, just use "if source attribute".

-Father Ramon

Geoffrey Carman wrote:
> Your Dest attr token is missing the attribute you want... Named Object
> Class. That should return the list of all object classes on the user.
>
> Then your further test ought to work better.
>
> mJg2XW wrote:
>> geoffc;1857973 Wrote:
>>> mJg2XW wrote:
>>>> Dear IDM Forum
>>>>
>>>> Is there a way to check if a user has an indeed objectclass, other
>>> then
>>>> inetOrgPerson?
>>>> Im syncing user from a LDAP directory to eDir. I want to Check if
>>> the
>>>> user have objectclass = inetOrgPerson and xxxPerson associated. Else
>>> I
>>>> want to veto.
>>>> Using IDM 361 running on SLES 10, eDir 8.8 sp4/5, and my connected
>>>> system is a LDAP database (X.500 V3 homemade directory database)
>>>> Best regards
>>> Set local variable to nodeset of destination attr objectClass.
>>>
>>> Then test if local variable = your string and if any of the values in
>>> the nodeset match it should return true, else false.

>>
>> Like this?
>>
>> <rule disabled="true">
>> <description>Set object Classe</description>
>> <conditions>
>> <and/>
>> </conditions>
>> <actions>
>> <do-set-local-variable name="xxxPerson" scope="policy">
>> <arg-node-set>
>> <token-dest-attr name="xxxPerson"/>
>> </arg-node-set>
>> </do-set-local-variable>
>> </actions>
>> </rule>
>> <rule>
>> <description>Check objectclass</description>
>> <conditions>
>> <and>
>> <if-local-variable mode="nocase" name="xxxPerson"
>> op="not-equal">xxxPerson</if-local-variable>
>> </and>
>> </conditions>
>> <actions>
>> <do-veto/>
>> </actions>
>> </rule>
>>
>>