Ok, so looking at the default rule in the driver config shipping with
3.6 (I think I used the V5 config), can someone tell me why this rule
would ever work?

Pub-Command rule:

<rule>
  <description>Remove Equivalent To Me when removing object from a group</description>
  <comment xml:space="preserve">The identity Vault gives group members the rights of the group by adding the object to the "Equivalent to Me" attribute. Remove the object now.</comment>
  <conditions>
    <and>
      <if-class-name mode="case" op="equal">Group</if-class-name>
      <if-op-attr mode="regex" name="Member" op="changing-from">.+</if-op-attr>
    </and>
  </conditions>
  <actions>
    <do-remove-dest-attr-value name="Equivalent To Me">
      <arg-value type="string">
        <token-xpath expression="./modify-attr[@attr-name='Member']/remove-value/value"/>
      </arg-value>
    </do-remove-dest-attr-value>
  </actions>
</rule>

So if there is a <remove-value> node of attr-name=Member, then remove
the same Equiv to Me value.

Ok, that works fine for ONE remove-value node at a time.

What happens if you remove more than one User from a group at the same
time?

You get this event doc:

<nds dtdversion="2.2">
<source>
<product version="3.6.1.4427">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="Group" dest-dn="acme\Groups\TestGroup2"
dest-entry-id="38727" event-id="0"
src-dn="CN=TestGroup2,OU=Test Users,DC=americas,DC=acme,DC=corp">
<association>ceec2dcf59d1ad45b05f880174dc579c</association>
<modify-attr attr-name="Member">
<remove-value>
<value timestamp="1256243754#1"
type="dn">\acme-IDV\acme\Users\OrOtherT</value>
<value timestamp="1256243754#2"
type="dn">\acme-IDV\acme\Users\OtherOrST</value>
<value timestamp="1256243754#3"
type="dn">\acme-IDV\acme\Users\SomeOrOt</value>
</remove-value>
</modify-attr>
</modify>
</input>
</nds>


And this rule only fires on the first value...

I had never looked into this before, but this just plain ain't gonna
work... Argh!

I checked, and the exact same rule is there in 3.01, and 3.51 default
Designer configs. (I have a project with defaults of 3.01, 3.51, and
3.6 V5 imported for just this purpose!).

Here is some more trace...

Here is the rule firing:

[10/22/09 16:37:36.066]:AMERICAS-AD PT: Evaluating selection criteria
for rule 'Remove Equivalent To Me when removing object from a group'.
[10/22/09 16:37:36.066]:AMERICAS-AD PT: (if-class-name equal
"Group") = TRUE.
[10/22/09 16:37:36.067]:AMERICAS-AD PT: (if-op-attr 'Member'
changing-from ".+") = TRUE.
[10/22/09 16:37:36.067]:AMERICAS-AD PT: Rule selected.
[10/22/09 16:37:36.067]:AMERICAS-AD PT: Applying rule 'Remove
Equivalent To Me when removing object from a group'.
[10/22/09 16:37:36.068]:AMERICAS-AD PT: Action:
do-remove-dest-attr-value("Equivalent To Me",token-xpath("./modify-attr[@attr-name='Member']/remove-value/value")).
[10/22/09 16:37:36.068]:AMERICAS-AD PT:
arg-string(token-xpath("./modify-attr[@attr-name='Member']/remove-value/value"))
[10/22/09 16:37:36.069]:AMERICAS-AD PT:
token-xpath("./modify-attr[@attr-name='Member']/remove-value/value")
[10/22/09 16:37:36.069]:AMERICAS-AD PT: Token Value:
"\acme-IDV\acme\Users\OrOtherT".
[10/22/09 16:37:36.069]:AMERICAS-AD PT: Arg Value:
"\acme-IDV\acme\Users\OrOtherT".


Here is the resulting <modify> doc:

[10/22/09 16:37:36.115]:AMERICAS-AD PT:
<nds dtdversion="2.2">
<source>
<product version="3.6.1.4427">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="Group" dest-dn="acme\Groups\TestGroup2"
dest-entry-id="38727" event-id="0"
src-dn="CN=TestGroup2,OU=Test Users,DC=americas,DC=acme,DC=corp">
<association>ceec2dcf59d1ad45b05f880174dc579c</association>
<modify-attr attr-name="Member">
<remove-value>
<value timestamp="1256243754#1"
type="dn">\acme-IDV\acme\Users\OrOtherT</value>
<value timestamp="1256243754#2"
type="dn">\acme-IDV\acme\Users\OtherOrST</value>
<value timestamp="1256243754#3"
type="dn">\acme-IDV\acme\Users\SomeOrOt</value>
</remove-value>
</modify-attr>
<modify-attr attr-name="Object Class">
<add-value>
<value type="string">DirXML-ApplicationAttrs</value>
</add-value>
</modify-attr>
<modify-attr attr-name="DirXML-ADContext">
<remove-all-values/>
<add-value>
<value type="string">CN=TestGroup2,OU=Test Users,DC=americas,DC=acme,DC=corp</value>
</add-value>
</modify-attr>
<modify-attr attr-name="Equivalent To Me">
<remove-value>
<value type="string">\acme-IDV\acme\Users\OrOtherT</value>
</remove-value>
</modify-attr>
</modify>
</input>
</nds>


Or am I being stupid, and missing something really obvious...

Basically we are treating a nodeset in a single valued context.

Should just wrap it in a for each XPATH (remove member) to fix...

But this is really annoying! Took a long time to track down. (Well
that is because it is in a 25 driver project, each user is in at least 2
AD's, 2 eDirs, and all touch these attrs...)
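
The following is an added example, not part of the original post or of the shipped driver configuration: a small Python check that reads a resulting modify document like the one above and lists every Member removal that has no matching "Equivalent To Me" removal. The sample document is trimmed from the post's output, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the resulting <modify> document shown in the post.
SAMPLE_DOC = r"""<nds dtdversion="2.2">
  <input>
    <modify class-name="Group" dest-dn="acme\Groups\TestGroup2">
      <modify-attr attr-name="Member">
        <remove-value>
          <value type="dn">\acme-IDV\acme\Users\OrOtherT</value>
          <value type="dn">\acme-IDV\acme\Users\OtherOrST</value>
          <value type="dn">\acme-IDV\acme\Users\SomeOrOt</value>
        </remove-value>
      </modify-attr>
      <modify-attr attr-name="Equivalent To Me">
        <remove-value>
          <value type="string">\acme-IDV\acme\Users\OrOtherT</value>
        </remove-value>
      </modify-attr>
    </modify>
  </input>
</nds>"""


def removed_values(modify, attr_name):
    """Return every <remove-value>/<value> text for one attribute, in order."""
    out = []
    for attr in modify.findall("modify-attr"):
        if attr.get("attr-name") == attr_name:
            out += [(v.text or "").strip() for v in attr.findall("remove-value/value")]
    return out


def unmatched_removals(doc_xml):
    """Map group dest-dn -> Member removals with no Equivalent To Me removal."""
    findings = {}
    for modify in ET.fromstring(doc_xml).iter("modify"):
        if modify.get("class-name") != "Group":
            continue
        # DNs are compared case-insensitively.
        mirrored = {v.lower() for v in removed_values(modify, "Equivalent To Me")}
        missing = [v for v in removed_values(modify, "Member") if v.lower() not in mirrored]
        if missing:
            findings[modify.get("dest-dn")] = missing
    return findings


if __name__ == "__main__":
    for group, dns in unmatched_removals(SAMPLE_DOC).items():
        print(group, "->", dns)
```

Run against documents captured from a driver trace, a non-empty result points at groups where the rule handled only the first removed member.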