Hi all!

When I revoke the Exchange 2007 entitlement (ExchangeMailbox) from a
user, the rule does not recognize that the entitlement is being lost. This is
the event:

<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20100715203703.859Z" class-name="User"
event-id="idm03#20100715203703#1#1"
qualified-src-dn="O=mid\OU=ID\CN=TESTUSER"
src-dn="\IDM-LAB\mid\ID\TESTUSER" src-entry-id="36286" timestamp="0#0">
<association
state="associated">dfd3348840c9e74e8a515a164d804fe3</association>
<modify-attr attr-name="DirXML-EntitlementRef">
<remove-value>
<value timestamp="1279226137#1" type="structured">
<component name="nameSpace">1</component>
<component
name="volume">\IDM-LAB\mid\service\idm\driverset\MID2AD3\ExchangeMailbox</component>
<component name="path.xml">
<ref>
<src>RBE</src>
<id>mid\service\idm\driverset\Entitlement
Policies\Conta de correio Exchange 2007</id>

<param>CN=MDB01,CN=TEST,CN=InformationStore,CN=SERVER,CN=Servers,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=LABBMS,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=lab,DC=net</param>
</ref>
</component>
</value>
</remove-value>
</modify-attr>
</modify>
</input>
</nds>

This is the log of my rule:

[07/15/10 17:37:03.971]:MID2AD3 ST:Applying policy:
%+C%14Csub-ctp-EntitlementsImpl%-C.
[07/15/10 17:37:03.972]:MID2AD3 ST: Applying to modify #1.
[07/15/10 17:37:03.972]:MID2AD3 ST: Evaluating selection criteria
for rule 'User Account Entitlement change (Delete Option)'.
[07/15/10 17:37:03.973]:MID2AD3 ST: (if-global-variable
'drv.entitlement.UserAccount' equal "true") = TRUE.
[07/15/10 17:37:03.974]:MID2AD3 ST: (if-global-variable
'drv.entitlement.remove' equal "delete") = FALSE.
[07/15/10 17:37:03.974]:MID2AD3 ST: Rule rejected.
[07/15/10 17:37:03.975]:MID2AD3 ST: Evaluating selection criteria
for rule 'Strip Login Disabled from operation (Disable Option)'.
[07/15/10 17:37:03.975]:MID2AD3 ST: (if-global-variable
'drv.entitlement.UserAccount' equal "true") = TRUE.
[07/15/10 17:37:03.976]:MID2AD3 ST: (if-global-variable
'drv.entitlement.remove' equal "disable") = TRUE.
[07/15/10 17:37:03.977]:MID2AD3 ST: (if-class-name equal "User") =
TRUE.
[07/15/10 17:37:03.978]:MID2AD3 ST: (if-op-attr 'Login Disabled'
available) = FALSE.
[07/15/10 17:37:03.978]:MID2AD3 ST: Rule rejected.
[07/15/10 17:37:03.978]:MID2AD3 ST: Evaluating selection criteria
for rule 'User Account Entitlement change (Disable Option)'.
[07/15/10 17:37:03.979]:MID2AD3 ST: (if-global-variable
'drv.entitlement.UserAccount' equal "true") = TRUE.
[07/15/10 17:37:03.980]:MID2AD3 ST: (if-global-variable
'drv.entitlement.remove' equal "disable") = TRUE.
[07/15/10 17:37:03.981]:MID2AD3 ST: (if-class-name equal "User") =
TRUE.
[07/15/10 17:37:03.981]:MID2AD3 ST: (if-operation match
"add|modify") = TRUE.
[07/15/10 17:37:03.982]:MID2AD3 ST: (if-entitlement 'UserAccount'
changing) = FALSE.
[07/15/10 17:37:03.982]:MID2AD3 ST: Rule rejected.
[07/15/10 17:37:03.983]:MID2AD3 ST: Evaluating selection criteria
for rule 'Check User modify for group membership being granted or
revoked'.
[07/15/10 17:37:03.983]:MID2AD3 ST: (if-global-variable
'drv.entitlement.Group' equal "true") = TRUE.
[07/15/10 17:37:03.984]:MID2AD3 ST: (if-class-name equal "User") =
TRUE.
[07/15/10 17:37:03.985]:MID2AD3 ST: (if-operation equal "modify")
= TRUE.
[07/15/10 17:37:03.985]:MID2AD3 ST: (if-entitlement 'Group'
changing) = FALSE.
[07/15/10 17:37:03.986]:MID2AD3 ST: Rule rejected.
[07/15/10 17:37:03.986]:MID2AD3 ST: Evaluating selection criteria
for rule 'Check User modify for Exchange mailbox being granted or
revoked'.
[07/15/10 17:37:03.987]:MID2AD3 ST: (if-global-variable
'drv.exchMailboxMethod' equal "entitlement") = TRUE.
[07/15/10 17:37:03.987]:MID2AD3 ST: (if-class-name equal "User") =
TRUE.
[07/15/10 17:37:03.988]:MID2AD3 ST: (if-operation equal "modify")
= TRUE.
[07/15/10 17:37:03.988]:MID2AD3 ST: (IF-ENTITLEMENT
'EXCHANGEMAILBOX' CHANGING) = FALSE.
[07/15/10 17:37:03.989]:MID2AD3 ST: Rule rejected.
[07/15/10 17:37:03.989]:MID2AD3 ST:Policy returned:
[07/15/10 17:37:03.990]:MID2AD3 ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20100715203703.859Z" class-name="User"
event-id="idm03#20100715203703#1#1"
qualified-src-dn="O=mid\OU=ID\CN=TESTUSER"
src-dn="\IDM-LAB\mid\ID\TESTUSER" src-entry-id="36286" timestamp="0#0">
<association
state="associated">dfd3348840c9e74e8a515a164d804fe3</association>
<modify-attr attr-name="DirXML-EntitlementRef">
<remove-value>
<value timestamp="1279226137#1" type="structured">
<component name="nameSpace">1</component>
<component
name="volume">\IDM-LAB\mid\service\idm\driverset\MID2AD3\ExchangeMailbox</component>
<component name="path.xml">
<ref>
<src>RBE</src>
<id>mid\service\idm\driverset\Entitlement
Policies\Conta de correio Exchange 2007</id>

<param>CN=MDB01,CN=TEST,CN=InformationStore,CN=SERVER,CN=Servers,CN=Exchange
Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=LABBMS,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=lab,DC=net</param>
</ref>
</component>
</value>
</remove-value>
</modify-attr>
</modify>
</input>
</nds>

When I grant the entitlement to create the MS Exchange mailbox, everything works
great. What is the problem?


--
* Alan Cota | Open Consult | Brazil, Novell Platinum Partner.
CNE | ISM & Security Specialist.
http://www.alancota.net*