Hi all!

I have an AD driver (last patch 3.5.4.10) and we are having some
problems disabling user login in AD.

If I revoke the entitlement from the user, he is disabled successfully. But if I
set the eDirectory loginDisabled attribute to TRUE, the event simply
disappears. Yes, the event disappears after the event query for other
information. This is the log:

<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.13.5349">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20101019122736.080Z" class-name="User"
event-id="idm03#20101019122735#1#1"
qualified-src-dn="O=mid\OU=ID\CN=N06441" src-dn="\MID-QAS\mid\ID\N06441"
src-entry-id="35964" timestamp="1287491255#2">
<association
state="associated">fbeae8a74a6f944b96e2c55b2bcbaa1c</association>
<modify-attr attr-name="Login Disabled">
<remove-value>
<value timestamp="1287491160#2" type="state">false</value>
</remove-value>
<add-value>
<value timestamp="1287491255#2" type="state">true</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>

When it enters the rule:

<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.13.5349">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20101019122736.080Z" class-name="User"
event-id="idm03#20101019122735#1#1"
qualified-src-dn="O=mid\OU=ID\CN=N06441" src-dn="\MID-QAS\mid\ID\N06441"
src-entry-id="35964" timestamp="1287491255#2">
<association
state="associated">fbeae8a74a6f944b96e2c55b2bcbaa1c</association>
<modify-attr attr-name="Login Disabled">
<remove-all-values/>
<add-value>
<value type="state">true</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[10/19/10 10:27:36.178]:MID2AD2 ST:Applying policy:
%+C%14Csub-ctp-EntitlementsImpl%-C.
[10/19/10 10:27:36.179]:MID2AD2 ST: Applying to modify #1.
[10/19/10 10:27:36.179]:MID2AD2 ST: Evaluating selection criteria
for rule 'User Account Entitlement change (Delete Option)'.
[10/19/10 10:27:36.179]:MID2AD2 ST: (if-global-variable
'drv.entitlement.UserAccount' equal "true") = TRUE.
[10/19/10 10:27:36.179]:MID2AD2 ST: (if-global-variable
'drv.entitlement.remove' equal "delete") = FALSE.
[10/19/10 10:27:36.180]:MID2AD2 ST: Rule rejected.
[10/19/10 10:27:36.180]:MID2AD2 ST: Evaluating selection criteria
for rule 'Strip Login Disabled from operation (Disable Option)'.
[10/19/10 10:27:36.180]:MID2AD2 ST: (if-global-variable
'drv.entitlement.UserAccount' equal "true") = TRUE.
[10/19/10 10:27:36.180]:MID2AD2 ST: (if-global-variable
'drv.entitlement.remove' equal "disable") = TRUE.
[10/19/10 10:27:36.180]:MID2AD2 ST: (if-class-name equal "User") =
TRUE.
[10/19/10 10:27:36.181]:MID2AD2 ST: (if-op-attr 'Login Disabled'
available) = TRUE.
[10/19/10 10:27:36.181]:MID2AD2 ST: Rule selected.
[10/19/10 10:27:36.181]:MID2AD2 ST: Applying rule 'Strip Login
Disabled from operation (Disable Option)'.
[10/19/10 10:27:36.181]:MID2AD2 ST: Action:
do-strip-op-attr("Login Disabled").
[10/19/10 10:27:36.181]:MID2AD2 ST: Evaluating selection criteria
for rule 'User Account Entitlement change (Disable Option)'.
[10/19/10 10:27:36.182]:MID2AD2 ST: (if-global-variable
'drv.entitlement.UserAccount' equal "true") = TRUE.
[10/19/10 10:27:36.182]:MID2AD2 ST: (if-global-variable
'drv.entitlement.remove' equal "disable") = TRUE.
[10/19/10 10:27:36.182]:MID2AD2 ST: (if-class-name equal "User") =
TRUE.
[10/19/10 10:27:36.182]:MID2AD2 ST: (if-operation match
"add|modify") = TRUE.
[10/19/10 10:27:36.183]:MID2AD2 ST: (if-entitlement 'UserAccount'
changing) = FALSE.
[10/19/10 10:27:36.183]:MID2AD2 ST: Rule rejected.
[10/19/10 10:27:36.183]:MID2AD2 ST: Evaluating selection criteria
for rule 'Check User modify for group membership being granted or
revoked'.
[10/19/10 10:27:36.183]:MID2AD2 ST: (if-global-variable
'drv.entitlement.Group' equal "true") = TRUE.
[10/19/10 10:27:36.184]:MID2AD2 ST: (if-class-name equal "User") =
TRUE.
[10/19/10 10:27:36.184]:MID2AD2 ST: (if-operation equal "modify")
= TRUE.
[10/19/10 10:27:36.184]:MID2AD2 ST: (if-entitlement 'Group'
changing) = FALSE.
[10/19/10 10:27:36.184]:MID2AD2 ST: Rule rejected.
[10/19/10 10:27:36.184]:MID2AD2 ST: Evaluating selection criteria
for rule 'Check User modify for Exchange mailbox being granted or
revoked'.
[10/19/10 10:27:36.185]:MID2AD2 ST: (if-global-variable
'drv.exchMailboxMethod' equal "entitlement") = TRUE.
[10/19/10 10:27:36.185]:MID2AD2 ST: (if-class-name equal "User") =
TRUE.
[10/19/10 10:27:36.185]:MID2AD2 ST: (if-operation equal "modify")
= TRUE.
[10/19/10 10:27:36.185]:MID2AD2 ST: (if-entitlement
'ExchangeMailbox' changing) = FALSE.
[10/19/10 10:27:36.185]:MID2AD2 ST: Rule rejected.
[10/19/10 10:27:36.186]:MID2AD2 ST: Evaluating selection criteria
for rule 'custom-sub: move exchange mailbox'.
[10/19/10 10:27:36.186]:MID2AD2 ST: (if-global-variable
'drv.custom.mail.move.mailbox' equal "true") = TRUE.
[10/19/10 10:27:36.186]:MID2AD2 ST: (if-class-name equal "User") =
TRUE.
[10/19/10 10:27:36.186]:MID2AD2 ST: (if-operation equal "modify")
= TRUE.
[10/19/10 10:27:36.187]:MID2AD2 ST: Query from policy
[10/19/10 10:27:36.187]:MID2AD2 ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.13.5349">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query class-name="User" dest-dn="\MID-QAS\mid\ID\N06441"
dest-entry-id="35964" scope="entry">
<read-attr attr-name="DirXML-EntitlementRef"/>
</query>
</input>
</nds>
[10/19/10 10:27:36.188]:MID2AD2 ST: Pumping XDS to eDirectory.
[10/19/10 10:27:36.188]:MID2AD2 ST: Performing operation query for
\MID-QAS\mid\ID\N06441.
[10/19/10 10:27:36.190]:MID2AD2 ST: Query from policy result
[10/19/10 10:27:36.191]:MID2AD2 ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.13.5349">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance class-name="User"
qualified-src-dn="O=mid\OU=ID\CN=N06441" src-dn="\MID-QAS\mid\ID\N06441"
src-entry-id="35964">
<association
state="associated">fbeae8a74a6f944b96e2c55b2bcbaa1c</association>
<attr attr-name="DirXML-EntitlementRef">
<value timestamp="1287490892#1" type="structured">
<component name="nameSpace">1</component>
<component
name="volume">\MID-QAS\mid\service\idm\driverset_qas\MID2AD2\UserAccount</component>
<component name="path.xml">
<ref>
<src>AF</src>

<id>b40290e3399c4709832677b63fa04c86:a951fff10318415a8b13c2458182f3c0</id>
<param>{enter Entitlement DN here}</param>
</ref>
</component>
</value>
</attr>
</instance>
<status level="success"></status>
</output>
</nds>
[10/19/10 10:27:36.193]:MID2AD2 ST: (if-entitlement
'ExchangeMailbox' available) = FALSE.
[10/19/10 10:27:36.193]:MID2AD2 ST: Rule rejected.
[10/19/10 10:27:36.193]:MID2AD2 ST:Policy returned:
[10/19/10 10:27:36.193]:MID2AD2 ST:

OUTPUT FROM RULE PROCESS:

<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.13.5349">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20101019122736.080Z" class-name="User"
event-id="idm03#20101019122735#1#1"
qualified-src-dn="O=mid\OU=ID\CN=N06441" src-dn="\MID-QAS\mid\ID\N06441"
src-entry-id="35964" timestamp="1287491255#2">
<association
state="associated">fbeae8a74a6f944b96e2c55b2bcbaa1c</association>
</modify>
</input>
</nds>

As you can see, my event simply disappears!

INPUT EVENT:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.13.5349">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20101019122736.080Z" class-name="User"
event-id="idm03#20101019122735#1#1"
qualified-src-dn="O=mid\OU=ID\CN=N06441" src-dn="\MID-QAS\mid\ID\N06441"
src-entry-id="35964" timestamp="1287491255#2">
<association
state="associated">fbeae8a74a6f944b96e2c55b2bcbaa1c</association>
<modify-attr attr-name="Login Disabled">
<remove-value>
<value timestamp="1287491160#2" type="state">false</value>
</remove-value>
<add-value>
<value timestamp="1287491255#2" type="state">true</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>

OUTPUT EVENT:

<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.13.5349">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20101019122736.080Z" class-name="User"
event-id="idm03#20101019122735#1#1"
qualified-src-dn="O=mid\OU=ID\CN=N06441" src-dn="\MID-QAS\mid\ID\N06441"
src-entry-id="35964" timestamp="1287491255#2">
<association
state="associated">fbeae8a74a6f944b96e2c55b2bcbaa1c</association>
</modify>
</input>
</nds>


--
* Alan Cota | Open Consult | Brazil, Novell Platinum Partner.
CNE | ISM & Security Specialist.
http://www.alancota.net*
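Added example, not part of the original post and not Novell's code: a short Python script that reads a DirXML trace like the one above, reports which rule applied a `do-strip-op-attr` action, and lists the attributes missing from the `<modify>` after the policy ran. The function names are hypothetical, and the sample inputs are constructed from the trace and XDS documents in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: wrapped trace lines taken from the post above.
TRACE = """\
[10/19/10 10:27:36.181]:MID2AD2 ST: Applying rule 'Strip Login
Disabled from operation (Disable Option)'.
[10/19/10 10:27:36.181]:MID2AD2 ST: Action:
do-strip-op-attr("Login Disabled").
[10/19/10 10:27:36.181]:MID2AD2 ST: Evaluating selection criteria
for rule 'User Account Entitlement change (Disable Option)'.
"""

# Constructed sample: the <modify> before and after the policy, trimmed.
BEFORE = """<modify class-name="User"><modify-attr attr-name="Login Disabled">
<remove-all-values/><add-value><value type="state">true</value></add-value>
</modify-attr></modify>"""
AFTER = '<modify class-name="User"/>'

def unwrap(trace):
    """Join wrapped continuation lines onto the timestamped line they belong to."""
    entries = []
    for line in trace.splitlines():
        if line.startswith("[") or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def strip_actions(trace):
    """Return (rule name, attribute) for every do-strip-op-attr in the trace."""
    rule, hits = None, []
    for entry in unwrap(trace):
        if m := re.search(r"Applying rule '(.+)'\.$", entry):
            rule = m.group(1)  # remember which rule the next actions belong to
        if m := re.search(r'Action:\s*do-strip-op-attr\("(.+?)"\)', entry):
            hits.append((rule, m.group(1)))
    return hits

def attr_names(xds):
    return {a.get("attr-name") for a in ET.fromstring(xds).iter("modify-attr")}

def dropped_attrs(before_xml, after_xml):
    """Attributes present in the input <modify> but absent from the output."""
    return sorted(attr_names(before_xml) - attr_names(after_xml))

if __name__ == "__main__":
    print(strip_actions(TRACE), dropped_attrs(BEFORE, AFTER))
```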