Hello all,

I'm fairly new to developing driver policies, but experience another
that I have been able to hack my way through a bunch of things.

Right now I am trying to develop a policy that notifies users before
their role expires, and gives them the option to extend the role.

To do this, I've got a dynamic group is build off users that have a
role that is going to expire. For each of these users, a job kicks off
a trigger event for them. The policy I am building then loops through
the nrfAssignedRoles, and kicks of a workflow if it finds one that
expires in less than N days.

The value in nrfAssigned roles is a bit tricky to parse, since it
contains the DN of the role and XML containing information about the
role. I am running in to an issue though with getting the DN of the
role so I can kick off the workflow for it.

After days of trying to figure it out, decided to simplify things by
just using the nrfMemberOf attribute for troubleshooting to remove the
parsing of the XML as the root cause.

Basically, my problem is, when I am looping through each of the
nrfMemberOf attributes, it is returning the slash format for the dn
instead of the qualified format. For example, it is giving me:

\IDV-DEV\SERVICES\DRV\DriverSet\UserApplication\AppConf ig\RoleConfig\RoleDefs\Level30\Testing_Role

instead of

\T=IDV-DEV\O=SERVICES\OU=DRV\CN=DriverSet\CN=UserApplicat ion\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Leve l10\CN=Testing_Role

I am at a loss here. I was pretty confident my code was working, but to
double check I re-used a policy from another area of our driver which
revokes all roles on termination, which is doing exactly what I am
attempting by looping through each nrfMemberOf attribute and calling a
workflow for each. The code I am using is:

<do-for-each>
<arg-node-set>
<token-src-attr class-name="User" name="nrfMemberOf"/>
</arg-node-set>
<arg-actions>
<do-set-local-variable name="lvRemoveRoleDN" scope="policy">
<arg-string>
<token-xpath expression="$current-node/text()"/>
</arg-string>
</do-set-local-variable>
</arg-actions>
</do-for-each>

This seems like it should be simple, but I must just me
misunderstanding something. Am I not getting back a qualified dn
because it is initiated by a trigger and not a change to a users
attribute? The value of nrfMemberOf is already in qualified DN format,
so I am not sure why when I am reading it, that information is being
stripped. Any help would be GREATLY appreciated!

Thanks!


--
rb016206
------------------------------------------------------------------------
rb016206's Profile: http://forums.novell.com/member.php?userid=93710
View this thread: http://forums.novell.com/showthread.php?t=435175