Hello all,

I think there is a bug in the AD driver 3.1.1 or DirXMLScript, isn't it?
Here is an input, the rule, the real output and the output I expected.

Input:
------
<modify class-name="User" qualified-src-dn="OU=Kennungen\CN=user1"
src-dn="\Tree\Kennungen\user1" src-entry-id="3817155"
timestamp="1175253716#2">
<association state="associated">blabla</association>
<modify-attr attr-name="mwnMail">
<remove-value>
<value>old@example.de</value>
</remove-value>
<add-value>
<value>new@example.de</value>
</add-value>
</modify-attr>
</modify>
------

Rules extracted from the default Subscriber Command Transformation:
-------------------------------------------------------------------
<rule>
<description>map e-mail address to Active Directory logon
name</description>
<comment>Active Directory logon name (userPrincipalName) policy</comment>
<conditions>
<and>
<if-global-variable mode="case" name="UpnMap"
op="equal">edir-mail-auth</if-global-variable>
<if-op-attr name="mwnMail" op="available"/>
</and>
</conditions>
<actions>
<do-set-dest-attr-value name="userPrincipalName">
<arg-value>
<token-attr name="mwnMail"/>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>
<rule>
<description>unmap e-mail address from Active Directory logon
name</description>
<comment>Active Directory logon name (userPrincipalName) policy</comment>
<conditions>
<and>
<if-global-variable mode="case" name="UpnMap"
op="equal">edir-mail-auth</if-global-variable>
<if-op-attr mode="regex" name="mwnMail"
op="changing-from">.+</if-op-attr>
</and>
</conditions>
<actions>
<do-remove-dest-attr-value class-name="User" name="userPrincipalName">
<arg-value>
<token-op-attr name="mwnMail"/>
</arg-value>
</do-remove-dest-attr-value>
</actions>
</rule>
------------------------------------------------------------------

real Output:
-------
<modify class-name="User" qualified-src-dn="OU=Kennungen\CN=user1"
src-dn="\Tree\Kennungen\user1" src-entry-id="3817155"
timestamp="1175253716#2">
<association state="associated">blabla</association>
<modify-attr attr-name="mwnMail">
<remove-value>
<value>old@example.de</value>
</remove-value>
<add-value>
<value>new@example.de</value>
</add-value>
</modify-attr>
<modify-attr attr-name="userPrincipalName">
<remove-all-values/>
<add-value>
<value>new@example.de</value>
</add-value>
</modify-attr>
<modify-attr attr-name="userPrincipalName">
<remove-value>
*<value>new@example.de</value>*
</remove-value>
</modify-attr>
</modify>
-------

expected output:
---------
<modify class-name="User" qualified-src-dn="OU=Kennungen\CN=user1"
src-dn="\Tree\Kennungen\user1" src-entry-id="3817155"
timestamp="1175253716#2">
<association state="associated">blabla</association>
<modify-attr attr-name="mwnMail">
<remove-value>
<value>old@example.de</value>
</remove-value>
<add-value>
<value>new@example.de</value>
</add-value>
</modify-attr>
<modify-attr attr-name="userPrincipalName">
<remove-all-values/>
<add-value>
<value>new@example.de</value>
</add-value>
</modify-attr>
<modify-attr attr-name="userPrincipalName">
<remove-value>
*<value>old@example.de</value>*
</remove-value>
</modify-attr>
</modify>
-------

I think the <arg-value> should not be the <token-op-attr>, this means
the added value.


Thanks in advance,
Ute