Hi!

I'm working on a policy which shall assign ADS Group Memberships to new
users.

Therefore I do a query which asks ADS for all groups which have the
value of a certain attr in their description.
All found groups are written to a nodeset and afterwards I took a
for-each action in the next rule to generate the modify-group events.

That worked so far.
The problem is now, that I would like to do the query also in a for-each
action, because I'd like to do the query for different searchbases.

I tried it that way:

<rule>
<description>1 -- Dynamische Gruppenzuweisung durch ein
Attribut</description>
<comment xml:space="preserve">wird angewendet wenn groupMembership auf
"eins" steht</comment>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<if-global-variable mode="regex" name="groupMembership"
op="equal">.*Eins</if-global-variable>
<if-op-attr name="~groupAttr1~" op="available"/>
<if-op-attr mode="nocase" name="~groupAttr1~" op="not-equal"/>
</and>
</conditions>
<actions>
<do-set-local-variable name="groupValue">
<arg-string>
<token-op-attr name="~groupAttr1~"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="adScope">
<arg-node-set>
<token-global-variable name="adsSyncScope"/>
</arg-node-set>
</do-set-local-variable>
<do-for-each>
<arg-node-set>
<token-local-variable name="adScope"/>
</arg-node-set>
<arg-actions>
<do-set-local-variable name="group">
<arg-node-set>
<token-local-variable name="group"/>
<token-xpath
expression="query:search($destQueryProcessor,&quot ;subtree&quot;,association,concat($current-node,&apos;,&apos;,&apos;~adsTreeName~&apos,&apos;Group&apos;,&apos;Description&apos;,$groupV alue,&apos;&apos"/>
</arg-node-set>
</do-set-local-variable>
</arg-actions>
</do-for-each>
<do-set-local-variable name="groupCounter">
<arg-string>
<token-xpath expression="count($group)"/>
</arg-string>
</do-set-local-variable>
</actions>
</rule>

The problem of that solution is, that the first time concatening the
values, $group is empty and so $group + the result of the query ends up
in something like that:

Arg Value: {"",<instance> @class-name = "Group" @src-dn =
"cn=Mitarbeiter,ou=AIS,dc=lab-idm3,dc=bi,dc=fraunhofer,dc=de",<instance>
@class-name = "Group" @src-dn =
"cn=Hiwi,ou=IMK,dc=lab-idm3,dc=bi,dc=fraunhofer,dc=de",<instance>
@class-name = "Group" @src-dn =
"cn=intern2,ou=AIS,dc=lab-idm3,dc=bi,dc=fraunhofer,dc=de",<instance>
@class-name = "Group" @src-dn =
"cn=extern,ou=IMK,dc=lab-idm3,dc=bi,dc=fraunhofer,dc=de"}.

and $groupCount is 5 instead of 4 because there is this empty string at
the beginning.

How to change this policy to concat the results of both queries correctly?

Any help would be appreciated.


Regards,
Christine