I have 4 AD domains each with their own driver connecting to a single
Identity vault. My problem is when the manager field is updated in AD
and the account for a user's manager belongs to a different AD domain,
the driver errors out because it can't resolve the user in the domain
it is looking at.

I understand why it happens and that I can "re-write" the manager
attribute in the input policy, but I am struggling to find a good way to
associate the manager's DN with the ID Vault account when it is not in
the user's domain.

I tried doing a query of the DirXML-Context field but I get an error on
the query... "Invalid syntax". I have checked many times and the
DIR-XML-ADContext field is a cis type field, so there should be no
problems using it in a filter with a string that looks like a DN but is
simply a string.

Here's the script:

<do-set-local-variable name="mgrDNstr" scope="policy">
  <arg-string>
    <token-op-attr name="manager"/>
  </arg-string>
</do-set-local-variable>
<do-set-local-variable name="destMgrNodeset" scope="policy">
  <arg-node-set>
    <token-query class-name="User" datastore="dest">
      <arg-match-attr name="DirXML-ADContext">
        <arg-value type="string">
          <token-local-variable name="mgrDNstr"/>
        </arg-value>
      </arg-match-attr>
    </token-query>
  </arg-node-set>
</do-set-local-variable>



Here's what is returned on the query:
2505456544 DVRS: GIS-AD (NA) PT: Query from policy
2505456544 DVRS: GIS-AD (NA) PT:
<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.5.10.20070918 ">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <query class-name="User" scope="subtree">
      <search-class class-name="User"/>
      <search-attr attr-name="DirXML-ADContext">
        <value type="string">CN=John\, Doe,OU=Users,OU=GIS,OU=110SML,OU=LDN,DC=emea,DC=corp,DC=company,DC=com</value>
      </search-attr>
      <read-attr/>
    </query>
  </input>
</nds>
2505456544 DVRS: GIS-AD (NA) PT: Pumping XDS to eDirectory.
2505456544 DVRS: GIS-AD (NA) PT: Performing operation query for .
2505456544 DVRS: GIS-AD (NA) PT: Query from policy result
2505456544 DVRS: GIS-AD (NA) PT:
<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.5.10.20070918 ">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <output>
    <status event-id="0" level="error">Code(-9010) An exception occurred: novell.jclient.JCException: initVlistIterator -613 ERR_SYNTAX_VIOLATION</status>
  </output>
</nds>
2505456544 DVRS: GIS-AD (NA) PT: Token Value: {}.
2505456544 DVRS: GIS-AD (NA) PT: Arg Value: {}.
2505456544 DVRS: GIS-AD (NA) PT:Policy returned:
2505456544 DVRS: GIS-AD (NA) PT:

I have also tried to do a query on DirXML-Associations that contain the
AD GUID for the manager (since the association-ref is given) but I can't
seem to get the syntax right.

Any suggestions on the best way to proceed?

Thanks,

Richard


--
rreid