I'm trying to do something that I don't think is possible...but am happy
to be proven wrong.

Basically I'm trying to query a success status message and retrieve the
DN that the message is for. That's fine and I can do that and reformat
the DN to be correct.

I then want to use that DN to query for Group Memberships and that's
where I come unstuck.

As the status message doesn't have a DN, I'm using the one I obtained and
trying to force the DN of the Group Memberships query to be the local
variable ($var_sourceobject). The variable doesn't get expanded and hence
it doesn't work, so I assume I can't do this...

Any thoughts?

<rule>
  <conditions>
    <and>
      <if-operation op="equal">status</if-operation>
      <if-xpath op="true">self::status[@level = 'success']</if-xpath>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="var_sourceobject" scope="policy">
      <arg-string>
        <token-xpath expression="self::status[@level = 'success']/object-dn"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="var_cleansourceobj" scope="policy">
      <arg-string>
        <token-xpath expression="substring-before($var_sourceobject,' (')"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="members" scope="policy">
      <arg-node-set>
        <token-src-attr name="Group Membership">
          <arg-dn>
            <token-text xml:space="preserve">$var_sourceobject</token-text>
          </arg-dn>
        </token-src-attr>
      </arg-node-set>
    </do-set-local-variable>
  </actions>
</rule>