Hi there,
We've done a fairly basic install of IDM 3.5.1 AD driver and noted that
AD user moves are vetoed by default in the driver Publisher Event
Transform. There are some interesting policies that first check if the
event is an actual move or a rename (see event transform below). We've
disabled the "veto move" rule but are wondering if this will cause other
issues.

==

<policy>
<rule>
<description>setup for move validation</description>
<comment>Gather information needed for move validation.</comment>
<conditions>
<and>
<if-operation op="equal">move</if-operation>
</and>
</conditions>
<actions>
<do-set-local-variable name="cached-object-value">
<arg-string>
<token-parse-dn length="-2" start="0">
<token-dest-attr name="DirXML-ADContext"/>
</token-parse-dn>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="current-object-value">
<arg-string>
<token-src-dn convert="true" length="-2" start="0"/>
</arg-string>
</do-set-local-variable>
</actions>
</rule>
<rule>
<description>setup for rename validation</description>
<comment xml:space="preserve">Gather information needed for rename
validation.</comment>
<conditions>
<and>
<if-operation op="equal">rename</if-operation>
</and>
</conditions>
<actions>
<do-set-local-variable name="cached-object-value">
<arg-string>
<token-parse-dn start="-1">
<token-dest-attr name="DirXML-ADContext"/>
</token-parse-dn>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="current-object-value">
<arg-string>
<token-src-dn convert="true" start="-1"/>
</arg-string>
</do-set-local-variable>
</actions>
</rule>
<rule>
<description>move or rename validation</description>
<comment>The driver shim cannot tell the difference between a move
and a rename in Active Directory so publishes both. The last known
object DN is cached in the Identity Vault and then used to decide
whether a given move or rename operation is real. This rule will veto
moves and renames that are already reflected in the cached
value.</comment>
<conditions>
<and>
<if-local-variable mode="regex" name="cached-object-value"
op="equal">.*</if-local-variable>
<if-xpath op="true">$cached-object-value =
$current-object-value</if-xpath>
</and>
</conditions>
<actions>
<do-veto/>
</actions>
</rule>
<rule>
<description>move or rename cached context update</description>
<comment xml:space="preserve">Update cached context when move or
rename is valid.</comment>
<conditions>
<and>
<if-local-variable mode="regex" name="cached-object-value"
op="equal">.*</if-local-variable>
</and>
</conditions>
<actions>
<do-set-dest-attr-value direct="true" name="DirXML-ADContext">
<arg-value>
<token-src-dn/>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>
<rule disabled="true">
<description>veto move</description>
<comment xml:space="preserve">Veto every move published from Active
Directory (disabled here so that real moves reach the Identity Vault).</comment>
<conditions>
<and>
<if-operation op="equal">move</if-operation>
</and>
</conditions>
<actions>
<do-trace-message color="brpurple">
<arg-string>
<token-text xml:space="preserve">Move was vetoed</token-text>
</arg-string>
</do-trace-message>
<do-veto/>
</actions>
</rule>
</policy>


--
kmaule
------------------------------------------------------------------------
kmaule's Profile: http://forums.novell.com/member.php?userid=1814
View this thread: http://forums.novell.com/showthread.php?t=351729
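As an added illustration (not part of kmaule's post or the driver's own policy code), the Python below models how the quoted rules decide between a genuine move, a genuine rename, and the duplicate event the shim publishes for the other operation. It assumes DNs are already in LDAP form and that the `direct="true"` attribute write persists even when a later rule vetoes the operation.

```python
# Model of the publisher-side move/rename validation quoted above (added here;
# not IDM policy code). DNs are assumed to be in LDAP form already, which is what
# the real policy's token-src-dn convert="true" arranges before the comparison.

def split_ldap_dn(dn: str) -> list[str]:
    """Split an LDAP DN into RDNs, root-most first (honours backslash-escaped commas)."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc or ch == "\\":
            cur.append(ch)
            esc = not esc
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns[::-1]

def parse_dn(dn: str, start: int, length: int = -1) -> str:
    """token-parse-dn semantics: start 0 = root-most RDN, -1 = leaf-most;
    length -1 = all remaining RDNs, -2 = all remaining except the leaf."""
    rdns = split_ldap_dn(dn)
    n = len(rdns)
    if start < 0:
        start += n
    count = n - start + 1 + length if length < 0 else length
    return ",".join(rdns[start:start + max(count, 0)][::-1])

def publish(op: str, cached_ctx: str, src_dn: str, veto_move_rule: bool = False) -> dict:
    """Run the quoted rules in order for one published event.
    cached_ctx is the vault's DirXML-ADContext, src_dn the DN in the event;
    returns the veto decision and the DirXML-ADContext value left behind."""
    if op == "move":       # "setup for move validation": parent containers
        cached, current = parse_dn(cached_ctx, 0, -2), parse_dn(src_dn, 0, -2)
    elif op == "rename":   # "setup for rename validation": leaf RDNs
        cached, current = parse_dn(cached_ctx, -1), parse_dn(src_dn, -1)
    else:
        return {"vetoed": False, "cache": cached_ctx}
    # "move or rename validation": the regex .* always matches, so the veto
    # hinges on the XPath test $cached-object-value = $current-object-value
    if cached == current:
        return {"vetoed": True, "cache": cached_ctx, "why": "already in cache"}
    # "move or rename cached context update": direct="true" writes the attribute
    # straight to the vault, so the new DN is kept even if a later rule vetoes
    cache = src_dn
    if veto_move_rule and op == "move":   # the "veto move" rule kmaule disabled
        return {"vetoed": True, "cache": cache, "why": "veto move rule"}
    return {"vetoed": False, "cache": cache}
```

Feeding the same DN through `publish` first as a rename and then as a move shows the second event being vetoed because the parent container already matches the freshly updated cache.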