We're planning the following upgrade:
Novell eDirectory v8.8 sp1 to v8.8 sp2
Novell iManager v2.6 to v2.7.1
Novell Identity Manager 3.0.1 to 3.5.1

We have the LDAP driver connecting to OID, subscriber channel only.
Objects and groups are maintained on OID. We are seeing a big problem
with the group maintenance with the new LDAP driver. If an
unassociated member is being deleted from the group, ALL the members are
deleted from the group.

Below are snippets from the trace in the old and new version. The old
version discards the operation for the unassociated member, the new
version performs the LDAPModify with a NULL value. This deletes ALL the
members.

______________________________
BEFORE UPGRADE (LDAP VERSION 1.9.2)

<nds dtdversion="3.0" ndsversion="8.x">
<source>
<product version="3.0.10.20060630 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="groupOfUniqueNames"
event-id="meta1-qa#20081205190956#1#16"
qualified-src-dn="O=META-QA\OU=Identities\OU=Groups\CN=000-All_McGill_Alumni"
src-dn="\META-TREE-QA\META-QA\Identities\Groups\000-All_McGill_Alumni"
src-entry-id="494301" timestamp="0#0">
<association
state="associated">cn=MCGL_USER_ALUMNI,cn=portal.060330.162134.349357000,cn=Groups,dc=portal,dc=mcgill,dc=ca</association>
<modify-attr attr-name="uniquemember">
<remove-value>
<value timestamp="1228504196#16"
type="dn">\META-TREE-QA\META-QA\Identities\Users\50030448</value>
</remove-value>
</modify-attr>
</modify>
</input>
</nds>
14:17:32 6E9FFBA0 Drvrs: Portal QA ST: Oracle Portal LDAP:
LDAPSub.performModifyOperation() Attribute uniquemember does not have an
association-ref or value
14:17:32 6E9FFBA0 Drvrs: Portal QA ST: Oracle Portal LDAP:
LDAPSub.performModifyOperation() No modifications to apply.
14:17:32 6E9FFBA0 Drvrs: Portal QA ST: SubscriptionShim.execute()
returned:


AFTER UPGRADE (LDAP VERSION 3.5.2)

14:57:02 937F4BA0 Portal Dev ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.10.20070918 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20081205195702.159Z"
class-name="groupOfUniqueNames" event-id="meta-dev#20081205195702#1#4"
qualified-src-dn="O=Meta-dev\OU=Identities\OU=Groups\CN=000-All_McGill_Alumni"
src-dn="\META-TREE-DEV\Meta-dev\Identities\Groups\000-All_McGill_Alumni"
src-entry-id="120206" timestamp="0#0">
<association
state="associated">cn=MCGL_USER_ALUMNI,cn=portal.051128.125135.900522000,cn=Groups,dc=portal,dc=mcgill,dc=ca</association>
<modify-attr attr-name="uniquemember">
<remove-value>
<value timestamp="1228506956#56"
type="dn">\META-TREE-DEV\Meta-dev\Identities\Users\19648866</value>
</remove-value>
</modify-attr>
</modify>
</input>
</nds>
14:57:02 937F4BA0 Portal Dev ST: Oracle Portal LDAP: LDAP Modify:
cn=MCGL_USER_ALUMNI,cn=portal.051128.125135.900522000,cn=Groups,dc=portal,dc=mcgill,dc=ca
LDAPModification: (operation=delete,(LDAPAttribute:
{type='uniquemember', value=''}))
14:57:02 937F4BA0 Portal Dev ST:SubscriptionShim.execute() returned:
14:57:02 937F4BA0 Portal Dev ST:
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20070918_0739 " instance="Oracle Portal LDAP"
version="3.5.2">Identity Manager Driver for LDAP</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="meta-dev#20081205195702#1#4" level="success"/>
</output>
</nds>
____________________________________


We're planning a workaround by vetoing if the member is unassociated;
see the rule below.

Is this the best way to resolve the problem?

<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Veto if member is unassociated</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">groupOfUniqueNames</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-if>
        <arg-conditions>
          <and>
            <if-xpath op="true">modify-attr[@attr-name='uniquemember']/remove-value/value[not(@association-ref)]</if-xpath>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-veto/>
        </arg-actions>
        <arg-actions/>
      </do-if>
      <do-if>
        <arg-conditions>
          <and>
            <if-xpath op="true">modify-attr[@attr-name='uniquemember']/add-value/value[not(@association-ref)]</if-xpath>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-veto/>
        </arg-actions>
        <arg-actions/>
      </do-if>
    </actions>
  </rule>
</policy>


--
pdoig
------------------------------------------------------------------------
pdoig's Profile: http://forums.novell.com/member.php?userid=5541
View this thread: http://forums.novell.com/showthread.php?t=353347
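The failure mode in the traces above, and the veto rule proposed as the workaround, as an added example that is not part of the original post and is not Novell's driver code. It is a stand-alone Python model: an XDS modify with uniquemember removals is run through a subscriber policy (none, the posted whole-event veto, or an alternative that strips only the unassociated value, which is what a DirXML do-strip-xpath over the same XPath would do), then through the old and new shim translation, then against a constructed OID group entry using RFC 4511 modify/delete semantics (a delete with no values removes the whole attribute). The group contents, user DNs, the `cn=Users` container and the event builder are all constructed; reading the trace's `value=''` as "delete with no values" is an assumption made to reproduce the observed loss of every member, since the post shows the effect and not the shim's internals.

```python
"""Added example (not from the post, and not Novell's driver code): a
stand-alone model of how a uniquemember remove-value that carries no
association-ref becomes an LDAP delete, and of two subscriber policies that
could guard it. All DNs, group contents and events are constructed."""
import copy
import xml.etree.ElementTree as ET

USERS = "cn=Users,dc=portal,dc=mcgill,dc=ca"  # assumed OID user container
GROUP_DN = "cn=MCGL_USER_ALUMNI,cn=Groups,dc=portal,dc=mcgill,dc=ca"


def xds_event(removals):
    """Constructed XDS <modify> shaped like the one in the trace.
    removals: list of (edir_dn, association_ref_or_None) for <remove-value>."""
    parts = []
    for dn, ref in removals:
        assoc = f' association-ref="{ref}"' if ref else ""
        parts.append(f'<value type="dn"{assoc}>{dn}</value>')
    values = "".join(parts)
    return ET.fromstring(
        '<nds dtdversion="3.5" ndsversion="8.x"><input>'
        '<modify class-name="groupOfUniqueNames" event-id="example#1">'
        f'<association state="associated">{GROUP_DN}</association>'
        f'<modify-attr attr-name="uniquemember"><remove-value>{values}'
        '</remove-value></modify-attr></modify></input></nds>')


def unassociated_values(modify):
    """The nodes the post's XPath selects:
    modify-attr[@attr-name='uniquemember']/{remove-value,add-value}/value[not(@association-ref)]
    Returned as (parent, value) pairs so a caller can strip them."""
    hits = []
    for attr in modify.findall("modify-attr[@attr-name='uniquemember']"):
        for change in list(attr):
            if change.tag in ("remove-value", "add-value"):
                for v in change.findall("value"):
                    if v.get("association-ref") is None:
                        hits.append((change, v))
    return hits


def apply_policy(nds, mode):
    """Subscriber policy run before the shim; returns the <modify> nodes left.
    'veto'  -- the rule in the post: drop the whole modify if any hit exists.
    'strip' -- alternative: drop only the hit <value> nodes (a do-strip-xpath
               over the same expression), keep the associated ones.
    'none'  -- pass through unchanged."""
    nds = copy.deepcopy(nds)
    for inp in nds.findall("input"):
        for mod in list(inp.findall("modify")):
            if mod.get("class-name", "").lower() != "groupofuniquenames":
                continue
            hits = unassociated_values(mod)
            if mode == "veto" and hits:
                inp.remove(mod)
            elif mode == "strip":
                for change, v in hits:
                    change.remove(v)
    return nds.findall("input/modify")


def shim_translate(modify, driver):
    """Map each remove-value to the LDAP delete the shim would send.
    'old' (1.9.2): values without association-ref are discarded; if nothing
          is left the attribute is skipped ("No modifications to apply").
    'new' (3.5.2): the trace shows value='' being sent; this model treats
          that as a delete with no values (assumption, chosen because it
          matches the observed removal of every member)."""
    mods = []
    for attr in modify.findall("modify-attr"):
        refs = [v.get("association-ref") for v in attr.findall("remove-value/value")]
        if not refs:
            continue
        resolved = [r for r in refs if r]
        if driver == "old" and not resolved:
            continue
        mods.append(("delete", attr.get("attr-name"), resolved))
    return mods


def ldap_apply(entry, mods):
    """RFC 4511 modify semantics for 'delete': an empty value list removes
    the whole attribute, otherwise only the listed values are removed."""
    entry = copy.deepcopy(entry)
    for op, attr, values in mods:
        if op != "delete":
            raise ValueError(op)
        if not values:
            entry.pop(attr, None)
        else:
            entry[attr] = entry.get(attr, set()) - set(values)
            if not entry[attr]:
                del entry[attr]
    return entry


def simulate(removals, driver, policy):
    """One constructed event through policy and shim against a constructed
    three-member OID group; returns the surviving uniquemember set."""
    group = {"uniquemember": {f"cn=19648866,{USERS}",
                              f"cn=10000001,{USERS}", f"cn=10000002,{USERS}"}}
    mods = []
    for mod in apply_policy(xds_event(removals), policy):
        mods += shim_translate(mod, driver)
    return ldap_apply(group, mods).get("uniquemember", set())


# Constructed members: one never synced to OID, one with an association.
UNSYNCED = (r"\META-TREE-DEV\Meta-dev\Identities\Users\50030448", None)
SYNCED = (r"\META-TREE-DEV\Meta-dev\Identities\Users\19648866", f"cn=19648866,{USERS}")

if __name__ == "__main__":
    print("old driver, no policy:", simulate([UNSYNCED], "old", "none"))
    print("new driver, no policy:", simulate([UNSYNCED], "new", "none"))
    print("new driver, veto     :", simulate([UNSYNCED, SYNCED], "new", "veto"))
    print("new driver, strip    :", simulate([UNSYNCED, SYNCED], "new", "strip"))
```

Run stand-alone, the four cases show the difference the post is asking about: the old shim leaves the group intact, the new shim with no policy empties it, the posted veto keeps all three members even though the associated one was legitimately removed in eDirectory, and the strip variant removes only that member. The veto rule as posted also matches only a `<modify>`; an `<add>` of a group whose member list contains unassociated DNs is not covered by either XPath.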