Overview#

When using the Microsoft Active Directory Driver, attributes often need to be converted from Multi-Valued in the IDV to SINGLE-VALUE in Microsoft Active Directory.

The DirXML Example below shows one method to accomplish the task.

Handle Multi-to-single valued conversions uses some rather unique techniques to accomplish the task.

First the rule reads the DirXML-ApplicationSchema attribute values and stores this in a Driver Scope Global Configuration Variable "APP-SCHEMA". The value is set only once and then only checked for presence.

  • For each DirXML Operational Attribute, the "APP-SCHEMA" GCV is checked using XPATH to read the XML Attribute @multi-valued and set the value into the local Variable "MULTI-VALUED".
  • If the value of "MULTI-VALUED" is "false", the value of the DirXML Operational Attribute is stored in the Local Variable "VALUE".
  • The DirXML Operational Attribute is stripped from the operation and the destination Attribute is set to the value of "VALUE".

Originally taken from Generic Single-valued Schema Enforcement.

It is important that the Application Schema be refreshed for the rule to work properly.
We added a couple of tweaks. The rule below serves as a DirXML Example and includes some XPATH Examples:
<rule>
	<description>[CIS] Handle Multi-to-single valued conversions</description>
	<comment xml:space="preserve">Generic Rule which reads the application schema from AD and determines if it needs to take only the first value from a multi-valued eDirectory attribute
From:
http://www.novell.com/communities/node/9413/generic-single-valued-schema-enforcement</comment>
	<comment name="author" xml:space="preserve">jim@willeke.com</comment>
	<comment name="version" xml:space="preserve">40</comment>
	<comment name="lastchanged" xml:space="preserve">2014-02-03</comment>
	<conditions>
		<or>
			<if-operation mode="case" op="equal">modify</if-operation>
			<if-operation mode="case" op="equal">add</if-operation>
		</or>
	</conditions>
	<actions>
		<do-if>
			<arg-conditions>
				<and>
					<if-local-variable name="APP-SCHEMA" op="not-available"/>
				</and>
			</arg-conditions>
			<arg-actions>
				<do-trace-message>
					<arg-string>
						<token-text xml:space="preserve">Caching DirXML-ApplicationSchema on startup of driver!</token-text>
					</arg-string>
				</do-trace-message>
				<do-set-local-variable name="APP-SCHEMA" scope="driver">
					<arg-node-set>
						<token-xml-parse>
							<token-base64-decode>
								<token-src-attr name="DirXML-ApplicationSchema">
									<arg-dn>
										<token-global-variable name="dirxml.auto.driverdn"/>
									</arg-dn>
								</token-src-attr>
							</token-base64-decode>
						</token-xml-parse>
					</arg-node-set>
				</do-set-local-variable>
			</arg-actions>
			<arg-actions/>
		</do-if>
		<do-for-each>
			<arg-node-set>
				<token-xpath expression=".//@attr-name"/>
			</arg-node-set>
			<arg-actions>
				<do-set-local-variable name="CLASS" scope="policy">
					<arg-string>
						<token-class-name/>
					</arg-string>
				</do-set-local-variable>
				<do-set-local-variable name="ATTR-DEF" scope="policy">
					<arg-node-set>
						<token-xpath expression="$APP-SCHEMA/schema-def/class-def/attr-def[@attr-name=$current-node]"/>
					</arg-node-set>
				</do-set-local-variable>
				<do-set-local-variable name="MULTI-VALUED" scope="policy">
					<arg-string>
						<token-xpath expression="$ATTR-DEF[1]/@multi-valued"/>
					</arg-string>
				</do-set-local-variable>
				<do-if>
					<arg-conditions>
						<and>
							<if-local-variable mode="nocase" name="MULTI-VALUED" op="equal">false</if-local-variable>
						</and>
					</arg-conditions>
					<arg-actions>
						<do-set-local-variable name="VALUE" scope="policy">
							<arg-string>
								<token-op-attr name="$current-node$"/>
							</arg-string>
						</do-set-local-variable>
						<do-strip-op-attr name="$current-node$"/>
						<do-set-dest-attr-value name="$current-node$">
							<arg-value>
								<token-local-variable name="VALUE"/>
							</arg-value>
						</do-set-dest-attr-value>
					</arg-actions>
					<arg-actions/>
				</do-if>
			</arg-actions>
		</do-for-each>
	</actions>
</rule>
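
The rule's decision logic, simulated in Python as an added example (not part of the original rule or of the Identity Manager engine). The schema and the add event are constructed samples, and the function names are hypothetical; it models an add event only and shows why an attribute missing from a stale cached schema passes through with all its values.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the decoded DirXML-ApplicationSchema value (not real AD output).
APP_SCHEMA = ET.fromstring("""
<schema-def>
  <class-def class-name="user">
    <attr-def attr-name="telephoneNumber" multi-valued="false"/>
    <attr-def attr-name="otherTelephone" multi-valued="true"/>
  </class-def>
  <class-def class-name="group">
    <attr-def attr-name="telephoneNumber" multi-valued="true"/>
  </class-def>
</schema-def>""")

# Constructed add event; customAttr is deliberately absent from the schema above.
ADD_EVENT = """
<add class-name="User">
  <add-attr attr-name="telephoneNumber"><value>555-0100</value><value>555-0101</value></add-attr>
  <add-attr attr-name="otherTelephone"><value>555-0102</value><value>555-0103</value></add-attr>
  <add-attr attr-name="customAttr"><value>a</value><value>b</value></add-attr>
</add>"""

def multi_valued_flag(schema, attr_name):
    """Mirror $APP-SCHEMA/schema-def/class-def/attr-def[@attr-name=...][1]/@multi-valued.
    The lookup ignores the class, as the XPath in the rule does: first match wins."""
    for attr_def in schema.iterfind("./class-def/attr-def"):
        if attr_def.get("attr-name") == attr_name:
            return attr_def.get("multi-valued", "")
    return ""  # not in the cached schema: the XPath yields an empty string

def enforce_single_valued(schema, event_xml):
    """Return {attribute: values} as they would reach the destination."""
    result = {}
    for node in ET.fromstring(event_xml).iter():
        name = node.get("attr-name")  # equivalent of iterating .//@attr-name
        if name is None:
            continue
        values = [v.text for v in node.iter("value")]
        # Case-insensitive compare, like mode="nocase" in the rule.
        if multi_valued_flag(schema, name).lower() == "false":
            values = values[:1]  # keep only the first value
        result[name] = values
    return result

if __name__ == "__main__":
    for attr, vals in enforce_single_valued(APP_SCHEMA, ADD_EVENT).items():
        print(attr, vals)
```
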

« This page (revision-6) was last changed on 19-Aug-2014 12:06 by jim