News aggregator

Can not migrate to SLED SP3 - no sources in online update.

Hello,

I recently tried to update to the SLED10 SP3.

After I checked the migration script ("move-to-sled10-sp3-script.sh" or so) in YaST Online-Update it ran without errors (s. log attached). However it didn't provide any SLED10 SP3 update sources, but for:

http://www2.ati.com/suse/sle10sp3
and
http://download.nvidia.com/novell/sle10sp3 instead; the latter even requires a new kernel, which I can't get due to missing SP3 sources...

I own a Lenovo Thinkpad T61 with OEM SLED installation and I'm pretty sure I'm eligible to upgrade to SP3.

I never had to subscribe to NCC on my own, so I can not check products etc.; nevertheless the NCC Configuration in YaST did work - until now. I think they use for OEM versions the values in "deviceid" and "secret" under /etc/zmd/.

Any suggestions ? - Many thanks in advance !

Sinc. yours: UncleVan.
Attached Files move-to-sled10-sp3-script.log (2.2 KB)

Win an HP Mini Notebook here on the forums

I know a lot of you in this forum use the NNTP interface but just this once it would be worth your while if you jumped over to http://forums.novell.com and took a look at the web interface. There you'll see a forum that isn't on NNTP and instructions about how to use it to get yourself entered to win an HP Mini Notebook.....and it's really easy.

If you've attended BrainShare in the past and have a favorite memory, all you have to do is share it in the special forum and you're entered.

I let the BrainShare team know what great BrainShare supporters our forum users are so they allowed me to put this promotion out to you forum users. Don't let me down!

GW on SLES 10sp2 giving me a headache...

Ok, so I'm in the process of moving from a single domain / single po system here to a two domain system, as part of a virtualization process.
So I've created two extra domains on two new hosts.
I've created samba shares for these domains.
I've created a mount point for them (and mounted them as root).

I've created a new postoffice under one domain, and I've moved the users and the library there. Worked very nicely.

For some reason, the two new domains claim that each other is down.
The original domain sees them as up.
I've gone through the link configuration, and it seems to be ok.
I still get mail routed from them, but I suspect they are routed via the third domain???

So to get rid of that problem, I thought, well, the gateway domain is easy to reinstall, so let's just get rid of that, and I'll just recreate it.

So I removed the GWIA and Webaccess objects, as well as the MTA from the edir.
But when I tried to remove the domain, it claimed that there were still subordinate groupwise objects.
Looking at the groupwise view I can see the mta. If I try to remove it from there, it tells me that the edir counterparts are gone, and if I want to retry removing them. When doing that, nothing happens.
I can see in the 'Pending Operations' that the delete sits there.

So, I'm a bit lost on what to do now, any constructive input is appreciated.

Memorable moments

Pssssst. Hey. Yea you. Wanna win an HP Mini Notebook? There's a pretty good chance you can win. I just set up a sub-forum to this BrainShare forum to collect favorite BrainShare memories. The BrainShare staff (just next door to me here at Novell) are going to put all the entries into a drawing and pick a winner by the end of the month. If you've attended BrainShare in the past and have a favorite memory, why not share it? You can't win if you don't enter, and besides, I would look really silly if I had gone to the bother to convince the BrainShare people that the forum community were big BrainShare supporters and we would have good participation so......

.....comon folks, make me look like I know what I'm talking about. :)

Bacula agent for NW65 ??

Does anybody know where I can find a Bacula agent for NetWare65?

Serg

Windows 2003 TSE & iprint

Hello,

We currently migrate our NW ndps printers to our new OES2 iprint system.

I've got one question about the large amount of time needed to install printers in WTS environments. It took me a day (8 hours) to install 80 printers on a test account.

Is that normal? Did I forget to configure something?

Environment :
Windows 2003 TSE SP1 & SP2 + full patch set
Iprint 5.12 & Iprint 5.30
Test accounts : one with limited rights and another with Admin rights.

Our servers are not overused (4 * 2.4 GHz Xeon, 4 GB RAM, Gigabit network, 1 user connected) and looking at the process list doesn't give me any way to track that issue, and the ipperr log file is still free of errors.

Any help will be highly appreciated! :)

Best regards

Benjamin PREISS

KDE Founder Receives Highest German Honor

Jiilik Oiolosse writes "KDE founder Matthias Ettrich was decorated today with the German Federal Cross of Merit for his contributions to Free Software. The Federal Cross of Merit is both the most prestigious as well as the only general decoration awarded by the Federal Republic ...

Red Hat Virtualization Manager for Windows Only?

Say it isn't so, Red Hat caught in apparent ultra-hypocrisy... InternetNews: "That's no typo: A Linux vendor is requiring its users to run one of its key new products on the rival, closed source Windows operating system." Posted ...

SUSE Studio – new web buttons and more…

Who doesn't love robots?!?  Check out the new desktop wallpaper, posters, robots and web buttons -- for fans of SUSE Studio.

5 Free Linux Apps You Can’t Do Without

PC Authority: "Like a digital Swiss Army knife, these are the Linux utilities and tools that are so useful you won't know how you ever did without them." Posted via email from MonkeyBoy's Brain ...

What’s Your Favorite Google Wave Gadget?

Google Wave is still a new phenomenon in the social media world. There is no Google Wave App Store yet and the API is relatively new, which means that Google Wave Gadgets are hard to find. The crux of Google Wave is the extensions/apps or ...

CO Customer succeeds with Zero cost Xen virtualization

Most of you are probably aware that SUSE Linux Enterprise Server is a great virtual machine guest that is optimized for use on VMware, Hyper-V and XenServer... but did you also know that the open source Xen hypervisor is included in SUSE Linux Enterprise Server?  It is, and it costs ...

Despite Windows 7, Linux raps harder at company doors

USA Today: "The launch of the Windows 7 computer operating system on Thursday should help Microsoft (MSFT) tighten its grip as the dominant supplier of desktops and laptops to the business world." Posted via email ...

Ryan Gordon Wants To Bring Universal Binaries To Linux

wisesifu writes "One of the interesting features of Mac OS X is its 'universal binaries' feature that allows a single binary file to run natively on both PowerPC and Intel x86 platforms. While this comes at a cost of a larger binary ...

Getting comfortable with Linux plumbing

IBM Developerworks: "If you think streams and pipes make a Linux® expert sound like a plumber, here's your chance to learn about them and how to redirect and split them. You even learn how to turn a stream into command arguments." ...

xen 3.4.0 cant create domU with tap:aio

Novell Support Forums - New Posts - 10 hours 48 min ago
hi guys,

we have running sles11 and xen3.4.0 with convirt.

we have many domU running created with vm-install and clone one finished to other domUs. The harddisk of the domU is created with file. i want now create a new domU with tap:aio on local disk. This doesn't work.

i created it with vm-install. The setup start and hardware probing was ok. But then by formatting the harddisk the setup hangs at 8% and never finished. after 30 minutes waiting I decided to kill this setup. And now i can't start any domU (file-based harddisk) on this server. i must restart. after that i can start filebased harddisk domUs. but no tap:aio - based domU.

Quote:
# Automtically generated by ConVirt
name='sles11-1111'
uuid='a820e748-fcbb-66ef-b8a4-615a3364bc61'
memory=512
maxmem=512
vcpus=1
on_poweroff='destroy'
on_reboot='restart'
on_crash='destroy'
localtime=0
keymap='de'
builder='linux'
bootloader='/usr/bin/pygrub'
bootargs=''
extra=' '
disk=['file:/var/cache/convirt/vm_disks/sles11-1111,xvda,w']
vif=['mac=00:16:3e:55:e6:e8,bridge=br0']
vfb=['type=vnc,vncunused=1']
kernel=''
ramdisk=''
root=''
STORAGE_STATS={'DISK_STATS': {'/var/cache/convirt/vm_disks/sles11-1111': {'DEV_TYPE': 'FILE', 'IS_LOCAL': True, 'DISK_SIZE': 3221225472, 'DISK_NAME': '/var/cache/convirt/vm_disks/sles11-1111'}}, 'LOCAL_ALLOCATION': 3221225472, 'SHARED_ALLOCATION': 0}
on_shutdown=None

the xenblk is loaded in kernel. all needed modules are loaded!
we use the xenkernel which comes with sles11.

again Problem: i want to create a domU with a tap:aio based harddisk and cdrom. i have no problems with domUs with file based harddisk

Thank you for your help.

Please write back.

Using DNS Aliases with SPNEGO

Novell Support Forums - New Posts - 6 November 2009 - 11:50pm
06-Nov-2009 05:46 PM

One of the great features of Novell Access Manager is the integrated single sign-on capability from Microsoft Active Directory (AD) domain member workstations. Through the use of Kerberos and the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO), the Access Manager Identity Server (IdS) can seamlessly authenticate a Windows desktop.

Users log on to the desktop using their normal credentials and then when they attempt to access an Access Manager protected site, they are not required to log in again. Instead, a token is passed to the Access Manager IdS from the workstation. The IdS then verifies that token and allows the user access per the policies as defined in Access Manager.

Complete details on configuring Access Manager can be found in the product documentation. This basically works by the client requesting a service ticket from the domain controller for the IdS. The actual name it passes to the domain controller is known as the Service Principal Name (SPN).

The SPN is made up of three components: the protocol, the fully qualified domain name of the IdS, and the client's own AD domain name (known as the realm). So, for example, let's say that the DNS name of our IdS (the Base URL) is ids1.appdomain.com and our AD domain (the realm) is ad.appdomain.com. This would make our SPN, as sent by the workstation, the following:

HTTP/ids1.appdomain.com@AD.APPDOMAIN.COM

This is what would be sent to the domain controller (the protocol is always listed as HTTP even if it is HTTPS). The client gets back a token that has information about the user in a service ticket encrypted within the token. This is passed in the header to the IdS where it is decrypted (using the shared secret in the nidpkey.keytab file). At this point the user is authenticated and Access Manager will grant or deny access as appropriate.

This all works fine as long as the fully qualified domain name used to build the SPN matches the actual DNS host record (A record) returned when the Windows desktop does a DNS query for ids1.appdomain.com. But what happens if a DNS alias record (CNAME record) is used? Let's say now that the actual hostname of the server acting as the IdS is linux1.appdomain.com and that the DNS record for ids1.appdomain.com is actually a CNAME pointing at linux1.appdomain.com:

linux1.appdomain.com. IN A 10.1.1.1
ids1.appdomain.com. IN CNAME linux1.appdomain.com.

What happens in this scenario? When the client builds the SPN, it will look up ids1.appdomain.com, which results in the CNAME being returned. It will then take the actual host record and use that to build the SPN, resulting in:

HTTP/linux1.appdomain.com@AD.APPDOMAIN.COM

This will be sent to the domain controller and will obviously fail since the SPN is incorrect, resulting in the browser being presented with a basic authentication dialog box (the IdS falls back to NTLM authentication).

The preferred solution to this problem is to put in a second host entry for the IdS, not a CNAME:

linux1.appdomain.com. IN A 10.1.1.1
ids1.appdomain.com. IN A 10.1.1.1

This would result in a host record being returned to the client when it looks up ids1.appdomain.com and that is the value that would be used to build the SPN. However, there are situations where it may not be possible to enter another host record in DNS. For example, some fault tolerant layer-4 switching solutions provide for management of DNS entries as well in order to support disaster recovery scenarios (such as F5 Networks’ Global Traffic Manager). In this case, the switch may be managing and changing the DNS entries for the virtual IP addresses. Some organizations might use a dedicated or unique zone name for this and therefore have all application names referencing the switch managed entries through DNS aliases. In this case, a CNAME must be used.

This will work with Access Manager as long as the true, resolvable, host entry is used for the SPN. So in this example, if a CNAME is used for ids1, the value of linux1.appdomain.com would need to be used for the user ID in AD, in the Kerberos class properties (see figure 1), and in the bcsLogin.conf on the IdS server as shown below:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug="true"
    useTicketCache="true"
    ticketCache="/opt/novell/java/jre/lib/security/spnegoTicket.cache"
    doNotPrompt="true"
    principal="HTTP/linux1.appdomain.com@AD.APPDOMAIN.COM"
    useKeyTab="true"
    keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab"
    storeKey="true";
};

http://www.novell.com/communities/fi...s_Config_0.png
Figure 1: Kerberos Class Properties


However, the URL listed in the local trusted site list in the browser must still be the actual IdS base URL (ids1.appdomain.com in this example), not the true hostname as referenced in the A record.

Using the Kerberos feature in Access Manager is a great way to provide seamless single sign-on to Windows desktops. But it is important to understand how the client is resolving the IdS and building the SPN in order to ensure it functions reliably.
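A pre-deployment check for the mismatch described above, as an added example that is not part of the original article: it models the client behaviour the article describes (follow the CNAME to the A record owner, then build the SPN) and compares the result with the principal in a bcsLogin.conf style entry. The zone dictionaries, the shortened JAAS string and all function names are constructed for illustration.

```python
import re

# Constructed zone data mirroring the two DNS layouts in the article.
ZONE_CNAME = {
    "linux1.appdomain.com.": ("A", "10.1.1.1"),
    "ids1.appdomain.com.": ("CNAME", "linux1.appdomain.com."),
}
ZONE_TWO_A = {
    "linux1.appdomain.com.": ("A", "10.1.1.1"),
    "ids1.appdomain.com.": ("A", "10.1.1.1"),
}


def canonical_host(zone, name, max_hops=8):
    """Follow CNAMEs until a name that owns an A record is reached."""
    fqdn = name.rstrip(".").lower() + "."
    for _ in range(max_hops):
        rtype, rdata = zone.get(fqdn, (None, None))
        if rtype == "A":
            return fqdn.rstrip(".")
        if rtype != "CNAME":
            raise LookupError(f"no A or CNAME record for {fqdn}")
        fqdn = rdata.rstrip(".").lower() + "."
    raise LookupError(f"CNAME chain too long or looping at {fqdn}")


def client_spn(zone, base_url_host, realm):
    """SPN the workstation requests, per the article: HTTP/<A-record name>@<REALM>."""
    return f"HTTP/{canonical_host(zone, base_url_host)}@{realm.upper()}"


def configured_principal(jaas_text):
    """Extract principal="..." from a bcsLogin.conf style JAAS entry."""
    match = re.search(r'\bprincipal\s*=\s*"([^"]+)"', jaas_text)
    if match is None:
        raise ValueError("no principal option found")
    return match.group(1)


def spn_matches(zone, base_url_host, realm, jaas_text):
    """True when the requested SPN equals the principal the IdS accepts."""
    requested = client_spn(zone, base_url_host, realm)
    req_host, _, req_realm = requested.rpartition("@")
    cfg_host, _, cfg_realm = configured_principal(jaas_text).rpartition("@")
    # Service/host part compared case-insensitively; realm names are case-sensitive.
    return req_host.lower() == cfg_host.lower() and req_realm == cfg_realm


def jaas(principal):
    # Shortened, constructed entry: only the option this check reads matters here.
    return f'com.sun.security.jgss.accept {{ principal="{principal}" useKeyTab="true"; }};'


if __name__ == "__main__":
    realm, base = "ad.appdomain.com", "ids1.appdomain.com"
    cases = [
        ("CNAME, principal uses alias", ZONE_CNAME, "HTTP/ids1.appdomain.com@AD.APPDOMAIN.COM"),
        ("CNAME, principal uses host", ZONE_CNAME, "HTTP/linux1.appdomain.com@AD.APPDOMAIN.COM"),
        ("two A records, principal uses alias", ZONE_TWO_A, "HTTP/ids1.appdomain.com@AD.APPDOMAIN.COM"),
    ]
    for label, zone, principal in cases:
        ok = spn_matches(zone, base, realm, jaas(principal))
        print(f"{label}: client asks for {client_spn(zone, base, realm)} -> "
              f"{'SSO works' if ok else 'SPN mismatch, SSO fails'}")
```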





Field Memo: Windows 7 Support on EUC Products

Novell Support Forums - New Posts - 6 November 2009 - 11:50pm
05-Nov-2009 08:50 PM

Podcast: Windows 7 Support on EUC Products
Randal covers which End-User Computing products currently have Windows 7 support and when others will support Windows 7. He also gives you some tips on how you can support Novell's customer communication effort around Windows 7. Want to listen to podcasts on your BlackBerry? Check this out.
Your Time Investment: (4:44 audio)
Localized: No

Good Selling,
The End-User Computing Enablement Team

Partners, visit our Wiki where you can find everything you need to be enabled on selling End-User Computing Solutions!
EUC Enablement Resources:
Wiki: http://tr.im/novell_euc





Example walk through of using XPATH in Identity Manager

Novell Support Forums - New Posts - 6 November 2009 - 11:50pm
06-Nov-2009 12:41 PM

Example of using XPATH in Identity Manager:

Novell Identity Manager originally started as Novell DirXML and required all work to be done in XSLT (XML Style sheets). XSLT is a powerful language but not my personal favorite to work in.

With the release of Novell NSure Identity Manager 2.0 we saw the advent of DirXML Script, an XML based language designed for the task of managing XML event documents. With each release of Identity Manager since, it has gotten better and better.

Just for the heck of it, I even wrote this article trying to track down what you can only do in XSLT at the moment, with the goal of chipping away at that list, where possible!

Open Call: What Can You Do in XSLT that You Cannot Do in DirXML Script?

There have been new features that make life a lot easier, and new tokens that are very powerful.

The nicest thing about using DirXML Script is that the management tools, iManager with the Identity Manager snapins, or Designer for Identity Manager (an Eclipse based tool for offline editing of a project) parse the XML into a really nice GUI interface that allows you to type it free form in XML, manipulate it in a GUI, or any combination of both. In fact, sometimes, due to the way nested items (if then code blocks, or for each loops) are shown in the GUI it is easier to fix things by switching over to the XML view and working there.

Some examples of the various tokens and things that can be done with DirXML Script are:

One of the languages that has been available inside XSLT and DirXML Script is called XPATH, the XML Path language, which is described here: http://www.w3.org/TR/1999/REC-xpath-19991116

However there is just not enough out there in terms of how to use XPATH in an Identity Manager context for people learning Identity Manager.

I have been working hard on that topic, and you can read some of my articles on the topic at:

XPATH General Concepts:

XPATH Cool tips:

I keep my eyes open as I work in Identity Manager for good examples of XPATH usage that might be handy to others, and this one happened to me today. I walked one of my coworkers through it, who is still learning XPATH, and realized it would be a great example to write an article about the process of debugging what I wanted to do.

For those who do not know, Designer has an XPATH tool built in. It is not perfect; we are told in the forums that there are one or two major issues that make it not 100% compliant with the way Identity Manager views XPATH, but for 99% of the things you need to do in XPATH in Identity Manager it should be fine.

Whenever you use an XPATH related token (strip by XPATH expression, if XPATH expression condition token, clone by XPATH expression, or the XPATH token in Argument Builder) you get a little icon to the right of the text box, that pops open the XPATH tool.

http://www.novell.com/communities/fi...gBuilder_0.jpg


I will try and include some screen shots to make it clear what I mean, where it makes sense.

So what problem was I working on? Well we are syncing POSIX attributes (that is uidNumber, gidNumber, gecos, homeDirectory, loginShell and so on) between two trees. However, the posixAccount auxiliary class that often is used to contain the POSIX attributes that Unix and Linux need to define a user, has some mandatory values.

On a side note, it is a really bad idea in general to make an Auxiliary class have mandatory attributes. It makes it a ROYAL pain to work with! You cannot just add the class to an object by editing say Object Class, in Console One, since you need to save that change, before the UI will let you add one of the new attributes, but if the new attribute is mandatory, you cannot add the Object Class value without the mandatory attribute!

I do not dispute the logic behind this specific case, since it makes little sense to have just uidNumber without gidNumber, from a Unix server perspective, nonetheless it is really annoying.

Now in this particular tree, somehow the base class User got extended with the needed posixAccount attributes. Thus when we originally set this up and populated the tree, all was good, as we could add the POSIX attributes without problem to users in either tree. It was just part of base schema, no need for a posixAccount attribute.

Then things got strange. Some LDAP applications do an LDAP bind to get user information; I think it was AIX's equivalent to PAM on Linux (Pluggable Authentication Modules, which I was sure AIX called LAM, but the AIX guy says he has never heard of that, not that it matters). When they did, we found that NMAS was throwing a strange failure error, and it looks like you explicitly require the posixAccount object class on the user for it to work. It is not enough to just have all the needed attributes, even though the query does not look for posixAccount: if the object class does not include posixAccount, it does not work. Crazy, but easy to fix.

Thus to fix it, we started adding posixAccount to users. However, we had a couple of edge cases where we should not have been sending it and I wanted to strip out the add object class for posixAccount. Usually this is when we are missing one of the POSIX attributes, in which case the entire event fails with a 609 Missing Mandatory error (because we are missing a mandatory attribute that posixAccount requires).

Well, you say, that's easy, that is what the token strip operational attribute is for. Just do a strip operational attribute Object Class, and all will be fine.

Well there are way more instances where this might occur, and in fact there are legal cases where there might be several object class changes in one document, so what I really want is just to strip the specific object class add value of posixAccount.

Well, that's what strip by XPATH expression is for. So what is my XPATH expression to remove the add of the value posixAccount into the Object Class attribute?

Off the top of my head, I tried the following XPATH statement:

modify-attr/add-attr[@attr-name="Object Class' and value/text()="posixAccount]

I opened it in the XPATH editor (here is what it looks like empty)

http://www.novell.com/communities/fi...Builder2_0.jpg


and tracked down an example event document, to paste into the sample document on the left hand side in the XML source tab:

DirXML Novell, Inc. {2F95C242-557F-3c40-A3B8-2F95C242557F} LDAPTEST@acme.corp posixAccount

http://www.novell.com/communities/fi...Builder3_0.jpg


Before we start using the XPATH editor for real, let's make sure we can get it to work at all! So let's try a simple common XPATH selection. Let's select the src-dn XML attribute of the modify node. With XPATH, you can do a couple of very different things, which sometimes gets confusing, and the different uses depend on the context of their use, which makes it more confusing.

Basically you can use XPATH to select a node, value, or attribute. That is the sort of thing you do in a set local variable kind of context. Makes sense, you want to set a variable to something in the event document.

Conversely you also can use XPATH to do math, and some string functions, in which case, you might also in a set local variable context try to add 86400 seconds to a Time value, to set the value to tomorrow's time. erPrincipalName"] but wanted the value before the @ sign. Well you could combine the two into something like substring-before( attr[@attr-name="userPrincipalName"], "@") to get what you wanted.

Back to our example, let's make sure we can get the XPATH editor working with a simple test or two, starting with our @src-dn, which I KNOW will work, since it is the most common example used in Identity Manager.

http://www.novell.com/communities/fi...Builder4_0.jpg


Ok, so I have my event doc on the left hand side, looks good, type in @src-dn as my expression, hit the arrow button to Go, and no nodes are found. What the dickens?

Well this stymied me for the longest time, and I just assumed this was broken, but it is really the simplest thing to resolve. The XPATH editor is a very generic XPATH editor. Identity Manager is a specific XPATH usage case, and it all comes down to the context node!

It's almost as easy to show it as it is to explain it... Look at this screen shot:

http://www.novell.com/communities/fi...Builder5_0.jpg


Here you can see I switched over to the XML Tree view on the left hand side. The most important thing is I clicked on the Modify node. This sets the current context to the modify node (which the XPATH Select Context bit on the right says is now /nds/input/modify), which is the default context in an Identity Manager example. Now suddenly we see a result! Once you do this, it starts being a really useful tool!

Back to my actual example now, and I had thought that this ought to be close:

modify-attr/add-attr[@attr-name="Object Class' and value/text()="posixAccount]

Well, the first thing the editor complained about were my typos. Mismatched the " and ' around the Object Class, and missed a close " at the end of posixAccount.

http://www.novell.com/communities/fi...Builder6_0.jpg


That left me with:

modify-attr/add-attr[@attr-name="Object Class" and value/text()="posixAccount"]

I switched the left hand pane to the tree node view of the sample XML event document and started looking at the actual document, and I realized my memory stinks!

First off, I got an add and a modify event mixed up. In an add event, you get add-attr nodes, with an attr-name attribute, and then an add-value node and then a value node, or something like that. But in a modify, you get a modify-attr node, with an XML attribute of attr-name and then an add-value or remove-value (or remove-all-values) node under that, followed by a value node.

Thus no need for the add-attr, and the predicate (the stuff in square brackets []) needs to be on the modify-attr node.

That gets me closer with:

modify-attr[@attr-name="Object Class" and value/text()="posixAccount"]

But I get nothing in the XPATH Editor, since nothing matches that criteria, and as I looked closer I realized I forgot that there is an add-value node to include in there. That leads me closer with:

http://www.novell.com/communities/fi...Builder7_0.jpg


modify-attr[@attr-name="Object Class"]/add-value/value="posixAccount"]

But there is an error at the end, I am told. Oops, left a trailing ] and then I take that off and still an error.

Well I think I need to put a predicate on the add-value test, so that it looks more like:

modify-attr[@attr-name="Object Class"]/add-value[value/text()="posixAccount"]

So let's parse that out. Select the modify-attr node that matches the condition where the XML attribute attr-name is equal to the string "Object Class" and then, under that node, select an add-value node that has a value whose text string is equal to "posixAccount".

Now you can see in the XPATH editor what it should look like:

http://www.novell.com/communities/fi...Builder8_0.jpg


I switched tabs over to the XML Source view, since in this case it is more useful when looking at results. Then you can see on the right hand side the XPATH Selected Context is still /nds/input/modify, which is what we want, the XPATH expression is what I typed above, and in the results section, it selected an element, lines 16-18.

Look over to the left hand side, and you can see that lines 16-18 are the add-value node, from its opening tag to its closing tag. In this case I selected a node set, and since what I originally wanted was to strip this out by XPATH, that looks to be what I wanted. This way if there is more than one Object Class change, I will only remove this one node, and if it is the only one, it leaves an empty modify-attr node, which usually gets cleaned up by the engine.

Tada. See was that so hard? Well yes, a little bit, but it gets a lot easier as you do it more often, and get better at it.
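The debugging steps above, replayed as an added example (not from the original article) with Python's xml.etree.ElementTree. The event document is constructed, and because ElementTree implements only a subset of XPATH, the article's value/text()="posixAccount" test is written as value='posixAccount' and its "and" as a second predicate.

```python
import xml.etree.ElementTree as ET

# Constructed modify event; "exampleAux" is a made-up second object class.
EVENT = r"""<nds>
  <input>
    <modify class-name="User" src-dn="\ACME\corp\LDAPTEST">
      <modify-attr attr-name="Object Class">
        <add-value><value>posixAccount</value></add-value>
      </modify-attr>
      <modify-attr attr-name="Object Class">
        <add-value><value>exampleAux</value></add-value>
      </modify-attr>
      <modify-attr attr-name="loginShell">
        <add-value><value>/bin/bash</value></add-value>
      </modify-attr>
    </modify>
  </input>
</nds>"""

OC = "modify-attr[@attr-name='Object Class']"
# The article's attempts (typos already fixed), in ElementTree's XPATH subset.
ATTEMPTS = [
    "modify-attr/add-attr[@attr-name='Object Class'][value='posixAccount']",
    OC + "[value='posixAccount']",            # predicate on the wrong level
    OC + "/add-value[value='posixAccount']",  # final expression
]


def load():
    """Return (document root, the modify node Identity Manager uses as context)."""
    root = ET.fromstring(EVENT)
    return root, root.find("input/modify")


def count_matches(context, expr):
    """Number of nodes the expression selects relative to the context node."""
    return len(context.findall(expr))


def strip_by_path(context, expr):
    """Remove every selected node from its parent; return how many were removed."""
    parents = {child: parent for parent in context.iter() for child in parent}
    hits = context.findall(expr)
    for node in hits:
        parents[node].remove(node)
    return len(hits)


def object_class_adds(modify):
    """Object Class values the event would still add."""
    return [v.text for v in modify.findall(OC + "/add-value/value")]


def empty_modify_attrs(modify):
    """modify-attr nodes left with no children after a strip."""
    return [m.get("attr-name") for m in modify.findall("modify-attr") if len(m) == 0]


if __name__ == "__main__":
    root, modify = load()
    # Same expression, two context nodes: only the modify context finds anything.
    print("src-dn from document root:", root.get("src-dn"))
    print("src-dn from modify node:  ", modify.get("src-dn"))
    for expr in ATTEMPTS:
        print(f"{count_matches(root, expr)} from root, "
              f"{count_matches(modify, expr)} from modify: {expr}")
    print("stripped:", strip_by_path(modify, ATTEMPTS[-1]))
    print("Object Class adds left:", object_class_adds(modify))
    print("empty modify-attr nodes:", empty_modify_attrs(modify))
```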





© 2009 Novell, Inc. All Rights Reserved.