Avoiding Startup Vetos with Scoping Rules

Author Info

9 May 2007 - 4:32am
Submitted by: geoffc


Problem

Often when deploying pretty much any IDM driver, you will want to scope it so that only events from a certain container get processed. Usually, this is done in the Event Transform rule.

The test would be something like this: if the source DN is not in the subtree test.acme, then Veto.

For example:

<rule>
  <description>Scoping Rule</description>
  <conditions>
    <and>
      <if-src-dn op="not-in-subtree">acme\test</if-src-dn>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

What often comes as a shocking surprise is that the driver may not restart when you are done. Reading the trace carefully, it is possible to see that in fact this rule vetoed one of the driver startup documents.

Solution

When a driver starts, the engine and shim send XML documents back and forth to handshake. Those startup documents carry no object class and have no source DN inside the scoped container, so the rule above vetoes the startup handshake itself and the driver will not start. The fix is simple, and it's a good general rule to follow.

Add a test for class name=User (or Group, or whatever other object classes are flowing).

For just Users, it would be more like this:

<rule>
  <description>Scoping Rule</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-src-dn op="not-in-subtree">acme\test</if-src-dn>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

If you are handling many object classes, this may be a better example:

<rule>
  <description>Scoping Rule</description>
  <conditions>
    <or>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-class-name mode="nocase" op="equal">Group</if-class-name>
      <if-class-name mode="nocase" op="equal">Organizational Unit</if-class-name>
    </or>
    <or>
      <if-src-dn op="not-in-subtree">acme\test</if-src-dn>
    </or>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

Because separate <or> groups inside <conditions> are ANDed together, this rule first checks whether the object is any of User, Group, or Organizational Unit. Only if it is one of those does it test the source DN against the subtree; a startup document, which has no class name, never reaches the veto.
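As an added illustration (not part of the original article and not Identity Manager engine code), the Python below models the condition evaluation in a simplified way and runs both versions of the rule over three constructed XDS documents: a startup document that carries no class-name, an add inside the scoped container, and an add outside it. The DNs, the driver name, and the assumption that a startup document never carries a class-name and never has a src-dn inside the scoped container are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SCOPE = "acme\\test"  # the container the rule scopes to (from the article)

# Constructed sample documents, not a real engine trace. The start-up
# document is modelled with the driver object's own DN and no class-name.
SAMPLE_DOCS = {
    "startup": r'<nds><input><init-params src-dn="\acme\services\DriverSet\MyDriver"/></input></nds>',
    "in_scope": r'<nds><input><add class-name="User" src-dn="\acme\test\jdoe"/></input></nds>',
    "out_of_scope": r'<nds><input><add class-name="User" src-dn="\acme\prod\asmith"/></input></nds>',
}


def in_subtree(dn, subtree):
    """Backslash-form DN containment: dn is the container itself or lies below it.
    A missing DN is never inside the subtree, so not-in-subtree is true for it."""
    if dn is None:
        return False
    d = dn.strip("\\").lower()
    s = subtree.strip("\\").lower()
    return d == s or d.startswith(s + "\\")


def naive_rule_vetoes(op):
    """The article's first rule: veto whenever src-dn is not in the subtree."""
    return not in_subtree(op.get("src-dn"), SCOPE)


def guarded_rule_vetoes(op, classes=("user", "group", "organizational unit")):
    """The article's third rule: (class is one of the list, nocase)
    AND (src-dn not in subtree) -> veto."""
    cls = (op.get("class-name") or "").lower()
    return cls in classes and not in_subtree(op.get("src-dn"), SCOPE)


def evaluate(rule, docs):
    """Apply a rule to the first operation element of each document and
    return {doc name: True if vetoed}."""
    results = {}
    for name, xml in docs.items():
        op = ET.fromstring(xml).find("./input/*")
        results[name] = rule(op)
    return results


if __name__ == "__main__":
    # The naive rule vetoes the start-up document; the guarded one lets it through.
    print("naive  :", evaluate(naive_rule_vetoes, SAMPLE_DOCS))
    print("guarded:", evaluate(guarded_rule_vetoes, SAMPLE_DOCS))
```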

Checking the object class is a 'cheap' test, since the information is already in the XML document so there is no querying back to find it out.

Keep this in mind any time you use a Veto, or the Veto If Operational Attribute Not Available action. In both cases, you could inadvertently stop the driver from loading.


Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

© 2013 Novell