
Avoiding Startup Vetos with Scoping Rules

Novell Cool Solutions: Tip
By Geoffrey Carman


Posted: 9 May 2007
 

Problem

When deploying almost any IDM driver, you will want to scope it so that only events from a certain container are processed. Usually this is done with a rule in the Event Transformation policy.

The test is something like this: if the source DN is not in the subtree acme\test (test.acme in dot notation), then veto the event.

For example:

<rule>
  <description>Scoping Rule</description>
  <conditions>
    <and>
      <if-src-dn op="not-in-subtree">acme\test</if-src-dn>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

What often comes as an unpleasant surprise is that the driver may not start again once this rule is in place. Reading the trace carefully, you can see that the rule vetoed one of the driver's startup documents.

Solution

When a driver starts, the engine and the shim exchange XML documents to handshake. Those startup documents are not User (or Group, and so on) objects inside your scope, so the unguarded subtree test matches them, the rule vetoes the handshake, and the driver never finishes starting. The fix is simple, and it is a good general rule to follow.

Add a test for class name equal to User (or Group, or whatever other object classes are flowing) alongside the subtree test, so that only real object events can be vetoed.

For just Users, it would be more like this:

<rule>
  <description>Scoping Rule</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-src-dn op="not-in-subtree">acme\test</if-src-dn>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

If you are handling several object classes, this is a better pattern:

<rule>
  <description>Scoping Rule</description>
  <conditions>
    <or>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-class-name mode="nocase" op="equal">Group</if-class-name>
      <if-class-name mode="nocase" op="equal">Organizational Unit</if-class-name>
    </or>
    <or>
      <if-src-dn op="not-in-subtree">acme\test</if-src-dn>
    </or>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

Here the two <or> groups are ANDed together: the rule first checks whether the class is any of User, Group, or Organizational Unit, and only if it is does the subtree test on the source DN apply. Anything else, including the startup documents, falls through untouched.

Checking the object class is a 'cheap' test: the class name is already in the XML document, so the engine does not have to query back to eDirectory to find it out.
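The following is an added example, not code from the article or from Novell: a small Python model of how the three rules above evaluate against XDS documents, so you can see which documents each variant vetoes before loading it into a driver. It assumes a simplified reading of DirXML Script (conditions inside <and> are ANDed and inside <or> are ORed; <and> groups are ORed together and <or> groups are ANDed together; a not-in-subtree test on an absent or out-of-scope src-dn is true; an if-class-name test on a document with no class-name is false). The sample documents, including the init-params stand-in for a startup handshake document and the ACME DNs, are constructed for the example.

```python
# Added example, not code from the original article: a Python model of how the
# three scoping rules evaluate against XDS documents. It does not talk to an
# IDM engine; the semantics are a simplified reading of DirXML Script.
import xml.etree.ElementTree as ET

# The three rules from the article (raw strings so "\t" in acme\test stays a backslash).
RULE_UNSCOPED = r"""
<rule>
  <description>Scoping Rule</description>
  <conditions>
    <and>
      <if-src-dn op="not-in-subtree">acme\test</if-src-dn>
    </and>
  </conditions>
  <actions><do-veto/></actions>
</rule>"""

RULE_USER_ONLY = r"""
<rule>
  <description>Scoping Rule</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-src-dn op="not-in-subtree">acme\test</if-src-dn>
    </and>
  </conditions>
  <actions><do-veto/></actions>
</rule>"""

RULE_MULTI_CLASS = r"""
<rule>
  <description>Scoping Rule</description>
  <conditions>
    <or>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-class-name mode="nocase" op="equal">Group</if-class-name>
      <if-class-name mode="nocase" op="equal">Organizational Unit</if-class-name>
    </or>
    <or>
      <if-src-dn op="not-in-subtree">acme\test</if-src-dn>
    </or>
  </conditions>
  <actions><do-veto/></actions>
</rule>"""

# Constructed sample documents (not from a real trace). "startup" stands in for a
# driver startup handshake document: no class-name, and a src-dn pointing at the
# driver object, well outside acme\test.
EVENTS = {
    "startup":            r'<init-params src-dn="\ACME\services\driverset\driver"/>',
    "user-in-scope":      r'<add class-name="User" src-dn="\ACME\test\jdoe"/>',
    "user-out-of-scope":  r'<add class-name="User" src-dn="\ACME\prod\jdoe"/>',
    "group-in-scope":     r'<add class-name="Group" src-dn="\ACME\test\admins"/>',
    "group-out-of-scope": r'<modify class-name="Group" src-dn="\ACME\prod\admins"/>',
}


def dn_components(dn):
    """Split a backslash-format DN into lower-cased components (eDirectory names are case-insensitive)."""
    return [c.lower() for c in dn.split("\\") if c]


def in_subtree(src_dn, subtree):
    """True if src_dn is the subtree root or below it. A missing DN is never in the subtree."""
    if src_dn is None:
        return False
    s, t = dn_components(src_dn), dn_components(subtree)
    return s[:len(t)] == t


def eval_condition(cond, event):
    """Evaluate one if-class-name / if-src-dn condition against the event element."""
    op, wanted = cond.get("op"), (cond.text or "").strip()
    if cond.tag == "if-class-name":
        if op != "equal":
            raise ValueError(f"unsupported op {op!r} for if-class-name")
        actual = event.get("class-name")
        if actual is None:
            return False  # no class-name on startup documents: the guard fails closed
        if cond.get("mode") == "nocase":
            return actual.lower() == wanted.lower()
        return actual == wanted
    if cond.tag == "if-src-dn":
        actual = event.get("src-dn")
        if op == "in-subtree":
            return in_subtree(actual, wanted)
        if op == "not-in-subtree":
            return not in_subtree(actual, wanted)  # true for an absent or out-of-scope DN
        raise ValueError(f"unsupported op {op!r} for if-src-dn")
    raise ValueError(f"unsupported condition {cond.tag}")


def conditions_match(rule, event):
    """Combine condition groups: <and> groups are ORed together, <or> groups are ANDed together."""
    groups = list(rule.find("conditions"))
    results = []
    for group in groups:
        outcomes = [eval_condition(c, event) for c in group]
        results.append(all(outcomes) if group.tag == "and" else any(outcomes))
    tags = {g.tag for g in groups}
    if tags == {"and"}:
        return any(results)
    if tags == {"or"}:
        return all(results)
    raise ValueError("condition groups must be all <and> or all <or>")


def rule_vetoes(rule_xml, event_xml):
    """True if the rule's conditions match the event and its actions contain do-veto."""
    rule = ET.fromstring(rule_xml.strip())
    event = ET.fromstring(event_xml)
    has_veto = rule.find("actions/do-veto") is not None
    return has_veto and conditions_match(rule, event)


def vetoed_events(rule_xml):
    """Names of the sample documents a rule would veto, sorted for stable comparison."""
    return sorted(name for name, doc in EVENTS.items() if rule_vetoes(rule_xml, doc))


if __name__ == "__main__":
    for label, rule in (("unscoped", RULE_UNSCOPED), ("user only", RULE_USER_ONLY), ("multi-class", RULE_MULTI_CLASS)):
        print(f"{label:12s} vetoes: {', '.join(vetoed_events(rule)) or 'nothing'}")
```

Running it shows the failure mode from the Problem section and the trade-off between the two fixes: the unscoped rule vetoes the startup stand-in along with the out-of-scope objects; the User-only rule leaves startup alone but also lets an out-of-scope Group through, because the class guard excludes it from the subtree test; the multi-class rule vetoes out-of-scope Users and Groups while still passing the startup document.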

Keep this in mind any time you use a veto, or the 'veto if operation attribute not available' action (do-veto-if-op-attr-not-available). In both cases, you can inadvertently stop the driver from loading.



© 2014 Novell