do-find-matching-object

Performs a query in the destination data store and causes the dest-dn or an <association> to be added to the current operation. It is only valid when the current operation is <add>.

Remarks

<arg-dn> is required when scope="entry" and optional otherwise.

At least one <arg-match-attr> is required when scope="subtree" or scope="subordinates". Because it is undefined what <query> does with <search-attr> when scope="entry", it is also undefined what <do-find-matching-object> does.

The generated <query> has a scope attribute based on the scope attribute of the <do-find-matching-object>. It has a dest-dn attribute set to the content of <arg-dn>, if any. It has a class-name attribute and a <search-class> based on the class-name attribute from the current object. For each <arg-match-attr> there is a <search-attr> for the same attribute, populated with either the <arg-value> content of <arg-match-attr> (if it exists) or the values available in the current operation. If no value is available, then no query is performed and the action does not find a match.

Any <instance> elements returned from the <query> are considered matches.

If the destination data store is the application, then an association is added to the current operation for each <instance> that is returned. No query is performed if the current operation already has a non-empty association, thus allowing multiple <do-find-matching-object> actions to be strung together in the same rule.

If the destination data store is eDirectory, then the dest-dn attribute for the current operation is set. No query is performed if the current operation already has a non-empty dest-dn attribute, thus allowing multiple <do-find-matching-object> actions to be strung together in the same rule. If only a single <instance> is returned and that <instance> is not already associated, then the dest-dn of the current operation is set to the src-dn of the <instance>. If only a single <instance> is returned and that <instance> is already associated, then the dest-dn of the current operation is set to the single character &#xFFFC;. If multiple <instance> elements are returned then the dest-dn of the current operation is set to the single character &#xFFFD;.

Example

<do-find-matching-object scope="subordinates">
  <arg-dn>
    <token-text>Users/</token-text>
    <token-attr name="OU"/>
  </arg-dn>
  <arg-match-attr name="CN"/>
  <arg-match-attr name="L">
    <arg-value>
      <token-text>Provo</token-text>
    </arg-value>
  </arg-match-attr>
</do-find-matching-object>
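The following Python sketch is an added example, not part of the original documentation or the product's code. It models the <query> that the Remarks describe for the Example action, and the dest-dn outcomes when the destination is eDirectory. The function names, the current-operation values (class User, CN jsmith, OU Sales), the simplified token expansion and the None result for zero matches are assumptions; the attr-name attribute and <value> children of <search-attr> follow the nds.dtd query format.

```python
import xml.etree.ElementTree as ET

ALREADY_ASSOCIATED = "\uFFFC"  # single match, but that instance is already associated
MULTIPLE_MATCHES = "\uFFFD"    # more than one <instance> returned

def expand(arg, attrs):
    """Concatenate <token-text>/<token-attr> children (only these tokens are modelled)."""
    return "".join(
        (t.text or "") if t.tag == "token-text" else (attrs.get(t.get("name")) or [""])[0]
        for t in arg if t.tag in ("token-text", "token-attr"))

def build_query(action, class_name, attrs):
    """Return the <query> the Remarks describe, or None when no query is performed."""
    query = ET.Element("query", {"scope": action.get("scope", "subtree"),
                                 "class-name": class_name})
    arg_dn = action.find("arg-dn")
    if arg_dn is not None:
        query.set("dest-dn", expand(arg_dn, attrs))
    ET.SubElement(query, "search-class", {"class-name": class_name})
    for match in action.findall("arg-match-attr"):
        name = match.get("name")
        arg_value = match.find("arg-value")
        # <arg-value> wins if present; otherwise use the operation's own values.
        values = [expand(arg_value, attrs)] if arg_value is not None else attrs.get(name, [])
        if not values:
            return None  # no value available: no query, so no match
        search = ET.SubElement(query, "search-attr", {"attr-name": name})
        for v in values:
            ET.SubElement(search, "value").text = v
    return query

def resolve_dest_dn(instances):
    """eDirectory destination: map returned (src-dn, associated) pairs to a dest-dn."""
    if not instances:
        return None  # assumption: no match leaves dest-dn unset
    if len(instances) > 1:
        return MULTIPLE_MATCHES
    src_dn, associated = instances[0]
    return ALREADY_ASSOCIATED if associated else src_dn

# Constructed input: the page's Example action and a made-up current <add> operation.
ACTION = ET.fromstring(
    '<do-find-matching-object scope="subordinates">'
    '<arg-dn><token-text>Users/</token-text><token-attr name="OU"/></arg-dn>'
    '<arg-match-attr name="CN"/><arg-match-attr name="L"><arg-value>'
    '<token-text>Provo</token-text></arg-value></arg-match-attr>'
    '</do-find-matching-object>')
SAMPLE_ATTRS = {"CN": ["jsmith"], "OU": ["Sales"]}

if __name__ == "__main__":
    print(ET.tostring(build_query(ACTION, "User", SAMPLE_ATTRS), encoding="unicode"))
```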

Allowed Content

| Element | Description |
| --- | --- |
| arg-dn | DN argument. |
| arg-match-attr | Match attribute argument. |

Attributes

| Attribute | Possible Values | Description | Default Value |
| --- | --- | --- | --- |
| disabled | true \| false | True if this element is disabled. | false |
| notrace | true \| false | True if this element should not be traced during execution of the policy. | false |
| scope | entry \| subordinates \| subtree | The scope to be searched. | subtree |

Content Rule

(( arg-dn ? , arg-match-attr + ) | ( arg-dn , arg-match-attr * ) )

Parent Elements

| Element | Description |
| --- | --- |
| actions | Actions that are performed by a <rule>. |
| arg-actions | Actions argument. |