Performs a query in the destination data store and causes the dest-dn or the <association> to be added to the current operation. It is only valid when the current operation is an <add>.
<arg-dn> is required when scope="entry" and optional otherwise.
At least one <arg-match-attr> is required when scope="subtree" or scope="subordinates". Because it is undefined what <query> does with <search-attr> when scope="entry", it is also undefined what <do-find-matching-object> does.
The generated <query> has a scope attribute based on the scope attribute of the <do-find-matching-object>. It has a dest-dn attribute set to the content of <arg-dn>, if any. It has a class-name attribute and a <search-class> based on the class-name attribute from the current object. For each <arg-match-attr> there is a <search-attr> for the same attribute, populated with either the <arg-value> content of <arg-match-attr> (if it exists) or the values available in the current operation. If no value is available, then no query is performed and the action does not find a match.
Any <instance> elements returned from the <query> are considered matches.
If the destination data store is the application, then an association is added to the current operation for each <instance> that is returned. No query is performed if the current operation already has a non-empty association, thus allowing multiple <do-find-matching-object> actions to be strung together in the same rule. If more than one <instance> is returned, then the local variable error.do-find-matching-object will be set to a node-set containing the list of src-dn's from the instances if they are available, or the list of associations if the src-dn's are not available.
If the destination data store is eDirectory, then the dest-dn attribute for the current operation is set. No query is performed if the current operation already has a non-empty dest-dn attribute, thus allowing multiple <do-find-matching-object> actions to be strung together in the same rule. If only a single <instance> is returned and that <instance> is not already associated, then the dest-dn of the current operation is set to the src-dn of the <instance> and the local variable error.do-find-matching-object is not available. If only a single <instance> is returned and that <instance> is already associated, then the dest-dn of the current operation is set to the single character  and the local variable error.do-find-matching-object is set to the src-dn from that <instance>. If multiple <instance> elements are returned then the dest-dn of the current operation is set to the single character � and the local variable error.do-find-matching-object is set to a node-set containing the src-dn's from those <instance> elements.
```xml
<do-find-matching-object scope="subordinates">
  <arg-dn>
    <token-text>Users/</token-text>
    <token-attr name="OU"/>
  </arg-dn>
  <arg-match-attr name="CN"/>
  <!-- <arg-value> is content of the <arg-match-attr> it supplies a value for -->
  <arg-match-attr name="L">
    <arg-value>
      <token-text>Provo</token-text>
    </arg-value>
  </arg-match-attr>
</do-find-matching-object>
```
| Element | Description |
|---|---|
| arg-dn | DN argument. |
| arg-match-attr | Match attribute argument. |

| Attribute | Possible Values | Default Value |
|---|---|---|
| disabled | true \| false. True if this element is disabled. | false |
| notrace | true \| false. True if this element should not be traced during execution of the policy. | false |
| scope | entry \| subordinates \| subtree. The scope to be searched. | subtree |

(( arg-dn ? , arg-match-attr + ) | ( arg-dn , arg-match-attr * ) )
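
The scope requirements and the content rule above can be checked mechanically before a policy is deployed. The following lint is an added example, not part of the product documentation; the function name `lint_find_matching` and the `<sample>` wrapper element are assumptions, and the policy fragment is constructed.

```python
import xml.etree.ElementTree as ET

SCOPES = {"entry", "subordinates", "subtree"}

def lint_find_matching(xml_text):
    """Return (index, problem) pairs for every <do-find-matching-object>."""
    problems = []
    for i, el in enumerate(ET.fromstring(xml_text).iter("do-find-matching-object")):
        scope = el.get("scope", "subtree")  # default value per the attribute table
        kids = [child.tag for child in el]
        n_dn, n_match = kids.count("arg-dn"), kids.count("arg-match-attr")
        if scope not in SCOPES:
            problems.append((i, f"unknown scope {scope!r}"))
            continue
        # Content rule: only these two children, <arg-dn> at most once and first.
        stray = [t for t in kids if t not in ("arg-dn", "arg-match-attr")]
        if stray:
            problems.append((i, f"unexpected child <{stray[0]}>"))
        if n_dn > 1 or (n_dn == 1 and kids[0] != "arg-dn"):
            problems.append((i, "<arg-dn> must occur at most once, before any <arg-match-attr>"))
        if scope == "entry":
            if n_dn == 0:
                problems.append((i, "scope=entry requires <arg-dn>"))
            if n_match:
                problems.append((i, "match attributes with scope=entry: behaviour is undefined"))
        elif n_match == 0:
            problems.append((i, f"scope={scope} requires at least one <arg-match-attr>"))
    return problems

# Constructed sample; <sample> is a hypothetical wrapper, not a DirXML element.
SAMPLE = """<sample>
  <do-find-matching-object scope="subordinates">
    <arg-dn><token-text>Users/</token-text><token-attr name="OU"/></arg-dn>
    <arg-match-attr name="CN"/>
    <arg-match-attr name="L"><arg-value><token-text>Provo</token-text></arg-value></arg-match-attr>
  </do-find-matching-object>
  <do-find-matching-object scope="entry"><arg-match-attr name="CN"/></do-find-matching-object>
  <do-find-matching-object><arg-dn><token-text>Users</token-text></arg-dn></do-find-matching-object>
  <do-find-matching-object scope="subtree">
    <arg-match-attr name="CN"/><arg-value><token-text>Provo</token-text></arg-value>
  </do-find-matching-object>
</sample>"""

if __name__ == "__main__":
    for index, problem in lint_find_matching(SAMPLE):
        print(f"action #{index}: {problem}")
```

The first action in the sample passes; the other three are flagged for a missing `<arg-dn>` with scope="entry", a missing `<arg-match-attr>` under the default scope, and an `<arg-value>` placed outside its `<arg-match-attr>`.
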

| Element | Description |
|---|---|
| | Actions that are performed by a <rule>. |
| | Actions argument. |