eDir-to-eDir driver configuration with "scope"
David Gersic
bothers me even if it may not be a problem.
I'm syncing a corporate tree with lots of servers, partitions, replicas, etc. to
a single-server, flat, meta tree. Specifically, in my main tree, I have:
O=NIU
OU=Students
OU=0
OU=1
OU=2
OU=3
OU=4
OU=5
OU=6
OU=7
OU=8
OU=9
Where OU=Students is a partition root with replicas on servers StudentNode1 and
StudentNode2 (both R/W, there are other replicas elsewere, but on servers
without DirXML installed).
Each of the OU=x containers below OU=Students is also a partition root, with M
on StudentNode(X), and R/W on StudentNode(X+1). Ie: OU=1.OU=Students.O=NIU has
the Master on StudentNode1 and Read/Write on StudentNode2. OU=2 has M on
StudentNOde2, and R/W on StudentNode3.
All StudentNodeX servers have DirXML installed with the eDir-to-eDir driver.
This is obviously a case for scopes, so that the events get handled in an
orderly manner, and only once.
My scope list is (trimmed):
StudentNode1 - handles OU=Students, OU=1
StudentNode2 - handles OU=2
etc.
The single-server meta tree is pretty simple. One server. OU=Groups.O=NIU for
all objectClass=group objects, and OU=Users.O=NIU for all objectClass=user
objects.
I have established the scope via xslt on the Event Transformation Rule on the
Publisher channel. Not being entirely sure which publisher channel (since both
trees have one), I put it on both. I believe it only needs to be on the meta
tree.
The code looks like:
<?xml version="1.0" encoding="UTF-8"?>
<xsl:transform exclude-result-prefixes="jstring" version="1.0"
xmlns:jstring="http://www.novell.com/nxsl/java/java.lang.String"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<!--
To select different containers for scoping, add/delete/modify the
<value>
elements in the body of the variable "in-scope-containers-rtf"
Note that if the container is not in the root of the tree, then the DN
(minus the tree name) of the container must be specified, e.g.,
Corporate\Executives
Note: THESE MUST BE ENTERED IN THE TABLE AS ALL UPPERCASE
-->
<xsl:variable name="in-scope-containers-rtf">
<value>NIU\STUDENTS</value>
<value>NIU\STUDENTS\1</value>
<value>NIU\STUDENTS\6</value>
</xsl:variable>
<xsl:variable name="in-scope-containers"
select="document('')/xsl:transform/xsl:variable[@name='in-scope-containers-rtf']/value"/>
<!--
"identity" transformation - copies unchanged everything not explicitly
matched by other templates
-->
<xsl:template match="node()|@*">
<xsl:copy>
<xsl:apply-templates select="@*|node()"/>
</xsl:copy>
</xsl:template>
<!-- throw away events that are out of scope -->
<xsl:template match="input/*[@src-dn]">
<xsl:variable name="in-scope">
<xsl:call-template name="in-scope"/>
</xsl:variable>
<xsl:choose>
<xsl:when test="$in-scope = '1'">
<xsl:copy>
<xsl:apply-templates select="@*|node()"/>
</xsl:copy>
</xsl:when>
<xsl:otherwise>
<xsl:message>
<status level="warning">Operation vetoed by Event Transformation
Rule - out of scope</status>
</xsl:message>
</xsl:otherwise>
</xsl:choose>
</xsl:template>
<!--
check to see if an object is in the scope defined by the variable
"in-scope-containers"
-->
<xsl:template name="in-scope">
<xsl:param name="scope-value"/>
<!-- validate that the container is in scope -->
<xsl:variable name="src-dn"
select="substring-after(substring-after(@src-dn,'\'),'\')"/>
<xsl:variable name="src-dn-i"
select="jstring:lastIndexOf($src-dn,'\')"/>
<xsl:if test="$src-dn-i != -1">
<xsl:variable name="src-dn-container"
select="jstring:substring($src-dn, 0, $src-dn-i)"/>
<!--
the following test takes advantage of the XPath existential
quantification semantics: basically, if one node in the node-set has
a string value that matches the string, then the statement is true
-->
<xsl:if test="jstring:toUpperCase($src-dn-container) =
$in-scope-containers">
<xsl:value-of select="'1'"/>
</xsl:if>
</xsl:if>
</xsl:template>
</xsl:transform>
I think this is working. I created a Group in the corp tree
(.Test-Dxml-1.Students.NIU). Watching in DSTrace, I can see it get picked up by
the drivers on StudentNode1 and StudentNode2. Both submit the event over to the
driver on the server for the meta tree. The meta tree shows the event being
processed for one of them, and the "out of scope" message for the other.
Problems:
1) Despite all that, when I look at the DirXML tab on the group in the main
tree, I see two associations. One for StudentNode1 ("Processed"), and one for
StudentNode2 ("Pending"). I don't know if this is a problem, but having several
pending associations for each object in this tree is going to be a *LOT* of
pending associations. It seems like it would be better if I only had the
"Processed" one, and not the "Pending" one.
Am I missing something in the xslt code here that should be keeping that from
happening? Or, is there a way to remove the pending association so that it
doesn't hang around forever?
2) When I delete the test object from the main tree, I again see both servers
pick up the event and sync it over to the meta tree. The meta tree deletes the
object ok, but then sends that event to both StudentNode1 and StudentNode2. The
delete event sent to StudentNode2 has <association state="pending"> in it,
which is then followed by "operation vetoed on unassociated object". This looks
like it's related to #1, so that if I didn't have that dangling pending
association, I probably wouldn't see this attempt to delete the unassociated
object either.
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
I'm tired of receiving rubbish in my mailbox, so the E-mail address is
munged to foil the junkmail bots. Humans will figure it out on their own.
Father Ramon
the corporate tree will both get rid of the pending associations and the
extra traffic of sending the add across to the meta tree where it will
be deleted.
"Operation vetoed on unassociated object" will happen even if there is
no association, but having your scope filter on the subsriber channel
should also cause the deletes to be blocked because of scope before they
can be vetoed because they are unassociated.
--
Father Ramon
The Patron(izing) Saint of DirXML
David Gersic
>Putting your scope filter on the Subscriber channel of the drivers in
>the corporate tree will both get rid of the pending associations and the
>extra traffic of sending the add across to the meta tree where it will
>be deleted.
Ah. Yes, thanks, that did solve that problem. And introduced a new one. Now I'm
seeing the meta tree submit the event to all drivers it knows about, one of
which is the driver running on Node2, which then tries to process it. It can't,
so I end up with a "Pending" on the object in the meta tree.
Node1 in the corp gets the initial create event. The driver on Node1 submits it
to the meta tree. The server in the meta tree gets the event, sends it to the
driver on Node2 in the corp tree. Node2 fails to complete due to not being able
to handle the create event correctly, so the association in the meta tree goes
"Pending".
I'm trying to find a way to scope this out of my life, but I can't quite get it.
The scope filter for the corp->meta tree is simple enough, based on parsing the
src-dn of the object. But coming back in from meta->corp, the src-dn of the
original object is no longer available.
Is there an easy way to stop this that I'm not seeing?
I thought of having the corp->meta event processing add an attribute to the
object to denote what driver it came from, then using that on the meta->corp
event to filter out the other drivers that shouldn't process it. I think that
will work, but haven't figured out how to do it.
Father Ramon
in the meta tree that strips out events if their is not already an
association for that driver on that object. That is assuming that all
users originate in the corp tree.
Your idea about adding an attribute to determine which driver should
handle it would work as well, but the association is already there so
you might as well use it.
--
Father Ramon
The Patron(izing) Saint of DirXML
David Gersic
>You could add a subscriber event transformation on each of the drivers
>in the meta tree that strips out events if their is not already an
>association for that driver on that object. That is assuming that all
>users originate in the corp tree.
For now, yes, all users originate in the corp tree. I'll go this way, I guess,
for the moment.
Later, when we start working on the PeopleSoft driver, I have to flip the logic
around and all users will originate in the meta tree. At that point, I think
I'll have to go with the attribute to specify the driver (adding it via the
PeopleSoft driver publisher channel as the user object is created) so that the
create event isn't sent to dozens of drivers that don't need it.
I have to work out placement in the meta->corp tree for the PeopleSoft driver
setup anyway, so I think I can add the driver specification logic to that pretty
easily. Maybe. Or at least no harder than the placement logic.
It really seems like there ought to be an easier way to handle this. I'd like to
see a "Scope" object in the chain, similar to the current Publisher/Subscriber
Filter. This new "Scope Filter" would specify the parts of the tree (container,
or sub-tree) that this particular driver is interested in. Probably won't
happen, but I'll go put the enhancement request in anyway.
Thanks, Father. Off to figure out how to strip events that don't have the
association...
Father Ramon
Manager 2.
--
Father Ramon
The Patron(izing) Saint of DirXML
David Gersic
>Your idea about adding an attribute to determine which driver should
>handle it would work as well
Yes, it does. I just finished coding and testing it.
The corp tree subscriber channel now has a Create rule to specify the default
value for my new attribute (niuDriverScope). The meta tree has niuDriverScope
defined as part of an AuxClass as a C_I_String. The default value added is
simply the name of the driver.
The meta tree gained a Event Transform on the subscriber channel that checks the
value of the niuDriverScope attribute and either passes or drops the event
depending on the value found.
Seems to work fine. Thanks!
One last question: In a previous message (http://tinyurl.com/3f3tz), you
mentioned needing to have a similar or same rule on the Create rule, so that any
modify that synths an add will be correctly handled. I don't think that applies
here. Or does it?
Father Ramon
transformation rule. If it handles <add>, <modify>, and <sync> and
doesn't depend on the attribute being in the operation itself for
<modify> and <sync> then that is all that should be needed. The previous
comment was probably because the rule that was under discussion only
handled add events and didn't account for the fact that add commands can
be the result of other events.
--
Father Ramon
The Patron(izing) Saint of DirXML
David Gersic
>Scope filtering is very easy using Policy Builder in Nsure Identity
>Manager 2.
Is it? That's good news. I wish I had time to look at it. Too busy getting the
1.1a stuff rolled out here. I hope to get back to the development and testing
side in March or April and will give the new Nsure stuff a look then.
David Gersic
>It may or may not apply, depending on what your are doing in your event
>transformation rule. If it handles <add>, <modify>, and <sync> and
>doesn't depend on the attribute being in the operation itself for
><modify> and <sync> then that is all that should be needed.
Ok, thanks. I think I'm covered then.
David Gersic
>Your idea about adding an attribute to determine which driver should
>handle it would work as well, but the association is already there so
>you might as well use it.
Well, I thought I had it. I'm close, but still not there. Create events work
perfectly, but modify isn't working. Via Google, I think I know why, but am I on
the right track here?
To recap, I have:
Ou=Students
OU=0
OU=1
OU=2
OU=3
OU=4
OU=5
OU=6
OU=7
OU=8
OU=9
Each of these containers is a partition root. Replica placement is such that
server StudentNode1 is scoped for Ou=Students and OU=1, StudentNode2 is scoped
for OU=2, StudentNode3 is scoped for OU=3, etc.. Group objects are all in
OU=Students. User objects are in the OU=#.OU=Students containers. The scope code
looks like:
Subscriber -> Event Transformation on the corp tree (StudentNode1):
---------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<xsl:transform exclude-result-prefixes="jstring" version="1.0"
xmlns:jstring="http://www.novell.com/nxsl/java/java.lang.String"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<!--
To select different containers for scoping, add/delete/modify the <value>
elements in the body of the variable "in-scope-containers-rtf"
Note that if the container is not in the root of the tree, then the DN
(minus the tree name) of the container must be specified, e.g.,
Corporate\Executives
Note: THESE MUST BE ENTERED IN THE TABLE AS ALL UPPERCASE
-->
<xsl:variable name="in-scope-containers-rtf">
<value>NIU\STUDENTS</value>
<value>NIU\STUDENTS\1</value>
<value>NIU\STUDENTS\6</value>
</xsl:variable>
<xsl:variable name="in-scope-containers"
select="document('')/xsl:transform/xsl:variable[@name='in-scope-containers-rtf']/value"/>
<!--
"identity" transformation - copies unchanged everything not explicitly
matched by other templates
-->
<xsl:template match="node()|@*">
<xsl:copy>
<xsl:apply-templates select="@*|node()"/>
</xsl:copy>
</xsl:template>
<!-- throw away events that are out of scope -->
<xsl:template match="input/*[@src-dn]">
<xsl:variable name="in-scope">
<xsl:call-template name="in-scope"/>
</xsl:variable>
<xsl:choose>
<xsl:when test="$in-scope = '1'">
<xsl:copy>
<xsl:apply-templates
select="@*|node()"/>
</xsl:copy>
</xsl:when>
<xsl:otherwise>
<xsl:message>
<status level="warning">Operation vetoed
by Event Transformation Rule - out of scope</status>
</xsl:message>
</xsl:otherwise>
</xsl:choose>
</xsl:template>
<!--
check to see if an object is in the scope defined by the variable
"in-scope-containers"
-->
<xsl:template name="in-scope">
<xsl:param name="scope-value"/>
<!-- validate that the container is in scope -->
<xsl:variable name="src-dn"
select="substring-after(substring-after(@src-dn,'\'),'\')"/>
<xsl:variable name="src-dn-i"
select="jstring:lastIndexOf($src-dn,'\')"/>
<xsl:if test="$src-dn-i != -1">
<xsl:variable name="src-dn-container"
select="jstring:substring($src-dn, 0, $src-dn-i)"/>
<!--
the following test takes advantage of the XPath existential
quantification semantics: basically, if one node in the node-set has
a string value that matches the string, then the statement is true
-->
<xsl:if test="jstring:toUpperCase($src-dn-container) =
$in-scope-containers">
<xsl:value-of select="'1'"/>
</xsl:if>
</xsl:if>
</xsl:template>
</xsl:transform>
---------------------------------------------------------------------------------------
Subscriber -> Event Transformation on the Flat tree:
---------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<xsl:transform exclude-result-prefixes="jstring" version="1.0"
xmlns:jstring="http://www.novell.com/nxsl/java/java.lang.String"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:variable name="scopelist-rtf">
<value><![CDATA[eDirDriver-StudentNode1]]></value>
</xsl:variable>
<xsl:variable name="scopelist"
select="document('')/xsl:transform/xsl:variable[@name='scopelist-rtf']/value"/>
<xsl:template match="add|delete|rename|move|modify">
<xsl:choose>
<xsl:when test="$scopelist=string(add-attr[@attr-name =
'niuDriverScope']/value)">
<xsl:copy>
<xsl:apply-templates select="@*|node()"/>
</xsl:copy>
</xsl:when>
<xsl:otherwise>
<xsl:message>
<status level="warning">Operation vetoed by Event Transformation Rule - out
of driver scope</status>
</xsl:message>
</xsl:otherwise>
</xsl:choose>
</xsl:template>
<xsl:template match="@*|node()">
<xsl:copy>
<xsl:apply-templates select="@*|node()"/>
</xsl:copy>
</xsl:template>
</xsl:transform>
---------------------------------------------------------------------------------------
The corp tree is authoritative, and all changes are being made in this tree. It
is being synced with a flat tree, with all Users in OU=Users and all Groups in
OU=Groups. I have the Create rule in the Subscriber channel of the corp tree
drivers tacking on the appropriate niuDriverScope value via a required attribute
with default value.
Create events work fine for both User and Group objects. Associations look good
in both trees after the event processing is complete. No stray "pending" states.
Putting a User in to a Group, however, only works for Users in OU=1, since only
StudentNode1 is able to work with the User and Group objects by the association.
Users in OU=2, etc. cannot be added to a group. I'm getting this in the trace
(adding user Z900002 to group TEST-DXML-3):
Trace from StudentNode1:
---------------------------------------------------------------------------------------
TRACE: Start transaction
TRACE: submitEvent requested
TRACE: event for attr: Description
TRACE: created a DOM node for event
TRACE: submitEvent requested
TRACE: event for attr: Description
TRACE: created a DOM node for event
TRACE: submitEvent requested
TRACE: event for attr: Member
TRACE: created a DOM node for event
TRACE: Processing events for transaction
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="Group"
src-dn="\NIU\NIU\Students\TEST-DXML-3" src-entry-id="329294"
timestamp="1075757551#6">
<association
state="associated">{00BDD6AC-4653-d811-B79D-000BCD0DA5E1}</association>
<modify-attr attr-name="Member">
<add-value>
<value timestamp="1075757550#1"
type="dn">\NIU\NIU\Students\2\Z900002</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
TRACE: Applying event transformation rule
TRACE: Applying stylesheet based rule.
TRACE: Rule stylesheet returned:
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="Group"
src-dn="\NIU\NIU\Students\TEST-DXML-3" src-entry-id="329294"
timestamp="1075757551#6">
<association
state="associated">{00BDD6AC-4653-d811-B79D-000BCD0DA5E1}</association>
<modify-attr attr-name="Member">
<add-value>
<value timestamp="1075757550#1"
type="dn">\NIU\NIU\Students\2\Z900002</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
TRACE: Subscriber processing modify for \NIU\NIU\Students\TEST-DXML-3
TRACE: Re-reading associations in case they changed since this event was queued
TRACE: Applying output transformations
TRACE: Fixing up associations references
DirXML Log Event -------------------
Driver = \NIU\NIU\DirXML\DS1\eDirDriver-StudentNode1
Channel = subscriber
Object = \NIU\NIU\Students\TEST-DXML-3
Status = warning
Message = Unable to synchronize reference to \NIU\NIU\Students\2\Z900002
from attribute Member
TRACE: No mapping rule, skipping
TRACE: No output stylesheet, skipping
TRACE: Submitting document to subscriber shim
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="Group" event-id="0"
src-dn="\NIU\NIU\Students\TEST-DXML-3" src-entry-id="329294"
timestamp="1075757551#6">
<association
state="associated">{00BDD6AC-4653-d811-B79D-000BCD0DA5E1}</association>
<modify-attr attr-name="Member">
<add-value>
<value timestamp="1075757550#1"
type="dn">\NIU\NIU\Students\2\Z900002</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode1: Reusing connection.
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode1: Sending...
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode1: XML Document:
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="Group" event-id="0"
src-dn="\NIU\NIU\Students\TEST-DXML-3" src-entry-id="329294"
timestamp="1075757551#6">
<association
state="associated">{00BDD6AC-4653-d811-B79D-000BCD0DA5E1}</association>
<modify-attr attr-name="Member">
<add-value>
<value timestamp="1075757550#1"
type="dn">\NIU\NIU\Students\2\Z900002</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode1: Document sent.
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode1: Waiting for receive...
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode1: Receiving...
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode1: Received.
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode1: XML Document:
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="0" level="success"/>
</output>
</nds>
TRACE: SubscriptionShim.execute() returned:
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="0" level="success"/>
</output>
</nds>
TRACE: Applying input transformations
TRACE: No input stylesheet, skipping
TRACE: No mapping rule, skipping
TRACE: Resolving association references
TRACE:
TRACE: Handling returned document
TRACE: Handling operation, op: status for:
DirXML Log Event -------------------
Driver = \NIU\NIU\DirXML\DS1\eDirDriver-StudentNode1
Channel = subscriber
Object = \NIU\NIU\Students\TEST-DXML-3
Status = success
TRACE: End transaction
TRACE: Commit transaction requested
---------------------------------------------------------------------------------------
This sorta makes sense, since StudentNode1 does not have a replica of the
Z900002.2.Students.NIU User object. I think that's all it is complaining about,
which would be fine, since StudentNode2 can handle the changes to the Z900002
user object. However...
Trace from StudentNode2:
---------------------------------------------------------------------------------------
TRACE: Start transaction
TRACE: submitEvent requested
TRACE: event for attr: Description
TRACE: created a DOM node for event
TRACE: submitEvent requested
TRACE: event for attr: Description
TRACE: created a DOM node for event
TRACE: submitEvent requested
TRACE: event for attr: Member
TRACE: created a DOM node for event
TRACE: Processing events for transaction
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="Group"
src-dn="\NIU\NIU\Students\TEST-DXML-3" src-entry-id="343674"
timestamp="1075757550#1">
<modify-attr attr-name="Member">
<add-value>
<value timestamp="1075757550#1"
type="dn">\NIU\NIU\Students\2\Z900002</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
TRACE: Applying event transformation rule
TRACE: Applying stylesheet based rule.
xsl:message
<status level="warning">Operation vetoed by Event Transformation Rule - out of
scope</status>
DirXML Log Event -------------------
Driver = \NIU\NIU\DirXML\DS2\eDirDriver-StudentNode2
Channel = subscriber
Status = warning
Message = Operation vetoed by Event Transformation Rule - out of scope
TRACE: Rule stylesheet returned:
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
TRACE: End transaction
[-snip some other lines not needed to save space-]
TRACE: Start transaction
TRACE: submitEvent requested
TRACE: event for attr: Security Equals
TRACE: created a DOM node for event
TRACE: submitEvent requested
TRACE: event for attr: Group Membership
TRACE: created a DOM node for event
TRACE: Processing events for transaction
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User" src-dn="\NIU\NIU\Students\2\Z900002"
src-entry-id="344095" timestamp="1075757551#2">
<association
state="associated">{0039E3A0-9A55-d811-B79D-000BCD0DA5E1}</association>
<modify-attr attr-name="Security Equals">
<add-value>
<value timestamp="1075757551#2"
type="dn">\NIU\NIU\Students\TEST-DXML-3</value>
</add-value>
</modify-attr>
<modify-attr attr-name="Group Membership">
<add-value>
<value timestamp="1075757551#1"
type="dn">\NIU\NIU\Students\TEST-DXML-3</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
TRACE: Applying event transformation rule
TRACE: Applying stylesheet based rule.
TRACE: Rule stylesheet returned:
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User" src-dn="\NIU\NIU\Students\2\Z900002"
src-entry-id="344095" timestamp="1075757551#2">
<association
state="associated">{0039E3A0-9A55-d811-B79D-000BCD0DA5E1}</association>
<modify-attr attr-name="Security Equals">
<add-value>
<value timestamp="1075757551#2"
type="dn">\NIU\NIU\Students\TEST-DXML-3</value>
</add-value>
</modify-attr>
<modify-attr attr-name="Group Membership">
<add-value>
<value timestamp="1075757551#1"
type="dn">\NIU\NIU\Students\TEST-DXML-3</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
TRACE: Subscriber processing modify for \NIU\NIU\Students\2\Z900002
TRACE: Re-reading associations in case they changed since this event was queued
TRACE: Applying output transformations
TRACE: Fixing up associations references
DirXML Log Event -------------------
Driver = \NIU\NIU\DirXML\DS2\eDirDriver-StudentNode2
Channel = subscriber
Object = \NIU\NIU\Students\2\Z900002
Status = warning
Message = Unable to synchronize reference to \NIU\NIU\Students\TEST-DXML-3
from attribute Security Equals
DirXML Log Event -------------------
Driver = \NIU\NIU\DirXML\DS2\eDirDriver-StudentNode2
Channel = subscriber
Object = \NIU\NIU\Students\2\Z900002
Status = warning
Message = Unable to synchronize reference to \NIU\NIU\Students\TEST-DXML-3
from attribute Group Membership
TRACE: No mapping rule, skipping
TRACE: No output stylesheet, skipping
TRACE: Submitting document to subscriber shim
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User" event-id="0"
src-dn="\NIU\NIU\Students\2\Z900002" src-entry-id="344095"
timestamp="1075757551#2">
<association
state="associated">{0039E3A0-9A55-d811-B79D-000BCD0DA5E1}</association>
<modify-attr attr-name="Security Equals">
<add-value>
<value timestamp="1075757551#2"
type="dn">\NIU\NIU\Students\TEST-DXML-3</value>
</add-value>
</modify-attr>
<modify-attr attr-name="Group Membership">
<add-value>
<value timestamp="1075757551#1"
type="dn">\NIU\NIU\Students\TEST-DXML-3</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode2: Reusing connection.
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode2: Sending...
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode2: XML Document:
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User" event-id="0"
src-dn="\NIU\NIU\Students\2\Z900002" src-entry-id="344095"
timestamp="1075757551#2">
<association
state="associated">{0039E3A0-9A55-d811-B79D-000BCD0DA5E1}</association>
<modify-attr attr-name="Security Equals">
<add-value>
<value timestamp="1075757551#2"
type="dn">\NIU\NIU\Students\TEST-DXML-3</value>
</add-value>
</modify-attr>
<modify-attr attr-name="Group Membership">
<add-value>
<value timestamp="1075757551#1"
type="dn">\NIU\NIU\Students\TEST-DXML-3</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode2: Document sent.
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode2: Waiting for receive...
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode2: Receiving...
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode2: Received.
TRACE: NdsToNds Subscriber - eDirDriver-StudentNode2: XML Document:
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="0" level="success"/>
</output>
</nds>
TRACE: SubscriptionShim.execute() returned:
TRACE:
<nds dtdversion="1.1" ndsversion="8.6">
<source>
<product version="1.1a">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="0" level="success"/>
</output>
</nds>
TRACE: Applying input transformations
TRACE: No input stylesheet, skipping
TRACE: No mapping rule, skipping
TRACE: Resolving association references
TRACE:
TRACE: Handling returned document
TRACE: Handling operation, op: status for:
DirXML Log Event -------------------
Driver = \NIU\NIU\DirXML\DS2\eDirDriver-StudentNode2
Channel = subscriber
Object = \NIU\NIU\Students\2\Z900002
Status = success
TRACE: End transaction
TRACE: Commit transaction requested
---------------------------------------------------------------------------------------
StudentNode2 can't figure out what to do with this either. Now, despite the
"success" returns, the status messages in there seem to be indicating that the
problem is that the drivers want the association to pass along, but cannot
figure it out. StudentNode2 does have a local R/W replica of OU=Students, so
it's not a matter of replica placement.
I found a reference to this being a problem with "dn" being passed without an
"assocation-ref". That seems to describe the documents being shown in the trace
and seems likely to be the problem. The message I found (from you, BTW, Father
Ramon, in http://tinyurl.com/ywvaq), says that changing the type attribute from
"dn" to "string" will take care of this.
Ideally, it seems to me that both StudentNode1 and StudentNode2 need to handle
this change, since it involves changing the Group (StudentNode1) and User
(StudentNode2) objects. It seems like the drivers are attempting not to make one
change without the other, leading to neither one of them being made.
Finally, on to the questions:
1) Am I headed the right direction here with converting the "dn" to a "string"
so that both drivers will make 1/2 of the changes necessary to add a user to a
group?
2) If #1 is correct, can I do this on the Command Transformation of the
subscriber channel in the corp tree? Or should it be elsewhere?
3) A sample of how to do #2 would be helpful...