Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Identity Manager Documentation Web site (http://www.novell.com/documentation/idm36/).
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
DTD Overview
This guide is a reference for the Identity Manager document type definitions (DTD). There are separate DTDs for different components of Identity Manager:
  “Filter DTD” on page 15
  “NDS DTD” on page 23
  “Map DTD” on page 161
  “DirXML Script DTD”...
Filter DTD
An Identity Manager filter is primarily for controlling which object classes are synchronized and which attributes are synchronized for those object classes. Additionally, other behaviors of those classes and attributes within Identity Manager are controlled through the filter. An Identity Manager filter consists of a top level <filter>...
filter
Consists of a set of <filter-class> elements that describe the object classes used by a particular instance of an Identity Manager driver.
Example
  <filter>
    <filter-class class-name="User" subscriber="sync" publisher="sync">
      <filter-attr attr-name="CN" subscriber="sync" publisher="ignore" merge-authority="none"/>
      <filter-attr attr-name="Surname" subscriber="sync"/>
      <filter-attr attr-name="Given name" subscriber="sync"/>...
filter-attr
Describes an attribute of the enclosing <filter-class> that is used by a particular instance of an Identity Manager driver. The attr-name attribute specifies the name of an attribute in eDirectory. The publisher and subscriber attributes control whether this attribute is synchronized on the respective channels according to the following table.
Value: default
Behavior:
  1. If an attribute is not being synchronized in either channel, then no merging occurs.
  2. If an attribute is being synchronized in one channel and not the other, then all existing values on the destination for that channel are removed and replaced with the values from the source for that channel.
Valid: Always
Attributes
  attr-name (CDATA, #REQUIRED): Name of the attribute.
  merge-authority (default | edir | app | none; default: default): Flag that controls how this attribute is merged.
  publisher (ignore | notify | sync | reset; default: ignore): Flag that controls Publisher channel synchronization.
filter-class
Describes an object class that is used by a particular instance of an Identity Manager driver. The class-name attribute specifies the name of an effective (that is, structural or base) class in eDirectory and only applies to objects that have that particular base class.
Remarks
The publisher and subscriber attributes control whether this class is synchronized on the respective channels.
Attributes
  publisher-create-homedir (true | false; default: true): Flag that controls automatic creation of home directories.
  publisher-track-template-member (true | false; default: false): Flag that controls the tracking of objects.
  subscriber (ignore | sync; default: ignore): Flag that controls Subscriber channel synchronization.
Content Rule
  filter-attr
Parent Elements...
NDS DTD
The NDS document type definition file (nds.dtd) defines the schema of the XML documents that the Identity Manager engine can process. XML documents that do not conform to this schema generate errors. The nds.dtd file defines the following:
  Input and output commands and events (such as add, delete, modify, and rename) that can be performed on entries and the data that must be included with each.
Element: Description
  association: Unique key of the application object.
  attr: Current state of an attribute.
  attr-def: Schema attribute definition.
  attr-name: Maps an attribute name.
  attr-name-map: Top-level element for Schema Mapping policies.
  authentication-info: Information for connecting and authenticating to the application.
  check-object-password: Checks the password against an eDirectory object.
Element: Description
  input: Input events or commands.
  instance: Current state of an instance of an object.
  match-attr: Matches an attribute. Deprecated as of Identity Manager 2.0.
  match-class: Matches a class name. Deprecated as of Identity Manager 2.0.
  match-path: Matches a path. Deprecated as of Identity Manager 2.0.
Element: Description
  query-ex: Query command with a result count limit.
  query-schema: Query schema command.
  query-token: Opaque handle for query-ex commands.
  read-attr: Returns specified object attribute values.
  read-parent: Returns the object parent container.
  remove-all-values: Removes all attribute values.
  remove-association: Removes an association.
  remove-value: Removes specified attribute values.
add
Used as an event notification from the PublicationShim to Identity Manager when an object is added in the application. When it is used as a notification, an <association> is required. It is also used as a command from Identity Manager to the SubscriptionShim to add an object in the application.
Remarks
<add>...
Attributes
  class-name (CDATA, #REQUIRED): The name of the base class of the object. The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application...
  src-entry-id (CDATA, #IMPLIED): The entry ID of the source object that generated the event in the namespace of the sender. Should be copied to the dest-entry-id attribute of the resulting <add-association> for commands.
  template-dn (CDATA, #IMPLIED): The distinguished name of a template in the receiver's...
add-association
Used to return the unique key of an object added as the result of an <add> command.
Example
  <add-association dest-dn="\Users\Samuel" dest-entry-id="33974">
    {BC3E7155-CDF9-d311-9846-0008C76B16C2}
  </add-association>
Allowed Content
  #PCDATA
  operation-data: Operation adds additional custom data.
Attributes
  dest-dn (CDATA, #REQUIRED)...
Parent Elements
  input: Input events or commands.
  output: Results of events or commands.
add-attr
Used to specify the attribute values for an <add> operation or event. Each <add-attr> should contain at least one <value>.
Example
  See <add>.
Allowed Content
  value: The attribute value.
Attributes
  attr-name (CDATA, #REQUIRED): The name of the attribute.
Parent Elements
  add: Adds an object when an add event occurs.
add-value
Used to specify values added to the attribute specified in the enclosing <modify-attr>. A driver should gracefully ignore an <add-value> for a value that already exists and continue to process the remainder of the enclosing <modify>.
Example
  See <modify>.
Allowed Content...
allow-attr
Used to specify attributes that are allowed in the event filter for the class specified in the enclosing <allow-class>.
Example
  See <init-params>.
Allowed Content
  EMPTY
Attributes
  attr-name (CDATA, #REQUIRED): The name of the attribute. The name is mapped between the application and eDirectory namespaces by the...
Parent Elements
  allow-class: Allows a class in the filter.
Identity Manager 3.6 DTD Reference...
allow-class
Used to specify classes that are allowed in the event filter specified by the enclosing <driver-filter>.
Example
  See <init-params>.
Allowed Content
  allow-attr: Allows an attribute in the filter.
Attributes
  class-name (CDATA, #REQUIRED): The name of the base class of the object.
app-name
Used to specify a class or attribute name in the application namespace.
Example
  See <attr-name-map>.
Allowed Content
  #PCDATA
Attributes
  None
Content Rule
  ( #PCDATA )
Parent Elements
  attr-name: Maps an attribute name.
  class-name: Maps a class name.
association
Used to specify the unique key of an application object that is the source of an event notification from the PublicationShim to Identity Manager, the target of a command sent from Identity Manager to the SubscriptionShim, or the base object of a <query> sent to the SubscriptionShim.
Example
  <association state="associated">...
  parent: The parent container of an object.
  query: Query command.
  query-ex: Query command with a result count limit.
  rename: Renames an object when a rename event occurs.
  sync: Resynchronization or migrate event.
attr
Used to specify the attribute values for the object specified by the enclosing <instance>. Each <attr> should contain at least one <value>.
Example
  See <instance>.
Allowed Content
  value: The attribute value.
Attributes
  attr-name (CDATA, #REQUIRED)...
attr-def
Used to specify a schema attribute for the class specified by the enclosing <class-def>.
Example
  See <schema-def>.
Allowed Content
  EMPTY
Attributes
  asn1id (CDATA, #IMPLIED): The ASN.1 Object ID of the attribute.
  attr-name (CDATA, #REQUIRED): The name of the attribute.
  type (string | teleNumber | int | state | counter | dn | interval | octet | time | structured; default: string): The data type of the attribute.
Content Declaration
  Empty
Parent Elements
  class-def: Schema class definition.
attr-name
Used to specify a mapping between an attribute name in the eDirectory namespace and the application namespace.
Example
  See <attr-name-map>.
Allowed Content
  nds-name: Name in the eDirectory namespace. The names specified must be unique for the given class.
  app-name: Name in the application namespace.
attr-name-map
The top-level (document) element for Schema Mapping policies. Schema Mapping policies are stored in the DirXML-XmlData attribute of a DirXML-Rule object that is pointed to by the DirXML-MappingRule attribute of a DirXML-Driver object.
Remarks
<attr-name-map> contains <attr-name> and <class-name> elements that specify a one-to-one mapping between class and attribute names in eDirectory and the application namespace.
  class-name: Maps a class name.
Attributes
  None
Content Rule
  ( attr-name | class-name ) *
Parent Elements
  None
authentication-info
Used to specify the parameters needed for the driver to connect to and authenticate to an application server.
Example
  See <init-params>.
Allowed Content
  server: The authentication server.
  user: The authentication username.
  password: The authentication password.
Attributes
  None
Content Rule
  ( server ? , user ? , password ? )
Parent Elements...
check-object-password
Used to validate a password against an eDirectory object. A <status> result is returned indicating success or failure.
Remarks
An <association> element, a dest-dn attribute, or a dest-entry-id attribute is used to specify the eDirectory object against which the password is to be checked. If the eDirectory object's Login Disabled attribute is set to true, then the <status>...
Content Rule
  ( association ? , password , operation-data ? )
Parent Elements
  input: Input events or commands.
check-password
Used to validate a password against the eDirectory driver object. A <status> result is returned indicating success or failure.
Example
  <check-password>abdc1234</check-password>
Allowed Content
  #PCDATA
  operation-data: The operation adds additional custom data.
Attributes
  None
Content Rule
  ( #PCDATA | operation-data ) *
Parent Elements...
class-def
Used to specify a schema class for the enclosing <schema-def>.
Example
  See <schema-def>.
Allowed Content
  attr-def: Schema attribute definition.
Attributes
  asn1id (CDATA, #IMPLIED): The ASN.1 Object ID of the class.
  class-name (CDATA, #REQUIRED): The name of the schema class.
class-name
Used to specify a mapping between a class name in the eDirectory namespace and the application namespace.
Example
  See <attr-name-map>.
Allowed Content
  nds-name: Name in the eDirectory namespace. The names specified must be unique to this <class-name>.
  app-name: Name in the application namespace.
component
Used to specify an individual field of the enclosing <value> if the data type of the value is structured.
Example
  See <value>.
Allowed Content
  #PCDATA
Attributes
  association-ref (CDATA, #IMPLIED): The association value (application object unique key) of the object being referenced by this component.
config-object
Used to specify objects and attributes where additional configuration information is obtained.
Remarks
During driver startup, the contained <query> is processed and the resulting <instance> element replaces the <config-object> in the <init-params> passed to the DriverShim.init(), SubscriptionShim.init(), and PublicationShim.init() methods.
Example
  See <init-params>.
contact
Used to specify the point of contact for the creator of the enclosing document.
Example
  See <nds>.
Allowed Content
  #PCDATA
Attributes
  None
Content Rule
  #PCDATA
Parent Elements
  source: The source or creator of the document.
copy-attr
Deprecated as of Identity Manager 2.0. Use DirXMLScript <token-op-attr> instead.
Remarks
<copy-attr> is used as a token to specify a string replacement in the distinguished name generated by the enclosing <placement>. The replacement string is generated by copying the first value for the attribute specified by attr-name from the <add>...
Parent Elements
  placement: Object placement specifier. Deprecated as of Identity Manager 2.0.
copy-name
Deprecated as of Identity Manager 2.0. Use DirXMLScript <token-src-dn> instead.
Remarks
<copy-name> is used as a token to specify a string replacement in the distinguished name generated by the enclosing <placement>. The replacement string is generated by copying the unqualified portion of the leaf-most component of the src-dn attribute from the <add>...
copy-path
Deprecated as of Identity Manager 2.0. Use DirXMLScript <token-src-dn> instead.
Remarks
<copy-path> is used as a token to specify a string replacement in the distinguished name generated by the enclosing <placement>. The replacement string is generated by copying the src-dn attribute from the <add> event that is being processed.
copy-path-suffix
Deprecated as of Identity Manager 2.0. Use DirXMLScript <token-unmatched-src-dn> instead.
Remarks
<copy-path-suffix> is used as a token to specify a string replacement in the distinguished name generated by the enclosing <placement>. The replacement string is generated by copying the src-dn attribute from the <add> event that is being processed, and then stripping away the portion of the src-dn matched by a <match-path>...
create-rule
Deprecated as of Identity Manager 2.0. Use DirXMLScript <rule> instead.
Remarks
<create-rule> is used to specify the criteria for creating a new object as a result of an <add> event. When a <create-rule> is evaluated, it first checks whether or not this is a suitable rule for the <add> event in question.
  description (CDATA, #IMPLIED): Description of this rule, primarily for use in ConsoleOne.
Content Rule
  ( match-attr * , required-attr * , template ? )
Parent Elements
  create-rules: Top-level element for object creation rules. Deprecated as of Identity Manager 2.0.
create-rules
Deprecated as of Identity Manager 2.0. Use DirXMLScript <policy> instead.
Remarks
<create-rules> is the top-level (document) element for object creation rules. Object creation rules are stored in the DirXML-XmlData attribute of a DirXML-Rule object that is pointed to by the DirXML-CreateRule attribute of a DirXML-Subscriber or DirXML-Publisher object.
Allowed Content
  create-rule: Object creation rule. Deprecated as of Identity Manager 2.0.
Attributes
  None
Content Rule
  ( create-rule ) *
Parent Elements
  None
delete
Used as an event notification from the PublicationShim to Identity Manager when an object is deleted in the application. When used as a notification, an <association> is required. Also used as a command from Identity Manager to the SubscriptionShim to delete an object in the application. When used as a command, an <association>...
  dest-entry-id (CDATA, #IMPLIED): The entry ID of the target object in the namespace of the receiver. Should be left empty for event notifications.
  event-id (CDATA, #IMPLIED): An identifier used to tag the results of an event or command.
  qualified-src-dn (CDATA, #IMPLIED)...
driver-filter
Used to specify the event filter that is being used by a particular channel. It is generated from the DirXML-DriverFilter attribute on the DirXML-Subscriber or DirXML-Publisher object.
Example
  See <init-params>.
Allowed Content
  allow-class: Allows a class in the filter.
Attributes...
driver-options
Used to specify driver-specific configuration options. It comes from the DirXML-ShimConfigInfo attribute of the DirXML-Driver object in eDirectory.
Example
  See <driver-config>.
Allowed Content
Attributes
  None
Content Rule
Parent Elements
  driver-config: Driver-specific DriverShim configuration options.
  init-params: Initialization parameters for a DriverShim, SubscriptionShim, or PublicationShim.
driver-state
Used to specify driver-specific state information.
Example
  See <init-params>.
Allowed Content
Attributes
  None
Content Rule
Parent Elements
  init-params: Initialization parameters for a DriverShim, SubscriptionShim, or PublicationShim.
get-named-password
Used to retrieve a named password for a driver. A <status> result is returned indicating success or failure. If the status is success, then a <password> element is also returned containing the password value. The content of <get-named-password> is the name or key of the password that is retrieved.
Example
  <get-named-password event-id="gnp37">...
init-params
Used to specify initialization parameters for a DriverShim, SubscriptionShim, or PublicationShim.
Remarks
<init-params> is also included in any <output> or <input> from the driver to Identity Manager, which instructs Identity Manager to store the contents of the enclosed <driver-state>, <subscriber-state>, and <publisher-state>...
    <!-- some driver defined subscriber options -->
    </subscriber-options>
    <subscriber-state>
      <!-- some driver defined subscriber state -->
    </subscriber-state>
  </init-params>

  <!-- for PublicationShim.init() -->
  <init-params src-dn="\MY_TREE\MyOrg\MyDriverSet\MyDriver\Publisher">
    <authentication-info>
      <server>localhost</server>
      <user>Fred</user>
      <password>foobar</password>
    </authentication-info>
    <driver-filter type="publisher">
      <allow-class class-name="User">
        <allow-attr attr-name="Telephone Number"/>
        <allow-attr attr-name="CN"/>
        <allow-attr attr-name="Surname"/>
        <allow-attr attr-name="Given Name"/>...
input
Used to encapsulate events or commands sent as input to a driver or Identity Manager. All <nds> documents sent as a parameter to an Identity Manager or driver interface method should contain exactly one <input>.
Example
  See <nds>.
Allowed Content
  add: Adds an object when an add event occurs.
instance
Used to represent an object in eDirectory or the application as part of the response to a <query> command or a <query-ex> command. <instance> does not necessarily represent the complete state of the object, but just the information requested by the <query> or <query-ex>. When returned from a driver, an <association>...
Attributes
  class-name (CDATA, #REQUIRED): The name of the base class of the object. The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
match-attr
Deprecated as of Identity Manager 2.0. Use DirXMLScript <if-op-attr> for an object creation and Placement policy or <do-find-matching-object> and <arg-match-attr> for an object Matching policy.
Remarks
<match-attr> is used to specify:
  Rule selection criteria for the enclosing <create-rule> or <placement-rule>. When used as such, it must contain at least one <value>.
  placement-rule: Object placement rule. Deprecated as of Identity Manager 2.0.
match-class
Deprecated as of Identity Manager 2.0. Use DirXMLScript <if-object-class> instead.
Remarks
<match-class> is used to specify rule selection criteria for the enclosing <matching-rule> or <placement-rule>.
Example
  See <matching-rules> and <placement-rules>.
Allowed Content
  EMPTY
Attributes
  class-name (CDATA, #REQUIRED)...
match-path
Deprecated as of Identity Manager 2.0. Use DirXMLScript <if-src-dn> for object placement policy or <do-find-matching-object> and <arg-dn> for object matching policy.
Remarks
<match-path> is used to specify:
  Rule selection criteria for the enclosing <placement-rule>. When used as such, the src-dn attribute of the source <add>...
Parent Elements
  matching-rule: Object matching rule. Deprecated as of Identity Manager 2.0.
  placement-rule: Object placement rule. Deprecated as of Identity Manager 2.0.
matching-rule
Deprecated as of Identity Manager 2.0. Use DirXMLScript <rule> and <do-find-matching-object> instead.
Remarks
<matching-rule> is used to specify the criteria for finding a matching object for automatic association of a new object as a result of an <add> event. When a <matching-rule>...
Content Rule
  ( match-class * , match-path ? , match-attr * )
Parent Elements
  matching-rules: Top-level element for object matching rules. Deprecated as of Identity Manager 2.0.
      <match-class class-name="User"/>
      <match-attr attr-name="Surname"/>
      <match-attr attr-name="Given Name"/>
      <match-attr attr-name="Location"/>
    </matching-rule>
    <!-- for Users, then try to match on Surname only in -->
    <!-- the o=novell subtree -->
    <matching-rule>
      <match-class class-name="User"/>
      <match-path prefix="o=novell"/>
      <match-attr attr-name="Surname"/>
    </matching-rule>
    <!-- for all classes try to match on CN only -->...
Allowed Content
  matching-rule: Object matching rule. Deprecated as of Identity Manager 2.0.
Attributes
  None
Content Rule
  ( matching-rule * )
Parent Elements
  None
modify
Used as an event notification from the PublicationShim to Identity Manager that an object is modified in the application. When it is used as a notification, an <association> is required. It is also used as a command from Identity Manager to the SubscriptionShim to modify an object in the application.
Attributes
  class-name (CDATA, #IMPLIED): The name of the base class of the object. The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
  src-entry-id (CDATA, #IMPLIED): The entry ID of the source object that generated the event in the namespace of the sender. Reserved. Should be ignored by the driver.
  timestamp (CDATA, #IMPLIED): Reserved. Should be ignored by the driver.
modify-association
Used to notify Identity Manager that an application object's unique key is modified. <modify-association> should be sent when the unique key is changed for an object that passes the event filter for either the SubscriptionShim or the PublicationShim. <modify-association> can be included in any <output>...
modify-attr
Used to specify the modified attribute values for a <modify> operation or event.
Remarks
Each <modify-attr> should contain at least one <add-value>, <remove-value>, or <remove-all-values>. The order of the above elements is significant.
Example
  See <modify>.
Allowed Content
  remove-value...
Content Rule
  ( remove-value | remove-all-values | add-value ) +
Parent Elements
  modify: Modifies an object when a modify event occurs.
modify-password
Used as an event notification from the PublicationShim to Identity Manager that an object password is modified in the application. When used as a notification, an <association> is required. Also used as a command from Identity Manager to the SubscriptionShim to modify an object password in the application.
Attributes
  class-name (CDATA, #IMPLIED): The name of the base class of the object. The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
  timestamp (CDATA, #IMPLIED): Reserved. Should be ignored by the driver.
Content Rule
  ( association ? , old-password ? , password , operation-data ? )
Parent Elements
  input: Input events or commands.
move
Used as an event notification from the PublicationShim to Identity Manager when an object is moved to a different container in the application. When used as a notification, an <association> is required. Also used as a command from Identity Manager to the SubscriptionShim to move an object to a different container in the application.
Attributes
  class-name (CDATA, #IMPLIED): The name of the base class of the object. The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
  src-dn (CDATA, #IMPLIED): The distinguished name of the source object that generated the event in the namespace of the sender.
  The new distinguished name of the source object that generated the event in the namespace of the sender.
<input>. All <nds> documents returned from an Identity Manager or driver interface method should contain exactly one <output>.
Example
DirXML sends:
  <nds dtdversion="2.0">
    <source>
      <product version="2.0.0.0">DirXML</product>
      <contact>Novell, Inc.</contact>
    </source>
    <input>
      <modify class-name="User" event-id="0" qualified-src-dn="\T=ATREE\O=Users\CN=Julia" src-dn="\ATREE\Users\Julia" src-entry-id="33967">
        <association state="associated">
          {B43E7155-CDF9-d311-9846-0008C76B16C2}
        </association>...
Allowed Content
  source: The source or creator of the document.
  input: Input events or commands.
  output: Results of events or commands.
Attributes
  dtdversion (CDATA, #REQUIRED): Should be set to the major.minor version of Identity Manager that the driver is designed for.
nds-name
Used to specify a class or attribute name in the eDirectory namespace.
Example
  See <attr-name-map>.
Allowed Content
  #PCDATA
Attributes
  None
Content Rule
  ( #PCDATA )
Parent Elements
  attr-name: Maps an attribute name.
  class-name: Maps a class name.
new-name
Used to specify the new name for the object specified by the enclosing <rename> event or command.
Example
  See <rename>.
Allowed Content
  #PCDATA
Attributes
  None
Content Rule
  ( #PCDATA )
Parent Elements
  rename: Renames an object when a rename event occurs.
old-password
Used to specify the old password for the enclosing <modify-password>.
Example
  See <modify-password>.
Allowed Content
  #PCDATA
Attributes
  None
Content Rule
  ( #PCDATA )
Parent Elements
  modify-password: Modifies an object password when a modify event for a password occurs.
operation-data
Used to allow policies to inject an additional custom data payload to be carried along with any event or command. It is stripped from the event or command before it is submitted to the application shim and then reassociated with any corresponding response elements (as determined by matching event-id) after they are returned to Identity Manager.
  delete: Deletes an object when a delete event occurs.
  get-named-password: Retrieves a named password for a driver.
  init-params: Initialization parameters for the DriverShim, SubscriptionShim, or PublicationShim.
  instance: Current state of an instance of an object.
  modify: Modifies an object when a modify event occurs.
  modify-association: Modifies an association command.
output
Used to encapsulate events or commands returned to a driver or Identity Manager. All <nds> documents returned from Identity Manager or the driver interface method should contain exactly one <output>.
Example
  See <nds>.
Allowed Content
  status: Status of the processing of a command or event.
  add-association: Adds an association command.
parent
Used to specify the destination container for a <move> event or command, or the current container of an object represented by an <instance>.
Remarks
When originating from a driver, the <parent> must contain an <association> containing the unique key of the container object. When originating from Identity Manager, <parent> contains an <association>...
  src-dn (CDATA, #IMPLIED): The distinguished name of the source object that generated the event in the namespace of the sender.
  src-entry-id (CDATA, #IMPLIED): The entry ID of the source object that generated the event in the namespace of the sender.
password
Used to specify the initial password for an object in an <add>, to specify the authentication password for a driver in an <authentication-info> element (it comes from the DirXML-ShimAuthPassword attribute on the DirXML-Driver object), or to return the value of a named password as the result of processing a <get-named-password>...
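Several elements in this DTD carry a credential as their text content: <password> (the initial password in an <add>, the driver's authentication password inside <authentication-info>, the new password in <modify-password>, the candidate in <check-object-password>, and the value returned for <get-named-password>), <old-password>, and <check-password>, whose own content is the password being checked. Any component that writes these documents to a trace or log therefore has to redact them first. The following is an added example, not code from Novell: it masks the content of those elements with the standard library and offers a companion check that reports which secret-bearing elements still carry a value. The sample trace document, the mask string and the element set are this example's own construction.

```python
import xml.etree.ElementTree as ET

# Elements whose text content is a secret according to the NDS DTD descriptions.
SECRET_ELEMENTS = {"password", "old-password", "check-password"}
MASK = "[REDACTED]"


def _has_secret_text(element):
    """True when a secret-bearing element still carries an unmasked, non-empty value."""
    return (element.tag in SECRET_ELEMENTS
            and element.text is not None
            and element.text.strip() != ""
            and element.text != MASK)


def redact_secrets(xml_text):
    """Return (redacted_xml, count): the document with every secret element's
    content replaced by MASK, and how many elements were redacted.
    Element names, attributes and all other text are left untouched."""
    root = ET.fromstring(xml_text)
    count = 0
    for element in root.iter():
        if _has_secret_text(element):
            element.text = MASK
            count += 1
    return ET.tostring(root, encoding="unicode"), count


def secret_elements_present(xml_text):
    """Sorted names of secret-bearing elements that still carry a value;
    an empty list is the precondition for writing the document to a trace."""
    root = ET.fromstring(xml_text)
    return sorted({e.tag for e in root.iter() if _has_secret_text(e)})


# Constructed sample (not from the page) mixing the three password-bearing uses.
SAMPLE_TRACE = (
    '<nds dtdversion="3.6"><input>'
    '<init-params src-dn="\\TREE\\Org\\DriverSet\\Driver\\Publisher">'
    '<authentication-info><server>localhost</server><user>Fred</user>'
    '<password>foobar</password></authentication-info>'
    '</init-params>'
    '<check-password>abdc1234</check-password>'
    '<modify-password event-id="p1"><association>{placeholder-key}</association>'
    '<old-password>old-secret</old-password><password>new-secret</password></modify-password>'
    '</input></nds>'
)

if __name__ == "__main__":
    redacted, n = redact_secrets(SAMPLE_TRACE)
    print(n, "elements redacted")
    print(redacted)
```

Redaction operates on the parsed tree rather than on the text with a regular expression, so it is not fooled by whitespace, attributes or comments between the tag and its content, and the rest of the document (useful for diagnosing a failed command) survives intact.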
placement
Deprecated as of Identity Manager 2.0. Use DirXMLScript <do-set-op-dest-dn> instead.
Remarks
<placement> is used to specify the distinguished name for an object that is about to be created and match the selection criteria for the enclosing <placement-rule>. The DN is generated by concatenating in order the text and the text substitutions generated by the enclosed token elements.
placement-rule
Deprecated as of Identity Manager 2.0. Use DirXMLScript <rule>.
Remarks
<placement-rule> is used to specify the criteria for generating a distinguished name for an object that is about to be created. When a <placement-rule> is evaluated, it first checks whether or not this is a suitable rule for the <add>...
Content Rule
  ( match-class * , match-path * , match-attr * , placement )
Parent Elements
  placement-rules: Top-level element for object placement rules. Deprecated as of Identity Manager 2.0.
placement-rules
Deprecated as of Identity Manager 2.0. Use DirXMLScript <policy> instead.
Remarks: <placement-rules> is the top level (document) element for object placement rules. Object matching rules are stored in the DirXML-XmlData attribute of a DirXML-Rule object that is pointed to by the DirXML-PlacementRule attribute of a DirXML-Subscriber or DirXML-Publisher object.
Example:
<placement-rules src-dn-format="slash" dest-dn-format="ldap">
  <!-- for Users coming from the subtree \Tree\novell in eDirectory -->
  <!-- place them in the same relative hierarchy under o=novell -->
  <placement-rule>
    <match-class class-name="User"/>
    <match-path prefix="\TREE\novell"/>
    <placement><copy-path-suffix/>,o=novell</placement>
  </placement-rule>
  <!-- for all other users and groups -->
  ...
Attributes:
  src-dn-format (dot | qualified-dot | slash | qualified-slash | ldap; default slash) - Format of the src-dn.
Content Rule: ( placement-rule * )
Parent Elements: None
publisher-options
Used to specify driver-specific configuration options. It comes from the DirXML-ShimConfigInfo attribute of the DirXML-Driver object in eDirectory. See <driver-config> for details on the contents.
Example: See <driver-config>.
Attributes: None
Parent Elements:
  driver-config - Driver-specific DriverShim configuration options.
publisher-state
Used to specify driver-specific state information for the PublicationShim.
Remarks: <publisher-state> can be included inside of <init-params> in any <output> or <input> from the driver to Identity Manager, which instructs Identity Manager to store the contents on the DirXML-DriverStorage attribute of the DirXML-Driver object in eDirectory.
query
A command used to find and read objects from eDirectory or the application. Full functionality for Identity Manager rules, object migration, etc. depends on full implementation of the query command by the driver.
Remarks: The base object of the <query> is specified either by the dest-dn attribute or by an <association>. If both are present, the dest-dn attribute takes precedence when querying eDirectory, and the <association>...
Example:
<!-- search the whole application for a User object with the Surname of Jones -->
<!-- don't read any attributes but read the parent -->
<query class-name="User" event-id="0" scope="subtree">
  <search-class class-name="User"/>
  <search-attr attr-name="Surname">
    <value type="string">Jones</value>
  </search-attr>
  <read-attr/>
  <read-parent/>
</query>
<!-- read the User object whose foreign key is 1011 -->
...
Attributes:
  class-name (CDATA, #IMPLIED) - The name of the base class of the object. The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
Parent Elements:
  config-object - eDirectory object to use for additional configuration data.
  input - Input events or commands.
query-ex
A <query> variant used to limit the number of search results returned at one time. See <query> for general information on searches and queries.
Remarks: The results of a query-ex command might include a <query-token> element. The query-token element is used in subsequent query-ex commands to retrieve additional results. If query-ex results do not contain a query-token element, then all of the available results for that query-ex command have been returned.
<query-ex>
  <query-token>rO0ABXNyACxjb20ubm92ZWxsLm5kcy5kaXJ4bWwuZW5naW5lLk5EU1JlYWRlciRUb2tlbuWeJE0ga5xBAgACSgAFc3RhbXBJAAlzdGF0ZUhhc2h4cAAAAQQLokQbAbjW9w==</query-token>
</query-ex>
<!-- cancel a query-ex before having read all results -->
<query-ex cancel="true">
  <query-token>rO0ABXNyACxjb20ubm92ZWxsLm5kcy5kaXJ4bWwuZW5naW5lLk5EU1JlYWRlciRUb2tlbuWeJE0ga5xBAgACSgAFc3RhbXBJAAlzdGF0ZUhhc2h4cAAAAQQLokQbAbjW9w==</query-token>
</query-ex>
Allowed Content:
  association - Unique key of the application object.
  query-token - Opaque handle for query-ex commands.
  search-class - Query search class filter.
  search-attr - Query search attribute value filter.
  read-attr...
Attributes:
  class-name (CDATA, #IMPLIED) - The name of the base class of the object. The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
Parent Elements:
  input - Input events or commands.
query-schema
A command used to read the schema definition from eDirectory or the application. Drivers are not currently required to implement it, but this might change. Drivers are required to implement the DriverShim.getSchema() method, which does exactly the same thing.
Remarks: A response to <query-schema>...
query-token
Used in conjunction with the query-ex command. The content of the query-token element is an opaque token or handle that is used to refer to unreturned search results that are the result of a query-ex command.
Remarks: A <query-token> element might be returned in the result set of a query-ex command and is used as a child of a <query-ex>...
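The query-ex / query-token exchange described above, as an added example that is not part of the Novell reference or of any Identity Manager driver: a toy responder pages a constructed result set and hands back an opaque handle while results remain, and a client loop follows the handle until none is returned, then shows a cancelled handle being rejected. The tokens are constructed random strings (the engine's real tokens are not modelled), APP_USERS is constructed data, and max-result-count is assumed to be the attribute that caps the page size.

```python
import base64
import secrets
import xml.etree.ElementTree as ET

# Constructed application data: foreign key -> Surname (not from the reference).
APP_USERS = {"1011": "Jones", "1012": "Smith", "1013": "Jones", "1014": "Lee", "1015": "Jones"}


class ToyResponder:
    """Stand-in for the driver's search side: keeps unreturned results per token."""

    def __init__(self):
        self._pending = {}  # query-token text -> results not yet returned

    def handle(self, query_ex):
        """Process one <query-ex> and return the <output> document for it."""
        output = ET.Element("output")
        tok_el = query_ex.find("query-token")
        token = tok_el.text.strip() if tok_el is not None and tok_el.text else None

        if query_ex.get("cancel") == "true":
            # Cancel: drop the unreturned results; the token is no longer usable.
            self._pending.pop(token, None)
            ET.SubElement(output, "status", level="success")
            return output

        if token is not None:
            # Continuation: resume from the handle returned with the previous page.
            if token not in self._pending:
                ET.SubElement(output, "status", level="error").text = "unknown query-token"
                return output
            remaining = self._pending.pop(token)
        else:
            # First page: apply the <search-attr> filters to the constructed data.
            wanted = {sa.get("attr-name"): sa.findtext("value")
                      for sa in query_ex.findall("search-attr")}
            remaining = [(key, surname) for key, surname in APP_USERS.items()
                         if wanted.get("Surname") in (None, surname)]

        # max-result-count is assumed (not on the page) to be the page-size cap.
        limit = int(query_ex.get("max-result-count", len(remaining) or 1))
        page, rest = remaining[:limit], remaining[limit:]
        for key, surname in page:
            inst = ET.SubElement(output, "instance", {"class-name": "User"})
            ET.SubElement(inst, "association").text = key
            attr = ET.SubElement(inst, "attr", {"attr-name": "Surname"})
            ET.SubElement(attr, "value", type="string").text = surname
        if rest:
            # Results left over: return an opaque handle (constructed, random) for them.
            token = base64.b64encode(secrets.token_bytes(12)).decode()
            self._pending[token] = rest
            ET.SubElement(output, "query-token").text = token
        ET.SubElement(output, "status", level="success")
        return output


def build_query(surname, page_size):
    """Initial <query-ex> mirroring the reference's <query> example for Surname."""
    q = ET.Element("query-ex", {"class-name": "User", "scope": "subtree",
                                "max-result-count": str(page_size)})
    ET.SubElement(q, "search-class", {"class-name": "User"})
    sa = ET.SubElement(q, "search-attr", {"attr-name": "Surname"})
    ET.SubElement(sa, "value", type="string").text = surname
    ET.SubElement(q, "read-attr", {"attr-name": "Surname"})
    return q


def continuation(token, cancel=False):
    """<query-ex> carrying a <query-token>, optionally with cancel="true"."""
    q = ET.Element("query-ex", {"cancel": "true"} if cancel else {})
    ET.SubElement(q, "query-token").text = token
    return q


def fetch_all(responder, surname, page_size):
    """Client loop: resend the token until the output carries no <query-token>."""
    keys, rounds, request = [], 0, build_query(surname, page_size)
    while True:
        out = responder.handle(request)
        rounds += 1
        keys += [inst.findtext("association") for inst in out.findall("instance")]
        tok = out.find("query-token")
        if tok is None:  # no token: every available result has been returned
            return keys, rounds
        request = continuation(tok.text)


def first_page_then_cancel(responder, surname, page_size):
    """Read one page, cancel the remainder, then show the cancelled token is rejected."""
    out = responder.handle(build_query(surname, page_size))
    keys = [inst.findtext("association") for inst in out.findall("instance")]
    tok = out.find("query-token")
    if tok is None:
        return keys, None
    responder.handle(continuation(tok.text, cancel=True))
    retry = responder.handle(continuation(tok.text))
    return keys, retry.find("status").get("level")


if __name__ == "__main__":
    r = ToyResponder()
    print(fetch_all(r, "Jones", 2))               # (['1011', '1013', '1015'], 2)
    print(first_page_then_cancel(r, "Jones", 2))  # (['1011', '1013'], 'error')
```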
read-attr
Used to specify the object attributes to be read by the enclosing <query> command.
Example: See <query>.
Allowed Content: EMPTY
Attributes:
  attr-name (CDATA, #IMPLIED) - The name of the attribute. The name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity...
read-parent
Used to specify that a <parent> should be included in all instances returned by the enclosing <query> command.
Example: See <query>.
Allowed Content: EMPTY
Attributes: None
Content Declaration: Empty
Parent Elements:
  query - Query command.
  query-ex - Query command with a result count limit.
remove-all-values
Used to specify that all values are removed from the attribute specified in the enclosing <modify-attr>.
Example: See <modify>.
Allowed Content: EMPTY
Attributes: None
Content Declaration: Empty
Parent Elements:
  modify-attr - Modify attribute.
remove-association
Used to notify Identity Manager that a particular unique key is not valid. <remove-association> should generally occur when an invalid association value is sent to the driver by Identity Manager. It can also be useful as part of an Event Transformation policy. Can be included in any <output> or <input>...
remove-value
Used to specify values removed from the attribute specified in the enclosing <modify-attr>. Each <add-attr> should contain at least one <value>. A driver should gracefully ignore a <remove-value> for a value that does not exist and continue to process the remainder of the enclosing <modify>.
Example: See <modify>.
rename
Used as an event notification from the PublicationShim to Identity Manager that an object is renamed in the application. When it is used as a notification, an <association> is required. Also used as a command from Identity Manager to the SubscriptionShim to rename an object in the application. When it is used as a command, an <association>...
Attributes:
  old-src-dn (CDATA, #IMPLIED) - The original distinguished name of the source object that generated the event in the namespace of the sender.
  qualified-old-src-dn (CDATA, #IMPLIED) - The qualified version of the old-src-dn. Only used for describing objects from eDirectory.
Parent Elements:
  input - Input events or commands.
required-attr
Deprecated as of Identity Manager 2.0. Use DirXMLScript <do-veto-if-op-attr-not-available> or <do-set-default-attr-value> instead.
Remarks: <required-attr> is used to specify an attribute required to create an object as part of the criteria for the enclosing <create-rule>. <required-attr> can contain one or more <value> elements. If it contains any value elements, they are used as default values if the <add>...
Parent Elements:
  create-rule - Object creation rule. Deprecated as of Identity Manager 2.0.
schema-def
Used as part of the response to a query-schema command and to the DriverShim.getSchema() method. It specifies the schema for an application or eDirectory. It is also the top-level element of the XML stored in the DirXML-ApplicationSchema attribute of the DirXML-Driver object.
Remarks: The distinguished name format for the application is specified by dn-format or dn-delims (but not both) and must match what the source application actually uses.
Attributes:
  application-name (CDATA, #IMPLIED) - Specifies the name of the application that uses the schema.
  dn-delims (CDATA, #IMPLIED) - The custom DN format used by the application.
  dn-format (dot | qualified-dot | slash | qualified-slash | ldap; default slash) - The DN format used by the application.
search-attr
Used to specify the object attributes to be searched for by the enclosing <query> command. Each <search-attr> should contain at least one <value>.
Example: See <query>.
Allowed Content:
  value - The attribute value.
Attributes:
  attr-name (CDATA, #REQUIRED)...
search-class
Used to specify the object base classes to be searched for by the enclosing <query> command.
Example: See <query>.
Allowed Content: EMPTY
Attributes:
  class-name (CDATA, #REQUIRED) - The name of the base class of the object.
server
Used to specify the application server for a driver in an <authentication-info>. It comes from the DirXML-ShimAuthServer attribute on the DirXML-Driver object.
Example: See <init-params>.
Allowed Content: #PCDATA
Attributes: None
Content Rule: ( #PCDATA )
Parent Elements:
  authentication-info - Information for connecting and authenticating to the application.
source
Used to specify the source of the enclosing document.
Example: See <nds>.
Allowed Content:
  product - The product from which this document originated.
  contact - Point of contact for the originating product.
Attributes: None
Content Rule: ( product ? , contact ? )
Parent Elements: ...
status
Used to return the status of an operation or event. More than one <status> can be returned for each operation or event. <status> can also be included in an input from the driver to Identity Manager when the driver wants to log the status of the driver to the Identity Manager log.
Remarks: Possible values for the level attribute are: Value...
Attributes:
  event-id (CDATA, #IMPLIED) - An identifier used to tag the results of an event or command. Should be the same as the event-id of the operation or event that this status is associated with.
  level (fatal | error | warning | success | ...) #REQUIRED...
subscriber-options
Used to specify driver-specific configuration options. It comes from the DirXML-ShimConfigInfo attribute of the DirXML-Driver object in eDirectory. See <driver-config> for details on the contents.
Example: See <driver-config>.
Attributes: None
Parent Elements:
  driver-config - Driver-specific DriverShim configuration options.
subscriber-state
Used to specify driver-specific state information for the SubscriptionShim.
Remarks: <subscriber-state> can be included inside of <init-params> in any <output> or <input> from the driver to Identity Manager, which instructs Identity Manager to store the contents on the DirXML-DriverStorage attribute of the DirXML-Driver object in eDirectory.
sync
Appears on the Subscriber channel as the result of a resync (manual or automatic) or as the result of a Migrate from Identity Vault operation.
Remarks: The <sync> is generally only visible in the Event Transformation policy. If the Event Transformation policy is used to perform scope-based filtering, then the <sync>...
Attributes:
  qualified-src-dn (CDATA, #IMPLIED) - The qualified version of the src-dn. Only used for describing objects from eDirectory.
  src-dn (CDATA, #IMPLIED) - The distinguished name of the source object that generated the event in the namespace of the sender.
template
Deprecated as of Identity Manager 2.0. Use DirXMLScript <do-set-op-template-dn> instead. Used to specify a template that is used for object creation as part of the criteria specified by the enclosing <create-rule>.
Example: See <create-rules>.
Allowed Content: EMPTY
Attributes:
  template-dn (CDATA...
user
Used to specify a user name to authenticate to the application server for a driver in an <authentication-info>. It comes from the DirXML-ShimAuthID attribute on the DirXML-Driver object.
Example: See <init-params>.
Allowed Content: #PCDATA
Attributes: None
Content Rule: #PCDATA
Parent Elements: ...
value
Used to specify an individual attribute value of the attribute specified by the enclosing element.
Remarks: If the type is structured, the <value> contains at least one <component>. If the type is octet, the content of the <value> is base64-encoded binary data. If the type is anything else, the content is text. The following table shows the types used to represent the various eDirectory syntaxes.
Syntax / Type / Components (Notes):
  SYN_REPLICA_POINTER: structured; components server (referential), replicaType, replicaNumber, then repeated 0 or more times: netAddrType, netAddr (Base64-encoded data)
  SYN_OBJECT_ACL: structured; components protectedName, trustee (referential), privileges
  SYN_PO_ADDRESS: structured; components string (exactly 6)
  SYN_TIMESTAMP: structured; components seconds, replicaNumber, eventId
  SYN_CLASS_NAME: classname
  SYN_STREAM: octet (Base64-encoded data)
  SYN_COUNTER: counter...
Allowed Content: #PCDATA
  component - Component of a structured attribute.
Attributes:
  association-ref (CDATA, #IMPLIED) - The association value (application object unique key) of the object being referenced by this value. This is required on all components that refer to other objects when the value is part of a notification event from the driver.
Parent Elements:
  add-attr - Adds an attribute.
  add-value - Adds values.
  attr - Matches an attribute. Deprecated as of Identity Manager 2.0.
  match-attr - Inputs events or commands.
  remove-value - Removes specified attribute values.
  required-attr - Required attribute. Deprecated as of Identity Manager 2.0.
  search-attr - Query search attribute value filter.
Map DTD
An Identity Manager mapping table is used by a DirXML Script policy to map a set of values to another set of corresponding values. An Identity Manager mapping table consists of a top level <mapping-table> that contains a set of <col-def>...
col
Defines the value of a column within a row in the mapping table.
Example: See <mapping-table>.
Allowed Content: #PCDATA
Attributes: None
Content Rule: ( #PCDATA )
Parent Elements:
  row - Mapping table row.
col-def
Defines a column in the mapping table. The name of the column is specified by name. The type of the column is specified by type; it defaults to nocase and determines the comparison rules used when the column is the key column for a mapping operation.
Remarks: The legal values for type are: Value...
Parent Elements:
  mapping-table - Mapping table.
mapping-table
A mapping table consists of a top level <mapping-table> that contains a set of <col-def> elements and a set of <row> elements. A <col-def> defines the name of each column and the type that it contains. A <row> consists of a set of <col> elements. DirXML Script uses <token-map> to map a value using a specified key column to a different value or values in a specified value column.
row
A <row> defines a row in the mapping table. The values for the columns within the row are defined by the enclosed <col> elements, which correspond to the columns defined for the mapping table and must occur in the same order as the <col-def> elements. If a row has fewer <col> elements than there are columns defined for the table, the missing columns are assumed to be blank.
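The mapping-table structure and the <token-map> lookup described in the <col-def>, <mapping-table> and <row> entries above, as an added example that is not part of the Novell reference or of the Identity Manager engine: it parses a constructed <mapping-table>, pads short rows with blank columns, and resolves a key-column value to the matching value-column cells under the key column's comparison type. The nocase default is the page's; the case and numeric column types are assumed here from the DTD because the page's list of legal values is truncated, and the engine's behaviour when nothing matches (an empty result here) is not described on the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample table, not from the reference: department codes to names and cost centres.
SAMPLE_TABLE = """<mapping-table>
  <col-def name="dept"/>
  <col-def name="name" type="case"/>
  <col-def name="cc" type="numeric"/>
  <row><col>ENG</col><col>Engineering</col><col>0100</col></row>
  <row><col>sales</col><col>Sales</col><col>200</col></row>
  <row><col>HR</col><col>Human Resources</col></row>
  <row><col>eng</col><col>Engineering (EMEA)</col><col>100</col></row>
</mapping-table>"""

# nocase is the default stated on the page; case and numeric are assumed from the DTD.
COLUMN_TYPES = ("nocase", "case", "numeric")


class MappingTable:
    """Parsed <mapping-table>: column definitions plus rows padded to full width."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        if root.tag != "mapping-table":
            raise ValueError("top-level element must be <mapping-table>")
        self.columns = []
        for col_def in root.findall("col-def"):
            ctype = col_def.get("type", "nocase")  # page: type defaults to nocase
            if ctype not in COLUMN_TYPES:
                raise ValueError(f"unknown column type {ctype!r}")
            self.columns.append((col_def.get("name"), ctype))
        self.index = {name: i for i, (name, _) in enumerate(self.columns)}
        self.rows = []
        for row in root.findall("row"):
            cells = [(col.text or "").strip() for col in row.findall("col")]
            if len(cells) > len(self.columns):
                raise ValueError("row has more <col> elements than <col-def> columns")
            cells += [""] * (len(self.columns) - len(cells))  # page: missing columns are blank
            self.rows.append(cells)

    @staticmethod
    def _normalise(value, ctype):
        """Comparison key for a cell under the column's type; None never matches."""
        if ctype == "nocase":
            return value.casefold()
        if ctype == "numeric":
            try:
                return float(value)
            except ValueError:
                return None
        return value  # case: exact string comparison

    def map(self, src_col, dest_col, value):
        """token-map style lookup: every dest_col cell whose src_col cell equals value."""
        si, di = self.index[src_col], self.index[dest_col]
        ctype = self.columns[si][1]
        want = self._normalise(value, ctype)
        if want is None:
            return []
        return [row[di] for row in self.rows if self._normalise(row[si], ctype) == want]


def demo():
    """One lookup per column type, plus a row whose missing column is blank."""
    table = MappingTable(SAMPLE_TABLE)
    return {
        "nocase": table.map("dept", "name", "Eng"),    # ['Engineering', 'Engineering (EMEA)']
        "numeric": table.map("cc", "dept", "100"),     # ['ENG', 'eng']  (0100 == 100)
        "case": table.map("name", "dept", "sales"),    # []  ('Sales' != 'sales')
        "blank": table.map("dept", "cc", "hr"),        # ['']
    }


if __name__ == "__main__":
    for kind, result in demo().items():
        print(kind, result)
```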
DirXML Script DTD
DirXML Script is the primary method of implementing policies in the Novell Identity Manager Metadirectory engine. DirXML Script describes a <policy> that is implemented by an ordered set of <rule> elements. A <rule> consists of a set of <conditions> to be tested and an ordered set of <actions>...
  do-add-src-attr-value - Adds a value to an attribute in the source data store.
  do-add-src-object - Adds an object in the source data store.
  do-append-xml-element - Appends a custom XML element to existing elements.
  do-append-xml-text - Appends custom XML text to existing elements.
  do-break - Stops processing the current operation with this policy.
  do-rename-op-attr - Changes an attribute name for all operations on that attribute in the current operation.
  do-rename-src-object - Renames an object in the source data store.
  do-send-email - Generates an e-mail notification.
  do-send-email-from-template - Generates an e-mail notification using SMTP configuration and e-mail template objects.
  do-set-default-attr-value - Sets the default value for an attribute created in the destination data store...
  if-association - Tests an association.
  if-attr - Tests an attribute in the current operation or the current object in the source data store.
  if-class-name - Tests the object class of the current operation.
  if-dest-attr - Tests an attribute of the current object in the destination data store.
  token-dest-attr - The values of an attribute of the current object in the destination data store.
  token-dest-dn - A value derived from the destination DN from the current operation.
  token-dest-name - The unqualified RDN derived from the destination DN from the current operation.
  token-document - Reads an XML document.
  token-src-dn - A value derived from the source DN from the current operation.
  token-src-name - The unqualified RDN derived from the source DN from the current operation.
  token-substring - Substring of a string.
  token-text - Constant text.
  token-time - The current date/time.
  token-unique-name - Generates a unique name.
  token-unmatched-src-dn - A DN relative to the one matched by if-src-dn.
actions
The <actions> that are performed when the <conditions> of the enclosing <rule> are met. All individual actions are represented by an element of the form <do-*>.
Remarks: Most actions take arguments that further describe the action to be taken. Arguments that take a fixed string that never changes at runtime are represented by attributes on the action element.
  do-clone-xpath - Clones and appends a set of nodes to existing elements.
  do-delete-dest-object - Deletes an object in the destination data store.
  do-delete-src-object - Deletes an object in the source data store.
  do-find-matching-object - Automatically associates the current object.
  do-for-each - Repeats actions for each node in a node set.
  do-generate-event - Generates a user-defined event.
  do-set-op-property - Sets an operation property.
  do-set-op-src-dn - Sets the source DN for the current operation.
  do-set-op-template-dn - Sets the template DN for the current add operation.
  do-set-src-attr-value - Sets the value of an attribute in the source data store.
  do-set-src-password - Sets the password for the current object in the source data store.
Parent Elements:
  rule - Rule within a policy.
and
Specifies a set of tests that are performed and whose results are logically ANDed together. A set of <and> elements enclosed by a <conditions> are ORed together.
Example: See <policy>.
Allowed Content:
  if-association - Tests an association.
  if-attr - Tests an attribute in the current operation or the current object in the source data store.
Attributes:
  disabled (true | false; default false) - True if this element is disabled.
  notrace (true | false; default false) - True if this element should not be traced during execution of the policy.
Content Rule: ( if-association | if-attr | if-class-name | if-dest-attr | if-dest-dn | if-entitlement | if-global-variable | if-local-variable | if-named-password | if-op-attr | if-op-property | if-operation | if-password | if-src-attr | if-src-dn | if-xml-attr | if-xpath ) *
Parent Elements...
arg-actions
Specifies the actions that are performed for each iteration of the enclosing <do-for-each>. It is different from other argument types because it contains actions instead of tokens.
Example: See <do-for-each>, <do-if>, <do-while>, <do-implement-entitlement>.
Allowed Content:
  do-add-association - Associates the current object.
  do-add-dest-attr-value - Adds a value to an attribute in the destination data store.
  do-if - Conditionally performs actions.
  do-implement-entitlement - Implements an entitlement.
  do-move-dest-object - Moves an object in the destination data store.
  do-move-src-object - Moves an object in the source data store.
  do-reformat-op-attr - Changes the format of all values of a particular attribute in the current operation.
  do-remove-association - Disassociates an application object.
  do-set-sso-passphrase - Sets a passphrase in an SSO credential store.
  do-set-xml-attr - Sets custom XML attributes on existing elements.
  do-start-workflow - Starts a workflow.
  do-status - Reports status.
  do-strip-op-attr - Strips an attribute from the current operation.
  do-strip-xpath - Strips arbitrary data from the current operation.
  do-trace-message - Sends a trace message.
arg-association
Specifies an association value for the enclosing action. Each of the enclosed tokens is evaluated and the resulting string values are concatenated to form an association value.
Example: See <do-add-association>.
Allowed Content:
  token-added-entitlement - The values of an entitlement granted in the current operation.
  token-map - Maps a string through a mapping table.
  token-named-password - The value of the named password.
  token-op-attr - The values of an attribute in the current operation.
  token-op-property - The value of an operation property.
  token-operation - The name of the current operation.
  token-parse-dn - Parses or converts a DN.
  do-set-dest-password - Sets the password for the current object in the destination data store.
  do-set-op-association - Sets the association value for the current operation.
  do-set-src-attr-value - Sets the value of an attribute in the source data store.
  do-set-src-password - Sets the password for the current object in the source data store.
arg-component
Provides values for components of the enclosing <arg-value> if the type attribute of <arg-value> is structured. Each of the enclosed tokens is evaluated and the resulting string values are concatenated to form the value of the component. The name of the component is specified by the name attribute.
Example: See <arg-value>.
  token-map - Maps a string through a mapping table.
  token-named-password - The value of the named password.
  token-op-attr - The values of an attribute in the current operation.
  token-op-property - The value of an operation property.
  token-operation - The name of the current operation.
  token-parse-dn - Parses or converts a DN.
arg-conditions
Specifies the conditions associated with the enclosing action. It is different from other argument types in that it contains conditions instead of tokens.
Example: See <do-if>, <do-while>.
Allowed Content:
  and - A logical conjunction.
  or - A logical disjunction.
Attributes: None
Content Rule: ( and * | or * )
Parent Elements...
arg-dn
Specifies a DN value for the enclosing action. Each of the enclosed tokens is evaluated and the resulting string values are concatenated to form a DN value.
Example: See <do-add-association>.
Allowed Content:
  token-added-entitlement - The values of an entitlement granted in the current operation.
  token-map - Maps a string through a mapping table.
  token-named-password - The value of the named password.
  token-op-attr - The values of an attribute in the current operation.
  token-op-property - The value of an operation property.
  token-operation - The name of the current operation.
  token-parse-dn - Parses or converts a DN.
  do-set-op-dest-dn - Sets the destination DN for the current operation.
  do-set-op-src-dn - Sets the source DN for the current operation.
  do-set-op-template-dn - Sets the template DN for the current add operation.
  do-set-src-attr-value - Sets the value of an attribute in the source data store.
arg-match-attr
Specifies the attributes to be used to find a match for the enclosing <do-find-matching-object>. The name attribute provides the name of the attribute to use for matching. If there is an enclosed <arg-value>, then it provides the attribute value to use for matching; otherwise the values used are those available in the current operation.
arg-node-set
Specifies an XPath 1.0 node set for the enclosing action. Each of the enclosed tokens is evaluated; if the token returns a node set, the nodes in that set are added to the result set, otherwise a text node is created and added to the node set.
  token-map - Maps a string through a mapping table.
  token-named-password - The value of the named password.
  token-op-attr - The values of an attribute in the current operation.
  token-op-property - The value of an operation property.
  token-operation - The name of the current operation.
  token-parse-dn - Parses and converts a DN.
arg-object
Specifies a Java object for storing in the local variable specified by the enclosing <do-set-local-variable> action. The enclosed token must be a <token-xpath> that specifies an expression that returns a Java object, or a <token-local-variable> for a variable that already contains a Java object.
Example: See <do-set-local-variable>.
arg-password
Specifies a password to be used by the enclosing action. Each of the enclosed tokens is evaluated and the resulting string values are concatenated to form a string value.
Example: See <do-start-workflow>.
Allowed Content:
  token-added-entitlement - The values of an entitlement granted in the current operation.
  token-map - Maps a string through a mapping table.
  token-named-password - The value of the named password.
  token-op-attr - The values of an attribute in the current operation.
  token-op-property - The value of an operation property.
  token-operation - The name of the current operation.
  token-parse-dn - Parses or converts a DN.
  token-added-entitlement - The values of an entitlement granted in the current operation.
  token-association - The association value from the current operation.
  token-attr - The values of an attribute in the current operation or the current object in the source data store.
  token-base64-decode - Decodes base64 data into a string.
  token-removed-attr - The values of an attribute removed in the current operation.
  token-removed-entitlement - The values of an entitlement revoked in the current operation.
  token-replace-all - Replaces all instances of a substring within a string.
  token-replace-first - Replaces a single instance of a substring within a string.
resolve | token-src-attr | token-src-dn | token-src-name | token-substring | token-text | token-time | token-unique-name | token-unmatched-src-dn | token-upper-case | token-xml-parse | token-xml-serialize | token-xpath ) *
Parent Elements:
  do-send-email - Generates an e-mail notification.
  do-send-email-from-template - Generates an e-mail notification using SMTP configuration and e-mail template objects.
arg-string
Specifies a string value for the enclosing action. Each of the enclosed tokens is evaluated and the resulting string values are concatenated to form a string value.
Example: See <do-set-op-class-name>.
Allowed Content:
  token-added-entitlement - The values of an entitlement granted in the current operation.
  token-map - Maps a string through a mapping table.
  token-named-password - The value of the named password.
  token-op-attr - The values of an attribute in the current operation.
  token-op-property - The value of an operation property.
  token-operation - The name of the current operation.
  token-parse-dn - Parses or converts a DN.
  do-set-xml-attr - Sets custom XML attributes on existing elements.
  do-start-workflow - Starts a workflow.
  do-status - Reports status.
  do-trace-message - Sends a trace message.
  token-document - Reads an XML document.
  token-query - Queries the source or destination data store.
  token-unique-name - Generates a unique name.
arg-value
Specifies an attribute value for the enclosing action. If the type attribute is structured, then the content of <arg-value> must be a set of <arg-component> elements. If the type attribute is other than structured, then each of the enclosed tokens is evaluated and the resulting string values are concatenated to form a value.
  token-entitlement - The values of a granted entitlement of the current object.
  token-escape-for-dest-dn - Converts a string for use in a destination DN.
  token-escape-for-src-dn - Converts a string for use in a source DN.
  token-generate-password - Generates a random password.
  token-global-variable - The value of a global variable.
  token-join - Joins a node-set into a string.
  token-time - The current date/time.
  token-unique-name - Generates a unique name.
  token-unmatched-src-dn - A DN relative to the one matched by if-src-dn.
  token-upper-case - Converts a string to uppercase.
  token-xml-parse - Parses XML.
  token-xml-serialize - Serializes XML.
  token-xpath - The result of an XPath expression.
Attributes:
  Attribute Possible Values...
  do-remove-src-attr-value - Removes a value from an attribute in the source data store.
  do-set-default-attr-value - Sets the default value for an attribute to be created in the destination data store.
  do-set-dest-attr-value - Sets the value of an attribute in the destination data store.
comment
A long description or other textual information relating to the containing <rule>. It does not affect the execution of the <rule>.
Remarks: A comment has a name that can have special meaning to a user interface agent that displays or edits the rule.
component
Provides values for components of the enclosing if-condition if the mode attribute of that condition is structured.
Example: See <if-attr>.
Allowed Content: #PCDATA
Attributes:
  name (CDATA, #REQUIRED) - Name of the component. Supports variable expansion.
Content Rule: ( #PCDATA )
Parent Elements...
conditions
The conditions under which the <actions> of the enclosing <rule> are performed. The <conditions> are always specified in Conjunctive Normal Form (CNF) or Disjunctive Normal Form (DNF). As such, the content of <conditions> is either a disjunction of conjunctions specified by a (possibly empty) set of <and>...
Allowed Content:
  and - Logical conjunction.
  or - Logical disjunction.
Attributes: None
Content Rule: ( and * | or * )
Parent Elements:
  rule - Rule within a policy.
description A description of the containing <rule> or <policy>. It does not affect the execution of the <rule> or <policy>. Example See <policy>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
( #PCDATA )
Parent Elements
Element  Description
policy  A policy.
rule  Rule within a policy.
do-add-association Sends an <add-association> command to eDirectory. The dest-dn for the command comes from the value of <arg-dn> if it is specified, or from the current object if not specified. The association value sent is provided by <arg-association>. Example <do-add-association> <arg-dn>...
Attribute  Possible Values  Default Value
when  auto | before | after | direct  auto  When this action should be performed:
  auto - Automatically determined (either in or after the current operation).
  before - Before the current operation.
  after - After the current operation.
  direct - Written directly to the destination data store instead of being added to the current...
do-add-dest-attr-value Adds the value specified by <arg-value> to the named attribute on an object in the destination data store. The target object is specified by either <arg-dn> or <arg-association> if specified, or by the current object if not specified. Example <do-add-dest-attr-value name="Member">...
Attribute  Possible Values  Default Value
name  CDATA  #REQUIRED  Name of the attribute. Supports variable expansion.
when  auto | before | after | direct  auto  When this action should be performed:
  auto - Automatically determined (either in or after the current operation).
do-add-dest-object Creates an object of type class-name in the destination data store with a name and location provided by <arg-dn>. Any attribute values added as part of the object creation must be done in subsequent <do-add-dest-attr-value> actions using the same <arg-dn>. Example <do-add-dest-object class-name="User">...
Attribute  Possible Values  Default Value
when  auto | before | after | direct  auto  When this action should be performed:
  auto - Automatically determined (either in or after the current operation).
  before - Before the current operation.
  after - After the current operation.
  direct - Written directly to the destination data store instead of being added to the current...
If any type of error occurs while requesting the role assignment, the error string is available to the enclosing policy in the local variable named error.do-add-role. Otherwise that local variable is not available. Example <do-add-role id="cn=RoleAdmin,o=People" url="http://localhost:8080/IDMProv" role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig, cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell"> <arg-password> <token-named-password name="role-admin"/> </arg-password> <arg-string name="description"> <token-text>Requested by policy because isContractor attribute set to true</token-text>...
dest-tz="UTC" offset="6" offset-unit="month" src-format="!CTIME" src-tz="UTC"> <token-src-attr name="Hire Date"/> </token-convert-time> </arg-string> </do-add-role>
Allowed Content
Element  Description
arg-password  Password argument.
arg-dn  DN argument.
arg-association  Association argument.
arg-string  String argument.
Attributes
Attribute  Possible Values  Default Value
disabled  true | false  false  True if this element is disabled.
id  CDATA  #REQUIRED  The LDAP format DN of a user...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-add-src-attr-value Adds the value specified by <arg-value> to the named attribute on an object in the source data store. The target object is specified by either <arg-dn> or <arg-association> if specified, or by the current object if not specified. Example <do-add-src-attr-value name="Member">...
Attribute  Possible Values  Default Value
notrace  true | false  false  True if this element should not be traced during execution of the policy.
Content Rule
(( arg-dn | arg-association ) ? , arg-value )
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-add-src-object Creates an object of type class-name in the source data store with a name and location provided by <arg-dn>. Any attribute values to be added as part of the object creation must be done in subsequent <do-add-src-attr-value> actions using the same <arg-dn>. Example <do-add-src-object class-name="User">...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-append-xml-element Appends a custom element named by the name attribute to the set of elements selected by an expression. Example <do-append-xml-element name="jdbc:statement" expression=".."/> <do-append-xml-element name="jdbc:sql" expression="../jdbc:statement[last()]"/> <do-append-xml-text expression="../jdbc:statement[last()]/jdbc:sql"> <arg-string> <token-text> UPDATE dirxml.emp SET fname = '</token-text> <token-op-attr name="Given Name"/> <token-text>' </token-text> </arg-string>...
Attribute  Possible Values  Default Value
notrace  true | false  false  True if this element should not be traced during execution of the policy.
Content Declaration
Empty
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-append-xml-text Appends the text provided by <arg-string> to the set of elements selected by expression. Example See <do-append-xml-element>.
Allowed Content
Element  Description
arg-string  String argument.
Attributes
Attribute  Possible Values  Default Value
before  CDATA  #REQUIRED  XPath 1.0 expression evaluated relative to each of the nodes selected by expression that returns a node-set containing the child nodes which the text should be...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-break Stops the current operation from being processed by any more actions or rules within the current policy. Example <do-break/>
Allowed Content
EMPTY
Attributes
Attribute  Possible Values  Default Value
disabled  true | false  false  True if this element is disabled.
notrace  true | false  false...
do-clear-dest-attr-value Removes all the values for the named attribute from an object in the destination data store. The target object is specified by either <arg-dn> or <arg-association> if specified, or by the current object if not specified. Example <do-clear-dest-attr-value name="Member"> <arg-dn>...
Attribute  Possible Values  Default Value
notrace  true | false  false  True if this element should not be traced during execution of the policy.
when  auto | before | after | direct  auto  When this action should be performed:
  auto - Automatically determined (either in or after the current operation).
do-clear-op-property Clears any operation property with the given name from the current operation. Example <do-clear-op-property name="myProperty"/>
Allowed Content
EMPTY
Attributes
Attribute  Possible Values  Default Value
disabled  true | false  false  True if this element is disabled.
name  NMTOKEN  #REQUIRED  Name of the operation property.
notrace  true | false  false...
do-clear-src-attr-value Removes all values for the named attribute from an object in the source data store. The target object is specified by either <arg-dn> or <arg-association> if specified, or by the current object if not specified. Example <do-clear-src-attr-value name="Member"> <arg-dn> <token-text>Users/ManagerGroup</token-text>...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-clear-sso-credential Clears a credential from the object specified by the <arg-dn> element in the Single Sign On credential store specified by the <store-def-dn> element for the application specified by the <app-id> element. Additional information about the credential to be cleared can be specified by additional named <arg-string>...
Attribute  Possible Values  Default Value
notrace  true | false  false  True if this element should not be traced during execution of the policy.
store-def-dn  CDATA  #REQUIRED  Slash form DN of the credential store definition object. Can be relative to the including policy.
do-clone-op-attr Duplicates all elements that are children of the current operation with the attr-name attribute equal to the name specified by src-name within the operation with attr-name set to dest-name. Example <do-clone-op-attr src-name="Member" dest-name="Equivalent to Me"/> Allowed Content EMPTY Attributes Attribute Possible Values Default Value...
do-clone-xpath Appends deep copies of the nodes selected by <src-expression> to the set of elements selected by <dest-expression>. Example <do-append-xml-element name="delete" expression=".."/> <do-clone-xpath src-expression="@*" dest-expression="../modify[last()]"/>
Allowed Content
EMPTY
Attributes
Attribute  Possible Values  Default Value
before  CDATA  #REQUIRED  XPath 1.0 expression evaluated relative to each of the nodes selected by dest-expression that returns a node-set containing the...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
246 Identity Manager 3.6 DTD Reference...
do-delete-dest-object Deletes an object in the destination data store. The target object is specified by either <arg-dn> or <arg-association> if specified or by the current object otherwise. Example <do-delete-dest-object> <arg-dn> <token-text>Users/Fred Flintstone</token-text> </arg-dn> </do-delete-dest-object>
Allowed Content
Element  Description
arg-dn  DN argument.
arg-association  Association argument.
Attribute  Possible Values  Default Value
when  auto | before | after | direct  auto  When this action should be performed:
  auto - Automatically determined (either in or after the current operation).
  before - Before the current operation.
  after - After the current operation.
  direct - Written directly to the destination data store instead of being added to the current...
do-delete-src-object The <do-delete-src-object> action deletes the object in the source data store. The target object is specified by either <arg-dn> or <arg-association> if specified, or by the current object if not specified. Example <do-delete-src-object> <arg-dn> <token-text>Users/Fred Flintstone</token-text> </arg-dn> </do-delete-src-object> Allowed Content Element Description arg-dn...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-find-matching-object Performs a query in the destination data store and, if a matching object is found, causes its dest-dn or its dest-dn <association> to be added to the current operation. It is only valid when the current operation is <add>. Remarks <arg-dn> is required when scope="entry" and optional otherwise. At least one <arg-match-attr>...
<arg-match-attr name="L"/> <arg-value> <token-text>Provo</token-text> </arg-value> </do-find-matching-object>
Allowed Content
Element  Description
arg-dn  DN argument.
arg-match-attr  Match attribute argument.
Attributes
Attribute  Possible Values  Default Value
disabled  true | false  false  True if this element is disabled.
notrace  true | false  false  True if this element should not be traced during execution of the policy.
do-for-each Repeats the actions specified by <arg-actions> once for each node in <arg-node-set> with the local variable current-node set to a node-set containing only that node. If the current-node is <entitlement-impl>, then the actions are also marked as if they were also enclosed in <do-implement-entitlement>.
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
The remaining event data fields are provided by four <arg-string> elements with name attributes. The Novell Audit event structure contains two strings (text1, text2) along with one integer (value) and generic field (data). The two text fields are limited to 256 bytes and the data field can contain up to 3 KB of information.
| log-alert | log-critical | log-error | log-warning | log-notice | log-info | log-debug  log-info  Novell Audit log level.
notrace  true | false  false  True if this element should not be traced during execution of the policy.
do-if Causes the actions specified by the first <arg-actions> to be performed if the conditions specified by <arg-conditions> evaluate to true or the actions specified by the second <arg-actions> (if it exists) to be performed if the conditions specified by <arg-conditions> evaluate to false. Example <do-if>...
Content Rule
( arg-conditions , arg-actions , arg-actions ? )
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-implement-entitlement Marks the actions specified by <arg-actions> with the <entitlement-impl> elements specified in <arg-node-set> so that the Metadirectory engine knows to report the results of those actions to the DirXML-EntitlementResult attribute of the current object. Example <do-implement-entitlement> <arg-node-set> <token-removed-entitlement name="Account"/> </arg-node-set>...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-move-dest-object Moves an object in the destination data store. If two arguments are provided, the object identified by the first argument is moved to the container identified by the second argument. If only a single argument is provided, the current object is moved to the container identified by the single argument. Example <do-move-dest-object>...
Attribute  Possible Values  Default Value
when  auto | before | after | direct  auto  When this action should be performed:
  auto - Automatically determined (either in or after the current operation).
  before - Before the current operation.
  after - After the current operation.
  direct - Written directly to the destination data store instead of being added to the current...
do-move-src-object Moves an object in the source data store. If two arguments are provided then the object identified by the first argument is moved to the container identified by the second argument. If only a single argument is provided, then the current object is moved to the container identified by the single argument.
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-reformat-op-attr Replaces all values for the named attribute within the current operation with the <arg-value>. The value of <arg-value> is evaluated once for each value being replaced, with the local variable current-value set to the original value. Example <do-reformat-op-attr name="CN"> <arg-value>...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-remove-association Sends a <remove-association> command to eDirectory. The association value sent is provided by <arg-association>. Example <do-remove-association> <arg-association> <token-src-name/> </arg-association> </do-remove-association>
Allowed Content
Element  Description
arg-association  Association argument.
Attributes
Attribute  Possible Values  Default Value
direct  true | false  false  Use destCommandProcessor to carry out this action.
Attribute  Possible Values  Default Value
when  auto | before | after | direct  auto  When this action should be performed:
  auto - Automatically determined (either in or after the current operation).
  before - Before the current operation.
  after - After the current operation.
  direct - Written directly to the destination data store instead of being added to the current...
do-remove-dest-attr-value Removes the value specified by <arg-value> from the named attribute on an object in the destination data store. The target object is specified by either <arg-dn> or <arg-association> if specified or by the current object otherwise. Example <do-remove-dest-attr-value name="Member"> <arg-dn>...
Attribute  Possible Values  Default Value
name  CDATA  #REQUIRED  Name of the attribute.
notrace  true | false  false  True if this element should not be traced during execution of the policy.
when  auto | before | after | direct  auto  When this action should be performed:
  auto - Automatically determined (either in or after the current...
If any type of error occurs while requesting the role assignment, the error string is available to the enclosing policy in the local variable named error.do-remove-role. Otherwise that local variable is not available. Example <do-remove-role id="cn=RoleAdmin,o=People" url="http://localhost:8080/IDMProv" role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig, cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell"> <arg-password> <token-named-password name="role-admin"/> </arg-password> <arg-string name="description"> <token-text>Requested by policy because isContractor attribute set to false</token-text>...
Element  Description
arg-string  String argument.
Attributes
Attribute  Possible Values  Default Value
disabled  true | false  false  True if this element is disabled.
id  CDATA  #REQUIRED  The LDAP format DN of a user authorized to make the request. Supports variable expansion.
notrace  true | false  false  True if this element should not be...
do-remove-src-attr-value Removes the value specified by <arg-value> from the named attribute on an object in the source data store. The target object is specified by either <arg-dn> or <arg-association> if specified, or by the current object if not specified. Example <do-remove-src-attr-value name="Member">...
Content Rule
(( arg-dn | arg-association ) ? , arg-value )
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-rename-dest-object Renames an object in the destination data store to the name specified by <arg-string>. The target object is specified by either <arg-dn> or <arg-association> if specified or by the current object otherwise. Example <do-rename-dest-object> <arg-dn> <token-text>Users/Active/Fred Flintstone</token-text> </arg-dn> <arg-string> <token-text>Fat Freddy</token-text>...
Attribute  Possible Values  Default Value
when  auto | before | after | direct  auto  When this action should be performed:
  auto - Automatically determined (either in or after the current operation).
  before - Before the current operation.
  after - After the current operation.
  direct - Written directly to the destination data store instead of being added to the current...
do-rename-op-attr Causes all elements that are children of the current operation with the attr-name attribute equal to the name specified by src-name to have attr-name set to dest-name. Example <do-rename-op-attr src-name="Surname" dest-name="sn"/> Allowed Content EMPTY Attributes Attribute Possible Values Default Value dest-name CDATA #REQUIRED...
do-rename-src-object Renames an object in the source data store to the name specified by <arg-string>. The target object is specified by either <arg-dn> or <arg-association> if specified, or by the current object if not specified. Example <do-rename-src-object> <arg-dn> <token-text>Users/Active/Fred Flintstone</token-text> </arg-dn>...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-send-email Sends an e-mail notification to the specified server. Optional credentials for authentication to the SMTP server are provided in the ID and password attributes. The type attribute identifies whether the e-mail message contains plain text or HTML data. The various e-mail addresses, subject, and message are provided within <arg-string>...
<token-text>This is the email subject</token-text> </arg-string> <arg-string name="message"> <token-text>This is the email body</token-text> </arg-string> </do-send-email>
Allowed Content
Element  Description
arg-string  String argument.
arg-password  Password argument.
Attributes
Attribute  Possible Values  Default Value
disabled  true | false  false  True if this element is disabled.
id  CDATA  #IMPLIED  User account on the SMTP...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-send-email-from-template Generates an e-mail notification using an SMTP notification configuration object, e-mail template object, and replacement tokens. The target SMTP server along with credentials for authentication and the originating address are read from the SMTP notification configuration object. The subject and e-mail message are created using the template object and template replacement tokens.
</arg-string> <arg-string name="FailureReason"> <token-text> <use-html><p>sample reason 1</p><p>sample reason 2</p></use-html> </token-text> </arg-string> </do-send-email-from-template>
Allowed Content
Element  Description
arg-password  Password argument.
arg-string  String argument.
Attributes
Attribute  Possible Values  Default Value
disabled  true | false  false  True if this element is disabled.
notification-dn  CDATA  #REQUIRED  Slash form DN of the SMTP...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
286 Identity Manager 3.6 DTD Reference...
do-set-default-attr-value Adds the values specified by <arg-value> to the current operation for the named attribute if no values for that attribute already exist. It is only valid when the current operation is <add>. If write-back=true, default values are also written back to the source object. Example <do-set-default-attr-value name="L">...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-set-dest-attr-value Adds the value specified by <arg-value> to the named attribute on an object in the destination data store, and removes all other values for that attribute. The target object is specified by either <arg-dn> or <arg-association> if specified, or by the current object if not specified. Example <do-set-dest-attr-value name="OU">...
Attribute  Possible Values  Default Value
notrace  true | false  false  True if this element should not be traced during execution of the policy.
when  auto | before | after | direct  auto  When this action should be performed:
  auto - Automatically determined (either in or after the current operation).
do-set-dest-password Sets the values specified by the <arg-string>s as the old password (optional) and new password for the current object in the destination data store. The target object is specified by <arg-dn> or <arg-association> if specified or by the current object otherwise. Example <do-set-dest-password>...
Attribute  Possible Values  Default Value
disabled  true | false  false  True if this element is disabled.
notrace  true | false  false  True if this element should not be traced during execution of the policy.
when  auto | before | after | direct  auto  When this action should be performed:...
</arg-node-set> </do-set-local-variable> <!-- sets variable equal to an instance of java.util.Random --> <!-- note that the prefix jrandom needs to have been mapped to --> <!-- the URI http://www.novell.com/nxsl/java/java.util.Random --> <!-- on the <policy> --> <do-set-local-variable name="lastName"> <arg-object> <token-xpath expression="jrandom:new()"/>...
Attribute  Possible Values  Default Value
notrace  true | false  false  True if this element should not be traced during execution of the policy.
scope  policy | driver  policy  Scope of the variable. Policy: Variable is visible only within the current policy during the current invocation of the policy.
do-set-op-association Sets the association value for the current operation to the value provided by <arg-association>. Example <do-set-op-association> <arg-association> <token-src-name/> </arg-association> </do-set-op-association>
Allowed Content
Element  Description
arg-association  Association argument.
Attributes
Attribute  Possible Values  Default Value
disabled  true | false  false  True if this element is disabled.
notrace  true | false  false...
do-set-op-class-name Causes the object class name for the current operation to be set to the value provided by <arg-string>. Example <do-set-op-class-name> <arg-string> <token-text>User</token-text> <token-src-name/> </arg-string> </do-set-op-class-name>
Allowed Content
Element  Description
arg-string  String argument.
Attributes
Attribute  Possible Values  Default Value
disabled  true | false  false...
do-set-op-dest-dn Sets the destination DN for the current operation to the value provided by <arg-dn>. Example <do-set-op-dest-dn> <arg-dn> <token-text>Novell\Users\</token-text> </arg-dn> </do-set-op-dest-dn>
Allowed Content
Element  Description
arg-dn  DN argument.
Attributes
Attribute  Possible Values  Default Value
disabled  true | false  false  True if this element is disabled.
do-set-op-property Sets an operation property with the given name to the value specified by <arg-string> on the current operation. An operation property is a named value that is stored as an attribute on an <operation-data> element within an operation and is typically used to supply additional context that might be needed by the policy that handles the results of an operation.
do-set-op-src-dn Sets the source DN for the current operation to the value provided by <arg-dn>. Example <do-set-op-src-dn> <arg-dn> <token-text>Novell\Users\</token-text> <token-attr name="CN"/> </arg-dn> </do-set-op-src-dn>
Allowed Content
Element  Description
arg-dn  DN argument.
Attributes
Attribute  Possible Values  Default Value
disabled  true | false  false  True if this element is disabled.
do-set-op-template-dn Sets the template DN for the current operation to the value provided by <arg-dn>. It is only valid when the current operation is <add>. Example <do-set-op-template-dn> <arg-dn> <token-text>Novell\Users\UserTemplate</token-text> </arg-dn> </do-set-op-template-dn>
Allowed Content
Element  Description
arg-dn  DN argument.
Attributes
Attribute...
do-set-src-attr-value Adds the value specified by <arg-value> to the named attribute on an object in the source data store and all other values for that attribute are removed. The target object is specified by either <arg-dn> or <arg-association> if specified or by the current object otherwise. Example <do-set-src-attr-value name="OU">...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-set-src-password Sets the values specified by the <arg-string>s as the old password (optional) and new password for the current object in the destination data store. The target object is specified by either <arg-dn> or <arg-association> if specified or by the current object otherwise. Example <do-set-src-password>...
Content Rule
(( arg-dn | arg-association ) ? , arg-string, arg-string ? )
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-set-sso-credential Sets a credential on the object specified by the <arg-dn> element in the Single Sign On credential store specified by the <store-def-dn> element for the application specified by the <app-id> element. The credential information is specified by additional named <arg-string> elements. The number of the strings and the names used are dependent on the credential store and application for which the credential is targeted.
Attribute  Possible Values  Default Value
notrace  true | false  false  True if this element should not be traced during execution of the policy.
store-def-dn  CDATA  #REQUIRED  Slash form DN of the credential store definition object. Can be relative to the including policy.
do-set-sso-passphrase Sets the passphrase question and answer specified by <arg-string> elements on the object specified by the <arg-dn> element in the Single Sign On credential store specified by the <store-def-dn> element. Example <do-set-sso-passphrase store-def-dn="../Library/SSO1"> <arg-dn> <token-parse-dn src-dn-format="src-dn" dest-dn-format="ldap" start="0" length="-1"> <token-src-dn/>...
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-set-xml-attr Sets a custom XML attribute named by the name attribute on the set of elements selected by expression. Example <do-set-xml-attr name="cert-id" expression="."> <arg-string> <token-text>c:\lotus\domino\data\eng.id</token-text> </arg-string> </do-set-xml-attr> <do-set-xml-attr name="cert-pwd" expression="."> <arg-string> <token-text>certify2eng</token-text> </arg-string> </do-set-xml-attr> Allowed Content Element Description arg-string String argument. Attributes Attribute Possible Values...
Content Rule
( arg-string )
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
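The do-set-xml-attr example above writes the certifier password into the policy as a literal <token-text>, so the secret sits in clear text in the policy object and in any policy export or trace. The following is an added example, not part of the original reference, showing the same two attributes set with the secret supplied by <token-named-password> instead (the named password is assumed to have been defined on the driver under the name eng-cert-pwd); notrace keeps the action itself out of the policy trace.

```xml
<!-- Added example (not from the original document). The cert-id value is the
     one used in the reference's own example; the named password "eng-cert-pwd"
     is an assumed name of a password defined on the driver. -->
<do-set-xml-attr name="cert-id" expression=".">
  <arg-string>
    <token-text>c:\lotus\domino\data\eng.id</token-text>
  </arg-string>
</do-set-xml-attr>
<!-- The password never appears in the policy XML; it is resolved at run time
     from the driver's named-password store. notrace="true" suppresses tracing
     of this action so the resolved value is not written to DSTRACE output. -->
<do-set-xml-attr name="cert-pwd" expression="." notrace="true">
  <arg-string>
    <token-named-password name="eng-cert-pwd"/>
  </arg-string>
</do-set-xml-attr>
```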
If any type of error occurs while starting the workflow, the error string is available to the enclosing policy in the local variable named error.do-start-workflow. Otherwise that local variable is unavailable. Example <do-start-workflow workflow-id="CN=ApproveCellPhone,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,O=novell" url="http://localhost:8080/IDMProv" id="cn=WorkflowAdmin,o=People"> <arg-password> <token-named-password name="workflow-admin"/> </arg-password> <arg-dn> <token-parse-dn src-dn-format="qualified-slash" dest-dn-format="ldap"> <token-xpath expression="@qualified-src-dn"/> </token-parse-dn>...
Element  Description
arg-string  String argument.
Attributes
Attribute  Possible Values  Default Value
disabled  true | false  false  True if this element is disabled.
id  CDATA  #REQUIRED  The LDAP format DN of a user authorized to start workflows on the User Application server. Supports variable expansion.
do-status Generates a status notification with the specified level and with a message provided by <arg-string>. Remarks If the level is retry, then the policy immediately halts processing of the input document and schedules a retry of the event currently being processed. If the level is fatal, then the policy immediately halts processing of the input document and initiates a shutdown of the driver.
Parent Elements
Element  Description
actions  Actions that are performed by a <rule>.
arg-actions  Actions argument.
do-strip-op-attr Strips all elements that are children of the current operation with the attr-name attribute equal to the name specified by name from the current operation. Example <do-strip-op-attr name="Member"/> Allowed Content EMPTY Attributes Attribute Possible Values Default Value disabled true | false false True if this element is disabled.
do-strip-xpath Removes nodes selected by the XPath 1.0 expression from the current operation. The expression must evaluate to a node set. Example <do-strip-xpath expression="*[@attr-name='OU']"/> Allowed Content EMPTY Attributes Attribute Possible Values Default Value disabled true | false false True if this element is disabled. expression CDATA #REQUIRED...
do-trace-message Causes the trace message provided by <arg-string> to be sent to DSTRACE if the specified level is less than or equal to the currently configured trace level. Example <do-trace-message level="0" color="blue"> <arg-string> <token-text>placing new object at </token-text> <token-dest-dn/> </arg-string> </do-trace-message>
Allowed Content
Element  Description
arg-string...
Page 319
Parent Elements Element Description actions Actions that are performed by a <rule>. arg-actions Actions argument. DirXML Script DTD 319...
do-veto

Cancels the current operation.

Example

<do-veto/>

Allowed Content
  EMPTY

Attributes
  disabled (true | false; default false): True if this element is disabled.
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.

do-veto-if-op-attr-not-available

Cancels the current operation if the named attribute is not available in the current operation.

Example

<do-veto-if-op-attr-not-available name="CN"/>

Allowed Content
  EMPTY

Attributes
  disabled (true | false; default false): True if this element is disabled.
  name (CDATA; #REQUIRED): Name of the attribute.
do-while

Causes the actions specified by <arg-actions> to be repeated while the conditions specified by <arg-conditions> evaluate to true.

Example

<do-set-local-variable name="counter">
  <arg-string>
    <token-text>1</token-text>
  </arg-string>
</do-set-local-variable>
<do-while>
  <arg-conditions>
    <and>
      <if-local-variable name="counter" op="not-gt" mode="numeric">10</if-local-variable>
    </and>
  </arg-conditions>
  <arg-actions>
    <do-trace-message level="0" color="yellow">
      <arg-string>
...

Attributes
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Content Rule
  ( arg-conditions , arg-actions )

Parent Elements
  actions: Actions that are performed by a <rule>.
  arg-actions: Actions argument.
if-association

Performs a test on the association value of the current operation or the current object. The type of test performed depends on the operator specified by the op attribute. The following table shows the type of test performed by each operator.

Remarks

Operator: Returns true when...
...

Attributes
  disabled (true | false; default false): True if this element is disabled.
  mode (case | nocase | regex | src-dn | dest-dn | numeric | octet; default nocase): Comparison mode if op implies a comparison.
  notrace (true | false; default false): True if this element should not be...
if-attr

Performs a test on attribute values of the current object in either the current operation or the source data store.

Remarks

It can logically be thought of as equivalent to:

<or>
  <if-op-attr/>
  <if-src-attr/>
</or>

Operator: Returns true when...
  available: There is a value available in either the current operation or the source data store for the specified attribute.

Allowed Content
  #PCDATA
  component: Value component.

Attributes
  disabled (true | false; default false): True if this element is disabled.
  mode (case | nocase | regex | src-dn | dest-dn | numeric | octet | structured; default nocase): Comparison mode if op implies a comparison.
if-class-name

Performs a test on the object class name in the current operation.

Remarks

Operator: Returns true when...
  available: There is an object class name available in the current operation.
  equal: There is an object class name available in the current operation and it equals the content of <if-class-name>...

Attributes
  mode (case | nocase | regex | src-dn | dest-dn | numeric | octet; default nocase): Comparison mode if op implies a comparison.
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.
if-dest-attr

Performs a test on attribute values of the current object in the destination data store. The type of test performed depends on the operator specified by the op attribute. The table below shows the type of test performed by each operator.

Remarks

Operator: Returns true when...
...

Allowed Content
  #PCDATA

Attributes
  disabled (true | false; default false): True if this element is disabled.
  mode (case | nocase | regex | src-dn | dest-dn | numeric | octet | structured; default nocase): Comparison mode if op="equal" or op="not-equal"...
Supports variable expansion.
  not-available: Available returns false.
  not-equal: Equal returns false.
  not-lt: Less than returns false.
  not-gt: Greater than returns false.

Example

<if-dest-dn op="available"/>
<if-dest-dn op="equal">Novell\Users\Fred</if-dest-dn>
<if-dest-dn op="in-container">Novell\Users</if-dest-dn>
<if-dest-dn op="in-subtree">Novell</if-dest-dn>

Allowed Content
  #PCDATA
...

Attributes
  disabled (true | false; default false): True if this element is disabled.
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.
  op (available | equal | in-container | in-subtree | not-available | not-equal | not-in-container | not-in-...; #REQUIRED)
if-entitlement

Performs a test on entitlements of the current object in either the current operation or the Identity Vault data store.

Remarks

Operator: Returns true when...
  available: The named entitlement is available and granted in either the current operation or the Identity Vault data store.
  not-lt: Less than returns false.
  not-gt: Greater than returns false.

Example

<if-entitlement op="available" name="notes-group"/>
<if-entitlement op="changing" name="notes-group"/>
<if-entitlement op="changing-from" name="notes-group">Sales</if-entitlement>
<if-entitlement op="changing-to" name="notes-group">Sales</if-entitlement>
<if-entitlement op="equal" mode="nocase" name="notes-group">Sales</if-entitlement>

Allowed Content
  #PCDATA

Attributes
  disabled (true | false; default false)...
if-global-variable

Performs a test on a global configuration variable. The type of test performed depends on the operator specified by the op attribute. The following table shows the type of test performed by each operator.

Remarks

Operator: Returns true when...
  available: There is a global configuration variable with the specified name.

Attributes
  disabled (true | false; default false): True if this element is disabled.
  mode (case | nocase | regex | src-dn | dest-dn | numeric | octet; default nocase): Comparison mode if op implies a comparison.
  name (CDATA; #REQUIRED): Name of the variable.
if-local-variable

Performs a test on a local variable. The type of test performed depends on the operator specified by the op attribute. The following table shows the type of test performed by each operator. If the local variable holds a node set, the string value of each node in the node set is used for comparison purposes.

Attributes
  disabled (true | false; default false): True if this element is disabled.
  mode (case | nocase | regex | src-dn | dest-dn | numeric | octet; default nocase): Comparison mode if op="equal" or op="not-equal".
  name (CDATA; #REQUIRED): Name of the variable.
if-named-password

Performs a test on a named password from the driver. The type of test performed depends on the operator specified by the op attribute. The following table shows the type of test performed by each operator.

Remarks

Operator: Returns true when...
  available: There is a password with the specified name available.

Parent Elements
  and: Logical conjunction.
  or: Logical disjunction.
...
if-op-attr

Performs a test on attribute values in the current operation.

Remarks

Operator: Returns true when...
  available: There is a value available in the current operation (<add-attr>, <add-value> or <attr>) for the specified attribute.
  changing: The current operation contains a change (<modify-attr>...
  not-available: Available returns false.
  not-changing: Changing returns false.
  not-changing-from: Changing-from returns false.
  not-changing-to: Changing-to returns false.
  not-equal: Equal returns false.
  not-lt: Less than returns false.
  not-gt: Greater than returns false.

Example

<if-op-attr op="available" name="OU"/>
<if-op-attr op="changing" name="OU"/>
<if-op-attr op="changing-from"...

Attributes
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.
  op (available | changing | changing-from | changing-to | equal | lt | gt | not-available | not-changing | not-changing-from | not-changing-to | not-equal | not-lt | not-gt; #REQUIRED): Test operator.
if-op-property

Performs a test on an operation property on the current operation. The type of test performed depends on the operator specified by the op attribute. The following table shows the type of test performed by each operator.

Remarks

Operator: Returns true when...
...

Attributes
  disabled (true | false; default false): True if this element is disabled.
  mode (case | nocase | regex | src-dn | dest-dn | numeric | octet; default nocase): Comparison mode if op="equal" or op="not-equal".
  name (CDATA; #REQUIRED): Name of the operation property.
if-operation

Performs a test on the name of the current operation. The type of test performed depends on the operator specified by the op attribute. The following table shows the type of test performed by each operator.

Remarks

Operator: Returns true when...
  equal: The name of the current operation is exactly equal to the content of <if-operation>.

Attributes
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.
  op (equal | lt | gt | not-equal | not-lt | not-gt; #REQUIRED): Test operator.

Content Rule
  ( #PCDATA )

Parent Elements
...
if-password

Performs a test on a password in the current operation. The type of test performed depends on the operator specified by the op attribute. The following table shows the type of test performed by each operator.

Remarks

Operator: Returns true when...
  available: There is a password available in the current operation.

Attributes
  mode (case | nocase | regex | src-dn | dest-dn | numeric | octet; default case): Comparison mode if op implies a comparison.
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.
if-src-attr

Performs a test on attribute values of the current object in the source data store. The type of test performed depends on the operator specified by the op attribute. The following table shows the type of test performed by each operator.

Remarks

Operator: Returns true when...
...

Allowed Content
  #PCDATA
  component: Value component.

Attributes
  disabled (true | false; default false): True if this element is disabled.
  mode (case | nocase | regex | src-dn | dest-dn | numeric | octet | structured; default nocase): Comparison mode if op implies a comparison.
  not-available: Available returns false.
  not-equal: Equal returns false.
  not-lt: Less than returns false.
  not-gt: Greater than returns false.

Example

<if-src-dn op="available"/>
<if-src-dn op="equal">Novell\Users\Fred</if-src-dn>
<if-src-dn op="in-container">Novell\Users</if-src-dn>
<if-src-dn op="in-subtree">Novell</if-src-dn>

Allowed Content
  #PCDATA

Attributes
  disabled (true | false; default false): True if this element is disabled.
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.
  op (available | equal | in-container | in-subtree | not-available | not-equal | not-in-container | not-in-subtree; #REQUIRED): Test operator.
if-xml-attr

Performs a test on an XML attribute of the current operation. The type of test performed depends on the operator specified by the op attribute. The following table shows the type of test performed by each operator.

Remarks

Operator: Returns true when...
...

Attributes
  disabled (true | false; default false): True if this element is disabled.
  mode (case | nocase | regex | src-dn | dest-dn | numeric | octet; default nocase): Comparison mode if op implies a comparison.
  name (CDATA; #REQUIRED): Tag name of the XML attribute.
if-xpath

Performs a test on the results of evaluating an XPath 1.0 expression. The type of test performed depends on the operator specified by the op attribute. The following table shows the type of test performed by each operator.

Remarks

Operator: Returns true when...
...

Parent Elements
  and: Logical conjunction.
  or: Logical disjunction.
...
include

Includes the rules from the policy referenced by the name attribute at runtime into the including policy, as if they were part of the including policy at the point of inclusion.

Remarks

The name attribute should be the slash form DN of the object containing the policy to be included. The DN might be relative to the including policy.
or

Specifies a set of tests that are to be performed and whose results are to be logically ORed together. A set of <or> elements enclosed by a <conditions> are ANDed together.

Example

See <policy>.

Allowed Content
  if-association: Tests an association.
  if-attr: Tests an attribute in the current operation or the current object in the source data store.

Attributes
  disabled (true | false; default false): True if this element is disabled.
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Content Rule
  ( if-association | if-attr | if-class-name | if-dest-attr | if-dest-dn | if-entitlement | if-global-variable | if-local-variable | if-named-password | if-op-attr | if-op-property | if-operation | if-password | if-src-attr | if-src-dn | if-xml-attr | if-xpath ) *

Parent Elements...
policy

A policy consists of an ordered set of <rule>s. A <rule> consists of a set of <conditions> to be tested and an ordered set of <actions> to be performed when the conditions are met.

Remarks

A <policy> operates on an XDS document and its primary purpose is to examine and modify that document.

Name: Type. Description
  fromNDS: policy local/boolean. True if the source data store is eDirectory. False if the source data store is the connected application.
  destQueryProcessor: policy local/java object. Instance of XdsQueryProcessor used to query the destination data store.
  srcQueryProcessor: policy local/java object. Instance of XdsQueryProcessor used to query the source data store.

Date/Time Parameters

Tokens that deal with dates and times have arguments that deal with the format, language, and time zone of the date and time representation. Date format arguments may be specified in one of two ways. If the format begins with a '!' character, then the format is a named format. Legal names are defined in the following table:

Name: Description...

XPath Evaluation

Arguments to some conditions and actions take an XPath 1.0 expression. This XPath is evaluated with the following context:
  The context node is the current operation unless otherwise specified in the description of the expression.
  The context position and size are 1.
  Available variables: Those available as parameters to style sheets within the Identity Manager Metadirectory engine (currently fromNDS, srcQueryProcessor, destQueryProcessor,...

      <if-class-name op="equal" mode="nocase">Group</if-class-name>
    </or>
    <or>
      <if-attr op="equal" mode="nocase" name="Login Disabled">true</if-attr>
    </or>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>
</policy>

Allowed Content
  description: Description of a <policy> or a <rule>.
  rule: Rule within a policy.
  include: Include rules from another policy.

Attributes
  None

Content Rule...
rule

Specifies a set of <actions> and a set of <conditions> under which those <actions> are performed.

Example

See <policy>.

Allowed Content
  description: Description of a <policy> or a <rule>.
  comment: Long description of a <rule>.
  conditions: Conditions under which the actions of a <rule> are performed.
token-added-entitlement

Expands to the granted values of the named entitlement in the current operation. If its parent element is <arg-node-set>, then all the available values are returned as <entitlement-impl> elements in a node set. Otherwise, the first available value is returned as a string.

Example

<token-added-entitlement name="manager"/>...

  token-base64-encode: Encodes a string into base64 data.
  token-convert-time: Converts a date/time from one format to another format.
  token-escape-for-dest-dn: Converts a string for use in a destination DN.
  token-escape-for-src-dn: Converts a string for use in a source DN.
  token-join: Joins a node set into a string.
token-association

Expands to the association value specified in the current operation.

Example

<token-association/>

Allowed Content
  EMPTY

Attributes
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Content Declaration
  Empty

Parent Elements...
  token-join: Joins a node set into a string.
  token-lower-case: Converts a string to lowercase.
  token-map: Maps a string through a mapping table.
  token-parse-dn: Parses or converts a DN.
  token-replace-all: Replaces all instances of a substring within a string.
  token-replace-first: Replaces a single instance of a substring within a string.
token-attr

Expands to the attribute values of the current object in either the current operation or the source data store. It can logically be thought of as the union of <token-op-attr> and <token-src-attr>. If its parent element is <arg-node-set>, then all the available <value> elements are returned as nodes in a node set.

  token-base64-decode: Decodes base64 data into a string.
  token-base64-encode: Encodes a string into base64 data.
  token-convert-time: Converts a date/time from one format to another.
  token-escape-for-dest-dn: Converts a string for use in a destination DN.
  token-escape-for-src-dn: Converts a string for use in a source DN.
  token-join: Joins a node set into a string.
token-base64-decode

Decodes the result of the enclosed tokens from base64 encoded data to bytes and then converts the bytes into a string using the character set specified by charset.

Example

<token-base64-decode charset="UTF-8">
  <token-op-attr name="data"/>
</token-base64-decode>

Allowed Content
  arg-association: Association argument.
  token-xml-serialize: Serializes XML.

Attributes
  charset (CDATA; #IMPLIED): The character set used to convert the decoded bytes to a string. If not specified, the encoding specified by the system property file.encoding is used. Supports variable expansion.

  token-base64-decode: Decodes base64 data into a string.
  token-base64-encode: Encodes a string into base64 data.
  token-convert-time: Converts a date/time from one format to another.
  token-escape-for-dest-dn: Converts a string for use in a destination DN.
  token-escape-for-src-dn: Converts a string for use in a source DN.
  token-join: Joins a node-set into a string.
token-base64-encode

Converts the result of the enclosed tokens to bytes using the character set specified by charset, and then base64 encodes the bytes.

Example

<token-base64-encode charset="UTF-8">
  <token-op-attr name="Surname"/>
</token-base64-encode>

Allowed Content
  token-added-entitlement: The values of an entitlement granted in the current operation.
  token-lower-case: Converts a string to lower case.
  token-map: Maps a string through a mapping table.
  token-named-password: The value of the named password.
  token-op-attr: The values of an attribute in the current operation.
  token-op-property: The value of an operation property.
  token-operation: The name of the current operation.

Attributes
  charset (CDATA; #REQUIRED): The character set used to convert the string to bytes. If not specified, the encoding specified by the system property file.encoding is used. Supports variable expansion.
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.

  token-escape-for-dest-dn: Converts a string for use in a destination DN.
  token-escape-for-src-dn: Converts a string for use in a source DN.
  token-join: Joins a node set into a string.
  token-lower-case: Converts a string to lowercase.
  token-map: Maps a string through a mapping table.
  token-parse-dn: Parses or converts a DN.
token-char

Expands to the character specified by the Unicode code point specified by the value.

Example

<token-char value="10"/>

Allowed Content
  EMPTY

Attributes
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.

  token-convert-time: Converts a date/time from one format to another.
  token-escape-for-dest-dn: Converts a string for use in a destination DN.
  token-escape-for-src-dn: Converts a string for use in a source DN.
  token-join: Joins a node set into a string.
  token-lower-case: Converts a string to lowercase.
token-class-name

Expands to the object class name specified in the current operation.

Example

<token-class-name/>

Allowed Content
  EMPTY

Attributes
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.

  token-join: Joins a node-set into a string.
  token-lower-case: Converts a string to lowercase.
  token-map: Maps a string through a mapping table.
  token-parse-dn: Parses or converts a DN.
  token-replace-all: Replaces all instances of a substring within a string.
  token-replace-first: Replaces a single instance of a substring within a string.
token-convert-time

Converts the date/time represented by the result of the enclosed tokens from the format, language and time zone specified by src-format, src-lang, and src-tz, to the format, language, and time zone specified by dest-format, dest-lang, and dest-tz, and adds an optional offset time specified by offset and offset-unit.

  token-global-variable: The value of a global variable.
  token-join: Joins a node-set into a string.
  token-local-variable: The value of a local variable.
  token-lower-case: Converts a string to lowercase.
  token-map: Maps a string through a mapping table.
  token-named-password: The value of the named password.
  token-op-attr: The values of an attribute in the current operation.
  token-xml-serialize: Serializes XML.
  token-xpath: The result of an XPath expression.

Attributes
  dest-format (CDATA; #REQUIRED): The destination date/time format. Supports variable expansion.
  dest-lang (CDATA; #IMPLIED): The destination language (defaults to the current system language). Supports variable expansion.
  src-tz (CDATA; #IMPLIED): The source time zone (defaults to the current system time zone). Supports variable expansion.

Content Rule
  ( token-added-entitlement | token-association | token-attr | token-base64-decode | token-base64-encode | token-char | token-class-name | token-convert-time | token-dest-attr | token-dest-dn | token-dest-name | token-document | token-entitlement | token-escape-for-dest-dn | token-escape-for-src-dn | token-generate-password | token-global-variable | token-join | token-local-variable | token-lower-case | token-named-password | token-map | token-op-attr | token-op-property | token-operation |...

  token-replace-first: Replaces a single instance of a substring within a string.
  token-split: Splits a string into a node set.
  token-substring: Substring of a string.
  token-upper-case: Converts a string to uppercase.
  token-xml-parse: Parses XML.
  token-xml-serialize: Serializes XML.
...
token-dest-attr

Expands to the attribute values of the current object in the destination data store. If its parent element is <arg-node-set>, then all the available <value> elements are returned as nodes in a node set. Otherwise, the first available value is returned as a string.

Example

<token-dest-attr name="OU"/>...

  arg-component: Component argument.
  arg-dn: DN argument.
  arg-node-set: Node set argument.
  arg-password: Password argument.
  arg-string: String argument.
  arg-value: Value argument.
  token-base64-decode: Decodes base64 data into a string.
  token-base64-encode: Encodes a string into base64 data.
  token-convert-time: Converts a date/time from one format to another.
  token-escape-for-dest-dn: Converts a string for use in a destination DN.
token-dest-dn

Expands to the destination DN specified in the current operation, or a portion thereof. If start and length are not specified or are set to the default values {0,-1}, then the entire DN is used; otherwise only the portion of the DN specified by start and length is used. The format of the DN is automatically set to the format of the source data store if the convert attribute is set to true.

Parent Elements
  arg-association: Association argument.
  arg-component: Component argument.
  arg-dn: DN argument.
  arg-node-set: Node set argument.
  arg-password: Password argument.
  arg-string: String argument.
  arg-value: Value argument.
  token-base64-decode: Decodes base64 data into a string.
  token-base64-encode: Encodes a string into base64 data.
  token-convert-time: Converts a date/time from one format to another.
token-dest-name

Expands to the unqualified RDN of the destination DN specified in the current operation.

Example

<token-dest-name/>

Allowed Content
  EMPTY

Attributes
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.

  token-join: Joins a node-set into a string.
  token-lower-case: Converts a string to lowercase.
  token-map: Maps a string through a mapping table.
  token-parse-dn: Parses or converts a DN.
  token-replace-all: Replaces all instances of a substring within a string.
  token-replace-first: Replaces a single instance of a substring within a string.
token-document

Reads the XML document pointed to by the URI specified by the arg-string and returns the document node in a node set. The URI can be relative to the URI of the including policy. If the URI or DN cannot be resolved to a well-formed XML document, the result is an empty node set.

Example

<token-document>...

  arg-value: Value argument.
  token-base64-decode: Decodes base64 data into a string.
  token-base64-encode: Encodes a string into base64 data.
  token-convert-time: Converts a date/time from one format to another.
  token-escape-for-dest-dn: Converts a string for use in a destination DN.
  token-escape-for-src-dn: Converts a string for use in a source DN.
  token-join: Joins a node-set into a string.
token-entitlement

Expands to the granted values of the named entitlement for the current object. If its parent element is <arg-node-set>, then all the available values are returned as <entitlement-impl> elements in a node set. Otherwise, the first available value is returned as a string.

Example

<token-entitlement name="manager"/>...

  token-base64-encode: Encodes a string into base64 data.
  token-convert-time: Converts a date/time from one format to another.
  token-escape-for-dest-dn: Converts a string for use in a destination DN.
  token-escape-for-src-dn: Converts a string for use in a source DN.
  token-join: Joins a node-set into a string.
  token-lower-case: Converts a string to lowercase.
token-escape-for-dest-dn

Expands to a version of the expansion of the concatenation of the enclosed tokens, which has been escaped for use in a DN according to the rules of the destination DN format.

Example

<token-escape-for-dest-dn>
  <token-attr name="Surname"/>
</token-escape-for-dest-dn>

Allowed Content
  token-added-entitlement...
  token-lower-case: Converts a string to lowercase.
  token-map: Maps a string through a mapping table.
  token-named-password: The value of the named password.
  token-op-attr: The values of an attribute in the current operation.
  token-op-property: The value of an operation property.
  token-operation: The name of the current operation.

Attributes
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Content Rule
  ( token-added-entitlement | token-association | token-attr | token-base64-decode | token-base64-encode | token-char | token-class-name | token-convert-time | token-dest-attr | token-dest-dn | token-dest-name | token-document | token-entitlement | token-escape-for-dest-dn | token-escape-for-src-dn | token-generate-password | token-global-variable | token-join | token-local-variable | token-lower-case | token-named-password | token-map | token-op-attr | token-op-property | token-operation |...

  token-parse-dn: Parses or converts a DN.
  token-replace-all: Replaces all instances of a substring within a string.
  token-replace-first: Replaces a single instance of a substring within a string.
  token-split: Splits a string into a node set.
  token-substring: Substring of a string.
  token-upper-case: Converts a string to uppercase.
token-escape-for-src-dn

Expands to a version of the expansion of the concatenation of the enclosed tokens that has been escaped for use in a DN according to the rules of the source DN format.

Example

<token-escape-for-src-dn>
  <token-attr name="Surname"/>
</token-escape-for-src-dn>

Allowed Content
  token-added-entitlement...
  token-lower-case: Converts a string to lowercase.
  token-map: Maps a string through a mapping table.
  token-named-password: The value of the named password.
  token-op-attr: The values of an attribute in the current operation.
  token-op-property: The value of an operation property.
  token-operation: The name of the current operation.

Attributes
  notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Content Rule
  ( token-added-entitlement | token-association | token-attr | token-base64-decode | token-base64-encode | token-char | token-class-name | token-convert-time | token-dest-attr | token-dest-dn | token-dest-name | token-document | token-entitlement | token-escape-for-dest-dn | token-escape-for-src-dn | token-generate-password | token-global-variable | token-join | token-local-variable | token-lower-case | token-named-password | token-map | token-op-attr | token-op-property | token-operation |...

  token-parse-dn: Parses or converts a DN.
  token-replace-all: Replaces all instances of a substring within a string.
  token-replace-first: Replaces a single instance of a substring within a string.
  token-split: Splits a string into a node set.
  token-substring: Substring of a string.
  token-upper-case: Converts a string to uppercase.
token-generate-password

Expands to a randomly generated password that conforms to the password policy specified by policy-dn. If policy-dn is not specified, the effective password policy of the current object in eDirectory is used. If the current object does not yet exist in eDirectory (e.g. the target of an add operation on the publisher channel), the effective password policy of the target container is used.

  arg-value: Value argument.
  token-base64-decode: Decodes base64 data into a string.
  token-base64-encode: Encodes a string into base64 data.
  token-convert-time: Converts a date/time from one format to another format.
  token-escape-for-dest-dn: Converts a string for use in the destination DN.
  token-escape-for-src-dn: Converts a string for use in a source DN.
token-global-variable
Expands to the value of the named global configuration variable.

Example
<token-global-variable name="Fred"/>

Allowed Content
EMPTY

Attributes
name (CDATA; #REQUIRED): Name of the variable. Supports variable expansion.
notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Element Description
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-lower-case: Convert a string to lowercase.
token-join
Joins the values of the nodes in the node-set result of the enclosed tokens, separating the values by the characters specified by the delimiter. If csv is true, then CSV quoting rules are applied to the values.

Example
<!-- combine all of the members of the group into a CSV record -->
<token-join delimiter=","...

Element Description
token-local-variable: The value of a local variable.
token-lower-case: Converts a string to lowercase.
token-map: Maps a string through a mapping table.
token-named-password: The value of the named password.
token-op-attr: The values of an attribute in the current operation.
token-op-property: The value of an operation property.

Attributes
csv (true | false; default false): Applies CSV quoting to values.
delimiter (CDATA; #REQUIRED): The string used to delimit the joined values. Supports variable expansion.
notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Element Description
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-lower-case: Convert a string to lowercase.
token-map: Map a string through a mapping table.
token-parse-dn: Parses or converts a DN.
token-local-variable
Expands to the value of the named local variable. If its parent element is not <arg-node-set> and the variable holds a node set, then the string value of the node set is returned. If the same local variable exists in both the policy scope and the driver scope, the variable in the policy scope takes precedence.

Element Description
token-base64-decode: Decode base64 data into a string.
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-lower-case
Converts each character of the result of the enclosed tokens to lowercase.

Example
<token-lower-case>
  <token-attr name="Surname"/>
</token-lower-case>

Allowed Content
Element Description
token-added-entitlement: The values of an entitlement granted in the current operation.
token-association: The association value from the current operation.
token-attr: The values of an attribute in the current operation or current object in the source data store.

Element Description
token-map: Maps a string through a mapping table.
token-named-password: The value of the named password.
token-op-attr: The values of an attribute in the current operation.
token-op-property: The value of an operation property.
token-operation: The name of the current operation.
token-parse-dn: Parses or converts a DN.

Attributes
name (CDATA; #REQUIRED): Name of the attribute. Supports variable expansion.
notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Content Rule
( token-added-entitlement | token-association | token-attr | token-base64-decode | token-base64-encode | token-char | token-class-name | token-convert-time | token-dest-attr | token-dest-dn | token-dest-name | token-document | token-entitlement | token-escape-for-dest-dn | token-escape-for-src-dn | token-generate-password | token-global-variable | token-join | token-local-variable | token-lower-...

Element Description
token-join: Join a node set into a string.
token-lower-case: Convert a string to lowercase.
token-map: Map a string through a mapping table.
token-parse-dn: Parses or converts a DN.
token-replace-all: Replaces all instances of a substring with a string.
token-replace-first: Replaces a single instance of a substring within a string.
token-map
Maps the result of the enclosed tokens from the values specified by the src column to the dest column in the mapping table specified by table.

Remarks
The table attribute should be the slash form DN of the DirXML-Resource object containing the mapping table to be used.

Element Description
token-dest-name: The unqualified RDN derived from the destination DN from the current operation.
token-document: Reads an XML document.
token-entitlement: The values of a granted entitlement of the current object.
token-escape-for-dest-dn: Converts a string for use in a destination DN.
token-escape-for-src-dn: Converts a string for use in a source DN.

Element Description
token-substring: Substring of a string.
token-text: Constant text.
token-time: The current date/time.
token-unique-name: Generates a unique name.
token-unmatched-src-dn: A DN relative to the one matched by if-src-dn.
token-upper-case: Converts a string to uppercase.
token-xml-parse: Parses XML.
token-xml-serialize: Serializes XML.
token-xpath: The result of an XPath expression.
token-named-password
Expands to the named password from the driver.

Example
<token-named-password name="extraPassword"/>

Allowed Content
EMPTY

Attributes
name (CDATA; #REQUIRED): Name of the attribute. Supports variable expansion.
notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Element Description
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-lower-case: Convert a string to lowercase.
token-op-attr
Expands to the attribute values in the current operation (<add-attr>, <add-value> or <attr>). If its parent element is <arg-node-set>, then all the available <value> elements are returned as nodes in a node set. Otherwise, the first available value is returned as a string.

Example
<token-op-attr name="OU"/>...

Element Description
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-op-property
Expands to the value of the named operation property on the current operation.

Example
<token-op-property name="myProperty"/>

Allowed Content
EMPTY

Attributes
name (CDATA; #REQUIRED): Name of the attribute. Supports variable expansion.
notrace (true | false; default false): True if this element should not be traced during execution of the...

Element Description
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-lower-case: Convert a string to lowercase.
token-operation
Expands to the name of the current operation.

Example
<token-operation/>

Allowed Content
EMPTY

Attributes
notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Content Declaration
Empty

Parent Elements
Element...

Element Description
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-lower-case: Convert a string to lowercase.
token-map: Map a string through a mapping table.
token-parse-dn: Parses or converts a DN.
token-replace-all: Replaces all instances of a substring with a string.
token-parse-dn
Expands to a version of the DN specified by expansion of the concatenation of the enclosed tokens. The DN is parsed according to the format specified by <src-dn-format>. The portion of the DN specified by start and length is then converted to the format specified by <dest-dn-format>.

Remarks
<src-dn-delims>...

Element Description
token-char: A Unicode character.
token-class-name: The object class name from the current operation.
token-convert-time: Converts a date/time from one format to another.
token-dest-attr: The values of an attribute of current object in the destination data store.
token-dest-dn: A value derived from the destination DN from the current operation.

Element Description
token-resolve: Resolves a DN to an association key or an association key to a DN.
token-split: Splits a string into a node set.
token-src-attr: The values of an attribute of the current object in the source data store.
token-src-dn: A value derived from the source DN from the current operation.

Attributes
length (CDATA): The number of DN segments to include. Negative numbers are interpreted as (total # of segments + length) + 1. For example, for a DN with 5 segments a length of -1 = (5 + (-1)) + 1 = 5, -2 = (5 + (-2)) + 1 = 4, etc.

Parent Elements
Element Description
arg-association: Association argument.
arg-component: Component argument.
arg-dn: DN argument.
arg-node-set: Node set argument.
arg-password: Password argument.
arg-string: String argument.
arg-value: Value argument.
token-base64-decode: Decode base64 data into a string.
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
token-password
Expands to the password specified in the current operation.

Example
<token-password/>

Allowed Content
EMPTY

Attributes
notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Content Declaration
Empty

Parent Elements
Element...

Element Description
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-lower-case: Convert a string to lowercase.
token-map: Map a string through a mapping table.
token-parse-dn: Parses or converts a DN.
token-replace-all: Replaces all instances of a substring with a string.
token-query
Causes a <query> to be performed in the source or destination data store and returns the resulting <instance> elements.

Remarks
The data store to search is specified by the datastore attribute. The base of the query is specified by either <arg-dn> or <arg-association>. If neither is specified, then the base is the root of the data store.

Element Description
arg-dn: DN argument.
arg-match-attr: Matches the attribute argument.
arg-string: String argument.

Attributes
class-name (CDATA; #IMPLIED): The class name of the query. Supports variable expansion.
datastore (src | dest; default dest): The data store to be queried.
max-result-count (CDATA; #IMPLIED):...

Element Description
arg-node-set: Node set argument.
arg-password: Password argument.
arg-string: String argument.
arg-value: Value argument.
token-base64-decode: Decode base64 data into a string.
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-removed-attr
Expands to the attribute values removed in the current operation (<remove-attr>). If its parent element is <arg-node-set>, then all the available <value> elements are returned as nodes in a node set. Otherwise, the first available value is returned as a string.

Example
<token-removed-attr name="OU"/>...

Element Description
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-lower-case: Convert a string to lowercase.
token-removed-entitlement
Expands to the revoked values of the named entitlement in the current operation. If its parent element is <arg-node-set>, then all the available values are returned as <entitlement-impl> elements in a node set. Otherwise, the first available value is returned as a string.

Example
<token-removed-entitlement name="manager"/>...

Element Description
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-lower-case: Convert a string to lowercase.
token-replace-all
Expands to a version of the expansion of the concatenation of the enclosed tokens where all matching instances of the regular expression specified by regex are replaced by the string specified by replace-with.

Remarks
See http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html and http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Matcher.html#replaceAll(java.lang.String). The pattern options CASE_INSENSITIVE, DOTALL, and UNICODE_CASE are used but can be reversed using the appropriate embedded escapes.

Element Description
token-escape-for-dest-dn: Converts a string for use in a destination DN.
token-escape-for-src-dn: Converts a string for use in a source DN.
token-generate-password: Generates a random password.
token-global-variable: The value of a global variable.
token-join: Joins a node-set into a string.
token-local-variable: The value of a local variable.

Element Description
token-unmatched-src-dn: A DN relative to the one matched by if-src-dn.
token-upper-case: Converts a string to uppercase.
token-xml-parse: Parses XML.
token-xml-serialize: Serializes XML.
token-xpath: The result of an XPath expression.

Attributes
notrace (true | false; default false): True if this element should not be traced during execution of the...

Element Description
arg-node-set: Node set argument.
arg-password: Password argument.
arg-string: String argument.
arg-value: Value argument.
token-base64-decode: Decode base64 data into a string.
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-replace-first
Expands to a version of the expansion of the concatenation of the enclosed tokens where the first matching instance of the regular expression specified by regex is replaced by the string specified by replace-with.

Remarks
See http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html and http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Matcher.html#replaceAll(java.lang.String). The pattern options CASE_INSENSITIVE, DOTALL, and UNICODE_CASE are used but can be reversed using the appropriate embedded escapes.

Element Description
token-escape-for-dest-dn: Converts a string for use in a destination DN.
token-escape-for-src-dn: Converts a string for use in a source DN.
token-generate-password: Generates a random password.
token-global-variable: The value of a global variable.
token-join: Joins a node-set into a string.
token-local-variable: The value of a local variable.

Element Description
token-unmatched-src-dn: A DN relative to the one matched by if-src-dn.
token-upper-case: Converts a string to uppercase.
token-xml-parse: Parses XML.
token-xml-serialize: Serializes XML.
token-xpath: The result of an XPath expression.

Attributes
notrace (true | false; default false): True if this element should not be traced during execution of the...

Element Description
arg-node-set: Node set argument.
arg-password: Password argument.
arg-string: String argument.
arg-value: Value argument.
token-base64-decode: Decode base64 data into a string.
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
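The replace-all and replace-first behaviour described for the two tokens above, as an added Python model; this is not the engine's code and not from the reference. Python's re stands in for java.util.regex, with the default options the reference names (CASE_INSENSITIVE and DOTALL) applied as flags; UNICODE_CASE has no separate Python flag because str patterns are Unicode-aware already. The scoped (?-i:...) group shows a default option being reversed with an embedded flag, and replace_all_literal is a hypothetical helper, not a DirXML Script token, showing why a search string that comes from directory data should be escaped before it is used as a pattern.

```python
import re

# Options the reference says the engine applies by default. Java's UNICODE_CASE
# needs no separate flag here: str patterns are already Unicode-aware in Python 3.
DEFAULT_FLAGS = re.IGNORECASE | re.DOTALL


def replace_all(text: str, regex: str, replace_with: str) -> str:
    """Model of <token-replace-all regex=... replace-with=...>: every match is replaced."""
    return re.sub(regex, replace_with, text, flags=DEFAULT_FLAGS)


def replace_first(text: str, regex: str, replace_with: str) -> str:
    """Model of <token-replace-first ...>: only the first match is replaced."""
    return re.sub(regex, replace_with, text, count=1, flags=DEFAULT_FLAGS)


def replace_all_literal(text: str, needle: str, replace_with: str) -> str:
    """Hypothetical helper: treat `needle` as plain text rather than as a pattern.

    The regex attribute is interpreted as a pattern, so a value such as "1.5"
    taken from attribute data would also match "1x5". Escaping the value first
    (re.escape here; \\Q...\\E or Pattern.quote in java.util.regex) prevents that.
    """
    return replace_all(text, re.escape(needle), replace_with)


if __name__ == "__main__":
    sample = "Fred FRED fred"                                 # constructed input
    print(replace_all(sample, "fred", "X"))                    # X X X (case-insensitive by default)
    print(replace_first(sample, "fred", "X"))                  # X FRED fred
    print(replace_all(sample, "(?-i:fred)", "X"))              # Fred FRED X (default reversed for that group)
    print(replace_all("a\nb", "a.b", "X"))                     # X (DOTALL lets . match the newline)
    print(replace_all("1.5 and 1x5", "1.5", "N"))              # N and N
    print(replace_all_literal("1.5 and 1x5", "1.5", "N"))      # N and 1x5
```

One difference worth knowing when carrying a pattern over: group references in the replacement are written $1 in java.util.regex but \1 (or \g<1>) in Python's re.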
token-resolve
Resolves the DN specified by <arg-dn> to an association key, or the association key specified by <arg-association> to a DN, in the data store specified by the datastore attribute.

Example
<token-resolve datastore="src">
  <arg-dn>
    <token-op-attr name="manager"/>
  </arg-dn>
</token-resolve>

Allowed Content
Element Description
arg-association...

Element Description
arg-password: Password argument.
arg-string: String argument.
arg-value: Value argument.
token-base64-decode: Decode base64 data into a string.
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-escape-for-src-dn: Convert a string for use in a source DN.
token-split
Splits the result of the enclosed tokens into a node set consisting of text nodes based on the pattern specified by the delimiter. If csv is true, then CSV quoting rules will be honored during the parsing of the string.

Example
<token-split delimiter=","...

Element Description
token-lower-case: Converts a string to lowercase.
token-map: Maps a string through a mapping table.
token-named-password: The value of the named password.
token-op-attr: The values of an attribute in the current operation.
token-op-property: The value of an operation property.
token-operation: The name of the current operation.

Attributes
csv (true | false; default false): Honor CSV style quoting.
delimiter (CDATA; #REQUIRED): Regular expression that matches the delimiter characters. Supports variable expansion.
notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Element Description
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-lower-case: Convert a string to lowercase.
token-map: Map a string through a mapping table.
token-parse-dn: Parses or converts a DN.
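The csv attribute on token-join and token-split, as an added Python model of the documented behaviour (not the engine's code and not from the reference). It joins constructed group-member values into one record and splits the record back, once with CSV quoting and once without, to show what the quoting protects against: a member value that contains the delimiter (an LDAP DN does, as does a display name with a comma) is otherwise broken into extra fields on the way back. The single-character delimiter requirement in CSV mode is a limitation of this model, not a rule stated by the reference.

```python
import csv
import io
import re


def token_join(values, delimiter: str, csv_quote: bool = False) -> str:
    """Model of <token-join delimiter=... csv=...>.

    Without csv, the values are concatenated with the delimiter string.
    With csv, CSV quoting rules apply: a value containing the delimiter or a
    double quote is quoted, and embedded double quotes are doubled.
    """
    if not csv_quote:
        return delimiter.join(values)
    if len(delimiter) != 1:  # assumption of this model, not of the reference
        raise ValueError("CSV quoting in this model needs a single-character delimiter")
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=delimiter, quoting=csv.QUOTE_MINIMAL, lineterminator="")
    writer.writerow(values)
    return buf.getvalue()


def token_split(text: str, delimiter: str, csv_quote: bool = False) -> list:
    """Model of <token-split delimiter=... csv=...>.

    The reference defines delimiter as a regular expression for token-split, so
    the non-CSV path uses re.split. With csv, quoted fields are honoured, so a
    delimiter inside quotes does not split the value.
    """
    if not csv_quote:
        return re.split(delimiter, text)
    if len(delimiter) != 1:  # assumption of this model, not of the reference
        raise ValueError("CSV parsing in this model needs a single-character delimiter")
    return next(csv.reader([text], delimiter=delimiter))


# Constructed group-member values: an LDAP DN (contains the delimiter), a name
# containing the delimiter and a space, and a name containing a double quote.
MEMBERS = ['cn=ann,ou=users,o=acme', 'Smith, John', 'O"Brien']


def csv_round_trip(values=MEMBERS, delimiter=",") -> bool:
    """With csv=true the record splits back into exactly the original values."""
    return token_split(token_join(values, delimiter, True), delimiter, True) == values


def plain_field_count(values=MEMBERS, delimiter=",") -> int:
    """Without CSV quoting, values containing the delimiter turn into extra fields."""
    return len(token_split(token_join(values, delimiter), re.escape(delimiter)))


if __name__ == "__main__":
    print(token_join(MEMBERS, ",", True))   # "cn=ann,ou=users,o=acme","Smith, John","O""Brien"
    print(csv_round_trip())                 # True
    print(plain_field_count())              # 6, although only 3 values were joined
```

The practical rule this illustrates: whenever joined values can contain the delimiter, set csv="true" on both the join and the matching split, or the consumer of the record will see a different number of fields than were written.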
token-src-attr
Expands to the attribute values of the current object in the source data store. If its parent element is <arg-node-set>, then all the available <value> elements are returned as nodes in a node set. Otherwise, the first available value is returned as a string.

Example
<token-src-attr name="OU"/>...

Element Description
arg-component: Component argument.
arg-dn: DN argument.
arg-node-set: Node set argument.
arg-password: Password argument.
arg-string: String argument.
arg-value: Value argument.
token-base64-decode: Decode base64 data into a string.
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
token-src-dn
Expands to the source DN specified in the current operation or a portion thereof. If start and length are not specified or are set to the default values {0,-1}, then the entire DN is used; otherwise, only the portion of the DN specified by start and length is used. The format of the DN is converted to the format of the destination data store if the convert attribute is set to true.

Parent Elements
Element Description
arg-association: Association argument.
arg-component: Component argument.
arg-dn: DN argument.
arg-node-set: Node set argument.
arg-password: Password argument.
arg-string: String argument.
arg-value: Value argument.
token-base64-decode: Decode base64 data into a string.
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
token-src-name
Expands to the unqualified RDN of the source DN specified in the current operation.

Example
<token-src-name/>

Allowed Content
EMPTY

Attributes
notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Element Description
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-lower-case: Convert a string to lowercase.
token-map: Map a string through a mapping table.
token-parse-dn: Parses or converts a DN.
token-replace-all: Replaces all instances of a substring with a string.
token-substring
Expands to a substring of the expansion of the concatenation of the enclosed tokens.

Example
<token-substring start="0" length="1">
  <token-attr name="Given Name"/>
</token-substring>

Allowed Content
Element Description
token-added-entitlement: The values of an entitlement granted in the current operation.
token-association: The association value from the current operation.
token-attr: The values of an attribute in the current operation or current object in the source data store.

Element Description
token-map: Maps a string through a mapping table.
token-named-password: The value of the named password.
token-op-attr: The values of an attribute in the current operation.
token-op-property: The value of an operation property.
token-operation: The name of the current operation.
token-parse-dn: Parses or converts a DN.

Attributes
length (CDATA): The number of characters to include. Negative numbers are interpreted as (total # of characters + length) + 1. For example, for a string with 5 characters a length of -1 = (5 + (-1)) + 1 = 5, -2 = (5 + (-2)) + 1 = 4, etc.

Element Description
arg-password: Password argument.
arg-string: String argument.
arg-value: Value argument.
token-base64-decode: Decode base64 data into a string.
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-escape-for-src-dn: Convert a string for use in a source DN.
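The start/length rule that token-substring documents for characters and token-parse-dn documents for DN segments (negative length interpreted as (total + length) + 1, defaults {0,-1} meaning the whole value), as an added Python model; it is not the engine's code and not from the reference. The same function is applied to a string and to a list of DN segments; the segments are given already parsed because the <src-dn-format> parsing rules are not reproduced. Where the reference is silent (a nonzero start combined with a negative length, or a count that runs past the end), this model applies the formula literally and clips at the end of the value, which is an assumption.

```python
def resolve_length(total: int, length: int) -> int:
    """The reference's rule for a negative length: (total + length) + 1.

    For a 5-item value: -1 -> (5 + (-1)) + 1 = 5, -2 -> (5 + (-2)) + 1 = 4.
    Non-negative lengths are used as given.
    """
    if length < 0:
        return total + length + 1
    return length


def select(seq, start: int = 0, length: int = -1):
    """start/length selection shared by token-substring and token-parse-dn.

    Works on a str (characters) or a list (DN segments). Assumption of this
    model: a count running past the end is clipped, and a count that resolves
    below zero selects nothing.
    """
    count = max(resolve_length(len(seq), length), 0)
    return seq[start:start + count]


def substring(text: str, start: int = 0, length: int = -1) -> str:
    """<token-substring start=... length=...> over the enclosed text."""
    return select(text, start, length)


def dn_segments(segments: list, start: int = 0, length: int = -1) -> list:
    """<token-parse-dn start=... length=...> over an already-parsed segment list."""
    return select(segments, start, length)


if __name__ == "__main__":
    # Constructed inputs; the first reproduces the reference's own example values.
    print(substring("Fred", 0, 1))                                   # F
    print(substring("abcde", 0, -1))                                 # abcde
    print(substring("abcde", 0, -2))                                 # abcd
    print(substring("abcde"))                                        # abcde (defaults {0,-1})
    print(dn_segments(["cn=fred", "ou=users", "o=acme"], 1, -1))     # ['ou=users', 'o=acme']
```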
token-text
Expands to the enclosed text.

Example
<token-text>Fred</token-text>

Allowed Content
#PCDATA

Attributes
notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Content Rule
( #PCDATA )

Parent Elements
Element Description...

Element Description
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-lower-case: Convert a string to lowercase.
token-map: Map a string through a mapping table.
token-parse-dn: Parses or converts a DN.
token-replace-all: Replaces all instances of a substring with a string.
token-time
Expands to the current date/time in the format, language and time zone specified by format, language, and time zone. See “Date/Time Parameters” on page 365 for information on specifying formats, languages, and time zones.

Example
<token-time src-format="!CTIME" tz="UTC"/>

Allowed Content
EMPTY

Attributes
Attribute...

Element Description
arg-dn: DN argument.
arg-node-set: Node set argument.
arg-password: Password argument.
arg-string: String argument.
arg-value: Value argument.
token-base64-decode: Decode base64 data into a string.
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
token-unique-name
Expands to a pattern based name that is unique in the destination data store according to the criteria specified.

Remarks
Each <arg-string> element provides a pattern to be used to create a proposed name. A proposed name is tested by performing a query for that value in the name attribute against the destination data store using the <arg-dn>...

Attributes
counter-use (always | never | fallback; default fallback): When to use counters. Never: Don't use counters. Always: Always use counters on the patterns indicated by counter-pattern. Fallback: Use counters on the patterns indicated by counter-pattern only after all patterns have failed without counters.

Element Description
arg-component: Component argument.
arg-dn: DN argument.
arg-node-set: Node set argument.
arg-password: Password argument.
arg-string: String argument.
arg-value: Value argument.
token-base64-decode: Decode base64 data into a string.
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
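The selection order that token-unique-name's remarks and its counter-use attribute describe, as an added Python model (not the engine's code and not from the reference). The patterns list stands for the <arg-string> elements in order, the exists callable stands for the query against the destination data store's name attribute, and counter_patterns stands for the patterns that counter-pattern marks for counters. Everything the reference leaves unspecified is an assumption of this model and is marked as such in the code: the counter is appended to the pattern text, it starts at 1 and stops at a limit, all patterns are treated as marked when no counter_patterns are given, and None is returned when no candidate is free.

```python
from typing import Callable, Iterable, Optional


def unique_name(patterns: list, exists: Callable[[str], bool],
                counter_use: str = "fallback",
                counter_patterns: Optional[Iterable[int]] = None,
                counter_start: int = 1, counter_limit: int = 999) -> Optional[str]:
    """Model of token-unique-name's candidate order for the three counter-use modes.

    never:    try each pattern without a counter; stop at the first free one.
    fallback: the same, then retry the marked patterns with counters appended.
    always:   marked patterns are only ever tried with a counter; unmarked ones plain.

    Assumptions (not stated by the reference): the counter is appended to the
    pattern text, runs from counter_start to counter_limit, all patterns count as
    marked when counter_patterns is None, and None means no candidate was free.
    """
    if counter_use not in ("always", "never", "fallback"):
        raise ValueError("counter-use must be always, never or fallback")
    marked = set(range(len(patterns))) if counter_patterns is None else set(counter_patterns)

    def with_counter(pattern: str) -> Optional[str]:
        for n in range(counter_start, counter_limit + 1):
            candidate = f"{pattern}{n}"
            if not exists(candidate):
                return candidate
        return None

    if counter_use == "always":
        for i, pattern in enumerate(patterns):
            if i in marked:
                candidate = with_counter(pattern)
            else:
                candidate = None if exists(pattern) else pattern
            if candidate is not None:
                return candidate
        return None

    # never and fallback both start with every pattern tried without a counter.
    for pattern in patterns:
        if not exists(pattern):
            return pattern
    if counter_use == "never":
        return None
    # fallback: all plain patterns failed, so retry the marked ones with counters.
    for i, pattern in enumerate(patterns):
        if i in marked:
            candidate = with_counter(pattern)
            if candidate is not None:
                return candidate
    return None


# Constructed stand-in for the destination data store's existing name values.
EXISTING = {"jsmith", "jsmith1", "jsmith2", "johns"}


def taken(name: str) -> bool:
    """Stand-in for the query: True when the name attribute already holds the value."""
    return name in EXISTING


if __name__ == "__main__":
    print(unique_name(["jsmith", "jdoe"], taken))                                  # jdoe
    print(unique_name(["jsmith", "johns"], taken))                                 # jsmith3
    print(unique_name(["jsmith", "johns"], taken, "never"))                        # None
    print(unique_name(["jsmith", "johns"], taken, "always", counter_patterns=[1])) # johns1
```

The distinction that matters operationally is fallback versus always: with fallback a free plain pattern wins before any counter is tried, so a second pattern can be chosen over the first pattern with a counter; with always a marked pattern never appears without its counter.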
token-unmatched-src-dn
Expands to the portion of the source DN in the current operation that corresponds to the part of the DN that was not matched by the most recent match of an <if-src-dn> in the conditions for this rule (taking into account short circuit evaluation). If there were no matches, then the entire DN is used. The format of the DN is converted to the format of the destination data store if the convert attribute is set to true.

Element Description
token-base64-decode: Decode base64 data into a string.
token-base64-encode: Encode a string into base64 data.
token-convert-time: Convert a date/time from one format to another format.
token-escape-for-dest-dn: Convert a string for use in the destination DN.
token-escape-for-src-dn: Convert a string for use in a source DN.
token-join: Join a node set into a string.
token-upper-case
Expands to a version of the expansion of the concatenation of the enclosed tokens with each character converted to uppercase.

Example
<token-upper-case>
  <token-attr name="Surname"/>
</token-upper-case>

Allowed Content
Element Description
token-added-entitlement: The values of an entitlement granted in the current operation.

Element Description
token-lower-case: Converts a string to lowercase.
token-map: Maps a string through a mapping table.
token-named-password: The value of the named password.
token-op-attr: The values of an attribute in the current operation.
token-op-property: The value of an operation property.
token-operation: The name of the current operation.

Attributes
notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Content Rule
( token-added-entitlement | token-association | token-attr | token-base64-decode | token-base64-encode | token-char | token-class-name | token-convert-time | token-dest-attr | token-dest-dn | token-dest-name | token-document | token-entitlement | token-escape-for-dest-dn | token-escape-for-src-dn | token-generate-password | token-global-variable | token-join | token-local-variable | token-lower-case | token-named-password | token-map | token-op-attr | token-op-property | token-operation |...

Element Description
token-parse-dn: Parses or converts a DN.
token-replace-all: Replaces all instances of a substring with a string.
token-replace-first: Replaces a single instance of a substring within a string.
token-split: Splits a string into a node set.
token-substring: Substring of a string.
token-upper-case: Converts a string to uppercase.
token-xml-parse
Parses the result of the enclosed tokens as XML and returns the resulting document node in a node set. If the result of the enclosed tokens is not well-formed XML or cannot be parsed for any reason, an empty node set is returned.

Example
<token-xml-parse>...

Element Description
token-local-variable: The value of a local variable.
token-lower-case: Converts a string to lowercase.
token-map: Maps a string through a mapping table.
token-named-password: The value of the named password.
token-op-attr: The values of an attribute in the current operation.
token-op-property: The value of an operation property.

Attributes
notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Content Rule
( token-added-entitlement | token-association | token-attr | token-base64-decode | token-base64-encode | token-char | token-class-name | token-convert-time | token-dest-attr | token-dest-dn | token-dest-name | token-document | token-entitlement | token-escape-for-dest-dn | token-escape-for-src-dn | token-generate-password | token-global-variable | token-join | token-local-variable | token-lower-case | token-named-password | token-map | token-op-attr | token-op-property | token-operation |...

Element Description
token-parse-dn: Parses or converts a DN.
token-replace-all: Replaces all instances of a substring with a string.
token-replace-first: Replaces a single instance of a substring within a string.
token-split: Splits a string into a node set.
token-substring: Substring of a string.
token-upper-case: Converts a string to uppercase.
token-xml-serialize
Serializes the node set result of the enclosed tokens as XML. Depending on the content of the node set, the resulting string is either a well-formed XML document or a well-formed parsed general entity. A parsed general entity cannot be parsed as a standalone XML document.

Example
<token-xml-serialize>...

Element Description
token-lower-case: Converts a string to lowercase.
token-map: Maps a string through a mapping table.
token-named-password: The value of the named password.
token-op-attr: The values of an attribute in the current operation.
token-op-property: The value of an operation property.
token-operation: The name of the current operation.

Attributes
notrace (true | false; default false): True if this element should not be traced during execution of the policy.

Content Rule
( token-added-entitlement | token-association | token-attr | token-base64-decode | token-base64-encode | token-char | token-class-name | token-convert-time | token-dest-attr | token-dest-dn | token-dest-name | token-document | token-entitlement | token-escape-for-dest-dn | token-escape-for-src-dn | token-generate-password | token-global-variable | token-join | token-local-variable | token-lower-case | token-named-password | token-map | token-op-attr | token-op-property | token-operation |...

Element Description
token-parse-dn: Parses or converts a DN.
token-replace-all: Replaces all instances of a substring with a string.
token-replace-first: Replaces a single instance of a substring within a string.
token-split: Splits a string into a node set.
token-substring: Substring of a string.
token-upper-case: Converts a string to uppercase.
token-xpath
Expands to the results of evaluating an XPath 1.0 expression. If its parent element is <arg-node-set> and the expression returns a node set, then the node set is returned as is. If its parent element is <arg-node-set> and the expression returns a data type other than node set, then a text node containing the string value of the result is returned.

Element Description
arg-value: Value argument.
token-base64-decode: Decodes base64 data into a string.
token-base64-encode: Encodes a string into base64 data.
token-convert-time: Converts a date/time from one format to another.
token-escape-for-dest-dn: Converts a string for use in a destination DN.
token-escape-for-src-dn: Converts a string for use in a source DN.
token-join: Joins a node set into a string.
DirXML Entitlements DTD Conceptually, a DirXML entitlement is a named flag that causes an Identity Manager driver configuration to perform some arbitrary action that is usually related to granting access to some resource in a connected system. Entitlements (as embodied in Role-based Entitlements) have thus far been used for three basic actions: Creating and deleting or disabling a connected-system account.
Entitlement tokens return a node set containing zero or more <entitlement-impl> elements that can be used to get information about the entitlements and can be passed as arguments to <do-implement-entitlement>. See “DirXML Entitlements DTD Elements” on page 498 for a list of all of the elements in the DirXML Entitlements DTD.
Element    Description
value      Enumerated value.
values     Legal values of the entitlement.
description
Specifies how to obtain the description for each XDS instance element returned from an XDS query that is used to dynamically obtain a list of possible values from the connected application for the enclosing <entitlement>.
Example
See <entitlement>.
Allowed Content
Element    Description
token-association...
display-name
Specifies how to obtain a display name for each XDS instance element returned from an XDS query that is used to dynamically obtain a list of possible values from the connected application for the enclosing <entitlement>.
Example
See <entitlement>.
Allowed Content
Element    Description
token-association...
Contains the LDAP-format DN of the DirXML-Entitlement object referenced by the enclosing <result>.
Example
See <result>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
( #PCDATA )
Parent Elements
Element       Description
result-set    Interpretation of the query results.
ent-value
Specifies how to obtain the actual parameter value for each XDS instance element returned from an XDS query that is used to dynamically obtain a list of possible values from the connected application for the enclosing <entitlement>.
Example
See <entitlement>.
Allowed Content
Element    Description...
entitlement An entitlement definition that is stored in the XmlData attribute of a DirXML-Entitlement object. The actual name of the entitlement comes from the RDN of the DirXML-Entitlement object. The entitlement definition defines a display name and description for the entitlement for use in UI agents, and can define whether or not an entitlement requires a single parameter value.
Allowed Content
Element    Description
values     Legal values of the entitlement.
Attributes
  conflict-resolution (priority | union, default priority): The conflict resolution method to be used by the Entitlements driver when the entitlement is used in conjunction with Role-Based Entitlements and is granted via more than one role.
entitlement-impl
Represents a granted or revoked entitlement within DirXML Script.
Example
  <entitlement-impl id="xxx" src="AF" state="1" name="Group" src-dn="\MYTREE\Novell\Users\Fred" src-entry-id="65535">
    cn=Managers,o=People
  </entitlement-impl>
Allowed Content
#PCDATA
Attributes
  id (CDATA, #IMPLIED): The ID provided by the granting agent.
  name...
Parent Elements
None
id
An ID that the granting/revoking agent attaches to a granted or revoked entitlement and that is carried forward onto the result of that grant or revocation. The entitlements system does not interpret the id; it exists primarily so that the granting/revoking agent can correlate entitlement results with the original grant or revocation.
item
A cached query result item of a query used to dynamically discover the possible parameter values for an entitlement.
Example
See <items>.
Allowed Content
Element              Description
item-display-name    Cached entitlement query result item display name.
item-description     Cached entitlement query result item description.
item-value           Cached entitlement query result item value.
item-description
The description of a cached query result item of a query used to dynamically discover the possible parameter values for an entitlement.
Example
See <items>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
( #PCDATA )
Parent Elements
Element    Description
item       Cached entitlement query result item.
item-display-name
The display name of a cached query result item of a query used to dynamically discover the possible parameter values for an entitlement.
Example
See <items>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
( #PCDATA )
Parent Elements
Element    Description
item       Cached entitlement query result item.
item-value
The parameter value of a cached query result item of a query used to dynamically discover the possible parameter values for an entitlement.
Example
See <items>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
( #PCDATA )
Parent Elements
Element    Description
item       Cached entitlement query result item.
items
Holds the cached query result items of a query used to dynamically discover the possible parameter values for an entitlement. It is stored in the DirXML-SPCacheExternalQuery attribute of a DirXML-Entitlement object.
Example
  <items>
    <item>
      <item-display-name>cn=Managers,o=People</item-display-name>
      <item-description>Managers</item-description>
      <item-value>cn=Managers,o=People</item-value>
    </item>...
msg
Contains the status message of the entitlement grant/revocation referenced by the enclosing <result>.
Example
See <result>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
( #PCDATA )
Parent Elements
Element    Description
result     Entitlement result.
param
The parameter value of the entitlement as represented in a granted or revoked entitlement, in an entitlement associated with an RBE policy, or in the result of granting/revoking an entitlement.
Example
See <ref>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
( #PCDATA )
Parent Elements
Element...
query-app
If present, a set of <query-app> elements specifies an XDS query that can be used to dynamically obtain a list of possible values from the connected application for the enclosing <entitlement>. It also specifies how to obtain a display name, description, and actual parameter value for each of the XDS instance elements returned from the query.
query-xml
Specifies an XDS query that can be used to dynamically obtain a list of possible values from the connected application for the enclosing <entitlement>.
Example
See <entitlement>.
Allowed Content
Attributes
None
Content Rule
Parent Elements
Element    Description
query-app...
ref
The value of the “path” (or string) portion of the DirXML-EntitlementRef attribute. When used on a DirXML-EntitlementRecipient it represents a granted or revoked entitlement and contains information about the granting/revoking agent as well as the parameter value, if the entitlement requires one.
result
Written as a value of the DirXML-EntitlementResult attribute of a DirXML-EntitlementRecipient. It contains the results of granting or revoking an entitlement, as implemented by policy.
Example
  <result>
    <dn>cn=Group,cn=LDAP Driver,cn=DriverSet,o=novell</dn>
    <src>RBE</src>
    <id>{26dfb70f-0371-4fe2-a67f-bc101101e5d7}</id>
    <param>cn=Managers,o=People</param>
    <state>1</state>
    <status>error</status>
    <msg>Access denied</msg>
    <timestamp>1112101901523</timestamp>
  </result>...
result-set
Specifies how to obtain a display name, description, and actual parameter value for each XDS instance element returned from an XDS query that is used to dynamically obtain a list of possible values from the connected application for the enclosing <entitlement>.
Example
See <entitlement>.
src
Identifies the granting or revoking agent for a granted/revoked entitlement. Well-known values are RBE when the agent is the Role-Based Entitlements system and AF when the granting agent is the Approval Flow system. Other agents that grant entitlements should provide their own unique identifier, so that a result can always be traced back to the agent that caused it.
state
Contains the state (1 = granted, 0 = revoked) of the entitlement referenced by the enclosing <result>.
Example
See <result>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
( #PCDATA )
Parent Elements
Element    Description
result     Entitlement result.
status
Contains the status (success, error, warning, retry, fatal) of the entitlement grant/revocation referenced by the enclosing <result>.
Example
See <result>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
( #PCDATA )
Parent Elements
Element    Description
result     Entitlement result.
timestamp
Contains the time stamp of the entitlement grant/revocation referenced by the enclosing <result>. The time stamp is an integer that represents the number of milliseconds since midnight, January 1, 1970.
Example
See <result>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
( #PCDATA )
Parent Elements
Element...
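Worked example, added here and not part of the Novell reference: a small Python parser for the <result> values written to DirXML-EntitlementResult and for the <entitlement-impl> nodes returned by entitlement tokens. It decodes <state>, <status> and the millisecond <timestamp> according to the definitions above, rejects values outside the DTD's enumerations, and flags the two things an auditor of entitlement processing looks for first: grants or revocations whose status is error or fatal, and results whose <src> is neither RBE nor AF. The first sample <result> and the sample <entitlement-impl> mirror the examples in this reference; the second <result>, its HRFEED agent, the job-42 id and the KNOWN_AGENTS allow-list are constructed for this example and are not values from the reference.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Added example; not code from the Identity Manager reference.
KNOWN_AGENTS = {"RBE", "AF"}  # the well-known <src> values; other agents must use their own id
STATUSES = {"success", "error", "warning", "retry", "fatal"}
STATES = {"1": "granted", "0": "revoked"}

# Constructed sample: two DirXML-EntitlementResult values on one recipient.
# The first mirrors the reference's example; the second (HRFEED agent) is assumed.
SAMPLE_RESULTS = [
    "<result>"
    "<dn>cn=Group,cn=LDAP Driver,cn=DriverSet,o=novell</dn>"
    "<src>RBE</src>"
    "<id>{26dfb70f-0371-4fe2-a67f-bc101101e5d7}</id>"
    "<param>cn=Managers,o=People</param>"
    "<state>1</state><status>error</status><msg>Access denied</msg>"
    "<timestamp>1112101901523</timestamp>"
    "</result>",
    "<result>"
    "<dn>cn=Account,cn=AD Driver,cn=DriverSet,o=novell</dn>"
    "<src>HRFEED</src><id>job-42</id>"
    "<state>0</state><status>success</status><msg/>"
    "<timestamp>1112101999000</timestamp>"
    "</result>",
]

# Constructed sample <entitlement-impl>, as an entitlement token would return it.
SAMPLE_IMPL = (
    r'<entitlement-impl id="xxx" src="AF" state="1" name="Group" '
    r'src-dn="\MYTREE\Novell\Users\Fred" src-entry-id="65535">'
    "cn=Managers,o=People</entitlement-impl>"
)


def _child_text(el, name):
    """Text of the named child: '' for an empty element, None if the child is absent."""
    child = el.find(name)
    if child is None:
        return None
    return (child.text or "").strip()


def parse_result(xml_text):
    """Decode one <result> value into a dict; reject values outside the DTD's enumerations."""
    root = ET.fromstring(xml_text)
    if root.tag != "result":
        raise ValueError("expected <result>, got <%s>" % root.tag)
    state = _child_text(root, "state")
    status = _child_text(root, "status")
    if state not in STATES:
        raise ValueError("state must be 1 (granted) or 0 (revoked), got %r" % state)
    if status not in STATUSES:
        raise ValueError("unknown status %r" % status)
    # <timestamp> is milliseconds since the Unix epoch.
    when = datetime.fromtimestamp(int(_child_text(root, "timestamp")) / 1000, tz=timezone.utc)
    return {
        "entitlement_dn": _child_text(root, "dn"),
        "agent": _child_text(root, "src"),
        "id": _child_text(root, "id"),
        "param": _child_text(root, "param"),
        "action": STATES[state],
        "status": status,
        "msg": _child_text(root, "msg"),
        "time": when,
    }


def parse_entitlement_impl(xml_text):
    """Decode an <entitlement-impl>: attributes carry the metadata, the text carries the parameter."""
    el = ET.fromstring(xml_text)
    if el.tag != "entitlement-impl":
        raise ValueError("expected <entitlement-impl>, got <%s>" % el.tag)
    state = el.get("state")
    if state not in STATES:
        raise ValueError("bad state %r" % state)
    return {
        "name": el.get("name"),
        "agent": el.get("src"),
        "id": el.get("id"),  # #IMPLIED, so it may be None
        "recipient_dn": el.get("src-dn"),
        "recipient_entry_id": el.get("src-entry-id"),
        "action": STATES[state],
        "param": (el.text or "").strip(),
    }


def review_results(xml_values):
    """Findings over a recipient's DirXML-EntitlementResult values: failures and unknown agents."""
    findings = []
    for xml_text in xml_values:
        r = parse_result(xml_text)
        if r["status"] in ("error", "fatal"):
            findings.append(("failed_" + r["action"], r["entitlement_dn"], r["param"], r["msg"]))
        if r["agent"] not in KNOWN_AGENTS:
            findings.append(("unknown_agent", r["entitlement_dn"], r["agent"], r["id"]))
    return findings


if __name__ == "__main__":
    for finding in review_results(SAMPLE_RESULTS):
        print(finding)
    print(parse_entitlement_impl(SAMPLE_IMPL))
```

The parser keeps <msg/> (empty) and a missing <param> distinct, because an entitlement that takes no parameter legitimately has no <param>, while an empty status message on a failed result is itself worth noticing. An <id> is optional on <entitlement-impl>, so the "unknown_agent" finding carries whatever id the agent supplied rather than assuming one.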
token-association
Specifies that the value of the association key of the XDS instance element should be used as the value of the enclosing <display-name>, <description>, or <ent-value>.
Example
See <entitlement>.
Allowed Content
EMPTY
Attributes
None
Content Rule
Empty
Parent Elements
Element    Description
description...
token-attr
Specifies that the first value of the named attribute from the XDS instance element should be used as the value of the enclosing <display-name>, <description>, or <ent-value>.
Example
See <entitlement>.
Allowed Content
EMPTY
Attributes
  attr-name (CDATA, #REQUIRED)...
token-src-dn
Specifies that the value of the src-dn attribute of the XDS instance element should be used as the value of the enclosing <display-name>, <description>, or <ent-value>.
Example
See <entitlement>.
Allowed Content
EMPTY
Attributes
None
Content Rule
Empty
Parent Elements
Element    Description
description...
value
If present, a set of <value> elements specifies a static list of possible values for the enclosing <entitlement>.
Example
See <entitlement>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
( #PCDATA )
Parent Elements
Element    Description
values     Legal values of the entitlement.
values
If present, <values> specifies that the enclosing <entitlement> requires a parameter value. If multi-valued="false", the entitlement can be granted to a given recipient with only a single value at a time; otherwise the entitlement can be granted to the same recipient more than once, each time with a different value.
Jobs DTD

The Identity Manager Job Scheduler lets you create and schedule jobs that you want to perform on Identity Manager servers. This section introduces the XML structure of the job objects used by the Job Scheduler, and includes the following topics: Section 7.1, “Jobs XML,”...
“bcc” on page 534 “cc” on page 535 “containment” on page 536 “description” on page 537 “email” on page 538 “java-class” on page 539 “job-aggregation” on page 540 “job-definition” on page 541 “reply-to” on page 542 “result-processing” on page 543 “to”...
audit
Indicates that job result notification will be issued through the Novell Audit system.
Attributes
  on-level (success | warning | error | aborted, #REQUIRED): Specifies the result level for which this audit notification applies. You can include one audit element for each result level for which you want to generate a notification.
bcc
Specifies a list of email addresses to place in the blind carbon copy (BCC) field when sending a results notification email.
Attributes
None
Parent Elements
email
cc
Specifies a list of email addresses to place in the carbon copy (CC) field when sending a results notification email.
Attributes
None
Parent Elements
email
containment
Zero or more containment elements describe any restrictions on the eDirectory objects that can contain the object representing the job. If no containment element appears, the DirXML-Job object may be contained by either a DirXML-DriverSet or a DirXML-Driver object.
Attributes
None
Parent Elements
job-definition
email
Indicates that job result notifications are issued via an email message. The email message is constructed from the email template specified by the DirXML-EmailTemplates attribute on the DirXML-Job object. The email recipients are specified in the email element's child elements.
java-class
Contains the fully qualified name of the Java class that implements the job. There must be exactly one java-class element per job.
Attributes
None
Parent Elements
job-definition
job-aggregation
Functions as the container object for a job and aggregates the job-definition information and any XLIFF data used for language translation.
Attributes
None
Parent Elements
None
job-definition
Contains the XML attributes and elements that define much of the job.
Attributes
  display-name (CDATA, #REQUIRED): Specifies the job name displayed in the Job Scheduler UI.
  type (java, #REQUIRED): Specifies the language used to write the job. The only supported option is java.
reply-to
Specifies a Reply-To email address to place in the From field when sending a results notification email.
Attributes
None
Parent Elements
email
result-processing
Describes how the job results (both intermediate and final) are reported. There can be zero or more result-processing elements. A result-processing element describes how notification of job results is made and contains one or more audit or email elements. Each result-processing element applies to either "final"...
to
Specifies a list of email addresses to place in the To field when sending a results notification email.
Attributes
None
Parent Elements
email
For more information about XLIFF, see the XLIFF Web site (http://www.oasis-open.org/committees/xliff).
Parent Elements
job-aggregation

7.2 Example Job XML

Example 1
  <job-aggregation>
    <job-definition type="java" schedule="0 2 * * 1-5">
      <containment>DirXML-Driver</containment>
      <java-class>com.novell.nds.dirxml.jobs.builtin.PasswordGeneration</java-class>
      <configuration-values>
        <definitions>
          <definition type="dn-ref" name="password-policy" display-name="Password policy object" attr-name="DirXML-PasswordPolicyRef" aux-class-name="DirXML-PasswordGenAttrs">
            <value/>
          </definition>...
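Worked example, added here and not part of the Novell reference: a Python validator for the job XML described in this section. A job-definition names a Java class that the Job Scheduler runs on the Identity Manager server, so a job object is in effect scheduled code execution; the checks below enforce the structural rules stated above (type must be java, display-name is required, exactly one java-class, containment limited to the two container classes this reference names for DirXML-Job, audit on-level drawn from the four result levels, only the recipient elements listed here under email) and add one site-policy check that is an assumption of this example, not a rule from the reference: the job class must come from a trusted package prefix. Both job documents are constructed for the example; GOOD_JOB follows Example 1 above, while BAD_JOB's class name, containment value, on-level and email addresses are invented.

```python
import xml.etree.ElementTree as ET

# Added example; not code from the Identity Manager reference.
ALLOWED_CONTAINERS = {"DirXML-DriverSet", "DirXML-Driver"}  # containers named for DirXML-Job
AUDIT_LEVELS = {"success", "warning", "error", "aborted"}  # audit on-level values
EMAIL_CHILDREN = {"to", "cc", "bcc", "reply-to"}           # recipient elements under <email>
# Assumed site policy (not from the reference): only the built-in job package may be scheduled.
TRUSTED_CLASS_PREFIXES = ("com.novell.nds.dirxml.jobs.builtin.",)

# Constructed job definitions. GOOD_JOB follows the reference's Example 1; BAD_JOB is a
# deliberately bad definition whose class, containment and on-level are invented.
GOOD_JOB = """<job-aggregation>
  <job-definition type="java" display-name="Password generation" schedule="0 2 * * 1-5">
    <containment>DirXML-Driver</containment>
    <java-class>com.novell.nds.dirxml.jobs.builtin.PasswordGeneration</java-class>
    <result-processing>
      <audit on-level="error"/>
      <email><to>idm-admins@example.com</to><cc>soc@example.com</cc></email>
    </result-processing>
  </job-definition>
</job-aggregation>"""

BAD_JOB = """<job-aggregation>
  <job-definition type="java" display-name="Nightly export" schedule="0 3 * * *">
    <containment>Organization</containment>
    <java-class>com.example.jobs.ExportAllPasswords</java-class>
    <result-processing>
      <audit on-level="debug"/>
    </result-processing>
  </job-definition>
</job-aggregation>"""


def validate_job(xml_text):
    """Return a list of findings; an empty list means the definition passed every check."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "job-aggregation":
        return ["root element is <%s>, expected <job-aggregation>" % root.tag]
    defs = root.findall("job-definition")
    if not defs:
        findings.append("no job-definition element")
    for jd in defs:
        if jd.get("type") != "java":
            findings.append("type=%r; java is the only supported job language" % jd.get("type"))
        if not jd.get("display-name"):
            findings.append("job-definition is missing the required display-name")
        classes = [(c.text or "").strip() for c in jd.findall("java-class")]
        if len(classes) != 1:
            findings.append("expected exactly one java-class, found %d" % len(classes))
        for name in classes:
            # The job class runs on the IDM server: treat it as scheduled code, not configuration.
            if not name.startswith(TRUSTED_CLASS_PREFIXES):
                findings.append("java-class %s is outside the trusted package list" % name)
        for c in jd.findall("containment"):
            value = (c.text or "").strip()
            if value not in ALLOWED_CONTAINERS:
                findings.append("containment %r is not a DirXML-DriverSet or DirXML-Driver" % value)
        for rp in jd.findall("result-processing"):
            if rp.find("audit") is None and rp.find("email") is None:
                findings.append("result-processing carries no audit or email element")
            for a in rp.findall("audit"):
                if a.get("on-level") not in AUDIT_LEVELS:
                    findings.append("audit on-level=%r is not a valid result level" % a.get("on-level"))
            for e in rp.findall("email"):
                for child in e:
                    if child.tag not in EMAIL_CHILDREN:
                        findings.append("unexpected <%s> under email" % child.tag)
    return findings


if __name__ == "__main__":
    for label, doc in (("good", GOOD_JOB), ("bad", BAD_JOB)):
        print(label, validate_job(doc) or "OK")
```

The validator reports every problem rather than stopping at the first, which is what you want when reviewing a batch of job objects exported from a driver set. The schedule attribute is carried through unchanged because this section does not define its format.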