How to Convert Slash Format eDir Names to LDAP Formatted eDir Names



By: marklamont

February 10, 2009 2:03 pm


The background to this article is the need to convert a typical slash-formatted eDir name, \org name\org unit 1\org unit 2\object, to an LDAP-formatted eDir name, cn=object,ou=org unit 2,ou=org unit 1,o=org name.

We had to do this because the value written into this attribute is used by UserApp as a lookup key: UserApp needs to resolve the DN in order to display the object's description to the end user.

There is of course a Parse DN token that will convert slash format to LDAP format, but it does not know the object type of each component, so all it can do is reverse the order of the parts.

In most eDirectory trees the top object in the returned path is an Organisation and the bottom is a CN. I have used this in my example rules, but they could easily be tweaked if you have to deal with other configurations.

First we set up a node set containing the slash-formatted DN. In this example the input comes from another variable that has been set from a two-part operational attribute containing the location and the location floor:

Input variable: Corp\SERVICES\LOCATIONS\Corp Location|Corp\SERVICES\LOCATIONS\LOCATION-FLOORS\2nd Floor

In this example I split the input around a "|" delimiter, then use a delimiter of \ to split the first half into a node set. Note that the split delimiter is interpreted as a regular expression, so you have to escape the \ delimiter with another \ or it doesn't work!

<do-set-local-variable name="Var_Loc" scope="policy">
	<arg-node-set>
		<token-split delimiter="\\">
			<token-xpath expression='substring-before($Var_Location,"|")'/>
		</token-split>
	</arg-node-set>
</do-set-local-variable>

This gives us a node set "Var_Loc" containing:

Arg Value: {"Corp","SERVICES","LOCATIONS","Corp Location"}

Next we work out how many parts (NP = Number of Parts) are in the DN by counting the nodes in the node set. We will use this count several times to extract separate parts of the node set:

<do-set-local-variable name="Var_Loc_NP" scope="policy">
	<arg-string>
		<token-xpath expression="count($Var_Loc)"/>
	</arg-string>
</do-set-local-variable>

Which gives us:

Arg Value: "4"

Next we pull out the part of the node set that becomes the Organisation ("O=") part of the LDAP DN. We do this by using the XPath position() function and picking the first node:

<do-set-local-variable name="Var_Loc_O" scope="policy">
	<arg-string>
		<token-text xml:space="preserve">O=</token-text>
		<token-xpath expression="$Var_Loc[position()=1]"/>
	</arg-string>
</do-set-local-variable>

Which gives us:

Arg Value: "O=Corp"

Next we pull out the part of the node set that becomes the "CN=" part of the LDAP DN. We do this by again using the XPath position() function, this time picking the node whose position equals the total number of parts:

<do-set-local-variable name="Var_Loc_CN" scope="policy">
	<arg-string>
		<token-text xml:space="preserve">CN=</token-text>
		<token-xpath expression="$Var_Loc[position()=$Var_Loc_NP]"/>
		<token-text xml:space="preserve">,</token-text>
	</arg-string>
</do-set-local-variable>

Which gives us:

Arg Value: "CN=Corp Location,"

Note: We have added the “CN=” and the “,” ready for later use.

Next we loop round the node set, ignoring the first and last parts, which we have already extracted. This is what makes the code portable across different directories, as long as all the intermediate levels are OUs.

If the structure contains other fixed-level parts, the code above can be reused with different positions, and the code below can be varied by using different loop-check values.

This rule creates the middle of the DN, hence the "Mid" in the variable name. On each pass it decrements Var_Loc_NP, then appends "OU=", the part of the node set at that position, and "," to the variable, so the middle parts are emitted from the second-to-last upwards, which is the order LDAP wants. The for-each simply iterates once per node; the condition stops the work once Var_Loc_NP reaches 2, so the first part is never emitted as an OU. Be aware that Var_Loc_NP is consumed by this loop and no longer holds the original count afterwards; recompute it if a later rule needs it.

This technique is useful in many situations.

<do-for-each>
	<arg-node-set>
		<token-local-variable name="Var_Loc"/>
	</arg-node-set>
	<arg-actions>
		<do-if>
			<arg-conditions>
				<and>
					<if-xpath op="true">$Var_Loc_NP >2</if-xpath>
				</and>
			</arg-conditions>
			<arg-actions>
				<do-set-local-variable name="Var_Loc_NP" scope="policy">
					<arg-string>
						<token-xpath expression="$Var_Loc_NP - 1"/>
					</arg-string>
				</do-set-local-variable>
				<do-set-local-variable name="Var_Loc_Mid" scope="policy">
					<arg-string>
						<token-local-variable name="Var_Loc_Mid"/>
						<token-text xml:space="preserve">OU=</token-text>
						<token-xpath expression="$Var_Loc[position()=$Var_Loc_NP]"/>
						<token-text xml:space="preserve">,</token-text>
					</arg-string>
				</do-set-local-variable>
			</arg-actions>
			<arg-actions/>
		</do-if>
	</arg-actions>
</do-for-each>

Which gives us:

Arg Value: "OU=LOCATIONS,OU=SERVICES,"

Finally we stitch all the parts together in one more variable:

<do-set-local-variable name="Var_Loc_LDAP" scope="policy">
	<arg-string>
		<token-local-variable name="Var_Loc_CN"/>
		<token-local-variable name="Var_Loc_Mid"/>
		<token-local-variable name="Var_Loc_O"/>
	</arg-string>
</do-set-local-variable>

Which gives us:

Arg Value: "CN=Corp Location,OU=LOCATIONS,OU=SERVICES,O=Corp"

And there you go: converted from \ format to LDAP format. One caveat: the rules concatenate the raw values, so a component containing a DN special character (a comma, plus, double quote, backslash, angle bracket or semicolon, or a leading # or space) would be emitted unescaped and the result would not be a valid RFC 4514 DN. If such names can occur in your tree, escape each value before building the DN, otherwise the lookup in UserApp will fail or resolve the wrong object.
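As an added example that is not code from the original article or from NetIQ, here is the same conversion in Python, generalised beyond the four-part location above: the first component is typed O, the last CN, and any number of intermediate components OU, with the order reversed; the type letters are parameters so other fixed layouts can be handled. Unlike the policy's plain concatenation it escapes each value per RFC 4514, and a small RDN counter shows why that matters. The function names, the `convert_two_part_attribute` helper and the `|`-delimited sample value are constructed for this example.

```python
"""Slash-format eDirectory name -> typed LDAP DN (RFC 4514 escaped).

Generalises the policy in the article: position 1 -> O, position NP -> CN,
everything in between -> OU, then reverse the order. Added example; the
function names and sample data are constructed, not taken from the article.
"""
from typing import List, Tuple

# Characters that RFC 4514 section 2.4 requires to be escaped anywhere in a value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP DN (RFC 4514)."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                 # leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space is dropped unless escaped
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def split_slash_name(name: str) -> List[str]:
    """Split a slash-format name into components, top of the tree first.

    A leading backslash (as in \\org name\\org unit\\object) is tolerated.
    Assumption, the same one the policy's token-split makes: the slash-format
    value does not itself contain backslash-escaped characters.
    """
    parts = name.split("\\")
    if parts and parts[0] == "":
        parts = parts[1:]
    if any(p == "" for p in parts):
        raise ValueError(f"empty component in slash-format name: {name!r}")
    return parts


def slash_to_ldap(name: str, top_type: str = "O", leaf_type: str = "CN",
                  mid_type: str = "OU") -> str:
    """Convert a slash-format name to a typed LDAP DN, leaf component first."""
    parts = split_slash_name(name)
    if len(parts) < 2:
        raise ValueError(f"need at least a container and a leaf: {name!r}")
    # Same type assignment as the policy: first -> O, last -> CN, the rest -> OU.
    types = [top_type] + [mid_type] * (len(parts) - 2) + [leaf_type]
    rdns = [f"{t}={escape_rdn_value(v)}" for t, v in zip(types, parts)]
    return ",".join(reversed(rdns))


def convert_two_part_attribute(value: str, delimiter: str = "|") -> Tuple[str, ...]:
    """Convert every slash-format name in a delimiter-joined attribute value,
    e.g. the location|floor pair the article starts from (constructed helper)."""
    return tuple(slash_to_ldap(p) for p in value.split(delimiter))


def count_rdns(dn: str) -> int:
    """Count RDNs in a DN, honouring backslash escapes. An unescaped comma
    inside a value would be counted as an extra (bogus) RDN."""
    n, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if dn[i] == ",":
            n += 1
        i += 1
    return n


if __name__ == "__main__":
    # Constructed sample input, the same value the article uses.
    sample = ("Corp\\SERVICES\\LOCATIONS\\Corp Location"
              "|Corp\\SERVICES\\LOCATIONS\\LOCATION-FLOORS\\2nd Floor")
    for dn in convert_two_part_attribute(sample):
        print(dn)
    # A name containing a comma: escaped, so it still parses as four RDNs.
    tricky = slash_to_ldap("Corp\\SERVICES\\LOCATIONS\\Corp, Location")
    print(tricky, count_rdns(tricky))
```

Running the module prints the two converted DNs from the article's sample value, then a name containing a comma, escaped so that it still counts as four RDNs rather than five.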

Categories: eDirectory, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

1 Comment

  1. By: Alexander McHugh

    Far better to do it this way:

    <do-set-local-variable name="ldap-src-dn" scope="policy">
    	<arg-string>
    		<token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
    			<token-xpath expression='query:readObject($srcQueryProcessor,"",@src-dn,"","")[1]/@qualified-src-dn'/>
    		</token-parse-dn>
    	</arg-string>
    </do-set-local-variable>

    This technique will return an empty value when the object doesn't exist.

    or

    <do-set-local-variable name="ldap-src-dn" scope="policy">
    	<arg-string>
    		<token-xpath expression='com.novell.nds.dirxml.driver.DNConverter:convert($dnConverter, @src-dn, "slash", "qualified-slash")'/>
    	</arg-string>
    </do-set-local-variable>

    DNConverter only works against objects in eDirectory.

    However, it doesn't require the additional token-parse-dn step, but it will return the supplied source DN value if the DN conversion cannot be performed (for example, if the object doesn't actually exist in the vault).
