October, 2008 was the month when Novell Identity Audit (NIA) was released to the public. This product is made to replace Novell Audit to some degree and also starts a move from the current Sentinel product to a new version that is a bit more flexible and including simpler tools that still provide Sentinel’s historic power. As part of this change was a move to Sentinel’s user management setup that is based on database users. While the previous Sentinel users existed exclusively in Oracle or mssql the new Identity Audit product keeps users in PostsgreSQL, an Open Source database that is shipped with the product. The purpose of this AppNote is to demonstrate a way to provision accounts to Identity Audit via IDM directly to ease administration of a large environment.

First to get through all of this it is recommended you be fairly familiar with Novell Identity Manager (IDM) at the very least. Any experience you have with PostgreSQL will be useful for the work in NIA though I will explain all of that as completely as possible. Also experience with databases in general could help with some of the JDBC pieces of IDM and NIA. This will not cover the installation of IDM or NIA in general so it is assumed you have a default installation of IDM 3.6.0 with the latest patches as well as NIA 1.0 HF1. Installation and use of the Remote Loader whenever possible is also highly encouraged in order to minimize the load on the engine as much as possible.

So first a bit of architecture information. Identity Manager runs as a module in eDirectory and therefore is able to pick up the events as they happen within eDirectory. The Identity Vault (the environment where IDM is running, also known as the Metadirectory) sends events via IDM to the various applications connected to it via driver policies and rules which eventually use a driver shim (the driver) to connect to the remote application in some manner. These drivers come in JDBC, LDAP, SOAP, eDirectory, Domino (Notes), Scripting, and Delimited Text variants and generally can connect to anything under the sun.

Novell Identity Audit has a large number of pieces that work together, but the ones we care about most revolved around PostgreSQL, the Relational Database Management System (RDBMS) that stores the data long term and against which reports are run. Along with all the event data it is the user store for any identities able to login to NIA. As mentioned above this is similar with how Sentinel is implemented; all of the users in the system are simply database users that may or may not have rights to do things directly in the database.

Out of the box two users are setup including admin (the user you use) and dbauser (the one that controls the DB and is the superuser for the entire system). The former user is used to login to NIA via the web interface located at https://ipAddressHere:8443/novellidentityaudit while the latter is generally not seen anywhere. All users, including these two, only have their passwords stored in the database directly stored however the database system (in this case PostgreSQL) stores it (hashed presumably). With this information in hand we can use a JDBC driver configuration that comes with IDM and modify it a bit to account for the schema in PostgreSQL for NIA. We shouldn’t need to worry much about password storage since PostgreSQL will store them for us however the developers there have determined is best.

One thing that should be noted here is that by default the PostgreSQL instance that comes with NIA does not listen to the outside world at all. NIA is meant to be an all-in-one system so there is no reason to allow for reporting from an external server since reporting and searching is all built into the software appliance. Because of this analysis of the DB needs to either be done from the server itself via the command line or by some magic of forwarded ports and tunnels. Another option is to set PostgreSQL to listen to the outside world. In production running this way is not recommended because it’s never been meant to work that way. Not having an open port means all of the potential attacks for NIA are completely worthless unless somebody had access directly to the system from the system itself (all network users are out of luck) so be sure you understand the implications of opening anything up before you do so. To do this with NiA make the following changes to the following files where $APP_PATH is the path to your NIA installation which, by default, is /opt/novell/identity_audit_1.0_x86-64

$APP_PATH/3rdparty/postgresql/data/postgresql.conf
modify “#listen_address = ‘localhost'” to listen to something besides localhost. This can be set to ‘*’ to listen on all bound IPv4 (if not IPv6) addresses.

$APP_PATH/3rdparty/postgresql/data/pg_hba.conf
modify ‘host all all 127.0.0.1/32 md5′ to ‘host all all 0.0.0.0/0 md5′ to allow users to access the server from any IPv4 address.

Finally you will need to set the firewall to allow traffic to TCP port 5432 assuming the firewall is enabled as it is by default. This can be done by going into Yast: Security and Users: Firewall and then setting TCP port 5432 to be available, probably via the Advanced section. Once completed you can use any JDBC-compatible database utility to view the database. I use DB Visualizer of which there is a simple free version available for multiple platforms. As a Java-based application it works well under Linux and windows and implementing JDBC it can talk to any database that has a JDBC connector (MySQL, PostgreSQL, Oracle, etc.) once the 3rd-party JDBC connector is made available to the application (if it is not there already).

A bit more depth on the NIA side is probably in order. The default database used by the NIA application includes a SIEM database, and inside that for our use there is a ‘users’ table with a definition as follows:

COLUMN_NAME TYPE_NAME COLUMN_SIZE
usr_id int4 4
name varchar 64
cnt_id int4 4
stt_id int4 4
description varchar 512
date_created timestamptz 8
date_modified timestamptz 8
created_by int4 4
modified_by int4 4
permissions varchar 4000
filter varchar 128
upper_name varchar 64
domain_auth_ind bool 1

As we can see there is a usr_id column that is just an integer to keep track of things uniquely, a description that is fairly unimportant, some timestamps to keep track of creation and modification, a name field that is the username, an upper_name field that is fairly self-explanatory (regarding case), a filter field, and a permissions field that is really important and worthy of some exploration. The filter field for a default user simply contains ‘ALL’. In the full Sentinel product a filter controls which data a user can see while using the Sentinel Control Center (SCC) or other components of Sentinel that are tied into the main event systems. In NiA the permissions are significantly less-granular so this filter value will not change for any users. This same field will be of use for a Sentinel 6.1 driver (see a later article if things go according to plan) assuming that those types of assignments will be restricted via IDM. It’s possible to set the filter for a user via the SCC as well in the full Sentinel product.

The final field mention is named ‘permissions’ and is four thousand characters long. it’s probably not hard to guess what goes in here, but let’s look at the default ‘admin’ user just for fun to see what is in each of the fields:

usr_id	name	cnt_id	stt_id	description	date_created	date_modified	created_by	modified_by	permissions	filter	upper_name	domain_auth_ind
1	admin	1	12	(null)	2008-10-27 13:08:40.085	2008-10-27 13:08:40.085	(null)	(null)	MAIN_PERMISSION:RT_MS:RT_MS_SW:RT_MS_CM:RT_MS_SS:RT_FL_PUBFL:RT_FL_PUBFL_CR:RT_FL_PUBFL_MO:RT_FL_PUBFL_DE:RT_FL_PRIFL:RT_FL_PRIFL_CR:RT_FL_PRIFL_MO:RT_FL_PRIFL_DE:RT_FL_PRIFL_VW:RT:RT_VW:RT_MI:RT_MI_VW:RT_MI_AI:RT_MI_RI:RT_MI_EE:RT_MI_VA:RT_MI_VV:RT_SD_VW:ITRAC:ITRAC_VW:ITRAC_AM:ITRAC_TM:ITRAC_TM_VW:ITRAC_TM_CR:ITRAC_PM:ITRAC_PM_VW:ITRAC_PM_CR:ITRAC_WM:IN:IN_VW:IN_ADM:IN_VWIN:IN_CI:IN_MOI:IN_DI:IN_AI:IN_EML:IN_ACT:IN_NOTES:WZ:WZ_VW:WZ_VW_SP:WZ_ADM:WZ_CTRL:WZ_PLUGIN:WZ_VW_RAW:WZ_DEBUG:AN:AN_VW:AD:AD_VW:ADM:ADM_VW:RT_FL_GLOFL:RT_FL_GLOFL_VW:RT_FL_GLOFL_MO:ADM_DAS_STATS:ADM_EVT_CFG:ADM_MENU_EVT:ADM_MAP_CFG:ADM_MENU_CFG:ADM_REP_DATA:ADM_SRVVW:ADM_SRVVW_VW:ADM_SRVVW_CNTRL:ADM_USRADM:ADM_USR_SESS:ADM_ROLEADM:INTEGRATORS:INT_VW:INT_ADM:INT_PLUGINS:ACTIONS:VIEW_ACT:MANAGE_ACT:MANAGE_ACTION_PLUGINS:CORR:CORR_TAB_VW:CORR_MGR:CORR_ENG:DYN_MGR:CP:CP_EX:CP_IM:IDENT:VIEW_ADD_BOOK:SCOUT_ADMIN:	ALL	ADMIN	false

This output shows the usr_id of 1, name of ‘admin’, some timestamps, some null values (created_by/modified_by), the big list of permissions, and the last few fields. The permissions field is made up of a set of colon-delimited strings that, together, make up the permissions a user has. Unfortunately in this article, like the filter, the permissions don’t mean a whole lot. NIA has two types of users: those who can login and are regular, and those who can login and are an admin. The very last permission for the admin user is ‘SCOUT_ADMIN’ which essentially makes the user an admin. A regular user will have all of the other permissions except SCOUT_ADMIN if created via the normal NIA interface. There can be unlimited users of either type but those are the only two things we care about. Feel free to tinker with other permissions combinations, but no other combination is supported so don’t break things too badly. For our driver to work we’ll just set the lesser set of permissions, or maybe add a second entitlement that grants the greater set, but that will probably end up being a task for your own entertainment if you are so inclined.

Another table of interest is the ‘contacts’ table, defined as shown below:

COLUMN_NAME TYPE_NAME COLUMN_SIZE
cnt_id int4 4
first_name varchar 20 20
last_name varchar 30
title varchar 128 128
department varchar 128
phone varchar 64 64
email varchar 255
pager varchar 64
cell varchar 64
date_created timestamptz 8
date_modified timestamptz 8
created_by int4 4
modified_by int4 4

This table is used to just keep track of user-specific data for each of the users in the ‘users’ table. An example, for admin, is shown below:

cnt_id	first_name	last_name	title	department	phone	email	pager	cell	date_created	date_modified	created_by	modified_by
1	(null)	(null)	(null)	(null)	(null)	(null)	(null)	(null)	2008-10-27 13:08:40.036728	2008-10-27 13:08:40.036728	1	1

In this case you can see that most of the fields (first_name, last_name) are normally blank. These can be filled in for any user including ‘admin’ but having default values is not easy to do when an admin could be named anything. The values in here are not critical to survival but they are expected by the system so we’ll be filling them in with the driver.

The next thing to analyze from NIA is how users are typically created. We could probably insert the values into the tables manually and while that would be fun it does not work well as changes are made to the product over time. Sentinel developers (and in turn NIA developers) use stored procedures to help with this. Stored Procedures (and for similar reasons, views) are used to provide a way to do a certain task that does not change frequently, even as the backend tables and other data structures may be variable. For our purposes the esec_insert_user stored procedure will be used in order to create the users. On the other side the ‘esec_delete_user’ stored procedure will be used to delete users that we no longer care about. The former procedure takes a fair number of variables while the latter simply takes the username of the user being deleted. A sample insertion follows:

select * from esec_insert_user('testniauser3', 'novell', 'ALL', true, '', 'MAIN_PERMISSION:RT_MS:RT_MS_SW:RT_MS_CM:RT_MS_SS:RT_FL_PUBFL:RT_FL_PUBFL_CR:RT_FL_PUBFL_MO:RT_FL_PUBFL_DE:RT_FL_PRIFL:RT_FL_PRIFL_CR:RT_FL_PRIFL_MO:RT_FL_PRIFL_DE:RT_FL_PRIFL_VW:RT:RT_VW:RT_MI:RT_MI_VW:RT_MI_AI:RT_MI_RI:RT_MI_EE:RT_MI_VA:RT_MI_VV:RT_SD_VW:ITRAC:ITRAC_VW:ITRAC_AM:ITRAC_TM:ITRAC_TM_VW:ITRAC_TM_CR:ITRAC_PM:ITRAC_PM_VW:ITRAC_PM_CR:ITRAC_WM:IN:IN_VW:IN_ADM:IN_VWIN:IN_CI:IN_MOI:IN_DI:IN_AI:IN_EML:IN_ACT:IN_NOTES:WZ:WZ_VW:WZ_VW_SP:WZ_ADM:WZ_CTRL:WZ_PLUGIN:WZ_VW_RAW:WZ_DEBUG:AN:AN_VW:AD:AD_VW:ADM:ADM_VW:RT_FL_GLOFL:RT_FL_GLOFL_VW:RT_FL_GLOFL_MO:ADM_DAS_STATS:ADM_EVT_CFG:ADM_MENU_EVT:ADM_MAP_CFG:ADM_MENU_CFG:ADM_REP_DATA:ADM_SRVVW:ADM_SRVVW_VW:ADM_SRVVW_CNTRL:ADM_USRADM:ADM_USR_SESS:ADM_ROLEADM:INTEGRATORS:INT_VW:INT_ADM:INT_PLUGINS:ACTIONS:VIEW_ACT:MANAGE_ACT:MANAGE_ACTION_PLUGINS:CORR:CORR_TAB_VW:CORR_MGR:CORR_ENG:DYN_MGR:CP:CP_EX:CP_IM:IDENT:VIEW_ADD_BOOK:', 'testniauser3', 'testniauser3lname', '', '', '', '', '' , '')

and a sample deletion comes next:

select * from esec_delete_user('testniauser3')

Several of the fields at the end are for the contact information which is why they are null from the start although you can see that the permissions are all granted together, the username data and password all come together as well (‘novell’ is the password), and the rest we can extrapolate by how the tables are populated in the end.

So with an understanding of how the NIA side works we can move onto the driver. The JDBC driver makes a connection using PostgreSQL’s JDBC connector to the database itself. From there we can either map directly to tables, create indirect tables and use triggers to do the data transfer from those indirect tables to the real tables, or we can make SQL calls directly which lets us take advantage of existing stored procedures provided by the database for its specific application. In our case we’ll go for the last option. A few different SQL queries will come into play and we’ll construct their calls via XSLT.

For example to add a user the following XSLT will do our bidding:

<stylesheet name="Embedded SQL - Add Event">
	<xsl:stylesheet exclude-result-prefixes="query cmd dncv" version="1.0" xmlns:cmd="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsCommandProcessor" xmlns:dncv="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.DNConverter" xmlns:jdbc="urn:dirxml:jdbc" xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
		<!-- parameters passed in from the DirXML engine -->
		<xsl:param name="srcQueryProcessor"/>
		<xsl:param name="destQueryProcessor"/>
		<xsl:param name="srcCommandProcessor"/>
		<xsl:param name="destCommandProcessor"/>
		<xsl:param name="dnConverter"/>
		<xsl:param name="fromNds"/>
		<!-- identity transformation template -->
		<!-- in the absence of any other templates this will cause -->
		<!-- the stylesheet to copy the input through unchanged to the output -->
		<xsl:template match="node()|@*">
			<xsl:copy>
				<xsl:apply-templates select="@*|node()"/>
			</xsl:copy>
		</xsl:template>
		<xsl:template match="add">
			<xsl:copy>
				<xsl:apply-templates select="@*"/>
				<xsl:attribute name="jdbc:transaction-id">0</xsl:attribute>
				<xsl:attribute name="jdbc:op-id">0</xsl:attribute>
				<xsl:apply-templates select="node()"/>
			</xsl:copy>
			<xsl:call-template name="add-user"/>
			<!-- <xsl:call-template name="add-contact"/> -->
		</xsl:template>
		<xsl:template name="add-user">
			<xsl:variable name="CN" select="add-attr[@attr-name='CN']/value"/>
			<xsl:variable name="pwd" select="add-attr[@attr-name='nspmDistributionPassword']/value"/>
			<xsl:variable name="desc" select="add-attr[@attr-name='Description']/value"/>
			<xsl:variable name="SN" select="add-attr[@attr-name='Surname']/value"/>
			<xsl:variable name="GN" select="add-attr[@attr-name='Given Name']/value"/>
			<xsl:variable name="title" select="add-attr[@attr-name='Title']/value"/>
			<xsl:variable name="dept" select="add-attr[@attr-name='Department']/value"/>
			<xsl:variable name="phone" select="add-attr[@attr-name='Telephone Number']/value"/>
			<xsl:variable name="email" select="add-attr[@attr-name='Internet EMail Address']/value"/>
			<jdbc:statement jdbc:op-id="0" jdbc:transaction-id="0" jdbc:transaction-type="auto" jdbc:type="query">
				<jdbc:sql>
					<xsl:text>select * from esec_insert_user('</xsl:text>
					<xsl:value-of select="$CN"/>
					<xsl:text>', '</xsl:text>
					<xsl:value-of select="$pwd"/>
					<xsl:text>', 'ALL', </xsl:text>
					<xsl:text>true, '</xsl:text>
					<xsl:value-of select="$desc"/>
					<xsl:text>', '</xsl:text>
					<xsl:text>MAIN_PERMISSION:RT_MS:RT_MS_SW:RT_MS_CM:RT_MS_SS:RT_FL_PUBFL:RT_FL_PUBFL_CR:RT_FL_PUBFL_MO:RT_FL_PUBFL_DE:RT_FL_PRIFL:RT_FL_PRIFL_CR:RT_FL_PRIFL_MO:RT_FL_PRIFL_DE:RT_FL_PRIFL_VW:RT:RT_VW:RT_MI:RT_MI_VW:RT_MI_AI:RT_MI_RI:RT_MI_EE:RT_MI_VA:RT_MI_VV:RT_SD_VW:ITRAC:ITRAC_VW:ITRAC_AM:ITRAC_TM:ITRAC_TM_VW:ITRAC_TM_CR:ITRAC_PM:ITRAC_PM_VW:ITRAC_PM_CR:ITRAC_WM:IN:IN_VW:IN_ADM:IN_VWIN:IN_CI:IN_MOI:IN_DI:IN_AI:IN_EML:IN_ACT:IN_NOTES:WZ:WZ_VW:WZ_VW_SP:WZ_ADM:WZ_CTRL:WZ_PLUGIN:WZ_VW_RAW:WZ_DEBUG:AN:AN_VW:AD:AD_VW:ADM:ADM_VW:RT_FL_GLOFL:RT_FL_GLOFL_VW:RT_FL_GLOFL_MO:ADM_DAS_STATS:ADM_EVT_CFG:ADM_MENU_EVT:ADM_MAP_CFG:ADM_MENU_CFG:ADM_REP_DATA:ADM_SRVVW:ADM_SRVVW_VW:ADM_SRVVW_CNTRL:ADM_USRADM:ADM_USR_SESS:ADM_ROLEADM:INTEGRATORS:INT_VW:INT_ADM:INT_PLUGINS:ACTIONS:VIEW_ACT:MANAGE_ACT:MANAGE_ACTION_PLUGINS:CORR:CORR_TAB_VW:CORR_MGR:CORR_ENG:DYN_MGR:CP:CP_EX:CP_IM:IDENT:VIEW_ADD_BOOK:</xsl:text>
					<xsl:text>', '</xsl:text>
					<xsl:value-of select="$GN"/>
					<xsl:text>', '</xsl:text>
					<xsl:value-of select="$SN"/>
					<xsl:text>', '</xsl:text>
					<xsl:value-of select="$title"/>
					<xsl:text>', '</xsl:text>
					<xsl:value-of select="$dept"/>
					<xsl:text>', '</xsl:text>
					<xsl:value-of select="$phone"/>
					<xsl:text>', '</xsl:text>
					<xsl:value-of select="$email"/>
					<xsl:text>', '' , '')</xsl:text>
					<jdbc:param/>
				</jdbc:sql>
			</jdbc:statement>
		</xsl:template>
	</xsl:stylesheet>
</stylesheet>

The first section sets up variables based on the attributes that are in the operation document, for example copying the value of the ‘CN’ attribute to the ‘CN variable, the nspmDistributionPassword attribute to the ‘pwd’ variable, etc. The section that starts with <jdbc:statement jdbc:op-id=”0″ and continues until the </xsl:template> line creates a document like the following which eventually goes to the JDBC shim and is executed in PostgreSQL:

<jdbc:statement event-id="0" jdbc:op-id="0" jdbc:transaction-id="0" jdbc:transaction-type="auto" jdbc:type="query" xmlns:jdbc="urn:dirxml:jdbc">
  <jdbc:sql>select * from esec_insert_user('testniauser3', 'novell', 'ALL', true, '', 'MAIN_PERMISSION:RT_MS:RT_MS_SW:RT_MS_CM:RT_MS_SS:RT_FL_PUBFL:RT_FL_PUBFL_CR:RT_FL_PUBFL_MO:RT_FL_PUBFL_DE:RT_FL_
PRIFL:RT_FL_PRIFL_CR:RT_FL_PRIFL_MO:RT_FL_PRIFL_DE:RT_FL_PRIFL_VW:RT:RT_VW:RT_MI:RT_MI_VW:RT_MI_AI:RT_MI_RI:RT_MI_EE:RT_MI_VA:RT_MI_VV:RT_SD_VW:ITRAC:ITRAC_VW:ITRAC_AM:ITRAC_TM:ITRAC_TM_VW:ITRAC_TM_CR:IT
RAC_PM:ITRAC_PM_VW:ITRAC_PM_CR:ITRAC_WM:IN:IN_VW:IN_ADM:IN_VWIN:IN_CI:IN_MOI:IN_DI:IN_AI:IN_EML:IN_ACT:IN_NOTES:WZ:WZ_VW:WZ_VW_SP:WZ_ADM:WZ_CTRL:WZ_PLUGIN:WZ_VW_RAW:WZ_DEBUG:AN:AN_VW:AD:AD_VW:ADM:ADM_VW:
RT_FL_GLOFL:RT_FL_GLOFL_VW:RT_FL_GLOFL_MO:ADM_DAS_STATS:ADM_EVT_CFG:ADM_MENU_EVT:ADM_MAP_CFG:ADM_MENU_CFG:ADM_REP_DATA:ADM_SRVVW:ADM_SRVVW_VW:ADM_SRVVW_CNTRL:ADM_USRADM:ADM_USR_SESS:ADM_ROLEADM:INTEGRATO
RS:INT_VW:INT_ADM:INT_PLUGINS:ACTIONS:VIEW_ACT:MANAGE_ACT:MANAGE_ACTION_PLUGINS:CORR:CORR_TAB_VW:CORR_MGR:CORR_ENG:DYN_MGR:CP:CP_EX:CP_IM:IDENT:VIEW_ADD_BOOK:', 'testniauser3', 'testniauser3lname', '', '
', '', '', '' , '')<jdbc:param/>
  </jdbc:sql>
  <operation-data add-event-cn="testniauser3" add-event-srcdn="\IDM0TREE0\org\suse\niatest0driverset0\testniauser3"/>
</jdbc:statement>

Duplicating this same process but in different stylesheets for different purposes integrating with the database doing multiple types of operations (password changes, adds, deletes, updates, renames) should all be fairly straight forward.

In the end we end up with the following code that includes the entire driver configuration plus some of the default code from the JDBC preconfig that was not used in the finished product but which is still present due to my not having removed it yet:

<?xml version="1.0" encoding="UTF-8"?><driver-configuration dn="jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" driver-set-dn="LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" name="jdbc-nia">
	<attributes>
		<application-schema>
			<schema-def dn-format="ldap" hierarchical="false" jdbc:number-of-classes="1" jdbc:number-of-visible-tables="2">
				<class-def class-name="contacts" container="false" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE">
					<attr-def attr-name="cnt_id" jdbc:java-type="java.sql.Types.INTEGER" jdbc:native-type="int4" jdbc:nullable="false" jdbc:position="1" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="10" multi-valued="false" naming="true" required="true" type="int"/>
					<attr-def attr-name="first_name" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="true" jdbc:position="2" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="20" multi-valued="false"/>
					<attr-def attr-name="last_name" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="true" jdbc:position="3" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="30" multi-valued="false"/>
					<attr-def attr-name="title" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="true" jdbc:position="4" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="128" multi-valued="false"/>
					<attr-def attr-name="department" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="true" jdbc:position="5" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="128" multi-valued="false"/>
					<attr-def attr-name="phone" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="true" jdbc:position="6" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="64" multi-valued="false"/>
					<attr-def attr-name="email" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="true" jdbc:position="7" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="255" multi-valued="false"/>
					<attr-def attr-name="pager" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="true" jdbc:position="8" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="64" multi-valued="false"/>
					<attr-def attr-name="cell" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="true" jdbc:position="9" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="64" multi-valued="false"/>
					<attr-def attr-name="date_created" jdbc:java-type="java.sql.Types.TIMESTAMP" jdbc:native-type="timestamptz" jdbc:nullable="false" jdbc:position="10" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="35" multi-valued="false" required="true" type="time"/>
					<attr-def attr-name="date_modified" jdbc:java-type="java.sql.Types.TIMESTAMP" jdbc:native-type="timestamptz" jdbc:nullable="false" jdbc:position="11" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="35" multi-valued="false" required="true" type="time"/>
					<attr-def attr-name="created_by" jdbc:java-type="java.sql.Types.INTEGER" jdbc:native-type="int4" jdbc:nullable="true" jdbc:position="12" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="10" multi-valued="false" type="int"/>
					<attr-def attr-name="modified_by" jdbc:java-type="java.sql.Types.INTEGER" jdbc:native-type="int4" jdbc:nullable="true" jdbc:position="13" jdbc:privileges="DELETE, INSERT, REFERENCES, SELECT, TRIGGER, UNKNOWN, UPDATE" jdbc:size="10" multi-valued="false" type="int"/>
					<attr-def attr-name="users.usr_id" jdbc:java-type="java.sql.Types.INTEGER" jdbc:native-type="int4" jdbc:nullable="false" jdbc:position="1" jdbc:size="10" type="int"/>
					<attr-def attr-name="users.name" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="false" jdbc:position="2" jdbc:size="64"/>
					<attr-def attr-name="users.stt_id" jdbc:java-type="java.sql.Types.INTEGER" jdbc:native-type="int4" jdbc:nullable="false" jdbc:position="4" jdbc:size="10" type="int"/>
					<attr-def attr-name="users.description" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="true" jdbc:position="5" jdbc:size="512"/>
					<attr-def attr-name="users.date_created" jdbc:java-type="java.sql.Types.TIMESTAMP" jdbc:native-type="timestamptz" jdbc:nullable="false" jdbc:position="6" jdbc:size="35" type="time"/>
					<attr-def attr-name="users.date_modified" jdbc:java-type="java.sql.Types.TIMESTAMP" jdbc:native-type="timestamptz" jdbc:nullable="false" jdbc:position="7" jdbc:size="35" type="time"/>
					<attr-def attr-name="users.created_by" jdbc:java-type="java.sql.Types.INTEGER" jdbc:native-type="int4" jdbc:nullable="true" jdbc:position="8" jdbc:size="10" type="int"/>
					<attr-def attr-name="users.modified_by" jdbc:java-type="java.sql.Types.INTEGER" jdbc:native-type="int4" jdbc:nullable="true" jdbc:position="9" jdbc:size="10" type="int"/>
					<attr-def attr-name="users.permissions" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="true" jdbc:position="10" jdbc:size="4000"/>
					<attr-def attr-name="users.filter" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="true" jdbc:position="11" jdbc:size="128"/>
					<attr-def attr-name="users.upper_name" jdbc:java-type="java.sql.Types.VARCHAR" jdbc:native-type="varchar" jdbc:nullable="true" jdbc:position="12" jdbc:size="64"/>
					<attr-def attr-name="users.domain_auth_ind" jdbc:java-type="java.sql.Types.BIT" jdbc:native-type="bool" jdbc:nullable="true" jdbc:position="13" jdbc:size="1" type="int"/>
				</class-def>
			</schema-def>
		</application-schema>
		<configuration-manifest>
			<manifest>
				<capability name="password-subscribe"/>
				<capability name="password-check"/>
			</manifest>
		</configuration-manifest>
		<global-config-values>
			<configuration-values>
				<definitions>
					<definition display-name="Application accepts passwords from DirXML" name="enable-password-subscribe" type="boolean">
						<description>If true, allows passwords to flow from the DirXML data store to the connected system.</description>
						<value>true</value>
					</definition>
					<definition display-name="DirXML accepts passwords from application" name="enable-password-publish" type="boolean">
						<description>If true, allows passwords to flow from the connected system to the DirXML data store.</description>
						<value>false</value>
					</definition>
					<definition display-name="Publish passwords to NDS password" name="publish-password-to-nds" type="boolean">
						<description>Use the password from the connected system to set the non-reversible NDS password in eDirectory.</description>
						<value>false</value>
					</definition>
					<definition display-name="Publish passwords to Distribution Password" name="publish-password-to-dp" type="boolean">
						<description>Use the password from the connected system to set the NMAS Distribution Password used for DirXML password synchronization.</description>
						<value>true</value>
					</definition>
					<definition display-name="Require password policy validation before publishing passwords" name="enforce-password-policy" type="boolean">
						<description>If true, applies NMAS password policies during publish password operations. Password is not written to the data store if it does not comply.</description>
						<value>true</value>
					</definition>
					<definition display-name="Reset user's external system password to the DirXML password on failure" name="reset-external-password-on-failure" type="boolean">
						<description>If true, on a publish Distribution Password failure, attempt to reset the password in the connected system using the Distribution Password from the DirXML data store.</description>
						<value>false</value>
					</definition>
					<definition display-name="Notify the user of password synchronization failure via e-mail" name="notify-user-on-password-dist-failure" type="boolean">
						<description/>
						<value>true</value>
					</definition>
					<definition display-name="Connected System or Driver Name" name="ConnectedSystemName" type="string">
						<description>The name of the connected system, application or DirXML driver. This value is used by the e-mail notification templates.</description>
						<value xml:space="preserve">jdbc-nia</value>
					</definition>
					<definition display-name="Disable Publisher Channel" name="disablepublisher" type="boolean">
						<value>false</value>
						<description>GCV user to disable the publisher channel</description>
					</definition>
					<definition display-name="Group Membership" name="group" type="string">
						<value>NOVELL\WORKFORCE\GROUPS\Scout</value>
						<description>This can be used to add a user to a selected eDir group. If your using the User Application and running the Identity Audit UI in an iFrame portlet. This will allow you to show a custom page only for users who are provisioned into Identity Audit. You will need to configure the custom shared page and make the privileges dependant on being a member of this group.</description>
					</definition>
				</definitions>
			</configuration-values>
		</global-config-values>
		<global-engine-values>
			<configuration-values>
				<definitions>
					<definition display-name="Subscriber channel retry interval in seconds" display-name-ref="ecnm_rint" name="dirxml.engine.retry-interval" range-lo="1" type="integer">
						<description description-ref="ecds_rint">The subscriber channel retry interval controls how frequently the DirXML Engine will retry the processing of a cached transaction after the application shim's Subscriber object returns a retry status.</description>
						<value>30</value>
					</definition>
					<definition display-name="Qualified form for DN-syntax attribute values" display-name-ref="ecnm_dnvf" name="dirxml.engine.qualified-dn-values" type="boolean">
						<description description-ref="ecds_dnvf">The qualified form for DN-syntax attribute values controls whether values for DN-syntax attribute values are presented in unqualified slash form or qualified slash form. A "true" setting means the values are presented in qualified form.</description>
						<value>false</value>
					</definition>
					<definition display-name="Qualified form for rename events" display-name-ref="ecnm_refm" name="dirxml.engine.qualified-rename-values" type="boolean">
						<description description-ref="ecds_refm">The qualified form for rename events controls whether the new-name portion of rename events coming from the Identity Vault are presented to the Subscriber channel with type qualifier(s) (e.g. CN=). A "true" setting means the names are presented in qualified form.</description>
						<value>false</value>
					</definition>
					<definition display-name="Maximum eDirectory replication wait time in seconds" display-name-ref="ecnm_mrpw" name="dirxml.engine.max-replication-wait" range-lo="1" type="integer">
						<description description-ref="ecds_mrpw">The maximum eDirectory replication wait time controls the maximum time that the DirXML Engine will wait for a particular change to replicate between the local replica and a remote replica. This only affects operations where the DirXML Engine is required to contact a remote eDirectory server in the same tree to perform an operation and may need to wait until some change has replicated to or from the remote server before the operation can be completed (e.g. object moves when the DirXML server does not hold the master replica of the moved object ;file system rights operations for Users created from a template.)</description>
						<value>180</value>
					</definition>
					<definition display-name="Use non-compliant backwards-compatible mode for XSLT" display-name-ref="ecnm_xbcm" name="dirxml.engine.xslt-bc-mode" type="boolean">
						<description description-ref="ecds_xbcm">This control sets the XSLT processor used by the DirXML Engine to a backwards-compatible mode. The backwards-compatible mode causes the XSLT processor to use one or more behaviors that are not XPath 1.0 and/or XSLT 1.0 standards-compliant. This is done in the interest of backwards-compatiblity with existing DirXML stylesheets that depend on the non-standard behavior(s). 
 
 In particular: 
 
 The behavior of the XPath "!=" operator when one operand is a node-set and the other operand is other than a node-set is incorrect in DirXML releases up to and including DirXML 2.0 (Novell Identity Manager 2.0). This behavior has been corrected; however, the corrected behavior is disabled by default through this control in favor of backwards-compatibility with existing DirXML stylesheets.</description>
						<value>true</value>
					</definition>
					<definition display-name="Maximum application objects to migrate at once" display-name-ref="ecnm_mxappm" name="dirxml.engine.max-migrate-app-count" range-lo="1" type="integer">
						<description description-ref="ecds_mxappm">This control is used to limit the number of application objects that the DirXML Engine will request from an application during a single query that is performed as part of a "migrate objects from application" operation. 
 
 If "java.lang.OutOfMemoryError" errors are encountered during a migrate from application operation then this number should be set lower than the default. 
 
 Note that this control does not limit the number of application objects that can be migrated; it merely limits the "batch size".</description>
						<value>50</value>
					</definition>
					<definition display-name="Set creatorsName on objects created in Identity Vault" display-name-ref="ecnm_scrnm" name="dirxml.engine.set-creators-name" type="boolean">
						<description description-ref="ecds_scrnm">This control is used by the DirXML Engine to determine if the creatorsName attribute should be set to the DN of this driver on all objects created in the Identity Vault by this driver.
 
 Setting the creatorsName attribute allows for easily identifying objects created by this driver, but also carries a performance penalty. If not set, the creatorsName attribute will default to the DN of the NCP Server object that is hosting the driver.</description>
						<value>false</value>
					</definition>
					<definition display-name="Write pending associations" display-name-ref="ecnm_pass" name="dirxml.engine.use-pending-association" type="boolean">
						<description description-ref="ecds_pass">This control determines whether the DirXML Engine will write a pending association on an object during subscriber channel processing.
 
 Writing a pending association confers little or no benefit but does incur a performance penalty. Nevertheless, the option exists to turn it on for backward compatibility.</description>
						<value>false</value>
					</definition>
					<definition display-name="Use password event values" display-name-ref="ecnm_pevvl" name="dirxml.engine.use-password-event-values" type="boolean">
						<description description-ref="ecds_pevvl">This control determines the source of the value reported for the nspmDistributionPassword attribute for subscriber channel add and modify events.
 
 Setting the control to false means that the current value of nspmDistributionPassword is obtained and reported as the value of the attribute event. This means that only the current password value is available. This is the default behavior.
 
 Setting the control to true means that the value recorded with the eDirectory event will be decrypted and reported as the value of the attribute event. This means that both the old password value (if it exists) and the replacement password value at the time of the event are available. This is useful for synchronizing passwords to certain applications that require the old password to enable setting a new password.</description>
						<value>false</value>
					</definition>
					<definition display-name="Enable password synchronization status reporting" display-name-ref="ecnm_pss" name="dirxml.engine.pwd-sync-status" type="boolean">
						<description description-ref="ecds_pss">This control determines whether the DirXML Engine will report the status of subscriber channel password change events. 
 
 Reporting the status of subscriber channel password change events allows applications such as the Identity Manager User Application to monitor the synchronization progress of a password change that should be synchronized to the connected application.</description>
						<value>true</value>
					</definition>
					<definition display-name="Combine values from template object with those from add operation" display-name-ref="ecnm_ctv" name="dirxml.engine.combine-template-values" type="boolean">
						<description description-ref="ecds_ctv">This control determines how the DirXML Engine will use values from a template object when the template is used to create objects in the Identity Vault. Setting the control to true causes multi-valued attribute values from the template to be used in addition to those values for the same attribute that are  specified in the add operation. Setting the control to false causes the value(s) from the template to be ignored if there are values for the same attribute specified in the add operation.</description>
						<value>true</value>
					</definition>
					<definition display-name="Allow event loopback from publisher to subscriber channel" display-name-ref="ecnm_ael" name="dirxml.engine.allow-event-loopback" type="boolean">
						<description description-ref="ecds_ael">This control determines whether the DirXML Engine will allow an event to loopback from the publisher channel of a driver to the subscriber channel of the same driver. Setting the control to false means that the loopback of the event from the publisher to the subscriber channel will not be allowed. Setting the control to true means that events would flow from the publisher channel to the subscriber channel of the same driver.  </description>
						<value>false</value>
					</definition>
					<definition display-name="Revert to calculated membership value behavior" display-name-ref="ecnm_cavl" name="dirxml.engine.use-calculated-values" type="boolean">
						<description description-ref="ecds_cavl">Prior to Identity Manager 3.6 the DirXML Engine retrieved "calculated" values for the attributes "Member" and "Group Membership". The Engine now retrieves static values. This behavior is more generally useful and makes synchronizing Nested Groups possible. Setting this control to true reverts to the pre-3.6 behavior. 
 
 It is possible even with the post-3.6 default behavior to read the calculated values for "Member" and "Group Membership" by using the special attribute names "[pseudo].Member" and "[pseudo].Group Membership".</description>
						<value>false</value>
					</definition>
				</definitions>
			</configuration-values>
		</global-engine-values>
		<driver-filter-xml>
			<filter>
				<filter-class class-name="User" publisher="sync" publisher-create-homedir="true" publisher-track-template-member="false" subscriber="sync">
					<filter-attr attr-name="Surname" merge-authority="default" publisher="notify" publisher-optimize-modify="true" subscriber="sync"/>
					<filter-attr attr-name="nspmDistributionPassword" merge-authority="none" publisher="ignore" publisher-optimize-modify="false" subscriber="notify"/>
					<filter-attr attr-name="CN" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="notify"/>
					<filter-attr attr-name="departmentNumber" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="sync"/>
					<filter-attr attr-name="Internet EMail Address" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="sync"/>
					<filter-attr attr-name="Telephone Number" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="sync"/>
					<filter-attr attr-name="Title" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="sync"/>
					<filter-attr attr-name="Given Name" merge-authority="default" publisher="sync" publisher-optimize-modify="true" subscriber="sync"/>
					<filter-attr attr-name="DirXML-EntitlementRef" merge-authority="edir" publisher="ignore" publisher-optimize-modify="true" subscriber="notify"/>
					<filter-attr attr-name="Description" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="notify"/>
				</filter-class>
			</filter>
		</driver-filter-xml>
		<reciprocal-attr-map/>
		<driver-image><![CDATA[R0lGODlhYgBPAPflAP///9vb29jX4+WvsPz8/B4eHvr6+gEBAfbl5aSjo7i2xKuqquzb2p2bm/DLzMu6u1BQUOrr6srJyfX09EFBQcC+1dbW1YODg6+ZmtHR0ejo6JOSkt3d3Dw8PFVVVe7u7tPS3eTl5MvK2+vCwuzs7LKxsfLz8sbFxUxMS87NzSMjI4qKivDw8BQUFP7+/nx7e+bm5RoaGmtra+Tk4vb29ubm5ry61N7e3nNyc7q5uWVlZfHV1cPB2lpaWsHBwbW1tOLi4ujo5/r09Ozs6769vuDg4C0tLQoKCufo5sPC1fLy8fDw78/P2/j4+IF/f7az1Nzb25mXmOrq6TQ0NO7u7eTk6Z6dq9nZ39TV07i20+Hi4ODf356buNjY2Nvb2trb2/b19eDf5/X29b6829va28/Pzqinu7OyssTEw9rZ2cHBzbKwx6+urq2qx/f398PDwtra2t7V1e7t7sC/v9XS0tfX2srJ38men+Li4dzc29DQ0LCvsby8u9va2tfX15iVlpCOjubl5sfHxt7e3eDg39/f46moqMjIx9/f3qOir/v7+9ra2YeGhrOyuv7//v///uTk5uLh4OPj46elpdHR1+rp6urq7d3d3bu7ur28vPj39/Dq6v/+/tTT1Ojn69jY22BgYNvc3Le2ttvc2svK1L++x8TExbm4uPX086Cfn/39/d3d4OHi4svLy8zMzOnp6cfG1+3u7vn3+M3LzOTj4+Xl5efn6dra2/Pz87W0s93e3nd3d7Cwr6mop09PT9PT0m5ubhsbG+vs7EZHRuvr69zb3MrKzuvr7ff4+Orp6dna2dna2trZ2v7+/+/v7+Pj5OXj5+Xm5ubl5UhJSOfo6MfG3Ofn59/g4P79/tLR4fn5+fr6+drb2u3t7f39/u3t7PHx8P7+/bSytbi11xAQD////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAEAAOUALAAAAABiAE8AAAj/AMsJHEiwoMGDCBMqXJhQEpEXPSioUNHBF7BUcMAw3Mixo8eNZYCpOHCghYopU1TEOHLgCIQSH2PKnGmwG7AYBwqA2sDLhx4LJ0SlwtGBJIoTNJMqXejKSEknJwJInUo1RYIpJaMs3coVTYEDHlpRDeDFy1ipFpyQO7CBq9uZcFQceZGnmFQyAb546XP2i9QFLQ4YekuYoyoKB3BcyhNKqp5cDRjt2sWoQS49YxMcISehsOeEKw4M65KndIBcgF5cYLRiBaMLLwDlgiPVrBPRND7rHggmWAtelxZbMORkxYYoqRIkSBVlwwonhjpN9VN0we7dtz0EZ7zgwoZUhkqI/8KESVQJQ6k2XFjAl+ykAyhyHzzBSAcECvjz69/Pv7///R0EKOCAAlJAjgpzBMfBKYz8MUkuRAjiShlluCIIEblM8gcjokz1SwdHWGCQHz3glFMBKKao4oosohjMizDGKOOMMcZg440xTMHGDcH90sAfhpxygh5p3LDFFjekoccJpxjyRwMZTPXCAakUdAZORvyBSDdKTIALLiYooQQ44LDAgjPOfPABFd18Q4IwEUjxyisaWGNNDbXUEoIkkgABRCRFIILIDTyadgszaXShqB9+WGBBJ4QGl8kGk5wigQVFaECCHHKQoEERFkhwyiQbYFJbKkfoQJAo5JBzgQEAxP8KgCMuuOCNKqoQQIAiihhggDbaNKGJGzTQAAYYXuIypplpftDNm8RIUQmd1NwZjZ57+hkJoIESyuMlC6SSywkWhNANLmC44QYYuHQTAlC5pLLAVJgUQMFAlxRwRC6yyspJrdjkqiuvvgLbBDLqGjtBssuemeazJEQ7rQa23BlILZBkC4QW3Ap6gy7BJbAAEXoU0Q0YBuiqqwFgdFOEHkQYkgBZAaRgxBQCKQLMASv062+t4eA6cK+/BttEwmCI4WWYZZ6pJsTRyqlBEHfiGcKefbIC6DUef5tKCYKkoQEuKddaKwEG4KJBGoKU0MBUFkxhhEBFkGMEMT7HSqsLQYf/sEURgB+J5Lfb5SEVHGkk3gWjjjrayeOd/CJ5BhnooQeFZfySQgqztHKIHpd8W6krN5AABgEu9OsCAWCQcIMrosxM1i9yC8TGAYzkHesjtdaSCw67vODE8MQXb/zxyCd//Asv4ADMLl18e0Ymemwhhxuoq06AG3JsUQYmbEzVys0C7XKEKLoDUCt9TjACyAZ//BHF/PTXb//9+OdP/x8bALLCBTjAxLfmQL0iXC97slod97yHiRxM5RQxGIZAelAAC6SPE7Mozh9SMYkFsKEEJTiDCEdIwhKa8IQoFGEJ2ICeDf0AEcFpRSZSULrTpS6BrHMd7AQxlSgcABgC8UUB/0KQPmIAAhDyEkUm3nACQRxCAlCMohSnSMUqWhGKgkBDJnIhv1QQgkddeIMExEY21JkNbWpjWyawUJudsUEgECiABnTnAh8gkRdEkMBP0tAHKPjxj4AMpCAHScg/psECS8IABv5gAUHpIgVv+EUkTpYylbHMZTCTwFQkoIIW3ACOctSdARLQgJ6UIQ2RqIEG5iSFVrrylbCMpSxn2UoN1OIGnbgDBhKQA8Bd43WH8IO50KUudrkLKIegygYOoAMDgHKOeXMDeDJRhjzUQA5KwMXCtsnNbnrzm+D0JjiksIU73CEXCYADt/JQhlb4IVOb6tSnQuXOqehBBeTwwUDiCP9Nn9Hga4LoQg2cQQNtGIBXCE2oQhfK0IYu1A1KiMMdHuADQ/wACForQiQ6UYYMFOlISdLDhMbiAWYqYp+hjOYkclCGLYFBEQRQhdlmStOa2vSmNlWFItwwggHQQQI5SMAb/PSnSFzCAr+4XBku94suUOULuziAEUhAEH7qzg0jywAQPuAGReDqq2ANq1jHSlayKgIBA3DAFjLwBshIoE9E9VNtzhKANJgvBr8oiFWjyQYfdCIELGhCTMtK2MIaFgEjGMEmatAHVxCBFw3wAZ8mKwm6SuUMEDiACohgkL36zA1seIMFAgEObRj2tKj9KgEYkNhN4IIEQPADUNlgmXL/XS0EY/HLHEARmA744SCe7ZcmeIEGP9QAHAZIrXIJS4AdJBYBBnDDOOPwgAfkgBfLOUMfriYVvwQgAz1gSQtWoBHgptRnmgjtaMOmKyVQ7r0ZyIPKVJYH+Mp3viqrASYmMQlM1GC+QnDuCBDQK21swgEjoAMdDpEJXkwiCvzzwVhkoFkcaEAhwZWVJvYg2kBA4AW6+oUHZGCIEhNnJ+BQmRM8UOJUyEAGl5jvJZwggzNILhWgWIGuEIBgB2xCV5vYgQMY8A0NbMECrZjDGSbRAEBcwLt4gUAMAsCQDMdqw2/wQyBk4ARdBaEHC8DvIHahAyXoKgo9UJkSgAEMlQ1C/wdRwG8Q5kCAAzvAAULY8QgcAI4mTIAFr4hEGsrQ1gczgqQF+ORCrAyA4Yq2Fu1DKCjYsNAbgKIBvGIDKBKqaYTigBENVcKddyAEXvF4B7IwwNFwwQIp1AIKZfDBGVIBiABwAy9e8EABqLzo8wqXF49mDUJ1UAKGrkAHvCoBshGaihXw6g06cAVDZSFkPJv6zqXuVROaAAYlfEAaUEgBERbwB0TzGsO+1nBfLVALYfOqxgw9gwz8oAh5IxQTjEAEr1ysBIby2AEEVoQQ7hxwXm0jWG5ABRVq4QdBzJoMZpGKrs+dEEZrYgFzkGQPgGFQAwDjB74Kua9+AAw/GIDkG//YwC428IqQbwAYIhc5AxyAal/9exMxNxgNWGCNPrTiFAnwC14CMPEqpztWNBjZL4owjGEUiwYq+MO2gRVykpuc5L7SwAl2AXIDvDzmIT91x//NgG2ri1jGAgM4knGJMmRiEuY2ej/7lXQiZOAaw5iGGPbuqr37XQxu0MEU1NWAaSDj8MgQRQ9qoY1ULP5giD88WkeACnXtYACYd8bf/24CKSACZnAfOtF3LXfd1T0DiMj7scDgqtWv3hrk6MGxLkAO1/OBHHwAAxvIsQHXu76nCDjWJjA/AMr7/lhKeMXnidCLuPd67rKqux5uMI1pbLMFF/AmBbuwsAu0gJsbaAH/9yeAAiPA4JvDH8E2L4/5HXATFQsDhwZuUAYiwD3io6c4QhiddGpeYhoo8CV+gH1fIoA9oAISUIA90AIFiAkqsAsF6AdG4FsFiAt+sAG4wAADwABfAg49VXzZVIGsZg1t93bOh27Qh3QLwAdlwAEdgAImYAKYYBIoUIMqgAIbUAsxGIMo0AI1+IKpsIMxWAu7oAI9cAEXgAIdgAkx6AADsAkxOHyYBw5CGINLYA0ckAJ8AHdUUXTPZ3qGgAlL1QKAICZmeIZomIZqeIaHQB4zgIbORQVi4oQOoIbOAAN5kAL71V0BQAZeiIJgiAk+AAodUARkcoiImIiKuIiMCA7O/8ACh8gADEAmTrgJiegMnhAGVwAHroAJskMzf1hxRwcANNALOUABF9AF37AErNiKrviKsBiLrngMYSAA2RAGJOCKq7gJI8AAsBgG2WAHT7AGpRBUfTgVobh/o1iKOeAKizADQ4Am0jiN1FiN1ogmH1AF2cADdrAKlmCNH7ADDDCNH3AMsRALzjAEV9AGXLAHnyhxpPeFeeMMCXAKrZAGtEAMarKPVLCP/viPAOmPJGAHNjAOPICLsdANCrmQx1AJ0FAFtRiMdhAGx6AmxCAJasAFViA7EZeM5pWCpFgp95iPVFCSJnmSKJmSKtkNAlANPDAGNjAGY8ADNFmTMnmT3P+YDVVwkhcJCxr5jvlXevOYAKIgAV2AB1LwDUq5lEzZlE75lEupAWFQCAJgi9lwlVdZlWFQBa9AAk8pBXigAFyQCDMDcX7hkZ21jJNQlH4QCa8wBHAZl3I5l3RZl3SpAXaZl3H5CnXQBmYgDqkwFWWBlnq1jER5CJgSBMSwmIzZmI75mJDZmLZgBzxgC5G5mFIAkZXgmAKwBgpgCkLRh95FmFVlmKKAmEWABBGwmqzZmq75mrDZmmEwDgYpAkyQDVVZldnABC5ZkAe5mjUgAlkACxYgCKHZhfEIiHkDBgnwA4KABVtgDbQ0ndTpSldQDTaQBU+wndz5BOOQBTaQk8//IAWFIALZUAiIgAWC8AOBiZz695G6w5y58JyIAANzcp/4mZ/6uZ/8CQmrYItMYJvZAAICsArPgAT4yQq18AowMAhYcALxwodBKY8+AwbicgK/MAi1EAQc2qEe+qEgGqIhygo1IKImGgS1wAG/AKGpgBdDR5ooBZITkApngKGDEAJIkKM6uqM82qM+2qMgMAZXUAvWwKPW8AxXsAo+GgIqigazdoKiCJIWWqO/wAEzYCdYmqVauqVcuqU1wANPYAMVwAPVIAJmCgtJkJ3DeQVIkKUzkAe/4KRvMxVfAKPPFJ80igYZMAozAAN++qeAGqiCOqh+CgSF8AwwUAiwUAHZ/9mdT5AF4FkBSSAAgToDo5ABcgqlyiilNPoGGeAFkkCoojqqrMAEsAALTLAKf/oMqwACAWqmTAACV6CggyoJfmAMb3AGDSB6E6qcFZoKPaEHixAJM5AnxnqsyJqsxzoDTGADSXAFIaCsyRqt0aqseEAKCuADkKWp8BlNCcAGc5ACXUAIM3Bb5nqu6IquIrCdsHAFQJCu8HquM8AKV8AEaSoBPkBb3JqWIGkAvLAAmdAKFjAIeCAJM3CwCJuwCruwBwsCjAqpzmqbIPAJV1CxFmuxn1AHrioCaJoESQALlOAHrtAIVhAFeeEXuZacUUpHrUCUJ5AB3EAIWjCzNFuzNv97szUbCavwCSDAsUnAqDagppA6tEFbAZIqArIqs4TQCaVgBmTZni+qssr4CulDAguARxLwC2ngBXnAAV77tWAbtmI7tqHwCcsQALcQAHWwtmzLDKUBtp9ACaSgBgrgl41wBvX4VHZaDkIEBOlDAH6wAGcwBxKQOb+ABYibuIq7uIzbuBlwAqUQuWowuZQ7uZGrAAqwBpqruQpQCqbgA6LQC7zwC1AWAHEEBwwBCgWQAenzCE1gAaJwBoLYRE90RbZ7RYdwAj5QCpjbu76LuUTguYIgCCeABkTwA2zwA2VwFh2gApLAEC9QAOijO7yjDdGAqT7ARCfQRNvbvd67vWj/EL7i+wbkS74+cL7om75zsL7s277tSwSZkAOnkAM+gRd6IRVdEANG4AYMcTtO0Lq1ogg0QAV2wqF24qd6crB9ggfbQghfNAhfmwdesAjKkCiM0iiJGznwZTkUsjmb4wqu0AqtkAJNRVeoMg0bIQkmgTd50wxAIzS7QjQGMyzEcixeIiZNg40KGTGtRCd1UgMXczVwxTFFQAiDQjgcYBpPNRUocABawRAEEFX/mzdmEzQCQzBFY3bFkjQMk8NPQwI8LDU/DAMY8wx8UlRFsAVdExyhoMR0KhWoUgAswBGX4BQLkDd74wIwjMUGczRbvDBgMiZlosNgTAxxQicVUwPXziLEfpJRRnzEhWM4fOgXufAVb9QRORAYL0BEsrI3qhXDBRMsw/LHXcwsXxzGPlw12AJX25LGa7wYjDEWZbABOMEIMcEHTqECK3AKGVALk0VUWtMxkAzLAQAHiGPBjdI4jzM5lKNUHgzCIhxFhzDNw+u9piC++8UIRXEEtiwTRaAWLdEi4izONFLO5vwiOJLO6owjJOEB+pQUNzAJEOEB9FzP9nzP+JzP+kzPENDP/vzPAB3Q/+wLvgABOgAIKcC/17HQDN3QDv3QEB3RAhEQADs=]]></driver-image>
		<java-module value="com.novell.nds.dirxml.driver.jdbc.JDBCDriverShim"/>
		<driver-start-option value="1"/>
		<driver-cache-limit value="0"/>
		<shim-auth-id value="dbauser"/>
		<shim-auth-server value="jdbc:postgresql://192.168.3.222:5432/SIEM"/>
		<shim-config-info-xml>
			<driver-config name="JDBC IDM Driver">
				<driver-options>
					<configuration-values>
						<definitions>
							<definition display-name="Third-party JDBC driver class name:" name="jdbc-class" type="string">
								<description>Specify the class name of your third-party JDBC driver.  Verify that the jar or zip file containing this class is version compatible with the target database.</description>
								<value>org.postgresql.Driver</value>
							</definition>
							<group>
								<!-- NOTE:  you have to give all params a name, even if they're not relevant to actual driver configuration -->
								<definition display-name="Show the database scoping parameters?" name="ignore1" type="enum">
									<description>Show parameters that control how much of the database is visible to this driver?</description>
									<enum-choice display-name="show">show</enum-choice>
									<enum-choice display-name="hide">hide</enum-choice>
									<value>show</value>
								</definition>
								<subordinates active-value="show">
									<group>
										<definition display-name="Synchronization filter:" name="sync-filter" type="enum">
											<description>On start-up, the driver caches database metadata on a limited number of tables or views to facilitate data synchronization.  You can cache no table or view metadata (exclude all tables or views), cache metadata on all tables or views owned by a single database user (include by schema membership) or cache metadata on an explicit list of table or view names (include by table or view name).  If no table or view metadata is cached, the driver acts as a pass-through agent for embedded SQL.  In this state, standard XDS events (add, modify, delete) are ignored.</description>
											<enum-choice display-name="exclude all tables/views">empty</enum-choice>
											<enum-choice display-name="include by schema membership">schema</enum-choice>
											<enum-choice display-name="include by table/view name">list</enum-choice>
											<value>list</value>
										</definition>
										<subordinates active-value="schema">
											<definition display-name="Schema name:" name="sync-schema" type="string">
												<description>Specify the name of the database schema that contains the tables or views to synchronize.  Schema is usually synonymous with ownership.  For example, if database user idm owns table table1, table1 is said to be part of the idm schema. </description>
												<value/>
											</definition>
											<group>
												<definition display-name="Use custom regular expression filters?" name="ignore2" type="enum">
													<description>Select whether you want to use regular expressions to include or exclude tables or views.  These parameters are useful when synchronizing with a large schema and you need to reduce the number of tables or view definitions cached by this driver.  Schema filtering can reduce start-up time as well as reduce runtime memory utilization.</description>
													<enum-choice display-name="yes">1</enum-choice>
													<enum-choice display-name="no">0</enum-choice>
													<value>0</value>
												</definition>
												<subordinates active-value="1">
													<definition display-name="Include filter expression:" name="include-table-filter" type="string">
														<description>Specify a Java regular expression filter for including tables or views.</description>
														<value/>
													</definition>
													<definition display-name="Exclude filter expression:" name="exclude-table-filter" type="string">
														<description>Specify a Java regular expression filter for excluding tables or views.</description>
														<value/>
													</definition>
												</subordinates>
											</group>
										</subordinates>
										<subordinates active-value="list">
											<definition display-name="Table or view names:" name="sync-tables" type="string">
												<description>Specify the names of the tables or views to synchronize.  You might need to schema-qualify these names (for example owner.table).  Use a semicolon, comma, or space as a delimiter for multiple values.  This parameter is useful if you need to reduce the number of table or view definitions cached by this driver, which can shorten driver start-up time as well as reduce runtime memory utilization.  It is also useful when synchronizing tables or views that reside in different database schemas (that is, are owned by multiple database users).</description>
												<value>contacts</value>
											</definition>
										</subordinates>
									</group>
								</subordinates>
							</group>
							<definition display-name="Time syntax:" name="time-syntax" type="enum">
								<description>Select whether the time-related data types are returned as integers, canonical strings, or Java strings.  The advantage of returning time values as integers is that integer values easily map to eDirectory's native time data types.  The disadvantage is the limited range.  An integer value that represents the number of seconds since 1970 can cover a date range from about 1910 to 2030 if interpreted as a signed value.  By default, Identity Manager interprets time-related integer data types as unsigned values.  String timestamps can cover a much broader range, like database timestamps, and are more precise, but must be mapped to string data types in Identity Manager.  Canonical string timestamps, dates, and times are published in the following formats:  CCYYMMDDHHMMSSNNNNNNNNN, CCYYMMDD and HHMMSS, respectively (where C = century, Y = year, M = month or minute, D = day, H = hour, S = second, N = nano).  These  fixed-length formats have the virtue of collating in chronological order on any platform in any locale.  Java string timestamps, dates, and times are published in the following formats:  yyyy-mm-dd hh:mm:ss.fffffffff, yyyy-mm-dd and hh:mm:ss, respectively (where y = year, m = month or minute, d = day, h = hour, s = second, f = nano).</description>
								<enum-choice display-name="integer (default)">_</enum-choice>
								<enum-choice display-name="canonical string">2</enum-choice>
								<enum-choice display-name="java string">3</enum-choice>
								<value>_</value>
							</definition>
							<definition display-name="State directory:" name="state-dir" type="string">
								<description>Specify the path of the folder where you want this driver to store state information.  Changing this value when using triggerless publication can force a resync of all objects.</description>
								<value>.</value>
							</definition>
							<group>
								<definition display-name="Show connectivity parameters?" name="ignore11" type="enum">
									<description>Select whether to show connectivity-related parameters.</description>
									<enum-choice display-name="show">show</enum-choice>
									<enum-choice display-name="hide">hide</enum-choice>
									<value>hide</value>
								</definition>
								<subordinates active-value="show">
									<definition display-name="Use minimal number of connections?" name="use-single-connection" type="enum">
										<description>Select whether the Subscriber and Publisher share a database connection.  Normally, this driver uses three database connections when both channels are enabled (one subscription connection and two publication connections).  This parameter reduces the number of required connections to two (one dedicated publication connection and one shared subscription and publication connection).</description>
										<enum-choice display-name="dynamic default">_</enum-choice>
										<enum-choice display-name="yes">1</enum-choice>
										<enum-choice display-name="no">0</enum-choice>
										<value>_</value>
									</definition>
									<definition display-name="Connection initialization statements:" name="connection-init" type="string">
										<description>What SQL statements, if any, should be executed immediately after connecting to the database?  Use semicolon-delimiters for mulitple values.  This parameter is useful for changing database contexts or setting session properties.</description>
										<value/>
									</definition>
									<definition display-name="Connection properties:" name="connection-properties" type="string">
										<description>List connection properties as key value pairs.  For example:  key=value.  Use a semicolon as a delimiter for multiple values.  For example:  key1=value1; key2=value2.</description>
										<value/>
									</definition>
								</subordinates>
							</group>
							<group>
								<definition display-name="Show the compatibility parameters?" name="ignore3" type="enum">
									<description>Select whether to show parameters that can adjust adjust driver behavior to enhance compatibility with various third-party JDBC implementations and databases.</description>
									<enum-choice display-name="show">show</enum-choice>
									<enum-choice display-name="hide">hide</enum-choice>
									<value>hide</value>
								</definition>
								<subordinates active-value="show">
									<group>
										<definition display-name="Use custom descriptor files?" name="ignore4" type="enum">
											<description>Select whether you want to use custom XML descriptor files that describe the unique properties of your third-party JDBC implementation or database to this driver.</description>
											<enum-choice display-name="yes">1</enum-choice>
											<enum-choice display-name="no">0</enum-choice>
											<value>0</value>
										</definition>
										<subordinates active-value="1">
											<definition display-name="JDBC driver descriptor filename:" name="jdbc-driver-descriptor" type="string">
												<description>Specify the name of the descriptor file for your third-party JDBC driver.  The filename must have the extension .xml and be located in a jar file whose name begins with "jdbc" (case-insensitive) and in the runtime classpath.</description>
												<value/>
											</definition>
											<definition display-name="Database descriptor filename:" name="database-descriptor" type="string">
												<description>Specify the name of the descriptor file for the target database.  The filename must have the extension .xml and be located in a jar file whose name begins with "jdbc" (case-insensitive) and in the runtime classpath.</description>
												<value/>
											</definition>
										</subordinates>
									</group>
									<group>
										<definition display-name="Show backward compatibility parameters?" name="ignore12" type="enum">
											<description>Select whether to show parameters that ensure backward compatibility.</description>
											<enum-choice display-name="show">show</enum-choice>
											<enum-choice display-name="hide">hide</enum-choice>
											<value>hide</value>
										</definition>
										<subordinates active-value="show">
											<definition display-name="Enable table referential attribute support?" name="enable-refs" type="enum">
												<description>Select whether table columns constrained with foreign key constraints are interpreted as referential attributes.  Referrential attributes allow relationships, such as containment, to exist between tables.  For 1.0 backwards compatibility, referential attribute support must be disabled.</description>
												<enum-choice display-name="yes (default)">_</enum-choice>
												<enum-choice display-name="no">0</enum-choice>
												<value>_</value>
											</definition>
											<definition display-name="Enable view meta-identifier support?" name="enable-meta-identifiers" type="enum">
												<description>Select whether view column name prefixes ("pk_", "fk_", "sv_", "mv_") are interpreted as metadata.  When enabled, the prefixes are not considered part of view column names.  Meta-identifiers allow one to define referrential relationships between views and mark view columns as multi or single-valued.  For 1.5 backwards compatibility, meta-identifier support must be disabled.</description>
												<enum-choice display-name="yes (default)">_</enum-choice>
												<enum-choice display-name="no">0</enum-choice>
												<value>_</value>
											</definition>
										</subordinates>
									</group>
									<group>
										<definition display-name="Show transaction-related parameters?" name="ignore5" type="enum">
											<description>Select whether to show transaction-related parameters.</description>
											<enum-choice display-name="show">show</enum-choice>
											<enum-choice display-name="hide">hide</enum-choice>
											<value>hide</value>
										</definition>
										<subordinates active-value="show">
											<definition display-name="Use manual transactions?" name="use-manual-transactions" type="enum">
												<description>Select whether this driver uses transactions.  Are transactions supported by the target database or table implementation you are using?</description>
												<enum-choice display-name="dynamic default">_</enum-choice>
												<enum-choice display-name="yes">1</enum-choice>
												<enum-choice display-name="no">0</enum-choice>
												<value>_</value>
											</definition>
											<definition display-name="Transaction isolation level:" name="transaction-isolation-level" type="enum">
												<description>Use this parameter to set advanced transaction properties.  For additional information on what these values mean, please refer to the JDBC tutorial at  http://java.sun.com/docs/books/tutorial/jdbc/basics/transactions.html and the documentation of your third-party JDBC driver or database.</description>
												<enum-choice display-name="dynamic default">_</enum-choice>
												<enum-choice display-name="unsupported">unsupported</enum-choice>
												<enum-choice display-name="none">none</enum-choice>
												<enum-choice display-name="read uncomitted">read uncommitted</enum-choice>
												<enum-choice display-name="read comitted">read committed</enum-choice>
												<enum-choice display-name="repeatable read">repeatable read</enum-choice>
												<enum-choice display-name="serializable">serializable</enum-choice>
												<value>read committed</value>
											</definition>
										</subordinates>
									</group>
									<group>
										<definition display-name="Show statement-related parameters?" name="ignore6" type="enum">
											<description>Select whether to show statement-related parameters.</description>
											<enum-choice display-name="show">show</enum-choice>
											<enum-choice display-name="hide">hide</enum-choice>
											<value>hide</value>
										</definition>
										<subordinates active-value="show">
											<definition display-name="Reuse statements?" name="reuse-statements" type="enum">
												<description>Should this driver reuse java.sql.Statement objects or close and reallocate them with each use?</description>
												<enum-choice display-name="dynamic default">_</enum-choice>
												<enum-choice display-name="reuse">1</enum-choice>
												<enum-choice display-name="close and reallocate">0</enum-choice>
												<value>_</value>
											</definition>
											<definition display-name="Number of returned result sets:" name="handle-stmt-results" type="enum">
												<description>Specify how many result sets can be returned from an SQL statement.</description>
												<enum-choice display-name="dynamic default">_</enum-choice>
												<enum-choice display-name="none">none</enum-choice>
												<enum-choice display-name="one">single</enum-choice>
												<enum-choice display-name="multiple">multiple</enum-choice>
												<value>_</value>
											</definition>
											<group>
												<definition display-name="Enable statement-level locking?" name="enable-locking" type="enum">
													<description>Select whether this driver explicitly locks database resources before executing each statement.</description>
													<enum-choice display-name="no (default)">0</enum-choice>
													<enum-choice display-name="yes">1</enum-choice>
													<value>0</value>
												</definition>
												<subordinates active-value="1">
													<group>
														<definition display-name="Use the custom lock statement generator class?" name="ignore13" type="enum">
															<description>Select whether you want to use a custom class to generate locking statements.</description>
															<enum-choice display-name="yes">1</enum-choice>
															<enum-choice display-name="no">0</enum-choice>
															<value>0</value>
														</definition>
														<subordinates active-value="1">
															<definition display-name="Lock statement generator class:" name="lock-generator-class" type="string">
																<description>Specify the name of the class used to generate locking statements.</description>
																<value/>
															</definition>
														</subordinates>
													</group>
												</subordinates>
											</group>
										</subordinates>
									</group>
									<definition display-name="Force username case:" name="force-username-case" type="enum">
										<description>Select the case of the authentication username.</description>
										<enum-choice display-name="don't force (default)">_</enum-choice>
										<enum-choice display-name="to upper case">upper</enum-choice>
										<enum-choice display-name="to mixed case">mixed</enum-choice>
										<enum-choice display-name="to lower case">lower</enum-choice>
										<value>_</value>
									</definition>
									<definition display-name="Left outer-join operator:" name="left-outer-join-operator" type="enum">
										<description>Select a left outer-join operator.</description>
										<enum-choice display-name="dynamic default">_</enum-choice>
										<enum-choice display-name="*=">*=</enum-choice>
										<enum-choice display-name="(+)">(+)</enum-choice>
										<enum-choice display-name="LEFT OUTER JOIN">LEFT OUTER JOIN</enum-choice>
										<value>_</value>
									</definition>
									<definition display-name="Retrieve minimal metadata?" name="minimal-metadata" type="enum">
										<description>Select whether this driver runs using the least amount of database metadata possible.  This parameter is useful when a given third-party JDBC driver does not implement one of the optional metadata method normally utilized by this driver.  When set to no, referential data and child parent relationships are no longer available to this driver.</description>
										<enum-choice display-name="dynamic default">_</enum-choice>
										<enum-choice display-name="yes">1</enum-choice>
										<enum-choice display-name="no">0</enum-choice>
										<value>_</value>
									</definition>
									<definition display-name="Function return method:" name="function-return-method" type="enum">
										<description>Select how the results are returned from database functions.</description>
										<enum-choice display-name="dynamic default">_</enum-choice>
										<enum-choice display-name="result set">result set</enum-choice>
										<enum-choice display-name="scalar return value">return value</enum-choice>
										<value>_</value>
									</definition>
									<definition display-name="Supports schemas in metadata retrieval?" name="supports-schemas-in-metadata-retrieval" type="enum">
										<description>Select whether schema names are used to retrieve database metadata.</description>
										<enum-choice display-name="dynamic default">_</enum-choice>
										<enum-choice display-name="yes">1</enum-choice>
										<enum-choice display-name="no">0</enum-choice>
										<value>_</value>
									</definition>
									<definition display-name="Sort column names by:" name="column-position-comparator" type="enum">
										<description>For legacy databases that don't support the notion of column position (DB2/AS400), a backup ordering algorithm must be employed.  Sorting columns names by hexadecimal value ensures that if the this driver is relocated to a different server, it continues to function without modification.  Sorting column names by platform or locale string collation order is more intuitive, but might require a configuration changes if a driver instance is relocated to a different server.  The event log table column order and compound column name order might change.  In the case of the latter, the schema-mapping rule and object association values might need to be updated.  In the case of the former, event log table columns might have to be renamed.</description>
										<enum-choice display-name="dynamic default">_</enum-choice>
										<enum-choice display-name="hexadecimal value">com.novell.nds.dirxml.driver.jdbc.util.config.comp.StringByteComparator</enum-choice>
										<enum-choice display-name="string collation order">com.novell.nds.dirxml.driver.jdbc.util.config.comp.StringComparator</enum-choice>
										<value>_</value>
									</definition>
								</subordinates>
							</group>
						</definitions>
					</configuration-values>
				</driver-options>
				<subscriber-options>
					<configuration-values>
						<definitions>
							<group>
								<definition display-name="Disable subscriber?" name="disable" type="enum">
									<description>Select whether you want to ignore events flowing from Identity Manager to the database.</description>
									<enum-choice display-name="no (default)">_</enum-choice>
									<enum-choice display-name="yes">1</enum-choice>
									<value>_</value>
								</definition>
								<subordinates active-value="_">
									<group>
										<definition display-name="Show primary key parameters?" name="ignore10" type="enum">
											<description>Select whether to show parameters that control how and when primary key values are generated.</description>
											<enum-choice display-name="show">show</enum-choice>
											<enum-choice display-name="hide">hide</enum-choice>
											<value>show</value>
										</definition>
										<subordinates active-value="show">
											<definition display-name="Generation/retrieval method (table-global):" name="key-gen-method" type="enum">
												<description>Select how the primary key values are being generated or retrieved.  This setting is global for all tables or views.</description>
												<enum-choice display-name="subscription event (default)">_</enum-choice>
												<enum-choice display-name="subscriber-generated">driver</enum-choice>
												<enum-choice display-name="auto-generated/identity column">auto</enum-choice>
												<value>driver</value>
											</definition>
											<definition display-name="Retrieval timing (table-global):" name="key-gen-timing" type="enum">
												<description>Select when the primary key values are retrieved.  Select whether the key values are retrieved before or after the row insertion.  This setting is global for all tables or views.</description>
												<enum-choice display-name="before row insertion (default)">_</enum-choice>
												<enum-choice display-name="after row insertion">after</enum-choice>
												<value>after</value>
											</definition>
											<definition display-name="Method and timing (table-local):" name="key-gen" type="string">
												<description>Specify how and when primary key values are generated or retrieved on a per table or view basis.  This parameter overrides global method and timing settings.  Use semicolon, comma, or space as the delimiter for multiple values.</description>
												<!-- split MS by database; rope-in value for MS versions < 2005 -->
												<value/>
											</definition>
										</subordinates>
									</group>
									<definition display-name="Disable statement-level locking?" name="disable-locking" type="enum">
										<description>Select whether to disable statement locking.  Select whether explicit locking or database resources are disabled on this channel.</description>
										<enum-choice display-name="yes">1</enum-choice>
										<enum-choice display-name="no (default)">0</enum-choice>
										<value>0</value>
									</definition>
									<definition display-name="Add default values on view insert?" name="add-default-values-on-view-insert" type="enum">
										<description>Select whether the Subscriber channel adds default values to insert operations on views.  This parameter is desirable for satisfying instead-of-trigger constraints that require non-null values be provided for non-nullable columns before instead-of-triggers fire.  This parameter has no effect on tables.</description>
										<enum-choice display-name="dynamic default">_</enum-choice>
										<enum-choice display-name="yes">1</enum-choice>
										<enum-choice display-name="no">0</enum-choice>
										<value>_</value>
										<!-- base on direct or indirect synchronization model -->
									</definition>
								</subordinates>
							</group>
						</definitions>
					</configuration-values>
				</subscriber-options>
				<publisher-options>
					<configuration-values>
						<definitions>
							<group>
								<definition display-name="Disable the Publisher channel?" id="213" name="disable" type="enum">
								    <description>Select whether you want to ignore events flowing from the database to Identity Manager.</description>
								    <enum-choice display-name="no (default)">_</enum-choice>
								    <enum-choice display-name="yes">1</enum-choice>
								    <value>_</value>
								</definition>
								<subordinates active-value="_">
									<group>
										<definition display-name="Publication mode:" name="publication-mode" type="enum">
											<description>Select whether you want to use triggered or triggerless publication.  Triggered publication uses database triggers to capture events and log them in a table.  Triggerless publication derives events by inspecting database tables or views.  Triggered publication is more efficient, but requires substantial database-side configuration.  Triggerless publication is less efficient, but requires minimal database-side configuration.</description>
											<enum-choice display-name="triggered">_</enum-choice>
											<enum-choice display-name="triggerless">2</enum-choice>
											<value>2</value>
										</definition>
										<subordinates active-value="_">
											<definition display-name="Event log table name:" name="log-table" type="string">
												<description>Specify the name of the table where publication events are stored.</description>
												<value>direct.direct_process</value>
											</definition>
											<definition display-name="Delete processed rows?" name="delete-from-log" type="enum">
												<description>Select whether processed rows are deleted from the event log table.  There is a significant performance hit when processed rows are left in the event log table.  The performance cost can be mitigated by moving processed rows from the event log table into an event history table using the "Post polling statements:" parameter.</description>
												<enum-choice display-name="yes (default)">_</enum-choice>
												<enum-choice display-name="no">0</enum-choice>
												<value>_</value>
											</definition>
											<definition display-name="Optimize updates?" name="optimize-update" type="enum">
												<description>Select whether the Publisher channel optimizes update events before sending them to the engine.  When set to yes, all update events are optimized.  When set to no, select update events are not.  For a more complete explanation of this parameter, consult the driver implementation guide.</description>
												<enum-choice display-name="no (default)">_</enum-choice>
												<enum-choice display-name="yes">1</enum-choice>
												<value>_</value>
											</definition>
											<definition display-name="Allow loopback?" name="allow-loopback" type="enum">
												<description>Select whether to allow events initiated by the Subscriber channel to loopback on the Publisher channel.</description>
												<enum-choice display-name="no (default)">_</enum-choice>
												<enum-choice display-name="yes">1</enum-choice>
												<value>_</value>
											</definition>
											<definition display-name="Disable statement-level locking?" name="disable-locking" type="enum">
												<description>Select whether to disable statement locking.  Select whether explicit locking or database resources are disabled on this channel.</description>
												<enum-choice display-name="yes">1</enum-choice>
												<enum-choice display-name="no (default)">0</enum-choice>
												<value>0</value>
											</definition>
										</subordinates>
										<subordinates active-value="2">
											<definition display-name="Startup option:" name="startup-option" type="enum">
												<description>Determine the Publisher's behavior on start-up.</description>
												<enum-choice display-name="process all changes (default)">_</enum-choice>
												<enum-choice display-name="process future changes only">2</enum-choice>
												<enum-choice display-name="resync all objects">1</enum-choice>
												<value>_</value>
											</definition>
										</subordinates>
									</group>
									<group>
										<definition display-name="Enable future event processing?" name="handle-future-events" type="enum">
											<description>Select whether to process events in the event log table based upon their effective date as opposed to order of insertion (triggered publication) or publish database local time with each event (triggerless publication).</description>
											<enum-choice display-name="no (default)">_</enum-choice>
											<enum-choice display-name="yes">1</enum-choice>
											<value>_</value>
										</definition>
										<subordinates active-value="1">
											<group>
												<definition display-name="Use custom timestamp statement?" name="ignore8" type="enum">
													<description>Select whether you want to specify a custom SQL statement that supplies the current time and date on the database server.  By default, a statement is dynamically derived.</description>
													<enum-choice display-name="yes">1</enum-choice>
													<enum-choice display-name="no">0</enum-choice>
													<value>0</value>
												</definition>
												<subordinates active-value="1">
													<definition display-name="Current timestamp statement:" name="current-timestamp-stmt" type="string">
														<description>Specify the SQL statement that is used to determine the current time and date on the database server.</description>
														<value/>
													</definition>
												</subordinates>
											</group>
										</subordinates>
									</group>
									<group>
										<definition display-name="Show polling-related parameters?" name="ignore9" type="enum">
											<description>Select whether to show parameters that control polling behavior.</description>
											<enum-choice display-name="show">show</enum-choice>
											<enum-choice display-name="hide">hide</enum-choice>
											<value>show</value>
										</definition>
										<subordinates active-value="show">
											<definition display-name="Polling interval (in seconds):" name="polling-interval" type="string">
												<!--
                            NOTE: can't be type="int"; this type doesn't permit no value which is permissible
                            when time-of-day is used.
                        -->
												<description>Specify the minimum number of seconds of inactivity that elapses between polling cycles.  In practice, more than the number of specified seconds can elapse (this is a lower bound only).  The default is 10 seconds.</description>
												<value>10</value>
											</definition>
											<definition display-name="Polling time of day:" name="time-of-day" type="string">
												<description>Specify when the Publisher channel checks for new database events each day.  Mulitple formats for the Time values are supported.  The preferred format is hh:mm:ss, where h = hour, m = minute, s = second.</description>
												<value/>
											</definition>
											<definition display-name="Post polling statements:" name="post-poll-stmt" type="string">
												<description>Specify the statements, if any, that are executed after an active polling cycle.  This parameter is useful for calling a stored procedure or function that moves processed rows from the event log table into a history table and rebuilds indexes on the event log table.  Use semicolon as the delimiter for multiple values.</description>
												<value/>
											</definition>
											<definition display-name="Batch size:" name="batch-size" type="enum">
												<description>Specify the desired number of database events that the Publisher channel groups together in a single publication document.  The number of events per document can be less but are not greater.  The upper bound of 128 is set to minimize the likelihood of overflowing the Java heap and to mitigate delaying termination of the Publisher thread on driver shutdown.</description>
												<enum-choice display-name="1 (default)">_</enum-choice>
												<enum-choice display-name="2">2</enum-choice>
												<enum-choice display-name="4">4</enum-choice>
												<enum-choice display-name="8">8</enum-choice>
												<enum-choice display-name="16">16</enum-choice>
												<enum-choice display-name="32">32</enum-choice>
												<enum-choice display-name="64">64</enum-choice>
												<enum-choice display-name="128">128</enum-choice>
												<value>_</value>
											</definition>
										</subordinates>
									</group>
								</subordinates>
							</group>
							<definition display-name="Heartbeat interval (in minutes):" name="pub-heartbeat-interval" type="integer">
								<description>Specify how many minutes of Publisher inactivity elapses before the Publisher sends a heartbeat document.  In practice, more than the number of minutes specified can elapse.  This parameter defines a lower bound.</description>
								<value>0</value>
							</definition>
						</definitions>
					</configuration-values>
				</publisher-options>
			</driver-config>
		</shim-config-info-xml>
		<driver-password-query/>
		<shim-auth-password-query/>
		<policy-linkage>
			<linkage-item dn="Schema Mapping Rule.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="0" policy-set="0" policy-set-name="Schema Mapping Policies "/>
			<linkage-item dn="Input Transformation.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="0" policy-set="1" policy-set-name="Publisher Input Transformation Policies"/>
			<linkage-item dn="Password(Pub)-Sub Email Notifications.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="1" policy-set="1" policy-set-name="Publisher Input Transformation Policies"/>
			<linkage-item dn="Password(Sub)-Pub Email Notifications.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="0" policy-set="2" policy-set-name="Subscriber Output Transformation Policies"/>
			<linkage-item dn="Delete Event Management.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="0" policy-set="4" policy-set-name="Subscriber Event Transformation Policies"/>
			<linkage-item dn="Matching Rule.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="0" policy-set="6" policy-set-name="Subscriber Matching Policies"/>
			<linkage-item dn="Matching Rule.Publisher.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="0" policy-set="7" policy-set-name="Publisher Matching Policies"/>
			<linkage-item dn="Create Rule.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="0" policy-set="8" policy-set-name="Subscriber Creation Policies"/>
			<linkage-item dn="Create Rule.Publisher.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="0" policy-set="9" policy-set-name="Publisher Creation Policies"/>
			<linkage-item dn="Embedded SQL - Add Event.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="0" policy-set="10" policy-set-name="Subscriber Command Transformation Policies"/>
			<linkage-item dn="Modify Password Add CN.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="1" policy-set="10" policy-set-name="Subscriber Command Transformation Policies"/>
			<linkage-item dn="Embedded SQL Modify Password.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="2" policy-set="10" policy-set-name="Subscriber Command Transformation Policies"/>
			<linkage-item dn="Strip CN.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="3" policy-set="10" policy-set-name="Subscriber Command Transformation Policies"/>
			<linkage-item dn="Embedded SQL - Delete Event.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="4" policy-set="10" policy-set-name="Subscriber Command Transformation Policies"/>
			<linkage-item dn="Operation Data - Add Event.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="5" policy-set="10" policy-set-name="Subscriber Command Transformation Policies"/>
			<linkage-item dn="Remove Unnecessary Events.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL" order="6" policy-set="10" policy-set-name="Subscriber Command Transformation Policies"/>
		</policy-linkage>
	</attributes>
	<children>
		<publisher name="Publisher">
			<attributes/>
			<children>
				<rule name="Create Rule">
					<policy>
						<rule>
							<description>Block all add events</description>
							<conditions>
								<and>
									<if-operation op="equal">add</if-operation>
								</and>
							</conditions>
							<actions>
								<do-veto/>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Matching Rule">
					<policy>
						<rule>
							<description>User:  Match on Surname, Given Name</description>
							<conditions>
								<and>
									<if-operation op="equal">add</if-operation>
									<if-class-name op="equal">User</if-class-name>
								</and>
							</conditions>
							<actions>
								<do-find-matching-object scope="subtree">
									<arg-match-attr name="Surname"/>
									<arg-match-attr name="Given Name"/>
								</do-find-matching-object>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Password(Pub)-Add Password Payload">
					<policy>
						<description>Publish password payloads</description>
						<rule>
							<description>Add operation-data element to password operations</description>
							<conditions>
								<and>
									<if-operation op="equal">add</if-operation>
									<if-password op="available"/>
									<if-xpath op="not-true">operation-data</if-xpath>
								</and>
								<and>
									<if-operation op="equal">add</if-operation>
									<if-xpath op="true">add-attr[@attr-name='nspmDistributionPassword']</if-xpath>
									<if-xpath op="not-true">operation-data</if-xpath>
								</and>
								<and>
									<if-operation op="equal">modify-password</if-operation>
									<if-xpath op="not-true">operation-data</if-xpath>
								</and>
								<and>
									<if-operation op="equal">modify</if-operation>
									<if-xpath op="true">modify-attr[@attr-name='nspmDistributionPassword']</if-xpath>
									<if-xpath op="not-true">operation-data</if-xpath>
								</and>
							</conditions>
							<actions>
								<!-- Add a operation data payload element to pick up result of a password operation -->
								<do-append-xml-element expression="." name="operation-data"/>
							</actions>
						</rule>
						<rule>
							<description>Add payload data to password operations</description>
							<conditions>
								<and>
									<if-operation op="equal">add</if-operation>
									<if-password op="available"/>
								</and>
								<and>
									<if-operation op="equal">add</if-operation>
									<if-xpath op="true">add-attr[@attr-name='nspmDistributionPassword']</if-xpath>
								</and>
								<and>
									<if-operation op="equal">modify-password</if-operation>
								</and>
								<and>
									<if-operation op="equal">modify</if-operation>
									<if-xpath op="true">modify-attr[@attr-name='nspmDistributionPassword']</if-xpath>
								</and>
							</conditions>
							<actions>
								<!-- Add a operation data payload element to pick up result of a password operation -->
								<do-append-xml-element expression="operation-data" name="password-publish-status"/>
								<do-append-xml-element expression="operation-data/password-publish-status" name="association"/>
								<do-append-xml-text expression="operation-data/password-publish-status/association">
									<arg-string>
										<token-association/>
									</arg-string>
								</do-append-xml-text>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Password(Pub)-Check Password GCV" next-transform="Password(Pub)-Publish Distribution Password.Publisher.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL">
					<policy>
						<description>Publish Passwords</description>
						<rule>
							<description>Block publishing passwords to DirXML data store when adding a object</description>
							<conditions>
								<and>
									<if-global-variable mode="nocase" name="enable-password-publish" op="equal">false</if-global-variable>
									<if-operation op="equal">add</if-operation>
								</and>
							</conditions>
							<actions>
								<!-- Remove all password elements from add -->
								<do-strip-xpath expression="password"/>
							</actions>
						</rule>
						<rule>
							<description>Block sending modify-password changes to the DirXML data store</description>
							<conditions>
								<and>
									<if-global-variable mode="nocase" name="enable-password-publish" op="equal">false</if-global-variable>
									<if-operation op="equal">modify-password</if-operation>
								</and>
							</conditions>
							<actions>
								<!-- Block all modify-passwords -->
								<do-veto/>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Password(Pub)-Default Password Policy" next-transform="Password(Pub)-Check Password GCV.Publisher.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL">
					<policy>
						<rule>
							<description>On User add, provide default password of Dirxml1 if none exists</description>
							<conditions>
								<and>
									<if-operation op="equal">add</if-operation>
									<if-class-name op="equal">User</if-class-name>
									<if-password op="not-available"/>
								</and>
							</conditions>
							<actions>
								<do-set-dest-password>
									<arg-string>
										<token-text xml:space="preserve">Dirxml1</token-text>
									</arg-string>
								</do-set-dest-password>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Password(Pub)-Publish Distribution Password" next-transform="Password(Pub)-Publish NDS Password.Publisher.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL">
					<policy>
						<description>xlfid(PublishDPPolicyDescr)</description>
						<rule>
							<description>Add nspmDistributionAttribute attribute to add operation</description>
							<conditions>
								<and>
									<if-global-variable mode="nocase" name="publish-password-to-dp" op="equal">true</if-global-variable>
									<if-operation op="equal">add</if-operation>
									<if-password op="available"/>
								</and>
							</conditions>
							<actions>
								<!-- Add add-attr element for nspmDistributionPassword attribute -->
								<do-add-dest-attr-value name="nspmDistributionPassword">
									<arg-value>
										<token-password/>
									</arg-value>
								</do-add-dest-attr-value>
								<!-- Add a validate-password attribute to previous add-attr element -->
								<do-set-xml-attr expression="add-attr[@attr-name = 'nspmDistributionPassword'][last()]" name="enforce-password-policy">
									<arg-string>
										<token-global-variable name="enforce-password-policy"/>
									</arg-string>
								</do-set-xml-attr>
							</actions>
						</rule>
						<rule>
							<description>Change modify-password operations to a modify</description>
							<conditions>
								<and>
									<if-global-variable mode="nocase" name="publish-password-to-dp" op="equal">true</if-global-variable>
									<if-operation op="equal">modify-password</if-operation>
								</and>
							</conditions>
							<actions>
								<!-- Add modify-attr element for nspmDistributionPassword attribute -->
								<do-add-dest-attr-value name="nspmDistributionPassword">
									<arg-value>
										<token-password/>
									</arg-value>
								</do-add-dest-attr-value>
								<!-- Add a event-id attribute to previous modify element -->
								<do-set-xml-attr expression="../modify" name="event-id">
									<arg-string>
										<token-text>pwd-publish</token-text>
									</arg-string>
								</do-set-xml-attr>
								<!-- Add a validate-password attribute to previous add-attr element -->
								<do-set-xml-attr expression="../modify/modify-attr[@attr-name='nspmDistributionPassword']" name="enforce-password-policy">
									<arg-string>
										<token-global-variable name="enforce-password-policy"/>
									</arg-string>
								</do-set-xml-attr>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Password(Pub)-Publish NDS Password" next-transform="Password(Pub)-Add Password Payload.Publisher.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL">
					<policy>
						<description>Publish passwords to NDS password.</description>
						<rule>
							<description>Block publishing passwords to NDS password</description>
							<conditions>
								<and>
									<if-global-variable mode="nocase" name="publish-password-to-nds" op="equal">false</if-global-variable>
									<if-operation op="equal">add</if-operation>
								</and>
							</conditions>
							<actions>
								<!-- Remove all password elements from add -->
								<do-strip-xpath expression="password"/>
							</actions>
						</rule>
						<rule>
							<description>Block sending modify-password changes to the NDS password</description>
							<conditions>
								<and>
									<if-global-variable mode="nocase" name="publish-password-to-nds" op="equal">false</if-global-variable>
									<if-operation op="equal">modify-password</if-operation>
								</and>
							</conditions>
							<actions>
								<!-- Block all modify-passwords -->
								<do-veto/>
							</actions>
						</rule>
					</policy>
				</rule>
			</children>
		</publisher>
		<subscriber name="Subscriber">
			<attributes/>
			<children>
				<rule name="Create Rule">
					<policy>
						<rule>
							<description>UserAccount entitlement: Veto account creation when entitlement not granted</description>
							<comment xml:space="preserve">When using the User Account entitlement with the Identity Manager user application or Role Based Entitlements, accounts are only created for users that are specifically granted the account entitlement. This rule vetoes user account creation when the entitlement is not granted.</comment>
							<conditions>
								<and>
									<if-class-name mode="nocase" op="equal">User</if-class-name>
									<if-entitlement name="Account" op="not-available"/>
								</and>
							</conditions>
							<actions>
								<do-veto/>
							</actions>
						</rule>
						<rule>
							<description>Block add events that don't have required attributes</description>
							<conditions>
								<and>
									<if-class-name op="equal">User</if-class-name>
								</and>
							</conditions>
							<actions>
								<do-veto-if-op-attr-not-available name="Given Name"/>
								<do-veto-if-op-attr-not-available name="Surname"/>
								<do-veto-if-op-attr-not-available name="nspmDistributionPassword"/>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Delete Event Management">
					<policy>
						<rule>
							<description>Delete event parse src-dn</description>
							<comment xml:space="preserve">The stored procedure that deletes the user accounts expects to be handed the user login name. Since the driver association is a table name it can't be used. In order to satisfy the requirement. The src-dn is parsed and modifed to reflect the source objects RDN.</comment>
							<conditions>
								<and>
									<if-operation mode="case" op="equal">delete</if-operation>
								</and>
							</conditions>
							<actions>
								<do-set-op-src-dn>
									<arg-dn>
										<token-parse-dn>
											<token-src-dn length="1" start="-1"/>
										</token-parse-dn>
									</arg-dn>
								</do-set-op-src-dn>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Matching Rule">
					<policy>
						<rule disabled="true">
							<description>User:  Match on Surname, Given Name</description>
							<conditions>
								<and>
									<if-operation op="equal">add</if-operation>
									<if-class-name op="equal">User</if-class-name>
								</and>
							</conditions>
							<actions>
								<do-find-matching-object scope="subtree">
									<arg-match-attr name="Surname"/>
									<arg-match-attr name="Given Name"/>
								</do-find-matching-object>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Modify Password Add CN">
					<policy>
						<rule>
							<description>Generate CN</description>
							<conditions>
								<and>
									<if-class-name op="equal">User</if-class-name>
									<if-operation op="equal">modify</if-operation>
									<if-op-attr name="nspmDistributionPassword" op="available"/>
								</and>
							</conditions>
							<actions>
								<do-set-dest-attr-value class-name="User" name="CN">
									<arg-value type="string">
										<token-lower-case>
											<token-src-dn length="1" start="-1"/>
										</token-lower-case>
									</arg-value>
								</do-set-dest-attr-value>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Operation Data - Add Event">
					<policy>
						<rule>
							<description>Set local varible for src-dn</description>
							<conditions>
								<and>
									<if-class-name op="equal">User</if-class-name>
									<if-operation op="equal">add</if-operation>
								</and>
							</conditions>
							<actions>
								<do-set-local-variable name="source-dn" scope="driver">
									<arg-string>
										<token-src-dn/>
									</arg-string>
								</do-set-local-variable>
								<do-set-local-variable name="common-name" scope="driver">
									<arg-string>
										<token-op-attr name="CN"/>
									</arg-string>
								</do-set-local-variable>
							</actions>
						</rule>
						<rule>
							<description>Set Operation Property - Add Event</description>
							<conditions>
								<and>
									<if-xpath op="true">../jdbc:statement/jdbc:sql[contains(text(),"esec_insert_user")]</if-xpath>
								</and>
							</conditions>
							<actions>
								<do-set-op-property name="add-event-srcdn">
									<arg-string>
										<token-local-variable name="source-dn"/>
									</arg-string>
								</do-set-op-property>
								<do-set-op-property name="add-event-cn">
									<arg-string>
										<token-local-variable name="common-name"/>
									</arg-string>
								</do-set-op-property>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Password(Sub)-Add Password Payload">
					<policy>
						<description>Payloads for subscribe to password changes</description>
						<rule>
							<description>Add operation-data element to password operations</description>
							<conditions>
								<and>
									<if-operation op="equal">add</if-operation>
									<if-password op="available"/>
									<if-xpath op="not-true">operation-data</if-xpath>
								</and>
								<and>
									<if-operation op="equal">modify-password</if-operation>
									<if-xpath op="not-true">operation-data</if-xpath>
								</and>
							</conditions>
							<actions>
								<!-- Add a operation data payload element to pick up result of a password operation -->
								<do-append-xml-element expression="." name="operation-data"/>
							</actions>
						</rule>
						<rule>
							<description>Add payload data to a reset password from a failed password publish operation</description>
							<conditions>
								<and>
									<if-operation op="equal">modify-password</if-operation>
									<if-xpath op="true">self::modify-password[@event-id = 'pwd-publish-failed']</if-xpath>
								</and>
							</conditions>
							<actions>
								<!-- Add a operation data payload element to pick up result of a password operation -->
								<do-append-xml-element expression="operation-data" name="password-reset-status"/>
								<do-append-xml-element expression="operation-data/password-reset-status" name="association"/>
								<do-append-xml-text expression="operation-data/password-reset-status/association">
									<arg-string>
										<token-association/>
									</arg-string>
								</do-append-xml-text>
							</actions>
						</rule>
						<rule>
							<description>Add payload data to password operations</description>
							<conditions>
								<and>
									<if-operation op="equal">add</if-operation>
									<if-password op="available"/>
								</and>
								<and>
									<if-operation op="equal">modify-password</if-operation>
									<if-xpath op="true">self::modify-password[@event-id != 'pwd-publish-failed']</if-xpath>
								</and>
							</conditions>
							<actions>
								<!-- Add a operation data payload element to pick up result of a password operation -->
								<do-append-xml-element expression="operation-data" name="password-subscribe-status"/>
								<do-append-xml-element expression="operation-data/password-subscribe-status" name="association"/>
								<do-append-xml-text expression="operation-data/password-subscribe-status/association">
									<arg-string>
										<token-association/>
									</arg-string>
								</do-append-xml-text>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Password(Sub)-Check Password GCV" next-transform="Password(Sub)-Add Password Payload.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL">
					<policy>
						<description>Subscribe to password changes</description>
						<rule>
							<description>Block subscribing to passwords when objects are added</description>
							<conditions>
								<and>
									<if-global-variable mode="nocase" name="enable-password-subscribe" op="equal">false</if-global-variable>
									<if-operation op="equal">add</if-operation>
								</and>
							</conditions>
							<actions>
								<!-- Remove all password elements from add -->
								<do-strip-xpath expression="password"/>
							</actions>
						</rule>
						<rule>
							<description>Block subscribing to password modifications</description>
							<conditions>
								<and>
									<if-global-variable mode="nocase" name="enable-password-subscribe" op="equal">false</if-global-variable>
									<if-operation op="equal">modify-password</if-operation>
								</and>
							</conditions>
							<actions>
								<!-- Block all modify-passwords -->
								<do-veto/>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Password(Sub)-Default Password Policy" next-transform="Password(Sub)-Check Password GCV.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL">
					<policy>
						<rule>
							<description>On User add, provide default password of Dirxml1 if none exists</description>
							<conditions>
								<and>
									<if-operation op="equal">add</if-operation>
									<if-class-name op="equal">User</if-class-name>
									<if-password op="not-available"/>
								</and>
							</conditions>
							<actions>
								<do-set-dest-password>
									<arg-string>
										<token-text xml:space="preserve">Dirxml1</token-text>
									</arg-string>
								</do-set-dest-password>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Password(Sub)-Transform Distribution Password" next-transform="Password(Sub)-Default Password Policy.Subscriber.jdbc-nia.LAB_DRIVERSET.INFRASTRUCTURE.NOVELL">
					<policy>
						<description>Transform NMAS attribute to password elements</description>
						<rule>
							<description>Convert adds of the nspmDistributionPassword attribute to password elements</description>
							<conditions>
								<and>
									<if-operation op="equal">add</if-operation>
									<if-op-attr name="nspmDistributionPassword" op="available"/>
								</and>
							</conditions>
							<actions>
								<!-- Change all add-attr elements for the nspmDistributionPassword attribute to password elements-->
								<do-set-dest-password>
									<arg-string>
										<token-xpath expression="add-attr[@attr-name='nspmDistributionPassword']//value"/>
									</arg-string>
								</do-set-dest-password>
								<!-- Remove all add-attr elements for the nspmDistributionPassword attribute -->
								<do-strip-op-attr name="nspmDistributionPassword"/>
							</actions>
						</rule>
						<rule>
							<description>Block modifies for failed password publish operations if reset password is false</description>
							<conditions>
								<and>
									<if-global-variable mode="nocase" name="reset-external-password-on-failure" op="equal">false</if-global-variable>
									<if-operation op="equal">modify</if-operation>
									<if-xpath op="true">modify-attr[@attr-name='nspmDistributionPassword' and @failed-sync='true']</if-xpath>
								</and>
							</conditions>
							<actions>
								<!-- Block a password reset -->
								<do-veto/>
							</actions>
						</rule>
						<rule>
							<description>Convert modifies of a nspmDistributionPassword attribute to a modify password operation</description>
							<conditions>
								<and>
									<if-operation op="equal">modify</if-operation>
									<if-op-attr name="nspmDistributionPassword" op="available"/>
								</and>
							</conditions>
							<actions>
								<!-- Change all modify-attr elements for the nspmDistributionPassword attribute to modify-password elements-->
								<do-set-dest-password>
									<arg-string>
										<token-xpath expression="modify-attr[@attr-name='nspmDistributionPassword']//add-value//value"/>
									</arg-string>
								</do-set-dest-password>
								<!-- Remove all add-attr elements for the nspmDistributionPassword attribute -->
								<do-strip-op-attr name="nspmDistributionPassword"/>
								<!-- Add an event-id attribute to the modify-password command we just added, required for operation data -->
								<do-set-xml-attr expression="../modify-password" name="event-id">
									<arg-string>
										<token-text>pwd-subscribe</token-text>
									</arg-string>
								</do-set-xml-attr>
							</actions>
						</rule>
						<rule>
							<description>Block empty modify operations</description>
							<conditions>
								<and>
									<if-operation op="equal">modify</if-operation>
									<if-xpath op="not-true">modify-attr</if-xpath>
								</and>
							</conditions>
							<actions>
								<!-- Veto empty modify -->
								<do-veto/>
							</actions>
						</rule>
					</policy>
				</rule>
				<rule name="Strip CN">
					<policy>
						<rule>
							<description>Strip CN</description>
							<conditions>
								<and>
									<if-class-name op="equal">User</if-class-name>
									<if-operation op="equal">modify</if-operation>
									<if-op-attr name="nspmDistributionPassword" op="available"/>
								</and>
							</conditions>
							<actions>
								<do-strip-op-attr name="CN"/>
							</actions>
						</rule>
					</policy>
				</rule>
				<stylesheet name="Embedded SQL - Add Event">
					<xsl:stylesheet exclude-result-prefixes="query cmd dncv" version="1.0" xmlns:cmd="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsCommandProcessor" xmlns:dncv="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.DNConverter" xmlns:jdbc="urn:dirxml:jdbc" xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
						<!-- parameters passed in from the DirXML engine -->
						<xsl:param name="srcQueryProcessor"/>
						<xsl:param name="destQueryProcessor"/>
						<xsl:param name="srcCommandProcessor"/>
						<xsl:param name="destCommandProcessor"/>
						<xsl:param name="dnConverter"/>
						<xsl:param name="fromNds"/>
						<!-- identity transformation template -->
						<!-- in the absence of any other templates this will cause -->
						<!-- the stylesheet to copy the input through unchanged to the output -->
						<xsl:template match="node()|@*">
							<xsl:copy>
								<xsl:apply-templates select="@*|node()"/>
							</xsl:copy>
						</xsl:template>
						<xsl:template match="add">
							<xsl:copy>
								<xsl:apply-templates select="@*"/>
								<xsl:attribute name="jdbc:transaction-id">0</xsl:attribute>
								<xsl:attribute name="jdbc:op-id">0</xsl:attribute>
								<xsl:apply-templates select="node()"/>
							</xsl:copy>
							<xsl:call-template name="add-user"/>
							<!-- <xsl:call-template name="add-contact"/> -->
						</xsl:template>
						<xsl:template name="add-user">
							<xsl:variable name="CN" select="add-attr[@attr-name='CN']/value"/>
							<xsl:variable name="pwd" select="add-attr[@attr-name='nspmDistributionPassword']/value"/>
							<xsl:variable name="desc" select="add-attr[@attr-name='Description']/value"/>
							<xsl:variable name="SN" select="add-attr[@attr-name='Surname']/value"/>
							<xsl:variable name="GN" select="add-attr[@attr-name='Given Name']/value"/>
							<xsl:variable name="title" select="add-attr[@attr-name='Title']/value"/>
							<xsl:variable name="dept" select="add-attr[@attr-name='Department']/value"/>
							<xsl:variable name="phone" select="add-attr[@attr-name='Telephone Number']/value"/>
							<xsl:variable name="email" select="add-attr[@attr-name='Internet EMail Address']/value"/>
							<jdbc:statement jdbc:op-id="0" jdbc:transaction-id="0" jdbc:transaction-type="auto" jdbc:type="query">
								<jdbc:sql>
									<xsl:text>select * from esec_insert_user('</xsl:text>
									<xsl:value-of select="$CN"/>
									<xsl:text>', '</xsl:text>
									<xsl:value-of select="$pwd"/>
									<xsl:text>', 'ALL', </xsl:text>
									<xsl:text>true, '</xsl:text>
									<xsl:value-of select="$desc"/>
									<xsl:text>', '</xsl:text>
									<xsl:text>MAIN_PERMISSION:RT_MS:RT_MS_SW:RT_MS_CM:RT_MS_SS:RT_FL_PUBFL:RT_FL_PUBFL_CR:RT_FL_PUBFL_MO:RT_FL_PUBFL_DE:RT_FL_PRIFL:RT_FL_PRIFL_CR:RT_FL_PRIFL_MO:RT_FL_PRIFL_DE:RT_FL_PRIFL_VW:RT:RT_VW:RT_MI:RT_MI_VW:RT_MI_AI:RT_MI_RI:RT_MI_EE:RT_MI_VA:RT_MI_VV:RT_SD_VW:ITRAC:ITRAC_VW:ITRAC_AM:ITRAC_TM:ITRAC_TM_VW:ITRAC_TM_CR:ITRAC_PM:ITRAC_PM_VW:ITRAC_PM_CR:ITRAC_WM:IN:IN_VW:IN_ADM:IN_VWIN:IN_CI:IN_MOI:IN_DI:IN_AI:IN_EML:IN_ACT:IN_NOTES:WZ:WZ_VW:WZ_VW_SP:WZ_ADM:WZ_CTRL:WZ_PLUGIN:WZ_VW_RAW:WZ_DEBUG:AN:AN_VW:AD:AD_VW:ADM:ADM_VW:RT_FL_GLOFL:RT_FL_GLOFL_VW:RT_FL_GLOFL_MO:ADM_DAS_STATS:ADM_EVT_CFG:ADM_MENU_EVT:ADM_MAP_CFG:ADM_MENU_CFG:ADM_REP_DATA:ADM_SRVVW:ADM_SRVVW_VW:ADM_SRVVW_CNTRL:ADM_USRADM:ADM_USR_SESS:ADM_ROLEADM:INTEGRATORS:INT_VW:INT_ADM:INT_PLUGINS:ACTIONS:VIEW_ACT:MANAGE_ACT:MANAGE_ACTION_PLUGINS:CORR:CORR_TAB_VW:CORR_MGR:CORR_ENG:DYN_MGR:CP:CP_EX:CP_IM:IDENT:VIEW_ADD_BOOK:</xsl:text>
									<xsl:text>', '</xsl:text>
									<xsl:value-of select="$GN"/>
									<xsl:text>', '</xsl:text>
									<xsl:value-of select="$SN"/>
									<xsl:text>', '</xsl:text>
									<xsl:value-of select="$title"/>
									<xsl:text>', '</xsl:text>
									<xsl:value-of select="$dept"/>
									<xsl:text>', '</xsl:text>
									<xsl:value-of select="$phone"/>
									<xsl:text>', '</xsl:text>
									<xsl:value-of select="$email"/>
									<xsl:text>', '' , '')</xsl:text>
									<jdbc:param/>
								</jdbc:sql>
							</jdbc:statement>
						</xsl:template>
					</xsl:stylesheet>
				</stylesheet>
				<stylesheet name="Embedded SQL - Delete Event">
					<xsl:stylesheet exclude-result-prefixes="query cmd dncv" version="1.0" xmlns:cmd="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsCommandProcessor" xmlns:dncv="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.DNConverter" xmlns:jdbc="urn:dirxml:jdbc" xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
						<!-- parameters passed in from the DirXML engine -->
						<xsl:param name="srcQueryProcessor"/>
						<xsl:param name="destQueryProcessor"/>
						<xsl:param name="srcCommandProcessor"/>
						<xsl:param name="destCommandProcessor"/>
						<xsl:param name="dnConverter"/>
						<xsl:param name="fromNds"/>
						<!-- identity transformation template -->
						<!-- in the absence of any other templates this will cause -->
						<!-- the stylesheet to copy the input through unchanged to the output -->
						<xsl:template match="node()|@*">
							<xsl:copy>
								<xsl:apply-templates select="@*|node()"/>
							</xsl:copy>
						</xsl:template>
						<xsl:template match="delete">
							<xsl:copy>
								<xsl:apply-templates select="@*"/>
								<xsl:attribute name="jdbc:transaction-id">0</xsl:attribute>
								<xsl:attribute name="jdbc:op-id">0</xsl:attribute>
								<xsl:apply-templates select="node()"/>
							</xsl:copy>
							<xsl:call-template name="delete-user">
								<xsl:with-param name="src-dn" select="@src-dn"/>
							</xsl:call-template>
							<!-- <xsl:call-template name="delete-user"/> -->
						</xsl:template>
						<xsl:template name="delete-user">
							<xsl:param name="src-dn"/>
							<jdbc:statement jdbc:op-id="0" jdbc:transaction-id="0" jdbc:transaction-type="auto" jdbc:type="query">
								<jdbc:sql>
									<xsl:text>select * from esec_delete_user('</xsl:text>
									<xsl:value-of select="$src-dn"/>
									<xsl:text>')</xsl:text>
									<jdbc:param/>
								</jdbc:sql>
							</jdbc:statement>
						</xsl:template>
					</xsl:stylesheet>
				</stylesheet>
				<stylesheet name="Embedded SQL Modify Password">
					<xsl:stylesheet exclude-result-prefixes="query cmd dncv" version="1.0" xmlns:cmd="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsCommandProcessor" xmlns:dncv="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.DNConverter" xmlns:jdbc="urn:dirxml:jdbc" xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
						<!-- parameters passed in from the DirXML engine -->
						<xsl:param name="srcQueryProcessor"/>
						<xsl:param name="destQueryProcessor"/>
						<xsl:param name="srcCommandProcessor"/>
						<xsl:param name="destCommandProcessor"/>
						<xsl:param name="dnConverter"/>
						<xsl:param name="fromNds"/>
						<!-- identity transformation template -->
						<!-- in the absence of any other templates this will cause -->
						<!-- the stylesheet to copy the input through unchanged to the output -->
						<xsl:template match="node()|@*">
							<xsl:copy>
								<xsl:apply-templates select="@*|node()"/>
							</xsl:copy>
						</xsl:template>
						<xsl:template match="modify">
							<xsl:choose>
								<xsl:when test="modify-attr[@attr-name='nspmDistributionPassword']">
									<xsl:copy>
										<xsl:apply-templates select="@*"/>
										<xsl:attribute name="jdbc:transaction-id">0</xsl:attribute>
										<xsl:attribute name="jdbc:op-id">0</xsl:attribute>
										<xsl:apply-templates select="node()"/>
									</xsl:copy>
									<xsl:call-template name="modify-pwd">
										<xsl:with-param name="cn" select="modify-attr[@attr-name='CN']/add-value/value"/>
										<xsl:with-param name="pwd" select="modify-attr[@attr-name='nspmDistributionPassword']/add-value/value"/>
									</xsl:call-template>
								</xsl:when>
								<xsl:otherwise>
									<xsl:copy>
										<xsl:apply-templates select="@*|node()"/>
									</xsl:copy>
								</xsl:otherwise>
							</xsl:choose>
						</xsl:template>
						<xsl:template name="modify-pwd">
							<xsl:param name="cn"/>
							<xsl:param name="pwd"/>
							<jdbc:statement jdbc:op-id="0" jdbc:transaction-id="0" jdbc:transaction-type="manual" jdbc:type="update">
								<jdbc:sql>
									<xsl:text>ALTER USER </xsl:text>
									<xsl:value-of select="$cn"/>
									<xsl:text> WITH PASSWORD '</xsl:text>
									<xsl:value-of select="$pwd"/>
									<xsl:text>'</xsl:text>
									<jdbc:param/>
								</jdbc:sql>
							</jdbc:statement>
						</xsl:template>
					</xsl:stylesheet>
				</stylesheet>
				<stylesheet name="Remove Unnecessary Events">
					<xsl:transform exclude-result-prefixes="cmd query xsl" version="1.0" xmlns:cmd="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsCommandProcessor" xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driverXdsQueryProcessor" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
						<!-- Standard DirXML XSLT document information. -->
						<xsl:param name="srcQueryProcessor"/>
						<xsl:param name="destQueryProcessor"/>
						<xsl:param name="srcCommandProcessor"/>
						<xsl:param name="destCommandProcessor"/>
						<xsl:strip-space elements="*"/>
						<xsl:preserve-space elements="value,component"/>
						<xsl:output indent="yes" method="xml"/>
						<!-- Identity transform.  -->
						<xsl:template match="/">
							<xsl:apply-templates select="@*|node()"/>
						</xsl:template>
						<xsl:template match="@*|node()">
							<xsl:copy>
								<xsl:apply-templates select="@*|node()"/>
							</xsl:copy>
						</xsl:template>
						<!-- Remove add-association events. -->
						<xsl:template match="add|delete|rename|move"/>
					</xsl:transform>
				</stylesheet>
				<stylesheet name="Scout XSLT 2">
					<xsl:stylesheet exclude-result-prefixes="query cmd dncv" version="1.0" xmlns:cmd="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsCommandProcessor" xmlns:dncv="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.DNConverter" xmlns:jdbc="urn:dirxml:jdbc" xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
						<!-- parameters passed in from the DirXML engine -->
						<xsl:param name="srcQueryProcessor"/>
						<xsl:param name="destQueryProcessor"/>
						<xsl:param name="srcCommandProcessor"/>
						<xsl:param name="destCommandProcessor"/>
						<xsl:param name="dnConverter"/>
						<xsl:param name="fromNds"/>
						<!-- identity transformation template -->
						<!-- in the absence of any other templates this will cause -->
						<!-- the stylesheet to copy the input through unchanged to the output -->
						<xsl:template match="node()|@*">
							<xsl:copy>
								<xsl:apply-templates select="@*|node()"/>
							</xsl:copy>
						</xsl:template>
						<xsl:template match="add">
							<xsl:copy>
								<xsl:apply-templates select="@*"/>
								<xsl:attribute name="jdbc:transaction-id">0</xsl:attribute>
								<xsl:attribute name="jdbc:op-id">0</xsl:attribute>
								<xsl:apply-templates select="node()[@attr-name != 'CN']"/>
							</xsl:copy>
							<xsl:call-template name="add-user"/>
						</xsl:template>
						<xsl:template name="add-user">
							<xsl:variable name="cn" select="add-attr[@attr-name='CN']/value"/>
							<jdbc:statement jdbc:op-id="0" jdbc:transaction-id="0" jdbc:transaction-type="manual" jdbc:type="update">
								<jdbc:sql>CREATE USER {$CN} WITH PASSWORD 'novell'</jdbc:sql>
							</jdbc:statement>
						</xsl:template>
					</xsl:stylesheet>
				</stylesheet>
			</children>
		</subscriber>
		<rule name="Input Transformation">
			<policy>
				<rule>
					<description>Add Group Membership</description>
					<comment xml:space="preserve">If you disable the publisher channel the action that adds the association must be enabled. This is because the association is added by default via a loopback of the add event.</comment>
					<conditions>
						<and>
							<if-operation op="equal">status</if-operation>
							<if-op-property name="add-event-srcdn" op="available"/>
							<if-op-property name="add-event-cn" op="available"/>
							<if-global-variable name="group" op="available"/>
						</and>
					</conditions>
					<actions>
						<do-add-dest-attr-value class-name="User" name="Group Membership">
							<arg-dn>
								<token-op-property name="add-event-srcdn"/>
							</arg-dn>
							<arg-value type="string">
								<token-global-variable name="group"/>
							</arg-value>
						</do-add-dest-attr-value>
					</actions>
				</rule>
				<rule>
					<description>Add Association</description>
					<comment xml:space="preserve">If you disable the publisher channel the action that adds the association must be enabled. This is because the association is added by default via a loopback of the add event.</comment>
					<conditions>
						<and>
							<if-operation op="equal">status</if-operation>
							<if-op-property name="add-event-srcdn" op="available"/>
							<if-op-property name="add-event-cn" op="available"/>
							<if-global-variable name="disablepublisher" op="equal">true</if-global-variable>
						</and>
					</conditions>
					<actions>
						<do-add-association>
							<arg-dn>
								<token-op-property name="add-event-srcdn"/>
							</arg-dn>
							<arg-association>
								<token-op-property name="add-event-cn"/>
							</arg-association>
						</do-add-association>
					</actions>
				</rule>
			</policy>
		</rule>
		<rule name="Password(Pub)-Sub Email Notifications">
			<policy>
				<description>Email notifications for failed password subscriptions</description>
				<rule>
					<description>Send e-mail on a failure when subscribing to passwords</description>
					<conditions>
						<and>
							<if-global-variable mode="nocase" name="notify-user-on-password-dist-failure" op="equal">true</if-global-variable>
							<if-operation op="equal">status</if-operation>
							<if-xpath op="true">self::status[@level != 'success']/operation-data/password-subscribe-status</if-xpath>
						</and>
					</conditions>
					<actions>
						<!-- generate email notification -->
						<do-send-email-from-template notification-dn="cn=security\cn=Default Notification Collection" template-dn="cn=security\cn=Default Notification Collection\cn=Password Set Fail">
							<arg-string name="UserFullName">
								<token-dest-attr name="Full Name">
									<arg-association>
										<token-xpath expression="self::status/operation-data/password-subscribe-status/association"/>
									</arg-association>
								</token-dest-attr>
							</arg-string>
							<arg-string name="UserGivenName">
								<token-dest-attr name="Given Name">
									<arg-association>
										<token-xpath expression="self::status/operation-data/password-subscribe-status/association"/>
									</arg-association>
								</token-dest-attr>
							</arg-string>
							<arg-string name="UserLastName">
								<token-dest-attr name="Surname">
									<arg-association>
										<token-xpath expression="self::status/operation-data/password-subscribe-status/association"/>
									</arg-association>
								</token-dest-attr>
							</arg-string>
							<arg-string name="ConnectedSystemName">
								<token-global-variable name="ConnectedSystemName"/>
							</arg-string>
							<arg-string name="FailureReason">
								<token-text/>
								<token-xpath expression="self::status/child::text()"/>
							</arg-string>
							<arg-string name="to">
								<token-dest-attr name="Internet EMail Address">
									<arg-association>
										<token-xpath expression="self::status/operation-data/password-subscribe-status/association"/>
									</arg-association>
								</token-dest-attr>
							</arg-string>
						</do-send-email-from-template>
					</actions>
				</rule>
				<rule>
					<description>Send e-mail on failure to reset connected system password using the DirXML data store password</description>
					<conditions>
						<and>
							<if-global-variable mode="nocase" name="notify-user-on-password-dist-failure" op="equal">true</if-global-variable>
							<if-operation op="equal">status</if-operation>
							<if-xpath op="true">self::status[@level != 'success']/operation-data/password-reset-status</if-xpath>
						</and>
					</conditions>
					<actions>
						<!-- generate email notification -->
						<do-send-email-from-template notification-dn="cn=security\cn=Default Notification Collection" template-dn="cn=security\cn=Default Notification Collection\cn=Password Reset Fail">
							<arg-string name="UserFullName">
								<token-dest-attr name="fullname">
									<arg-association>
										<token-xpath expression="self::status/operation-data/password-reset-status/association"/>
									</arg-association>
								</token-dest-attr>
							</arg-string>
							<arg-string name="UserGivenName">
								<token-dest-attr name="Given Name">
									<arg-association>
										<token-xpath expression="self::status/operation-data/password-reset-status/association"/>
									</arg-association>
								</token-dest-attr>
							</arg-string>
							<arg-string name="UserLastName">
								<token-dest-attr name="Surname">
									<arg-association>
										<token-xpath expression="self::status/operation-data/password-reset-status/association"/>
									</arg-association>
								</token-dest-attr>
							</arg-string>
							<arg-string name="ConnectedSystemName">
								<token-global-variable name="ConnectedSystemName"/>
							</arg-string>
							<arg-string name="FailureReason">
								<token-text/>
								<token-xpath expression="self::status/child::text()"/>
							</arg-string>
							<arg-string name="to">
								<token-dest-attr name="Internet EMail Address">
									<arg-association>
										<token-xpath expression="self::status/operation-data/password-reset-status/association"/>
									</arg-association>
								</token-dest-attr>
							</arg-string>
						</do-send-email-from-template>
					</actions>
				</rule>
			</policy>
		</rule>
		<rule name="Password(Sub)-Pub Email Notifications">
			<policy>
				<description>Email notifications for failed password publications</description>
				<rule>
					<description>Send e-mail for a failed publish password operation</description>
					<conditions>
						<and>
							<if-global-variable mode="nocase" name="notify-user-on-password-dist-failure" op="equal">true</if-global-variable>
							<if-operation op="equal">status</if-operation>
							<if-xpath op="true">self::status[@level != 'success']/operation-data/password-publish-status</if-xpath>
						</and>
					</conditions>
					<actions>
						<!-- generate email notification -->
						<do-send-email-from-template notification-dn="cn=security\cn=Default Notification Collection" template-dn="cn=security\cn=Default Notification Collection\cn=Password Sync Fail">
							<arg-string name="UserFullName">
								<token-src-attr name="Full Name">
									<arg-association>
										<token-xpath expression="self::status/operation-data/password-publish-status/association"/>
									</arg-association>
								</token-src-attr>
							</arg-string>
							<arg-string name="UserGivenName">
								<token-src-attr name="Given Name">
									<arg-association>
										<token-xpath expression="self::status/operation-data/password-publish-status/association"/>
									</arg-association>
								</token-src-attr>
							</arg-string>
							<arg-string name="UserLastName">
								<token-src-attr name="Surname">
									<arg-association>
										<token-xpath expression="self::status/operation-data/password-publish-status/association"/>
									</arg-association>
								</token-src-attr>
							</arg-string>
							<arg-string name="ConnectedSystemName">
								<token-global-variable name="ConnectedSystemName"/>
							</arg-string>
							<arg-string name="to">
								<token-src-attr name="Internet EMail Address">
									<arg-association>
										<token-xpath expression="self::status/operation-data/password-publish-status/association"/>
									</arg-association>
								</token-src-attr>
							</arg-string>
							<arg-string name="FailureReason">
								<token-text/>
								<token-xpath expression="self::status/child::text()"/>
							</arg-string>
						</do-send-email-from-template>
					</actions>
				</rule>
			</policy>
		</rule>
		<rule name="Schema Mapping Rule">
			<attr-name-map>
				<class-name>
					<nds-name>User</nds-name>
					<app-name>contacts</app-name>
				</class-name>
				<attr-name class-name="User">
					<app-name>phone</app-name>
					<nds-name>Telephone Number</nds-name>
				</attr-name>
				<attr-name class-name="User">
					<app-name>department</app-name>
					<nds-name>departmentNumber</nds-name>
				</attr-name>
				<attr-name class-name="User">
					<app-name>title</app-name>
					<nds-name>Title</nds-name>
				</attr-name>
				<attr-name class-name="User">
					<app-name>cell</app-name>
					<nds-name>mobile</nds-name>
				</attr-name>
				<attr-name class-name="User">
					<app-name>first_name</app-name>
					<nds-name>Given Name</nds-name>
				</attr-name>
				<attr-name class-name="User">
					<app-name>email</app-name>
					<nds-name>Internet EMail Address</nds-name>
				</attr-name>
				<attr-name class-name="User">
					<app-name>last_name</app-name>
					<nds-name>Surname</nds-name>
				</attr-name>
			</attr-name-map>
		</rule>
		<entitlement-definition name="Account">
			<entitlement conflict-resolution="priority" description="" display-name="Account"/>
		</entitlement-definition>
	</children>
	<global-config-values>
		<configuration-values>
			<definitions>
				<header display-name="Credential Provisioning"/>
				<definition display-name="SecureLogin Repository" name="idv.credprov.nsl.repository" type="string">
					<description>Name of the Credential Provisioning SecureLogin Repository which contains all the configuration parameters to enable credential provisioning to take place.
	
Note: The object is expected to reside in the same library location as the lib-CredProv-ProcessPayload-itp policy which is linked-in by implementing drivers.</description>
					<value>lib-CredProv-NSLRepository-V1</value>
				</definition>
				<definition display-name="SecretStore Repository" name="idv.credprov.nss.repository" type="string">
					<description>Name of the Credential Provisioning SecretStore Repository which contains all the configuration parameters to enable credential provisioning to take place.
	
Note: The object is expected to reside in the same library location as the lib-CredProv-ProcessPayload-itp policy which is linked-in by implementing drivers.</description>
					<value>lib-CredProv-NSSRepository-V1</value>
				</definition>
				<header display-name="Operational Settings"/>
				<definition display-name="Generate random passwords for new employees" name="idv.pwdmgmt.genpwds" type="boolean">
					<description>If set to "true", random passwords will be generated for new employees.</description>
					<value>true</value>
				</definition>
				<definition display-name="Strict Scoping" hide="true" name="g-scope-sub-strict" type="boolean">
					<description>If set to "true" the subscriber channel will only handle objects that are in the same subtree as the subtree that the publisher channel creates new objects in.</description>
					<value>true</value>
				</definition>
				<definition display-name="Random Password Policy object" dn-space="dirxml" dn-type="slash" name="idv.users.password-policy" type="dn">
					<description>The slash DN of the nspmPasswordPolicy object to be used to generate random passwords for new employees.</description>
					<value>Security\Password Policies\Default Policy Random Passwords</value>
				</definition>
				<definition display-name="User account for starting workflows" dn-space="dirxml" dn-type="ldap" name="idv.workflow.user" type="dn">
					<description>LDAP DN of a user account to specify for starting workflow from policy.</description>
					<value>cn=padmin,dc=admins,dc=system</value>
				</definition>
				<definition display-name="Default workflow approver" dn-space="dirxml" dn-type="ldap" name="idv.workflow.default.approver" type="dn">
					<description>LDAP DN of a user account or group to send workflows to if no other approver, like manager, can be find.</description>
					<value>CN=Management,dc=groups,O=company,dc=data</value>
				</definition>
				<definition display-name="Workflow definition container" dn-space="dirxml" dn-type="ldap" name="idv.workflow.container" type="dn">
					<description>LDAP DN of container holding Provisioning Request Definitions</description>
					<value>CN=RequestDefs,CN=AppConfig,CN=user-application,CN=driverset1,dc=idm,dc=services,dc=system</value>
				</definition>
				<definition display-name="Workorder Container" dn-space="dirxml" dn-type="slash" name="idv.workorder.container" type="dn">
					<description>The container to hold work order related objects.</description>
					<value>system\services\idm\workorders</value>
				</definition>
				<definition display-name="User Application URL" name="idv.workflow.url" type="string">
					<description>URL of User Application used to start workflows</description>
					<value>http://127.0.0.1:8080/IDMProv</value>
				</definition>
				<definition display-name="User Container" dn-space="dirxml" dn-type="slash" name="idv.dit.data.users" type="dn">
					<?generatePrompt?>
					<description>This GCV is used to get a reference to the container where users are stored. This value is used for all drivers. If you want separate containers for each driver, use the GCV on the Driver Object.
The DN is expected in slash-format.</description>
					<value>NOVELL\WORKFORCE</value>
				</definition>
				<definition display-name="Group Container" dn-space="dirxml" dn-type="slash" name="idv.dit.data.groups" type="dn">
					<description>This GCV is used to get a reference to the container where groups are stored. This value is used for all drivers. If you want separate containers for each driver, use the GCV on the Driver Object.
The DN is expected in slash-format.</description>
					<value>data\company\groups</value>
				</definition>
				<definition display-name="Organization Object Container:" dn-space="dirxml" dn-type="slash" name="sap-org-placement" type="dn">
					<description>The name of the container under which published SAP Organization (O) objects will be placed as (nested) Groups.</description>
					<value>data\organisations</value>
				</definition>
				<definition display-name="Position Object Container:" dn-space="dirxml" dn-type="slash" name="sap-pos-placement" type="dn">
					<description>The name of the Organizational Unit object under which published SAP Position (S) objects will be placed.</description>
					<value>data\positions</value>
				</definition>
				<definition display-name="Job Object Container:" dn-space="dirxml" dn-type="slash" name="sap-job-placement" type="dn">
					<description>The name of the Organizational Unit object under which published SAP Job (C) objects will be placed.</description>
					<value>data\jobs</value>
				</definition>
				<definition display-name="Active Users Container:" dn-space="dirxml" dn-type="slash" name="active-user-placement" type="dn">
					<description>The name of the Organizational Unit object where published Active users will be placed.</description>
					<value>data\users\active</value>
				</definition>
				<definition display-name="Inactive Users Container:" dn-space="dirxml" dn-type="slash" name="inactive-user-placement" type="dn">
					<description>The name of the Organizational Unit object where published Inactive users will be placed.</description>
					<value>data\users\inactive</value>
				</definition>
				<definition display-name="Active Employees Group:" dn-space="dirxml" dn-type="slash" name="active-emp-group" type="dn">
					<description>The name of the Group object to which published Active 'Employee' Users will be added.</description>
					<value>data\groups\ActiveUsers</value>
				</definition>
				<definition display-name="Active Managers Group:" dn-space="dirxml" dn-type="slash" name="active-manager-group" type="dn">
					<description>The name of the Group object to which published Active 'Manager' Users will be added.</description>
					<value>data\groups\ActiveManagers</value>
				</definition>
				<definition display-name="Default Password Policy" dn-space="dirxml" dn-type="slash" name="default-password-policy" type="dn">
					<description>Password policy used to generate inital user passwords</description>
					<value>Security\Password Policies\Default Password Policy</value>
				</definition>
				<definition display-name="Identity Vault User Container" dn-space="dirxml" dn-type="slash" name="g-dit-data-users" type="dn">
					<description>All Resource Kit drivers use this GCV to get a reference to the container where users are stored.</description>
					<value>data\users</value>
				</definition>
				<definition display-name="idsrv-trace-level" name="idsrv-trace-level" type="string">
					<value>0</value>
					<description/>
				</definition>
				<definition display-name="archive-user-container" dn-space="dirxml" dn-type="slash" name="archive-user-container" type="dn">
					<value>archive\users</value>
					<description>Archive Container for User</description>
				</definition>
			</definitions>
		</configuration-values>
	</global-config-values>
</driver-configuration>

Keep in mind that this default configuration uses an entitlement (‘Account’) that should be set for provisioning to work. A user object also needs a Given Name by default for it to synchronize. If you do not either disable the entitlement policy or grant the entitlement along with assigning a Given Name the sync event will be vetoed in the Creation Policyset. This driver also does not currently support creates or matches on the Publisher channel as that doesn’t seem to be nearly as useful as provisioning from the main Identity Vault where all the users already reside.

Once completed we have a setup that properly moves users from eDirectory to the Novell Identity Audit environment. By granting the Account entitlement to user that we want having access to NIA synchronization (including password updates) of users in NIA is just a matter of having the users do their regular day-to-day operations.

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.
Loading...Loading...

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply

Leave a Comment

  • fevans says:

    This is a great article to streamline users into the Audit software. There is a portion missing from the Publisher Settings of the Driver Configuration. The beginning portion should read like this so that options such as polling interval are displayed.

    <publisher-options>

            <configuration-values>
                <definitions>

                    <group>

                        <definition display-name=”Disable the Publisher channel?” id=”213″ name=”disable” type=”enum”>

                            <description>Select whether you want to ignore events flowing from the database to Identity Manager.</description>

                            <enum-choice display-name=”no (default)”>_</enum-choice>

                            <enum-choice display-name=”yes”>1</enum-choice>

                            <value>_</value>

                        </definition>

                        <subordinates active-value=”_”>

  • geoffc says:

    Aaron,
    You can attach a config file (XML, ZIP’ed, tar.gz’ed, whatever) to the article which would make trying this driver a lot easier! :)

    Also I find there may be encoding issues for specail chars inside the XML when pasted into here, formatted, copied into Designer/iManager and then errors…

By: ab
Sep 22, 2009
4:15 pm
Reads:
1,207
Score:
Unrated