4.7 XPath 1.0 Expressions

The arguments to some conditions, actions, and tokens use XPath 1.0 expressions. XPath is a language created to provide a common syntax and semantics for the functionality shared between XSLT and XPointer. XPath is used primarily for addressing parts of an XML document, but also provides basic facilities for manipulation of strings, numbers, and Booleans.

The XPath specification requires that the embedding application provide a context with several application-defined pieces of information. In the DirXML Script (see DirXML Script), XPath is evaluated with the following context:

  • The context node is the current operation executed by the policy, unless otherwise specified in the description of the expression.

    A Modify event in Identity Manager looks like this:

    <nds dtdversion="3.5" ndsversion="8.x">
      <source>
        <product version="4.0.1">DirXML</product>
        <contact>Novell, Inc.</contact>
      </source>
      <input>
        <modify class-name="User" event-id="656B0450E1A3BC5C6525780D003E7F4D - 1294053788689" from-merge="true" qualified-src-dn="O=data\OU=users\CN=username" src-dn="data\users\username" src-entry-id="33045">
          <association>656B0450E1A3BC5C6525780D003E7F4D</association>
          <modify-attr attr-name="DirXML-EntitlementRef">
            <remove-all-values/>
          </modify-attr>
          <modify-attr attr-name="CN">
            <add-value>
              <value naming="true" timestamp="1294053459#23" type="string">username</value>
            </add-value>
          </modify-attr>
        </modify>
      </input>
    </nds>

    When a policy rule is executed on the above event, the context node is the <modify> element, not the document root (/). XPath expressions are therefore written relative to <modify> rather than starting from /nds/input/modify. For example, the XPath expression for obtaining the class-name attribute is @class-name, not /nds/input/modify/@class-name. The XPath expression for extracting the value of attr-name=CN can be modify-attr[@attr-name="CN"]/add-value/value or modify-attr/add-value/value (the second form selects the add-value of every modified attribute; CN is the only one in this event).

  • The context position and size are 1.

  • There are several available variables:

    • Variables available as parameters to style sheets within Identity Manager (currently fromNds, srcQueryProcessor, destQueryProcessor, srcCommandProcessor, destCommandProcessor, and dnConverter).

    • Global configuration variables.

    • Local policy variables.

    • If there is a name conflict between different variable sources, the order of precedence is local (policy scope), local (driver scope), and global.

    • Because of the XPath syntax, any variable that has a colon character in its name is not accessible from XPath.

  • There are several namespace definitions available:

    • Any namespaces explicitly declared on the <policy> element by using xmlns:prefix.

    • The following implicitly defined namespaces (unless the same prefix has been explicitly defined):

      • xmlns:js="http://www.novell.com/nxsl/ecmascript"

      • xmlns:es="http://www.novell.com/nxsl/ecmascript"

      • xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor"

      • xmlns:cmd="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsCommandProcessor"

      • xmlns:jdbc="urn:dirxml:jdbc"

    • Any namespace prefix that is not otherwise mapped is automatically mapped to http://www.novell.com/nxsl/java/<prefix>, if the prefix is the fully qualified class name of a Java class that can be resolved to an available Java class through introspection.

    • Namespace declarations to associate a prefix with a Java class must be declared on the <policy> element.

  • There are several available functions:

    • All built-in XPath 1.0 functions.

    • Java extension functions, as provided by NXSL.

      • Java extension functions are accessed through a namespace prefix mapped to a URI of the form: http://www.novell.com/nxsl/java/<fully-qualified-class-name>.

      • For convenience, any prefix that is not otherwise mapped is mapped to http://www.novell.com/nxsl/java/<prefix>, if the prefix is the fully qualified class name of a Java class that can be discovered through introspection.

    • ECMAScript extension functions, as provided by NXSL:

      • The ECMAScript extension function definitions come from the set of ECMAScript resources associated with the driver.

      • The ECMAScript extension functions are accessed through a namespace prefix mapped to the URI http://www.novell.com/nxsl/ecmascript.

      • The prefixes js and es are both implicitly mapped to http://www.novell.com/nxsl/ecmascript unless otherwise explicitly defined.
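Because an unmapped prefix that names a Java class is mapped automatically, any XPath expression in a policy can reach Java or ECMAScript code, which makes extension calls worth listing during policy review. The following added example (not part of the original documentation or the product) scans a policy for prefix:function( calls and classifies each prefix using the resolution rules above; the sample policy is constructed, es:normalize is a hypothetical ECMAScript function, and "java-auto" means the prefix would resolve only if a class of that name exists.

```python
import io
import re
import xml.etree.ElementTree as ET

JAVA_BASE = "http://www.novell.com/nxsl/java/"
ECMA = "http://www.novell.com/nxsl/ecmascript"
IMPLICIT = {  # implicit prefixes exactly as listed on the page
    "js": ECMA, "es": ECMA, "jdbc": "urn:dirxml:jdbc",
    "query": JAVA_BASE + "com.novell.nds.dirxml.driver.XdsQueryProcessor",
    "cmd": JAVA_BASE + "com.novell.nds.dirxml.driver.XdsCommandProcessor",
}
# prefix:function( is an extension-function call; XML name prefixes may contain dots.
CALL = re.compile(r"([A-Za-z_][\w.\-]*):([A-Za-z_][\w.\-]*)\s*\(")

def classify(prefix, declared):
    uri = declared.get(prefix) or IMPLICIT.get(prefix)  # explicit beats implicit
    if uri is None:  # unmapped: becomes a Java call if the prefix names a class
        return ("java-auto", prefix)
    if uri.startswith(JAVA_BASE):
        return ("java", uri[len(JAVA_BASE):])
    return ("ecmascript", uri) if uri == ECMA else ("other", uri)

def audit_policy(policy_xml):
    """Return (prefix, function, kind, target) for every extension call found."""
    declared, root = {}, None
    source = io.BytesIO(policy_xml.encode("utf-8"))
    for event, data in ET.iterparse(source, events=("start-ns", "start")):
        if root is None and event == "start-ns":
            declared[data[0]] = data[1]      # xmlns:* declared on <policy>
        elif root is None:
            root = data                      # first start event is the root
    findings = []
    for el in root.iter():
        for text in [el.text or "", *el.attrib.values()]:
            for prefix, func in CALL.findall(text):
                findings.append((prefix, func, *classify(prefix, declared)))
    return findings

# Constructed sample policy, not taken from the page.
SAMPLE_POLICY = """<policy xmlns:str="http://www.novell.com/nxsl/java/java.lang.String">
  <rule><actions><do-set-local-variable name="v"><arg-string>
    <token-xpath expression="str:valueOf(@src-dn)"/>
    <token-xpath expression="es:normalize(@class-name)"/>
    <token-xpath expression="java.lang.System:currentTimeMillis()"/>
  </arg-string></do-set-local-variable></actions></rule>
</policy>"""

if __name__ == "__main__":
    print(*audit_policy(SAMPLE_POLICY), sep="\n")
```

Rows of kind java and java-auto are the ones to review first, since they run Java code inside the engine process.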

The W3 Web site contains more information about XPath.

XPath Examples

Here are some simple XPath examples commonly used in Identity Manager:

Add Event

<input>
    <add cached-time="20130423053016.248Z" class-name="User" event-id="rj-idmdt-122#20130423053016#1#1:71e2b5fd-cf71-4ebc-06a1-fdb5e27171cf" qualified-src-dn="O=data\OU=users\CN=sfpuserz" src-dn="\Rose-Mayflower-2\data\users\sfpuserz" src-entry-id="39025" timestamp="1366695016#45">
      <add-attr attr-name="Postal Code"> 
        <value timestamp="1366695016#24" type="string">Sacramento</value> 
      </add-attr> 
      <add-attr attr-name="OU"> 
        <value timestamp="1366695016#22" type="string">DCM</value> 
      </add-attr> 
      <add-attr attr-name="Title"> 
        <value timestamp="1366695016#16" type="string">senior manager</value> 
      </add-attr> 
      <add-attr attr-name="co"> 
        <value timestamp="1366695016#18" type="string">USA</value> 
      </add-attr> 
      <add-attr attr-name="Telephone Number"> 
        <value timestamp="1366695016#12" type="teleNumber">+1 818 936-6205</value> 
      </add-attr> 
      <add-attr attr-name="S"> 
        <value timestamp="1366695016#19" type="string">California</value> 
      </add-attr> 
      <add-attr attr-name="Given Name"> 
        <value timestamp="1366695016#11" type="string">sfpuserz</value> 
      </add-attr> 
      <add-attr attr-name="company"> 
        <value timestamp="1366695016#23" type="string">Francos</value> 
      </add-attr> 
      <add-attr attr-name="Surname"> 
        <value timestamp="1366695016#26" type="string">joe</value> 
      </add-attr> 
      <add-attr attr-name="workforceID"> 
        <value timestamp="1366695016#15" type="string">800001</value> 
      </add-attr> 
      <add-attr attr-name="CN"> 
        <value timestamp="1366695016#45" type="string">sfpuserz</value> 
      </add-attr> 
    </add>
</input> 

| Element | Description |
| --- | --- |
| add-attr[@attr-name="Surname"]/value | Returns the value node for the Surname attribute. |
| add-attr[@attr-name="Facsimile Telephone Number"]/value/component[@name="faxNumber"] | Returns the value of the fax number from the Facsimile Telephone Number structured attribute (this attribute is not present in the sample event above). |

Modify Event

<input>
    <modify class-name="User" event-id="656B0450E1A3BC5C6525780D003E7F4D - 1294053788689" from-merge="true" qualified-src-dn="O=data\OU=users\CN=username" src-dn="data\users\username" src-entry-id="33045">
      <association>656B0450E1A3BC5C6525780D003E7F4D</association>
      <modify-attr attr-name="DirXML-EntitlementRef">
        <remove-all-values/>
      </modify-attr>
      <modify-attr attr-name="CN">
        <add-value>
          <value naming="true" timestamp="1294053459#23" type="string">username</value>
        </add-value>
      </modify-attr>
    </modify>
</input>

| Element | Description |
| --- | --- |
| @src-dn | Returns the value of the src-dn attribute inside the event node. |
| @event-id | Returns the value of the event-id attribute. |
| modify-attr[@attr-name="CN"]/add-value/value | Returns the value of the add-value node for the CN attribute. |
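
The context-node rule from the start of this section, applied to the Modify event, as an added example that is not part of the original documentation. It uses Python's xml.etree.ElementTree, which implements only a subset of XPath 1.0, in place of the Identity Manager engine; the Surname add-value is constructed to show why the attr-name predicate matters.

```python
import xml.etree.ElementTree as ET

# The page's Modify event, plus a constructed Surname add-value (not on the page).
EVENT = """<nds dtdversion="3.5" ndsversion="8.x">
  <input>
    <modify class-name="User" src-entry-id="33045">
      <association>656B0450E1A3BC5C6525780D003E7F4D</association>
      <modify-attr attr-name="DirXML-EntitlementRef"><remove-all-values/></modify-attr>
      <modify-attr attr-name="CN">
        <add-value><value type="string">username</value></add-value>
      </modify-attr>
      <modify-attr attr-name="Surname">
        <add-value><value type="string">joe</value></add-value>
      </modify-attr>
    </modify>
  </input>
</nds>"""

def values(context, path):
    """Text of every node selected by a relative location path from context."""
    return [node.text for node in context.findall(path)]

def evaluate_examples(event_xml=EVENT):
    root = ET.fromstring(event_xml)      # <nds>, the document element
    op = root.find("input/modify")       # the operation: the policy's context node
    return {
        # @class-name relative to the operation (ElementTree reads attributes via get)
        "class_name": op.get("class-name"),
        # The predicate pins the result to one attribute.
        "cn_only": values(op, 'modify-attr[@attr-name="CN"]/add-value/value'),
        # Without it, every attribute that carries an add-value is returned.
        "all_adds": values(op, "modify-attr/add-value/value"),
        # A document-style path evaluated from the operation selects nothing,
        # because <modify> has no nds/input/modify descendants.
        "from_root_style": values(op, "nds/input/modify/modify-attr/add-value/value"),
        # The same steps work only when the context really is the document element.
        "from_nds": values(root, "input/modify/modify-attr/add-value/value"),
    }

if __name__ == "__main__":
    for name, result in evaluate_examples().items():
        print(f"{name}: {result}")
```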