Overview#

This page looks at how the DirXML Entitlements framework implementation uses the entitlementRef attribute.

The Novell Entitlement Framework adds an entitlementRef attribute to the entry to which the entitlement is being granted, or from which it is being revoked.

It shows a DirXML example and an XPath example for working with DirXML Entitlements.

Details#

This is what we know about the entitlementRef attribute and how a driver could make use of its values.

The entitlementRef is an attribute with a path syntax.

The Entitlement itself is documented elsewhere. We assume that at least some of the XML elements are common.

An entitlement is granted to and revoked from an eDirectory entry via the addition of a value for the DirXML-EntitlementRef attribute, which is associated with the auxiliary class DirXML-EntitlementRecipient on the eDirectory entry.

The DirXML-EntitlementRef attribute is of SYN_PATH syntax and is write-managed.

namespace element or path#

The "namespace" (or integer) component of the DirXML-EntitlementRef attribute is used as a bitmask to hold a set of flags.

The "path" (or path.xml) component carries the XML fragment:
<component name="path.xml">

XPath used to retrieve the value is:

<token-xpath expression="$current-node/component[@name='path.xml']"/>

This returns the xmlData within the component named path.xml.

The path is an XML fragment whose root element is <ref>.

The elements of <ref> are described below (see <src>, <id> and <param>).

State Bit#

Bit 0 of the 32-bit integer is used for this flag value and is known as the state bit where:
<component name="nameSpace">1</component> 

XPath used to retrieve the value is:

<token-xpath expression="$current-node/component[@name='nameSpace']"/>

Possible values:

  • 1 - granted
  • 0 - revoked

Upgrade Bit#

Bit 1 of the 32-bit integer is used to flag a granted entitlement that is the result of the upgrade process and is known as the upgrade bit where:
  • 1 means that the entitlement was previously granted in the legacy format and is therefore not a change in the entitlement state.

Future Use#

Bits 2-31 of the 32-bit integer are reserved for future use.

volume element#

The "volume" component of the path contains a reference to the DirXML-Entitlement entry.

Because the attribute is write-managed, the agent setting the DirXML-EntitlementRef attribute value on an eDirectory object must have write access to the DirXML-EntitlementRef attribute on the object that is being written to, and must also have write access to the ACL attribute on the DirXML-Entitlement object that is referred to by the DN portion of the DirXML-EntitlementRef value.

The value is the FDN of the entitlement that the entitlementRef refers to:

<component name="volume">\IDV-LAB\com\willeke\services\idm\DriverSet\AD\ADGroups</component>

XPath used to retrieve the value is:

<token-xpath expression="$current-node/component[@name='volume']"/>

path element (or path.xml component)#

The value of the "path" (or path.xml component) portion of the DirXML-EntitlementRef attribute.

When used on a DirXML-EntitlementRecipient it represents a granted or revoked entitlement and contains information about the granting/revoking agent as well as the parameter value if the entitlement requires one. When used on a DirXML-SharedProfile (that is, an RBE policy or role), it is only used to provide the parameter value that will be granted by the role. [1]

From what we can find out by Novell Schema Documentation and our own observations, the element <ref> breaks down as:

<src> Element#

The <src> element contains the Entitlement Granting Agent Type:
<src>AF</src>
This tells which of the Entitlement Granting Agent Types the DirXML Entitlement was created from.

DirXML-Script to retrieve the value:

<token-xpath expression="$current-node/component[@name='path.xml']/ref/src/text()"/>

<id> Element#

The <id> element contains the Entitlement Granting Agent Correlation ID. In our example:
<id>7a6d3c359d764786bdabd42839c65043:71af971ce15a437ab6810a619260aee2</id>

As far as we know, these values are not used for anything outside of the Entitlement Granting Agent Types.

DirXML-Script to retrieve the value:

<token-xpath expression="$current-node/component[@name='path.xml']/ref/id/text()"/>

<param> Element#

The <param> element holds the entitlement parameter value; there may be more than one <param> element. In our example:
<param>CN=VBUSE-ADServ,OU=VB,OU=AD,OU=groups,dc=willeke,dc=com</param>

The VALUE of the entitlement. In this case we put the FDN of the group from the IDV in LDAP format because that is how the User App uses the entitlement.

DirXML-Script to retrieve the value(s):

<token-xpath expression="$current-node/component[@name='path.xml']/ref/param/text()"/>

Note: multiple values are returned as a node set.

entitlementRef as a Driver Would See It#

So the driver sees the entitlementRef like this (from the User App):
<add-attr attr-name="DirXML-EntitlementRef">
<value timestamp="1259073195#1" type="structured">
  <component name="nameSpace">1</component>
  <component name="volume">\IDV-LAB\com\willeke\services\idm\DriverSet\AD\ADGroups</component>
  <component name="path.xml">
    <ref>
      <src>AF</src>
      <id>7a6d3c359d764786bdabd42839c65043:71af971ce15a437ab6810a619260aee2</id>
      <param>CN=VBUSE-ADServ,OU=VB,OU=AD,OU=groups,dc=willeke,dc=com</param>
    </ref>
  </component>
 </value>
</add-attr>
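As an added example that is not part of the original page, the following Python takes a DirXML-EntitlementRef add-attr of the shape shown above, decodes the nameSpace bitmask (state bit, upgrade bit, reserved bits), and pulls out the volume, <src>, <id> and all <param> values. The sample event is constructed (it mirrors the one above but adds a second <param> to show the node-set case), and the expected_volume check is an assumption about what a driver should verify before acting on a reference.

```python
import xml.etree.ElementTree as ET

STATE_BIT = 1 << 0          # bit 0: 1 = granted, 0 = revoked
UPGRADE_BIT = 1 << 1        # bit 1: granted by the legacy-format upgrade, not a state change
RESERVED_MASK = 0xFFFFFFFC  # bits 2-31 are reserved for future use

# Constructed sample event in the shape the User App sends; the second <param>
# is added here only to show the multi-value (node set) case.
SAMPLE_EVENT = r"""<add-attr attr-name="DirXML-EntitlementRef">
<value timestamp="1259073195#1" type="structured">
  <component name="nameSpace">1</component>
  <component name="volume">\IDV-LAB\com\willeke\services\idm\DriverSet\AD\ADGroups</component>
  <component name="path.xml">
    <ref>
      <src>AF</src>
      <id>7a6d3c359d764786bdabd42839c65043:71af971ce15a437ab6810a619260aee2</id>
      <param>CN=VBUSE-ADServ,OU=VB,OU=AD,OU=groups,dc=willeke,dc=com</param>
      <param>CN=VBUSE-ADServ2,OU=VB,OU=AD,OU=groups,dc=willeke,dc=com</param>
    </ref>
  </component>
</value>
</add-attr>"""

def decode_namespace(text):
    """Split the nameSpace integer into its state and upgrade flags."""
    ns = int(text)
    if ns & RESERVED_MASK:
        raise ValueError("reserved nameSpace bits set: 0x%08x" % ns)
    return {"granted": bool(ns & STATE_BIT), "upgrade": bool(ns & UPGRADE_BIT)}

def parse_entitlement_ref(add_attr_xml, expected_volume=None):
    """Return one dict per <value>; with expected_volume set, skip references to other entitlements."""
    root = ET.fromstring(add_attr_xml)
    if root.get("attr-name") != "DirXML-EntitlementRef":
        raise ValueError("not a DirXML-EntitlementRef add-attr")
    refs = []
    for value in root.findall("value"):
        comp = {c.get("name"): c for c in value.findall("component")}
        volume = comp["volume"].text
        if expected_volume is not None and volume != expected_volume:
            continue  # assumed check: this driver only acts on references to its own entitlement
        ref = comp["path.xml"].find("ref")
        entry = decode_namespace(comp["nameSpace"].text)
        entry["volume"] = volume
        entry["src"] = ref.findtext("src")              # granting agent type
        entry["id"] = ref.findtext("id")                # agent correlation id
        entry["params"] = [p.text for p in ref.findall("param")]  # node set of values
        refs.append(entry)
    return refs
```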

An Example#

In this particular case, group memberships are not synchronized to the vault, but we do synchronize some attributes of the groups for reference purposes. The value of the group in the destination is held in a custom attribute stored on the group in the vault, referred to here as willekeADValue.

The rule uses the value of willekeADValue to set the member value, in the destination, of the user that has the entitlementRef.

So something like this rule works:

<actions>
	<do-for-each>
		<arg-node-set>
			<token-removed-entitlement name="willekeADGroups"/>
		</arg-node-set>
		<arg-actions>
			<do-remove-dest-attr-value class-name="Group" name="member" when="after">
				<arg-dn>
					<token-src-attr class-name="Group" name="willekeADValue">
						<arg-dn>
							<token-parse-dn dest-dn-format="src-dn" src-dn-format="ldap">
								<token-local-variable name="current-node"/>
							</token-parse-dn>
						</arg-dn>
					</token-src-attr>
				</arg-dn>
				<arg-value>
					<token-src-attr name="DirXML-ADContext">
						<arg-association>
							<token-association/>
						</arg-association>
					</token-src-attr>
				</arg-value>
			</do-remove-dest-attr-value>
			<do-set-xml-attr disabled="true" expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
				<arg-string>
					<token-association/>
				</arg-string>
			</do-set-xml-attr>
		</arg-actions>
	</do-for-each>
	<do-for-each>
		<arg-node-set>
			<token-added-entitlement name="willekeADGroups"/>
		</arg-node-set>
		<arg-actions>
			<do-add-dest-attr-value class-name="Group" name="member" when="after">
				<arg-dn>
					<token-src-attr class-name="Group" name="willekeADValue">
						<arg-dn>
							<token-parse-dn dest-dn-format="src-dn" src-dn-format="ldap">
								<token-local-variable name="current-node"/>
							</token-parse-dn>
						</arg-dn>
					</token-src-attr>
				</arg-dn>
				<arg-value>
					<token-src-attr name="DirXML-ADContext">
						<arg-association>
							<token-association/>
						</arg-association>
					</token-src-attr>
				</arg-value>
			</do-add-dest-attr-value>
			<do-set-xml-attr disabled="true" expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
				<arg-string>
					<token-association/>
				</arg-string>
			</do-set-xml-attr>
		</arg-actions>
	</do-for-each>
</actions>

More Information#



[#1] - http://www.novell.com/documentation/idm36/policy_dtd/?page=/documentation/idm36/policy_dtd/data/dtdentitlementoverview.html

This page (revision-36) was last changed on 24-Sep-2014 14:18 by jim