Novell IDENTITY MANAGER DTD Reference

Novell® Identity Manager 3.6.1
DTD Reference
AUTHORIZED DOCUMENTATION
www.novell.com
novdocx (en) 13 May 2009

Identity Manager 3.6 DTD Reference

Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide
1 DTD Overview
2 Filter DTD
2.1 Filter Elements
filter
filter-attr
filter-class
3 NDS DTD
3.1 NDS DTD Elements
add
add-association
add-attr
add-value
allow-attr
allow-class
app-name
association
attr
attr-def
attr-name
attr-name-map
authentication-info
check-object-password
check-password
class-def
class-name
component
config-object
contact
copy-attr
copy-name
copy-path
copy-path-suffix
create-rule
create-rules
delete
driver-config
driver-filter
driver-options
driver-state
get-named-password
init-params
input
instance
match-attr
match-class
match-path
matching-rule
matching-rules
modify
modify-association
modify-attr
modify-password
move
nds
nds-name
new-name
old-password
operation-data
output
parent
password
placement
placement-rule
placement-rules
publisher-options
publisher-state
query
query-ex
query-schema
query-token
read-attr
read-parent
remove-all-values
remove-association
remove-value
rename
required-attr
schema-def
search-attr
search-class
server
source
status
subscriber-options
subscriber-state
sync
template
user
value
4 Map DTD
4.1 Map DTD Elements
col
col-def
mapping-table
row
5 DirXML Script DTD
5.1 DirXML Script DTD Elements
actions
and
arg-actions
arg-association
arg-component
arg-conditions
arg-dn
arg-match-attr
arg-node-set
arg-object
arg-password
arg-string
arg-value
comment
component
conditions
description
do-add-association
do-add-dest-attr-value
do-add-dest-object
do-add-role
do-add-src-attr-value
do-add-src-object
do-append-xml-element
do-append-xml-text
do-break
do-clear-dest-attr-value
do-clear-op-property
do-clear-src-attr-value
do-clear-sso-credential
do-clone-op-attr
do-clone-xpath
do-delete-dest-object
do-delete-src-object
do-find-matching-object
do-for-each
do-generate-event
do-if
do-implement-entitlement
do-move-dest-object
do-move-src-object
do-reformat-op-attr
do-remove-association
do-remove-dest-attr-value
do-remove-role
do-remove-src-attr-value
do-rename-dest-object
do-rename-op-attr
do-rename-src-object
do-send-email
do-send-email-from-template
do-set-default-attr-value
do-set-dest-attr-value
do-set-dest-password
do-set-local-variable
do-set-op-association
do-set-op-class-name
do-set-op-dest-dn
do-set-op-property
do-set-op-src-dn
do-set-op-template-dn
do-set-src-attr-value
do-set-src-password
do-set-sso-credential
do-set-sso-passphrase
do-set-xml-attr
do-start-workflow
do-status
do-strip-op-attr
do-strip-xpath
do-trace-message
do-veto
do-veto-if-op-attr-not-available
do-while
if-association
if-attr
if-class-name
if-dest-attr
if-dest-dn
if-entitlement
if-global-variable
if-local-variable
if-named-password
if-op-attr
if-op-property
if-operation
if-password
if-src-attr
if-src-dn
if-xml-attr
if-xpath
include
or
policy
rule
token-added-entitlement
token-association
token-attr
token-base64-decode
token-base64-encode
token-char
token-class-name
token-convert-time
token-dest-attr
token-dest-dn
token-dest-name
token-document
token-entitlement
token-escape-for-dest-dn
token-escape-for-src-dn
token-generate-password
token-global-variable
token-join
token-local-variable
token-lower-case
token-map
token-named-password
token-op-attr
token-op-property
token-operation
token-parse-dn
09
novdocx (en) 13 May 2009
8 Identity Manager 3.6 DTD Reference
token-password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
token-query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
token-removed-attr. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
token-removed-entitlement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
token-replace-all. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
token-replace-first . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
token-resolve . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
token-split. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
token-src-attr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
token-src-dn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
token-src-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
token-substring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
token-text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
token-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
token-unique-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
token-unmatched-src-dn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
token-upper-case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
token-xml-parse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
token-xml-serialize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
token-xpath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
novdocx (en) 13 May 2009
6 DirXML Entitlements DTD 497
6.1 DirXML Entitlements DTD Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
display-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
dn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
ent-value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
entitlement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
entitlement-impl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
item-description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
item-display-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
item-value. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
items. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
msg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
param . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
query-app . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
query-xml . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
ref . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
result-set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
src . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
timestamp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
token-association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
token-attr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
token-src-dn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
value. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
values. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
7 Jobs DTD 531
7.1 Jobs XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
bcc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Contents 9
cc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
java-class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
job-aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
job-definition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
reply-to . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
result-processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
to . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
xliff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
7.2 Example Job XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
novdocx (en) 13 May 2009
10 Identity Manager 3.6 DTD Reference

About This Guide

This guide is a reference to the document type definitions (DTDs) that Identity Manager uses. The guide contains definitions for each of the elements used in Identity Manager. There are separate DTDs for different components of Identity Manager:
“Filter DTD” on page 15
“NDS DTD” on page 23
“Map DTD” on page 161
“DirXML Script DTD” on page 169
“DirXML Entitlements DTD” on page 497
“Jobs DTD” on page 531
Audience
This guide is intended as a reference for Identity Manager consultants.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of the Identity Manager DTD Reference, and the latest Identity Manager documentation, visit the Identity Manager Documentation Web site (http://www.novell.com/documentation/idm36/).
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux or UNIX, should use forward slashes as required by your software.

DTD Overview

This guide is a reference for the Identity Manager document type definitions (DTDs). There are separate DTDs for different components of Identity Manager:
“Filter DTD” on page 15
“NDS DTD” on page 23
“Map DTD” on page 161
“DirXML Script DTD” on page 169
“DirXML Entitlements DTD” on page 497
“Jobs DTD” on page 531
What’s New in Identity Manager 3.6.1
Version 3.6.1 of the DTD has no new features.
What’s New in Identity Manager 3.6
Added a Jobs DTD section that provides introductory information about the XML structure used to create scheduled Jobs in Identity Manager.
Added do-add-role and do-remove-role.
Changed do-send-email-from-template to allow sending HTML content from policy.
Made attribute policy-dn optional for token-generate-password.
Changed do-find-matching-object to set a local variable if it encounters an error and provide additional information in the server log.
Added offset and offset-unit attribute to token-convert-time.
Added optional default-value attribute to token-map.
Added optional old-password attribute to do-set-src-password and do-set-dest-password.

Filter DTD

An Identity Manager filter is primarily for controlling which object classes are synchronized and which attributes are synchronized for those object classes. Additionally, other behaviors of those classes and attributes within Identity Manager are controlled through the filter.
An Identity Manager filter consists of a top level <filter> element that contains a set of <filter-class> elements, each of which contains a set of <filter-attr> elements. The filter for a particular driver is stored in the DirXML-DriverFilter attribute on the DirXML-Driver object.
See “Filter Elements” on page 15 for a list of all the elements in the Filter DTD.

2.1 Filter Elements

Element Description
filter Filter for an Identity Manager driver.
filter-attr Behavior of an attribute for a particular object class.
filter-class Behavior of an object class.

filter

Consists of a set of <filter-class> elements that describe the object classes used by a particular instance of an Identity Manager driver.
Example
<filter>
  <filter-class class-name="User" subscriber="sync" publisher="sync">
    <filter-attr attr-name="CN" subscriber="sync" publisher="ignore" merge-authority="none"/>
    <filter-attr attr-name="Surname" subscriber="sync"/>
    <filter-attr attr-name="Given name" subscriber="sync"/>
    <filter-attr attr-name="Internet EMail Address" publisher="sync" publisher-optimize-modify="false"/>
    <filter-attr attr-name="Login Disabled" subscriber="notify"/>
  </filter-class>
  <filter-class class-name="Group" subscriber="sync" publisher="sync" publisher-create-homedir="false">
    <filter-attr attr-name="CN" subscriber="sync" merge-authority="none"/>
    <filter-attr attr-name="Member" subscriber="sync" publisher="sync" merge-authority="publisher" publisher-optimize-modify="false"/>
  </filter-class>
</filter>
Allowed Content
Element Description
filter-class Behavior of an object class.
Attributes
None
Content Rule
(filter-class*)
Parent Elements
None

filter-attr

Describes an attribute of the enclosing <filter-class> that is used by a particular instance of an Identity Manager driver. The attr-name attribute specifies the name of an attribute in eDirectory™.
Remarks
The publisher and subscriber attributes control whether this attribute is synchronized on the respective channels according to the following table. If the channel setting for the object class as a whole is ignore, then the setting for individual attributes is ignored.
Value Description
ignore Changes to this attribute are not reported or automatically synchronized.
notify Changes to this attribute are reported but not automatically synchronized.
sync Changes to this attribute are reported and automatically synchronized.
reset Changes to this attribute are reported and trigger the attribute to be automatically reset to the values from the other channel. It is illegal for both Publisher and Subscriber to be set to reset for the same attribute.
The merge-authority attribute controls the behavior of the attribute during a merge operation according to the following table:
Value: default
Behavior:
1. If an attribute is not being synchronized in either channel, then no merging occurs.
2. If an attribute is being synchronized in one channel and not the other, then all existing values on the destination for that channel are removed and replaced with the values from the source for that channel. If the source has multiple values and the destination can only accommodate a single value, then only one of the values is used on the destination side, although it is undefined which of those values is used.
3. If an attribute is being synchronized in both channels and both sides can accommodate multiple values, then each side ends up with the union of values present on either side.
4. If an attribute is being synchronized in both channels and both sides can accommodate only a single value, the application ends up with the value from eDirectory unless there is no value in eDirectory. In this case eDirectory ends up with the value from the application (if any).
5. If an attribute is synchronized in both channels and only one side can accommodate multiple values then the single-valued side's value is added to the value from the multiple-value side if it is already there. If there is no value on the single-valued side one of the values (undefined) is added to the single-valued side.
Valid: Always
Value: edir
Behavior: Has the same behavior as the default if the attributes are synchronized on the Subscriber channel and not on the Publisher channel.
Valid: When synchronizing or notifying on the Subscriber channel
Value: app
Behavior: Has the same behavior as the default if the attributes are synchronized on the Publisher channel and not on the Subscriber channel.
Valid: When synchronizing or notifying on the Publisher channel
Value: none
Behavior: No merging occurs regardless of synchronization.
Valid: Always
The publisher-optimize-modify attribute controls whether or not changes to this attribute are examined on the Publisher channel to determine the minimal change needed in the Identity Vault.
Example
See <filter>.
Allowed Content
EMPTY
Attributes
Attribute                   Possible Values                   Default Value
attr-name                   CDATA                             #REQUIRED
    Name of the attribute.
merge-authority             default | edir | app | none       default
    Flag that controls how this attribute is merged.
publisher                   ignore | notify | sync | reset    ignore
    Flag that controls Publisher channel synchronization.
publisher-optimize-modify   true | false                      true
    Flag that controls optimization of modifications on the Subscriber channel.
subscriber                  ignore | notify | sync | reset    ignore
    Flag that controls Subscriber channel synchronization.
Content Declaration
Empty
Parent Elements
Element Description
filter-class Behavior of an object class.

filter-class

Describes an object class that is used by a particular instance of an Identity Manager driver. The class-name attribute specifies the name of an effective (that is, structural or base) class in eDirectory and only applies to objects that have that particular base class.
Remarks
The Publisher and Subscriber attributes control whether this class is synchronized on the respective channels.
Value Description
ignore Changes to the objects of this class are not reported or automatically synchronized.
sync Changes to the objects of this class are reported and automatically synchronized.
The publisher-track-template-member attribute controls whether or not the Publisher channel maintains the Member of Template attribute when it creates objects from a template. The publisher-create-homedir attribute controls whether or not a NetWare® home directory is automatically created when a User is created with the Home Directory attribute populated.
Example
See <filter>.
Allowed Content
Element Description
filter-attr Behavior of an attribute for a particular object class.
Attributes
Attribute                         Possible Values   Default Value
class-name                        CDATA             #REQUIRED
    Name of the object class.
publisher                         ignore | sync     ignore
    Flag that controls Publisher channel synchronization.
publisher-create-homedir          true | false      true
    Flag that controls automatic creation of home directories.
publisher-track-template-member   true | false      false
    Flag that controls the tracking of objects.
subscriber                        ignore | sync     ignore
    Flag that controls Publisher channel synchronization.
Content Rule
filter-attr
Parent Elements
Element Description
filter Filter for an Identity Manager driver.
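The rules in the filter-attr and filter-class sections (allowed channel values, the ignore defaults, a class-level ignore overriding attribute settings, the ban on reset for both channels, and the Valid column of the merge-authority table) can be checked mechanically when reviewing which attributes a driver will actually synchronize. The following Python is an added example, not Novell code: the sample filter is constructed, and treating an invalid value as ignore and reading the Valid column against the effective channel setting are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample filter. It contains three deliberate problems:
# merge-authority="app" without Publisher sync/notify, reset on both
# channels, and a misspelled channel value.
SAMPLE_FILTER = """
<filter>
  <filter-class class-name="User" subscriber="sync" publisher="ignore">
    <filter-attr attr-name="CN" subscriber="sync" publisher="sync"/>
    <filter-attr attr-name="Surname" subscriber="notify" merge-authority="app"/>
    <filter-attr attr-name="Description" subscriber="reset" publisher="reset"/>
    <filter-attr attr-name="Title" subscriber="synch"/>
  </filter-class>
  <filter-class class-name="Group">
    <filter-attr attr-name="Member" subscriber="sync" publisher="sync"/>
  </filter-class>
</filter>
"""

CHANNELS = ("subscriber", "publisher")
CLASS_VALUES = {"ignore", "sync"}
ATTR_VALUES = {"ignore", "notify", "sync", "reset"}
MERGE_VALUES = {"default", "edir", "app", "none"}
# Channel that must be sync or notify for each restricted merge-authority value.
MERGE_NEEDS = {"edir": "subscriber", "app": "publisher"}


def read_channels(element, allowed, where, findings):
    """Read both channel attributes, applying the documented default (ignore)."""
    settings = {}
    for channel in CHANNELS:
        value = element.get(channel, "ignore")
        if value not in allowed:
            findings.append(f"{where}: invalid {channel}={value!r}")
            value = "ignore"  # assumption of this example: fail closed
        settings[channel] = value
    return settings


def audit_filter(xml_text):
    """Return (effective, findings) for a <filter> document.

    effective maps (class-name, attr-name) to the per-channel behaviour after
    the class-level setting is applied; findings lists rule violations.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "filter":
        raise ValueError("top-level element must be <filter>")
    effective, findings = {}, []
    for cls in root.findall("filter-class"):
        cname = cls.get("class-name")
        if cname is None:
            findings.append("filter-class without required class-name")
            continue
        cls_setting = read_channels(cls, CLASS_VALUES, cname, findings)
        for attr in cls.findall("filter-attr"):
            aname = attr.get("attr-name")
            if aname is None:
                findings.append(f"{cname}: filter-attr without required attr-name")
                continue
            where = f"{cname}/{aname}"
            raw = read_channels(attr, ATTR_VALUES, where, findings)
            if raw["subscriber"] == "reset" and raw["publisher"] == "reset":
                findings.append(f"{where}: reset on both channels is illegal")
            # A class-level ignore overrides whatever the attribute says.
            eff = {ch: raw[ch] if cls_setting[ch] != "ignore" else "ignore"
                   for ch in CHANNELS}
            merge = attr.get("merge-authority", "default")
            needs = MERGE_NEEDS.get(merge)
            if merge not in MERGE_VALUES:
                findings.append(f"{where}: invalid merge-authority={merge!r}")
            elif needs and eff[needs] not in ("sync", "notify"):
                findings.append(f"{where}: merge-authority={merge} is only valid "
                                f"when the {needs} channel is sync or notify")
            effective[(cname, aname)] = eff
    return effective, findings


if __name__ == "__main__":
    table, problems = audit_filter(SAMPLE_FILTER)
    for key, value in table.items():
        print(key, value)
    for problem in problems:
        print("FINDING:", problem)
```

In the sample, Group/Member ends up ignored on both channels even though the attribute says sync, because the class itself carries no channel setting and therefore defaults to ignore.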

NDS DTD

The NDS™ document type definition file (nds.dtd) defines the schema of the XML documents that the Identity Manager engine can process. XML documents that do not conform to this schema generate errors.
The nds.dtd file defines the following:
Input and output commands and events (such as add, delete, modify, and rename) that can be performed on entries and the data that must be included with each.
Driver initialization operations (such as authentication information, driver filter, configuration options, and state) for the driver shim, publisher shim, and subscriber shim and the data that these operations require.
Schema operations for defining class and attribute definitions.
Rules for schema mapping, matching, creation, and placement.
Remember the following when reading a DTD file:
Marker Meaning
? 0 or 1 of these can be included.
+ 1 or more of these must be included.
* 0 or more of these can be included.
CDATA Character data.
PCDATA Parsed character data.
<! Beginning of an element, entity, or attribute definition.
> End of an element, entity, or attribute definition.
See “NDS DTD Elements” on page 23 for a list of all of the elements in the NDS DTD.

3.1 NDS DTD Elements

Element Description
add Adds an object when an add event occurs.
add-association Adds an association.
add-attr Adds an attribute.
add-value Adds values.
allow-attr Allows an attribute in the filter.
allow-class Allows a class in the filter.
app-name Names in the application namespace.
association Unique key of the application object.
attr Current state of an attribute.
attr-def Schema attribute definition.
attr-name Maps an attribute name.
attr-name-map Top-level element for Schema Mapping policies.
authentication-info Information for connecting and authenticating to the application.
check-object-password Checks the password against an eDirectory object.
check-password Checks the password against an eDirectory driver object.
class-def Schema class definition.
class-name Maps a class name.
component Component of a structured attribute.
config-object eDirectory object to use for additional configuration data.
contact Point of contact for the originating product.
copy-attr Copies an attribute token. Deprecated as of Identity Manager 2.0.
copy-name Copies a name token. Deprecated as of Identity Manager 2.0.
copy-path Copies a path token. Deprecated as of Identity Manager 2.0.
copy-path-suffix Copies a path token. Deprecated as of Identity Manager 2.0.
create-rule Object creation rule. Deprecated as of Identity Manager 2.0.
create-rules Top-level element for object creation rules. Deprecated as of Identity Manager 2.0.
delete Deletes an object when a delete event occurs.
driver-config Driver-specific Driver Shim configuration options.
driver-filter Publication and Subscription class and attribute event filter.
driver-options Driver-specific Driver Shim configuration options.
driver-state Driver-specific state information.
get-named-password Retrieves a named password for a driver.
init-params Initialization parameters for the DriverShim, SubscriptionShim, or PublicationShim.
input Input events or commands.
instance Current state of an instance of an object.
match-attr Matches an attribute. Deprecated as of Identity Manager 2.0.
match-class Matches a class name. Deprecated as of Identity Manager 2.0.
match-path Matches a path. Deprecated as of Identity Manager 2.0.
matching-rule Object matching rule. Deprecated as of Identity Manager 2.0.
matching-rules Top-level element for object matching rules. Deprecated as of Identity Manager 2.0.
modify Modifies an object when a modify event occurs.
modify-association Modifies an association command.
modify-attr Modifies an attribute.
modify-password Modifies an object password when a modify event for a password occurs.
move Moves an object when a move event occurs.
nds Top-level element for all Identity Manager and Driver communication.
nds-name Name in the eDirectory namespace.
new-name The new name of a renamed object.
old-password The old authentication password.
operation-data The operation adds additional custom data.
output Results of events or commands.
parent The parent container of an object.
password The authentication password.
placement Object placement specifier. Deprecated as of Identity Manager 2.0.
placement-rule Object placement rule. Deprecated as of Identity Manager 2.0.
placement-rules Top-level element for object placement rules. Deprecated as of Identity Manager 2.0.
publisher-options Driver-specific PublicationShim configuration options.
publisher-state Driver PublicationShim state information.
query Query command.
query-ex Query command with result count limit.
query-schema Query schema command.
query-token Opaque handle for query-ex commands.
read-attr Returns specified object attribute values.
read-parent Returns the object parent container.
remove-all-values Removes all attribute values.
remove-association Removes an association.
remove-value Removes specified attribute values.
rename Renames an object when a rename event occurs.
required-attr Required attribute. Deprecated as of Identity Manager 2.0.
schema-def Schema definition.
search-attr Query search attribute value filter.
search-class Query search class filter.
server The authentication server.
source The source or creator of the document.
status Status of the processing of a command or event.
subscriber-options Driver-specific SubscriptionShim configuration options.
subscriber-state Driver SubscriptionShim state information.
sync Resynchronization or migrate event.
template Specifies a template. Deprecated as of Identity Manager 2.0.
user The authentication user name.
value The attribute value.

add

Used as an event notification from the PublicationShim to Identity Manager when an object is added in the application. When it is used as a notification, an <association> is required. It is also used as a command from Identity Manager to the SubscriptionShim to add an object in the application.
Remarks
<add> contains an <add-attr> for each attribute of the object added.
<add> might contain a <password> for the object added.
A response to <add> should be a <status> indicating whether or not the <add> was processed successfully. When used as a command, <add> should also return an <add-association> that contains the unique key for the newly added object. The dest-dn and dest-entry-id attributes of the <add-association> should be set to the src-dn and src-entry-id of the <add>.
Example
<add class-name="User" src-dn="\Sam">
  <association>1012</association>
  <add-attr attr-name="cn">
    <value>Sam</value>
  </add-attr>
  <add-attr attr-name="Surname">
    <value>Jones</value>
  </add-attr>
  <add-attr attr-name="Given Name">
    <value>Sam</value>
  </add-attr>
  <add-attr attr-name="Telephone Number">
    <value>555-1212</value>
  </add-attr>
</add>
Allowed Content
Element Description
association Unique key of the application object.
add-attr Add attribute.
password The authentication password.
operation-data The operation adds additional custom data.
Attributes
Attribute          Possible Values   Default Value
class-name         CDATA             #REQUIRED
    The name of the base class of the object. The class name is mapped between the application and eDirectory™ namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
dest-dn            CDATA             #IMPLIED
    The distinguished name of the target object in the namespace of the receiver.
    Should be left empty for event notifications. Filled in by the Placement policy on commands.
dest-entry-id      CDATA             #IMPLIED
    The entry ID of the target object in the namespace of the receiver.
    Reserved. Should be ignored by the driver.
event-id           CDATA             #IMPLIED
    An identifier used to tag the results of an event or command.
    Should be copied to the event-id attribute of the resulting <status> and <add-association> elements.
qualified-src-dn   CDATA             #IMPLIED
    The qualified version of src-dn. Only used for describing objects from eDirectory.
src-dn             CDATA             #IMPLIED
    The distinguished name of source object that generated the event in the namespace of the sender.
    Should be copied to the dest-dn attribute of the resulting <add-association> for commands.
src-entry-id       CDATA             #IMPLIED
    The entry ID of source object that generated the event in the namespace of the sender.
    Should be copied to the dest-entry-id attribute of the resulting <add-association> for commands.
template-dn        CDATA             #IMPLIED
    The distinguished name of a template in the receiver's namespace to use as a basis for creating the object.
    Filled in by the Create policy for commands. Drivers only need to implement this if it makes sense for the application.
timestamp          CDATA             #IMPLIED
    Reserved. Should be ignored by the driver.
Content Rule
( association ? , add-attr * , password ? , operation-data ? )
Parent Elements
Element Description
input Input events or commands.

add-association

Used to return the unique key of an object added as the result of an <add> command.
Example
<add-association dest-dn="\Users\Samuel" dest-entry-id="33974"> {BC3E7155-CDF9-d311-9846-0008C76B16C2} </add-association>
Allowed Content
#PCDATA
Element Description
operation-data Operation adds additional custom data.
Attributes
Attribute       Possible Values   Default Value
dest-dn         CDATA             #REQUIRED
    The distinguished name of the target object in the namespace of the receiver.
    Should be set to the src-dn of the <add>.
dest-entry-id   CDATA             #IMPLIED
    The entry id of the target object in the namespace of the receiver.
    Should be set to the src-entry-id of the <add>.
event-id        CDATA             #IMPLIED
    An identifier used to tag the results of an event or command.
    Should be set to the event-id of the <add>.
Content Rule
( #PCDATA | operation-data ) *
Parent Elements
Element Description
input Input events or commands.
output Results of events or commands.

add-attr

Used to specify the attribute values for an <add> operation or event. Each <add-attr> should contain at least one <value>.
Example
See <add>.
Allowed Content
Element Description
value The attribute value.
Attributes
Attribute                 Possible Values   Default Value
attr-name                 CDATA             #REQUIRED
    The name of the attribute.
    The name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace. The mapping rule uses the class name attribute of the enclosing command or event to determine which class to use for mapping the attribute name.
enforce-password-policy   true | false      #IMPLIED
    Reserved. Should be ignored by the driver.
Content Rule
( value + )
Parent Elements
Element Description
add Adds an object when an add event occurs.

add-value

Used to specify values added to the attribute specified in the enclosing <modify-attr>. A driver should gracefully ignore an <add-value> for a value that already exists and continue to process the remainder of the enclosing <modify>.
Example
See <modify>.
Allowed Content
Element Description
value The attribute value.
Attributes
None
Parent Elements
Element Description
modify-attr Modifies an attribute.

allow-attr

Used to specify attributes that are allowed in the event filter for the class specified in the enclosing <allow-class>.
Example
See <init-params>.
Allowed Content
EMPTY
Attributes
Attribute    Possible Values    Default Value
attr-name    CDATA    #REQUIRED
The name of the attribute.
The name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace. The mapping rule uses the class name attribute of the enclosing command or event to determine which class to use for mapping the attribute name.
is-sensitive    true | false    false
If true, specifies that the attribute values referenced by the <allow-attr> element contain sensitive data that should be suppressed in trace information.
Content Declaration
Empty
Parent Elements
Element Description
allow-class Allow a class in the filter.
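The following is an added example, not code from this reference or from Novell. It shows one way a driver's own trace logging could honor is-sensitive: it collects the (class, attribute) pairs flagged in a <driver-filter> and masks their <value> content before a document is written to a trace. The filter, the SSN attribute, the sample <modify>, and the mask text are constructed for illustration, and the filter and the document are assumed to use names from the same namespace.

```python
import xml.etree.ElementTree as ET

# Constructed filter: the SSN attribute and its is-sensitive flag are hypothetical.
FILTER = """<driver-filter type="subscriber">
  <allow-class class-name="User">
    <allow-attr attr-name="Surname"/>
    <allow-attr attr-name="SSN" is-sensitive="true"/>
  </allow-class>
</driver-filter>"""

# Constructed command: a <modify> that replaces SSN and adds a Surname value.
COMMAND = """<input>
  <modify class-name="User" event-id="e1">
    <association>1012</association>
    <modify-attr attr-name="SSN">
      <remove-value><value>123-45-6789</value></remove-value>
      <add-value><value>987-65-4321</value></add-value>
    </modify-attr>
    <modify-attr attr-name="Surname">
      <add-value><value>Jones</value></add-value>
    </modify-attr>
  </modify>
</input>"""

MASK = "-- suppressed --"  # placeholder text chosen for this example


def sensitive_attrs(filter_xml):
    """Return the set of (class-name, attr-name) pairs marked is-sensitive="true"."""
    root = ET.fromstring(filter_xml)
    found = set()
    for allow_class in root.findall("allow-class"):
        for allow_attr in allow_class.findall("allow-attr"):
            # The DTD default for is-sensitive is false.
            if allow_attr.get("is-sensitive", "false") == "true":
                found.add((allow_class.get("class-name"), allow_attr.get("attr-name")))
    return found


def trace_text(doc_xml, sensitive):
    """Serialize a copy of the document with sensitive attribute values masked."""
    doc = ET.fromstring(doc_xml)  # parsing again gives a private copy to edit
    for op in doc.iter():
        class_name = op.get("class-name")
        if class_name is None:
            continue
        # Every element under this command that names a flagged attribute
        # (add-attr, modify-attr, attr, ...) has all nested <value> content masked.
        for holder in op.iter():
            if (class_name, holder.get("attr-name")) not in sensitive:
                continue
            for value in holder.iter("value"):
                for component in list(value):  # structured values carry <component>
                    value.remove(component)
                value.text = MASK
    return ET.tostring(doc, encoding="unicode")


if __name__ == "__main__":
    print(trace_text(COMMAND, sensitive_attrs(FILTER)))
```

Only the serialized trace copy is masked; the document handed on for processing is not modified.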

allow-class

Used to specify classes that are allowed in the event filter specified by the enclosing <driver-filter>.
Example
See <init-params>.
Allowed Content
Element Description
allow-attr Allow an attribute in the filter.
Attributes
Attribute    Possible Values    Default Value
class-name    CDATA    #REQUIRED
The name of the base class of the object.
The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
Content Rule
( allow-attr ) *
Parent Elements
Element Description
driver-filter Publication and Subscription class and attribute event filter.

app-name

Used to specify a class or attribute name in the application namespace.
Example
See <attr-name-map>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
( #PCDATA )
Parent Elements
Element Description
attr-name Maps an attribute name.
class-name Maps a class name.

association

Used to specify the unique key of an application object that is the source of an event notification from the PublicationShim to Identity Manager, the target of a command sent from Identity Manager to the SubscriptionShim, or the base object of a <query> sent to the SubscriptionShim.
Example
<association state="associated"> {B43E7155-CDF9-d311-9846-0008C76B16C2} </association>
Allowed Content
#PCDATA
Attributes
Attribute    Possible Values    Default Value
state    not-associated | associated | disabled | migrate | pending | manual    #IMPLIED
Reserved: Should be ignored by the driver.
Content Rule
#PCDATA
Parent Elements
Element Description
add Adds an object when an add event occurs.
check-object-password Checks the password against an eDirectory object.
delete Deletes an object when a delete event occurs.
instance Current state of an instance of an object.
modify Modifies an object when a modify event occurs.
modify-association Modifies an association command.
modify-password Modifies an object password when a modify event for a password occurs.
move Moves an object when a move event occurs.
parent The parent container of an object.
query Query command.
query-ex Query command with a result count limit.
rename Renames an object when a rename event occurs.
sync Resynchronization or migrate event.

attr

Used to specify the attribute values for the object specified by the enclosing <instance>. Each <attr> should contain at least one <value>.
Example
See <instance>.
Allowed Content
Element Description
value The attribute value.
Attributes
Attribute    Possible Values    Default Value
attr-name    CDATA    #REQUIRED
The name of the attribute.
The name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace. The mapping rule uses the class name attribute of the enclosing command or event to determine which class to use for mapping the attribute name.
Content Rule
( value * )
Parent Elements
Element Description
instance Current state of an instance of an object.

attr-def

Used to specify a schema attribute for the class specified by the enclosing <class-def>.
Example
See <schema-def>.
Allowed Content
EMPTY
Attributes
Attribute    Possible Values    Default Value
asn1id    CDATA    #IMPLIED
The ASN.1 Object ID of the attribute.
attr-name    CDATA    #REQUIRED
The name of the attribute.
case-sensitive    true | false    false
Whether or not the attribute is case sensitive.
multi-valued    true | false    true
Whether or not the attribute can hold more than one value.
naming    true | false    false
Whether or not the attribute can be used as part of the RDN of an object of the enclosing class.
read-only    true | false    false
Whether or not the attribute is read-only.
required    true | false    false
Whether or not the attribute is required by an object of the enclosing class.
type    string | teleNumber | int | state | counter | dn | interval | octet | time | structured    string
The data type of the attribute.
Content Declaration
Empty
Parent Elements
Element Description
class-def Schema class definition.

attr-name

Used to specify a mapping between an attribute name in the eDirectory namespace and the application namespace.
Example
See <attr-name-map>.
Allowed Content
Element Description
nds-name Name in the eDirectory namespace. The names specified must be unique for the given class.
app-name Name in the application namespace. The names specified must be unique for the given class.
Attributes
Attribute    Possible Values    Default Value
class-name    CDATA    #IMPLIED
The name of the class that this attribute name mapping is for in the eDirectory namespace. If missing or blank, the mapping is considered generic and applies to all classes that don't have a class-specific mapping.
Content Rule
( nds-name , app-name )
Parent Elements
Element Description
attr-name-map Top-level element for Schema Mapping policies.

attr-name-map

The top-level (document) element for Schema Mapping policies. Schema Mapping policies are stored in the DirXML-XmlData attribute of a DirXML-Rule object that is pointed to by the DirXML-MappingRule attribute of a DirXML-Driver object.
Remarks
<attr-name-map> contains <attr-name> and <class-name> elements that specify a one-to-one mapping between class and attribute names in eDirectory and the application namespace. Schema Mapping policies are applied to map from the eDirectory namespace to the application namespace whenever XML is sent or returned from Identity Manager to the driver and before the Output transform is applied.
Schema Mapping policies are applied to map from the application namespace to the eDirectory namespace whenever XML is sent or returned from driver to Identity Manager after the Input Transform policy is applied.
Schema Mapping policies try to map the class-name and attr-name attributes of all elements in the document. The class name used to map an attribute name is found by looking at the nearest ancestor element with a class-name attribute.
Example
<attr-name-map>
  <!-- map eDirectory class User to application class inetOrgPerson -->
  <class-name>
    <nds-name>User</nds-name>
    <app-name>inetOrgPerson</app-name>
  </class-name>
  <!-- map NDS attribute Given Name to application attribute givenName for class User -->
  <attr-name class-name="User">
    <nds-name>Given Name</nds-name>
    <app-name>givenName</app-name>
  </attr-name>
  <!-- map NDS attribute Surname to application attribute sn for all classes -->
  <!-- that don't have a class-specific mapping -->
  <attr-name>
    <nds-name>Surname</nds-name>
    <app-name>sn</app-name>
  </attr-name>
</attr-name-map>
Allowed Content
Element Description
attr-name Maps an attribute name.
class-name Maps a class name.
Attributes
None
Content Rule
( attr-name | class-name ) *
Parent Elements
None
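The following is an added example, not code from this reference or from Novell. It applies the <attr-name-map> policy shown above in the eDirectory-to-application direction, using the nearest ancestor's class-name to choose between a class-specific and a generic attribute mapping. The sample <input> document is constructed, and leaving unmapped names unchanged is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Policy taken from the <attr-name-map> example in this section.
POLICY = """<attr-name-map>
  <class-name><nds-name>User</nds-name><app-name>inetOrgPerson</app-name></class-name>
  <attr-name class-name="User">
    <nds-name>Given Name</nds-name><app-name>givenName</app-name>
  </attr-name>
  <attr-name><nds-name>Surname</nds-name><app-name>sn</app-name></attr-name>
</attr-name-map>"""

# Constructed command in the eDirectory namespace.
COMMAND = """<input>
  <add class-name="User">
    <add-attr attr-name="Given Name"><value>Samuel</value></add-attr>
    <add-attr attr-name="Surname"><value>Jones</value></add-attr>
    <add-attr attr-name="Title"><value>Engineer</value></add-attr>
  </add>
  <add class-name="Group">
    <add-attr attr-name="Given Name"><value>n/a</value></add-attr>
    <add-attr attr-name="Surname"><value>n/a</value></add-attr>
  </add>
</input>"""


def load_policy(policy_xml):
    """Return (class map, attribute map); attribute keys are (class or None, name)."""
    classes, attrs = {}, {}
    for entry in ET.fromstring(policy_xml):
        nds = entry.findtext("nds-name")
        app = entry.findtext("app-name")
        if entry.tag == "class-name":
            classes[nds] = app
        elif entry.tag == "attr-name":
            # A missing or blank class-name makes the mapping generic.
            owner = (entry.get("class-name") or "").strip() or None
            attrs[(owner, nds)] = app
    return classes, attrs


def to_application(doc, classes, attrs):
    """Rewrite class-name and attr-name attributes in place, eDirectory to application."""
    def walk(element, nds_class):
        name = element.get("attr-name")
        if name is not None:
            # Class-specific mapping first, then generic, else leave the name
            # unchanged (the last step is an assumption of this example).
            mapped = attrs.get((nds_class, name), attrs.get((None, name), name))
            element.set("attr-name", mapped)
        own_class = element.get("class-name")
        if own_class is not None:
            element.set("class-name", classes.get(own_class, own_class))
            nds_class = own_class  # descendants look up with the eDirectory name
        for child in element:
            walk(child, nds_class)

    walk(doc, None)
    return doc


def mapped_pairs(policy_xml, command_xml):
    """Return [(class-name, [attr-name, ...])] for each <add> after mapping."""
    classes, attrs = load_policy(policy_xml)
    doc = to_application(ET.fromstring(command_xml), classes, attrs)
    return [(add.get("class-name"), [a.get("attr-name") for a in add])
            for add in doc.iter("add")]


if __name__ == "__main__":
    for class_name, names in mapped_pairs(POLICY, COMMAND):
        print(class_name, names)
```

Given Name is mapped only for User, so it is left as is under Group, while the generic Surname mapping applies to both classes.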

authentication-info

Used to specify the parameters needed for the driver to connect to and authenticate to an application server.
Example
See <init-params>.
Allowed Content
Element Description
server The authentication server.
user The authentication username.
password The authentication password.
Attributes
None
Content Rule
( server ? , user ? , password ? )
Parent Elements
Element Description
init-params Initialization parameters for the DriverShim, SubscriptionShim, or PublicationShim.

check-object-password

Used to validate a password against an eDirectory object. A <status> result is returned indicating success or failure.
Remarks
An <association> element, a dest-dn attribute, or a dest-entry-id attribute is used to specify the eDirectory object against which the password is to be checked.
If the eDirectory object's Login Disabled attribute is set to true, then the <status> indicates an error even if the password is correct.
Example
<check-object-password dest-dn="container\object"> abdc1234 </check-object-password>
Allowed Content
Element Description
association Unique key of the application object.
password The authentication password.
operation-data The operation adds additional custom data.
Attributes
Attribute    Possible Values    Default Value
dest-dn    CDATA    #IMPLIED
The distinguished name of the target object in the namespace of the receiver.
dest-entry-id    CDATA    #IMPLIED
The entry ID of the target object in the namespace of the receiver.
event-id    CDATA    #IMPLIED
An identifier used to tag the results of an event or command.
Content Rule
( association ? , password , operation-data ? )
Parent Elements
Element Description
input Input events or commands.

check-password

Used to validate a password against the eDirectory driver object. A <status> result is returned indicating success or failure.
Example
<check-password>abdc1234</check-password>
Allowed Content
#PCDATA
Element Description
operation-data The operation adds additional custom data.
Attributes
None
Content Rule
( #PCDATA | operation-data ) *
Parent Elements
Element Description
input Input events or commands.

class-def

Used to specify a schema class in the enclosing <schema-def>.
Example
See <schema-def>.
Allowed Content
Element Description
attr-def Schema attribute definition.
Attributes
Attribute    Possible Values    Default Value
asn1id    CDATA    #IMPLIED
The ASN.1 Object ID of the class.
class-name    CDATA    #REQUIRED
The name of the schema class.
container    true | false    false
Whether or not an object of this class can be a container for other objects.
Content Rule
( attr-def ) *
Parent Elements
Element Description
schema-def Schema definition.

class-name

Used to specify a mapping between a class name in the eDirectory namespace and the application namespace.
Example
See <attr-name-map>.
Allowed Content
Element Description
nds-name Name in the eDirectory namespace. The names specified must be unique to this <class-name>.
app-name Name in the application namespace. The names specified must be unique to this <class-name>.
Attributes
None
Content Rule
( nds-name , app-name )
Parent Elements
Element Description
attr-name-map Top-level element for Schema Mapping policies.

component

Used to specify an individual field of the enclosing <value> if the data type of the value is structured.
Example
See <value>.
Allowed Content
#PCDATA
Attributes
Attribute    Possible Values    Default Value
association-ref    CDATA    #IMPLIED
The association value (application object unique key) of the object being referenced by this component. This is required on all components that refer to other objects when the component is part of a notification event from the driver. This exists on all components that refer to other objects when the component is part of a command from Identity Manager if the referenced object has an established association in eDirectory.
name    CDATA    #REQUIRED
The name of the component. This is specific to individual attribute syntaxes. See <value>.
Content Rule
( #PCDATA )
Parent Elements
Element Description
value The attribute value.

config-object

Used to specify objects and attributes where additional configuration information is obtained.
Remarks
During driver startup, the contained <query> is processed and the resulting <instance> element replaces the <config-object> in the <init-params> passed to the DriverShim.init(), SubscriptionShim.init(), and PublicationShim.init() methods.
Example
See <init-params>.
Allowed Content
Element Description
query Query command.
Attributes
Attribute    Possible Values    Default Value
display-name    CDATA    #IMPLIED
The name to display in the interface generated by ConsoleOne®.
Content Rule
( query )
Parent Elements
None

contact

Used to specify the point of contact for the creator of the enclosing document.
Example
See <nds>.
Allowed Content
#PCDATA
Attributes
None
Content Rule
#PCDATA
Parent Elements
Element Description
source The source or creator of the document.

copy-attr

Deprecated as of Identity Manager 2.0. Use DirXMLScript <token-op-attr> instead.
Remarks
<copy-attr> is used as a token to specify a string replacement in the distinguished name generated by the enclosing <placement>.
The replacement string is generated by copying the first value for the attribute specified by attr-name from the <add> event that is being processed. If the attribute does not exist, then the enclosing <placement-rule> is skipped. Structured attribute types are not supported.
Example
See <placement-rules>.
Allowed Content
EMPTY
Attributes
Attribute    Possible Values    Default Value
attr-name    CDATA    #REQUIRED
The name of the attribute.
The name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace. The mapping rule uses the class name attribute of the enclosing command or event to determine which class to use for mapping the attribute name.
Content Declaration
Empty
Parent Elements
Element Description
placement Object placement specifier. Deprecated as of Identity Manager 2.0.

copy-name

Deprecated as of Identity Manager 2.0. Use DirXMLScript <token-src-dn> instead.
Remarks
<copy-name> is used as a token to specify a string replacement in the distinguished name generated by the enclosing <placement>.
The replacement string is generated by copying the unqualified portion of the leaf-most component of the src-dn attribute from the <add> event that is being processed. If the src-dn does not exist, then the enclosing <placement-rule> is skipped.
Example
See <placement-rules>.
Allowed Content
EMPTY
Attributes
None
Content Declaration
Empty
Parent Elements
Element Description
placement Object placement specifier. Deprecated as of Identity Manager 2.0.

copy-path

Deprecated as of Identity Manager 2.0. Use DirXMLScript <token-src-dn> instead.
Remarks
<copy-path> is used as a token to specify a string replacement in the distinguished name generated by the enclosing <placement>.
The replacement string is generated by copying the src-dn attribute from the <add> event that is being processed. A conversion from the src-dn-format to the dest-dn-format of the enclosing <placement-rules> is performed if the formats are different. Conversion from a typeless (unqualified) format to a typed (qualified) format is unsupported unless the source is eDirectory.
Example
See <placement-rules>.
Allowed Content
EMPTY
Attributes
None
Content Declaration
Empty
Parent Elements
Element Description
placement Object placement specifier. Deprecated as of Identity Manager 2.0.

copy-path-suffix

Deprecated as of Identity Manager 2.0. Use DirXMLScript <token-unmatched-src-dn> instead.
Remarks
<copy-path-suffix> is used as a token to specify a string replacement in the distinguished name generated by the enclosing <placement>.
The replacement string is generated by copying the src-dn attribute from the <add> event that is being processed, and then stripping away the portion of the src-dn matched by a <match-path> in the enclosing <placement-rule>. If no <match-path> was specified, then the whole src-dn is copied. A conversion from the src-dn-format to the dest-dn-format of the enclosing <placement-rules> is performed if the formats are different. Conversion from a typeless (unqualified) format to a typed (qualified) format is unsupported unless the source is eDirectory.
Example
See <placement-rules>.
Allowed Content
EMPTY
Attributes
None
Content Declaration
Empty
Parent Elements
Element Description
placement Object placement specifier. Deprecated as of Identity Manager 2.0.

create-rule

Deprecated as of Identity Manager 2.0. Use DirXMLScript <rule> instead.
Remarks
<create-rule> is used to specify the criteria for creating a new object as a result of an <add> event.
When a <create-rule> is evaluated, it first checks whether or not this is a suitable rule for the <add> event in question. It does this by checking if a class name is specified by the rule. If so, the rule is only suitable if the class name matches the class name on the event. It then checks if any <match-attr> criteria are specified by the rule. If so, the rule is only suitable if the <add> contains all the attribute values required by the <match-attr>. If a rule is determined to not be suitable, it is skipped.
When a suitable rule is found, the <add> is evaluated to see if it has a value for all of the <required-attr> that do not contain a default value. If not, the <add> is vetoed; otherwise, it is allowed. Then any required attributes with default values that were missing from the <add> are filled in. If the write-back attribute of the <required-attr> element is set, the missing values are also written back to the source object. The template-dn attribute is filled in if a <template> is specified.
Example
See <create-rules>.
Allowed Content
Element Description
match-attr Matches an attribute. Deprecated as of Identity Manager 2.0.
required-attr Required attribute. Deprecated as of Identity Manager 2.0.
template Specifies a template. Deprecated as of Identity Manager 2.0.
Attributes
Attribute    Possible Values    Default Value
class-name    CDATA    #IMPLIED
The name of the base class of the objects this rule applies to in the eDirectory namespace. If empty or not present, then this rule applies to all base classes.
description    CDATA    #IMPLIED
Description of this rule, primarily for use in ConsoleOne.
Content Rule
( match-attr * , required-attr * , template ? )
Parent Elements
Element Description
create-rules Top-level element for object creation rules. Deprecated as of Identity Manager 2.0.

create-rules

Deprecated as of Identity Manager 2.0. Use DirXMLScript <policy> instead.
Remarks
<create-rules> is the top-level (document) element for object creation rules. Object creation rules are stored in the DirXML-XmlData attribute of a DirXML-Rule object that is pointed to by the DirXML-CreateRule attribute of a DirXML-Subscriber or DirXML-Publisher object.
In the Subscriber channel, the source is eDirectory, and the destination is the application. In the Publisher channel, the source is the application and the destination is eDirectory.
Object creation rules are used to determine whether or not to create a new object in the destination as a result of an <add> event in the source. (Identity Manager automatically converts <modify> into <add> for events from unassociated objects). Object creation rules are applied only after any existing Matching rules are applied and fail to find a matching object in the destination.
<create-rules> contains 0 or more <create-rule> elements. The creation rule processor evaluates each <create-rule> in order until a suitable rule is found. That rule then vetoes or allows the object creation and fills in any default attributes and templates specified. If no suitable <create-rule> is found, then the object creation is allowed.
Example
<create-rules>
  <!-- For all Users in the Defense organization require Given Name, -->
  <!-- Surname, and Security Clearance. Create using the -->
  <!-- templates\Secure User template -->
  <create-rule class-name="User">
    <match-attr attr-name="OU">
      <value>Defense</value>
    </match-attr>
    <required-attr attr-name="Given Name"/>
    <required-attr attr-name="Surname"/>
    <required-attr attr-name="Security Clearance"/>
    <template template-dn="templates\Secure User"/>
  </create-rule>
  <!-- For all other Users require Given Name and Surname. -->
  <!-- Default the value of Security Clearance to None -->
  <!-- Don't use a template for creation -->
  <create-rule class-name="User">
    <required-attr attr-name="Given Name"/>
    <required-attr attr-name="Surname"/>
    <required-attr attr-name="Security Clearance">
      <value>None</value>
    </required-attr>
  </create-rule>
</create-rules>
Allowed Content
Element Description
create-rule Object creation rule. Deprecated as of Identity Manager 2.0.
Attributes
None
Content Rule
( create-rule ) *
Parent Elements
None
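The following is an added example, not code from this reference or from Novell. It walks the <create-rules> example above through the evaluation order described for <create-rule> and <create-rules>: the first suitable rule decides, required attributes without a default veto the <add>, and defaults and the template are filled in. The <add> events are constructed, value comparison is assumed to be an exact string match, and write-back is not modeled.

```python
import xml.etree.ElementTree as ET

# The <create-rules> example from this section (raw string keeps the DN backslash).
RULES = r"""<create-rules>
  <create-rule class-name="User">
    <match-attr attr-name="OU"><value>Defense</value></match-attr>
    <required-attr attr-name="Given Name"/>
    <required-attr attr-name="Surname"/>
    <required-attr attr-name="Security Clearance"/>
    <template template-dn="templates\Secure User"/>
  </create-rule>
  <create-rule class-name="User">
    <required-attr attr-name="Given Name"/>
    <required-attr attr-name="Surname"/>
    <required-attr attr-name="Security Clearance"><value>None</value></required-attr>
  </create-rule>
</create-rules>"""


def make_add(class_name, attrs):
    """Build a constructed <add> event from a {attribute name: value} dict."""
    add = ET.Element("add", {"class-name": class_name})
    for name, value in attrs.items():
        holder = ET.SubElement(add, "add-attr", {"attr-name": name})
        ET.SubElement(holder, "value").text = value
    return add


def add_values(add, attr_name):
    """All values the <add> carries for one attribute."""
    return [v.text or "" for a in add.findall("add-attr")
            if a.get("attr-name") == attr_name for v in a.findall("value")]


def is_suitable(rule, add):
    """Class name must match (if given) and every <match-attr> value must be present."""
    rule_class = rule.get("class-name")
    if rule_class and rule_class != add.get("class-name"):
        return False
    for match in rule.findall("match-attr"):
        present = add_values(add, match.get("attr-name"))
        if any((v.text or "") not in present for v in match.findall("value")):
            return False
    return True


def apply_create_rules(rules_xml, add):
    """Return (allowed, add); the first suitable rule decides and no later rule is tried."""
    for rule in ET.fromstring(rules_xml).findall("create-rule"):
        if not is_suitable(rule, add):
            continue
        required = rule.findall("required-attr")
        # Veto if a required attribute without a default value is missing.
        for req in required:
            if req.find("value") is None and not add_values(add, req.get("attr-name")):
                return False, add
        # Fill in defaults for required attributes the <add> did not supply.
        for req in required:
            name = req.get("attr-name")
            if req.find("value") is not None and not add_values(add, name):
                filled = ET.Element("add-attr", {"attr-name": name})
                for default in req.findall("value"):
                    ET.SubElement(filled, "value").text = default.text
                # Keep the <add> content order: association?, add-attr*, ...
                index = 0
                for i, child in enumerate(add):
                    if child.tag in ("association", "add-attr"):
                        index = i + 1
                add.insert(index, filled)
        template = rule.find("template")
        if template is not None:
            add.set("template-dn", template.get("template-dn"))
        return True, add
    return True, add  # no suitable rule: creation is allowed


def decide(class_name, attrs):
    """Return (allowed, template-dn, Security Clearance values) for a constructed <add>."""
    allowed, add = apply_create_rules(RULES, make_add(class_name, attrs))
    return allowed, add.get("template-dn"), add_values(add, "Security Clearance")


if __name__ == "__main__":
    print(decide("User", {"OU": "Defense", "Given Name": "Ann", "Surname": "Lee"}))
    print(decide("User", {"OU": "Sales", "Given Name": "Bo", "Surname": "Ray"}))
```

A Defense user without Security Clearance is vetoed by the first rule and never reaches the second rule's default of None, because evaluation stops at the first suitable rule.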

delete

Used as an event notification from the PublicationShim to Identity Manager when an object is deleted in the application. When used as a notification, an <association> is required. Also used as a command from Identity Manager to the SubscriptionShim to delete an object in the application. When used as a command, an <association> is required and is the unique key of the object to delete.
Remarks
A response to <delete> should be a <status> indicating whether or not the <delete> was processed successfully.
Example
<delete class-name="User" src-dn="\Sam"> <association>1012</association> </delete>
Allowed Content
Element Description
association Unique key of the application object.
operation-data The operation adds additional custom data.
Attributes
Attribute    Possible Values    Default Value
class-name    CDATA    #IMPLIED
The name of the base class of the object.
The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
dest-dn    CDATA    #IMPLIED
The distinguished name of the target object in the namespace of the receiver.
Should be left empty for event notifications.
dest-entry-id    CDATA    #IMPLIED
The entry ID of the target object in the namespace of the receiver.
Should be left empty for event notifications.
event-id    CDATA    #IMPLIED
An identifier used to tag the results of an event or command.
qualified-src-dn    CDATA    #IMPLIED
The qualified version of src-dn. Only used for describing objects from eDirectory.
src-dn    CDATA    #IMPLIED
The distinguished name of the source object that generated the event in the namespace of the sender.
src-entry-id    CDATA    #IMPLIED
The entry ID of the source object that generated the event in the namespace of the sender.
timestamp    CDATA    #IMPLIED
Reserved. Should be ignored by the driver.
Content Rule
( association ? , operation-data ? )
Parent Elements
Element Description
input Input events or commands.

driver-config

Used to specify driver-specific configuration options. It is the top-level element in the XML stored in the DirXML-ShimConfigInfo attribute of the DirXML-Driver object in eDirectory.
Remarks
The enclosed <driver-options>, <subscriber-options>, and <publisher-options> can each contain any number of <config-object> and driver-defined elements. The driver-defined elements might each contain text data.
Each driver-defined element can have a type attribute. The type attribute can specify that the element refers to a named password by assigning the value password-ref to the attribute. A named password reference is replaced at runtime with the actual value of a named password set using the Identity Manager administration facilities.
In the Identity Manager administration interface, each driver-defined element is displayed as an edit control that can edit the content of the element. Each <config-object> is displayed as a single-valued DN control that allows the selection of a DN to fill in the dest-dn of the enclosed <query>. Each control is labeled with the value of the display-name attribute if it exists or with the tag name if it does not exist.
Example
<driver-config name="Netscape DirXML Driver">
  <driver-options>
    <display-method display-name="Debug Output (0-none, 1-Window, 2-DSTrace)">1</display-method>
  </driver-options>
  <subscriber-options>
    <config-object display-name="Super driver configuration data">
      <query dest-dn="novell/Driver Set/Super Driver/Config Object" scope="entry" event-id="config1">
        <read-attr attr-name="Some Attribute"/>
        <read-attr attr-name="XmlData" type="xml"/>
      </query>
    </config-object>
  </subscriber-options>
  <publisher-options>
    <pollRate display-name="Poll rate in seconds">5</pollRate>
    <changeLogSuffix display-name="Netscape changelog suffix">cn=changelog</changeLogSuffix>
    <changeLogBegin display-name="Starting changelog (1-First,2-New, 3-Continue)">2</changeLogBegin>
  </publisher-options>
</driver-config>
Allowed Content
Element Description
driver-options Driver-specific DriverShim configuration options.
subscriber-options Driver-specific SubscriptionShim configuration options.
publisher-options Driver-specific PublicationShim configuration options.
Attributes
Attribute    Possible Values    Default Value
name    CDATA    #IMPLIED
Human readable name of the driver shim.
Content Rule
( driver-options ? , subscriber-options ? , publisher-options ? )
Parent Elements
None

driver-filter

Used to specify the event filter that is being used by a particular channel. It is generated from the DirXML-DriverFilter attribute on the DirXML-Subscriber or DirXML-Publisher object.
Example
See <init-params>.
Allowed Content
Element Description
allow-class Allows a class in the filter.
Attributes
Attribute    Possible Values    Default Value
type    publisher | subscriber    #IMPLIED
Specifies the channel that the filter is for.
Content Rule
( allow-class ) *
Parent Elements
Element Description
init-params Initialization parameters for a DriverShim, SubscriptionShim, or PublicationShim.

driver-options

Used to specify driver-specific configuration options. It comes from the DirXML-ShimConfigInfo attribute of the DirXML-Driver object in eDirectory.
Example
See <driver-config>.
Allowed Content
ANY
Attributes
None
Content Rule
ANY
Parent Elements
Element Description
driver-config Driver specific DriverShim configuration options.
init-params Initialization parameters for a DriverShim, SubscriptionShim, or PublicationShim.

driver-state

Used to specify driver-specific state information.
Example
See <init-params>.
Allowed Content
ANY
Attributes
None
Content Rule
ANY
Parent Elements
Element Description
init-params Initialization parameters for a DriverShim, SubscriptionShim, or PublicationShim.

get-named-password

Used to retrieve a named password for a driver. A <status> result is returned indicating success or failure. If the status is success, then a <password> element is also returned containing the password value. The content of <get-named-password> is the name or key of the password that is retrieved.
Example
<get-named-password event-id="gnp37"> web-password </get-named-password>
Allowed Content
#PCDATA
Element Description
operation-data The operation adds additional custom data.
Attributes
Attribute    Possible Values    Default Value
event-id    CDATA    #IMPLIED
An identifier used to tag the results of an event or command.
Content Rule
( #PCDATA | operation-data ) *
Parent Elements
Element Description
input Input events or commands.

init-params

Used to specify initialization parameters for a DriverShim, SubscriptionShim, or PublicationShim.
Remarks
<init-params> is also included in any <output> or <input> from the driver to Identity Manager, which instructs Identity Manager to store the contents of the enclosed <driver-state>, <subscriber-state>, and <publisher-state> into the DirXML-DriverStorage attribute of the DirXML-Driver object in eDirectory. The states are included in the <init-params> sent to the corresponding init() function when a driver, subscriber, or publisher is started.
Example
<!-- for DriverShim.init() -->
<init-params src-dn="\MY_TREE\MyOrg\MyDriverSet\MyDriver">
  <authentication-info>
    <server>localhost</server>
    <user>Fred</user>
    <password>foobar</password>
  </authentication-info>
  <driver-options>
    <!-- some driver defined driver options -->
  </driver-options>
  <driver-state>
    <!-- some driver defined driver state -->
  </driver-state>
</init-params>

<!-- for SubscriptionShim.init() -->
<init-params src-dn="\MY_TREE\MyOrg\MyDriverSet\MyDriver\Subscriber">
  <authentication-info>
    <server>localhost</server>
    <user>Fred</user>
    <password>foobar</password>
  </authentication-info>
  <driver-filter type="subscriber">
    <allow-class class-name="User">
      <allow-attr attr-name="Telephone Number"/>
      <allow-attr attr-name="CN"/>
      <allow-attr attr-name="Surname"/>
      <allow-attr attr-name="Given Name"/>
      <allow-attr attr-name="Description"/>
      <allow-attr attr-name="Title"/>
      <allow-attr attr-name="Postal Address"/>
      <allow-attr attr-name="GUID"/>
      <allow-attr attr-name="Full Name"/>
    </allow-class>
    <allow-class class-name="Organizational Unit">
      <allow-attr attr-name="OU"/>
    </allow-class>
    <allow-class class-name="Organizational">
      <allow-attr attr-name="O"/>
    </allow-class>
  </driver-filter>
  <subscriber-options>
    <!-- some driver defined subscriber options -->
  </subscriber-options>
  <subscriber-state>
    <!-- some driver defined subscriber state -->
  </subscriber-state>
</init-params>

<!-- for PublicationShim.init() -->
<init-params src-dn="\MY_TREE\MyOrg\MyDriverSet\MyDriver\Publisher">
  <authentication-info>
    <server>localhost</server>
    <user>Fred</user>
    <password>foobar</password>
  </authentication-info>
  <driver-filter type="publisher">
    <allow-class class-name="User">
      <allow-attr attr-name="Telephone Number"/>
      <allow-attr attr-name="CN"/>
      <allow-attr attr-name="Surname"/>
      <allow-attr attr-name="Given Name"/>
      <allow-attr attr-name="Description"/>
      <allow-attr attr-name="Title"/>
      <allow-attr attr-name="Postal Address"/>
      <allow-attr attr-name="GUID"/>
      <allow-attr attr-name="Full Name"/>
    </allow-class>
    <allow-class class-name="Organizational Unit">
      <allow-attr attr-name="OU"/>
    </allow-class>
    <allow-class class-name="Organizational">
      <allow-attr attr-name="O"/>
    </allow-class>
  </driver-filter>
  <publisher-options>
    <!-- some driver defined publisher options -->
  </publisher-options>
  <publisher-state>
    <!-- some driver defined publisher state -->
  </publisher-state>
</init-params>

<!-- for DriverShim.getSchema() -->
<init-params>
  <authentication-info>
    <server>localhost</server>
    <user>Fred</user>
    <password>foobar</password>
  </authentication-info>
  <driver-filter type="subscriber">
    <allow-class class-name="User">
      <allow-attr attr-name="Telephone Number"/>
      <allow-attr attr-name="CN"/>
      <allow-attr attr-name="Surname"/>
      <allow-attr attr-name="Given Name"/>
      <allow-attr attr-name="Description"/>
      <allow-attr attr-name="Title"/>
      <allow-attr attr-name="Postal Address"/>
      <allow-attr attr-name="GUID"/>
      <allow-attr attr-name="Full Name"/>
    </allow-class>
    <allow-class class-name="Organizational Unit">
      <allow-attr attr-name="OU"/>
    </allow-class>
    <allow-class class-name="Organizational">
      <allow-attr attr-name="O"/>
    </allow-class>
  </driver-filter>
  <driver-filter type="publisher">
    <allow-class class-name="User">
      <allow-attr attr-name="Telephone Number"/>
      <allow-attr attr-name="CN"/>
      <allow-attr attr-name="Surname"/>
      <allow-attr attr-name="Given Name"/>
      <allow-attr attr-name="Description"/>
      <allow-attr attr-name="Title"/>
      <allow-attr attr-name="Postal Address"/>
      <allow-attr attr-name="GUID"/>
      <allow-attr attr-name="Full Name"/>
    </allow-class>
    <allow-class class-name="Organizational Unit">
      <allow-attr attr-name="OU"/>
    </allow-class>
    <allow-class class-name="Organizational">
      <allow-attr attr-name="O"/>
    </allow-class>
  </driver-filter>
  <driver-options>
    <!-- some driver defined driver options -->
  </driver-options>
  <subscriber-options>
    <!-- some driver defined subscriber options -->
  </subscriber-options>
  <publisher-options>
    <!-- some driver defined publisher options -->
  </publisher-options>
  <driver-state>
    <!-- some driver defined driver state -->
  </driver-state>
  <subscriber-state>
    <!-- some driver defined subscriber state -->
  </subscriber-state>
  <publisher-state>
    <!-- some driver defined publisher state -->
  </publisher-state>
</init-params>
Allowed Content
Element Description
authentication-info Information for connecting and authenticating to the application.
driver-filter Publication and Subscription class and attribute event filter.
driver-options Driver-specific DriverShim configuration options.
subscriber-options Driver-specific SubscriptionShim configuration options.
publisher-options Driver-specific PublicationShim configuration options.
driver-state Driver-specific state information.
subscriber-state Driver SubscriptionShim state information.
publisher-state Driver PublicationShim state information.
operation-data The operation adds additional custom data.
Attributes
Attribute Possible Values Default Value
src-dn CDATA #IMPLIED
The distinguished name of DirXML-Driver, DirXML-Publisher, or DirXML-Subscriber.
Content Rule
( authentication-info ? , driver-filter ? , driver-options ? , subscriber-options ? , publisher-options ? , driver-state ? , subscriber-state ? , publisher-state ? , operation-data ? )
Parent Elements
Element Description
input Input events or commands.
output Results of events or commands.

input

Used to encapsulate events or commands sent as input to a driver or Identity Manager. All <nds> documents sent as a parameter to an Identity Manager or driver interface method should contain exactly one <input>.
Example
See <nds>.
Allowed Content
Element Description
add Adds an object when an add event occurs.
modify Modifies an object when a modify event occurs.
delete Deletes an object when a delete event occurs.
rename Renames an object when a rename event occurs.
move Moves an object when a move event occurs.
query Query command.
query-ex Query command with a result count limit.
query-schema Query schema command.
add-association Adds association command.
modify-association Modifies an association command.
remove-association Removes an association command.
init-params Initialization parameters for a DriverShim, SubscriptionShim, or PublicationShim.
status Status of the processing of a command or event.
check-password Checks password against an eDirectory driver object.
modify-password Modifies an object password when a modify event for a password occurs.
check-object-password Checks password against an eDirectory object.
sync Resynchronization or migrate event.
get-named-password Retrieves a named password for a driver.
Attributes
None
Content Rule
( add | modify | delete | rename | move | query | query-ex | query-schema | add-association | modify-association | remove-association | init-params | status | check-password | modify-password | check-object-password | sync | get-named-password ) *
Parent Elements
Element Description
nds Top-level element for all Identity Manager and Driver communication.

instance

Used to represent an object in eDirectory or the application as part of the response to a <query> command or a <query-ex> command. <instance> does not necessarily represent the complete state of the object, but just the information requested by the <query> or <query-ex>. When returned from a driver, an <association> is required.
Example
<instance class-name="User" src-dn="\Users\Samuel">
  <association>1012</association>
  <attr attr-name="Surname">
    <value>Jones</value>
  </attr>
  <attr attr-name="cn">
    <value>Samuel</value>
  </attr>
  <attr attr-name="Given Name">
    <value>Samuel</value>
  </attr>
  <attr attr-name="Telephone Number">
    <value>555-1212</value>
    <value>555-1764</value>
  </attr>
</instance>
Allowed Content
Element Description
association Unique key of the application object.
parent The parent or container of an object.
attr Current state of an attribute.
operation-data The operation adds additional custom data.
Attributes
Attribute Possible Values Default Value
class-name CDATA #REQUIRED
The name of the base class of the object.
The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
event-id CDATA #IMPLIED
An identifier used to tag the results of an event or command.
qualified-src-dn CDATA #IMPLIED
The qualified version of src-dn. Only used for describing objects from eDirectory.
src-dn CDATA #IMPLIED
The distinguished name of the source object that generated the event in the namespace of the sender.
src-entry-id CDATA #IMPLIED
The entry ID of the source object that generated the event in the namespace of the sender.
Reserved: Should be ignored by the driver.
Content Rule
( association ? , parent ? , attr * , operation-data ? )
Parent Elements
Element Description
output Results of events or commands.
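The Content Rule entries in this reference can be checked mechanically before a document is trusted. The following is an added example, not part of the Novell documentation: it compiles the rule strings printed for <init-params> and <instance> into regular expressions over the child-element sequence and also applies the remark that an <instance> returned from a driver requires an <association>. The function names, the from_driver flag and the sample documents are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

# Content Rule strings copied from the <init-params> and <instance> entries.
CONTENT_RULES = {
    "init-params": "( authentication-info ? , driver-filter ? , driver-options ? , "
                   "subscriber-options ? , publisher-options ? , driver-state ? , "
                   "subscriber-state ? , publisher-state ? , operation-data ? )",
    "instance": "( association ? , parent ? , attr * , operation-data ? )",
}


def rule_to_regex(rule):
    """Compile a DTD element-content rule into a regex over 'name;name;' strings."""
    body = re.sub(r"[A-Za-z][\w.-]*",
                  lambda m: "(?:%s;)" % re.escape(m.group()), rule)
    # Commas mean "followed by", which is plain concatenation in a regex.
    return re.compile(re.sub(r"[\s,]", "", body))


COMPILED = {name: rule_to_regex(rule) for name, rule in CONTENT_RULES.items()}


def check(xml_text, from_driver=False):
    """Return a list of problems found in an XDS fragment (empty list = clean)."""
    problems = []
    for elem in ET.fromstring(xml_text).iter():
        rule = COMPILED.get(elem.tag)
        if rule is None:
            continue  # no rule registered for this element in the example
        children = [child.tag for child in elem]
        if not rule.fullmatch("".join(tag + ";" for tag in children)):
            problems.append("%s: children %s violate the content rule"
                            % (elem.tag, children))
        if elem.tag == "instance":
            if elem.get("class-name") is None:
                problems.append("instance: class-name is #REQUIRED")
            if from_driver and elem.find("association") is None:
                problems.append("instance: <association> required from a driver")
    return problems


# Constructed samples; GOOD mirrors the <instance> example in this section.
GOOD = """<output><instance class-name="User" src-dn="\\Users\\Samuel">
  <association>1012</association>
  <attr attr-name="Surname"><value>Jones</value></attr>
</instance></output>"""
MISORDERED = """<instance class-name="User">
  <attr attr-name="cn"><value>Samuel</value></attr>
  <association>1012</association>
</instance>"""
NO_KEY = '<instance class-name="User"><attr attr-name="cn"/></instance>'
BAD_INIT = "<init-params><driver-state/><driver-options/></init-params>"

if __name__ == "__main__":
    for name in ("GOOD", "MISORDERED", "NO_KEY", "BAD_INIT"):
        print(name, check(globals()[name], from_driver=True))
```

Elements with mixed content (rules containing #PCDATA) are outside what this checker handles.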

match-attr

Deprecated as of Identity Manager 2.0. Use DirXMLScript <if-op-attr> for an object creation and Placement policy or <do-find-matching-object> and <arg-match-attr> for an object Matching policy.
Remarks
<match-attr> is used to specify:
Rule selection criteria for the enclosing <create-rule> or <placement-rule>. When used as such, it must contain at least one <value>.
Object selection criteria for the enclosing <matching-rule>. When used as such, it must not contain a <value>.
Example
See <create-rules>.
Allowed Content
Element Description
value The attribute value.
Attributes
Attribute Possible Values Default Value
attr-name CDATA #REQUIRED
The name of the required attribute in the eDirectory namespace.
Content Rule
( value ) *
Parent Elements
Element Description
create-rule Object creation rule. Deprecated as of Identity Manager 2.0.
matching-rule Object matching rule. Deprecated as of Identity Manager 2.0.
placement-rule Object placement rule. Deprecated as of Identity Manager 2.0.
match-class
Deprecated as of Identity Manager 2.0. Use DirXMLScript <if-object-class> instead.
Remarks
<match-class> is used to specify rule selection criteria for the enclosing <matching-rule> or <placement-rule>.
Example
See <matching-rules> and <placement-rules>.
Allowed Content
EMPTY
Attributes
Attribute Possible Values Default Value
class-name CDATA #REQUIRED
The name of the base class in the eDirectory namespace.
Content Declaration
Empty
Parent Elements
Element Description
matching-rule Object matching rule. Deprecated as of Identity Manager 2.0.
placement-rule Object placement rule. Deprecated as of Identity Manager 2.0.

match-path

Deprecated as of Identity Manager 2.0. Use DirXMLScript <if-src-dn> for object placement policy or <do-find-matching-object> and <arg-dn> for object matching policy.
Remarks
<match-path> is used to specify:
Rule selection criteria for the enclosing <placement-rule>. When used as such, the src-dn attribute of the source <add> event is compared with prefix and is considered a match if the src-dn is in the subtree whose root is prefix. The namespace of the path is the same as the event source.
Object selection criteria for the enclosing <matching-rule>. When used as such, prefix is used as the dest-dn for the <query> generated by the enclosing rule. The namespace of the path is the same as the event destination.
When the namespace of the path is eDirectory, the format is slash format, for example, \treename\container\...\leaf. If the leading \ is omitted, the path is assumed to be relative to the tree root.
When the namespace of the path is the application namespace, the format of the path is application dependent and should be documented by the driver writer.
Example
See <matching-rules> and <placement-rules>.
Allowed Content
EMPTY
Attributes
Attribute Possible Values Default Value
prefix CDATA #REQUIRED
The root-most portion of the path or distinguished name to match.
Content Declaration
EMPTY
Parent Elements
Element Description
matching-rule Object matching rule. Deprecated as of Identity Manager 2.0.
placement-rule Object placement rule. Deprecated as of Identity Manager 2.0.

matching-rule

Deprecated as of Identity Manager 2.0. Use DirXMLScript <rule> and <do-find-matching-object> instead.
Remarks
<matching-rule> is used to specify the criteria for finding a matching object for automatic association of a new object as a result of an <add> event.
When a <matching-rule> is evaluated, it first checks whether or not this is a suitable rule for the <add> event in question. It does this by checking if any <match-class> elements are specified by the rule. If so, then the rule is only suitable if the class name on the event matches the class name on one of the <match-class> elements. It then checks if any <match-attr> criteria are specified by the rule. If so, the rule is only suitable if the <add> contains an attribute value for each attribute specified by a <match-attr>. If a rule is determined to not be suitable, it is skipped.
When a suitable rule is found, a <query> is generated based on the criteria specified by the rule (<match-attr> and <match-path>), and the class name and attribute values specified by the <add>. This query is sent to the destination (eDirectory or driver). Any <instance> elements returned are considered matches.
Example
See <matching-rules>.
Allowed Content
Element Description
match-class Matches a class name. Deprecated as of Identity Manager 2.0.
match-path Matches a path. Deprecated as of Identity Manager 2.0.
match-attr Matches an attribute. Deprecated as of Identity Manager 2.0.
Attributes
Attribute Possible Values Default Value
description CDATA #IMPLIED
Description of this rule, primarily for use in ConsoleOne.
Content Rule
( match-class * , match-path ? , match-attr * )
Parent Elements
Element Description
matching-rules Top-level element for object matching rules. Deprecated as of Identity Manager 2.0.

matching-rules

Deprecated as of Identity Manager 2.0 - use DirXMLScript <policy>.
Remarks
<matching-rules> is the top level (document) element for object matching rules. Object matching rules are stored in the DirXML-XmlData attribute of a DirXML-Rule object that is pointed to by the DirXML-MatchingRule attribute of a DirXML-Subscriber or DirXML-Publisher object.
In the Subscriber channel, the source is eDirectory, and the destination is the application. In the Publisher channel the source is the application and the destination is eDirectory.
Object matching rules are used to try to find a matching object in the destination for an unassociated object in the source as a result of an <add> event in the source. (Note that DirXML automatically converts <modify> into <add> for events from unassociated objects). Object matching rules are applied before deciding if a new object should be created in the destination.
<matching-rules> contains 0 or more <matching-rule> elements. The matching rule processor evaluates each <matching-rule> in order until one or more matching objects in the destination are found.
If exactly one matching object is found, that object is automatically associated with the source object and Identity Manager attempts to reconcile any differences in the attribute values of the two objects as allowed by the Publisher and Subscriber filters.
If more than one matching object is found, an error is signaled and the object either has to be manually associated or the object matching rules have to be modified to be more specific.
If no matching objects are found, Identity Manager continues processing the event.
Example
<matching-rules>
  <!-- for Users, first try to match on Surname, Given Name and Location -->
  <matching-rule>
    <match-class class-name="User"/>
    <match-attr attr-name="Surname"/>
    <match-attr attr-name="Given Name"/>
    <match-attr attr-name="Location"/>
  </matching-rule>
  <!-- for Users, then try to match on Surname only in -->
  <!-- the o=novell subtree -->
  <matching-rule>
    <match-class class-name="User"/>
    <match-path prefix="o=novell"/>
    <match-attr attr-name="Surname"/>
  </matching-rule>
  <!-- for all classes try to match on CN only -->
  <matching-rule>
    <match-attr attr-name="CN"/>
  </matching-rule>
</matching-rules>
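The evaluation order described in the Remarks decides which destination account a source identity is bound to, so it is worth tracing: a loose rule such as the CN-only one can associate the wrong object, and an ambiguous result must stop with an error rather than pick one. The following is an added sketch, not Novell code, that runs the three rules above against constructed <add> events and a constructed destination; the <add-attr>/<value> layout of <add> is assumed from the <add> definition, and the LDAP-style subtree test, the exact-match comparison and all function names are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# The <matching-rules> example from this section.
RULES = ET.fromstring("""<matching-rules>
  <matching-rule>
    <match-class class-name="User"/>
    <match-attr attr-name="Surname"/>
    <match-attr attr-name="Given Name"/>
    <match-attr attr-name="Location"/>
  </matching-rule>
  <matching-rule>
    <match-class class-name="User"/>
    <match-path prefix="o=novell"/>
    <match-attr attr-name="Surname"/>
  </matching-rule>
  <matching-rule>
    <match-attr attr-name="CN"/>
  </matching-rule>
</matching-rules>""")

# Constructed destination objects standing in for eDirectory or the application.
DESTINATION = [
    {"key": "1012", "class": "User", "dn": "cn=sjones,ou=users,o=novell",
     "attrs": {"Surname": ["Jones"], "CN": ["sjones"]}},
    {"key": "1013", "class": "User", "dn": "cn=tjones,ou=users,o=novell",
     "attrs": {"Surname": ["Jones"], "CN": ["tjones"]}},
    {"key": "2001", "class": "User", "dn": "cn=bsmith,o=partners",
     "attrs": {"Surname": ["Smith"], "CN": ["bsmith"]}},
]


def event_values(add):
    """attr-name -> list of values carried by the <add> event."""
    return {a.get("attr-name"): [v.text for v in a.findall("value")]
            for a in add.findall("add-attr")}


def build_query(rule, add):
    """Return the query for a suitable rule, or None if the rule is skipped."""
    classes = [c.get("class-name") for c in rule.findall("match-class")]
    if classes and add.get("class-name") not in classes:
        return None
    values = event_values(add)
    wanted = [m.get("attr-name") for m in rule.findall("match-attr")]
    if any(not values.get(name) for name in wanted):
        return None  # the <add> lacks a value for a required attribute
    path = rule.find("match-path")
    return {"class": add.get("class-name"),
            "base": path.get("prefix") if path is not None else None,
            "criteria": {name: values[name] for name in wanted}}


def run_query(query, destination):
    """Toy destination search: class, subtree and exact attribute match."""
    def in_subtree(dn, base):
        return base is None or dn == base or dn.endswith("," + base)
    return [o for o in destination
            if o["class"] == query["class"] and in_subtree(o["dn"], query["base"])
            and all(set(vals) & set(o["attrs"].get(name, []))
                    for name, vals in query["criteria"].items())]


def match(add_xml, rules=RULES, destination=DESTINATION):
    """Return (outcome, rule_number, matching_keys) for one <add> event."""
    add = ET.fromstring(add_xml)
    for number, rule in enumerate(rules.findall("matching-rule"), start=1):
        query = build_query(rule, add)
        if query is None:
            continue
        found = [o["key"] for o in run_query(query, destination)]
        if len(found) == 1:
            return ("associate", number, found)
        if found:
            return ("error-multiple", number, found)  # never pick one silently
    return ("no-match", None, [])


# Constructed <add> events.
ADD_SMITH = ('<add class-name="User"><add-attr attr-name="Surname"><value>Smith</value>'
             '</add-attr><add-attr attr-name="CN"><value>bsmith</value></add-attr></add>')
ADD_JONES = ('<add class-name="User"><add-attr attr-name="Surname">'
             '<value>Jones</value></add-attr></add>')
ADD_GROUP = ('<add class-name="Group"><add-attr attr-name="CN">'
             '<value>admins</value></add-attr></add>')
```

ADD_SMITH falls through to the CN-only rule and is associated with an object outside o=novell, which is the kind of binding a reviewer of matching rules should look for.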
Allowed Content
Element Description
matching-rule Object matching rule. Deprecated as of Identity Manager 2.0.
Attributes
None
Content Rule
( matching-rule * )
Parent Elements
None

modify

Used as an event notification from the PublicationShim to Identity Manager that an object is modified in the application. When it is used as a notification, an <association> is required. It is also used as a command from Identity Manager to the SubscriptionShim to modify an object in the application. When it is used as a command, an <association> is required and is the unique key of the object to modify.
Remarks
<modify> contains a <modify-attr> for each attribute modified.
A response to <modify> should be a <status> indicating whether or not the <modify> is processed successfully.
Example
<modify class-name="User" src-dn="\Sam">
  <association>1012</association>
  <modify-attr attr-name="Given Name">
    <remove-all-values/>
    <add-value>
      <value>Samuel</value>
    </add-value>
  </modify-attr>
  <modify-attr attr-name="Telephone Number">
    <remove-value>
      <value>555-1212</value>
    </remove-value>
    <add-value>
      <value>555-1764</value>
      <value>555-1765</value>
    </add-value>
  </modify-attr>
</modify>
Allowed Content
Element Description
association Unique key of the application object.
modify-attr Modifies an attribute.
operation-data The operation adds additional custom data.
Attributes
Attribute Possible Values Default Value
class-name CDATA #IMPLIED
The name of the base class of the object.
The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
Required when used as a notification.
dest-dn CDATA #IMPLIED
The distinguished name of the target object in the namespace of the receiver.
Reserved. Should be ignored by the driver.
dest-entry-id CDATA #IMPLIED
The entry ID of the target object in the namespace of the receiver.
Reserved. Should be ignored by the driver.
event-id CDATA #IMPLIED
An identifier used to tag the results of an event or command.
from-merge true | false false
True if the command is the result of a merge.
qualified-src-dn CDATA #IMPLIED
The qualified version of src-dn. Only used for describing objects from eDirectory.
src-dn CDATA #IMPLIED
The distinguished name of the source object that generated the event in the namespace of the sender.
src-entry-id CDATA #IMPLIED
The entry ID of the source object that generated the event in the namespace of the sender.
Reserved. Should be ignored by the driver.
timestamp CDATA #IMPLIED
Reserved. Should be ignored by the driver.
Content Rule
( association ? , modify-attr + , operation-data ? )
Parent Elements
Element Description
input Input events or commands.

modify-association

Used to notify Identity Manager that an application object's unique key is modified. <modify-association> should be sent when the unique key is changed for an object that passes the event filter for either the SubscriptionShim or the PublicationShim. <modify-association> can be included in any <output> or <input> from the driver to Identity Manager.
Example
<modify-association>
  <association>{BC3E7155-CDF9-d311-9846-0008C76B16C2}</association>
  <association>{CD3F7155-DE09-e311-9846-0008D76C16D2}</association>
</modify-association>
Allowed Content
Element Description
association Unique key of the application object.
operation-data The operation adds additional custom data.
Attributes
Attribute Possible Values Default Value
event-id CDATA #IMPLIED
An identifier used to tag the results of an event or command.
Content Rule
( association , association , operation-data ? )
Parent Elements
Element Description
input Input events or commands.
output Results of events or commands.

modify-attr

Used to specify the modified attribute values for a <modify> operation or event.
Remarks
Each <modify-attr> should contain at least one <add-value>, <remove-value>, or <remove-all-values>.
The order of the above elements is significant.
Example
See <modify>.
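Because the order of <remove-value>, <remove-all-values> and <add-value> is significant, a receiver has to apply them in document order. The following is an added sketch, not the Identity Manager implementation, of a receiver that applies a <modify> command to an in-memory object store keyed by association and leaves the store untouched on error; the store layout, the duplicate-skipping on add and the function name are assumptions, and the returned strings are <status> level values.

```python
import copy
import xml.etree.ElementTree as ET

ALLOWED_OPS = {"remove-value", "remove-all-values", "add-value"}


def apply_modify(modify_xml, store):
    """Apply a <modify> command to store (association -> {attr-name: [values]}).

    Returns (status_level, new_store); the store is returned unchanged on error.
    """
    modify = ET.fromstring(modify_xml)
    key = modify.findtext("association")
    changes = modify.findall("modify-attr")
    # A command needs a known association and at least one <modify-attr>.
    if modify.tag != "modify" or key not in store or not changes:
        return "error", store
    obj = copy.deepcopy(store[key])        # work on a copy: all or nothing
    for change in changes:
        name, ops = change.get("attr-name"), list(change)
        if not name or not ops or any(op.tag not in ALLOWED_OPS for op in ops):
            return "error", store
        values = obj.setdefault(name, [])
        for op in ops:                     # document order is significant
            listed = [v.text or "" for v in op.findall("value")]
            if op.tag == "remove-all-values":
                values.clear()
            elif op.tag == "remove-value":
                values[:] = [v for v in values if v not in listed]
            else:                          # add-value, skipping duplicates
                values.extend(v for v in listed if v not in values)
    return "success", {**store, key: obj}


# The <modify> example from this reference.
MODIFY = r"""<modify class-name="User" src-dn="\Sam">
  <association>1012</association>
  <modify-attr attr-name="Given Name">
    <remove-all-values/>
    <add-value><value>Samuel</value></add-value>
  </modify-attr>
  <modify-attr attr-name="Telephone Number">
    <remove-value><value>555-1212</value></remove-value>
    <add-value><value>555-1764</value><value>555-1765</value></add-value>
  </modify-attr>
</modify>"""

# Constructed variant with the two operations swapped: the add is wiped out.
REVERSED = """<modify class-name="User">
  <association>1012</association>
  <modify-attr attr-name="Given Name">
    <add-value><value>Samuel</value></add-value>
    <remove-all-values/>
  </modify-attr>
</modify>"""

# Constructed starting state of the application object.
STORE = {"1012": {"Given Name": ["Sam"],
                  "Telephone Number": ["555-1212", "555-0000"]}}

if __name__ == "__main__":
    print(apply_modify(MODIFY, STORE))
    print(apply_modify(REVERSED, STORE))
```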
Allowed Content
Element Description
remove-value Removes the specified attribute values.
remove-all-values Removes all attribute values.
add-value Adds values.
Attributes
Attribute Possible Values Default Value
attr-name CDATA #REQUIRED
The name of the attribute.
The name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace. The Mapping policy uses the class name attribute of the enclosing command or event to determine which class to use for mapping the attribute name.
enforce-password-policy true | false #IMPLIED
Reserved. Should be ignored by the driver.
Content Rule
( remove-value | remove-all-values | add-value ) +
Parent Elements
Element Description
modify Modifies an object when a modify event occurs.

modify-password

Used as an event notification from the PublicationShim to Identity Manager that an object password is modified in the application. When used as a notification, an <association> is required. Also used as a command from Identity Manager to the SubscriptionShim to modify an object password in the application. When used as a command, an <association> is required and is the unique key of the object to modify.
Remarks
When the target is eDirectory, and <old-password> is specified, the modifyPassword API is used to modify the password. If not specified, the GenerateKeyPair API is used. Using GenerateKeyPair might invalidate authentication credentials for any existing session authenticated as the target object.
When the target is the application, a driver might or might not implement this functionality, depending on the applicability to the application.
A response to <modify-password> should be a <status> indicating whether or not the <modify-password> is processed successfully.
Example
<modify-password class-name="User" src-dn="\Sam">
  <association>1012</association>
  <password>mypassword</password>
</modify-password>
Allowed Content
Element Description
association Unique key of the application object.
old-password The old authentication password.
password The authentication password.
operation-data The operation adds additional custom data.
Attributes
Attribute Possible Values Default Value
class-name CDATA #IMPLIED
The name of the base class of the object.
The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
Required when used as a notification.
dest-dn CDATA #IMPLIED
The distinguished name of the target object in the namespace of the receiver.
dest-entry-id CDATA #IMPLIED
The entry ID of the target object in the namespace of the receiver.
Reserved. Should be ignored by the driver.
event-id CDATA #IMPLIED
An identifier used to tag the results of an event or command.
qualified-src-dn CDATA #IMPLIED
The qualified version of the src-dn. Only used for describing objects from eDirectory.
src-dn CDATA #IMPLIED
The distinguished name of the source object that generated the event in the namespace of the sender.
src-entry-id CDATA #IMPLIED
The entry ID of the source object that generated the event in the namespace of the sender.
Reserved. Should be ignored by the driver.
timestamp CDATA #IMPLIED
Reserved. Should be ignored by the driver.
Content Rule
( association ? , old-password ? , password , operation-data ? )
Parent Elements
Element Description
input Input events or commands.
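Both <init-params> (through <authentication-info>) and <modify-password> carry credentials as plain element text in <password> and <old-password>, so any trace or log of these documents should mask them first. The following is an added example, not part of the Novell documentation, of a redaction helper that parses the document when it is well formed and falls back to a pattern match when it is not, so that a malformed document is never logged unmasked; the function name, the mask text and the sample documents are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Elements on this page whose text content is a credential.
SECRET_ELEMENTS = ("password", "old-password")
MASK = "[REDACTED]"   # assumption: any fixed marker will do

# Fallback for text that is not well-formed XML: mask whatever follows an
# opening secret tag up to the next "<", if it contains a non-blank character.
_FALLBACK = re.compile(
    r"(<(?:%s)(?=[\s>])[^>]*>)[^<]*[^<\s][^<]*" % "|".join(SECRET_ELEMENTS))


def redact_xds(xml_text):
    """Return (redacted_text, number_of_values_masked)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # Fail closed: still mask what looks like a credential.
        return _FALLBACK.subn(lambda m: m.group(1) + MASK, xml_text)
    count = 0
    for elem in root.iter():
        if elem.tag in SECRET_ELEMENTS and (elem.text or "").strip():
            elem.text = MASK
            count += 1
    return ET.tostring(root, encoding="unicode"), count


# Constructed document combining the two credential-bearing elements.
SAMPLE_OK = r"""<nds><input>
  <init-params src-dn="\MY_TREE\MyOrg\MyDriverSet\MyDriver">
    <authentication-info>
      <server>localhost</server><user>Fred</user><password>foobar</password>
    </authentication-info>
  </init-params>
  <modify-password class-name="User" src-dn="\Sam">
    <association>1012</association>
    <old-password>oldsecret</old-password>
    <password>mypassword</password>
  </modify-password>
</input></nds>"""

# Constructed malformed input: the closing </password> tag lacks its slash.
SAMPLE_BROKEN = (r'<modify-password class-name="User" src-dn="\Sam"> '
                 r'<association>1012</association> '
                 r'<password>mypassword<password> </modify-password>')

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BROKEN):
        text, masked = redact_xds(sample)
        print(masked, text)
```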

move

Used as an event notification from the PublicationShim to Identity Manager when an object is moved to a different container in the application. When used as a notification, an <association> is required. Also used as a command from Identity Manager to the SubscriptionShim to move an object to a different container in the application. When used as a command, an <association> is required and is the unique key of the object to move.
Remarks
<move> contains a <parent> that specifies the new container. When used as a command, the <parent> can contain an <association>. If it does not contain an association, the driver should not attempt to move the object and should return a <status> level="warning".
A response to <move> should be a <status> indicating whether or not the <move> is processed successfully.
Example
<move class-name="User" src-dn="\Users\Samuel" old-src-dn="\Samuel">
  <association>1012</association>
  <parent src-dn="\Users\">
    <association>1013</association>
  </parent>
</move>
Allowed Content
Element Description
association Unique key of the application object.
parent The parent or container of an object.
operation-data The operation adds additional custom data.
Attributes
Attribute Possible Values Default Value
class-name CDATA #IMPLIED
The name of the base class of the object.
The class name is mapped between the application and eDirectory namespaces by the Schema Mapping policy so that Identity Manager sees the name in the eDirectory namespace and a driver sees the name in the application namespace.
dest-dn CDATA #IMPLIED
The distinguished name of the target object in the namespace of the receiver.
Reserved. Should be ignored by the driver.
dest-entry-id CDATA #IMPLIED
The entry ID of the target object in the namespace of the receiver.
Reserved. Should be ignored by the driver.
event-id CDATA #IMPLIED
An identifier used to tag the results of an event or command.
old-src-dn CDATA #IMPLIED
The original distinguished name of the source object that generated the event in the namespace of the sender.
qualified-old-src-dn CDATA #IMPLIED
The qualified version of the old-src-dn. Only used for describing objects from eDirectory.
qualified-src-dn CDATA #IMPLIED
The qualified version of the src-dn. Only used for describing objects from eDirectory.