Releases: PointBlueTechnology/DirXMLSimulator

v1.5.0 — regression tooling & offline resolution

@jcombs-pointblue jcombs-pointblue released this 19 Jun 21:14

Builds on v1.4.0's input/integration sources with a regression-testing suite, policy analysis tools, and offline resolution of mapping tables and config scope.

Regression & CI

  • bin/sim test-all <dir> — run a whole case corpus as golden tests; PASS/FAIL/ERROR/SKIP summary, non-zero exit, optional JUnit (--junit) and JSON (--json) reports. Point CI at it.
  • bin/sim harvest <configDir> <outDir> — mint a regression corpus from real Event Logger DB events: replay each through the current policies and snapshot the output as a golden (a change detector, not a correctness oracle).
  • expected.assertions — XPath checks on the final output (exists/absent/equals/matches/count/vetoed), robust where a full golden is brittle.

Analysis

  • bin/sim compare <caseDir> --against <cfg> — run the same input through two policy sets (e.g. two git revisions) and report per-stage + final divergence.
  • bin/sim coverage <dir> — which DirXML Script rules fired vs are defined across a corpus; lists never-fired rules.
  • --json structured output for run/step/test/compare.

Offline resolution

  • Map token mapping tables now resolve headlessly — auto-extracted from a driver-set export, a Designer project, an LDIF dump, or live LDAP, or supplied via a case-local mapping-tables/ dir.
  • Config scope — warns when a GCV (token-global-variable) or a shared/Library policy is referenced but missing; supply a GCV inline with gcv.<name>=<value>.

Install

Download dirxml-simulator-1.5.0.zip, unzip, drop your nine NetIQ jars into lib/, and run bin/sim doctor. The proprietary jars are never bundled; only the open-source PostgreSQL JDBC driver is included. JDK 21 required.

Full docs: see docs/regression-testing.md, docs/mapping-tables-design.md, and the README.

DirXML Policy Simulator 1.4.0

@jcombs-pointblue jcombs-pointblue released this 18 Jun 21:23

Live-environment milestone: read driver config, schema, queries, and real events straight from a running vault — and from two new event sources.

New in 1.4.0

Read everything live from eDirectory (LDAP)

  • Driver config: ldapConfig=<DriverSetDN> reads the DirXML-Driver subtree directly from the running vault (policies, GCVs, filter, shim params), no export or project needed. A third config source alongside a driver export and a Designer project.
  • Schema: schema=ldap (or automatically whenever ldap= is set) reads the eDir subschema (cn=schema), recovering the true NDS/DirXML names (via X-NDS_NAME) and syntaxes — a full equivalent of a Designer *_schema.xml.
  • Queries — with ldap= set, the chain's lookups are answered from live eDirectory, values normalized to native XDS by syntax (a binary GUID comes back type="octet" base64, not raw bytes).
  • TLS — cert validation is off by default (test directories use self-signed certs); set ldapTrustAll=false to require a valid cert.

Real input events from two new sources

  • A stopped driver's event cache: bin/sim dxcache <caseDir> reads a driver's queued, unprocessed subscriber transactions via DxCMD's LDAP extended operations. Running drivers are detected and reported (stop first). Needs the optional lib/ldap.jar.
  • The DirXML Event Logger database: bin/sim dbevents <caseDir> queries a PostgreSQL history of captured events (by DN, driver, type, class, or date) and writes each as its own pickable transaction. The richest input source: real production traffic, persistent and searchable. The PostgreSQL JDBC driver is fetched by Maven and bundled in this release — nothing to stage.

Other

  • LDIF can also seed the fake directory (ldif=) with real objects, mapped to native XDS by the schema.
  • Docs (intro, quickstart, README, skill) updated to cover every source and integration.

Notes

  • 112 tests green. JDK 21. The nine proprietary NetIQ jars are still required in lib/ (never bundled); ldap.jar is needed only for the DxCMD cache feature.

Assets

  • dirxml-simulator-1.4.0.jar — executable jar.
  • dirxml-simulator-1.4.0.zip — clone-free distribution: jar + launchers + skill + docs + sample cases + the bundled open-source PostgreSQL driver.

DirXML Policy Simulator 1.3.0

@jcombs-pointblue jcombs-pointblue released this 18 Jun 20:15

Populate everything from a live LDAP connection — no Designer project, no manual exports.

New in 1.3.0

Read the eDirectory schema directly from LDAP

  • schema=ldap (or automatically whenever ldap= is set and no other schema is supplied) parses the eDir subschema (cn=schema) into the validation/normalization model. The true NDS/DirXML name comes from each definition's X-NDS_NAME extension (falling back to the LDAP name), and the syntax OID maps to the eDir syn= the value normalizer uses — a full equivalent of a Designer *_schema.xml, no project needed. Validated on a real 2,150-attribute / 279-class subschema.

Read a driver's config directly from LDAP

  • ldapConfig=<DriverSetDN> + driver=<name> reads the DirXML-Driver subtree live from the vault (over the ldap= connection) and assembles the channel chain — the DirXML-Policies linkage, each policy's XmlData, GCVs, filter, and shim params — instead of needing an LDIF file or an export. A third live source alongside the existing LDIF file.

TLS cert validation off by default

  • The harness only ever points at test directories, which routinely use self-signed / internal-CA certs over ldaps. ldapTrustAll now defaults to true; set ldapTrustAll=false to require a valid cert.
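
With validation off, the ldaps connection is encrypted but the server is not authenticated, so the bind goes to whichever host answers. The check below is an added example, not part of the simulator: it flags settings where ldap= is set without ldapTrustAll=false. It assumes the keys sit one per line as key=value; that layout, the hostnames and the sample contents are constructed.

```python
# Added example: audit simulator settings for unvalidated LDAP connections.
# Assumption: settings are plain key=value lines (the layout is hypothetical).

# Constructed sample settings; hostnames and the driver name are placeholders.
CASES = {
    "default": "ldap=ldaps://idv-test.example.com\ndriver=AD\n",
    "strict": "ldap=ldaps://idv-test.example.com\nldapTrustAll=false\n",
    "offline": "export=driver.xml\n",
}


def parse_settings(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_ldap_tls(settings):
    """Return findings for the ldap= / ldapTrustAll pair (empty list = clean)."""
    findings = []
    url = settings.get("ldap")
    if url is None:
        return findings  # no live LDAP connection configured
    if url.split("://", 1)[0].lower() != "ldaps":
        findings.append("ldap= does not use ldaps://")
        return findings
    # As of 1.3.0 an absent ldapTrustAll means true (validation off).
    # Anything other than the literal 'false' is flagged, since the notes
    # do not say how other spellings are parsed.
    if settings.get("ldapTrustAll", "true") != "false":
        findings.append("ldapTrustAll is not false: server certificate is not validated")
    return findings


def audit_all(cases):
    """Audit every named settings text; returns {name: [findings]}."""
    return {name: audit_ldap_tls(parse_settings(text)) for name, text in cases.items()}


if __name__ == "__main__":
    for name, findings in audit_all(CASES).items():
        print(name, "OK" if not findings else findings)
```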

Verified against a real eDirectory

The entire live-LDAP path was exercised end-to-end against a live eDir over ldaps:

  • trust-all TLS connect + bind,
  • schema read (NDS↔LDAP names + syntaxes),
  • object query (a binary GUID returned correctly as type="octet" base64, association extracted),
  • driver + driverset config read — all 19 drivers of a real DriverSet assembled in ~0.4 s; the CyberArk publisher chain ran through the CLI with the live-read schema-mapping policy applied (Surname → familyName).

Notes

  • 105 tests green. The nine proprietary NetIQ engine jars are still required in lib/ (never bundled). JDK 21.

Assets

  • dirxml-simulator-1.3.0.jar — executable jar.
  • dirxml-simulator-1.3.0.zip — clone-free distribution: jar + launchers + skill + docs + sample cases + empty lib/.

DirXML Policy Simulator 1.2.0

@jcombs-pointblue jcombs-pointblue released this 18 Jun 19:29

Real-connector and live-vault testing, plus a third driver-config source.

New in 1.2.0

Test against the real connector (opt-in)

  • shim=true drives the actual driver DriverShim as a terminal command sink: after the chain runs, its final command is handed to SubscriptionShim.execute, and a new shim snapshot shows the connector's real status/association response — validating that your policies produced a payload the connector accepts. Pure-Java connectors (REST/SCIM/SOAP/JDBC/Delimited/Loopback); subscriber direction.
  • ldap=ldaps://host answers the chain's (and the shim's) queries from live eDirectory over LDAP, with values normalized to native XDS form by schema syntax.
  • Both are off by default — absent keys mean unchanged behavior.

LDIF / live-LDAP as a driver-config source

  • ldifConfig=<vault.ldif> + driver=<name> assembles a driver's chain from an LDIF/LDAP export of the live Identity Vault — a third source alongside Designer exports and projects. One subtree dump carries the whole driver set's policies (DirXML-Policies linkage + each rule's XmlData), GCVs, filter, and shim params. Often the easiest path. (The export must request the DirXML data attributes — see the quickstart for the exact ldapsearch.)
  • A policy whose content the engine rejects at build time (an unresolved map-table/resource reference, an uncompilable XPath) is skipped with a warning instead of failing the whole chain.

Seed the fake directory from LDIF

  • ldif=<file> loads real objects from an ldapsearch/ICE dump as <instance> state (names mapped via the schema, values normalized by syntax — :: base64 octet stays base64, generalized time → seconds, DN → slash form). Realistic data at scale without a trace.

Value-representation correctness

  • New LdapValueNormalizer maps LDAP↔native XDS by eDir syntax, fixing the deltas a naive toString() gets wrong (octet → base64, time, DN, structured path/typed-name).
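
The conversions named above and in the LDIF seeding note (base64 octet kept as base64, generalized time to seconds, DN to slash form), as an added Python illustration; this is not the project's LdapValueNormalizer. The LDIF lines, the attribute-to-syntax table, the type labels other than octet, and a slash form without a tree name are assumptions.

```python
import base64
from datetime import datetime, timezone

# Constructed LDIF lines; attribute names and the syntax table are sample data.
SAMPLE = [
    "GUID:: 3q2+78r+ur4AESIzRFVmdw==",
    "loginExpirationTime: 20250619211400Z",
    "manager: cn=Doe\\, Jane,ou=users,o=acme",
]
SYNTAX = {"GUID": "octet", "loginExpirationTime": "time", "manager": "dn"}

def parse_ldif_line(line):
    """'attr: text' or 'attr:: base64' -> (attr, raw bytes)."""
    attr, rest = line.split(":", 1)
    if rest.startswith(":"):                      # '::' marks a base64 value
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.strip().encode("utf-8")

def split_dn(dn):
    """Split on unescaped commas; handles '\\,' style escapes, not '\\XX' hex."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def normalize(line, syntax_of=SYNTAX):
    """Return (attr, type, value) with the value converted by syntax."""
    attr, raw = parse_ldif_line(line)
    syntax = syntax_of.get(attr, "string")
    if syntax == "octet":                         # never decode binary as text
        return attr, "octet", base64.b64encode(raw).decode("ascii")
    text = raw.decode("utf-8")
    if syntax == "time":                          # generalized time -> epoch seconds
        dt = datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        return attr, "time", str(int(dt.timestamp()))
    if syntax == "dn":                            # leaf-first DN -> root-first slash form
        names = [rdn.split("=", 1)[1].strip() for rdn in split_dn(text)]
        return attr, "dn", "\\" + "\\".join(reversed(names))
    return attr, "string", text
```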

Agent guidance

  • The skill now instructs agents to ask for missing inputs (config, event, seed data, secrets) and tell the user how to produce each, rather than running on empty data.

Notes

  • 98 tests green. Validated on a real 19-driver Identity Vault export (Active Directory at 27 subscriber / 28 publisher stages).
  • The nine proprietary NetIQ engine jars are still required in lib/ (never bundled). JDK 21.

Assets

  • dirxml-simulator-1.2.0.jar — the executable jar (run with java -jar, with the NetIQ jars in ../lib or lib/).
  • dirxml-simulator-1.2.0.zip — clone-free distribution: jar + launchers + skill + docs + sample cases + empty lib/.

DirXML Policy Simulator 1.1.0

@jcombs-pointblue jcombs-pointblue released this 17 Jun 17:07

A headless, agent-drivable test harness for NetIQ / OpenText Identity Manager (DirXML) channel policies. It runs the real IDM engine: assemble a driver's channel, step it stage by stage (or rule by rule), answer the policies' queries from an in-memory directory, and golden-test changes. A lot has landed since 1.0.0.

New since 1.0.0

  • Two ways to supply driver config. A Designer driver export (export=…) or a Designer project on disk (project=<dir> + driver=<name>) — the latter needs no export and additionally brings the project's GCVs, ECMAScript resources, and eDirectory schema (which exports omit).
  • Schema validation. With a schema available (project= or schema=…), input.xds/directory.xds are checked against the eDir schema — unknown class, misspelled/invalid attribute, or multiple values on a single-valued attribute.
  • External actions are faked. do-invoke-rest-endpoint, do-send-email[-from-template], RBPM role/resource SOAP, do-start-workflow, XDAS, and SSO actions are faked by default — no live call, no hang; recorded as FAKED: … in the trace. For REST, supply a canned body (restResponse=… / rest-response.json) that downstream rules consume.
  • Named passwords. Supplied per case as secret values (namedPassword.<name>=<value>), resolved through token-named-password.
  • Entitlements confirmed op-driven — token-added-entitlement / if-entitlement work whenever the input op carries the DirXML-EntitlementRef change.
  • Windows launcher (bin/sim.cmd) alongside bin/sim; shipped in the archive.

Core (since 1.0.0)

Real-engine execution of DirXML Script / XSLT / schema-mapping policies, per-stage and per-rule stepping, trace capture, an in-memory fake directory (with query-ex paging), driver-export chain assembly, ECMAScript (es:) and Java extension functions, trace mining (bin/sim extract), golden tests, the run/step/test/record/extract/doctor CLI, and a Claude Code skill (+ AGENTS.md).

Install (no build)

Download dirxml-simulator-1.1.0.zip, unzip, drop your nine NetIQ jars into lib/, and run bin/sim doctor (Windows: bin\sim.cmd doctor). The proprietary jars are not bundled — you supply them. Requires JDK 21. See docs/intro.md and docs/quickstart.md.

DirXML Policy Simulator 1.0.0

@jcombs-pointblue jcombs-pointblue released this 17 Jun 10:11

DirXML Policy Simulator 1.0.0 — a headless, agent-driven test harness for NetIQ / OpenText Identity Manager (DirXML) channel policies. It runs the real IDM engine: assemble a driver's channel from its export, step it stage by stage (or rule by rule), answer the policies' queries from an in-memory directory seeded from a trace, and golden-test changes.

What it does

  • Real-engine execution of DirXML Script, XSLT, and schema-mapping policies — no eDirectory, no running driver.
  • Per-stage and per-rule stepping with the document, queries/commands, and rule trace at each step.
  • Driver-export aware — assembles the real subscriber/publisher chain in IDM policy-set order, with GCVs, the filter, and ECMAScript resources.
  • Trace mining: bin/sim extract turns a production DSTrace log into a runnable case (real input event + directory data).
  • ECMAScript (es:), XSLT, and Java extension functions execute; missing pieces are reported clearly.
  • Golden tests, a CLI (run/step/test/record/extract/doctor), and a Claude Code skill (+ AGENTS.md) so an agent can drive it.

Install (no build)

Download dirxml-simulator-1.0.0.zip, unzip, drop your nine NetIQ jars into lib/ (see the README), and run bin/sim doctor. The proprietary jars are not bundled — you supply them.

Source builds with JDK 21 + Maven; tools/build-dist.sh reproduces the archive.