Releases: PointBlueTechnology/DirXMLSimulator
Release list
v1.5.0 — regression tooling & offline resolution
Builds on v1.4.0's input/integration sources with a regression-testing suite, policy analysis tools, and offline resolution of mapping tables and config scope.
Regression & CI
bin/sim test-all <dir>— run a whole case corpus as golden tests; PASS/FAIL/ERROR/SKIP summary, non-zero exit, optional JUnit (--junit) and JSON (--json) reports. Point CI at it.bin/sim harvest <configDir> <outDir>— mint a regression corpus from real Event Logger DB events: replay each through the current policies and snapshot the output as a golden (a change detector, not a correctness oracle).expected.assertions— XPath checks on the final output (exists/absent/equals/matches/count/vetoed), robust where a full golden is brittle.
Analysis
bin/sim compare <caseDir> --against <cfg>— run the same input through two policy sets (e.g. two git revisions) and report per-stage + final divergence.bin/sim coverage <dir>— which DirXML Script rules fired vs are defined across a corpus; lists never-fired rules.--jsonstructured output forrun/step/test/compare.
Offline resolution
Maptoken mapping tables now resolve headlessly — auto-extracted from a driver-set export, a Designer project, an LDIF dump, or live LDAP, or supplied via a case-localmapping-tables/dir.- Config scope — warns when a GCV (
token-global-variable) or a shared/Library policy is referenced but missing; supply a GCV inline withgcv.<name>=<value>.
Install
Download dirxml-simulator-1.5.0.zip, unzip, drop your nine NetIQ jars into lib/, and run bin/sim doctor. The proprietary jars are never bundled; only the open-source PostgreSQL JDBC driver is included. JDK 21 required.
Full docs: see docs/regression-testing.md, docs/mapping-tables-design.md, and the README.
DirXML Policy Simulator 1.4.0
Live-environment milestone: read driver config, schema, queries, and real events straight from a running vault — and from two new event sources.
New in 1.4.0
Read everything live from eDirectory (LDAP)
- Driver config —
ldapConfig=<DriverSetDN>reads theDirXML-Driversubtree directly from the running vault (policies, GCVs, filter, shim params), no export or project needed. A third config source alongside a driver export and a Designer project. - Schema —
schema=ldap(or automatically wheneverldap=is set) reads the eDir subschema (cn=schema), recovering the true NDS/DirXML names (viaX-NDS_NAME) and syntaxes — a full equivalent of a Designer*_schema.xml. - Queries — with
ldap=set, the chain's lookups are answered from live eDirectory, values normalized to native XDS by syntax (a binaryGUIDcomes backtype="octet"base64, not raw bytes). - TLS — cert validation is off by default (test directories use self-signed certs); set
ldapTrustAll=falseto require a valid cert.
Real input events from two new sources
- A stopped driver's event cache —
bin/sim dxcache <caseDir>reads a driver's queued, unprocessed subscriber transactions via DxCMD's LDAP extended operations. Running drivers are detected and reported (stop first). Needs the optionallib/ldap.jar. - The DirXML Event Logger database —
bin/sim dbevents <caseDir>queries a PostgreSQL history of captured events (by DN, driver, type, class, or date) and writes each as its own pickable transaction. The richest input source: real production traffic, persistent and searchable. The PostgreSQL JDBC driver is fetched by Maven and bundled in this release — nothing to stage.
Other
- LDIF can also seed the fake directory (
ldif=) with real objects, mapped to native XDS by the schema. - Docs (intro, quickstart, README, skill) updated to cover every source and integration.
Notes
- 112 tests green. JDK 21. The nine proprietary NetIQ jars are still required in
lib/(never bundled);ldap.jaris needed only for the DxCMD cache feature.
Assets
dirxml-simulator-1.4.0.jar— executable jar.dirxml-simulator-1.4.0.zip— clone-free distribution: jar + launchers + skill + docs + sample cases + the bundled open-source PostgreSQL driver.
DirXML Policy Simulator 1.3.0
Populate everything from a live LDAP connection — no Designer project, no manual exports.
New in 1.3.0
Read the eDirectory schema directly from LDAP
schema=ldap(or automatically wheneverldap=is set and no other schema is supplied) parses the eDir subschema (cn=schema) into the validation/normalization model. The true NDS/DirXML name comes from each definition'sX-NDS_NAMEextension (falling back to the LDAP name), and the syntax OID maps to the eDirsyn=the value normalizer uses — a full equivalent of a Designer*_schema.xml, no project needed. Validated on a real 2,150-attribute / 279-class subschema.
Read a driver's config directly from LDAP
ldapConfig=<DriverSetDN>+driver=<name>reads theDirXML-Driversubtree live from the vault (over theldap=connection) and assembles the channel chain — theDirXML-Policieslinkage, each policy'sXmlData, GCVs, filter, and shim params — instead of needing an LDIF file or an export. A third live source alongside the existing LDIF file.
TLS cert validation off by default
- The harness only ever points at test directories, which routinely use self-signed / internal-CA certs over
ldaps.ldapTrustAllnow defaults to true; setldapTrustAll=falseto require a valid cert.
Verified against a real eDirectory
The entire live-LDAP path was exercised end-to-end against a live eDir over ldaps:
- trust-all TLS connect + bind,
- schema read (NDS↔LDAP names + syntaxes),
- object query (a binary
GUIDreturned correctly astype="octet"base64, association extracted), - driver + driverset config read — all 19 drivers of a real DriverSet assembled in ~0.4 s; the CyberArk publisher chain ran through the CLI with the live-read schema-mapping policy applied (
Surname→familyName).
Notes
- 105 tests green. The nine proprietary NetIQ engine jars are still required in
lib/(never bundled). JDK 21.
Assets
dirxml-simulator-1.3.0.jar— executable jar.dirxml-simulator-1.3.0.zip— clone-free distribution: jar + launchers + skill + docs + sample cases + emptylib/.
DirXML Policy Simulator 1.2.0
Real-connector and live-vault testing, plus a third driver-config source.
New in 1.2.0
Test against the real connector (opt-in)
shim=truedrives the actual driverDriverShimas a terminal command sink: after the chain runs, its final command is handed toSubscriptionShim.execute, and a newshimsnapshot shows the connector's real status/association response — validating that your policies produced a payload the connector accepts. Pure-Java connectors (REST/SCIM/SOAP/JDBC/Delimited/Loopback); subscriber direction.ldap=ldaps://hostanswers the chain's (and the shim's) queries from live eDirectory over LDAP, with values normalized to native XDS form by schema syntax.- Both are off by default — absent keys mean unchanged behavior.
LDIF / live-LDAP as a driver-config source
ldifConfig=<vault.ldif>+driver=<name>assembles a driver's chain from an LDIF/LDAP export of the live Identity Vault — a third source alongside Designer exports and projects. One subtree dump carries the whole driver set's policies (DirXML-Policieslinkage + each rule'sXmlData), GCVs, filter, and shim params. Often the easiest path. (The export must request the DirXML data attributes — see the quickstart for the exactldapsearch.)- A policy whose content the engine rejects at build time (an unresolved map-table/resource reference, an uncompilable XPath) is skipped with a warning instead of failing the whole chain.
Seed the fake directory from LDIF
ldif=<file>loads real objects from anldapsearch/ICE dump as<instance>state (names mapped via the schema, values normalized by syntax —::base64 octet stays base64, generalized time → seconds, DN → slash form). Realistic data at scale without a trace.
Value-representation correctness
- New
LdapValueNormalizermaps LDAP↔native XDS by eDir syntax, fixing the deltas a naivetoString()gets wrong (octet → base64, time, DN, structured path/typed-name).
Agent guidance
- The skill now instructs agents to ask for missing inputs (config, event, seed data, secrets) and tell the user how to produce each, rather than running on empty data.
Notes
- 98 tests green. Validated on a real 19-driver Identity Vault export (Active Directory at 27 subscriber / 28 publisher stages).
- The nine proprietary NetIQ engine jars are still required in
lib/(never bundled). JDK 21.
Assets
dirxml-simulator-1.2.0.jar— the executable jar (run withjava -jar, with the NetIQ jars in../liborlib/).dirxml-simulator-1.2.0.zip— clone-free distribution: jar + launchers + skill + docs + sample cases + emptylib/.
DirXML Policy Simulator 1.1.0
DirXML Policy Simulator 1.1.0
A headless, agent-drivable test harness for NetIQ / OpenText Identity Manager (DirXML) channel policies. It runs the real IDM engine: assemble a driver's channel, step it stage by stage (or rule by rule), answer the policies' queries from an in-memory directory, and golden-test changes. A lot has landed since 1.0.0.
New since 1.0.0
- Two ways to supply driver config. A Designer driver export (
export=…) or a Designer project on disk (project=<dir>+driver=<name>) — the latter needs no export and additionally brings the project's GCVs, ECMAScript resources, and eDirectory schema (which exports omit). - Schema validation. With a schema available (
project=orschema=…),input.xds/directory.xdsare checked against the eDir schema — unknown class, misspelled/invalid attribute, or multiple values on a single-valued attribute. - External actions are faked.
do-invoke-rest-endpoint,do-send-email[-from-template], RBPM role/resource SOAP,do-start-workflow, XDAS, and SSO actions are faked by default — no live call, no hang; recorded asFAKED: …in the trace. For REST, supply a canned body (restResponse=…/rest-response.json) that downstream rules consume. - Named passwords. Supplied per case as secret values (
namedPassword.<name>=<value>), resolved throughtoken-named-password. - Entitlements confirmed op-driven —
token-added-entitlement/if-entitlementwork whenever the input op carries theDirXML-EntitlementRefchange. - Windows launcher (
bin/sim.cmd) alongsidebin/sim; shipped in the archive.
Core (since 1.0.0)
Real-engine execution of DirXML Script / XSLT / schema-mapping policies, per-stage and per-rule stepping, trace capture, an in-memory fake directory (with query-ex paging), driver-export chain assembly, ECMAScript (es:) and Java extension functions, trace mining (bin/sim extract), golden tests, the run/step/test/record/extract/doctor CLI, and a Claude Code skill (+ AGENTS.md).
Install (no build)
Download dirxml-simulator-1.1.0.zip, unzip, drop your nine NetIQ jars into lib/, and run bin/sim doctor (Windows: bin\sim.cmd doctor). The proprietary jars are not bundled — you supply them. Requires JDK 21. See docs/intro.md and docs/quickstart.md.
DirXML Policy Simulator 1.0.0
DirXML Policy Simulator 1.0.0 — a headless, agent-driven test harness for NetIQ / OpenText Identity Manager (DirXML) channel policies. It runs the real IDM engine: assemble a driver's channel from its export, step it stage by stage (or rule by rule), answer the policies' queries from an in-memory directory seeded from a trace, and golden-test changes.
What it does
- Real-engine execution of DirXML Script, XSLT, and schema-mapping policies — no eDirectory, no running driver.
- Per-stage and per-rule stepping with the document, queries/commands, and rule trace at each step.
- Driver-export aware — assembles the real subscriber/publisher chain in IDM policy-set order, with GCVs, the filter, and ECMAScript resources.
- Trace mining —
bin/sim extractturns a production DSTrace log into a runnable case (real input event + directory data). - ECMAScript (
es:), XSLT, and Java extension functions execute; missing pieces are reported clearly. - Golden tests, a CLI (
run/step/test/record/extract/doctor), and a Claude Code skill (+AGENTS.md) so an agent can drive it.
Install (no build)
Download dirxml-simulator-1.0.0.zip, unzip, drop your nine NetIQ jars into lib/ (see the README), and run bin/sim doctor. The proprietary jars are not bundled — you supply them.
Source builds with JDK 21 + Maven; tools/build-dist.sh reproduces the archive.