Environment
NetIQ Identity Manager 4.0
NetIQ Identity Manager 4.0.1
NetIQ Identity Manager 4.0.2
NetIQ eDirectory 8.8.7 and later
Situation
The matching rule fails because the query finds multiple objects:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance class-name="User" event-id="0" qualified-src-dn="O=data\OU=users\CN=user30" src-dn="\TREE\data\users\user30" src-entry-id="35521"/>
<instance class-name="Alias" event-id="0" qualified-src-dn="O=data\OU=aliases\CN=user30" src-dn="\TREE\data\aliases\user30" src-entry-id="35522"/>
<status event-id="0" level="success"></status>
</output>
</nds>
Resolution
As of eDirectory 8.8.7, eDirectory will return alias objects if they have the same CN as the referring object.
Making sure that 'do-find-matching-object' only returns the object with the requested Object Class will solve the issue.
Example:
<do-find-matching-object scope="subtree">
<arg-match-attr name="CN"/>
<arg-match-attr name="Object Class">
<arg-value type="string">
<token-text xml:space="preserve">User</token-text>
</arg-value>
</arg-match-attr>
</do-find-matching-object>
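To check captured driver trace output for this condition, the following added example (not part of the original article or of the product) parses a query response like the one in the Situation section, reports results where more than one object shares the same leaf name, and shows that keeping only class-name "User" leaves a single candidate. The function names are hypothetical, and filtering the response on class-name is an assumption used to mirror the Object Class match above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the query response shown in the Situation section.
SAMPLE = r'''<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.0.2.0">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <output>
    <instance class-name="User" event-id="0" qualified-src-dn="O=data\OU=users\CN=user30" src-dn="\TREE\data\users\user30" src-entry-id="35521"/>
    <instance class-name="Alias" event-id="0" qualified-src-dn="O=data\OU=aliases\CN=user30" src-dn="\TREE\data\aliases\user30" src-entry-id="35522"/>
    <status event-id="0" level="success"></status>
  </output>
</nds>'''


def match_candidates(xds, wanted_class=None):
    """Return the src-dn of every <instance> in an XDS query response,
    optionally keeping only those whose class-name equals wanted_class."""
    root = ET.fromstring(xds)
    return [
        inst.get("src-dn")
        for inst in root.iterfind("./output/instance")
        if wanted_class is None or inst.get("class-name") == wanted_class
    ]


def ambiguous_matches(xds):
    """Group instances by (event-id, leaf name of src-dn) and return the
    groups holding more than one object, which make a matching rule fail."""
    groups = defaultdict(list)
    for inst in ET.fromstring(xds).iterfind("./output/instance"):
        # The leaf name is the last backslash-separated component of src-dn.
        leaf = inst.get("src-dn", "").rsplit("\\", 1)[-1].lower()
        groups[(inst.get("event-id"), leaf)].append(
            (inst.get("class-name"), inst.get("src-dn")))
    return {key: objs for key, objs in groups.items() if len(objs) > 1}


if __name__ == "__main__":
    print("ambiguous:", ambiguous_matches(SAMPLE))
    print("User only:", match_candidates(SAMPLE, "User"))
```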
Additional Information
This has been reported to engineering.