md:output_handler should be the first element after xsl:stylesheet. The content of the stylesheet can be validated separately.

The md:output_handler element defines how the policy data is processed after the XSLT transformation has been applied. The idea is that a driver program or script can read this metadata with a suitable XPath expression and handle the output of the transformation accordingly.

md:file is the typical output handler for IPA config policies. The driver program will create a file and either write the output of the transformation to this file or merge it with the content of the local file, depending on the information provided by the policy. md:exec_with_args uses a line of the output of the transformation as a command-line argument of a program. With md:exec_with_stdin_pipe, the driver pipes the result of the XSLT transformation to stdin of another program. Maybe we will have a separate output handler to write to the client's ldb.

It is possible to generate more than one type of output for more than one output handler. To switch between different types of output, a parameter with different values can be used. The driver program can access the name of the parameter (md:param_name) and the value (md:param_value) of the current output handler with suitable XPath statements.

It is important that a file is created with the right access permissions to avoid either security or usability troubles. md:name, the full name of the file, is the only required attribute.

/.*

The standard Unix access control to a file is determined by its owner, its group and the access permissions. If these attributes are missing, a sensible default should be assumed, for example owner root, group root and 0400 permissions. You have to define either all three or none of the attributes. The permission must be specified in octal mode.
[0-7]{4}

If the client system supports SELinux, you can specify the SELinux context for the file; otherwise a sensible default will be used (restorecon).

To execute a process we need the full path of the file to execute, optionally some arguments, and the user and group context under which the process should run. If md:user and md:group are missing, the least privileges, e.g. nobody/nogroup, should be assumed.

/.*

The following is a dummy element to catch all elements from different namespaces, e.g. comments and documentation.
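The md:file rules above (full path in md:name, owner/group/permission given all together or not at all, four octal digits, root/root/0400 as the default) can be enforced by a driver before anything is written. The following is an added example, not code from the IPA project: the namespace URI `urn:example:md`, the attribute names md:owner, md:group and md:permission, and the helper names are assumptions, since the page names only md:name.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

MD = "urn:example:md"  # placeholder: the page does not give the md namespace URI
NS = {"md": MD}
DEFAULTS = ("root", "root", "0400")  # the defaults the page suggests

# Constructed sample stylesheet header, not taken from a real policy.
SAMPLE = """<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:md="urn:example:md">
  <md:output_handler><md:file md:name="/etc/example.conf"/></md:output_handler>
</xsl:stylesheet>"""

def file_policy(stylesheet_xml):
    """Return (name, owner, group, mode) for the md:file output handler."""
    node = ET.fromstring(stylesheet_xml).find("md:output_handler/md:file", NS)
    if node is None:
        raise ValueError("no md:file output handler")
    get = lambda key: node.get("{%s}%s" % (MD, key))
    name = get("name")
    if name is None or not re.fullmatch(r"/.*", name):
        raise ValueError("md:name must be a full path")
    # Assumed attribute names: the page names only md:name.
    owner, group, perm = get("owner"), get("group"), get("permission")
    if (owner, group, perm) == (None, None, None):
        owner, group, perm = DEFAULTS
    elif None in (owner, group, perm):
        raise ValueError("define owner, group and permission together or not at all")
    if not re.fullmatch(r"[0-7]{4}", perm):
        raise ValueError("permission must be four octal digits")
    return name, owner, group, int(perm, 8)

def write_output(path, data, mode, ids=None):
    """Write data so that path only ever appears with its final mode."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))  # created 0600
    try:
        with os.fdopen(fd, "wb") as fh:
            if ids is not None:          # (uid, gid); changing owner needs root
                os.fchown(fh.fileno(), *ids)
            os.fchmod(fh.fileno(), mode)
            fh.write(data)
        os.replace(tmp, path)            # atomic swap into place
    except BaseException:
        os.unlink(tmp)
        raise
```

Setting owner and mode on the temporary file before the rename means the target never exists, even briefly, with access wider than the policy allows.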