LDAP errors can't update NetIQ data to AD

Getting errors on RL when trying to update NetIQ data to AD. Most commonly seeing them on title and department. This is severely impacting end users and our customers, as if an AD account has expired and it needs to be extended via a form we created for customers, it fails due to the "atomic" modify from RL to AD. Has anyone seen this before? I would think the solution would not be too complex, but I cannot find it from simple googling.

Thanks!
Casey

DirXML: [05/03/18 07:09:07.10]: Loader: Received 'subscriber execute' document
DirXML: [05/03/18 07:09:07.10]: Loader: XML Document:
DirXML: [05/03/18 07:09:07.10]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="user" event-id="0" scope="entry">
<association>b1856054cc99b4478cf8fbac94c78ca4</association>
<read-attr attr-name="displayName"/>
</query>
</input>
</nds>
DirXML: [05/03/18 07:09:07.10]: Loader: Calling subscriptionShim->execute()
DirXML: [05/03/18 07:09:07.10]: Loader: XML Document:
DirXML: [05/03/18 07:09:07.10]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="user" event-id="0" scope="entry">
<association>b1856054cc99b4478cf8fbac94c78ca4</association>
<read-attr attr-name="displayName"/>
</query>
</input>
</nds>
DirXML: [05/03/18 07:09:07.10]: ADDriver: parse command

className user
destDN
eventId 0
association b1856054cc99b4478cf8fbac94c78ca4
DirXML: [05/03/18 07:09:07.10]: ADDriver: query
DirXML: [05/03/18 07:09:07.10]: ADDriver: query constraints
DirXML: [05/03/18 07:09:07.10]: ADDriver: query
base DN: CN=Desiderato\, Erika (STUDENT),OU=Students,OU=Standard,OU=People,DC=domainname,DC=org,
filter: (objectClass=*),
return: (attribute values) objectClass, objectGUID, displayName,
DirXML: [05/03/18 07:09:07.10]: ADDriver: query
base DN: CN=Desiderato\, Erika (STUDENT),OU=Students,OU=Standard,OU=People,DC=domainname,DC=org,
filter: (objectClass=*),
return: (attribute values) objectClass, objectGUID, displayName,
DirXML: [05/03/18 07:09:07.10]: ADDriver: ldap get next page ( 2147483647)
DirXML: [05/03/18 07:09:07.10]: ADDriver: ldap get next page ( 2147483647)
DirXML: [05/03/18 07:09:07.10]: Loader: subscriptionShim->execute() returned:
DirXML: [05/03/18 07:09:07.10]: Loader: XML Document:
DirXML: [05/03/18 07:09:07.10]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\EXAMPLE\system\Driver Set\AD-domainname">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<instance src-dn="CN=Desiderato\, Erika (STUDENT),OU=Students,OU=Standard,OU=People,DC=domainname,DC=org" class-name="user" event-id="0">
<association>b1856054cc99b4478cf8fbac94c78ca4</association>
<attr attr-name="displayName">
<value type="string" naming="true">Desiderato, Erika (STUDENT)</value>
</attr>
</instance>
<status level="success" event-id="0"/>
</output>
</nds>
DirXML: [05/03/18 07:09:07.10]:
DirXML Log Event -------------------
Driver = \EXAMPLE\system\Driver Set\AD-domainname
Thread = Subscriber Channel
Level = success
DirXML: [05/03/18 07:09:07.50]: Loader: Received 'subscriber execute' document
DirXML: [05/03/18 07:09:07.50]: Loader: XML Document:
DirXML: [05/03/18 07:09:07.50]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20180503140902.633Z" class-name="user" event-id="My Clinical Exchange#Publisher#0:fce8cac9-3015-4305-92d6-2bb8fa5b2fac" qualified-src-dn="O=data\OU=users\CN=EDESIDERATO" src-dn="\EXAMPLE\data\users\EDESIDERATO" src-entry-id="232674" timestamp="1525356542#83">
<association state="associated">b1856054cc99b4478cf8fbac94c78ca4</association>
<modify-attr attr-name="description">
<add-value>
<value timestamp="1525356542#81" type="string">MCE Student - Organizational Developmnt (719570)</value>
</add-value>
</modify-attr>
<modify-attr attr-name="department">
<remove-value>
<value timestamp="1525356537#32" type="string">Critical Care</value>
</remove-value>
<add-value>
<value timestamp="1525356542#79" type="string">Organizational Developmnt (719570)</value>
</add-value>
</modify-attr>
<modify-attr attr-name="userPrincipalName">
<remove-all-values/>
<add-value>
<value type="string">EDESIDERATO@EXAMPLE.com</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [05/03/18 07:09:07.50]: Loader: Calling subscriptionShim->execute()
DirXML: [05/03/18 07:09:07.50]: Loader: XML Document:
DirXML: [05/03/18 07:09:07.50]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20180503140902.633Z" class-name="user" event-id="My Clinical Exchange#Publisher#0:fce8cac9-3015-4305-92d6-2bb8fa5b2fac" qualified-src-dn="O=data\OU=users\CN=EDESIDERATO" src-dn="\EXAMPLE\data\users\EDESIDERATO" src-entry-id="232674" timestamp="1525356542#83">
<association state="associated">b1856054cc99b4478cf8fbac94c78ca4</association>
<modify-attr attr-name="description">
<add-value>
<value timestamp="1525356542#81" type="string">MCE Student - Organizational Developmnt (719570)</value>
</add-value>
</modify-attr>
<modify-attr attr-name="department">
<remove-value>
<value timestamp="1525356537#32" type="string">Critical Care</value>
</remove-value>
<add-value>
<value timestamp="1525356542#79" type="string">Organizational Developmnt (719570)</value>
</add-value>
</modify-attr>
<modify-attr attr-name="userPrincipalName">
<remove-all-values/>
<add-value>
<value type="string">EDESIDERATO@EXAMPLE.com</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [05/03/18 07:09:07.50]: ADDriver: parse command

className user
destDN
eventId My Clinical Exchange#Publisher#0:fce8cac9-3015-4305-92d6-2bb8fa5b2fac
association b1856054cc99b4478cf8fbac94c78ca4
DirXML: [05/03/18 07:09:07.50]: ADDriver: parse modify class = user
DirXML: [05/03/18 07:09:07.50]: ADDriver: association
DirXML: [05/03/18 07:09:07.50]: ADDriver: b1856054cc99b4478cf8fbac94c78ca4
DirXML: [05/03/18 07:09:07.50]: ADDriver: modify-attr
DirXML: [05/03/18 07:09:07.50]: ADDriver: add-value
DirXML: [05/03/18 07:09:07.50]: ADDriver: value
DirXML: [05/03/18 07:09:07.50]: ADDriver: MCE Student - Organizational Developmnt (719570)
DirXML: [05/03/18 07:09:07.50]: ADDriver: modify-attr
DirXML: [05/03/18 07:09:07.50]: ADDriver: remove-value
DirXML: [05/03/18 07:09:07.50]: ADDriver: value
DirXML: [05/03/18 07:09:07.50]: ADDriver: Critical Care
DirXML: [05/03/18 07:09:07.50]: ADDriver: add-value
DirXML: [05/03/18 07:09:07.50]: ADDriver: value
DirXML: [05/03/18 07:09:07.50]: ADDriver: Organizational Developmnt (719570)
DirXML: [05/03/18 07:09:07.50]: ADDriver: modify-attr
DirXML: [05/03/18 07:09:07.50]: ADDriver: remove-all-values
DirXML: [05/03/18 07:09:07.50]: ADDriver: add-value
DirXML: [05/03/18 07:09:07.50]: ADDriver: value
DirXML: [05/03/18 07:09:07.50]: ADDriver: EDESIDERATO@EXAMPLE.com
DirXML: [05/03/18 07:09:07.50]: ADDriver: ldap_modify user CN=Desiderato\, Erika (STUDENT),OU=Students,OU=Standard,OU=People,DC=domainname,DC=org
LDAPMod operations:
replace attribute description
>> MCE Student - Organizational Developmnt (719570)
delete attribute department
>> Critical Care
add attribute department
>> Organizational Developmnt (719570)
delete attribute userPrincipalName
add attribute userPrincipalName
>> EDESIDERATO@EXAMPLE.com
DirXML: [05/03/18 07:09:07.50]: Loader: subscriptionShim->execute() returned:
DirXML: [05/03/18 07:09:07.50]: Loader: XML Document:
DirXML: [05/03/18 07:09:07.50]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\EXAMPLE\system\Driver Set\AD-domainname">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="error" type="driver-general" event-id="My Clinical Exchange#Publisher#0:fce8cac9-3015-4305-92d6-2bb8fa5b2fac">
<ldap-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
<client-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value Exists</client-err>
<server-err>00002081: AtrErr: DSID-030F18AE, #1:
0: 00002081: DSID-030F18AE, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 2008d (department)
</server-err>
<server-err-ex win32-rc="8321"/>
</ldap-err>
</status>
</output>
</nds>
DirXML: [05/03/18 07:09:07.50]:
DirXML Log Event -------------------
Driver = \EXAMPLE\system\Driver Set\AD-domainname
Thread = Subscriber Channel
Object = \EXAMPLE\data\users\EDESIDERATO
Level = error
Message = <ldap-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
<client-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value Exists</client-err>
<server-err>00002081: AtrErr: DSID-030F18AE, #1:
0: 00002081: DSID-030F18AE, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 2008d (department)
</server-err>
<server-err-ex win32-rc="8321"/>
</ldap-err>
  • It would help if we could see the whole event's trace, and not just from
    somewhere in the middle. Also it may help to see it from the perspective
    of the engine when the driver config is initially started so the filter
    settings and other things are shown.

    In this case the error coming back is that some change you are trying to
    make is already present in MAD. This implies that you are trying to do
    things that are already done (why?) and that your two environments are out
    of sync for some reason (why?). Knowing how things came to get into this
    state may be useful.


    --
    Good luck.
  • As Aaron says, it sounds like your environments are out of sync, so you're trying to remove a value that isn't there, and the subsequent add value fails because it's already present or some such. You'd need to have a look at the object in MAD to see what's there and what isn't.

    The root problem is that IDM assumes that your environments are in sync, because that's what it does. Where people get involved and make that not true, you see things like this happen. There have been some previous solutions posted to this forum, but here's mine:

    Create a GCV of attributes you want to overwrite when they change (title, department). Then put this on your subscriber command transform:


    <rule>
      <description>Force Attribute Updates</description>
      <comment xml:space="preserve">Force overwrite of attributes in destination to fix any that are incorrect.</comment>
      <conditions>
        <and>
          <if-operation mode="nocase" op="equal">modify</if-operation>
          <if-global-variable name="MAD-ForceAttrsList" op="available"/>
        </and>
      </conditions>
      <actions>
        <do-set-local-variable name="ForceAttributes" scope="policy">
          <arg-node-set>
            <token-split delimiter=",">
              <token-global-variable name="MAD-ForceAttrsList"/>
            </token-split>
          </arg-node-set>
        </do-set-local-variable>
        <do-for-each>
          <arg-node-set>
            <token-local-variable name="ForceAttributes"/>
          </arg-node-set>
          <arg-actions>
            <do-if>
              <arg-conditions>
                <and>
                  <if-op-attr name="$current-node$" op="available"/>
                  <if-xpath op="not-true">modify-attr[@attr-name=$current-node]/remove-all-values</if-xpath>
                </and>
              </arg-conditions>
              <arg-actions>
                <do-trace-message>
                  <arg-string>
                    <token-text xml:space="preserve">Overwriting destination attribute: </token-text>
                    <token-local-variable name="current-node"/>
                    <token-text xml:space="preserve"> </token-text>
                    <token-op-attr name="$current-node$"/>
                  </arg-string>
                </do-trace-message>
                <do-append-xml-element before="add-value" expression="*[@attr-name=$current-node]" name="remove-all-values"/>
                <do-strip-xpath expression="modify-attr[@attr-name=$current-node]/remove-value"/>
              </arg-actions>
              <arg-actions/>
            </do-if>
          </arg-actions>
        </do-for-each>
      </actions>
    </rule>
  • On 5/4/2018 4:46 PM, cosborne wrote:
    > <output>
    > <status level="error"
    > type="driver-general" event-id="My Clinical
    > Exchange#Publisher#0:fce8cac9-3015-4305-92d6-2bb8fa5b2fac">
    > <ldap-err ldap-rc="20"
    > ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
    >
    > <client-err ldap-rc="20"
    > ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value
    > Exists</client-err>
    >
    > <server-err>00002081: AtrErr: DSID-030F18AE, #1:
    > 0: 00002081: DSID-030F18AE, problem 1006
    > (ATT_OR_VALUE_EXISTS), data 0, Att 2008d (department)
    > </server-err>
    >
    > <server-err-ex win32-rc="8321"/>
    > </ldap-err>
    > </status>
    > </output>


    Look at the <server-err-ex win32-rc="8321"> node and look up 8321 at
    this page:
    https://msdn.microsoft.com/en-us/library/ms681390(VS.85).aspx

    8321 says:
    ERROR_DS_SINGLE_VALUE_CONSTRAINT

    8321 (0x2081)

    Multiple values were specified for an attribute that can have only
    one value.



    So single valued attribute and you are adding a second value.

    Change it to Set Dest Attr if you can, so you have a <remove-all-values>
    instead of a remove-value/add-value since once you are out of sync, you
    are in trouble.

    What I did was make a package called Multi Valued Attribute cleaner that
    reads the AD schema and learns which attrs are single valued, and
    converts modifies to include a remove-all-values node.

    You can get that from my company's public repo:

    https://idmfolder.ciscony.com/cis-idm-repo/

    Add it in Designer and you can try it in your driver.


  • Support pointed me to this code, which is in the output transformation policy. It has seemed to work: it detects if it is single or multi valued and makes the right call accordingly. Here is the code:

    <rule>
      <description>[CIS] Handle Multi-to-single valued conversions</description>
      <comment xml:space="preserve">Generic Rule which reads the application schema from AD and determines if it needs to take only the first value from a multi-valued eDirectory attribute
      </comment>
      <conditions>
        <or>
          <if-operation mode="case" op="equal">modify</if-operation>
          <if-operation mode="case" op="equal">add</if-operation>
        </or>
      </conditions>
      <actions>
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable name="APP-SCHEMA" op="not-available"/>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-set-local-variable name="APP-SCHEMA" scope="driver">
              <arg-node-set>
                <token-xml-parse notrace="true">
                  <token-base64-decode notrace="true">
                    <token-src-attr name="DirXML-ApplicationSchema" notrace="true">
                      <arg-dn>
                        <token-global-variable name="dirxml.auto.driverdn"/>
                      </arg-dn>
                    </token-src-attr>
                  </token-base64-decode>
                </token-xml-parse>
              </arg-node-set>
            </do-set-local-variable>
          </arg-actions>
          <arg-actions/>
        </do-if>
        <do-for-each>
          <arg-node-set>
            <token-xpath expression=".//@attr-name"/>
          </arg-node-set>
          <arg-actions>
            <do-set-local-variable name="CLASS" scope="policy">
              <arg-string>
                <token-class-name/>
              </arg-string>
            </do-set-local-variable>
            <do-set-local-variable name="ATTR-DEF" notrace="true" scope="policy">
              <arg-node-set>
                <token-xpath expression="$APP-SCHEMA/schema-def/class-def/attr-def[@attr-name=$current-node]"/>
              </arg-node-set>
            </do-set-local-variable>
            <do-set-local-variable name="MULTI-VALUED" scope="policy">
              <arg-string>
                <token-xpath expression="$ATTR-DEF[1]/@multi-valued"/>
              </arg-string>
            </do-set-local-variable>
            <do-if>
              <arg-conditions>
                <and>
                  <if-local-variable mode="nocase" name="MULTI-VALUED" op="equal">false</if-local-variable>
                </and>
              </arg-conditions>
              <arg-actions>
                <do-set-local-variable name="VALUE" scope="policy">
                  <arg-string>
                    <token-op-attr name="$current-node$"/>
                  </arg-string>
                </do-set-local-variable>
                <do-strip-op-attr name="$current-node$"/>
                <do-set-dest-attr-value name="$current-node$">
                  <arg-value>
                    <token-local-variable name="VALUE"/>
                  </arg-value>
                </do-set-dest-attr-value>
              </arg-actions>
              <arg-actions/>
            </do-if>
          </arg-actions>
        </do-for-each>
      </actions>
    </rule>
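
The rewrite that both policies in this thread aim at (the GCV-driven "Force Attribute Updates" rule and the schema-driven rule just above), sketched in Python so it can be checked offline against a modify event. This is an added example, not code from the thread or from the CIS package; the event is trimmed from the posted trace, the schema sample is constructed to match the XPath used in the policy, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the failing modify event, trimmed from the posted trace.
EVENT = """<nds dtdversion="4.0" ndsversion="8.x">
<input>
<modify class-name="user" event-id="constructed-0">
<association state="associated">b1856054cc99b4478cf8fbac94c78ca4</association>
<modify-attr attr-name="description">
<add-value><value type="string">MCE Student - Organizational Developmnt (719570)</value></add-value>
</modify-attr>
<modify-attr attr-name="department">
<remove-value><value type="string">Critical Care</value></remove-value>
<add-value><value type="string">Organizational Developmnt (719570)</value></add-value>
</modify-attr>
<modify-attr attr-name="userPrincipalName">
<remove-all-values/>
<add-value><value type="string">EDESIDERATO@EXAMPLE.com</value></add-value>
</modify-attr>
</modify>
</input>
</nds>"""

# Constructed schema sample shaped after the policy's XPath
# (schema-def/class-def/attr-def with a multi-valued flag); not read from a real driver.
SCHEMA = """<schema-def>
<class-def class-name="user">
<attr-def attr-name="department" multi-valued="false"/>
<attr-def attr-name="description" multi-valued="true"/>
<attr-def attr-name="userPrincipalName" multi-valued="false"/>
</class-def>
</schema-def>"""


def single_valued_attrs(schema_xml, class_name):
    """Return the attribute names the schema marks multi-valued="false" for a class."""
    names = set()
    for cdef in ET.fromstring(schema_xml).iter("class-def"):
        if cdef.get("class-name") != class_name:
            continue
        for adef in cdef.findall("attr-def"):
            if (adef.get("multi-valued") or "").lower() == "false":
                names.add(adef.get("attr-name"))
    return names


def force_overwrite(event_xml, attrs):
    """Turn remove-value/add-value into remove-all-values/add-value for attrs.

    Returns (rewritten XML, list of attribute names that were changed).
    """
    wanted = {a.strip().lower() for a in attrs}
    root = ET.fromstring(event_xml)
    rewritten = []
    for mattr in root.iter("modify-attr"):
        name = mattr.get("attr-name", "")
        if name.lower() not in wanted:
            continue
        adds = mattr.findall("add-value")
        # Leave the attribute alone if there is no new value to write,
        # or if the event already overwrites the destination.
        if not adds or mattr.find("remove-all-values") is not None:
            continue
        for rv in mattr.findall("remove-value"):
            mattr.remove(rv)  # drop the value-specific delete that can be stale
        mattr.insert(list(mattr).index(adds[0]), ET.Element("remove-all-values"))
        rewritten.append(name)
    return ET.tostring(root, encoding="unicode"), rewritten


def ops_by_attr(event_xml):
    """Map each modified attribute to its ordered list of child operations."""
    return {m.get("attr-name"): [c.tag for c in m]
            for m in ET.fromstring(event_xml).iter("modify-attr")}


if __name__ == "__main__":
    print("before:", ops_by_attr(EVENT))
    fixed, changed = force_overwrite(EVENT, single_valued_attrs(SCHEMA, "user"))
    print("changed:", changed)
    print("after: ", ops_by_attr(fixed))
```

Passing `"title,department".split(",")` as `attrs` gives the GCV-list behaviour; passing `single_valued_attrs(...)` gives the schema-driven behaviour.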
  • On 5/14/2018 12:24 PM, cosborne wrote:
    >
    > Support pointed me to this code, which is in the output transformation
    > policy, it has seemed to work, detects if it is single or multi valued
    > and makes right call accordingly, here is the code:



    Hmm, I am a little annoyed. My name was in the Comment fields, and
    someone removed it. Not cool man, not cool! :)

    This is from a package I maintain.

    Please show me the trace of it failing so we can fix it.

    Do you happen to have the package installed on your driver? (Look at
    this policy object in LDAP and show us the DirXML-PkgGUID value, since
    if you import it and do not have the package in your local Designer
    instance, it won't report it as installed on the driver).

