Permission Onboarding Job not working


Hi,

during testing we found that for some reason the automatic creation of
resources is not working with the Permission Onboarding Job.

We simply were experimenting on this feature on a standard AD driver
with the default NetIQ packages.

Further digging into the problem we found in the level 3 log of the job,
that the job claims not to be able to read the permission mapping object
with error 672!

After that we checked the edir rights of both the uaadmin user and the
job, and found that eDirectory is reporting supervisor rights to the
whole tree for both!

The strange thing is that we see this issue in one environment, whereas
in a similar environment (cloned virtual servers) it is working.

Any suggestion what to look at?

Thanks!


--
tschloesser
------------------------------------------------------------------------
tschloesser's Profile: https://forums.netiq.com/member.php?userid=3232
View this thread: https://forums.netiq.com/showthread.php?t=55718


  • Here's the log data provided for the job:
    [04/14/16 02:23:22.748]:PermissionOnboarding JT:Worker thread for job
    '\IDVAULT-TREE\system\driverset1\Custom Entitlement Service
    Driver\PermissionOnboarding' starting.
    [04/14/16 02:23:22.849]:PermissionOnboarding JT:Worker thread for job
    '\IDVAULT-TREE\system\driverset1\Custom Entitlement Service
    Driver\PermissionOnboarding' exiting.
    [04/14/16 02:23:22.871]:PermissionOnboarding JT:Worker thread for job
    '\IDVAULT-TREE\system\driverset1\Custom Entitlement Service
    Driver\PermissionOnboarding' starting.
    [04/14/16 02:23:22.871]:PermissionOnboarding JT:InitIDMJob: Executing
    Permissing Onboarding Job
    [04/14/16 02:23:22.873]:PermissionOnboarding JT:Received command
    document from job.
    [04/14/16 02:23:22.873]:PermissionOnboarding JT:
    <nds dtdversion="2.0">
    <input>
    <query class-name="DirXML-Resource"
    dest-dn="\IDVAULT-TREE\system\driverset1\Custom Entitlement Service
    Driver\PermissionEntMapping" scope="entry">
    <search-class class-name="DirXML-Resource"/>
    <read-attr attr-name="DirXML-Data"/>
    <read-attr attr-name="cn"/>
    <operation-data data-collection-query="true"/>
    </query>
    </input>
    </nds>
    [04/14/16 02:23:22.873]:PermissionOnboarding JT:Pumping XDS to
    eDirectory.
    [04/14/16 02:23:22.873]:PermissionOnboarding JT:Performing operation
    query for \IDVAULT-TREE\system\driverset1\Custom Entitlement Service
    Driver\PermissionEntMapping.
    [04/14/16 02:23:22.874]:PermissionOnboarding JT:--JCLNT-- Job
    \IDVAULT-TREE\system\driverset1\Custom Entitlement Service
    Driver\PermissionOnboarding : Duplicating : context = 1495859491,
    tempContext = 1495859456
    [04/14/16 02:23:22.874]:PermissionOnboarding JT:--JCLNT-- Job
    \IDVAULT-TREE\system\driverset1\Custom Entitlement Service
    Driver\PermissionOnboarding : Calling free on tempContext = 1495859456
    [04/14/16 02:23:22.875]:PermissionOnboarding JT:Result of job command:
    [04/14/16 02:23:22.875]:PermissionOnboarding JT:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.5.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <instance class-name="DirXML-Resource"
    qualified-src-dn="O=system\CN=driverset1\CN=Custom Entitlement Service
    Driver\CN=PermissionEntMapping"
    src-dn="\IDVAULT-TREE\system\driverset1\Custom Entitlement Service
    Driver\PermissionEntMapping" src-entry-id="34053">
    <operation-data data-collection-query="true"/>
    <attr attr-name="DirXML-Data">
    <value timestamp="1460618750#30" type="octet">.......</value>
    </attr>
    <attr attr-name="CN">
    <value naming="true" timestamp="1421790838#251"
    type="string">PermissionEntMapping</value>
    </attr>
    </instance>
    <status level="success"><operation-data
    data-collection-query="true"/>
    </status>
    </output>
    </nds>
    [04/14/16 02:23:22.878]:PermissionOnboarding JT:InitIDMJob: Failed to
    evaluate XPath Node Expression. Exception: null
    [04/14/16 02:23:22.878]:PermissionOnboarding JT:InitIDMJob: Unable to
    read permission mapping object, No Access (-672)
    [04/14/16 02:23:22.878]:PermissionOnboarding JT:
    Job Final result -------------------
    Job: \IDVAULT-TREE\system\driverset1\Custom Entitlement Service
    Driver\PermissionOnboarding
    Status: Error
    Message: Unable to read permission mapping object, No Access
    (-672)
    Code: -672
    [04/14/16 02:23:22.879]:PermissionOnboarding JT:Worker thread for job
    '\IDVAULT-TREE\system\driverset1\Custom Entitlement Service
    Driver\PermissionOnboarding' exiting.


    --
    tschloesser
    ------------------------------------------------------------------------
    tschloesser's Profile: https://forums.netiq.com/member.php?userid=3232
    View this thread: https://forums.netiq.com/showthread.php?t=55718
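
A small triage helper for a trace like the one above, added here as an example and not part of the original posts or of any NetIQ tooling: it rejoins the wrapped trace lines and separates the status returned for the query from the errors the job logged afterwards. `TRACE` is an abridged copy of the posted log, and the names `entries` and `triage` are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Abridged copy of the level 3 trace posted above: DNs shortened with "...",
# unrelated entries dropped. Wrapped lines are kept as they were posted.
TRACE = r"""[04/14/16 02:23:22.873]:PermissionOnboarding JT:Performing operation
query for \IDVAULT-TREE\...\PermissionEntMapping.
[04/14/16 02:23:22.875]:PermissionOnboarding JT:
<nds dtdversion="4.0" ndsversion="8.x">
<output>
<instance class-name="DirXML-Resource" src-entry-id="34053">
<attr attr-name="DirXML-Data">
<value timestamp="1460618750#30" type="octet">.......</value>
</attr>
</instance>
<status level="success"><operation-data
data-collection-query="true"/>
</status>
</output>
</nds>
[04/14/16 02:23:22.878]:PermissionOnboarding JT:InitIDMJob: Failed to
evaluate XPath Node Expression. Exception: null
[04/14/16 02:23:22.878]:PermissionOnboarding JT:InitIDMJob: Unable to
read permission mapping object, No Access (-672)
"""

# "[timestamp]:tag:" opens an entry; anything up to the next one is its body.
ENTRY = re.compile(r"^\s*\[(\d\d/\d\d/\d\d [\d:.]+)\]:[^:]*:", re.M)

def entries(trace):
    """Yield (timestamp, body) pairs with the wrapped lines rejoined."""
    marks = list(ENTRY.finditer(trace))
    for m, nxt in zip(marks, marks[1:] + [None]):
        body = trace[m.end():nxt.start() if nxt else len(trace)]
        yield m.group(1), " ".join(body.split())

def triage(trace):
    """Split the engine's answer to the query from the errors the job logged."""
    out = {"query_status": [], "attrs_returned": [], "job_errors": []}
    for ts, body in entries(trace):
        if body.startswith("<nds") and "<output>" in body:
            doc = ET.fromstring(body)
            out["query_status"] += [s.get("level") for s in doc.iter("status")]
            out["attrs_returned"] += [a.get("attr-name") for a in doc.iter("attr")]
        elif re.search(r"\b(Failed|Unable) to\b", body):
            code = re.search(r"\((-\d+)\)", body)
            out["job_errors"].append((ts, body, int(code.group(1)) if code else None))
    return out
```

Run over the sample, `triage(TRACE)` reports a `success` status with `DirXML-Data` returned for the query, followed by two job-side errors at 02:23:22.878: the XPath evaluation failure and then the -672.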