Code(-8014) Error processing attribute

I'm using IDM 4.7. I wrote the following policy in the loopback driver in order to add users on entitlement assignment.
The entitlement is valued.
<do-add-src-attr-value class-name="User" name="Group Membership">
<arg-dn>
<token-src-dn/>
</arg-dn>
<arg-value type="string">
<token-local-variable name="current-node"/>
</arg-value>
</do-add-src-attr-value>

When assigning an entitlement to a user I have the following error: Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY

The Trace file is as follows:
[11/15/18 11:13:13.024]:Group Membership Control ST:Applying policy: % CCACMELBACKENT-maintain Group Membership based on Entitlements%-C.
[11/15/18 11:13:13.024]:Group Membership Control ST: Applying to modify #1.
[11/15/18 11:13:13.024]:Group Membership Control ST: Evaluating selection criteria for rule 'Only allow add and modify operations'.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-operation not-equal "add") = TRUE.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-operation not-equal "modify") = FALSE.
[11/15/18 11:13:13.024]:Group Membership Control ST: Rule rejected.
[11/15/18 11:13:13.024]:Group Membership Control ST: Evaluating selection criteria for rule 'Group add or remove on entitlement'.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-class-name equal "User") = TRUE.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-entitlement 'ACMELBACKENT-Assign Group Membership' changing) = TRUE.
[11/15/18 11:13:13.024]:Group Membership Control ST: Rule selected.
[11/15/18 11:13:13.024]:Group Membership Control ST: Applying rule 'Group add or remove on entitlement'.
[11/15/18 11:13:13.024]:Group Membership Control ST: Action: do-for-each(arg-node-set(token-added-entitlement("ACMELBACKENT-Assign Group Membership"))).
[11/15/18 11:13:13.024]:Group Membership Control ST: arg-node-set(token-added-entitlement("ACMELBACKENT-Assign Group Membership"))
[11/15/18 11:13:13.024]:Group Membership Control ST: token-added-entitlement("ACMELBACKENT-Assign Group Membership")
[11/15/18 11:13:13.024]:Group Membership Control ST: Token Value: {<entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state = "1"}.
[11/15/18 11:13:13.024]:Group Membership Control ST: Arg Value: {<entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state = "1"}.
[11/15/18 11:13:13.040]:Group Membership Control ST: Performing actions for local-variable(current-node) = <entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state = "1".
[11/15/18 11:13:13.040]:Group Membership Control ST: Action: do-add-src-attr-value("Group Membership",class-name="User",arg-dn(token-src-dn()),token-local-variable("current-node")).
[11/15/18 11:13:13.040]:Group Membership Control ST: arg-dn(token-src-dn())
[11/15/18 11:13:13.040]:Group Membership Control ST: token-src-dn()
[11/15/18 11:13:13.040]:Group Membership Control ST: Token Value: "\IDVAULT-TREE\data\users\VKhoury".
[11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value: "\IDVAULT-TREE\data\users\VKhoury".
[11/15/18 11:13:13.040]:Group Membership Control ST: arg-string(token-local-variable("current-node"))
[11/15/18 11:13:13.040]:Group Membership Control ST: token-local-variable("current-node")
[11/15/18 11:13:13.040]:Group Membership Control ST: Token Value: "{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}".
[11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value: "{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}".
[11/15/18 11:13:13.040]:Group Membership Control ST: Action: do-for-each(arg-node-set(token-removed-entitlement("ACMELBACKENT-Assign Group Membership"))).
[11/15/18 11:13:13.040]:Group Membership Control ST: arg-node-set(token-removed-entitlement("ACMELBACKENT-Assign Group Membership"))
[11/15/18 11:13:13.040]:Group Membership Control ST: token-removed-entitlement("ACMELBACKENT-Assign Group Membership")
[11/15/18 11:13:13.040]:Group Membership Control ST: Token Value: {}.
[11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value: {}.
[11/15/18 11:13:13.040]:Group Membership Control ST: Evaluating selection criteria for rule 'Terminate Further Operation Processing'.
[11/15/18 11:13:13.040]:Group Membership Control ST: Rule selected.
[11/15/18 11:13:13.040]:Group Membership Control ST: Applying rule 'Terminate Further Operation Processing'.
[11/15/18 11:13:13.040]:Group Membership Control ST: Action: do-veto().
[11/15/18 11:13:13.040]:Group Membership Control ST: Direct command from policy
[11/15/18 11:13:13.040]:Group Membership Control ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="User" dest-dn="\IDVAULT-TREE\data\users\VKhoury" event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d">
<modify-attr attr-name="Group Membership">
<add-value>
<value type="string">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</value>
</add-value>
</modify-attr>
<operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
</modify>
</input>
</nds>
[11/15/18 11:13:13.040]:Group Membership Control ST: Stripping operation data from input document
[11/15/18 11:13:13.040]:Group Membership Control ST: Pumping XDS to eDirectory.
[11/15/18 11:13:13.040]:Group Membership Control ST: Performing operation modify for \IDVAULT-TREE\data\users\VKhoury.
[11/15/18 11:13:13.040]:Group Membership Control ST: --JCLNT-- \IDVAULT-TREE\system\driverset1\Group Membership Control : Duplicating : context = 656867519, tempContext = 656867482
[11/15/18 11:13:13.040]:Group Membership Control ST: --JCLNT-- \IDVAULT-TREE\system\driverset1\Group Membership Control : Calling free on tempContext = 656867482
[11/15/18 11:13:13.040]:Group Membership Control ST: Restoring operation data to output document
[11/15/18 11:13:13.040]:Group Membership Control ST: Processing returned document.
[11/15/18 11:13:13.040]:Group Membership Control ST: Processing operation <status> for .
[11/15/18 11:13:13.040]:Group Membership Control ST:
DirXML Log Event -------------------
Driver: \IDVAULT-TREE\system\driverset1\Group Membership Control
Channel: Subscriber
Status: Success
[11/15/18 11:13:13.117]:Group Membership Control ST: Processing operation <status> for .
[11/15/18 11:13:13.117]:Group Membership Control ST:
DirXML Log Event -------------------
Driver: \IDVAULT-TREE\system\driverset1\Group Membership Control
Channel: Subscriber
Status: Warning
Message: Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY
[11/15/18 11:13:13.180]:Group Membership Control ST: Direct command from policy result
[11/15/18 11:13:13.180]:Group Membership Control ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d" level="success"><operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
<application>DirXML</application>
<module>Group Membership Control</module>
<object-dn></object-dn>
<component>Subscriber</component>
</status>
<status event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d" level="warning">Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY<operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
<application>DirXML</application>
<module>Group Membership Control</module>
<object-dn></object-dn>
<component>Subscriber</component>
</status>
</output>
</nds>
[11/15/18 11:13:13.180]:Group Membership Control ST:Policy returned:
[11/15/18 11:13:13.180]:Group Membership Control ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input/>
</nds>
[11/15/18 11:13:13.180]:Group Membership Control ST:End transaction.
  • There are quite a few things wrong in here so I'll try to add comments
    after each section and trim out the rest so it's easier to read. In the
    future, and even this time, it would help to see the input document that
    started all of this, rather than just showing the trace from a particular
    spot in the middle of the operation (at the policy 'maintain Group
    Membership based on Entitlements' in this case).

    On 11/15/2018 04:16 AM, vkhoury wrote:
    >
    > I'm using IDM 4.7. I wrote the following policy in the loopback driver
    > in order to add users on entitlement assignment.
    > The entitlement is valued.
    > <do-add-src-attr-value class-name="User" name="Group Membership">
    > <arg-dn>
    > <token-src-dn/>
    > </arg-dn>


    You should not need to specify the arg-dn at all; by default the
    do-add-src-attr-value will modify the current object, which is your user,
    and that is the DN you are specifying anyway. Maybe leave it alone at
    this point, but it just looks weird and makes the system process more
    (generating more trace) needlessly.

    > <arg-value type="string">
    > <token-local-variable name="current-node"/>
    > </arg-value>
    > </do-add-src-attr-value>


    You are making reference to the 'current-node' local variable; that is
    meant to be used in a foreach loop, but your policy above does not
    mention a foreach loop, so that is either an incomplete bit of policy, or
    else it is a misuse of the local variable. Some of them like current-node
    and current-value are to be used in certain places, and maybe you did
    here (we'll see below) but then the whole policy should be shared for review.

    > When assigning an entitlement to a user I have the following error:
    > Code(-8014) Error processing attribute
    > (\IDVAULT-TREE\data\users\VKhoury#Group Membership):
    > novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY


    Assuming the DN above is valid for the user, the -601 may mean that the
    group pointed-to via the Group Membership attribute on that user is invalid.

    > [11/15/18 11:13:13.024]:Group Membership Control ST: Evaluating
    > selection criteria for rule 'Group add or remove on entitlement'.
    > [11/15/18 11:13:13.024]:Group Membership Control ST: (if-class-name
    > equal "User") = TRUE.
    > [11/15/18 11:13:13.024]:Group Membership Control ST:
    > (if-entitlement 'ACMELBACKENT-Assign Group Membership' changing) =
    > TRUE.
    > [11/15/18 11:13:13.024]:Group Membership Control ST: Rule selected.
    > [11/15/18 11:13:13.024]:Group Membership Control ST: Applying rule
    > 'Group add or remove on entitlement'.
    > [11/15/18 11:13:13.024]:Group Membership Control ST: Action:
    > do-for-each(arg-node-set(token-added-entitlement("ACMELBACKENT-Assign
    > Group Membership"))).
    > [11/15/18 11:13:13.024]:Group Membership Control ST:
    > arg-node-set(token-added-entitlement("ACMELBACKENT-Assign Group
    > Membership"))
    > [11/15/18 11:13:13.024]:Group Membership Control ST:
    > token-added-entitlement("ACMELBACKENT-Assign Group Membership")
    > [11/15/18 11:13:13.024]:Group Membership Control ST: Token
    > Value: {<entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group
    > Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA"
    > @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380"
    > @state = "1"}.
    > [11/15/18 11:13:13.024]:Group Membership Control ST: Arg Value:
    > {<entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group
    > Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA"
    > @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380"
    > @state = "1"}.
    > [11/15/18 11:13:13.040]:Group Membership Control ST: Performing
    > actions for local-variable(current-node) = <entitlement-impl> @id = ""
    > @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn =
    > "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn =
    > "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state =
    > "1".
    > [11/15/18 11:13:13.040]:Group Membership Control ST: Action:
    > do-add-src-attr-value("Group
    > Membership",class-name="User",arg-dn(token-src-dn()),token-local-variable("current-node")).
    > [11/15/18 11:13:13.040]:Group Membership Control ST:
    > arg-dn(token-src-dn())
    > [11/15/18 11:13:13.040]:Group Membership Control ST:
    > token-src-dn()
    > [11/15/18 11:13:13.040]:Group Membership Control ST:
    > Token Value: "\IDVAULT-TREE\data\users\VKhoury".
    > [11/15/18 11:13:13.040]:Group Membership Control ST: Arg
    > Value: "\IDVAULT-TREE\data\users\VKhoury".
    > [11/15/18 11:13:13.040]:Group Membership Control ST:
    > arg-string(token-local-variable("current-node"))
    > [11/15/18 11:13:13.040]:Group Membership Control ST:
    > token-local-variable("current-node")
    > [11/15/18 11:13:13.040]:Group Membership Control ST:
    > Token Value: "{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}".


    That current-node local variable is returning a non-DN value even though
    this attribute expects a DN. At the very least you would need to pull
    this part to get just the DN portion, without the double-backslashes
    throughout, to make it a useful value.

    It appears that we were inside a do-foreach after all, so seeing that
    policy might help come up with the complete fix.

    > [11/15/18 11:13:13.040]:Group Membership Control ST: Arg
    > Value: "{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}".
    > [11/15/18 11:13:13.040]:Group Membership Control ST: Action:
    > do-for-each(arg-node-set(token-removed-entitlement("ACMELBACKENT-Assign
    > Group Membership"))).
    > [11/15/18 11:13:13.040]:Group Membership Control ST:
    > arg-node-set(token-removed-entitlement("ACMELBACKENT-Assign Group
    > Membership"))
    > [11/15/18 11:13:13.040]:Group Membership Control ST:
    > token-removed-entitlement("ACMELBACKENT-Assign Group Membership")
    > [11/15/18 11:13:13.040]:Group Membership Control ST: Token
    > Value: {}.
    > [11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value:
    > {}.
    > [11/15/18 11:13:13.040]:Group Membership Control ST: Evaluating
    > selection criteria for rule 'Terminate Further Operation Processing'.
    > [11/15/18 11:13:13.040]:Group Membership Control ST: Rule selected.
    > [11/15/18 11:13:13.040]:Group Membership Control ST: Applying rule
    > 'Terminate Further Operation Processing'.
    > [11/15/18 11:13:13.040]:Group Membership Control ST: Action:
    > do-veto().


    Vetoing the original event is fine, but as a general thought be sure you
    do not need to process this later on, e.g. in a subsequent policy that
    might want to notify the group owners of changes, or to generate some kind
    of audit of this change, or whatever. If anything other than this
    entitlement change had come in with this entitlement change, that would
    now be lost, and perhaps that's okay, but it's easy to do on accident with
    a veto rather than a break. If you use a Null driver for business logic
    like this then the events are auto-vetoed after all policies are done
    regardless, which is one more reason why I like using Null drivers for
    business logic.

    > [11/15/18 11:13:13.040]:Group Membership Control ST: Direct command
    > from policy
    > [11/15/18 11:13:13.040]:Group Membership Control ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.7.0.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <modify class-name="User" dest-dn="\IDVAULT-TREE\data\users\VKhoury"
    > event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d">
    > <modify-attr attr-name="Group Membership">
    > <add-value>
    > <value
    > type="string">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</value>


    Clearly the value above is wrong; that is what you must fix ultimately
    for this to have a chance of working, and that involves pulling out the
    correct portion of the value from the entitlement value. Maybe look at
    token-added-entitlement to see if that works for you:
    https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/dirxmlscript/token-added-entitlement.html

    I think that is all that matters. Ultimately fix the value of the group
    membership attribute being sent back to the user, and you may also want,
    once that works, to be sure that IDM is going to set the corresponding
    Group object attribute (Member) automatically, or else add that in as
    well. In addition to that, you MAY want the security attributes as well
    if the group is to grant any kind of security equivalence (rights) within
    the tree, and there is an attribute on both the User and Group for that
    too, though usually I implement a Null driver just to keep those aligned
    no matter the source to avoid needing to play too much in every policy
    that manages group memberships.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • vkhoury;2490852 wrote:
    I'm using IDM 4.7. I wrote the following policy in the loopback driver in order to add users on entitlement assignment.
    The entitlement is valued.
    <do-add-src-attr-value class-name="User" name="Group Membership">
    <arg-dn>
    <token-src-dn/>
    </arg-dn>
    <arg-value type="string">
    <token-local-variable name="current-node"/>
    </arg-value>
    </do-add-src-attr-value>

    When assigning an entitlement to a user I have the following error: Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY



    Hi vkhoury,

    Are you sure that you are trying to add information to the Group Membership attribute in the right format?
    Group Membership is described in the schema as a DN:

    LDAP Name: groupMembership
    Syntax: Distinguished Name

    I believe that you are supposed to add the DN of your group to this attribute:
    \IDVAULT-TREE\data\groups\TestGroup3 instead of your current value {"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}


    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Standard" version="4.7.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="\IDVAULT-TREE\data\users\VKhoury" event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d">
    <modify-attr attr-name="Group Membership">
    <add-value>
    <value type="string">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</value>
    </add-value>
    </modify-attr>
    <operation-data>
    <entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
    </operation-data>
    </modify>
    </input>
    </nds>
  • On 11/15/2018 6:16 AM, vkhoury wrote:
    > <modify class-name="User" dest-dn="\IDVAULT-TREE\data\users\VKhoury"
    > event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d">
    > <modify-attr attr-name="Group Membership">
    > <add-value>
    > <value
    > type="string">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</value>
    > </add-value>


    So you correctly read the parameter out of the Entitlement. But the
    syntax is as you can see in the above sample, JSON and eDIR DN's ain't JSON.

    So you can use the ECMA function included in all drivers as
    es:getEntParamField($current-node,"ID") in a Set local variable with an
    XPATH of that statement.

    This would strip out the value of the ID Node in the JSON. Now I am NOT
    sure if the \\ will be reduced to \ as appropriate, in which case you
    might need to then do a Replace All of \\\\ with \\ (\ is escaped to \\
    so \\ is escaped to \\\\ and the replace of \ is escaped to \\ ).

    That is not even word salad, that is ASCII salad. MMM... ASCII Salad
    (said in Homer's voice).

  • Hi ab,
    I realized the issue was the format of the group membership DN in current-node.
    I dunno the reason but I tried to adjust the DN by using Replace and substring tokens.
    It works fine now. But i still want to figure out why it is written in this format.
  • Hi geoff,
    Yup that's right, I already tried to solve this by using replace and substring tokens.
    But yea your alternative is better :).
    I will go for it.
  • On 11/15/2018 8:54 AM, vkhoury wrote:
    >
    > Hi ab,
    > I realized the issue was the format of the group membership DN in
    > current-node.
    > I dunno the reason but I tried to adjust the DN by using Replace and
    > substring tokens.
    > It works fine now. But i still want to figure out why it is written in
    > this format.


    When you use a Token-Entitlement, Token-AddedEntitlement,
    Token-RemovedEntitlement and loop over the values, $current-node is the
    contents of the <param> node, inside the component[@name='path.xml'].

    So in an IDM4-format entitlement it is a JSON string.

    {"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}

    Thus you can treat it as JSON and get the value back. So use the ECMA
    function I referenced.

    Or you can treat it as a string and process it to what you want, in
    XPATH you could:

    substring-before(substring-after($current-node,'{"ID":"'),'"}')

    In Policy you could do the same.
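An added example, written for this thread and not taken from it or from the IDM driver's ECMAScript library, showing both extraction routes Geoffrey describes in plain JavaScript: `entParamFieldJson` is a hypothetical stand-in for es:getEntParamField built on JSON.parse (it is not that function), and `entParamFieldSubstring` mirrors the XPath substring-before/substring-after expression with XPath 1.0 semantics. The sample parameter is constructed from the value in the trace above.

```javascript
// Added example, not from the thread or the IDM driver library.
// Two ways to get the group DN out of an IDM4-format entitlement parameter.

// Constructed from the trace above: the text of the <param> node, as
// $current-node would hold it (two backslashes per path separator, because
// the DN is JSON-escaped):  {"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}
const SAMPLE_PARAM = '{"ID":"\\\\IDVAULT-TREE\\\\data\\\\groups\\\\TestGroup3"}';

// Route 1: treat the parameter as JSON. Hypothetical stand-in for the
// driver's es:getEntParamField($current-node,"ID"); it is not that function.
function entParamFieldJson(param, field) {
  const obj = JSON.parse(param);          // throws on malformed JSON
  if (typeof obj[field] !== 'string') {
    throw new Error('entitlement parameter has no string field "' + field + '"');
  }
  return obj[field];                       // JSON unescaping already applied
}

// Route 2: treat the parameter as a string, as the XPath
//   substring-before(substring-after($current-node,'{"ID":"'),'"}')
// does. These helpers follow XPath 1.0 semantics: an absent separator
// yields the empty string, not the original input.
function substringAfter(s, sep) {
  const i = s.indexOf(sep);
  return i < 0 ? '' : s.slice(i + sep.length);
}
function substringBefore(s, sep) {
  const i = s.indexOf(sep);
  return i < 0 ? '' : s.slice(0, i);
}
function entParamFieldSubstring(param) {
  return substringBefore(substringAfter(param, '{"ID":"'), '"}');
}

// The string route leaves the JSON escaping in place, so the DN still has
// doubled backslashes. This is the "Replace All \\ with \" step from the
// thread as a regex (the regex source needs \\\\ to match two backslashes).
function collapseJsonBackslashes(s) {
  return s.replace(/\\\\/g, '\\');
}

// Compare the two routes on the same input.
function compareRoutes(param) {
  const viaJson = entParamFieldJson(param, 'ID');
  const viaString = entParamFieldSubstring(param);
  return {
    viaJson,                                     // \IDVAULT-TREE\data\groups\TestGroup3
    viaString,                                   // \\IDVAULT-TREE\\data\\groups\\TestGroup3
    viaStringCollapsed: collapseJsonBackslashes(viaString),
    agree: collapseJsonBackslashes(viaString) === viaJson,
  };
}
```

The JSON route hands back a DN with single backslashes, ready for the Group Membership attribute; the string route returns the raw JSON-escaped text and only agrees with it after the Replace All step, which is why the Replace and Substring tokens were needed when the value was sliced as a string.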
  • On 11/15/2018 8:54 AM, vkhoury wrote:
    >
    > Hi geoff,
    > Yup, that's right, I already tried to solve this by using Replace and
    > Substring tokens.
    > But yea your alternative is better :).


    Just assume that, and it will save you time. :)

    Glad it helped.


  • Geoffrey Carman wrote:

    > So you correctly read the parameter out of the Entitlement. But the syntax,
    > as you can see in the above sample, is JSON, and eDir DNs ain't JSON.
    >
    > So you can use the ECMA function included in all drivers as
    > es:getEntParamField($current-node,"ID") in a Set local variable to an XPATH
    > of that statement.
    >
    > This would strip out the value of the ID Node in the JSON. Now I am NOT sure
    > if the \\ will be reduced to \ as appropriate, in which case you might need
    > to then do a Replace All of \\\\ with \\ (\ is escaped to \\ so \\ is escaped
    > to \\\\ and the replace of \ is escaped to \\ ).
    >


    Depending on which version of es:getEntParamField you use there are some bugs
    with escaped chars. Especially as you are usually dealing with multiple layers
    of escapes. One for JSON and the other for the target system involved.

    In the case of LDAP as target system (such as AD) I've found that the escaping
    of the escaping (yes word salad again) used to work when they used eval in this
    function but no longer works correctly with the more "safe" json parse.

    Was a while back but thought I had determined that the returned instance in the
    source system driver should properly escape the data as it sees fit first. Had
    an old AD driver so maybe this is fixed in newer code from the vendor.

    Summary is, you should use getEntParamField - but make sure to test for edge
    cases.

    --
    If you find this post helpful, and are viewing this using the web, please show
    your appreciation by clicking on the star below
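An added example in JavaScript, not Alex's code and not the driver library's es:getEntParamField, illustrating the two escaping layers described above and the edge cases worth testing: a group name that itself contains a backslash, so the eDirectory DN carries a DN-level escape underneath the JSON-level escape, and an under-escaped parameter from a source driver that did not JSON-escape the DN at all. The DNs are constructed from names in the trace; the group name "Sales\Marketing" is invented for the example.

```javascript
// Added example, not from the thread or the IDM driver library.
// The backslash serves two masters in an entitlement parameter: it is the
// JSON string escape character AND the eDirectory slash-format DN escape
// character. Removing one layer too many silently changes the DN.

// Constructed: a group whose name contains a literal backslash ("Sales\Marketing").
// At the DN level that backslash is escaped as "\\", so the DN text is
//   \IDVAULT-TREE\data\groups\Sales\\Marketing
const DN_WITH_ESCAPE = '\\IDVAULT-TREE\\data\\groups\\Sales\\\\Marketing';

// A well-behaved source driver JSON-encodes the DN, doubling every backslash:
//   {"ID":"\\IDVAULT-TREE\\data\\groups\\Sales\\\\Marketing"}
const PARAM_WITH_ESCAPE = JSON.stringify({ ID: DN_WITH_ESCAPE });

// Constructed: an under-escaped parameter, i.e. the DN dropped into the JSON
// text without escaping. Its text is {"ID":"\IDVAULT-TREE\data\users\VKhoury"}
// ("\I" and "\u" followed by "sers" are not valid JSON escapes).
const PARAM_UNDER_ESCAPED = '{"ID":"\\IDVAULT-TREE\\data\\users\\VKhoury"}';

// Strict extraction: exactly one JSON unescape. Returns {ok, value} or {ok, error}.
function getFieldStrict(param, field) {
  try {
    const obj = JSON.parse(param);
    if (typeof obj[field] !== 'string') {
      return { ok: false, error: 'field "' + field + '" missing or not a string' };
    }
    return { ok: true, value: obj[field] };
  } catch (e) {
    return { ok: false, error: e.message };   // malformed JSON, or null/non-object
  }
}

// The tempting "Replace All \\ with \" applied AFTER JSON parsing. That is a
// second unescape, and it corrupts any DN that carries its own escapes:
// Sales\\Marketing (one group) becomes Sales\Marketing (a different path).
function doubleUnescape(s) {
  return s.replace(/\\\\/g, '\\');
}

// Tolerant extraction for under-escaped input: only when strict parsing
// fails, treat every backslash in the text as literal (double it) and parse
// again. Heuristic: it assumes the malformed value contains no genuine JSON
// escapes and no unescaped double quotes. The real fix, as noted above, is
// for the source driver to escape the data correctly in the first place.
function getFieldTolerant(param, field) {
  const strict = getFieldStrict(param, field);
  if (strict.ok) return strict.value;          // never touch well-formed input
  const repaired = param.replace(/\\/g, '\\\\');
  const retry = getFieldStrict(repaired, field);
  if (!retry.ok) throw new Error('cannot recover entitlement parameter: ' + retry.error);
  return retry.value;
}
```

A useful regression check for a driver is to run the three inputs above through the extraction path in use and confirm that the properly escaped value comes back unchanged (one layer removed, DN-level escapes intact), that the second unescape is never applied to it, and that the under-escaped case either fails loudly or is repaired only on the fallback path.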
  • On 11/16/2018 7:23 AM, Alex McHugh wrote:
    > Geoffrey Carman wrote:
    >
    >> So you correctly read the parameter out of the Entitlement. But the syntax,
    >> as you can see in the above sample, is JSON, and eDir DNs ain't JSON.
    >>
    >> So you can use the ECMA function included in all drivers as
    >> es:getEntParamField($current-node,"ID") in a Set local variable to an XPATH
    >> of that statement.
    >>
    >> This would strip out the value of the ID Node in the JSON. Now I am NOT sure
    >> if the \\ will be reduced to \ as appropriate, in which case you might need
    >> to then do a Replace All of \\\\ with \\ (\ is escaped to \\ so \\ is escaped
    >> to \\\\ and the replace of \ is escaped to \\ ).
    >>
    >
    > Depending on which version of es:getEntParamField you use there are some bugs
    > with escaped chars. Especially as you are usually dealing with multiple layers
    > of escapes. One for JSON and the other for the target system involved.
    >
    > In the case of LDAP as target system (such as AD) I've found that the escaping
    > of the escaping (yes word salad again) used to work when they used eval in this
    > function but no longer works correctly with the more "safe" json parse.
    >
    > Was a while back but thought I had determined that the returned instance in the
    > source system driver should properly escape the data as it sees fit first. Had
    > an old AD driver so maybe this is fixed in newer code from the vendor.
    >
    > Summary is, you should use getEntParamField - but make sure to test for edge
    > cases.


    Dang those edge cases! Thanks for the heads up!

    Is \ one of those characters with issues?


  • Geoffrey Carman wrote:

    > Is \ one of those characters with issues?


    IIRC, yes
