Code(-8014) Error processing attribute

I'm using IDM 4.7. I wrote the following policy in the loopback driver in order to add users on entitlement assignment.
The entitlement is valued.
<do-add-src-attr-value class-name="User" name="Group Membership">
<arg-dn>
<token-src-dn/>
</arg-dn>
<arg-value type="string">
<token-local-variable name="current-node"/>
</arg-value>
</do-add-src-attr-value>

When assigning an entitlement to a user, I have the following error: Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY

The Trace file is as follows:
[11/15/18 11:13:13.024]:Group Membership Control ST:Applying policy: % CCACMELBACKENT-maintain Group Membership based on Entitlements%-C.
[11/15/18 11:13:13.024]:Group Membership Control ST: Applying to modify #1.
[11/15/18 11:13:13.024]:Group Membership Control ST: Evaluating selection criteria for rule 'Only allow add and modify operations'.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-operation not-equal "add") = TRUE.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-operation not-equal "modify") = FALSE.
[11/15/18 11:13:13.024]:Group Membership Control ST: Rule rejected.
[11/15/18 11:13:13.024]:Group Membership Control ST: Evaluating selection criteria for rule 'Group add or remove on entitlement'.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-class-name equal "User") = TRUE.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-entitlement 'ACMELBACKENT-Assign Group Membership' changing) = TRUE.
[11/15/18 11:13:13.024]:Group Membership Control ST: Rule selected.
[11/15/18 11:13:13.024]:Group Membership Control ST: Applying rule 'Group add or remove on entitlement'.
[11/15/18 11:13:13.024]:Group Membership Control ST: Action: do-for-each(arg-node-set(token-added-entitlement("ACMELBACKENT-Assign Group Membership"))).
[11/15/18 11:13:13.024]:Group Membership Control ST: arg-node-set(token-added-entitlement("ACMELBACKENT-Assign Group Membership"))
[11/15/18 11:13:13.024]:Group Membership Control ST: token-added-entitlement("ACMELBACKENT-Assign Group Membership")
[11/15/18 11:13:13.024]:Group Membership Control ST: Token Value: {<entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state = "1"}.
[11/15/18 11:13:13.024]:Group Membership Control ST: Arg Value: {<entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state = "1"}.
[11/15/18 11:13:13.040]:Group Membership Control ST: Performing actions for local-variable(current-node) = <entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state = "1".
[11/15/18 11:13:13.040]:Group Membership Control ST: Action: do-add-src-attr-value("Group Membership",class-name="User",arg-dn(token-src-dn()),token-local-variable("current-node")).
[11/15/18 11:13:13.040]:Group Membership Control ST: arg-dn(token-src-dn())
[11/15/18 11:13:13.040]:Group Membership Control ST: token-src-dn()
[11/15/18 11:13:13.040]:Group Membership Control ST: Token Value: "\IDVAULT-TREE\data\users\VKhoury".
[11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value: "\IDVAULT-TREE\data\users\VKhoury".
[11/15/18 11:13:13.040]:Group Membership Control ST: arg-string(token-local-variable("current-node"))
[11/15/18 11:13:13.040]:Group Membership Control ST: token-local-variable("current-node")
[11/15/18 11:13:13.040]:Group Membership Control ST: Token Value: "{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}".
[11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value: "{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}".
[11/15/18 11:13:13.040]:Group Membership Control ST: Action: do-for-each(arg-node-set(token-removed-entitlement("ACMELBACKENT-Assign Group Membership"))).
[11/15/18 11:13:13.040]:Group Membership Control ST: arg-node-set(token-removed-entitlement("ACMELBACKENT-Assign Group Membership"))
[11/15/18 11:13:13.040]:Group Membership Control ST: token-removed-entitlement("ACMELBACKENT-Assign Group Membership")
[11/15/18 11:13:13.040]:Group Membership Control ST: Token Value: {}.
[11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value: {}.
[11/15/18 11:13:13.040]:Group Membership Control ST: Evaluating selection criteria for rule 'Terminate Further Operation Processing'.
[11/15/18 11:13:13.040]:Group Membership Control ST: Rule selected.
[11/15/18 11:13:13.040]:Group Membership Control ST: Applying rule 'Terminate Further Operation Processing'.
[11/15/18 11:13:13.040]:Group Membership Control ST: Action: do-veto().
[11/15/18 11:13:13.040]:Group Membership Control ST: Direct command from policy
[11/15/18 11:13:13.040]:Group Membership Control ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="User" dest-dn="\IDVAULT-TREE\data\users\VKhoury" event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d">
<modify-attr attr-name="Group Membership">
<add-value>
<value type="string">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</value>
</add-value>
</modify-attr>
<operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
</modify>
</input>
</nds>
[11/15/18 11:13:13.040]:Group Membership Control ST: Stripping operation data from input document
[11/15/18 11:13:13.040]:Group Membership Control ST: Pumping XDS to eDirectory.
[11/15/18 11:13:13.040]:Group Membership Control ST: Performing operation modify for \IDVAULT-TREE\data\users\VKhoury.
[11/15/18 11:13:13.040]:Group Membership Control ST: --JCLNT-- \IDVAULT-TREE\system\driverset1\Group Membership Control : Duplicating : context = 656867519, tempContext = 656867482
[11/15/18 11:13:13.040]:Group Membership Control ST: --JCLNT-- \IDVAULT-TREE\system\driverset1\Group Membership Control : Calling free on tempContext = 656867482
[11/15/18 11:13:13.040]:Group Membership Control ST: Restoring operation data to output document
[11/15/18 11:13:13.040]:Group Membership Control ST: Processing returned document.
[11/15/18 11:13:13.040]:Group Membership Control ST: Processing operation <status> for .
[11/15/18 11:13:13.040]:Group Membership Control ST:
DirXML Log Event -------------------
Driver: \IDVAULT-TREE\system\driverset1\Group Membership Control
Channel: Subscriber
Status: Success
[11/15/18 11:13:13.117]:Group Membership Control ST: Processing operation <status> for .
[11/15/18 11:13:13.117]:Group Membership Control ST:
DirXML Log Event -------------------
Driver: \IDVAULT-TREE\system\driverset1\Group Membership Control
Channel: Subscriber
Status: Warning
Message: Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY
[11/15/18 11:13:13.180]:Group Membership Control ST: Direct command from policy result
[11/15/18 11:13:13.180]:Group Membership Control ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d" level="success"><operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
<application>DirXML</application>
<module>Group Membership Control</module>
<object-dn></object-dn>
<component>Subscriber</component>
</status>
<status event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d" level="warning">Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY<operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
<application>DirXML</application>
<module>Group Membership Control</module>
<object-dn></object-dn>
<component>Subscriber</component>
</status>
</output>
</nds>
[11/15/18 11:13:13.180]:Group Membership Control ST:Policy returned:
[11/15/18 11:13:13.180]:Group Membership Control ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input/>
</nds>
[11/15/18 11:13:13.180]:Group Membership Control ST:End transaction.
  • On 11/15/2018 6:16 AM, vkhoury wrote:
    > <modify class-name="User" dest-dn="\IDVAULT-TREE\data\users\VKhoury"
    > event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d">
    > <modify-attr attr-name="Group Membership">
    > <add-value>
    > <value
    > type="string">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</value>
    > </add-value>


    So you correctly read the parameter out of the Entitlement. But the
    syntax is as you can see in the above sample, JSON and eDIR DN's ain't JSON.

    So you can use the ECMA function included in all drivers as
    es:getEntParamField($current-node,"ID") in a Set local variable to an
    XPATH of that statement.

    This would strip out the value of the ID Node in the JSON. Now I am NOT
    sure if the \\ will be reduced to \ as appropriate, in which case you
    might need to then do a Replace All of \\\\ with \\ (\ is escaped to \\
    so \\ is escaped to \\\\ and the replace of \ is escaped to \\ ).

    That is not even word salad, that is ASCII salad. MMM... ASCII Salad
    (said in Homer's voice).

  • Hi geoff,
    Yup that's right, I already tried to solve this by using replace and substring tokens.
    But yea your alternative is better :).
    I will go for it.
  • On 11/15/2018 8:54 AM, vkhoury wrote:
    >
    > Hi geoff,
    > Yup that's right, I already tried to solve this by using replace and
    > substring tokens.
    > But yea your alternative is better :).


    Just assume that, and it will save you time. :)

    Glad it helped.


  • Geoffrey Carman wrote:

    > So you correctly read the parameter out of the Entitlement. But the syntax is
    > as you can see in the above sample, JSON and eDIR DN's ain't JSON.
    >
    > So you can use the ECMA function included in all drivers as
    > es:getEntParamField($current-node,"ID") in a Set local variable to an XPATH
    > of that statement.
    >
    > This would strip out the value of the ID Node in the JSON. Now I am NOT sure
    > if the \\ will be reduced to \ as appropriate, in which case you might need
    > to then do a Replace All of \\\\ with \\ (\ is escaped to \\ so \\ is escaped
    > to \\\\ and the replace of \ is escaped to \\ ).
    >


    Depending on which version of es:getEntParamField you use there are some bugs
    with escaped chars. Especially as you are usually dealing with multiple layers
    of escapes. One for JSON and the other for the target system involved.

    In the case of LDAP as target system (such as AD) I've found that the escaping
    of the escaping (yes word salad again) used to work when they used eval in this
    function but no longer works correctly with the more "safe" json parse.

    Was a while back but thought I had determined that the returned instance in the
    source system driver should properly escape the data as it sees fit first. Had
    an old AD driver so maybe this is fixed in newer code from the vendor.

    Summary: you should use getEntParamField - but make sure to test for edge
    cases.

    --
    If you find this post helpful, and are viewing this using the web, please show
    your appreciation by clicking on the star below
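
Added example, not part of any post in this thread: it decodes the entitlement parameter from the trace with a JSON parser and then tests the "Replace All" step against the layered-escape edge cases mentioned above. `entParamField` and `collapseBackslashes` are hypothetical helpers written for this illustration, not the vendor's `es:getEntParamField`, and the LDAP sample values are constructed.

```javascript
// Added example. entParamField is a hypothetical stand-in written for this
// thread, not the vendor's es:getEntParamField.

// Return one string field of an entitlement parameter, or null if absent.
// JSON.parse removes exactly one escape layer: the JSON one.
function entParamField(param, field) {
  const text = String(param).trim();
  if (!text.startsWith('{')) {
    // Assumption: a non-JSON (legacy) parameter is the bare ID value.
    return field === 'ID' ? text : null;
  }
  let obj;
  try {
    obj = JSON.parse(text);
  } catch (e) {
    throw new Error('entitlement parameter is not valid JSON: ' + e.message);
  }
  const own = Object.prototype.hasOwnProperty.call(obj, field);
  const value = own ? obj[field] : undefined;
  return typeof value === 'string' ? value : null;
}

// The extra "Replace All" step from the thread: two backslashes become one.
function collapseBackslashes(s) {
  return s.split('\\\\').join('\\');
}

// String.raw keeps backslashes exactly as they appear in the parameter.
// fromTrace is the value in the trace above; the LDAP samples are constructed.
const fromTrace = String.raw`{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}`;
const ldapComma = String.raw`{"ID":"CN=Smith\\, John,OU=users,DC=example,DC=com"}`;
const ldapBackslash = String.raw`{"ID":"CN=a\\\\b,OU=users,DC=example,DC=com"}`;

// Decode each sample, apply the extra replace, and flag any value it changes.
function demo() {
  const rows = [];
  const samples = { fromTrace, ldapComma, ldapBackslash };
  for (const [name, param] of Object.entries(samples)) {
    const decoded = entParamField(param, 'ID');
    const collapsed = collapseBackslashes(decoded);
    rows.push({ name, decoded, collapsed, damaged: decoded !== collapsed });
  }
  return rows;
}

for (const row of demo()) console.log(row);
```

Only the third sample is changed by the extra replace: its decoded value legitimately contains two backslashes (an LDAP-escaped backslash), so collapsing them alters the DN.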
  • On 11/16/2018 7:23 AM, Alex McHugh wrote:
    > Geoffrey Carman wrote:
    >
    >> So you correctly read the parameter out of the Entitlement. But the syntax is
    >> as you can see in the above sample, JSON and eDIR DN's ain't JSON.
    >>
    >> So you can use the ECMA function included in all drivers as
    >> es:getEntParamField($current-node,"ID") in a Set local variable to an XPATH
    >> of that statement.
    >>
    >> This would strip out the value of the ID Node in the JSON. Now I am NOT sure
    >> if the \\ will be reduced to \ as appropriate, in which case you might need
    >> to then do a Replace All of \\\\ with \\ (\ is escaped to \\ so \\ is escaped
    >> to \\\\ and the replace of \ is escaped to \\ ).
    >>

    >
    > Depending on which version of es:getEntParamField you use there are some bugs
    > with escaped chars. Especially as you are usually dealing with multiple layers
    > of escapes. One for JSON and the other for the target system involved.
    >
    > In the case of LDAP as target system (such as AD) I've found that the escaping
    > of the escaping (yes word salad again) used to work when they used eval in this
    > function but no longer works correctly with the more "safe" json parse.
    >
    > Was a while back but thought I had determined that the returned instance in the
    > source system driver should properly escape the data as it sees fit first. Had
    > an old AD driver so maybe this is fixed in newer code from the vendor.
    >
    > Summary: you should use getEntParamField - but make sure to test for edge
    > cases.


    Dang those edge cases! Thanks for the heads up!

    Is \ one of those characters with issues?


  • Geoffrey Carman wrote:

    > Is \ one of those characters with issues?


    IIRC, yes

  • On 11/16/2018 9:53 AM, Alex McHugh wrote:
    > Geoffrey Carman wrote:
    >
    >> Is \ one of those characters with issues?

    >
    > IIRC, yes


    Well that makes it awkward.