Code(-9010) An exception occurred: novell.jclient.JCExcepti

I'm using IDM 4.5. I have a database with a table named 'hr_pers' where 'manager' is an attribute with a constraint of foreign key. Since one of users can be a manager.
I was trying to sync this attribute to AD. I realized that the attribute is referencing a DN (IDVAULT-TREE\users\data\Name). I added an attribute to the vault names 'mngrid' (dsingle valued and of type DN).
The attribute is added to the filter and to schema mapping.
But while mapping i have the following error:
<nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
<source>
<product build="20141001_0706" instance="PostgreSQL" version="4.0.0.2">DirXML Driver for JDBC</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="User" dest-dn="data\users\VKhoury" dest-entry-id="34053" event-id="ID=4,table=HR_PERS" src-dn="ID=4,table=HR_PERS">
<association>ID=4,table=HR_PERS</association>
<modify-attr attr-name="mngrid">
<remove-all-values/>
<add-value>
<value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[09/03/18 14:29:54.888]:trace1 PT:Filtering out notification-only attributes.
[09/03/18 14:29:54.888]:trace1 PT:Pumping XDS to eDirectory.
[09/03/18 14:29:54.888]:trace1 PT:Performing operation modify for data\users\VKhoury.
[09/03/18 14:29:54.888]:trace1 PT:--JCLNT-- \IDVAULT-TREE\system\driverset1\PostgreSQL - Publisher : Duplicating : context = 1353318507, tempContext = 1353318509
[09/03/18 14:29:54.888]:trace1 PT:Modifying entry data\users\VKhoury.
[09/03/18 14:29:54.888]:trace1 PT:--JCLNT-- \IDVAULT-TREE\system\driverset1\PostgreSQL - Publisher : Calling free on tempContext = 1353318509
[09/03/18 14:29:54.888]:trace1 PT:
DirXML Log Event -------------------
Driver: \IDVAULT-TREE\system\driverset1\PostgreSQL
Channel: Publisher
Object: ID=4,table=HR_PERS (data\users\VKhoury)
Status: Error
Message: Code(-9010) An exception occurred: novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE
[09/03/18 14:29:54.888]:trace1 PT:Fixing up association references.
[09/03/18 14:29:54.888]:trace1 PT:Applying schema mapping policies to output.
[09/03/18 14:29:54.888]:trace1 PT:Applying policy: % CCNOVLPGSDISYN-smp%-C.
[09/03/18 14:29:54.888]:trace1 PT:Applying policy: % CCNOVLJDBCDACL-smp%-C.
[09/03/18 14:29:54.888]:trace1 PT: Applying to status #1.
[09/03/18 14:29:54.888]:trace1 PT:Policy returned:
[09/03/18 14:29:54.888]:trace1 PT:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="ID=4,table=HR_PERS" level="error">Code(-9010) An exception occurred: novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE<application>DirXML</application>
<module>PostgreSQL</module>
<object-dn>ID=4,table=HR_PERS (data\users\VKhoury)</object-dn>
<component>Publisher</component>
</status>
</output>
</nds>
I don't know what type of attribute to use in this case.
  • The attribute type is probably fine but the error means you have likely
    not extended this particular user to be able to use this new attribute.
    Did you add it to an auxiliary class (hopefully) or maybe even the User
    class (please no)? If neither of those, then while the attribute exists
    in schema it is not available to ANY class of object, which also explains
    your problem.

    Normally you should create a new attribute (if necessary; why not use the
    'manager' attribute that is available to the User class already in
    eDirectory), add it to an auxiliary class as an optional attribute, and
    then when you want that attribute to be on a user you add that auxiliary
    object class to the object and the attribute is now available. This
    basically lets you bolt any attributes to any objects as needed in a very
    flexible way.

    Since you did not mention doing it, I presume you did not create an
    auxiliary class which is the problem. If you did, then show us the full
    trace of the event leading to what you show below. The IDM engine will
    auto-add the auxiliary classes needed for a new attribute on the fly, but
    only if you add it early enough in the channel (prior to the Publisher
    Command Transformation Policyset (CTP)). I presume that was the case
    here, but without the full trace I cannot tell. If correct, simply create
    an auxiliary class with the attribute as an optional attribute and then
    try again.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • The attribute is added to an auxiliary table named 'IDVAULT'.
    I created an attribute because the existing one is multivalued.
    The trace file is as follows:
    [09/03/18 14:29:54.857]:trace1 PT:Applying policy: % CCSchema map%-C.
    [09/03/18 14:29:54.857]:trace1 PT: Mapping class-name 'hr_pers' to 'User'.
    [09/03/18 14:29:54.857]:trace1 PT: Mapping attr-name 'midname' to 'Initials'.
    [09/03/18 14:29:54.857]:trace1 PT: Mapping attr-name 'midname' to 'Initials'.
    [09/03/18 14:29:54.857]:trace1 PT: Mapping attr-name 'firstname' to 'Given Name'.
    [09/03/18 14:29:54.857]:trace1 PT: Mapping attr-name 'firstname' to 'Given Name'.
    [09/03/18 14:29:54.857]:trace1 PT: Mapping attr-name 'manager' to 'mngrid'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'manager' to 'mngrid'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'jobtitle' to 'JobTitle'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'jobtitle' to 'JobTitle'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'id' to 'workforceID'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'id' to 'workforceID'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'status' to 'Status'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'status' to 'Status'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'department' to 'Department'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'department' to 'Department'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'telephonenumber' to 'Telephone Number'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'telephonenumber' to 'Telephone Number'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'lastname' to 'Surname'.
    [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'lastname' to 'Surname'.
    [09/03/18 14:29:54.872]:trace1 PT:Resolving association references.
    [09/03/18 14:29:54.872]:trace1 PT:No event transformation policies.
    [09/03/18 14:29:54.872]:trace1 PT:Applying publisher filter.
    [09/03/18 14:29:54.872]:trace1 PT:Publisher processing modify for ID=4,table=HR_PERS.
    [09/03/18 14:29:54.872]:trace1 PT:Reading relevant attributes from data\users\VKhoury.
    [09/03/18 14:29:54.872]:trace1 PT:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.5.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <query class-name="User" dest-dn="data\users\VKhoury" dest-entry-id="34053" scope="entry">
    <read-attr attr-name="Department"/>
    <read-attr attr-name="Given Name"/>
    <read-attr attr-name="Initials"/>
    <read-attr attr-name="JobTitle"/>
    <read-attr attr-name="mngrid"/>
    <read-attr attr-name="Status"/>
    <read-attr attr-name="Surname"/>
    <read-attr attr-name="Telephone Number"/>
    <read-attr attr-name="workforceID"/>
    <read-attr attr-name="Object Class"/>
    </query>
    </input>
    </nds>
    [09/03/18 14:29:54.872]:trace1 PT:Pumping XDS to eDirectory.
    [09/03/18 14:29:54.872]:trace1 PT:Performing operation query for data\users\VKhoury.
    [09/03/18 14:29:54.872]:trace1 PT:--JCLNT-- \IDVAULT-TREE\system\driverset1\PostgreSQL - Publisher : Duplicating : context = 1353318507, tempContext = 1353318509
    [09/03/18 14:29:54.872]:trace1 PT:--JCLNT-- \IDVAULT-TREE\system\driverset1\PostgreSQL - Publisher : Calling free on tempContext = 1353318509
    [09/03/18 14:29:54.872]:trace1 PT:Read result:
    [09/03/18 14:29:54.872]:trace1 PT:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.5.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <instance class-name="User" event-id="0" qualified-src-dn="O=data\OU=users\CN=VKhoury" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34053">
    <association state="associated">ID=4,table=HR_PERS</association>
    <attr attr-name="Department">
    <value timestamp="1535699431#8" type="string">eng</value>
    </attr>
    <attr attr-name="Given Name">
    <value timestamp="1535699431#4" type="string">Vanessa</value>
    </attr>
    <attr attr-name="Initials">
    <value timestamp="1535699431#3" type="string">Farid</value>
    </attr>
    <attr attr-name="JobTitle">
    <value timestamp="1535701249#2" type="string">manager</value>
    </attr>
    <attr attr-name="Status">
    <value timestamp="1535699431#7" type="int">0</value>
    </attr>
    <attr attr-name="Surname">
    <value timestamp="1535699431#10" type="string">Khoury</value>
    </attr>
    <attr attr-name="Telephone Number">
    <value timestamp="1535699431#9" type="teleNumber">70771865</value>
    </attr>
    <attr attr-name="workforceID">
    <value timestamp="1535699431#6" type="string">4</value>
    </attr>
    <attr attr-name="Object Class">
    <value timestamp="1535699431#15" type="string">User</value>
    <value timestamp="1535699431#16" type="string">IDVault</value>
    <value timestamp="1535699431#17" type="string">Organizational Person</value>
    <value timestamp="1535699431#18" type="string">Person</value>
    <value timestamp="1535699431#19" type="string">ndsLoginProperties</value>
    <value timestamp="1535699431#20" type="string">Top</value>
    <value timestamp="1535699444#6" type="string">DirXML-ApplicationAttrs</value>
    </attr>
    </instance>
    <status event-id="0" level="success"></status>
    </output>
    </nds>
    [09/03/18 14:29:54.872]:trace1 PT:Found non-class attribute mngrid.
    [09/03/18 14:29:54.872]:trace1 PT:Optimize Modify returned:
    [09/03/18 14:29:54.872]:trace1 PT:
    <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    <source>
    <product build="20141001_0706" instance="PostgreSQL" version="4.0.0.2">DirXML Driver for JDBC</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="data\users\VKhoury" dest-entry-id="34053" event-id="ID=4,table=HR_PERS" src-dn="ID=4,table=HR_PERS">
    <association>ID=4,table=HR_PERS</association>
    <modify-attr attr-name="mngrid">
    <remove-all-values/>
    <add-value>
    <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [09/03/18 14:29:54.872]:trace1 PT:Applying command transformation policies.
    [09/03/18 14:29:54.872]:trace1 PT:Applying policy: % CCNOVLPWDSYNC-pub-ctp-DefaultPwd%-C.
    [09/03/18 14:29:54.872]:trace1 PT: Applying to modify #1.
    [09/03/18 14:29:54.872]:trace1 PT: Evaluating selection criteria for rule 'On User add, provide the default password if no password exists'.
    [09/03/18 14:29:54.872]:trace1 PT: (if-operation equal "add") = FALSE.
    [09/03/18 14:29:54.872]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.872]:trace1 PT:Policy returned:
    [09/03/18 14:29:54.872]:trace1 PT:
    <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    <source>
    <product build="20141001_0706" instance="PostgreSQL" version="4.0.0.2">DirXML Driver for JDBC</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="data\users\VKhoury" dest-entry-id="34053" event-id="ID=4,table=HR_PERS" src-dn="ID=4,table=HR_PERS">
    <association>ID=4,table=HR_PERS</association>
    <modify-attr attr-name="mngrid">
    <remove-all-values/>
    <add-value>
    <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [09/03/18 14:29:54.872]:trace1 PT:Applying policy: % CCNOVLPWDSYNC-pub-ctp-DefaultPwd%-C.
    [09/03/18 14:29:54.872]:trace1 PT: Applying to modify #1.
    [09/03/18 14:29:54.872]:trace1 PT: Evaluating selection criteria for rule 'On User add, provide the default password if no password exists'.
    [09/03/18 14:29:54.872]:trace1 PT: (if-operation equal "add") = FALSE.
    [09/03/18 14:29:54.872]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.872]:trace1 PT:Policy returned:
    [09/03/18 14:29:54.872]:trace1 PT:
    <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    <source>
    <product build="20141001_0706" instance="PostgreSQL" version="4.0.0.2">DirXML Driver for JDBC</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="data\users\VKhoury" dest-entry-id="34053" event-id="ID=4,table=HR_PERS" src-dn="ID=4,table=HR_PERS">
    <association>ID=4,table=HR_PERS</association>
    <modify-attr attr-name="mngrid">
    <remove-all-values/>
    <add-value>
    <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [09/03/18 14:29:54.872]:trace1 PT:Applying policy: % CCNOVLPWDSYNC-pub-ctp-CheckPwdGCV%-C.
    [09/03/18 14:29:54.872]:trace1 PT: Applying to modify #1.
    [09/03/18 14:29:54.872]:trace1 PT: Evaluating selection criteria for rule 'Block publishing passwords to the Identity Vault when adding an object'.
    [09/03/18 14:29:54.872]:trace1 PT: (if-global-variable 'enable-password-publish' equal "false") = FALSE.
    [09/03/18 14:29:54.872]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.872]:trace1 PT: Evaluating selection criteria for rule 'Block sending modify-password changes to the Identity Vault'.
    [09/03/18 14:29:54.872]:trace1 PT: (if-global-variable 'enable-password-publish' equal "false") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    [09/03/18 14:29:54.888]:trace1 PT:
    <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    <source>
    <product build="20141001_0706" instance="PostgreSQL" version="4.0.0.2">DirXML Driver for JDBC</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="data\users\VKhoury" dest-entry-id="34053" event-id="ID=4,table=HR_PERS" src-dn="ID=4,table=HR_PERS">
    <association>ID=4,table=HR_PERS</association>
    <modify-attr attr-name="mngrid">
    <remove-all-values/>
    <add-value>
    <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [09/03/18 14:29:54.888]:trace1 PT:Applying policy: % CCNOVLPWDSYNC-pub-ctp-PublishDistPwd%-C.
    [09/03/18 14:29:54.888]:trace1 PT: Applying to modify #1.
    [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for rule 'Add nspmDistributionAttribute attribute to add operation'.
    [09/03/18 14:29:54.888]:trace1 PT: (if-global-variable 'publish-password-to-dp' equal "true") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for rule 'Change modify-password operations to a modify'.
    [09/03/18 14:29:54.888]:trace1 PT: (if-global-variable 'publish-password-to-dp' equal "true") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    [09/03/18 14:29:54.888]:trace1 PT:
    <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    <source>
    <product build="20141001_0706" instance="PostgreSQL" version="4.0.0.2">DirXML Driver for JDBC</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="data\users\VKhoury" dest-entry-id="34053" event-id="ID=4,table=HR_PERS" src-dn="ID=4,table=HR_PERS">
    <association>ID=4,table=HR_PERS</association>
    <modify-attr attr-name="mngrid">
    <remove-all-values/>
    <add-value>
    <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [09/03/18 14:29:54.888]:trace1 PT:Applying policy: % CCNOVLPWDSYNC-pub-ctp-PublishNDSPwd%-C.
    [09/03/18 14:29:54.888]:trace1 PT: Applying to modify #1.
    [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for rule 'Block publishing passwords to eDirectory password'.
    [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "add") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for rule 'Block sending modify-password changes to the eDirectory password'.
    [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "modify-password") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    [09/03/18 14:29:54.888]:trace1 PT:
    <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    <source>
    <product build="20141001_0706" instance="PostgreSQL" version="4.0.0.2">DirXML Driver for JDBC</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="data\users\VKhoury" dest-entry-id="34053" event-id="ID=4,table=HR_PERS" src-dn="ID=4,table=HR_PERS">
    <association>ID=4,table=HR_PERS</association>
    <modify-attr attr-name="mngrid">
    <remove-all-values/>
    <add-value>
    <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [09/03/18 14:29:54.888]:trace1 PT:Applying policy: % CCNOVLPWDSYNC-pub-ctp-AddPwdPayload%-C.
    [09/03/18 14:29:54.888]:trace1 PT: Applying to modify #1.
    [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for rule 'Add operation-data element to password operations'.
    [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "add") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "add") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "modify-password") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "modify") = TRUE.
    [09/03/18 14:29:54.888]:trace1 PT: (if-xpath true "modify-attr[@attr-name='nspmDistributionPassword']") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for rule 'Add payload data to password operations'.
    [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "add") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "add") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "modify-password") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "modify") = TRUE.
    [09/03/18 14:29:54.888]:trace1 PT: (if-xpath true "modify-attr[@attr-name='nspmDistributionPassword']") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    [09/03/18 14:29:54.888]:trace1 PT:
    <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    <source>
    <product build="20141001_0706" instance="PostgreSQL" version="4.0.0.2">DirXML Driver for JDBC</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="data\users\VKhoury" dest-entry-id="34053" event-id="ID=4,table=HR_PERS" src-dn="ID=4,table=HR_PERS">
    <association>ID=4,table=HR_PERS</association>
    <modify-attr attr-name="mngrid">
    <remove-all-values/>
    <add-value>
    <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [09/03/18 14:29:54.888]:trace1 PT:Filtering out notification-only attributes.
    [09/03/18 14:29:54.888]:trace1 PT:Pumping XDS to eDirectory.
    [09/03/18 14:29:54.888]:trace1 PT:Performing operation modify for data\users\VKhoury.
    [09/03/18 14:29:54.888]:trace1 PT:--JCLNT-- \IDVAULT-TREE\system\driverset1\PostgreSQL - Publisher : Duplicating : context = 1353318507, tempContext = 1353318509
    [09/03/18 14:29:54.888]:trace1 PT:Modifying entry data\users\VKhoury.
    [09/03/18 14:29:54.888]:trace1 PT:--JCLNT-- \IDVAULT-TREE\system\driverset1\PostgreSQL - Publisher : Calling free on tempContext = 1353318509
    [09/03/18 14:29:54.888]:trace1 PT:
    DirXML Log Event -------------------
    Driver: \IDVAULT-TREE\system\driverset1\PostgreSQL
    Channel: Publisher
    Object: ID=4,table=HR_PERS (data\users\VKhoury)
    Status: Error
    Message: Code(-9010) An exception occurred: novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE
    [09/03/18 14:29:54.888]:trace1 PT:Fixing up association references.
    [09/03/18 14:29:54.888]:trace1 PT:Applying schema mapping policies to output.
    [09/03/18 14:29:54.888]:trace1 PT:Applying policy: % CCNOVLPGSDISYN-smp%-C.
    [09/03/18 14:29:54.888]:trace1 PT:Applying policy: % CCNOVLJDBCDACL-smp%-C.
    [09/03/18 14:29:54.888]:trace1 PT: Applying to status #1.
    [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    [09/03/18 14:29:54.888]:trace1 PT:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.5.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status event-id="ID=4,table=HR_PERS" level="error">Code(-9010) An exception occurred: novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE<application>DirXML</application>
    <module>PostgreSQL</module>
    <object-dn>ID=4,table=HR_PERS (data\users\VKhoury)</object-dn>
    <component>Publisher</component>
    </status>
    </output>
    </nds>
    [09/03/18 14:29:54.888]:trace1 PT:Applying policy: % CCSchema map%-C.
    [09/03/18 14:29:54.888]:trace1 PT:Applying output transformation policies.
    [09/03/18 14:29:54.888]:trace1 PT:Applying policy: % CCNOVLJDBCDACL-itp-StripReadAttr%-C.
    [09/03/18 14:29:54.888]:trace1 PT: Applying to status #1.
    [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for rule 'Strip Description Attribute'.
    [09/03/18 14:29:54.888]:trace1 PT: (if-class-name match "indirect.grp|direct.view_grp") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    [09/03/18 14:29:54.888]:trace1 PT:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.5.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status event-id="ID=4,table=HR_PERS" level="error">Code(-9010) An exception occurred: novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE<application>DirXML</application>
    <module>PostgreSQL</module>
    <object-dn>ID=4,table=HR_PERS (data\users\VKhoury)</object-dn>
    <component>Publisher</component>
    </status>
    </output>
    </nds>
    [09/03/18 14:29:54.888]:trace1 PT:Applying policy: % CCNOVLPGSDISYN-otp-ReformatFax%-C.
    [09/03/18 14:29:54.888]:trace1 PT: Applying to status #1.
    [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for rule 'User: Reformat fax number as string'.
    [09/03/18 14:29:54.888]:trace1 PT: (if-class-name equal "direct.view_usr") = FALSE.
    [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    [09/03/18 14:29:54.888]:trace1 PT:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.5.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status event-id="ID=4,table=HR_PERS" level="error">Code(-9010) An exception occurred: novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE<application>DirXML</application>
    <module>PostgreSQL</module>
    <object-dn>ID=4,table=HR_PERS (data\users\VKhoury)</object-dn>
    <component>Publisher</component>
    </status>
    </output>
    </nds>
    [09/03/18 14:29:54.904]:trace1 PT:Applying policy: % CCNOVLPWDSYNC-otp-EmailOnFailedPwdPub%-C.
    [09/03/18 14:29:54.904]:trace1 PT: Applying to status #1.
    [09/03/18 14:29:54.904]:trace1 PT: Evaluating selection criteria for rule 'Send e-mail for a failed publish password operation'.
    [09/03/18 14:29:54.904]:trace1 PT: (if-global-variable 'notify-user-on-password-dist-failure' equal "true") = TRUE.
    [09/03/18 14:29:54.904]:trace1 PT: (if-operation equal "status") = TRUE.
    [09/03/18 14:29:54.904]:trace1 PT: (if-xpath true "self::status[@level != 'success']/operation-data/password-publish-status") = FALSE.
    [09/03/18 14:29:54.904]:trace1 PT: Rule rejected.
    [09/03/18 14:29:54.904]:trace1 PT:Policy returned:
    [09/03/18 14:29:54.904]:trace1 PT:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.5.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status event-id="ID=4,table=HR_PERS" level="error">Code(-9010) An exception occurred: novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE<application>DirXML</application>
    <module>PostgreSQL</module>
    <object-dn>ID=4,table=HR_PERS (data\users\VKhoury)</object-dn>
    <component>Publisher</component>
    </status>
    </output>
    </nds>
    [09/03/18 14:29:54.904]:trace1 PT:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.5.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status event-id="ID=4,table=HR_PERS" level="error">Code(-9010) An exception occurred: novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE<application>DirXML</application>
    <module>PostgreSQL</module>
    <object-dn>ID=4,table=HR_PERS (data\users\VKhoury)</object-dn>
    <component>Publisher</component>
    </status>
    </output>
  • On 9/3/2018 7:54 AM, vkhoury wrote:
    >
    > I'm using IDM 4.5. I have a database with a table named 'hr_pers' where
    > 'manager' is an attribute with a constraint of foreign key. Since one of
    > users can be a manager.
    > I was trying to sync this attribute to AD. I realized that the attribute
    > is referencing a DN (IDVAULT-TREE\users\data\Name). I added an attribute
    > to the vault names 'mngrid' (dsingle valued and of type DN).
    > The attribute is added to the filter and to schema mapping.
    > But while mapping i have the following error:
    > <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    > <source>
    > <product build="20141001_0706" instance="PostgreSQL"
    > version="4.0.0.2">DirXML Driver for JDBC</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <modify class-name="User" dest-dn="data\users\VKhoury"
    > dest-entry-id="34053" event-id="ID=4,table=HR_PERS"
    > src-dn="ID=4,table=HR_PERS">
    > <association>ID=4,table=HR_PERS</association>
    > <modify-attr attr-name="mngrid">
    > <remove-all-values/>
    > <add-value>
    > <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    > </add-value>
    > </modify-attr>
    > </modify>
    > </input>
    > </nds>
    > [09/03/18 14:29:54.888]:trace1 PT:Filtering out notification-only
    > attributes.
    > [09/03/18 14:29:54.888]:trace1 PT:Pumping XDS to eDirectory.
    > [09/03/18 14:29:54.888]:trace1 PT:Performing operation modify for
    > data\users\VKhoury.
    > [09/03/18 14:29:54.888]:trace1 PT:--JCLNT--
    > \IDVAULT-TREE\system\driverset1\PostgreSQL - Publisher : Duplicating :
    > context = 1353318507, tempContext = 1353318509
    > [09/03/18 14:29:54.888]:trace1 PT:Modifying entry data\users\VKhoury.
    > [09/03/18 14:29:54.888]:trace1 PT:--JCLNT--
    > \IDVAULT-TREE\system\driverset1\PostgreSQL - Publisher : Calling free on
    > tempContext = 1353318509
    > [09/03/18 14:29:54.888]:trace1 PT:
    > DirXML Log Event -------------------
    > Driver: \IDVAULT-TREE\system\driverset1\PostgreSQL
    > Channel: Publisher
    > Object: ID=4,table=HR_PERS (data\users\VKhoury)
    > Status: Error
    > Message: Code(-9010) An exception occurred:
    > novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE
    > [09/03/18 14:29:54.888]:trace1 PT:Fixing up association references.
    > [09/03/18 14:29:54.888]:trace1 PT:Applying schema mapping policies to
    > output.
    > [09/03/18 14:29:54.888]:trace1 PT:Applying policy:
    > % CCNOVLPGSDISYN-smp%-C.
    > [09/03/18 14:29:54.888]:trace1 PT:Applying policy:
    > % CCNOVLJDBCDACL-smp%-C.
    > [09/03/18 14:29:54.888]:trace1 PT: Applying to status #1.
    > [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    > [09/03/18 14:29:54.888]:trace1 PT:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Advanced" version="4.5.0.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <output>
    > <status event-id="ID=4,table=HR_PERS" level="error">Code(-9010) An
    > exception occurred: novell.jclient.JCException: modifyEntry -608
    > ERR_ILLEGAL_ATTRIBUTE<application>DirXML</application>
    > <module>PostgreSQL</module>
    > <object-dn>ID=4,table=HR_PERS (data\users\VKhoury)</object-dn>
    > <component>Publisher</component>
    > </status>
    > </output>
    > </nds>
    > I don't know what type of attribute to use in this case.


    So several issues here I suspect.

    1) 609 illegal attribute makes me think you made the attribute but maybe
    did not add it to any Aux classes?

    2) You want to store a manager DN in the vault. From AD? Why?

    If you have an attr node with @type='dn' then the engine will try to
    convert that DN as needed to an associated object.

    So lets talk Pub channel. Manager changes in AD. The Manager in AD is a
    DN and it comes in as LDAP format. Clearly that is not correct and it is
    the LDAP DN for the AD structure, which makes no sense for eDir of the IDV.

    So the engine looks at the DN's association value (comes in as
    @association-ref="Some GUID value") and sees if any eDir users have a
    DirXML-Association with that value and if so, uses the associated
    objects eDir DN. I.e. It converted it successfully.

    If it cannot find an associated object, it drops the attribute.

    So if the AD manager is in the IDV and associated, the engine should
    just magically handle it.

    This is also a downside of a DN syntax attribute, since the engine
    always tries to convert and drops if it fails, so you cannot send a DN
    through to a string attribute, since the engine will try to convert it.


  • On 9/3/2018 8:34 AM, vkhoury wrote:
    >
    > The attribute is added to an auxiliary table named 'IDVAULT'.
    > I created an attribute because the existing one is multivalued.


    I think you are missing Aaron's point.

    In eDirectory, attributes can exist, floating in the ether. You cannot
    use them (instantiate them) until they are defined as part of a class.
    Aux class is the best choice for your use case.

    You are talking about mapping it. Aaron is talking about the eDir
    schema itself.



    > The trace file is as follows:
    > [09/03/18 14:29:54.857]:trace1 PT:Applying policy:
    > % CCSchema map%-C.
    > [09/03/18 14:29:54.857]:trace1 PT: Mapping class-name 'hr_pers' to
    > 'User'.
    > [09/03/18 14:29:54.857]:trace1 PT: Mapping attr-name 'midname' to
    > 'Initials'.
    > [09/03/18 14:29:54.857]:trace1 PT: Mapping attr-name 'midname' to
    > 'Initials'.
    > [09/03/18 14:29:54.857]:trace1 PT: Mapping attr-name 'firstname' to
    > 'Given Name'.
    > [09/03/18 14:29:54.857]:trace1 PT: Mapping attr-name 'firstname' to
    > 'Given Name'.
    > [09/03/18 14:29:54.857]:trace1 PT: Mapping attr-name 'manager' to
    > 'mngrid'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'manager' to
    > 'mngrid'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'jobtitle' to
    > 'JobTitle'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'jobtitle' to
    > 'JobTitle'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'id' to
    > 'workforceID'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'id' to
    > 'workforceID'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'status' to
    > 'Status'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'status' to
    > 'Status'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'department' to
    > 'Department'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'department' to
    > 'Department'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'telephonenumber'
    > to 'Telephone Number'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'telephonenumber'
    > to 'Telephone Number'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'lastname' to
    > 'Surname'.
    > [09/03/18 14:29:54.872]:trace1 PT: Mapping attr-name 'lastname' to
    > 'Surname'.
    > [09/03/18 14:29:54.872]:trace1 PT:Resolving association references.
    > [09/03/18 14:29:54.872]:trace1 PT:No event transformation policies.
    > [09/03/18 14:29:54.872]:trace1 PT:Applying publisher filter.
    > [09/03/18 14:29:54.872]:trace1 PT:Publisher processing modify for
    > ID=4,table=HR_PERS.
    > [09/03/18 14:29:54.872]:trace1 PT:Reading relevant attributes from
    > data\users\VKhoury.
    > [09/03/18 14:29:54.872]:trace1 PT:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Advanced" version="4.5.0.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <query class-name="User" dest-dn="data\users\VKhoury"
    > dest-entry-id="34053" scope="entry">
    > <read-attr attr-name="Department"/>
    > <read-attr attr-name="Given Name"/>
    > <read-attr attr-name="Initials"/>
    > <read-attr attr-name="JobTitle"/>
    > <read-attr attr-name="mngrid"/>
    > <read-attr attr-name="Status"/>
    > <read-attr attr-name="Surname"/>
    > <read-attr attr-name="Telephone Number"/>
    > <read-attr attr-name="workforceID"/>
    > <read-attr attr-name="Object Class"/>
    > </query>
    > </input>
    > </nds>
    > [09/03/18 14:29:54.872]:trace1 PT:Pumping XDS to eDirectory.
    > [09/03/18 14:29:54.872]:trace1 PT:Performing operation query for
    > data\users\VKhoury.
    > [09/03/18 14:29:54.872]:trace1 PT:--JCLNT--
    > \IDVAULT-TREE\system\driverset1\PostgreSQL - Publisher : Duplicating :
    > context = 1353318507, tempContext = 1353318509
    > [09/03/18 14:29:54.872]:trace1 PT:--JCLNT--
    > \IDVAULT-TREE\system\driverset1\PostgreSQL - Publisher : Calling free on
    > tempContext = 1353318509
    > [09/03/18 14:29:54.872]:trace1 PT:Read result:
    > [09/03/18 14:29:54.872]:trace1 PT:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Advanced" version="4.5.0.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <output>
    > <instance class-name="User" event-id="0"
    > qualified-src-dn="O=data\OU=users\CN=VKhoury"
    > src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34053">
    > <association state="associated">ID=4,table=HR_PERS</association>
    > <attr attr-name="Department">
    > <value timestamp="1535699431#8" type="string">eng</value>
    > </attr>
    > <attr attr-name="Given Name">
    > <value timestamp="1535699431#4" type="string">Vanessa</value>
    > </attr>
    > <attr attr-name="Initials">
    > <value timestamp="1535699431#3" type="string">Farid</value>
    > </attr>
    > <attr attr-name="JobTitle">
    > <value timestamp="1535701249#2" type="string">manager</value>
    > </attr>
    > <attr attr-name="Status">
    > <value timestamp="1535699431#7" type="int">0</value>
    > </attr>
    > <attr attr-name="Surname">
    > <value timestamp="1535699431#10" type="string">Khoury</value>
    > </attr>
    > <attr attr-name="Telephone Number">
    > <value timestamp="1535699431#9"
    > type="teleNumber">70771865</value>
    > </attr>
    > <attr attr-name="workforceID">
    > <value timestamp="1535699431#6" type="string">4</value>
    > </attr>
    > <attr attr-name="Object Class">
    > <value timestamp="1535699431#15" type="string">User</value>
    > <value timestamp="1535699431#16" type="string">IDVault</value>
    > <value timestamp="1535699431#17" type="string">Organizational
    > Person</value>
    > <value timestamp="1535699431#18" type="string">Person</value>
    > <value timestamp="1535699431#19"
    > type="string">ndsLoginProperties</value>
    > <value timestamp="1535699431#20" type="string">Top</value>
    > <value timestamp="1535699444#6"
    > type="string">DirXML-ApplicationAttrs</value>
    > </attr>
    > </instance>
    > <status event-id="0" level="success"></status>
    > </output>
    > </nds>
    > [09/03/18 14:29:54.872]:trace1 PT:Found non-class attribute mngrid.
    > [09/03/18 14:29:54.872]:trace1 PT:Optimize Modify returned:
    > [09/03/18 14:29:54.872]:trace1 PT:
    > <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    > <source>
    > <product build="20141001_0706" instance="PostgreSQL"
    > version="4.0.0.2">DirXML Driver for JDBC</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <modify class-name="User" dest-dn="data\users\VKhoury"
    > dest-entry-id="34053" event-id="ID=4,table=HR_PERS"
    > src-dn="ID=4,table=HR_PERS">
    > <association>ID=4,table=HR_PERS</association>
    > <modify-attr attr-name="mngrid">
    > <remove-all-values/>
    > <add-value>
    > <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    > </add-value>
    > </modify-attr>
    > </modify>
    > </input>
    > </nds>
    > [09/03/18 14:29:54.872]:trace1 PT:Applying command transformation
    > policies.
    > [09/03/18 14:29:54.872]:trace1 PT:Applying policy:
    > % CCNOVLPWDSYNC-pub-ctp-DefaultPwd%-C.
    > [09/03/18 14:29:54.872]:trace1 PT: Applying to modify #1.
    > [09/03/18 14:29:54.872]:trace1 PT: Evaluating selection criteria for
    > rule 'On User add, provide the default password if no password exists'.
    > [09/03/18 14:29:54.872]:trace1 PT: (if-operation equal "add") =
    > FALSE.
    > [09/03/18 14:29:54.872]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.872]:trace1 PT:Policy returned:
    > [09/03/18 14:29:54.872]:trace1 PT:
    > <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    > <source>
    > <product build="20141001_0706" instance="PostgreSQL"
    > version="4.0.0.2">DirXML Driver for JDBC</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <modify class-name="User" dest-dn="data\users\VKhoury"
    > dest-entry-id="34053" event-id="ID=4,table=HR_PERS"
    > src-dn="ID=4,table=HR_PERS">
    > <association>ID=4,table=HR_PERS</association>
    > <modify-attr attr-name="mngrid">
    > <remove-all-values/>
    > <add-value>
    > <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    > </add-value>
    > </modify-attr>
    > </modify>
    > </input>
    > </nds>
    > [09/03/18 14:29:54.872]:trace1 PT:Applying policy:
    > % CCNOVLPWDSYNC-pub-ctp-DefaultPwd%-C.
    > [09/03/18 14:29:54.872]:trace1 PT: Applying to modify #1.
    > [09/03/18 14:29:54.872]:trace1 PT: Evaluating selection criteria for
    > rule 'On User add, provide the default password if no password exists'.
    > [09/03/18 14:29:54.872]:trace1 PT: (if-operation equal "add") =
    > FALSE.
    > [09/03/18 14:29:54.872]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.872]:trace1 PT:Policy returned:
    > [09/03/18 14:29:54.872]:trace1 PT:
    > <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    > <source>
    > <product build="20141001_0706" instance="PostgreSQL"
    > version="4.0.0.2">DirXML Driver for JDBC</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <modify class-name="User" dest-dn="data\users\VKhoury"
    > dest-entry-id="34053" event-id="ID=4,table=HR_PERS"
    > src-dn="ID=4,table=HR_PERS">
    > <association>ID=4,table=HR_PERS</association>
    > <modify-attr attr-name="mngrid">
    > <remove-all-values/>
    > <add-value>
    > <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    > </add-value>
    > </modify-attr>
    > </modify>
    > </input>
    > </nds>
    > [09/03/18 14:29:54.872]:trace1 PT:Applying policy:
    > % CCNOVLPWDSYNC-pub-ctp-CheckPwdGCV%-C.
    > [09/03/18 14:29:54.872]:trace1 PT: Applying to modify #1.
    > [09/03/18 14:29:54.872]:trace1 PT: Evaluating selection criteria for
    > rule 'Block publishing passwords to the Identity Vault when adding an
    > object'.
    > [09/03/18 14:29:54.872]:trace1 PT: (if-global-variable
    > 'enable-password-publish' equal "false") = FALSE.
    > [09/03/18 14:29:54.872]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.872]:trace1 PT: Evaluating selection criteria for
    > rule 'Block sending modify-password changes to the Identity Vault'.
    > [09/03/18 14:29:54.872]:trace1 PT: (if-global-variable
    > 'enable-password-publish' equal "false") = FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    > [09/03/18 14:29:54.888]:trace1 PT:
    > <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    > <source>
    > <product build="20141001_0706" instance="PostgreSQL"
    > version="4.0.0.2">DirXML Driver for JDBC</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <modify class-name="User" dest-dn="data\users\VKhoury"
    > dest-entry-id="34053" event-id="ID=4,table=HR_PERS"
    > src-dn="ID=4,table=HR_PERS">
    > <association>ID=4,table=HR_PERS</association>
    > <modify-attr attr-name="mngrid">
    > <remove-all-values/>
    > <add-value>
    > <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    > </add-value>
    > </modify-attr>
    > </modify>
    > </input>
    > </nds>
    > [09/03/18 14:29:54.888]:trace1 PT:Applying policy:
    > % CCNOVLPWDSYNC-pub-ctp-PublishDistPwd%-C.
    > [09/03/18 14:29:54.888]:trace1 PT: Applying to modify #1.
    > [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for
    > rule 'Add nspmDistributionAttribute attribute to add operation'.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-global-variable
    > 'publish-password-to-dp' equal "true") = FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for
    > rule 'Change modify-password operations to a modify'.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-global-variable
    > 'publish-password-to-dp' equal "true") = FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    > [09/03/18 14:29:54.888]:trace1 PT:
    > <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    > <source>
    > <product build="20141001_0706" instance="PostgreSQL"
    > version="4.0.0.2">DirXML Driver for JDBC</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <modify class-name="User" dest-dn="data\users\VKhoury"
    > dest-entry-id="34053" event-id="ID=4,table=HR_PERS"
    > src-dn="ID=4,table=HR_PERS">
    > <association>ID=4,table=HR_PERS</association>
    > <modify-attr attr-name="mngrid">
    > <remove-all-values/>
    > <add-value>
    > <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    > </add-value>
    > </modify-attr>
    > </modify>
    > </input>
    > </nds>
    > [09/03/18 14:29:54.888]:trace1 PT:Applying policy:
    > % CCNOVLPWDSYNC-pub-ctp-PublishNDSPwd%-C.
    > [09/03/18 14:29:54.888]:trace1 PT: Applying to modify #1.
    > [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for
    > rule 'Block publishing passwords to eDirectory password'.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "add") =
    > FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for
    > rule 'Block sending modify-password changes to the eDirectory
    > password'.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal
    > "modify-password") = FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    > [09/03/18 14:29:54.888]:trace1 PT:
    > <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    > <source>
    > <product build="20141001_0706" instance="PostgreSQL"
    > version="4.0.0.2">DirXML Driver for JDBC</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <modify class-name="User" dest-dn="data\users\VKhoury"
    > dest-entry-id="34053" event-id="ID=4,table=HR_PERS"
    > src-dn="ID=4,table=HR_PERS">
    > <association>ID=4,table=HR_PERS</association>
    > <modify-attr attr-name="mngrid">
    > <remove-all-values/>
    > <add-value>
    > <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    > </add-value>
    > </modify-attr>
    > </modify>
    > </input>
    > </nds>
    > [09/03/18 14:29:54.888]:trace1 PT:Applying policy:
    > % CCNOVLPWDSYNC-pub-ctp-AddPwdPayload%-C.
    > [09/03/18 14:29:54.888]:trace1 PT: Applying to modify #1.
    > [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for
    > rule 'Add operation-data element to password operations'.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "add") =
    > FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "add") =
    > FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal
    > "modify-password") = FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "modify") =
    > TRUE.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-xpath true
    > "modify-attr[@attr-name='nspmDistributionPassword']") = FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for
    > rule 'Add payload data to password operations'.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "add") =
    > FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "add") =
    > FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal
    > "modify-password") = FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-operation equal "modify") =
    > TRUE.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-xpath true
    > "modify-attr[@attr-name='nspmDistributionPassword']") = FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    > [09/03/18 14:29:54.888]:trace1 PT:
    > <nds dtdversion="2.0" ndsversion="8.x" xmlns:jdbc="urn:dirxml:jdbc">
    > <source>
    > <product build="20141001_0706" instance="PostgreSQL"
    > version="4.0.0.2">DirXML Driver for JDBC</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <input>
    > <modify class-name="User" dest-dn="data\users\VKhoury"
    > dest-entry-id="34053" event-id="ID=4,table=HR_PERS"
    > src-dn="ID=4,table=HR_PERS">
    > <association>ID=4,table=HR_PERS</association>
    > <modify-attr attr-name="mngrid">
    > <remove-all-values/>
    > <add-value>
    > <value type="dn">\IDVAULT-TREE\data\users\PKhoury</value>
    > </add-value>
    > </modify-attr>
    > </modify>
    > </input>
    > </nds>
    > [09/03/18 14:29:54.888]:trace1 PT:Filtering out notification-only
    > attributes.
    > [09/03/18 14:29:54.888]:trace1 PT:Pumping XDS to eDirectory.
    > [09/03/18 14:29:54.888]:trace1 PT:Performing operation modify for
    > data\users\VKhoury.
    > [09/03/18 14:29:54.888]:trace1 PT:--JCLNT--
    > \IDVAULT-TREE\system\driverset1\PostgreSQL - Publisher : Duplicating :
    > context = 1353318507, tempContext = 1353318509
    > [09/03/18 14:29:54.888]:trace1 PT:Modifying entry data\users\VKhoury.
    > [09/03/18 14:29:54.888]:trace1 PT:--JCLNT--
    > \IDVAULT-TREE\system\driverset1\PostgreSQL - Publisher : Calling free on
    > tempContext = 1353318509
    > [09/03/18 14:29:54.888]:trace1 PT:
    > DirXML Log Event -------------------
    > Driver: \IDVAULT-TREE\system\driverset1\PostgreSQL
    > Channel: Publisher
    > Object: ID=4,table=HR_PERS (data\users\VKhoury)
    > Status: Error
    > Message: Code(-9010) An exception occurred:
    > novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE
    > [09/03/18 14:29:54.888]:trace1 PT:Fixing up association references.
    > [09/03/18 14:29:54.888]:trace1 PT:Applying schema mapping policies to
    > output.
    > [09/03/18 14:29:54.888]:trace1 PT:Applying policy:
    > % CCNOVLPGSDISYN-smp%-C.
    > [09/03/18 14:29:54.888]:trace1 PT:Applying policy:
    > % CCNOVLJDBCDACL-smp%-C.
    > [09/03/18 14:29:54.888]:trace1 PT: Applying to status #1.
    > [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    > [09/03/18 14:29:54.888]:trace1 PT:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Advanced" version="4.5.0.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <output>
    > <status event-id="ID=4,table=HR_PERS" level="error">Code(-9010) An
    > exception occurred: novell.jclient.JCException: modifyEntry -608
    > ERR_ILLEGAL_ATTRIBUTE<application>DirXML</application>
    > <module>PostgreSQL</module>
    > <object-dn>ID=4,table=HR_PERS (data\users\VKhoury)</object-dn>
    > <component>Publisher</component>
    > </status>
    > </output>
    > </nds>
    > [09/03/18 14:29:54.888]:trace1 PT:Applying policy:
    > % CCSchema map%-C.
    > [09/03/18 14:29:54.888]:trace1 PT:Applying output transformation
    > policies.
    > [09/03/18 14:29:54.888]:trace1 PT:Applying policy:
    > % CCNOVLJDBCDACL-itp-StripReadAttr%-C.
    > [09/03/18 14:29:54.888]:trace1 PT: Applying to status #1.
    > [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for
    > rule 'Strip Description Attribute'.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-class-name match
    > "indirect.grp|direct.view_grp") = FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    > [09/03/18 14:29:54.888]:trace1 PT:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Advanced" version="4.5.0.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <output>
    > <status event-id="ID=4,table=HR_PERS" level="error">Code(-9010) An
    > exception occurred: novell.jclient.JCException: modifyEntry -608
    > ERR_ILLEGAL_ATTRIBUTE<application>DirXML</application>
    > <module>PostgreSQL</module>
    > <object-dn>ID=4,table=HR_PERS (data\users\VKhoury)</object-dn>
    > <component>Publisher</component>
    > </status>
    > </output>
    > </nds>
    > [09/03/18 14:29:54.888]:trace1 PT:Applying policy:
    > % CCNOVLPGSDISYN-otp-ReformatFax%-C.
    > [09/03/18 14:29:54.888]:trace1 PT: Applying to status #1.
    > [09/03/18 14:29:54.888]:trace1 PT: Evaluating selection criteria for
    > rule 'User: Reformat fax number as string'.
    > [09/03/18 14:29:54.888]:trace1 PT: (if-class-name equal
    > "direct.view_usr") = FALSE.
    > [09/03/18 14:29:54.888]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.888]:trace1 PT:Policy returned:
    > [09/03/18 14:29:54.888]:trace1 PT:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Advanced" version="4.5.0.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <output>
    > <status event-id="ID=4,table=HR_PERS" level="error">Code(-9010) An
    > exception occurred: novell.jclient.JCException: modifyEntry -608
    > ERR_ILLEGAL_ATTRIBUTE<application>DirXML</application>
    > <module>PostgreSQL</module>
    > <object-dn>ID=4,table=HR_PERS (data\users\VKhoury)</object-dn>
    > <component>Publisher</component>
    > </status>
    > </output>
    > </nds>
    > [09/03/18 14:29:54.904]:trace1 PT:Applying policy:
    > % CCNOVLPWDSYNC-otp-EmailOnFailedPwdPub%-C.
    > [09/03/18 14:29:54.904]:trace1 PT: Applying to status #1.
    > [09/03/18 14:29:54.904]:trace1 PT: Evaluating selection criteria for
    > rule 'Send e-mail for a failed publish password operation'.
    > [09/03/18 14:29:54.904]:trace1 PT: (if-global-variable
    > 'notify-user-on-password-dist-failure' equal "true") = TRUE.
    > [09/03/18 14:29:54.904]:trace1 PT: (if-operation equal "status") =
    > TRUE.
    > [09/03/18 14:29:54.904]:trace1 PT: (if-xpath true
    > "self::status[@level !=
    > 'success']/operation-data/password-publish-status") = FALSE.
    > [09/03/18 14:29:54.904]:trace1 PT: Rule rejected.
    > [09/03/18 14:29:54.904]:trace1 PT:Policy returned:
    > [09/03/18 14:29:54.904]:trace1 PT:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Advanced" version="4.5.0.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <output>
    > <status event-id="ID=4,table=HR_PERS" level="error">Code(-9010) An
    > exception occurred: novell.jclient.JCException: modifyEntry -608
    > ERR_ILLEGAL_ATTRIBUTE<application>DirXML</application>
    > <module>PostgreSQL</module>
    > <object-dn>ID=4,table=HR_PERS (data\users\VKhoury)</object-dn>
    > <component>Publisher</component>
    > </status>
    > </output>
    > </nds>
    > [09/03/18 14:29:54.904]:trace1 PT:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Advanced" version="4.5.0.0">DirXML</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <output>
    > <status event-id="ID=4,table=HR_PERS" level="error">Code(-9010) An
    > exception occurred: novell.jclient.JCException: modifyEntry -608
    > ERR_ILLEGAL_ATTRIBUTE<application>DirXML</application>
    > <module>PostgreSQL</module>
    > <object-dn>ID=4,table=HR_PERS (data\users\VKhoury)</object-dn>
    > <component>Publisher</component>
    > </status>
    > </output>
    >
    >


  • Exactly; ignore IDM and go into eDirectory and try to add this attribute
    to an object. Normally you will not be able to do it, and not just
    because there is no plugin created explicitly for it, but because it will
    not show up under the 'Other' sub-tab (under the 'General' tab I believe)
    because it is not allowed on any type of object; after all, this is new,
    and until it is allowed to be on a type (class) of object in schema, it is
    just a lonely attribute with no purpose.

    You could also try this via LDAP. Use Apache Directory Studio and go to
    your user object and right-click: Add Attribute. Find your attribute, or
    type it in, and you'll probably get an error back from Directory Studio
    telling you that it is not allowed, but it'll let you try to continue
    anyway. You'll then add a value, maybe in the proper format, but
    ultimately eDirectory will then tell Directory Studio that there is an
    error (the same as IDM) because the attribute is not allowed.

    If you first add the auxiliary class which holds the new attribute to the
    objectClass list (Add Value in Directory Studio, or the corresponding
    option in iManager) then at that time (or later) you will also be able to
    add the new attribute to the user.

    With all of that written, I do not see why using a multi-valued attribute
    is a bad thing; you are probably only managing it via this JDBC driver
    from IDM, right? Seems like it might be a lot easier to use default
    schema, work past your issue, and possibly handle cases where you think
    multiple values may exist, than extending schema, but at the end of the
    day either way can work; it is just (probably) more work to extend schema,
    especially where this is not an attribute limited to one driver, so now
    you must change the microsoft active directory (MAD) driver configuration
    as well, not to mention any others that should act based on the user's
    manager.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.


  • So several issues here I suspect.

    1) 609 illegal attribute makes me think you made the attribute but maybe
    did not add it to any Aux classes?

    2) You want to store a manager DN in the vault. From AD? Why?



    1) I made sure the attribute 'mngrid' is added to the auxiliary table 'IDVAULT'. So i don't think this is the issue.
    2) I'm not trying to store a manager DN from AD but from PostgreSQL database to the vault. i'M planning later on to use this Dn in order to write the correct 'Objectsid'
    in AD. But for now i'm trying to map the manager dn to the vault. Regarding the issue of association, i think the issue is that no association is being found.
    However, I don't get it why since the Dn is as follows : \IDVAULT-Tree\users\data\ManagerName
  • On 09/04/2018 01:04 AM, vkhoury wrote:
    >
    >> So several issues here I suspect.
    >>
    >> 1) 609 illegal attribute makes me think you made the attribute but
    >> maybe
    >> did not add it to any Aux classes?
    >>
    >> 2) You want to store a manager DN in the vault. From AD? Why?
    >>
    >>

    >
    > 1) I made sure the attribute 'mngrid' is added to the auxiliary table
    > 'IDVAULT'. So i don't think this is the issue.


    The mapping table is not the issue; the issue, as the error you previously
    reported shows, is that you have not done something properly w within
    eDirectory around schema.

    If you have not created an auxiliary class, then that is the problem. If
    you have created that auxiliary class and linked the new attribute to it
    as an optional attribute, then you should try adding it to the user.


    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • why? You mean i have to try adding it to user instead of an auxiliary class?
  • On 09/04/2018 02:24 AM, vkhoury wrote:
    >
    > why? You mean i have to try adding it to user instead of an auxiliary
    > class?


    If by "it" you mean your attribute, then no you should not do that in
    schema. Generally it is best to leave the base/shipped schema alone and
    use auxiliary classes in order to add new attributes to existing classes
    of objects.

    A -609 error means the attribute you are trying to add to an object is
    illegal, meaning the object's schema class(es) will not allow you to add
    that attribute. This could happen when you try to add something like
    DirXML-Act1 to a user object, since that attribute is intended to be on an
    IDM driver configuration object. It will also happen with any new attributes.

    Geoffrey reiterated that -609 means a schema problem, to which you
    responded that you had added the attribute to "auxiliary table IDVAULT",
    which I presume means an IDM mapping table. IDM is built on top of
    eDirectory, so regardless of how you map attributes within IDM you must
    follow the rules of schema defined in code (which largely follow the LDAP
    RFCs and state the same thing, thus you cannot add a new mngrid attribute
    to a User (inetOrgPerson) class of object unless you first link that
    attribute to a class, usually an auxiliary class, and then extend each
    given object with that particular auxiliary class (which IDM will do for
    you if setup properly).

    You can test that the schema side works by using LDAP tools or iManager to
    add the attribute to the user. Once that part works, the rest on your IDM
    side may be okay, but without success without IDM there is no guarantee
    you can get it with IDM, just like without turning a computer on there is
    no guarantee you can get a script for that computer to run successfully.
    Maybe the computer is already turned on (eDirectory is already setup
    properly), but in this thread I have not seen anything confirming that,
    and I would start there to make sure everything is ready.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • ab;2486886 wrote:
    On 09/04/2018 02:24 AM, vkhoury wrote:
    >
    > why? You mean i have to try adding it to user instead of an auxiliary
    > class?


    If by "it" you mean your attribute, then no you should not do that in
    schema. Generally it is best to leave the base/shipped schema alone and
    use auxiliary classes in order to add new attributes to existing classes
    of objects.

    A -609 error means the attribute you are trying to add to an object is
    illegal, meaning the object's schema class(es) will not allow you to add
    that attribute. This could happen when you try to add something like
    DirXML-Act1 to a user object, since that attribute is intended to be on an
    IDM driver configuration object. It will also happen with any new attributes.

    Geoffrey reiterated that -609 means a schema problem, to which you
    responded that you had added the attribute to "auxiliary table IDVAULT",
    which I presume means an IDM mapping table. IDM is built on top of
    eDirectory, so regardless of how you map attributes within IDM you must
    follow the rules of schema defined in code (which largely follow the LDAP
    RFCs and state the same thing, thus you cannot add a new mngrid attribute
    to a User (inetOrgPerson) class of object unless you first link that
    attribute to a class, usually an auxiliary class, and then extend each
    given object with that particular auxiliary class (which IDM will do for
    you if setup properly).

    You can test that the schema side works by using LDAP tools or iManager to
    add the attribute to the user. Once that part works, the rest on your IDM
    side may be okay, but without success without IDM there is no guarantee
    you can get it with IDM, just like without turning a computer on there is
    no guarantee you can get a script for that computer to run successfully.
    Maybe the computer is already turned on (eDirectory is already setup
    properly), but in this thread I have not seen anything confirming that,
    and I would start there to make sure everything is ready.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.


    What i have done is the following:
    In Imanager:
    I created an attribute called 'mngrid' and i added it to the auxiliary class 'IDVAULT'.
    The user schema is extended with this auxiliary class 'IDVAULT'.
    In designer i imported the new schema.
    Under Publish channel >Schema mapping , i added the new atrribute.
    That part worked fine. No errors occured.
    I don't get what is missing in my schema.