In Identity Manager bidirectional driver sync not working

In Novell Identity Manager bidirectional driver sync is not working. Can anyone please suggest?
  • In the log it is showing:
    LDAPInterface.doLDAPAdd() Error: LDAPException: Insufficient Access Rights (50) Insufficient Access Rights
    LDAPException: Server Message: NDS error: no access (-672)
  • Can anyone please help? It's urgent; it is on a production server. My mail id is shilginjose@gmail.com
  • If you did not specify a user with sufficient privileges either as the
    local security equivalence or with the remote tree, then that would cause
    a -672. Where the rights need to be given depends on where the rights are
    lacking. Post a level three (3) trace of driver startup and we'll look at it.

    If you are in a hurry, you may want to call Micro Focus for official support.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • On 5/25/2019 2:34 AM, KSEB wrote:
    >
    > can anyone please help its urgent it is in production server .My mail id
    > shilginjose@gmail.com


    As Aaron suggested, there are two sets of permissions.

    IDV side where the driver gets permission to modify objects in the IDV.
    These would be Pub channel events where remote eDir changes are writing
    to the IDV.

    On the Remote eDir side, you specify an account in the driver
    configuration (Authentication ID and password) for Sub channel events to
    write to the remote LDAP.

    So as Aaron suggested, post a trace of startup. If this worked before,
    it seems unlikely the permissions suddenly changed so it could be
    totally unrelated.

    Look at the driver config, find the user specified as the authentication
    ID and then in the Remote eDir, if you use iManager, use the Rights,
    Rights to other objects, and specify this object to see its permissions.
    Make sure it can read and write to the object and attributes in the
    filter.
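The two checks the replies describe (read which of the two permission sets a -672 / LDAP result 50 in the trace points at, then verify the driver's Authentication ID against the remote eDir over LDAPS rather than plain 389) as an added Python example. This is not IDM's or Micro Focus's tooling: the trace lines are the two quoted in the original post, the live check assumes the ldap3 package, and the host, bind DN, target DN, CA file and attribute list are placeholders to be replaced with the values from the driver configuration.

```python
"""Classify an access-denied error in an IDM driver trace and verify the
driver's Authentication ID over LDAPS.  Added example, not IDM's own code."""
import re
import ssl

# Constructed sample: the two error lines quoted in the original post.
SAMPLE_TRACE = """\
LDAPInterface.doLDAPAdd() Error: LDAPException: Insufficient Access Rights (50) Insufficient Access Rights
LDAPException: Server Message: NDS error: no access (-672)
"""

# "LDAPInterface.doLDAPAdd() Error: LDAPException: <text> (<code>)"
LDAP_RE = re.compile(
    r"LDAPInterface\.(?P<op>doLDAP\w+)\(\) Error: LDAPException: (?P<text>[^(]+)\((?P<code>\d+)\)"
)
# "NDS error: <text> (<code>)"
NDS_RE = re.compile(r"NDS error: (?P<text>[^(]+)\((?P<code>-?\d+)\)")

LDAP_INSUFFICIENT_ACCESS = 50   # LDAP resultCode insufficientAccessRights
NDS_NO_ACCESS = -672            # eDirectory "no access"


def parse_trace(trace: str) -> dict:
    """Extract the LDAP operation, LDAP result code and NDS error code from a trace."""
    found = {"op": None, "ldap_code": None, "nds_code": None}
    for line in trace.splitlines():
        m = LDAP_RE.search(line)
        if m:
            found["op"] = m.group("op")
            found["ldap_code"] = int(m.group("code"))
        m = NDS_RE.search(line)
        if m:
            found["nds_code"] = int(m.group("code"))
    return found


def diagnose(parsed: dict) -> str:
    """Map the error to the permission set that is lacking, per the reply above."""
    denied = (parsed["ldap_code"] == LDAP_INSUFFICIENT_ACCESS
              or parsed["nds_code"] == NDS_NO_ACCESS)
    if not denied:
        return "no access-denied error found in this trace"
    if parsed["op"]:
        # LDAPInterface.doLDAP* is the driver writing to the remote eDir over
        # LDAP, i.e. a Subscriber-channel event using the Authentication ID.
        return ("remote-edir: the Authentication ID in the driver config lacks "
                f"rights for {parsed['op']}; check its rights to the objects and "
                "attributes in the filter")
    # No LDAP interface call in the trace: the denial came from the vault side
    # (Publisher channel writing into the IDV), so the driver object's
    # security equivalence is the place to look.
    return "idv: the driver object's security equivalence lacks rights in the vault"


def check_auth_id(host: str, bind_dn: str, password: str,
                  target_dn: str, attributes: list, ca_file: str) -> dict:
    """Bind as the Authentication ID over LDAPS (636, not cleartext 389) and do a
    read-only BASE search of one object the driver manages.  Returns the LDAP
    result code and which of the requested attributes actually came back: an
    attribute the account may not read is simply omitted, not reported as an
    error.  Requires the ldap3 package (assumption); the import is deferred so
    the trace parser above works without it.  A bind failure raises
    ldap3.core.exceptions.LDAPBindError."""
    from ldap3 import BASE, Connection, Server, Tls  # assumed dependency

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=636, use_ssl=True, tls=tls)
    conn = Connection(server, user=bind_dn, password=password, auto_bind=True)
    conn.search(target_dn, "(objectClass=*)", search_scope=BASE, attributes=attributes)
    entries = [e for e in conn.response if e.get("type") == "searchResEntry"]
    returned = sorted(entries[0]["attributes"].keys()) if entries else []
    result = {"result": conn.result["result"],
              "description": conn.result["description"],
              "requested": sorted(attributes),
              "returned": returned,
              "unreadable": sorted(set(attributes) - set(returned))}
    conn.unbind()
    return result


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    print(parsed)
    print(diagnose(parsed))
    # Placeholders: fill in from the driver's Authentication ID / remote eDir config.
    # print(check_auth_id("remote-edir.example", "cn=idmdriver,o=acme", "secret",
    #                     "cn=jdoe,ou=users,o=acme", ["cn", "mail", "title"],
    #                     "/etc/ssl/certs/edir-ca.pem"))
```

The live check deliberately does not attempt a write; confirming write rights on the filter attributes is still done in iManager (Rights to other objects) as described above, so that the test account never modifies the remote tree.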


  • There are several inconsistencies here.

    Your original complaint was about a -672 error, which I do not see
    anywhere in the trace. Where is that?

    Also, it appears you are using TCP 389, which generally you should not as
    there is no guarantee of privacy, unless you happened to use TLS/SSL on
    that port instead of 636, which you so far have not done.

    Also, for some reason you have your driver config pointing to 127.0.0.1
    which is your vault box. Using this as a Null or loopback type of driver
    config is not recommended; you should be pointing this to another tree.
    Maybe you are, and just have a really odd setup on this box, but I think
    it more likely this is a misconfiguration.

    It may help if you describe when this worked last, how it broke since
    then, and what its purpose is. If you are starting with a new system, you
    should do this in a test environment. If you have a consultant or
    somebody setting this up for the first time (or if you are that
    consultant), you should set up a test environment to understand the
    technology before deploying it in Production.

    IDM is a wonderful technology, and used properly it will save tons of
    mistakes, money, and improve security in an environment. Used
    incorrectly, it can do bad things as easily as it can do good things
    (maybe more easily). Great power, great responsibility, etc.

    A driver config startup trace would still be appreciated, though the GCV
    screenshots show some of what was sought.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • > Your original complaint was about a -672 error, which I do not see
    > anywhere in the trace. Where is that?

    Actually now I am testing in the test environment to resolve the issue. Yesterday the trace I sent was the test environment driver start trace.

    > Also, it appears you are using TCP 389, which generally you should not as
    > there is no guarantee of privacy, unless you happened to use TLS/SSL on
    > that port instead of 636, which you so far have not done.
    >
    > Also, for some reason you have your driver config pointing to 127.0.0.1
    > which is your vault box. Using this as a Null or loopback type of driver
    > config is not recommended; you should be pointing this to another tree.
    > Maybe you are, and just have a really odd setup on this box, but I think
    > it more likely this is a misconfiguration.
    >
    > It may help if you describe when this worked last, how it broke since
    > then, and what its purpose is. If you are starting with a new system, you
    > should do this in a test environment. If you have a consultant or
    > somebody setting this up for the first time (or if you are that
    > consultant), you should set up a test environment to understand the
    > technology before deploying it in Production.

    I have checked in the test environment; it was working. I tested in the test environment; in this also, sync is not working.

    > IDM is a wonderful technology, and used properly it will save tons of
    > mistakes, money, and improve security in an environment. Used
    > incorrectly, it can do bad things as easily as it can do good things
    > (maybe more easily). Great power, great responsibility, etc.
    >
    > A driver config startup trace would still be appreciated, though the GCV
    > screenshots show some of what was sought.

    Any trace needed to find the issue? Any suggestion?