Bi-Directional eDir quirk after creating new user


Hi All,

We've got a Bi-Directional eDir driver. When I create a user from
iManager I keep getting the error MISSING_MANDATORY and I'm guessing
it's the password but I'm not entirely sure how that's possible.
After this, the driver doesn't sync anything else, it just retries this
object over and over.

This is how I break it and get it fixed:
- Create user->Sync fails on missing mandatory
- Stop driver
- Stop eDir on the connected system
- go to /var/opt/novell/eDirectory/data/dib
- rm *.TAO
- Start eDir
- Start driver on IDM system
- Migrate into vault on driver, select User->CN->input CN
- Voila, it syncs, no problem at all

Now the quirk is that I haven't actually changed anything in the
account, I didn't set another password or whatever.

I ran a complete health check, updated to the latest IDM patches on both
the IDM system and installed the newest changelog driver on the
connected system, which did not fix it. I can easily reproduce this by
creating another account.

Here's the trace: http://pastebin.com/Up5pt4fj

Any ideas?


--
bpenris
------------------------------------------------------------------------
bpenris's Profile: https://forums.netiq.com/member.php?userid=5485
View this thread: https://forums.netiq.com/showthread.php?t=51564

  • bpenris wrote:

    > When I create a user from
    > iManager I keep getting the error MISSING_MANDATORY and I'm guessing
    > it's the password but I'm not entirely sure how that's possible.


    The only mandatory attribute for users is "Surname" (besides CN or UID as
    naming attrs) and that's missing in your add event.
  • On a User object in eDirectory there are three mandatory attributes:
    Object Class
    Surname
    CN

    Your object lacks the Surname, thus the -608 error is appropriately
    returned. Add Surname/sn to your filter set to synchronize on the
    Publisher channel and that will hopefully work past this initial error.
    Post a trace of the driver config startup to see the filter as configured.
    Be sure to restart the driver (thus getting a startup trace) to apply any
    changes to things like the filter.

    Why things never pick up from there, well that's probably normal. I guess
    I'm a little surprised that the error does not cause the system to skip
    the current event, but perhaps the -608 is programmed to be a retry
    instead of something that clears the cache, and perhaps that's even a bug.
    For now, though, I'd fix the -608 (you'll never get a user created in
    eDir without a surname) and then see if pursuing the rest is still
    worthwhile. IDM tries to NOT lose events, and retrying is the only way to
    do that, so in your case this may be desirable behavior to prevent data
    loss due to a configuration (filter) issue. Of course, when you delete
    the changelog on the remote side then there is no way for the system to
    know what it has recently been told to no longer know. :-)

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...
  • ab wrote:

    > On a User object in eDirectory there are three mandatory attributes:
    > Object Class
    > Surname
    > CN


    Exactly, I missed Object Class (which is mandatory for every object in eDir -
    or are there any exceptions?). CN is interesting, since it's mandatory even
    though naming can be done with uniqueID or OU instead. Why would one have to
    have a CN in that case? Just a limitation in the schema definition mechanism
    that cannot handle something like "Object Class, Surname and one out of
    UniqueID, CN or UID"?
  • Lothar Haeger wrote:

    > and one out of UniqueID, CN or UID"?


    "...or OU", of course.

  • On 08/20/2014 06:05 AM, Lothar Haeger wrote:
    > Lothar Haeger wrote:
    >
    >> and one out of UniqueID, CN or UID"?


    Yes, perhaps; twenty-year-old code and backwards compatibility in mind
    probably.

    > "...or OU", of course.


    I've always wondered if anybody ever sets that for naming on a User; I've
    never seen it, and I've corrected more than a few people who didn't know
    that was an option because I'm guessing nobody has ever done it in real
    life. I have no idea why you'd name a user based on that either.


  • ab;247808 Wrote:
    > Your object lacks the Surname, so thus the -608 error appropriately
    > returned. Add Surname/sn to your filter set to synchronize on the
    > Publisher channel and that will hopefully work past this initial error.
    > Post a trace of the driver config startup to see the filter as
    > configured.
    > Be sure to restart the driver (thus getting a startup trace) to apply
    > any
    > changes to things like the filter.

    > n00bmode: Is this what you mean? The set of arrows on the right are the
    > bi-directional eDir driver:
    > [image]
    > /n00bmode

    Yes so that's a good start. If Designer (your picture) is consistent with
    what is deployed in the vault (presumably it is because of your trace
    below) then that's good.

    > Startup trace:
    > http://pastebin.com/s7WKUDy7

    This looks like a recent restart. Either you've made a change and things
    may work, or you have not but did a while ago and things may work, or you
    have not and never did so things are still broken. In the last situation,
    go and check your merge authority. Under the driver object (in Designer)
    double-click on the filter. For the Surname attribute the merge authority
    should be set to Default (by default) and I am not sure that's happening
    for you. The DTD for the filter attribute states that, even if not set,
    it should be Default, but something is amiss then.

    >> For now, though, I'd fix the -608 (you'll never get a user created in
    >> eDir without a surname) and then see if pursuing the rest is still
    >> worthwhile. IDM tries to NOT lose events, and retrying is the only way
    >> to
    >> do that, so in your case this may be desirable behavior to prevent data
    >> loss due to a configuration (filter) issue. Of course, when you delete
    >> the changelog on the remote side then there is no way for the system to
    >> know what it has recently been told to no longer know. :-)

    > Yes that sounds logical. I wish there was a way to force it to continue
    > though.


    You could add a rule in there stating, if a User, and if an add, then veto
    if any of the required attributes are missing. In theory they should
    always be there, and if not then they may (really unlikely) come in a
    subsequent event, but with your filter set to send those they really
    should be there from the start; this is the nature of things defined in
    schema as mandatory. It's not optional, it's not delayed, it's always
    there. Missing it for a nanosecond but sending the event along and then
    not having the mandatory attributes pulled in would be the weirdest timing
    issue I've seen in a while. Still, maybe that's it.

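As an added illustration of the veto rule ab describes above (this is not code from the thread or from the NetIQ driver configuration), a DirXML-Script rule that drops a User add lacking Surname instead of letting the driver retry it indefinitely; the placement in the Publisher Event Transformation policy set and the trace-message wording are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Assumed to live in the driver's
     Publisher Event Transformation policy set so it sees the add before
     the engine tries to create the object in the vault. -->
<policy>
  <rule>
    <description>Veto User adds that lack the mandatory Surname</description>
    <conditions>
      <and>
        <!-- Only User objects carry Surname as a mandatory attribute -->
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
        <!-- "not-available": no Surname value is present in this add event -->
        <if-op-attr name="Surname" op="not-available"/>
      </and>
    </conditions>
    <actions>
      <!-- Leave a trace line so the dropped object can still be found
           and migrated once the root cause is understood -->
      <do-trace-message level="1">
        <arg-string>
          <token-text>Vetoing add of </token-text>
          <token-src-dn/>
          <token-text>: mandatory attribute Surname missing from event</token-text>
        </arg-string>
      </do-trace-message>
      <!-- Veto removes the event; the engine does not retry it -->
      <do-veto/>
    </actions>
  </rule>
</policy>
```

A vetoed user is never created in the vault, so the trace line is the record that tells you which objects still need a Migrate once Surname arrives reliably.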

  • ab;247825 Wrote:
    > Yes so that's a good start. If Designer (your picture) is consistent
    > with
    > what is deployed in the vault (presumably it is because of your trace
    > below) then that's good.

    Yes it is except for the trace level.

    > This looks like a recent restart. Either you've made a change and
    > things
    > may work, or you have not but did a while ago and things may work, or
    > you
    > have not and never did so things are still broken. In the last
    > situation,
    > go and check your merge authority. Under the driver object (in
    > Designer)
    > double-click on the filter. For the Surname attribute the merge
    > authority
    > should be set to Default (by default) and I am not sure that's
    > happening
    > for you. The DTD for the filter attribute states that, even if not
    > set,
    > it should be Default, but something is amiss then.

    Merge authority is set to Default for Surname.


    > You could add a rule in there stating, if a User, and if an add, then
    > veto
    > if any of the required attributes are missing.

    Yes I was pondering to do that but I'd rather fix the underlying
    problem.

    > In theory they should always be there, and if not then they may (really
    > unlikely) come in a
    > subsequent event, but with your filter set to send those they really
    > should be there from the start; this is the nature of things defined in
    > schema as mandatory. It's not optional, it's not delayed, it's always
    > there. Missing it for a nanosecond but sending the event along and
    > then
    > not having the mandatory attributes pulled in would be the weirdest
    > timing
    > issue I've seen in a while. Still, maybe that's it.

    I've found that if I point iMangler to the replica where the changelog
    driver resorts, the problem goes away or at least I'm no longer able to
    reproduce it. I could point the driver at our master replica but that
    one gets hammered during the day and the changelog driver 'sometimes'
    crashes ndsd when starting the driver. I don't know why but this is even
    true in an isolated test environment where I first tried to implement
    the driver. The patch addressed a couple of related issues iirc but I've
    still seen at least one ndsd crash after the update.


    Thanks again for your assistance :)



  • Do you have Priority Sync enabled in eDirectory 8.8? It's a feature that
    allows you to send specified attributes immediately instead of waiting for
    the default sync interval. It is not a default, and is not common, but
    it's the only thing of which I can imagine (and I'm really stretching
    here) that may cause an object to come through missing mandatory
    attributes; I really do not think that should happen even with Priority
    Sync, since to what object would the expedited attributes be linked if the
    object has not yet replicated after creation? Makes no sense, but there
    you go.

    Other options may be to try the older eDirectory driver. This would
    require a full IDM engine install on a box in your other tree.

    A better alternative may be to set up ahead of time and try to export an
    object you're about to create from the IDM box over and over (via LDAP) to
    see when it shows up via replication, and if (just using eDirectory and
    LDAP) you can see it missing mandatory attributes somehow.


  • ab;247830 Wrote:
    > Do you have Priority Sync enabled in eDirectory 8.8?

    I've played around with it a lot because I think it's an awesome feature
    but there's no need for it in an environment that's as small as ours.
    I've checked nonetheless but no, it's not enabled.

    > Other options may be to try the older eDirectory driver. This would
    > require a full IDM engine install on a box in your other tree.

    That's on my mind as well but I very much dislike the way of eDir trees
    and it will basically mean that I'm the only one that'll be able to
    manage the system. Do not want that.

    > A better alternative may be to setup ahead of time and try to export an
    > object you're about to create from the IDM box over and over (via LDAP)
    > to
    > see when it shows up via replication, and if (just using eDirectory and
    > LDAP) you can see it missing mandatory attributes somehow.

    The veto policy works for now. We'll see how it runs over the next few
    days.

    Thank you AB!

