ADDriver Delete Events "Operation vetoed on unassociated"


For some reason, recently, my AD Driver no longer deletes the associated
Active Directory account when I delete the eDirectory user object.
:mad:

Response from driver: "*Operation vetoed on unassociated object*"

I'll post a level 3 trace if I can figure out how to attach the log file


--
plummb
------------------------------------------------------------------------
plummb's Profile: https://forums.netiq.com/member.php?userid=1727
View this thread: https://forums.netiq.com/showthread.php?t=51659


  • Here's the level 3 (not very helpful)

    [09/02/14 14:53:54.296]:mmcf domain ST:Applying policy: % CCVeto
    Trigger%-C.
    [09/02/14 14:53:54.296]:mmcf domain ST: Applying to delete #1.
    [09/02/14 14:53:54.296]:mmcf domain ST: Evaluating selection criteria
    for rule 'Veto Trigger Events'.
    [09/02/14 14:53:54.297]:mmcf domain ST: (if-operation equal
    "trigger") = FALSE.
    [09/02/14 14:53:54.297]:mmcf domain ST: Rule rejected.
    [09/02/14 14:53:54.297]:mmcf domain ST:Policy returned:
    [09/02/14 14:53:54.297]:mmcf domain ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Standard" version="4.0.2.2">DirXML</product>
    <contact>Novell, Inc.</contact>
    </source>
    <input>
    <delete cached-time="20140902185354.232Z" class-name="User"
    event-id="VMIDMMETA#20140902185354#3#1:268b602c-7060-4a6c-efab-2c608b266070"
    qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=Btester1"
    src-dn="\META\IDM\Person\Users\Btester1" src-entry-id="116766"
    timestamp="1409683943#1"/>
    </input>
    </nds>
    [09/02/14 14:53:54.298]:mmcf domain ST:Subscriber processing delete for
    \META\IDM\Person\Users\Btester1.
    [09/02/14 14:53:54.298]:mmcf domain ST:Processing returned document.
    [09/02/14 14:53:54.298]:mmcf domain ST:Processing operation <status> for
    ..
    [09/02/14 14:53:54.298]:mmcf domain ST:
    DirXML Log Event -------------------
    Driver: \META\IDM\eDirMeta\mmcf domain
    Channel: Subscriber
    Object: \META\IDM\Person\Users\Btester1
    Status: Warning
    Message: Code(-8019) Operation vetoed on unassociated object.
    [09/02/14 14:53:54.387]:mmcf domain ST:End transaction.


    --
    plummb
    ------------------------------------------------------------------------
    plummb's Profile: https://forums.netiq.com/member.php?userid=1727
    View this thread: https://forums.netiq.com/showthread.php?t=51659


  • plummb;248241 Wrote:
    > Here's the level 3 (not very helpful)
    >
    > [09/02/14 14:53:54.296]:mmcf domain ST:Applying policy: % CCVeto
    > Trigger%-C.
    > [09/02/14 14:53:54.296]:mmcf domain ST: Applying to delete #1.
    > [09/02/14 14:53:54.296]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Veto Trigger Events'.
    > [09/02/14 14:53:54.297]:mmcf domain ST: (if-operation equal
    > "trigger") = FALSE.
    > [09/02/14 14:53:54.297]:mmcf domain ST: Rule rejected.
    > [09/02/14 14:53:54.297]:mmcf domain ST:Policy returned:
    > [09/02/14 14:53:54.297]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.0.2.2">DirXML</product>
    > <contact>Novell, Inc.</contact>
    > </source>
    > <input>
    > <delete cached-time="20140902185354.232Z" class-name="User"
    > event-id="VMIDMMETA#20140902185354#3#1:268b602c-7060-4a6c-efab-2c608b266070"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=Btester1"
    > src-dn="\META\IDM\Person\Users\Btester1" src-entry-id="116766"
    > timestamp="1409683943#1"/>
    > </input>
    > </nds>
    > [09/02/14 14:53:54.298]:mmcf domain ST:Subscriber processing delete for
    > \META\IDM\Person\Users\Btester1.
    > [09/02/14 14:53:54.298]:mmcf domain ST:Processing returned document.
    > [09/02/14 14:53:54.298]:mmcf domain ST:Processing operation <status> for
    > .
    > [09/02/14 14:53:54.298]:mmcf domain ST:
    > DirXML Log Event -------------------
    > Driver: \META\IDM\eDirMeta\mmcf domain
    > Channel: Subscriber
    > Object: \META\IDM\Person\Users\Btester1
    > Status: Warning
    > Message: Code(-8019) Operation vetoed on unassociated object.
    > [09/02/14 14:53:54.387]:mmcf domain ST:End transaction.



    Hi plummb,
    Are you sure that your user has valid association?

    My Delete Event for associated users has "additional" *association*
    part, that not available in in your doc:

    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Standard" version="4.0.2.5">DirXML</product>
    <contact>Novell, Inc.</contact>
    </source>
    <input>
    <delete cached-time="20140902202339.343Z" class-name="User"
    event-id="fx-iv#20140902202339#1#1:93500bae-b112-412d-1b8b-ae0b509312b1"
    qualified-src-dn="O=bxxx\OU=Sxxx\CN=sxxx24"
    src-dn="\XXX-TREE\bxxx\Sxxx\sxxx24" src-entry-id="678688"
    timestamp="1408651036#1">
    *<association
    state="associated">defe8cc3d92f1946b93xxxxxb4554c0c</association>*
    </delete>
    </input>
    </nds>


    --
    al_b
    ------------------------------------------------------------------------
    al_b's Profile: https://forums.netiq.com/member.php?userid=209
    View this thread: https://forums.netiq.com/showthread.php?t=51659

  • plummb wrote:

    >
    > For some reason, recently, my AD Driver no longer deletes the associated
    > Active Directory account when I delete the eDirectory user object.
    > :mad:
    >
    > Response from driver: "*Operation vetoed on unassociated object*"


    This is self explanatory. The user wasn't ever properly associated with AD prior to the point when the delete event was generated.

    --
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...
  • Exactly, and it sounds like you (plummb) believe that this is incorrect
    and that the user IS associated with a corresponding object in the MAD
    environment. A few reasons for possible discrepancies:

    Something else cleared the association already. What would do this?
    Well, any driver or other client to the directory could in theory do this,
    but if it's happening on many users (not just one or two by accident) the
    most-likely cause is that somebody deleted the driver object and then
    recreated it; currently the association is maintained via DN relationships
    in the association value, so deleting the driver object to recreate it
    (rename, move to another DriverSet, whatever the reason) would cause all
    associations to be lost. This is rare, and you should definitely know
    about this kind of event.

    Another option is that the association was never there. If the user never
    changes their password (not required to) then maybe nobody ever noticed
    that credentials and other settings were not synchronizing. It's
    possible, and probably more-likely than the option above.

    If you know that an association existed (because you have a backup
    confirming as much) then what happened between then (the backup time) and
    now that could have removed the association? With IDM the potential for
    great power means other drivers could somehow get involved (though you'd
    need to add logic in to do that yourself as there is no way normally for
    one driver to stomp on another driver's associations), and you'll need to
    know if anybody else has access to do things like run ndsrepair commands
    (to potentially strip associations from the entire server, though this
    would impact all objects' associations, not jut one or two, and all
    associations, not just one driver config's).

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  • This same event transpires on any of my users. Sync is just fine between
    eDir and MAD. All passwords and meta data sync just as intended. When
    trying to delete, this event occurs. I can recreate this with any
    account.

    Here is a new account (exported in LDIF with driver association):
    dn: cn=MyTest,ou=Users,ou=Person,o=IDM
    changetype: add
    DirXML-Associations: cn=mmcf
    domain,cn=eDirMeta,o=IDM#1#240cd0c1276899428c5869
    fb7098a607

    Here is the Level 3 on the delete event

    [09/02/14 19:19:00.206]:mmcf domain ST:Processing events for
    transaction.
    [09/02/14 19:19:00.206]:mmcf domain ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Standard" version="4.0.2.2">DirXML</product>
    <contact>Novell, Inc.</contact>
    </source>
    <input>
    <delete cached-time="20140902231900.169Z" class-name="User"
    event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    timestamp="1409699668#1"/>
    </input>
    </nds>
    [09/02/14 19:19:00.207]:mmcf domain ST:Applying event transformation
    policies.
    [09/02/14 19:19:00.207]:mmcf domain ST:Applying policy:
    % CCsub-etp-Scoping%-C.
    [09/02/14 19:19:00.208]:mmcf domain ST: Applying to delete #1.
    [09/02/14 19:19:00.208]:mmcf domain ST: Evaluating selection criteria
    for rule 'Veto specify events'.
    [09/02/14 19:19:00.208]:mmcf domain ST: (if-operation equal "move")
    = FALSE.
    [09/02/14 19:19:00.208]:mmcf domain ST: (if-operation equal "sync")
    = FALSE.
    [09/02/14 19:19:00.208]:mmcf domain ST: Rule rejected.
    [09/02/14 19:19:00.208]:mmcf domain ST: Evaluating selection criteria
    for rule 'Break if the Event is wanted'.
    [09/02/14 19:19:00.209]:mmcf domain ST: (if-association associated)
    = FALSE.
    [09/02/14 19:19:00.209]:mmcf domain ST: (if-class-name equal
    "User") = TRUE.
    [09/02/14 19:19:00.209]:mmcf domain ST: (if-src-dn in-subtree
    "idm\person") = TRUE.
    [09/02/14 19:19:00.209]:mmcf domain ST: Rule selected.
    [09/02/14 19:19:00.209]:mmcf domain ST: Applying rule 'Break if the
    Event is wanted'.
    [09/02/14 19:19:00.209]:mmcf domain ST: Action: do-break().
    [09/02/14 19:19:00.210]:mmcf domain ST:Policy returned:
    [09/02/14 19:19:00.210]:mmcf domain ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Standard" version="4.0.2.2">DirXML</product>
    <contact>Novell, Inc.</contact>
    </source>
    <input>
    <delete cached-time="20140902231900.169Z" class-name="User"
    event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    timestamp="1409699668#1"/>
    </input>
    </nds>
    [09/02/14 19:19:00.211]:mmcf domain ST:Applying policy:
    % CCsub-etp-Reset Attributes%-C.
    [09/02/14 19:19:00.211]:mmcf domain ST: Applying to delete #1.
    [09/02/14 19:19:00.211]:mmcf domain ST: Evaluating selection criteria
    for rule 'Reset DirXML-ADAliasName if changing'.
    [09/02/14 19:19:00.211]:mmcf domain ST: (if-operation equal
    "modify") = FALSE.
    [09/02/14 19:19:00.211]:mmcf domain ST: Rule rejected.
    [09/02/14 19:19:00.211]:mmcf domain ST: Evaluating selection criteria
    for rule 'Reset DirXML-ADContext if changing'.
    [09/02/14 19:19:00.212]:mmcf domain ST: (if-operation equal
    "modify") = FALSE.
    [09/02/14 19:19:00.212]:mmcf domain ST: Rule rejected.
    [09/02/14 19:19:00.212]:mmcf domain ST: Evaluating selection criteria
    for rule 'Block Empty Modifies'.
    [09/02/14 19:19:00.212]:mmcf domain ST: (if-class-name equal
    "User") = TRUE.
    [09/02/14 19:19:00.212]:mmcf domain ST: (if-operation equal
    "modify") = FALSE.
    [09/02/14 19:19:00.212]:mmcf domain ST: Rule rejected.
    [09/02/14 19:19:00.212]:mmcf domain ST:Policy returned:
    [09/02/14 19:19:00.213]:mmcf domain ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Standard" version="4.0.2.2">DirXML</product>
    <contact>Novell, Inc.</contact>
    </source>
    <input>
    <delete cached-time="20140902231900.169Z" class-name="User"
    event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    timestamp="1409699668#1"/>
    </input>
    </nds>
    [09/02/14 19:19:00.213]:mmcf domain ST:Applying policy:
    % CCsub-etp-Exch%-C.
    [09/02/14 19:19:00.214]:mmcf domain ST: Applying to delete #1.
    [09/02/14 19:19:00.214]:mmcf domain ST: Evaluating selection criteria
    for rule 'Capture Delete Event, get homeMDB from AD'.
    [09/02/14 19:19:00.214]:mmcf domain ST: (if-class-name equal
    "User") = TRUE.
    [09/02/14 19:19:00.214]:mmcf domain ST: (if-operation equal
    "delete") = TRUE.
    [09/02/14 19:19:00.214]:mmcf domain ST: Rule selected.
    [09/02/14 19:19:00.214]:mmcf domain ST: Applying rule 'Capture Delete
    Event, get homeMDB from AD'.
    [09/02/14 19:19:00.215]:mmcf domain ST: Action:
    do-set-local-variable("local.homeMDB",scope="policy",token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB"))).
    [09/02/14 19:19:00.215]:mmcf domain ST:
    arg-string(token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB")))
    [09/02/14 19:19:00.215]:mmcf domain ST:
    token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB"))
    [09/02/14 19:19:00.216]:mmcf domain ST:
    token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB"))
    [09/02/14 19:19:00.216]:mmcf domain ST:
    token-dest-attr("mmcHomeMDB")
    [09/02/14 19:19:00.216]:mmcf domain ST: Token Value: "".
    [09/02/14 19:19:00.216]:mmcf domain ST: Arg Value: "".
    [09/02/14 19:19:00.216]:mmcf domain ST: Token Value: "".
    [09/02/14 19:19:00.216]:mmcf domain ST: Arg Value: "".
    [09/02/14 19:19:00.217]:mmcf domain ST: Action: do-if().
    [09/02/14 19:19:00.217]:mmcf domain ST: Evaluating conditions.
    [09/02/14 19:19:00.217]:mmcf domain ST: (if-local-variable
    'local.homeMDB' match ". ") = FALSE.
    [09/02/14 19:19:00.217]:mmcf domain ST: Performing else actions.
    [09/02/14 19:19:00.217]:mmcf domain ST: Action: do-break().
    [09/02/14 19:19:00.217]:mmcf domain ST:Policy returned:
    [09/02/14 19:19:00.217]:mmcf domain ST:
    <nds dtdversion="4.0" ndsversion="8.x">

    <input>
    <delete cached-time="20140902231900.169Z" class-name="User"
    event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    timestamp="1409699668#1"/>
    </input>
    </nds>
    [09/02/14 19:19:00.220]:mmcf domain ST:Applying policy:
    % CCFISMA%-C.
    [09/02/14 19:19:00.220]:mmcf domain ST: Applying to delete #1.
    [09/02/14 19:19:00.220]:mmcf domain ST: Evaluating selection criteria
    for rule 'Check Last Login Time - Act Accordingly'.
    [09/02/14 19:19:00.220]:mmcf domain ST: (if-operation equal
    "trigger") = FALSE.
    [09/02/14 19:19:00.220]:mmcf domain ST: Rule rejected.
    [09/02/14 19:19:00.221]:mmcf domain ST:Policy returned:
    [09/02/14 19:19:00.221]:mmcf domain ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Standard" version="4.0.2.2">DirXML</product>
    <contact>Novell, Inc.</contact>
    </source>
    <input>
    <delete cached-time="20140902231900.169Z" class-name="User"
    event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    timestamp="1409699668#1"/>
    </input>
    </nds>
    [09/02/14 19:19:00.222]:mmcf domain ST:Applying policy: % CCVeto
    Trigger%-C.
    [09/02/14 19:19:00.222]:mmcf domain ST: Applying to delete #1.
    [09/02/14 19:19:00.222]:mmcf domain ST: Evaluating selection criteria
    for rule 'Veto Trigger Events'.
    [09/02/14 19:19:00.222]:mmcf domain ST: (if-operation equal
    "trigger") = FALSE.
    [09/02/14 19:19:00.222]:mmcf domain ST: Rule rejected.
    [09/02/14 19:19:00.222]:mmcf domain ST:Policy returned:
    [09/02/14 19:19:00.222]:mmcf domain ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Standard" version="4.0.2.2">DirXML</product>
    <contact>Novell, Inc.</contact>
    </source>
    <input>
    <delete cached-time="20140902231900.169Z" class-name="User"
    event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    timestamp="1409699668#1"/>
    </input>
    </nds>
    [09/02/14 19:19:00.223]:mmcf domain ST:Subscriber processing delete for
    \META\IDM\Person\Users\MyTest.
    [09/02/14 19:19:00.223]:mmcf domain ST:Processing returned document.
    [09/02/14 19:19:00.224]:mmcf domain ST:Processing operation <status> for
    ..
    [09/02/14 19:19:00.224]:mmcf domain ST:
    DirXML Log Event -------------------
    Driver: \META\IDM\eDirMeta\mmcf domain
    Channel: Subscriber
    Object: \META\IDM\Person\Users\MyTest
    Status: Warning
    Message: Code(-8019) Operation vetoed on unassociated object.
    [09/02/14 19:19:00.302]:mmcf domain ST:End transaction.


    --
    plummb
    ------------------------------------------------------------------------
    plummb's Profile: https://forums.netiq.com/member.php?userid=1727
    View this thread: https://forums.netiq.com/showthread.php?t=51659

  • Same as before... your object is not associated.

    Export an object's DirXML-Associations attribute via LDAP and then try the
    delete. I'm guessing you will not have a processed value, which is the
    problem.

    It may be useful to post a trace of a user you think is synchronizing
    properly, and then export the DirXML-Associations attribute AFTER that
    synchronization from eDir to MAD takes place properly, when there should
    be a completed association. After that, process the delete and post the
    full trace.

    On 09/02/2014 05:25 PM, plummb wrote:
    >
    > This same event transpires on any of my users. Sync is just fine between
    > eDir and MAD. All passwords and meta data sync just as intended. When
    > trying to delete, this event occurs. I can recreate this with any
    > account.
    >
    > Here is a new account (exported in LDIF with driver association):
    > dn: cn=MyTest,ou=Users,ou=Person,o=IDM
    > changetype: add
    > DirXML-Associations: cn=mmcf
    > domain,cn=eDirMeta,o=IDM#1#240cd0c1276899428c5869
    > fb7098a607
    >
    > Here is the Level 3 on the delete event
    >
    > [09/02/14 19:19:00.206]:mmcf domain ST:Processing events for
    > transaction.
    > [09/02/14 19:19:00.206]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.0.2.2">DirXML</product>
    > <contact>Novell, Inc.</contact>
    > </source>
    > <input>
    > <delete cached-time="20140902231900.169Z" class-name="User"
    > event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    > src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    > timestamp="1409699668#1"/>
    > </input>
    > </nds>
    > [09/02/14 19:19:00.207]:mmcf domain ST:Applying event transformation
    > policies.
    > [09/02/14 19:19:00.207]:mmcf domain ST:Applying policy:
    > % CCsub-etp-Scoping%-C.
    > [09/02/14 19:19:00.208]:mmcf domain ST: Applying to delete #1.
    > [09/02/14 19:19:00.208]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Veto specify events'.
    > [09/02/14 19:19:00.208]:mmcf domain ST: (if-operation equal "move")
    > = FALSE.
    > [09/02/14 19:19:00.208]:mmcf domain ST: (if-operation equal "sync")
    > = FALSE.
    > [09/02/14 19:19:00.208]:mmcf domain ST: Rule rejected.
    > [09/02/14 19:19:00.208]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Break if the Event is wanted'.
    > [09/02/14 19:19:00.209]:mmcf domain ST: (if-association associated)
    > = FALSE.
    > [09/02/14 19:19:00.209]:mmcf domain ST: (if-class-name equal
    > "User") = TRUE.
    > [09/02/14 19:19:00.209]:mmcf domain ST: (if-src-dn in-subtree
    > "idm\person") = TRUE.
    > [09/02/14 19:19:00.209]:mmcf domain ST: Rule selected.
    > [09/02/14 19:19:00.209]:mmcf domain ST: Applying rule 'Break if the
    > Event is wanted'.
    > [09/02/14 19:19:00.209]:mmcf domain ST: Action: do-break().
    > [09/02/14 19:19:00.210]:mmcf domain ST:Policy returned:
    > [09/02/14 19:19:00.210]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.0.2.2">DirXML</product>
    > <contact>Novell, Inc.</contact>
    > </source>
    > <input>
    > <delete cached-time="20140902231900.169Z" class-name="User"
    > event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    > src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    > timestamp="1409699668#1"/>
    > </input>
    > </nds>
    > [09/02/14 19:19:00.211]:mmcf domain ST:Applying policy:
    > % CCsub-etp-Reset Attributes%-C.
    > [09/02/14 19:19:00.211]:mmcf domain ST: Applying to delete #1.
    > [09/02/14 19:19:00.211]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Reset DirXML-ADAliasName if changing'.
    > [09/02/14 19:19:00.211]:mmcf domain ST: (if-operation equal
    > "modify") = FALSE.
    > [09/02/14 19:19:00.211]:mmcf domain ST: Rule rejected.
    > [09/02/14 19:19:00.211]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Reset DirXML-ADContext if changing'.
    > [09/02/14 19:19:00.212]:mmcf domain ST: (if-operation equal
    > "modify") = FALSE.
    > [09/02/14 19:19:00.212]:mmcf domain ST: Rule rejected.
    > [09/02/14 19:19:00.212]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Block Empty Modifies'.
    > [09/02/14 19:19:00.212]:mmcf domain ST: (if-class-name equal
    > "User") = TRUE.
    > [09/02/14 19:19:00.212]:mmcf domain ST: (if-operation equal
    > "modify") = FALSE.
    > [09/02/14 19:19:00.212]:mmcf domain ST: Rule rejected.
    > [09/02/14 19:19:00.212]:mmcf domain ST:Policy returned:
    > [09/02/14 19:19:00.213]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.0.2.2">DirXML</product>
    > <contact>Novell, Inc.</contact>
    > </source>
    > <input>
    > <delete cached-time="20140902231900.169Z" class-name="User"
    > event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    > src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    > timestamp="1409699668#1"/>
    > </input>
    > </nds>
    > [09/02/14 19:19:00.213]:mmcf domain ST:Applying policy:
    > % CCsub-etp-Exch%-C.
    > [09/02/14 19:19:00.214]:mmcf domain ST: Applying to delete #1.
    > [09/02/14 19:19:00.214]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Capture Delete Event, get homeMDB from AD'.
    > [09/02/14 19:19:00.214]:mmcf domain ST: (if-class-name equal
    > "User") = TRUE.
    > [09/02/14 19:19:00.214]:mmcf domain ST: (if-operation equal
    > "delete") = TRUE.
    > [09/02/14 19:19:00.214]:mmcf domain ST: Rule selected.
    > [09/02/14 19:19:00.214]:mmcf domain ST: Applying rule 'Capture Delete
    > Event, get homeMDB from AD'.
    > [09/02/14 19:19:00.215]:mmcf domain ST: Action:
    > do-set-local-variable("local.homeMDB",scope="policy",token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB"))).
    > [09/02/14 19:19:00.215]:mmcf domain ST:
    > arg-string(token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB")))
    > [09/02/14 19:19:00.215]:mmcf domain ST:
    > token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB"))
    > [09/02/14 19:19:00.216]:mmcf domain ST:
    > token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB"))
    > [09/02/14 19:19:00.216]:mmcf domain ST:
    > token-dest-attr("mmcHomeMDB")
    > [09/02/14 19:19:00.216]:mmcf domain ST: Token Value: "".
    > [09/02/14 19:19:00.216]:mmcf domain ST: Arg Value: "".
    > [09/02/14 19:19:00.216]:mmcf domain ST: Token Value: "".
    > [09/02/14 19:19:00.216]:mmcf domain ST: Arg Value: "".
    > [09/02/14 19:19:00.217]:mmcf domain ST: Action: do-if().
    > [09/02/14 19:19:00.217]:mmcf domain ST: Evaluating conditions.
    > [09/02/14 19:19:00.217]:mmcf domain ST: (if-local-variable
    > 'local.homeMDB' match ". ") = FALSE.
    > [09/02/14 19:19:00.217]:mmcf domain ST: Performing else actions.
    > [09/02/14 19:19:00.217]:mmcf domain ST: Action: do-break().
    > [09/02/14 19:19:00.217]:mmcf domain ST:Policy returned:
    > [09/02/14 19:19:00.217]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    >
    > <input>
    > <delete cached-time="20140902231900.169Z" class-name="User"
    > event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    > src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    > timestamp="1409699668#1"/>
    > </input>
    > </nds>
    > [09/02/14 19:19:00.220]:mmcf domain ST:Applying policy:
    > % CCFISMA%-C.
    > [09/02/14 19:19:00.220]:mmcf domain ST: Applying to delete #1.
    > [09/02/14 19:19:00.220]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Check Last Login Time - Act Accordingly'.
    > [09/02/14 19:19:00.220]:mmcf domain ST: (if-operation equal
    > "trigger") = FALSE.
    > [09/02/14 19:19:00.220]:mmcf domain ST: Rule rejected.
    > [09/02/14 19:19:00.221]:mmcf domain ST:Policy returned:
    > [09/02/14 19:19:00.221]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.0.2.2">DirXML</product>
    > <contact>Novell, Inc.</contact>
    > </source>
    > <input>
    > <delete cached-time="20140902231900.169Z" class-name="User"
    > event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    > src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    > timestamp="1409699668#1"/>
    > </input>
    > </nds>
    > [09/02/14 19:19:00.222]:mmcf domain ST:Applying policy: % CCVeto
    > Trigger%-C.
    > [09/02/14 19:19:00.222]:mmcf domain ST: Applying to delete #1.
    > [09/02/14 19:19:00.222]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Veto Trigger Events'.
    > [09/02/14 19:19:00.222]:mmcf domain ST: (if-operation equal
    > "trigger") = FALSE.
    > [09/02/14 19:19:00.222]:mmcf domain ST: Rule rejected.
    > [09/02/14 19:19:00.222]:mmcf domain ST:Policy returned:
    > [09/02/14 19:19:00.222]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.0.2.2">DirXML</product>
    > <contact>Novell, Inc.</contact>
    > </source>
    > <input>
    > <delete cached-time="20140902231900.169Z" class-name="User"
    > event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    > src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    > timestamp="1409699668#1"/>
    > </input>
    > </nds>
    > [09/02/14 19:19:00.223]:mmcf domain ST:Subscriber processing delete for
    > \META\IDM\Person\Users\MyTest.
    > [09/02/14 19:19:00.223]:mmcf domain ST:Processing returned document.
    > [09/02/14 19:19:00.224]:mmcf domain ST:Processing operation <status> for
    > .
    > [09/02/14 19:19:00.224]:mmcf domain ST:
    > DirXML Log Event -------------------
    > Driver: \META\IDM\eDirMeta\mmcf domain
    > Channel: Subscriber
    > Object: \META\IDM\Person\Users\MyTest
    > Status: Warning
    > Message: Code(-8019) Operation vetoed on unassociated object.
    > [09/02/14 19:19:00.302]:mmcf domain ST:End transaction.
    >
    >


    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...
  • On 2014-09-03 01:25, plummb wrote:
    >
    > This same event transpires on any of my users. Sync is just fine between
    > eDir and MAD. All passwords and meta data sync just as intended. When
    > trying to delete, this event occurs. I can recreate this with any
    > account.
    >
    > Here is a new account (exported in LDIF with driver association):
    > dn: cn=MyTest,ou=Users,ou=Person,o=IDM
    > changetype: add
    > DirXML-Associations: cn=mmcf
    > domain,cn=eDirMeta,o=IDM#1#240cd0c1276899428c5869
    > fb7098a607
    >
    > Here is the Level 3 on the delete event
    >
    > [09/02/14 19:19:00.206]:mmcf domain ST:Processing events for
    > transaction.
    > [09/02/14 19:19:00.206]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.0.2.2">DirXML</product>
    > <contact>Novell, Inc.</contact>
    > </source>
    > <input>
    > <delete cached-time="20140902231900.169Z" class-name="User"
    > event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    > src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    > timestamp="1409699668#1"/>
    > </input>
    > </nds>
    > [09/02/14 19:19:00.207]:mmcf domain ST:Applying event transformation
    > policies.
    > [09/02/14 19:19:00.207]:mmcf domain ST:Applying policy:
    > % CCsub-etp-Scoping%-C.
    > [09/02/14 19:19:00.208]:mmcf domain ST: Applying to delete #1.
    > [09/02/14 19:19:00.208]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Veto specify events'.
    > [09/02/14 19:19:00.208]:mmcf domain ST: (if-operation equal "move")
    > = FALSE.
    > [09/02/14 19:19:00.208]:mmcf domain ST: (if-operation equal "sync")
    > = FALSE.
    > [09/02/14 19:19:00.208]:mmcf domain ST: Rule rejected.
    > [09/02/14 19:19:00.208]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Break if the Event is wanted'.
    > [09/02/14 19:19:00.209]:mmcf domain ST: (if-association associated)
    > = FALSE.
    > [09/02/14 19:19:00.209]:mmcf domain ST: (if-class-name equal
    > "User") = TRUE.
    > [09/02/14 19:19:00.209]:mmcf domain ST: (if-src-dn in-subtree
    > "idm\person") = TRUE.
    > [09/02/14 19:19:00.209]:mmcf domain ST: Rule selected.
    > [09/02/14 19:19:00.209]:mmcf domain ST: Applying rule 'Break if the
    > Event is wanted'.
    > [09/02/14 19:19:00.209]:mmcf domain ST: Action: do-break().
    > [09/02/14 19:19:00.210]:mmcf domain ST:Policy returned:
    > [09/02/14 19:19:00.210]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.0.2.2">DirXML</product>
    > <contact>Novell, Inc.</contact>
    > </source>
    > <input>
    > <delete cached-time="20140902231900.169Z" class-name="User"
    > event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    > src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    > timestamp="1409699668#1"/>
    > </input>
    > </nds>
    > [09/02/14 19:19:00.211]:mmcf domain ST:Applying policy:
    > % CCsub-etp-Reset Attributes%-C.
    > [09/02/14 19:19:00.211]:mmcf domain ST: Applying to delete #1.
    > [09/02/14 19:19:00.211]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Reset DirXML-ADAliasName if changing'.
    > [09/02/14 19:19:00.211]:mmcf domain ST: (if-operation equal
    > "modify") = FALSE.
    > [09/02/14 19:19:00.211]:mmcf domain ST: Rule rejected.
    > [09/02/14 19:19:00.211]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Reset DirXML-ADContext if changing'.
    > [09/02/14 19:19:00.212]:mmcf domain ST: (if-operation equal
    > "modify") = FALSE.
    > [09/02/14 19:19:00.212]:mmcf domain ST: Rule rejected.
    > [09/02/14 19:19:00.212]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Block Empty Modifies'.
    > [09/02/14 19:19:00.212]:mmcf domain ST: (if-class-name equal
    > "User") = TRUE.
    > [09/02/14 19:19:00.212]:mmcf domain ST: (if-operation equal
    > "modify") = FALSE.
    > [09/02/14 19:19:00.212]:mmcf domain ST: Rule rejected.
    > [09/02/14 19:19:00.212]:mmcf domain ST:Policy returned:
    > [09/02/14 19:19:00.213]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.0.2.2">DirXML</product>
    > <contact>Novell, Inc.</contact>
    > </source>
    > <input>
    > <delete cached-time="20140902231900.169Z" class-name="User"
    > event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    > src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    > timestamp="1409699668#1"/>
    > </input>
    > </nds>
    > [09/02/14 19:19:00.213]:mmcf domain ST:Applying policy:
    > % CCsub-etp-Exch%-C.
    > [09/02/14 19:19:00.214]:mmcf domain ST: Applying to delete #1.
    > [09/02/14 19:19:00.214]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Capture Delete Event, get homeMDB from AD'.
    > [09/02/14 19:19:00.214]:mmcf domain ST: (if-class-name equal
    > "User") = TRUE.
    > [09/02/14 19:19:00.214]:mmcf domain ST: (if-operation equal
    > "delete") = TRUE.
    > [09/02/14 19:19:00.214]:mmcf domain ST: Rule selected.
    > [09/02/14 19:19:00.214]:mmcf domain ST: Applying rule 'Capture Delete
    > Event, get homeMDB from AD'.
    > [09/02/14 19:19:00.215]:mmcf domain ST: Action:
    > do-set-local-variable("local.homeMDB",scope="policy",token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB"))).
    > [09/02/14 19:19:00.215]:mmcf domain ST:
    > arg-string(token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB")))
    > [09/02/14 19:19:00.215]:mmcf domain ST:
    > token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB"))
    > [09/02/14 19:19:00.216]:mmcf domain ST:
    > token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB"))
    > [09/02/14 19:19:00.216]:mmcf domain ST:
    > token-dest-attr("mmcHomeMDB")
    > [09/02/14 19:19:00.216]:mmcf domain ST: Token Value: "".
    > [09/02/14 19:19:00.216]:mmcf domain ST: Arg Value: "".
    > [09/02/14 19:19:00.216]:mmcf domain ST: Token Value: "".
    > [09/02/14 19:19:00.216]:mmcf domain ST: Arg Value: "".
    > [09/02/14 19:19:00.217]:mmcf domain ST: Action: do-if().
    > [09/02/14 19:19:00.217]:mmcf domain ST: Evaluating conditions.
    > [09/02/14 19:19:00.217]:mmcf domain ST: (if-local-variable
    > 'local.homeMDB' match ". ") = FALSE.
    > [09/02/14 19:19:00.217]:mmcf domain ST: Performing else actions.
    > [09/02/14 19:19:00.217]:mmcf domain ST: Action: do-break().
    > [09/02/14 19:19:00.217]:mmcf domain ST:Policy returned:
    > [09/02/14 19:19:00.217]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    >
    > <input>
    > <delete cached-time="20140902231900.169Z" class-name="User"
    > event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    > src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    > timestamp="1409699668#1"/>
    > </input>
    > </nds>
    > [09/02/14 19:19:00.220]:mmcf domain ST:Applying policy:
    > % CCFISMA%-C.
    > [09/02/14 19:19:00.220]:mmcf domain ST: Applying to delete #1.
    > [09/02/14 19:19:00.220]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Check Last Login Time - Act Accordingly'.
    > [09/02/14 19:19:00.220]:mmcf domain ST: (if-operation equal
    > "trigger") = FALSE.
    > [09/02/14 19:19:00.220]:mmcf domain ST: Rule rejected.
    > [09/02/14 19:19:00.221]:mmcf domain ST:Policy returned:
    > [09/02/14 19:19:00.221]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.0.2.2">DirXML</product>
    > <contact>Novell, Inc.</contact>
    > </source>
    > <input>
    > <delete cached-time="20140902231900.169Z" class-name="User"
    > event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    > src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    > timestamp="1409699668#1"/>
    > </input>
    > </nds>
    > [09/02/14 19:19:00.222]:mmcf domain ST:Applying policy: % CCVeto
    > Trigger%-C.
    > [09/02/14 19:19:00.222]:mmcf domain ST: Applying to delete #1.
    > [09/02/14 19:19:00.222]:mmcf domain ST: Evaluating selection criteria
    > for rule 'Veto Trigger Events'.
    > [09/02/14 19:19:00.222]:mmcf domain ST: (if-operation equal
    > "trigger") = FALSE.
    > [09/02/14 19:19:00.222]:mmcf domain ST: Rule rejected.
    > [09/02/14 19:19:00.222]:mmcf domain ST:Policy returned:
    > [09/02/14 19:19:00.222]:mmcf domain ST:
    > <nds dtdversion="4.0" ndsversion="8.x">
    > <source>
    > <product edition="Standard" version="4.0.2.2">DirXML</product>
    > <contact>Novell, Inc.</contact>
    > </source>
    > <input>
    > <delete cached-time="20140902231900.169Z" class-name="User"
    > event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
    > qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
    > src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
    > timestamp="1409699668#1"/>
    > </input>
    > </nds>
    > [09/02/14 19:19:00.223]:mmcf domain ST:Subscriber processing delete for
    > \META\IDM\Person\Users\MyTest.
    > [09/02/14 19:19:00.223]:mmcf domain ST:Processing returned document.
    > [09/02/14 19:19:00.224]:mmcf domain ST:Processing operation <status> for
    > ..
    > [09/02/14 19:19:00.224]:mmcf domain ST:
    > DirXML Log Event -------------------
    > Driver: \META\IDM\eDirMeta\mmcf domain
    > Channel: Subscriber
    > Object: \META\IDM\Person\Users\MyTest
    > Status: Warning
    > Message: Code(-8019) Operation vetoed on unassociated object.
    > [09/02/14 19:19:00.302]:mmcf domain ST:End transaction.
    >
    >

    Does the driver have rights to read the DirXML-Association attribute? Check direct rigths or security equivalence.

    Best regards,
    Tobias

  • I know the association is valid. After the user object is created with a
    'Processed' association to the domain, there is a separate driver that
    creates a Unique ID for that object and later publishes it
    (successfully) back to MAD. Here's a bit of that event:
    <input>
    <modify class-name="user" event-id="mmcf domain##1483b822cd9##0"
    src-dn="CN=MyUser,CN=Users,DC=mmcf,DC=mehealth,DC=org">
    <association>96521f1ee353414987850fd677166af0</association>
    <modify-attr attr-name="employeeNumber">
    <remove-all-values/>
    <add-value>
    <value naming="false" type="string">MH62811</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>

    and later on after the send....

    DirXML Log Event -------------------
    Driver: \META\IDM\eDirMeta\mmcf domain
    Channel: Publisher
    Object: CN=MyUser,CN=Users,DC=mmcf,DC=mehealth,DC=org
    (IDM\Person\Users\MyUser)
    Status: Success

    Export of MAD User shows employeeType populated successfully with
    MH62811

    LDIF export in eDirectory:
    dn: cn=MyUser,ou=Users,ou=Person,o=IDM
    changetype: add
    DirXML-Associations: cn=mmcf
    domain,cn=eDirMeta,o=IDM#1#96521f1ee353414987850fd677166af0

    Trace on Delete is the same as shown before - ending with:

    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Standard" version="4.0.2.2">DirXML</product>
    <contact>Novell, Inc.</contact>
    </source>
    <input>
    <delete cached-time="20140903124251.660Z" class-name="User"
    event-id="VMIDMMETA#20140903124251#3#1:a4158b4e-3389-47b2-9882-4e8b15a48933"
    qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyUser"
    src-dn="\META\IDM\Person\Users\MyUser" src-entry-id="116783"
    timestamp="1409747508#1"/>
    </input>
    </nds>
    [09/03/14 08:42:51.707]:mmcf domain ST:Subscriber processing delete for
    \META\IDM\Person\Users\MyUser.
    [09/03/14 08:42:51.708]:mmcf domain ST:Processing returned document.
    [09/03/14 08:42:51.708]:mmcf domain ST:Processing operation <status> for
    ..
    [09/03/14 08:42:51.708]:mmcf domain ST:
    DirXML Log Event -------------------
    Driver: \META\IDM\eDirMeta\mmcf domain
    Channel: Subscriber
    Object: \META\IDM\Person\Users\MyUser
    Status: Warning
    Message: Code(-8019) Operation vetoed on unassociated object.
    [09/03/14 08:42:51.771]:mmcf domain ST:End transaction.


    --
    plummb
    ------------------------------------------------------------------------
    plummb's Profile: https://forums.netiq.com/member.php?userid=1727
    View this thread: https://forums.netiq.com/showthread.php?t=51659


  • Security Equiv is as the admin account. The sync of data is working
    fine. It just doesn't see an association at the time of delete.


    --
    plummb
    ------------------------------------------------------------------------
    plummb's Profile: https://forums.netiq.com/member.php?userid=1727
    View this thread: https://forums.netiq.com/showthread.php?t=51659

  • What is causing the delete, and how exactly? For example, I'm guessing
    you're doing this using iManager, just choosing the user and hitting
    Delete, or using an LDAP tool like Apache Directory Studio where you
    choose he object (which still has the association presumably) and then
    pressing the delete key. If anything other than those two methods, please
    elaborate.

    The reason I ask is that I've seen applications before that "helpfully"
    stripped off attributes before deleting objects. Seems unlikely here, but
    worth checking out.

    Also, do you have any other IDM drivers involved at all?

    Could you post your level three trace of the driver startup through a
    delete event, perhaps something like SUSE Paste or Pastebin or something
    if it's too big to post here? The reason is that it may be interesting to
    see how ECVs are set in case something stands out there.

    I presume that the eDirectory partition holding this user is a full
    read/write or Master replica, and not filtered at all. Please correct me
    if I'm wrong.

    For a test, stop the driver config and cause a delete, then look at the
    cache (cache inspector) and see if the XML has an association. Start the
    driver and let is continue to see if things behave the same way (catching
    the trace at the same time). Any different?

    Since I cannot find it in your other posts, could you please confirm
    eDirectory versions/patches and IDM version/patches?

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...