Adding an Aux class in an ADAM/LDS driver?

We are trying to add a user in ADAM/LDS. When it is just an effective
class (not User/inetOrgperson) it works fine. But if we need to add
attrs that are in Aux classes, it looks like the way the <add> event
gets structured,

<add-attr attr-name="objectClass">
  <value type="string">eduPerson</value>
</add-attr>
<add-attr attr-name="objectClass">
  <value type="string">newPilotPerson</value>
</add-attr>

Seems like it is not adding a second value, rather it is overwriting
each time. So we always get an object class violation.

Tried reformatting the XML to look more like:

<add-attr attr-name="objectClass">
  <value type="string">eduPerson</value>
  <value type="string">newPilotPerson</value>
</add-attr>

But you can't, since the shim adds the @class-name as an add-value of
object class as the first attribute in the event. And it happens in the
shim, so you cannot apply policy to try and fix it.

Is it possible to add a user in LDS/ADAM and Aux classes and attrs from
the aux classes in the same event?

This is surprising behavior, and not what we expected, but seems to be
what is happening. Does not seem to happen in the AD Driver in my
experience.

IDM 4.5.02 with latest AD shim.
  • Geoffrey Carman wrote:

    >
    > Is it possible to add a user in LDS/ADAM and Aux classes and attrs from the aux classes in the same event?


    Does it work if you add as a regular user and then do all the aux stuff on a modify?
    I've done some ugly hacks in the past to get around stuff like this.

    > This is surprising behavior, and not what we expected, but seems to be what is happening. Does not seem to happen in the AD Driver in my experience.


    I agree, quite surprising, almost seems like a bug (at least in part)
  • On 5/12/2015 4:35 PM, Alex McHugh wrote:
    > Geoffrey Carman wrote:
    >
    >>
    >> Is it possible to add a user in LDS/ADAM and Aux classes and attrs from the aux classes in the same event?

    >
    > Does it work if you add as a regular user and then do all the aux stuff on a modify?
    > I've done some ugly hacks in the past to get around stuff like this.


    That is the plan I am voting for. Wondering if anyone else has tried it
    with this shim this way before. Or if anyone knows that this is a
    specific issue.

    >> This is surprising behavior, and not what we expected, but seems to be what is happening. Does not seem to happen in the AD Driver in my experience.

    >
    > I agree, quite surprising, almost seems like a bug (at least in part)


    It does. Not quite there yet, still trying to understand it.



  • Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:
    > On 5/12/2015 4:35 PM, Alex McHugh wrote:
    >> Geoffrey Carman wrote:
    >>
    >>>
    >>> Is it possible to add a user in LDS/ADAM and Aux classes and attrs from
    >>> the aux classes in the same event?

    >>
    >> Does it work if you add as a regular user and then do all the aux stuff on a modify?
    >> I've done some ugly hacks in the past to get around stuff like this.

    >
    > That is the plan I am voting for. Wondering if anyone else has tried it
    > with this shim this way before. Or if anyone knows that this is a specific issue.
    >


    Never worked with this driver before. Sorry.
    Always assumed it was very similar to AD shim.


  • On 5/13/2015 3:47 AM, Alex McHugh wrote:
    > Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:
    >> On 5/12/2015 4:35 PM, Alex McHugh wrote:
    >>> Geoffrey Carman wrote:
    >>>
    >>>>
    >>>> Is it possible to add a user in LDS/ADAM and Aux classes and attrs from
    >>>> the aux classes in the same event?
    >>>
    >>> Does it work if you add as a regular user and then do all the aux stuff on a modify?
    >>> I've done some ugly hacks in the past to get around stuff like this.

    >>
    >> That is the plan I am voting for. Wondering if anyone else has tried it
    >> with this shim this way before. Or if anyone knows that this is a specific issue.
    >>

    >
    > Never worked with this driver before. Sorry.
    > Always assumed it was very similar to AD shim.


    It actually IS the AD Shim.

  • Geoffrey Carman wrote:

    > It actually IS the AD Shim.


    So it is just different policies and driver properties that make it ADAM/LDS??

    Then again - I've never had to add object classes on add to the standard object class for the AD driver.

  • alexmchugh;257087 Wrote:
    > Geoffrey Carman wrote:
    >
    > > It actually IS the AD Shim.

    >
    > So it is just different policies and driver properties that makes it
    > ADAM/LDS??
    >
    > Then again - I've never had to add object classes on add to the standard
    > object class for the AD driver.


    That is one of those "who, in their right mind, would do that in AD"
    sort of things. I never have either. But ADAM/LDS is "supposed" to be
    more of a generic LDAP Directory. I wrote a work-around for this issue,
    where the objectClass values and aux class attributes are added using a
    when=after setting. The driver code appears to be a much older version
    of the AD Driver, as there are no packages involved, just the old
    fashioned XML import. Not sure if the disconnect is the NetIQ shim not
    doing something different it should be doing for ADAM/LDS, or if
    Microsoft still does not understand LDAP.


    --
    tse7147

  • tse7147 wrote:

    > where the objectClass values and aux class attributes are added using a
    > when=after setting


    I prefer to tag with operation data and then act on the add-association as this is more reliable when the add fails.
    However your approach works also.
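
The when=after workaround discussed in this thread could look like the DirXML Script rule below. This is an added example, not the policy written by anyone in the thread; it assumes a Subscriber channel policy, the class name User, and eduPersonAffiliation as the aux attribute being synchronized.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Assumed: Subscriber channel policy,
     class User, aux attribute eduPersonAffiliation. -->
<policy>
  <rule>
    <description>ADAM/LDS: apply aux classes and aux attrs after the add</description>
    <conditions>
      <and>
        <if-operation mode="case" op="equal">add</if-operation>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <!-- Only fire when the add actually carries the aux attribute. -->
        <if-op-attr name="eduPersonAffiliation" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- Queue the aux classes in a modify that runs after the add. -->
      <do-add-dest-attr-value name="objectClass" when="after">
        <arg-value type="string">
          <token-text xml:space="preserve">eduPerson</token-text>
        </arg-value>
      </do-add-dest-attr-value>
      <do-add-dest-attr-value name="objectClass" when="after">
        <arg-value type="string">
          <token-text xml:space="preserve">newPilotPerson</token-text>
        </arg-value>
      </do-add-dest-attr-value>
      <!-- Copy the aux attribute into the same follow-up modify.
           token-op-attr used as a string yields the first value only. -->
      <do-add-dest-attr-value name="eduPersonAffiliation" when="after">
        <arg-value type="string">
          <token-op-attr name="eduPersonAffiliation"/>
        </arg-value>
      </do-add-dest-attr-value>
      <!-- Strip both from the add so it carries only the structural class
           that the shim derives from class-name. -->
      <do-strip-op-attr name="objectClass"/>
      <do-strip-op-attr name="eduPersonAffiliation"/>
    </actions>
  </rule>
</policy>
```

The follow-up modify is issued regardless of how the add ended, which is the reliability concern that the add-association approach in the last reply addresses.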