vkhoury;2490852 wrote:
I'm using IDM 4.7. I wrote the following policy in the loopback driver in order to add users on entitlement assignment.
The entitlement is valued.
<do-add-src-attr-value class-name="User" name="Group Membership">
<arg-dn>
<token-src-dn/>
</arg-dn>
<arg-value type="string">
<token-local-variable name="current-node"/>
</arg-value>
</do-add-src-attr-value>

When assigning an entitlement to a user i have the following error: Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY

The Trace file is as follows:
[11/15/18 11:13:13.024]:Group Membership Control ST:Applying policy: % CCACMELBACKENT-maintain Group Membership based on Entitlements%-C.
[11/15/18 11:13:13.024]:Group Membership Control ST: Applying to modify #1.
[11/15/18 11:13:13.024]:Group Membership Control ST: Evaluating selection criteria for rule 'Only allow add and modify operations'.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-operation not-equal "add") = TRUE.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-operation not-equal "modify") = FALSE.
[11/15/18 11:13:13.024]:Group Membership Control ST: Rule rejected.
[11/15/18 11:13:13.024]:Group Membership Control ST: Evaluating selection criteria for rule 'Group add or remove on entitlement'.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-class-name equal "User") = TRUE.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-entitlement 'ACMELBACKENT-Assign Group Membership' changing) = TRUE.
[11/15/18 11:13:13.024]:Group Membership Control ST: Rule selected.
[11/15/18 11:13:13.024]:Group Membership Control ST: Applying rule 'Group add or remove on entitlement'.
[11/15/18 11:13:13.024]:Group Membership Control ST: Action: do-for-each(arg-node-set(token-added-entitlement("ACMELBACKENT-Assign Group Membership"))).
[11/15/18 11:13:13.024]:Group Membership Control ST: arg-node-set(token-added-entitlement("ACMELBACKENT-Assign Group Membership"))
[11/15/18 11:13:13.024]:Group Membership Control ST: token-added-entitlement("ACMELBACKENT-Assign Group Membership")
[11/15/18 11:13:13.024]:Group Membership Control ST: Token Value: {<entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state = "1"}.
[11/15/18 11:13:13.024]:Group Membership Control ST: Arg Value: {<entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state = "1"}.
[11/15/18 11:13:13.040]:Group Membership Control ST: Performing actions for local-variable(current-node) = <entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state = "1".
[11/15/18 11:13:13.040]:Group Membership Control ST: Action: do-add-src-attr-value("Group Membership",class-name="User",arg-dn(token-src-dn()),token-local-variable("current-node")).
[11/15/18 11:13:13.040]:Group Membership Control ST: arg-dn(token-src-dn())
[11/15/18 11:13:13.040]:Group Membership Control ST: token-src-dn()
[11/15/18 11:13:13.040]:Group Membership Control ST: Token Value: "\IDVAULT-TREE\data\users\VKhoury".
[11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value: "\IDVAULT-TREE\data\users\VKhoury".
[11/15/18 11:13:13.040]:Group Membership Control ST: arg-string(token-local-variable("current-node"))
[11/15/18 11:13:13.040]:Group Membership Control ST: token-local-variable("current-node")
[11/15/18 11:13:13.040]:Group Membership Control ST: Token Value: "{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}".
[11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value: "{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}".
[11/15/18 11:13:13.040]:Group Membership Control ST: Action: do-for-each(arg-node-set(token-removed-entitlement("ACMELBACKENT-Assign Group Membership"))).
[11/15/18 11:13:13.040]:Group Membership Control ST: arg-node-set(token-removed-entitlement("ACMELBACKENT-Assign Group Membership"))
[11/15/18 11:13:13.040]:Group Membership Control ST: token-removed-entitlement("ACMELBACKENT-Assign Group Membership")
[11/15/18 11:13:13.040]:Group Membership Control ST: Token Value: {}.
[11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value: {}.
[11/15/18 11:13:13.040]:Group Membership Control ST: Evaluating selection criteria for rule 'Terminate Further Operation Processing'.
[11/15/18 11:13:13.040]:Group Membership Control ST: Rule selected.
[11/15/18 11:13:13.040]:Group Membership Control ST: Applying rule 'Terminate Further Operation Processing'.
[11/15/18 11:13:13.040]:Group Membership Control ST: Action: do-veto().
[11/15/18 11:13:13.040]:Group Membership Control ST: Direct command from policy
[11/15/18 11:13:13.040]:Group Membership Control ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="User" dest-dn="\IDVAULT-TREE\data\users\VKhoury" event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d">
<modify-attr attr-name="Group Membership">
<add-value>
<value type="string">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</value>
</add-value>
</modify-attr>
<operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
</modify>
</input>
</nds>
[11/15/18 11:13:13.040]:Group Membership Control ST: Stripping operation data from input document
[11/15/18 11:13:13.040]:Group Membership Control ST: Pumping XDS to eDirectory.
[11/15/18 11:13:13.040]:Group Membership Control ST: Performing operation modify for \IDVAULT-TREE\data\users\VKhoury.
[11/15/18 11:13:13.040]:Group Membership Control ST: --JCLNT-- \IDVAULT-TREE\system\driverset1\Group Membership Control : Duplicating : context = 656867519, tempContext = 656867482
[11/15/18 11:13:13.040]:Group Membership Control ST: --JCLNT-- \IDVAULT-TREE\system\driverset1\Group Membership Control : Calling free on tempContext = 656867482
[11/15/18 11:13:13.040]:Group Membership Control ST: Restoring operation data to output document
[11/15/18 11:13:13.040]:Group Membership Control ST: Processing returned document.
[11/15/18 11:13:13.040]:Group Membership Control ST: Processing operation <status> for .
[11/15/18 11:13:13.040]:Group Membership Control ST:
DirXML Log Event -------------------
Driver: \IDVAULT-TREE\system\driverset1\Group Membership Control
Channel: Subscriber
Status: Success
[11/15/18 11:13:13.117]:Group Membership Control ST: Processing operation <status> for .
[11/15/18 11:13:13.117]:Group Membership Control ST:
DirXML Log Event -------------------
Driver: \IDVAULT-TREE\system\driverset1\Group Membership Control
Channel: Subscriber
Status: Warning
Message: Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY
[11/15/18 11:13:13.180]:Group Membership Control ST: Direct command from policy result
[11/15/18 11:13:13.180]:Group Membership Control ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d" level="success"><operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
<application>DirXML</application>
<module>Group Membership Control</module>
<object-dn></object-dn>
<component>Subscriber</component>
</status>
<status event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d" level="warning">Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY<operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
<application>DirXML</application>
<module>Group Membership Control</module>
<object-dn></object-dn>
<component>Subscriber</component>
</status>
</output>
</nds>
[11/15/18 11:13:13.180]:Group Membership Control ST:Policy returned:
[11/15/18 11:13:13.180]:Group Membership Control ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input/>
</nds>
[11/15/18 11:13:13.180]:Group Membership Control ST:End transaction.

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="User" dest-dn="\IDVAULT-TREE\data\users\VKhoury" event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d">
<modify-attr attr-name="Group Membership">
<add-value>
<value type="string">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</value>
</add-value>
</modify-attr>
<operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
</modify>
</input>
</nds>