Anonymous_User Absent Member.

AD Driver, Shim not writing to LDAP


Hi,

I have an IdM 4.02 installation running an AD driver. It's using a 4.02
remote loader on Windows 2008 R2.

It was working fine, until we noticed some accounts had all their
attributes stripped. Even new accounts are being created without 99% of
their attributes.

In the trace we see that the rules/filters let the attributes go to
the remote loader, but when the shim goes to write to LDAP, it doesn't
write most of the values.

Here is a level 5 remote loader trace.

Any ideas?

Thanks, Eric.


Code:
--------------------

<add cached-time="20130408164716.963Z" class-name="user" dest-dn="CN=testad,DC=Domain" event-id="SERVER#20130408164716#7#2:49971645-f8f2-459d-66b0-45169749f2f8" qualified-src-dn="O=CBCSRC\OU=USERS\OU=ACTIVE\CN=testad" src-dn="\TREE\testad" src-entry-id="54405" timestamp="1365439635#5">
<add-attr attr-name="carLicense">
<value timestamp="1365439627#14" type="state">false</value>
</add-attr>
<add-attr attr-name="displayName">
<value timestamp="1365439627#11" type="string">AD TEST</value>
</add-attr>
<add-attr attr-name="givenName">
<value timestamp="1365439627#20" type="string">AD</value>
</add-attr>
<add-attr attr-name="mail">
<value timestamp="1365439635#5" type="string">AD.TEST@email.com</value>
</add-attr>
<add-attr attr-name="physicalDeliveryOfficeName">
<value timestamp="1365439627#10" type="string">TORONTO</value>
</add-attr>
<add-attr attr-name="preferredLanguage">
<value timestamp="1365439627#5" type="structured">
<component name="string">English</component>
</value>
</add-attr>
<add-attr attr-name="accountExpires">
<value type="octet">130115547600000000</value>
</add-attr>
<add-attr attr-name="manager">
<value association-ref="2b1e76b78c7b6e4fbbea7b3597877e73" timestamp="1365439627#6" type="dn">\TREE\VEYSEYE</value>
</add-attr>
<add-attr attr-name="department">
<value timestamp="1365439627#8" type="string">A&E (ARTS & ENTERTAINMENT)</value>
</add-attr>
<add-attr attr-name="sn">

DirXML: [04/08/13 12:47:17.54]: <value timestamp="1365439627#16" type="string">TEST</value>
</add-attr>
<add-attr attr-name="title">
<value timestamp="1365439627#19" type="string">test</value>
</add-attr>
<add-attr attr-name="userPrincipalName">
<value type="string">testad@domain</value>
</add-attr>
<add-attr attr-name="sAMAccountName">
<value type="string">testad</value>
</add-attr>
<add-attr attr-name="dirxml-uACAccountDisable">
<value type="string">false</value>
</add-attr>
<password><!-- content suppressed --></password>
</add>
</input>
</nds>
DirXML: [04/08/13 12:47:17.54]: ADDriver: parse command

className user
destDN CN=testad,DC=Domain
eventId SERVER#20130408164716#7#2:49971645-f8f2-459d-66b0-45169749f2f8
association
DirXML: [04/08/13 12:47:17.54]: ADDriver: MadCommandAdd::onCommand
DirXML: [04/08/13 12:47:17.54]: ADDriver: MadCommandAdd::insertXdsAttributes()
DirXML: [04/08/13 12:47:17.54]: ADDriver: carLicense
DirXML: [04/08/13 12:47:17.54]: ADDriver: displayName
DirXML: [04/08/13 12:47:17.56]: ADDriver: givenName
DirXML: [04/08/13 12:47:17.56]: ADDriver: mail
DirXML: [04/08/13 12:47:17.56]: ADDriver: physicalDeliveryOfficeName
DirXML: [04/08/13 12:47:17.56]: ADDriver: preferredLanguage
DirXML: [04/08/13 12:47:17.56]: ADDriver: accountExpires
DirXML: [04/08/13 12:47:17.56]: ADDriver: manager
DirXML: [04/08/13 12:47:17.56]: ADDriver: department
DirXML: [04/08/13 12:47:17.56]: ADDriver: sn
DirXML: [04/08/13 12:47:17.57]: ADDriver: title
DirXML: [04/08/13 12:47:17.57]: ADDriver: userPrincipalName
DirXML: [04/08/13 12:47:17.57]: ADDriver: sAMAccountName
DirXML: [04/08/13 12:47:17.57]: ADDriver: dirxml-uACAccountDisable
DirXML: [04/08/13 12:47:17.57]: ADDriver: Add user CN=testad,DC=Domain
LDAPMod operations:
add attribute objectClass
>> user

add attribute objectCategory
>> CN=Person,CN=Schema,CN=Configuration,DC=in,DC=domain

add attribute accountExpires
>> 130115547600000000

add attribute manager
>> CN=VEYSEYE,OU=OTT,OU=ONT,OU=Identity Management Accounts,DC=media,DC=in,DC=domain

DirXML: [04/08/13 12:47:17.62]: ADDriver: change password: old=(none), new=***
DirXML: [04/08/13 12:47:17.70]: ADDriver: password change complete
DirXML: [04/08/13 12:47:17.70]: ADDriver: set userAccountControl returns 0x0000
DirXML: [04/08/13 12:47:17.70]: Loader: subscriptionShim->execute() returned:
DirXML: [04/08/13 12:47:17.70]: Loader: XML Document:
DirXML: [04/08/13 12:47:17.70]: <nds ndsversion="8.7" dtdversion="1.1">


--------------------


--
EricVeysey
------------------------------------------------------------------------
EricVeysey's Profile: https://forums.netiq.com/member.php?userid=493
View this thread: https://forums.netiq.com/showthread.php?t=47513


Re: AD Driver, Shim not writing to LDAP

Can you show us a startup trace from the engine side? The only thing that
looks really strange is the link to the manager; is that user in the same
domain? Is this a single-domain environment? Is the w2k8 r2 box a domain
controller? With that information hopefully the trace will provide good data.

Good luck.

Re: AD Driver, Shim not writing to LDAP

On 4/9/2013 1:59 PM, ab wrote:
> Can you show us a startup trace from the engine side? The only thing that
> looks really strange is the link to the manager; is that user in the same
> domain? Is this a single-domain environment? Is the w2k8 r2 box a domain
> controller? With that information hopefully the trace will provide good data.


You know, I wonder if the shim is throwing an error on the manager
attribute and thus stopping. Alas, the ordering and process order seems
out of your control.

Could you test the exact same case, sans manager?


Re: AD Driver, Shim not writing to LDAP

On 09.04.2013 19:14, EricVeysey wrote:
> <add-attr attr-name="preferredLanguage">
> <value timestamp="1365439627#5" type="structured">
> <component name="string">English</component>
> </value>
> </add-attr>


Could it be this attribute?

Preferred language is a string attribute in AD (not structured).
However I seem to recall that the Driver shim just discards the
structured part and only syncs the text.

The manager also looks suspect (it's a solid bet as it is the last
event the shim is processing before it gives up)

But at the same time.. the association-ref seems to resolve to something
(I've synced to manager in another AD domain by association-ref plenty
of times before) - which makes me doubt it is the actual problem. The
IDM DN which looks suspicious is redundant and should be ignored by the
driver shim (when a valid association-ref is available, it is used)

I was suspicious of the "octet" format used here (octet is for base64
encoded binary blobs):

<add-attr attr-name="accountExpires">
<value type="octet">130115547600000000</value>

But I just tested this and it worked in my 402 environment.

I'd suggest you try and narrow it down by temporarily removing specific
attributes from the event sent to AD and seeing if the add is
successful. Start with excluding manager attribute.

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: AD Driver, Shim not writing to LDAP


Hi Eric,
Could you enable "LDAP trace" on AD side?
Maybe we will receive more information about "internal" AD-LDAP
processes?

http://tinyurl.com/cwcrjsl

HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NTDS\DIAGNOSTICS

Here you will find available REG_DWORD options that can be changed to an
advanced logging:

1 Knowledge Consistency Checker (KCC)
2 Security Events
3 ExDS Interface Events
4 MAPI Interface Events
5 Replication Events
6 Garbage Collection
7 Internal Configuration
8 Directory Access
9 Internal Processing
10 Performance Counters
11 Initialization/Termination
12 Service Control
13 Name Resolution
14 Backup
15 Field Engineering
16 LDAP INTERFACE EVENTS
17 Setup
18 Global Catalog
19 Inter-site Messaging

Alex

alexmchugh;228388 Wrote:
> On 09.04.2013 19:14, EricVeysey wrote:
> > <add-attr attr-name="preferredLanguage">
> > <value timestamp="1365439627#5" type="structured">
> > <component name="string">English</component>
> > </value>
> > </add-attr>

>
> Could it be this attribute?
>
> Preferred language is a string attribute in AD (not structured).
> However I seem to recall that the Driver shim just discards the
> structured part and only syncs the text.
>
> The manager also looks suspect (it's a solid bet as it is the last
> event the shim is processing before it gives up)
>
> But at the same time.. the association-ref seems to resolve to
> something
> (I've synced to manager in another AD domain by association-ref plenty
> of times before) - which makes me doubt it is the actual problem. The
> IDM DN which looks suspicious is redundant and should be ignored by the
> driver shim (when a valid association-ref is available, it is used)
>
> I was suspicious of the "octet" format used here (octet is for base64
> encoded binary blobs):
>
> <add-attr attr-name="accountExpires">
> <value type="octet">130115547600000000</value>
>
> But I just tested this and it worked in my 402 environment.
>
> I'd suggest you try and narrow it down by temporarily removing specific
> attributes from the event sent to AD and seeing if the add is
> successful. Start with excluding manager attribute.
>
> --
> ----------------------------------------------------------------------
> Alex McHugh
> NetIQ Knowledge Partner http://forums.netiq.com
>
> Please post questions in the forums. No support is provided via email.



--
al_b
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=47513


Re: AD Driver, Shim not writing to LDAP

On 09.04.2013 21:52, Alex McHugh wrote:
> On 09.04.2013 19:14, EricVeysey wrote:
>> <add-attr attr-name="preferredLanguage">
>> <value timestamp="1365439627#5" type="structured">
>> <component name="string">English</component>
>> </value>
>> </add-attr>

>
> Could it be this attribute?
>
> Preferred language is a string attribute in AD (not structured).
> However I seem to recall that the Driver shim just discards the
> structured part and only syncs the text.


After some quick testing, I'm pretty sure the problem is the way you try
to set preferredLanguage attribute.

I tested setting it the same way in my 402 / AD 2008 R2 environment and
got the following (note the driver shim processes delete attribute
preferredLanguage but never sets it to a new value) - I checked directly
in AD afterwards and the attribute wasn't set either.

DirXML: [04/09/13 22:02:42.25]: Loader: Calling subscriptionShim->execute()
DirXML: [04/09/13 22:02:42.25]: Loader: XML Document:
DirXML: [04/09/13 22:02:42.25]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.1">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="user" event-id="trigger-job:TEST1#20130409200317#0#0">
<association>67403fb9e4ee334f8c3f048bb665790c</association>
<modify-attr attr-name="preferredLanguage">
<remove-all-values/>
<add-value>
<value type="structured">
<component name="string">English</component>
</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [04/09/13 22:02:42.25]: ADDriver: parse command

className user
destDN
eventId trigger-job:TEST1#20130409200317#0#0
association 67403fb9e4ee334f8c3f048bb665790c
DirXML: [04/09/13 22:02:42.25]: ADDriver: parse modify class = user
DirXML: [04/09/13 22:02:42.25]: ADDriver: association
DirXML: [04/09/13 22:02:42.25]: ADDriver:
67403fb9e4ee334f8c3f048bb665790c
DirXML: [04/09/13 22:02:42.25]: ADDriver: modify-attr
DirXML: [04/09/13 22:02:42.25]: ADDriver: remove-all-values
DirXML: [04/09/13 22:02:42.25]: ADDriver: add-value
DirXML: [04/09/13 22:02:42.25]: ADDriver: value
DirXML: [04/09/13 22:02:42.25]: ADDriver:
DirXML: [04/09/13 22:02:42.25]: ADDriver: ldap_modify user
CN=Test1,OU=Users,OU=ACME,DC=Lab,DC=com
LDAPMod operations:
delete attribute preferredLanguage
DirXML: [04/09/13 22:02:42.25]: Loader: subscriptionShim->execute()
returned:
DirXML: [04/09/13 22:02:42.25]: Loader: XML Document:
DirXML: [04/09/13 22:02:42.25]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.0.0" asn1id="" build="20120330_120000"
instance="\IDM\ACME\System\IDM\DriverSet\AD">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status level="success" event-id="trigger-job:TEST1#20130409200317#0#0"/>
</output>
</nds>
DirXML: [04/09/13 22:02:42.25]:
DirXML Log Event -------------------
Driver = \IDM\ACME\System\IDM\DriverSet\AD
Thread = Subscriber Channel
Level = success



--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: AD Driver, Shim not writing to LDAP

> After some quick testing, I'm pretty sure the problem is the way you try
> to set preferredLanguage attribute.


And you can fix this with a trivial policy addition:

<do-reformat-op-attr name="preferredLanguage">
<arg-value type="string">
<token-local-variable name="current-value"/>
</arg-value>
</do-reformat-op-attr>

This says reformat the operation attribute preferredLanguage, and to what
values? Well, use the magic current-value variable, which implies, do
this one step for each value that is in the event document.

The trick is that the result, the <arg-value> will be of type="string",
which has the effect of converting it from structured to string. Though
if it is <component> in the event, maybe it needs to be a smidgen more
complex as:

<do-reformat-op-attr name="preferredLanguage">
<arg-value type="string">
<token-xpath expression="$current-value/component[@name='string']"/>
</arg-value>
</do-reformat-op-attr>

Which says use XPATH to get the $current-value variable's child node,
component, but only if it is named string.

Though I think my first one would work, as it would concat all component
values together into one string, which would be the same thing.





> DirXML: [04/09/13 22:02:42.25]: <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.2.1">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <modify class-name="user"
> event-id="trigger-job:TEST1#20130409200317#0#0">
> <association>67403fb9e4ee334f8c3f048bb665790c</association>
> <modify-attr attr-name="preferredLanguage">
> <remove-all-values/>
> <add-value>
> <value type="structured">
> <component name="string">English</component>
> </value>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>



Re: AD Driver, Shim not writing to LDAP

On 09.04.2013 22:32, Geoffrey Carman wrote:
> The trick is that the result, the <arg-value> will be of type="string",
> which has the effect of converting it from structured to string. Though
> if it is <component> in the event, maybe it needs to be a smidgen more
> complex as:
>
> <do-reformat-op-attr name="preferredLanguage">
> <arg-value type="string">
> <token-xpath
> expression="$current-value/component[@name='string']"/>
> </arg-value>
> </do-reformat-op-attr>
>
> Which says use XPATH to get the $current-value variable's child node,
> component, but only if it is named string.
>
> Though I think my first one would work, as it would concat all component
> values together into one string, which would be the same thing.


Both approaches work with the document in question, but I'd go with the
more correct solution of the second one.

I'm struggling to understand how this particular attribute got set as
structured in the first place, from what I can see the corresponding
"preferredLanguage" attribute in eDirectory is single valued Case Ignore
String.

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: AD Driver, Shim not writing to LDAP

On 4/9/13 3:13 PM, Alex McHugh wrote:

> I'm struggling to understand how this particular attribute got set as
> structured in the first place, from what I can see the corresponding
> "preferredLanguage" attribute in eDirectory is single valued Case Ignore
> String.
>


The Language attribute in eDir is a single valued Case-Ignore List (not
String) and can contain a list of languages in the order of preference.

--
Shon

Re: AD Driver, Shim not writing to LDAP

On 09.04.2013 23:31, Shon Vella wrote:
> On 4/9/13 3:13 PM, Alex McHugh wrote:
>
>> I'm struggling to understand how this particular attribute got set as
>> structured in the first place, from what I can see the corresponding
>> "preferredLanguage" attribute in eDirectory is single valued Case Ignore
>> String.
>>

>
> The Language attribute in eDir is a single valued Case-Ignore List (not
> String) and can contain a list of languages in the order of preference.



Shon, thanks - you are a wealth of information as usual (I was looking
at the wrong attribute in eDirectory: preferredLanguage (which is
Case-Ignore String), not Language (which is indeed Case-Ignore List)).

Ok - in that case the solution is to use Geoffrey's second example, with
one small tweak of the XPath to ensure that only the first value in the
list is synced.

<do-reformat-op-attr name="preferredLanguage">
<arg-value type="string">
<token-xpath
expression="$current-value/component[@name='string'][1]"/>
</arg-value>
</do-reformat-op-attr>

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: AD Driver, Shim not writing to LDAP


> <do-reformat-op-attr name="preferredLanguage">
> <arg-value type="string">
> <token-xpath
> expression="$current-value/component[@name='string'][1]"/>
> </arg-value>
> </do-reformat-op-attr>


I was thinking about why there would be a component of name string, and
Shon's answer makes it very clear this is the way to go, only get the
first one.


Re: AD Driver, Shim not writing to LDAP


Thanks for all your help, I've removed all the unnecessary attributes
and just tried creating accounts with basic attributes with the same
result.

I can't figure out for the life of me why the shim isn't passing the
commands to the ldapmod.

Code:
--------------------

DirXML: [04/10/13 13:29:40.94]: Loader: Calling subscriptionShim->execute()
DirXML: [04/10/13 13:29:40.94]: Loader: XML Document:
DirXML: [04/10/13 13:29:40.94]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.1">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add cached-time="20130410172940.288Z" class-name="user" dest-dn="CN=greencar,ou=TOR,ou=ONT,OU=Identity Management Accounts,DC=media,DC=in,DC=cbcsrc,DC=ca" event-id="mtllnidm1#20130410172940#10#1:872ff4db-6374-41b7-55b1-dbf42f877463" qualified-src-dn="O=CBCSRC\OU=USERS\OU=ACTIVE\CN=greencar" src-dn="\META\CBCSRC\USERS\ACTIVE\greencar" src-entry-id="53913" timestamp="1365614980#3">
<add-attr attr-name="displayName">
<value timestamp="1365614973#2" type="string">green car</value>
</add-attr>
<add-attr attr-name="givenName">
<value timestamp="1365614973#6" type="string">green</value>
</add-attr>
<add-attr attr-name="physicalDeliveryOfficeName">
<value timestamp="1365614973#9" type="string">Toronto</value>
</add-attr>
<add-attr attr-name="sn">
<value timestamp="1365614973#10" type="string">car</value>
</add-attr>
<add-attr attr-name="title">
<value timestamp="1365614973#4" type="string">title</value>
</add-attr>
<add-attr attr-name="userPrincipalName">
<value type="string">greencar@media.in.cbcsrc.ca</value>
</add-attr>
<add-attr attr-name="sAMAccountName">
<value type="string">greencar</value>
</add-attr>
<add-attr attr-name="dirxml-uACAccountDisable">
<value type="string">false</value>
</add-attr>
<password><!-- content suppressed --></password>
</add>
</input>
</nds>
DirXML: [04/10/13 13:29:40.94]: ADDriver: parse command

className user
destDN CN=greencar,ou=TOR,ou=ONT,OU=Identity Management Accounts,DC=media,DC=in,DC=cbcsrc,DC=ca
eventId mtllnidm1#20130410172940#10#1:872ff4db-6374-41b7-55b1-dbf42f877463
association
DirXML: [04/10/13 13:29:40.94]: ADDriver: MadCommandAdd::onCommand
DirXML: [04/10/13 13:29:40.94]: ADDriver: MadCommandAdd::insertXdsAttributes()
DirXML: [04/10/13 13:29:40.94]: ADDriver: displayName
DirXML: [04/10/13 13:29:40.94]: ADDriver: givenName
DirXML: [04/10/13 13:29:40.94]: ADDriver: physicalDeliveryOfficeName
DirXML: [04/10/13 13:29:40.94]: ADDriver: sn
DirXML: [04/10/13 13:29:40.94]: ADDriver: title
DirXML: [04/10/13 13:29:40.94]: ADDriver: userPrincipalName
DirXML: [04/10/13 13:29:40.94]: ADDriver: sAMAccountName
DirXML: [04/10/13 13:29:40.94]: ADDriver: dirxml-uACAccountDisable
DirXML: [04/10/13 13:29:40.94]: ADDriver: Add user CN=greencar,ou=TOR,ou=ONT,OU=Identity Management Accounts,DC=media,DC=in,DC=cbcsrc,DC=ca
LDAPMod operations:
add attribute objectClass
>> user

add attribute objectCategory
>> CN=Person,CN=Schema,CN=Configuration,DC=in,DC=cbcsrc,DC=ca

DirXML: [04/10/13 13:29:40.95]: ADDriver: change password: old=(none), new=***
DirXML: [04/10/13 13:29:41.03]: ADDriver: password change complete
DirXML: [04/10/13 13:29:41.03]: ADDriver: set userAccountControl returns 0x0000
DirXML: [04/10/13 13:29:41.03]: Loader: subscriptionShim->execute() returned:
DirXML: [04/10/13 13:29:41.03]: Loader: XML Document:
DirXML: [04/10/13 13:29:41.03]: <nds ndsversion="8.7" dtdversion="1.1">
<source>

--------------------


--
EricVeysey
------------------------------------------------------------------------
EricVeysey's Profile: https://forums.netiq.com/member.php?userid=493
View this thread: https://forums.netiq.com/showthread.php?t=47513


Re: AD Driver, Shim not writing to LDAP


FYI: We believe that this issue seems to be caused by schema
corruption in AD.
The AD Shim was not creating an LDAPModify event due to the fact that the
syntax for the attribute in eDirectory was string, while in AD it
was "brcdAdVfData", which is invalid. So the shim apparently saw that
the attribute syntax did not match, so it ignored the attribute update
operation.


--
denchris
------------------------------------------------------------------------
denchris's Profile: https://forums.netiq.com/member.php?userid=908
View this thread: https://forums.netiq.com/showthread.php?t=47513


Re: AD Driver, Shim not writing to LDAP

On Thu, 11 Apr 2013 16:04:02 +0000, denchris wrote:

> FYI: We believe that this issue seems to be caused by schema
> corruption in AD.
> The AD Shim was not creating an LDAPModify event due to the fact that the
> syntax for the attribute in eDirectory was string, while in AD it
> was "brcdAdVfData", which is invalid.


brcdAdVfData seems to be from Brocade Communications Systems, so if
you've recently made any changes using Brocade's stuff, that could be
what caused this.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.


Re: AD Driver, Shim not writing to LDAP


So I see the problem with the language, but we've totally removed
language, and the rest of the attributes, even sent one by one, still don't
get written:


Code:
--------------------
DirXML: [04/10/13 13:29:41.23]: Loader: Received 'subscriber execute' document
DirXML: [04/10/13 13:29:41.23]: Loader: XML Document:
DirXML: [04/10/13 13:29:41.23]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.1">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20130410172940.497Z" class-name="user" event-id="mtllnidm1#20130410172939#7#2:69fb7a80-939a-4abb-7baa-807afb699a93" qualified-src-dn="O=CBCSRC\OU=USERS\OU=ACTIVE\CN=greencar" src-dn="\META\CBCSRC\USERS\ACTIVE\greencar" src-entry-id="53913" timestamp="1365614980#44">
<association state="associated">ae56931ce8609743abe62a3e364ac112</association>
<modify-attr attr-name="mail">
<add-value>
<value timestamp="1365614980#44" type="string">green.car@cbc.ca</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [04/10/13 13:29:41.23]: Loader: Calling subscriptionShim->execute()
DirXML: [04/10/13 13:29:41.23]: Loader: XML Document:
DirXML: [04/10/13 13:29:41.23]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.1">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20130410172940.497Z" class-name="user" event-id="mtllnidm1#20130410172939#7#2:69fb7a80-939a-4abb-7baa-807afb699a93" qualified-src-dn="O=CBCSRC\OU=USERS\OU=ACTIVE\CN=greencar" src-dn="\META\CBCSRC\USERS\ACTIVE\greencar" src-entry-id="53913" timestamp="1365614980#44">
<association state="associated">ae56931ce8609743abe62a3e364ac112</association>
<modify-attr attr-name="mail">
<add-value>
<value timestamp="1365614980#44" type="string">green.car@cbc.ca</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [04/10/13 13:29:41.23]: ADDriver: parse command

className user
destDN
eventId mtllnidm1#20130410172939#7#2:69fb7a80-939a-4abb-7baa-807afb699a93
association ae56931ce8609743abe62a3e364ac112
DirXML: [04/10/13 13:29:41.23]: ADDriver: parse modify class = user
DirXML: [04/10/13 13:29:41.23]: ADDriver: association
DirXML: [04/10/13 13:29:41.23]: ADDriver: ae56931ce8609743abe62a3e364ac112
DirXML: [04/10/13 13:29:41.23]: ADDriver: modify-attr
DirXML: [04/10/13 13:29:41.23]: ADDriver: add-value
DirXML: [04/10/13 13:29:41.23]: ADDriver: value
DirXML: [04/10/13 13:29:41.23]: ADDriver: green.car@cbc.ca
DirXML: [04/10/13 13:29:41.23]: ADDriver: ldap_modify user CN=greencar,OU=TOR,OU=ONT,OU=Identity Management Accounts,DC=media,DC=in,DC=cbcsrc,DC=ca
*LDAPMOD OPERATIONS:*
DirXML: [04/10/13 13:29:41.23]: Loader: subscriptionShim->execute() returned:
DirXML: [04/10/13 13:29:41.23]: Loader: XML Document:
DirXML: [04/10/13 13:29:41.23]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="3.5.17" asn1id="" build="20120419_120000" instance="\META\CBCSRC\IDM\IDM Drivers\ActiveDirectory">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status level="success" event-id="mtllnidm1#20130410172939#7#2:69fb7a80-939a-4abb-7baa-807afb699a93"/>
</output>
</nds>
DirXML: [04/10/13 13:29:41.23]:
DirXML Log Event -------------------
Driver = \META\CBCSRC\IDM\IDM Drivers\ActiveDirectory
Thread = Subscriber Channel
Object = \META\CBCSRC\USERS\ACTIVE\greencar
Level = success


--------------------


--
EricVeysey
------------------------------------------------------------------------
EricVeysey's Profile: https://forums.netiq.com/member.php?userid=493
View this thread: https://forums.netiq.com/showthread.php?t=47513
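
The traces in this thread all show the same symptom: attributes arrive in the XDS document, the "LDAPMod operations" list omits them, and the shim still returns `level="success"`. The sketch below automates that comparison over a remote loader trace; it is an added example, not code from the thread or from NetIQ. The sample trace is constructed, and treating `dirxml-uACAccountDisable` as applied through userAccountControl rather than LDAPMod is an assumption taken from the trace lines above.

```python
import re

# Assumption: this pseudo-attribute is applied through userAccountControl
# (the trace logs "set userAccountControl returns ..."), not via LDAPMod.
PSEUDO_ATTRS = {"dirxml-uacaccountdisable"}

# Regexes instead of an XML parser: trace XML carries unescaped '&' and
# interleaved "DirXML: [..]:" prefixes, so it is not well-formed.
ATTR_RE = re.compile(r'<(?:add|modify)-attr attr-name="([^"]+)"')
OP_RE = re.compile(r'ADDriver: (Add user|ldap_modify user)\s*(.*)$')
MOD_RE = re.compile(r'^\s*(?:add|delete|replace) attribute (\S+)')
STATUS_RE = re.compile(r'<status level="([^"]+)"')

def _close(event):
    """Compute which requested attributes never reached the LDAPMod list."""
    written = {w.lower() for w in event["written"]}  # LDAP names ignore case
    event["dropped"] = [a for a in event["requested"]
                        if a.lower() not in written
                        and a.lower() not in PSEUDO_ATTRS]
    return event

def audit_trace(text):
    """Pair each XDS add/modify with the LDAPMod operations the shim logged."""
    events, requested, current = [], [], None
    for line in text.splitlines():
        if current is not None:
            m = MOD_RE.match(line)
            if m:
                current["written"].append(m.group(1))
                continue
            if not line.startswith("DirXML:"):
                continue  # list header, ">> value" lines, blank lines
            events.append(_close(current))  # next timestamped line ends the list
            current = None
        m = ATTR_RE.search(line)
        if m:
            if m.group(1) not in requested:  # the document is often logged twice
                requested.append(m.group(1))
            continue
        m = OP_RE.search(line)
        if m:
            current = {"op": m.group(1), "dn": m.group(2).strip(),
                       "requested": requested, "written": [], "status": None}
            requested = []
            continue
        m = STATUS_RE.search(line)
        if m and events and events[-1]["status"] is None:
            events[-1]["status"] = m.group(1)
    if current is not None:
        events.append(_close(current))
    return events

def silent_drops(events):
    """Events reported as success although attributes were not written."""
    return [e for e in events if e["dropped"] and e["status"] == "success"]

# Constructed sample modelled on the trace layout above (not real data).
SAMPLE_TRACE = r"""
<add class-name="user" dest-dn="CN=jdoe,OU=Users,DC=example,DC=com">
<add-attr attr-name="displayName">
<add-attr attr-name="department">
<value type="string">R&D</value>
<add-attr attr-name="manager">
<add-attr attr-name="dirxml-uACAccountDisable">
DirXML: [01/01/24 10:00:00.01]: ADDriver: Add user CN=jdoe,OU=Users,DC=example,DC=com
LDAPMod operations:
add attribute objectClass
>> user

add attribute manager
>> CN=boss,OU=Users,DC=example,DC=com

DirXML: [01/01/24 10:00:00.05]: ADDriver: set userAccountControl returns 0x0000
<status level="success" event-id="constructed-1"/>
<modify-attr attr-name="mail">
DirXML: [01/01/24 10:00:01.00]: ADDriver: ldap_modify user CN=jdoe,OU=Users,DC=example,DC=com
LDAPMod operations:
DirXML: [01/01/24 10:00:01.01]: Loader: subscriptionShim->execute() returned:
<status level="success" event-id="constructed-2"/>
"""

if __name__ == "__main__":
    for e in silent_drops(audit_trace(SAMPLE_TRACE)):
        print(e["op"], e["dn"], "dropped:", ", ".join(e["dropped"]))
```

Each attribute it reports is a candidate for the syntax check denchris describes: compare the attribute's syntax in eDirectory with its definition in the AD schema.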
