agorian Trusted Contributor.

AD Entitlement data collection is running, even when disabled

Hi guys,

SLES 11 SP3, IDM 4.5.6.1, AD Driver 4.0.3.0, Packages: AD Base 2.2.5, AD Default configuration 2.5.2, AD Entitlements 2.5.4, AD Audit Entitlements 1.0.0 and Audit 1.0.0

Apparently entitlement data collection is running even with the option disabled:

[07/09/19 11:12:28.422]:IDM2CORP ST:Injecting User Agent XDS command document into Subscriber channel.
[07/09/19 11:12:28.423]:IDM2CORP ST:Applying command transformation policies.
[07/09/19 11:12:28.424]:IDM2CORP ST:Applying policy: %+C%14CSUB_CommandTransform%-C.
[07/09/19 11:12:28.424]:IDM2CORP ST:  Applying to query #1.
[07/09/19 11:12:28.425]:IDM2CORP ST:    Evaluating selection criteria for rule 'Write back ADContext on merge operations'.
[07/09/19 11:12:28.426]:IDM2CORP ST:      (if-xpath true "@from-merge="true"") = FALSE.
[07/09/19 11:12:28.426]:IDM2CORP ST:    Rule rejected.
[07/09/19 11:12:28.427]:IDM2CORP ST:Policy returned:
[07/09/19 11:12:28.427]:IDM2CORP ST:
<nds dtdversion="2.0">
	<input>
		<query class-name="Group" event-id="ENTITLEMENT:Group" scope="subtree">
			<search-class class-name="Group"/>
			<read-attr attr-name="Description"/>
		</query>
	</input>
</nds>

As AD has thousands of groups, this takes forever to process, and a manual driver restart resolves it for 24 hours.

AD Group Entitlement is configured without Query-X:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE entitlement PUBLIC "dirxmlentitlements" "/Applications/Designer/plugins/com.novell.idm.entitlements_4.0.0.201812171538/DTD/dirxmlentitlements.dtd">
<entitlement conflict-resolution="union" description="The Group Entitlement grants or denies membership in a group in Active Directory.  When revoked, the user is removed from the group. The group membership entitlement is not enforced on the publisher channel: If a user is added to a controlled group in Active Directory by some external tool, the user is not removed by the driver. Further, if the entitlement is removed from the user object instead of being simply revoked, the driver takes no action." display-name="Group Membership Entitlement">
	<values multi-valued="true">
		<query-app>
			<query-xml>
				<nds dtdversion="2.0">
					<input>
						<query class-name="Group" event-id="ENTITLEMENT:Group" scope="subtree">
							<search-class class-name="Group"/>
							<read-attr attr-name="Description"/>
						</query>
					</input>
				</nds>
			</query-xml>
			<result-set>
				<display-name>
					<token-src-dn/>
				</display-name>
				<description>
					<token-attr attr-name="Description"/>
				</description>
				<ent-value>
					<token-association/>
				</ent-value>
			</result-set>
		</query-app>
	</values>
</entitlement>

Also, the entitlement configuration has data-collection disabled (all entitlements have data-collection disabled):

		<entitlement data-collection="false" dn="CN=Group,CN=IDM2CORP,CN=DriverSet01,OU=IDM,OU=Sistema,O=Bradesco" parameter-format="legacy" resource-mapping="true" role-mapping="true">
			<type category="security grouping" id="group" name="group">
				<display-name>
					<value langCode="de">Gruppe</value>
					<value langCode="en">Group</value>
				</display-name>
			</type>
			<native-value source="src-dn"/>
			<member-assignment-extensions>
				<query-xml>
					<read-attr attr-name="member"/>
				</query-xml>
			</member-assignment-extensions>
			<query-extensions>
				<query-xml>
					<read-attr attr-name="owner"/>
					<read-attr attr-name="sAMAccountName"/>
					<operation-data data-collection-query="true"/>
				</query-xml>
			</query-extensions>
		</entitlement>

PCRS is also disabled by GCVs and all Startup policies are commented out. So, what can I do to stop this event? Change the Group Entitlement to administrator-defined values? Put an explicit command policy in place to veto this kind of event? Is it something from RRSD/UAD (code map refresh)?

1 Reply
agorian Trusted Contributor.

Re: AD Entitlement data collection is running, even when disabled

Yes, this was the code map refresh. To avoid changing the RBPM configuration, we changed the group entitlement to administrator-defined values and this problem is "solved" (actually the driver is still receiving an event, but without queries on the destination).
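The reply's observation is that the code map refresh still fires, but only an entitlement whose values come from a destination query (query-app) turns it into a search against the connected system; an administrator-defined entitlement does not. The following audit script is an added example, not code from the thread or from the product: it parses entitlement definitions of the shape quoted above plus the driver's entitlement configuration, and reports for each entitlement where its values come from, what its data-collection flag is, and whether a refresh will therefore still query the destination. The `<entitlement-configuration>` root element, the administrator-defined `<value>` form of the dirxmlentitlements DTD, the "UserAccount" entitlement and all DNs are assumptions or constructed sample data.

```python
"""Audit DirXML entitlement definitions against the driver's entitlement
configuration (added example; not from the original thread)."""
import xml.etree.ElementTree as ET

# Constructed sample definitions. "Group" mirrors the query-app definition
# quoted in the post; "UserAccount" is a hypothetical administrator-defined
# entitlement using the <value> form of the dirxmlentitlements DTD (assumed).
ENTITLEMENT_DEFS = {
    "Group": """<?xml version="1.0" encoding="UTF-8"?>
<entitlement conflict-resolution="union" display-name="Group Membership Entitlement">
  <values multi-valued="true">
    <query-app>
      <query-xml>
        <nds dtdversion="2.0">
          <input>
            <query class-name="Group" event-id="ENTITLEMENT:Group" scope="subtree">
              <search-class class-name="Group"/>
              <read-attr attr-name="Description"/>
            </query>
          </input>
        </nds>
      </query-xml>
      <result-set>
        <display-name><token-src-dn/></display-name>
        <description><token-attr attr-name="Description"/></description>
        <ent-value><token-association/></ent-value>
      </result-set>
    </query-app>
  </values>
</entitlement>""",
    "UserAccount": """<?xml version="1.0" encoding="UTF-8"?>
<entitlement conflict-resolution="priority" display-name="User Account Entitlement">
  <values multi-valued="false">
    <value>ENABLED</value>
  </values>
</entitlement>""",
}

# Constructed sample of the entitlement configuration resource. The
# <entitlement> element follows the shape quoted in the post; the root
# element name and the DNs are placeholders, not values from the post.
ENTITLEMENT_CONFIG = """<entitlement-configuration>
  <entitlement data-collection="false" dn="CN=Group,CN=DRIVER,CN=DriverSet01,O=EXAMPLE">
    <query-extensions>
      <query-xml>
        <operation-data data-collection-query="true"/>
      </query-xml>
    </query-extensions>
  </entitlement>
  <entitlement data-collection="true" dn="CN=UserAccount,CN=DRIVER,CN=DriverSet01,O=EXAMPLE"/>
</entitlement-configuration>"""


def classify_values(definition_xml):
    """Return how an entitlement obtains its values: 'query-app' (the
    destination is queried, e.g. by a code map refresh),
    'administrator-defined' (static <value> list) or 'valueless'."""
    values = ET.fromstring(definition_xml).find("values")
    if values is None:
        return "valueless"
    if values.find("query-app") is not None:
        return "query-app"
    if values.find("value") is not None:
        return "administrator-defined"
    return "valueless"


def destination_queries(definition_xml):
    """List (class-name, event-id) of every <query> a query-app definition
    sends to the connected system (empty for administrator-defined ones)."""
    root = ET.fromstring(definition_xml)
    return [(q.get("class-name"), q.get("event-id")) for q in root.iter("query")]


def data_collection_flags(config_xml):
    """Map entitlement name (leading CN of its dn) -> data-collection flag."""
    flags = {}
    for ent in ET.fromstring(config_xml).iter("entitlement"):
        rdn = ent.get("dn", "").split(",")[0]
        name = rdn[3:] if rdn.startswith("CN=") else rdn
        flags[name] = ent.get("data-collection") == "true"
    return flags


def audit(definitions, config_xml):
    """One row per entitlement: value source, data-collection flag, and
    whether a refresh of the value list still queries the destination."""
    flags = data_collection_flags(config_xml)
    rows = []
    for name, xml_text in definitions.items():
        kind = classify_values(xml_text)
        rows.append({"entitlement": name,
                     "values": kind,
                     "data_collection": flags.get(name),
                     "queries_destination": kind == "query-app",
                     "queries": destination_queries(xml_text)})
    return rows
```

Running `audit(ENTITLEMENT_DEFS, ENTITLEMENT_CONFIG)` on the sample flags "Group" as a query-app entitlement whose refresh sends the `ENTITLEMENT:Group` subtree query even though `data-collection="false"`, which is exactly the combination the post describes; exporting the real definitions from Designer and feeding them in gives a driver-wide list of entitlements still worth converting or vetoing.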