AD driver not getting schema

veridicis · ‎2019-02-18

Hei gents, anyone have any idea for this?
I'm introducing an entitled AD driver and doing some testing to check policies/operations/stability.
On matching with an existing user I'm doing a query with no results (removed OU names, etc). The user exists in that location, the service account has plenty of rights.

[02/18/19 09:53:40.180]:ADentt ST:        Remote Interface Driver: Sending...
[02/18/19 09:53:40.180]:ADentt ST:        
<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.7.1.1">DirXML</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <input>
    <query class-name="user" dest-dn="CN=H21646,OU=Brukere,OU=,OU=,OU=,DC=,DC=" event-id="0" scope="entry">
      <search-class class-name="user"/>
      <read-attr/>
    </query>
  </input>
</nds>
[02/18/19 09:53:40.183]:ADentt ST:        Remote Interface Driver: Document sent.
[02/18/19 09:53:40.183]:ADentt ST:        Remote Interface Driver: Waiting for receive...
[02/18/19 09:53:40.200]:ADentt ST:        Remote Interface Driver: Received
[02/18/19 09:53:40.200]:ADentt ST:        
<nds dtdversion="1.1" ndsversion="8.7">
  <source>
    <product asn1id="" build="20180125_120000" instance="\IDV\service\IDM\DriverSet3\ADentt" version="4.1.1.0">AD</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <output>
    <status event-id="0" level="success"/>
  </output>
</nds>

On the RL side trace I see:

DirXML: [02/18/19 09:53:40.91]: Loader: Received 'subscriber execute' document
DirXML: [02/18/19 09:53:40.91]: Loader: XML Document:
DirXML: [02/18/19 09:53:40.91]: <nds dtdversion="4.0" ndsversion="8.x">
	<source>
		<product edition="Advanced" version="4.7.1.1">DirXML</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<input>
		<query class-name="user" dest-dn="CN=H21646,OU=Brukere,OU=,OU=,OU=,DC=,DC=" event-id="0" scope="entry">
			<search-class class-name="user"/>
			<read-attr/>
		</query>
	</input>
</nds>
DirXML: [02/18/19 09:53:40.92]: Loader: Calling subscriptionShim->execute()
DirXML: [02/18/19 09:53:40.92]: Loader: XML Document:
DirXML: [02/18/19 09:53:40.92]: <nds dtdversion="4.0" ndsversion="8.x">
	<source>
		<product edition="Advanced" version="4.7.1.1">DirXML</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<input>
		<query class-name="user" dest-dn="CN=H21646,OU=Brukere,OU=,OU=,OU=,DC=,DC=" event-id="0" scope="entry">
			<search-class class-name="user"/>
			<read-attr/>
		</query>
	</input>
</nds>
DirXML: [02/18/19 09:53:40.93]: ADDriver: parse command

  className    user
  destDN       CN=H21646,OU=Brukere,OU=,OU=,OU=,DC=,DC=
  eventId      0
  association  
DirXML: [02/18/19 09:53:40.93]: ADDriver: query
DirXML: [02/18/19 09:53:40.93]: ADDriver: query constraints
DirXML: [02/18/19 09:53:40.93]: ADDriver:    warning: search-class user not in schema
DirXML: [02/18/19 09:53:40.93]: ADDriver:    read-attr (do not return attributes)
DirXML: [02/18/19 09:53:40.93]: Loader: subscriptionShim->execute() returned:
DirXML: [02/18/19 09:53:40.93]: Loader: XML Document:
DirXML: [02/18/19 09:53:40.93]: <nds ndsversion="8.7" dtdversion="1.1">
	<source>
		<product version="4.1.1.0" asn1id="" build="20180125_120000" instance="\IDV\service\IDM\DriverSet3\ADentt">AD</product>
		<contact>NetIQ Corporation</contact>
	</source>
	<output>
		<status level="success" event-id="0"/>
	</output>
</nds>

That warning seems to be the culprit.

--
Smile, IT confuses people!

aburgemeister · ‎2019-02-18

On 02/18/2019 06:34 AM, veridicis wrote:
> search-class user not in schema

I do not have a note of that in any trace I have stored, so maybe that's
new, or maybe it is not and it's a sign of a weird misconfiguration. Also
odd is that the user class-name is just right, so that's weird. It may be
useful to post a driver config startup trace to see hot that looks on the
Remote Loader (RL) side. An example from an old trace follows:


<query class-name="user" dest-dn="CN=John
Wayne,OU=northamerica,DC=company,DC=com" event-id="0" scope="entry">

Has this ever worked before, maybe in a Test environment of some sort? Is
anything weird about this microsoft active directory (MAD) environment?
Does that object exist right there (be triple-sure)? Have you tested with
a full administrator to make sure there isn't a weird problem connecting
fully due to privileges?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

al_b · ‎2019-02-18

ab;2495530 wrote:
On 02/18/2019 06:34 AM, veridicis wrote:
> search-class user not in schema

I do not have a note of that in any trace I have stored, so maybe that's
new, or maybe it is not and it's a sign of a weird misconfiguration. Also
odd is that the user class-name is just right, so that's weird. It may be
useful to post a driver config startup trace to see hot that looks on the
Remote Loader (RL) side. An example from an old trace follows:
<query class-name="user" dest-dn="CN=John
Wayne,OU=northamerica,DC=company,DC=com" event-id="0" scope="entry">
Has this ever worked before, maybe in a Test environment of some sort? Is
anything weird about this microsoft active directory (MAD) environment?
Does that object exist right there (be triple-sure)? Have you tested with
a full administrator to make sure there isn't a weird problem connecting
fully due to privileges?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

It is looks like permissions issue of driver service account.
you can try to initiate App schema refresh from your Designer and report here about results.

veridicis · ‎2019-02-19

al_b;2495548 wrote:
It is looks like permissions issue of driver service account.
you can try to initiate App schema refresh from your Designer and report here about results.

The service account is a Domain Admin, refresh schema from Designer doesn't work :/. "Not able to get schema definitions from server". And nothing in the RL trace.

To be fair, the current DC that's in use has seen better times. I am waiting for a new DC to be made available where I'll put the RL and point the entitled driver towards it.

--
Smile, IT confuses people!

veridicis · ‎2019-02-20

veridicis;2495572 wrote:
The service account is a Domain Admin, refresh schema from Designer doesn't work :/. "Not able to get schema definitions from server". And nothing in the RL trace.

To be fair, the current DC that's in use has seen better times. I am waiting for a new DC to be made available where I'll put the RL and point the entitled driver towards it.

So definitely something wrong/muddled with the DC, I installed the RL on a new DC and it initialized correctly. Queries and operations running through with no issues...
Thanks for all the suggestions so far.

--
Smile, IT confuses people!

Engine-Drivers