
AD driver, sync new object class not working


Hi all,

We've been using IDM to sync from eDir to AD for about 10 years now
without really any problems. Recently, we wanted to add a new attribute
to sync over from eDir to AD, and I'm having a heck of a time getting it
to work. In the past, we've added additional attribs to sync without a
problem, but they've always been attributes tied to the regular user
classes. However, this is a custom millikinPerson class that we've
created in eDir. (And yup, the OID is custom just for Millikin, we
requested our own, so we don't have to worry about conflicts.)

Basically, I have a muRole attrib of the millikinPerson class that I'm
trying to get over into AD. I created a new millikinPerson auxiliary
class in AD, and assigned it a muRole attribute, and that all seems
fine. I've set things up in IDM according to the NetIQ documentation,
but for some reason, nothing that I do seems to make IDM want to sync
this attribute. I can create new users, change users, etc., and
everything syncs over except for this attrib. It's not even referenced
in the level 3 trace that I've got going in our IDM environment.

Here are some links to screenshots and a copy of the IDM log:

IDM log file: http://admin.millikin.edu/~cmyers/idm/idm_log.txt
Schema map pic: http://admin.millikin.edu/~cmyers/idm/schema_map.png
Driver filter xml: http://admin.millikin.edu/~cmyers/idm/filter.xml
Driver filter pic: http://admin.millikin.edu/~cmyers/idm/filter.png

Is there any way that I can figure out why it doesn't like this? We're
using IDM 3.6.1 on OES 2 SP3/SLES10.

Thanks!
Chris


--
smily_03
------------------------------------------------------------------------
smily_03's Profile: https://forums.netiq.com/member.php?userid=1191
View this thread: https://forums.netiq.com/showthread.php?t=51193


Re: AD driver, sync new object class not working

When you created this new schema in eDirectory did you link the attribute
to an effective class (a new type of object) or to an aux class which you
then use to extend the capabilities of an effective class like user? If
your new class is an aux class, then you do not put it in the filter at
all but instead just put your desired attributes linked to that aux class
directly in the filter under the effective class of the object which will
hold those attributes, so, for example, 'User'. Aux classes are not
checked for events since they can go anywhere, and the attribute is really
stored on an object of some effective class, so that (the effective class)
is what you use in the filter and then link any attributes possible,
whether part of that effective class, a superclass, or an aux class, to
that part of the filter.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: AD driver, sync new object class not working


Cool. It is an aux class in both eDir and AD.

I went ahead and removed the millikinPerson class from the driver
filter. However, now I'm hitting a bit of a roadblock.

If I click on User in the filter, then click on Add Attribute, muRole
isn't available in the list. So, I went to the schema manager to see if
I could add it to the User class' attribute list, and it let me pick
muRole on the eDir side, but it's not in the list on the Application
(AD) side (even after hitting "Refresh Application Schema.")

I thought, well, maybe I have to remove the millikinPerson class from
the schema class list, so I tried that, but it still doesn't show up for
selection in the "Application Attributes" side.

Here are the screenshots I took when I created the attribute and class
in AD; I followed Microsoft's documentation to set it up:
http://technet.microsoft.com/en-us/library/bb727064.aspx

New attrib: http://admin.millikin.edu/~cmyers/idm/newattrib.png
New class: http://admin.millikin.edu/~cmyers/idm/newclass.png
Add attrib to millikinPerson class:
http://admin.millikin.edu/~cmyers/idm/addattrib.png

Chris


--
smily_03
------------------------------------------------------------------------
smily_03's Profile: https://forums.netiq.com/member.php?userid=1191
View this thread: https://forums.netiq.com/showthread.php?t=51193


Re: AD driver, sync new object class not working

Have you tried ignoring that and seeing if, once added to the eDir filter,
it just works?

You may need to detect the presence of this attribute and add the aux
class in MAD to the operation as well... but that's just a theory since
usually you need an aux class assigned to an object before the aux class's
attributes are available. The engine handles this on the vault side when
changes come into it, but I do not know that the MAD shim is similarly
helpful for things going to MAD.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: AD driver, sync new object class not working


Ok cool. We're getting closer, but it's still not happy 😕

I removed the millikinPerson class from the filter, and added muRole to
the User class (with nothing in the "application name" field for the
attribute since I can't select it at this point.) Now, when I update the
attribute in eDir, it tries to push over, but I'm getting a class
violation:

<output>
  <status event-id="mulinedir2#20140626194207#2#1:fb4d9eb3-0418-4c78-60af-b39e4dfb1804" level="error" type="driver-general">
    <ldap-err ldap-rc="65" ldap-rc-name="LDAP_OBJECT_CLASS_VIOLATION">
      <client-err ldap-rc="65" ldap-rc-name="LDAP_OBJECT_CLASS_VIOLATION">Object Class Violation</client-err>
      <server-err>0000207D: UpdErr: DSID-03150F9F, problem 6002 (OBJ_CLASS_VIOLATION), data 0</server-err>
      <server-err-ex win32-rc="8317"/>
    </ldap-err>
  </status>
</output>

http://admin.millikin.edu/~cmyers/idm/idm_log_2.txt


--
smily_03
------------------------------------------------------------------------
smily_03's Profile: https://forums.netiq.com/member.php?userid=1191
View this thread: https://forums.netiq.com/showthread.php?t=51193
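
The status block above is the first hard evidence in the thread of where the write is being rejected: the DSA itself (the 0000207D / DSID server-err), not the shim. The following is an added example, not code from the thread or from NetIQ, that parses such an IDM `<status>` element, decodes the AD error codes and checks that the hex code in `<server-err>` agrees with `win32-rc`. SAMPLE_TRACE is the block Chris posted; TAMPERED_TRACE is a constructed variant whose two codes disagree. The code tables are small subsets of RFC 4511 and winerror.h, limited to codes relevant to schema problems.

```python
"""Parse an IDM AD-driver <status> error and cross-check its AD error codes.

Added example, not code from the thread. SAMPLE_TRACE is the status block
posted in the thread; TAMPERED_TRACE is a constructed variant.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# LDAP result codes relevant to schema problems (RFC 4511), spelled as IDM does.
LDAP_RC_NAMES = {
    16: "LDAP_NO_SUCH_ATTRIBUTE",
    17: "LDAP_UNDEFINED_TYPE",
    50: "LDAP_INSUFFICIENT_RIGHTS",
    65: "LDAP_OBJECT_CLASS_VIOLATION",
}

# Windows DS error codes (winerror.h) that appear as the hex prefix of <server-err>.
WIN32_DS_ERRORS = {
    0x207C: "ERROR_DS_NO_ATTRIBUTE_OR_VALUE",
    0x207D: "ERROR_DS_OBJ_CLASS_VIOLATION",
    0x2098: "ERROR_DS_INSUFF_ACCESS_RIGHTS",
}

# Shape: "0000207D: UpdErr: DSID-03150F9F, problem 6002 (OBJ_CLASS_VIOLATION), data 0"
SERVER_ERR_RE = re.compile(
    r"^(?P<hex>[0-9A-Fa-f]{8}):\s*(?P<kind>\w+):\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*problem\s+(?P<problem>\d+)\s*\((?P<problem_name>\w+)\),\s*data\s+(?P<data>\d+)"
)

SAMPLE_TRACE = """<output>
<status
event-id="mulinedir2#20140626194207#2#1:fb4d9eb3-0418-4c78-60af-b39e4dfb1804"
level="error" type="driver-general">
<ldap-err ldap-rc="65" ldap-rc-name="LDAP_OBJECT_CLASS_VIOLATION">
<client-err ldap-rc="65"
ldap-rc-name="LDAP_OBJECT_CLASS_VIOLATION">Object Class
Violation</client-err>
<server-err>0000207D: UpdErr: DSID-03150F9F, problem 6002
(OBJ_CLASS_VIOLATION), data 0
</server-err>
<server-err-ex win32-rc="8317"/>
</ldap-err>
</status>
</output>"""

# Constructed: same DSA error text, but the shim's win32-rc does not match it.
TAMPERED_TRACE = SAMPLE_TRACE.replace('win32-rc="8317"', 'win32-rc="8316"')


@dataclass
class DriverError:
    event_id: str
    level: str
    ldap_rc: int
    ldap_rc_name: str
    server_code: Optional[int]   # hex prefix of <server-err>, as an int
    dsid: Optional[str]          # DSID locator inside the DC's own code
    problem: Optional[int]
    problem_name: Optional[str]
    win32_rc: Optional[int]      # from <server-err-ex win32-rc="...">

    @property
    def consistent(self) -> bool:
        """The DSA's hex code and the shim's win32-rc are the same number."""
        return self.server_code is not None and self.server_code == self.win32_rc


def parse_status(xml_text: str) -> DriverError:
    """Extract the error fields from an IDM <status> (or a wrapping <output>) element."""
    root = ET.fromstring(xml_text)
    status = root if root.tag == "status" else root.find(".//status")
    if status is None:
        raise ValueError("no <status> element")
    ldap_err = status.find("ldap-err")
    if ldap_err is None:
        raise ValueError("no <ldap-err> element")
    m = SERVER_ERR_RE.match(ldap_err.findtext("server-err", default="").strip())
    ex = ldap_err.find("server-err-ex")
    win32 = int(ex.get("win32-rc")) if ex is not None and ex.get("win32-rc") else None
    return DriverError(
        event_id=status.get("event-id", ""),
        level=status.get("level", ""),
        ldap_rc=int(ldap_err.get("ldap-rc")),
        ldap_rc_name=ldap_err.get("ldap-rc-name", ""),
        server_code=int(m.group("hex"), 16) if m else None,
        dsid=m.group("dsid") if m else None,
        problem=int(m.group("problem")) if m else None,
        problem_name=m.group("problem_name") if m else None,
        win32_rc=win32,
    )


def explain(err: DriverError) -> list:
    """Findings a practitioner wants before touching the driver configuration."""
    notes = []
    expected = LDAP_RC_NAMES.get(err.ldap_rc)
    if expected and expected != err.ldap_rc_name:
        notes.append(f"ldap-rc {err.ldap_rc} is {expected}, trace says {err.ldap_rc_name}")
    if err.server_code is not None:
        notes.append(f"AD returned {WIN32_DS_ERRORS.get(err.server_code, 'unknown code')} "
                     f"(0x{err.server_code:04X}), DSID-{err.dsid}")
    if not err.consistent:
        notes.append("server-err code and win32-rc disagree: the trace may have been edited")
    if err.ldap_rc == 65:
        notes.append("object class violation: the attribute is not permitted by the object's "
                     "current objectClass set; attach the aux class (to the object, or to "
                     "the structural class in the schema) before writing the attribute")
    return notes


if __name__ == "__main__":
    for note in explain(parse_status(SAMPLE_TRACE)):
        print(note)
```

The DSID value is a locator into the DC's own source and is what Microsoft support asks for when a schema case is opened, so keep it with the event-id. The consistency check is cheap and worth running on any trace forwarded by someone else: the DSA's hex code and the shim's win32-rc are two reports of the same number, and a mismatch means the trace was edited or stitched together.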


Re: AD driver, sync new object class not working

On Thu, 26 Jun 2014 19:54:01 +0000, smily 03 wrote:

> Ok cool. We're getting closer, but it's still not happy 😕
>
> I removed the millikinPerson class from the filter, and added muRole to
> the User class (with nothing in the "application name" field for the
> attribute since I can't select it at this point.)


Application name? That sounds like the Schema Map, not the Filter.


> Now, when I update the
> attribute in eDir, it tries to push over, but I'm getting a class
> violation:


How is your millikinPerson aux class defined in MAD?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: AD driver, sync new object class not working

Did you try this part?

"You may need to detect the presence of this attribute and add the aux
class in MAD to the operation as well... "

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: AD driver, sync new object class not working


I think I'm going to have a celebratory beer when I get home tonight 😄

Aaron and David - thank you very much for your help with this 🙂 Your
advice, combined with this forum post:
http://tinyurl.com/noncy6p

helped me formulate a rule that fits our environment perfectly, and sets
up the millikinPerson class in AD automatically now 😄

<rule>
  <description>MILLIKIN ADDITION 6-27-14 for millikinPerson class</description>
  <conditions>
    <and>
      <if-class-name op="equal">user</if-class-name>
      <if-dest-attr name="objectClass" op="not-equal">millikinPerson</if-dest-attr>
    </and>
  </conditions>
  <actions>
    <do-add-dest-attr-value class-name="user" name="objectClass" when="after">
      <arg-value type="string">
        <token-text xml:space="preserve">millikinPerson</token-text>
      </arg-value>
    </do-add-dest-attr-value>
  </actions>
</rule>

I'm having it evaluate on every operation, since we have around 40,000
accounts in AD that wouldn't have the class.

I did some testing on new and existing accounts, and it works properly!
It also handles the muRole attribute successfully now.

I can't thank you both enough; if you're ever over (or down) this way,
let me know and I'll buy you a beer too 🙂


--
smily_03
------------------------------------------------------------------------
smily_03's Profile: https://forums.netiq.com/member.php?userid=1191
View this thread: https://forums.netiq.com/showthread.php?t=51193


Re: AD driver, sync new object class not working

On Thu, 26 Jun 2014 19:12:14 +0000, ab wrote:

> Have you tried ignoring that and seeing if, once added to the eDir
> filter, it just works?
>
> You may need to detect the presence of this attribute and add the aux
> class in MAD to the operation as well... but that's just a theory since
> usually you need an aux class assigned to an object before the aux
> class's attributes are available. The engine handles this on the vault
> side when changes come into it, but I do not know that the MAD shim is
> similarly helpful for things going to MAD.


In my niuOrgPerson-AD.ldif file, I have:

dn: CN=User,CN=Schema,CN=Configuration,DC=Win2k3,DC=NIU,DC=EDU
changetype: modify
add: auxiliaryClass
auxiliaryClass: niuOrgPerson


so that the AuxClass is added to User objects, after which I don't need
to do anything special in IDM to add niuOrgPerson attributes to User
objects in MAD.

There may be other, possibly even better, ways to do this. I was
following MS documentation on how to do AuxClass attributes when I set
this up. It works.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
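
The thread ends up with two working ways to make AD accept an aux-class attribute: ab's point that an attribute is really held by an object of some effective class, whose class hierarchy plus attached aux classes decides what may be written, and the two concrete fixes, Chris's IDM rule that adds millikinPerson to each object's objectClass, and David's LDIF that attaches niuOrgPerson to the User class in the schema. The following is an added example, not code from the thread, from NetIQ or from Microsoft, that models both on a constructed miniature of the AD schema (the class chain top/person/organizationalPerson/user, a millikinPerson aux class carrying muRole, and a schema naming context under DC=example,DC=edu are all assumed for the demo) and shows, for the same user object, which approach permits the write and for whom.

```python
"""Two ways an AD object can legitimately carry an aux-class attribute.

Added example, not code from the thread. The schema snapshot and object
records are constructed; class and attribute names come from the thread.
"""
from dataclasses import dataclass, field


@dataclass
class ClassSchema:
    """Minimal model of an AD classSchema object (constructed, not read from a DC)."""
    name: str
    sub_class_of: str = ""
    may_contain: set = field(default_factory=set)
    auxiliary_class: set = field(default_factory=set)
    system_auxiliary_class: set = field(default_factory=set)


def build_schema():
    """Constructed schema: the user class chain plus the custom aux class from the thread."""
    return {
        "top": ClassSchema("top", "", {"objectClass", "cn", "description"}),
        "person": ClassSchema("person", "top", {"sn", "telephoneNumber"}),
        "organizationalPerson": ClassSchema("organizationalPerson", "person", {"title", "l"}),
        "securityPrincipal": ClassSchema("securityPrincipal", "top", {"objectSid"}),
        "user": ClassSchema("user", "organizationalPerson", {"sAMAccountName", "mail"},
                            system_auxiliary_class={"securityPrincipal"}),
        # The custom aux class; nothing attaches it to user yet.
        "millikinPerson": ClassSchema("millikinPerson", "top", {"muRole"}),
    }


def allowed_attributes(schema, object_classes):
    """Closure of attributes an object may hold: every class in its objectClass,
    each superclass, and every aux class statically attached to those classes."""
    allowed, seen, todo = set(), set(), list(object_classes)
    while todo:
        name = todo.pop()
        if name in seen or name not in schema:
            continue
        seen.add(name)
        cls = schema[name]
        allowed |= cls.may_contain
        todo.extend(cls.auxiliary_class | cls.system_auxiliary_class)
        if cls.sub_class_of:
            todo.append(cls.sub_class_of)
    return allowed


def check_write(schema, object_classes, attr):
    """(ok, reason). ok=False is the LDAP rc 65 / ERROR_DS_OBJ_CLASS_VIOLATION case."""
    if attr in allowed_attributes(schema, object_classes):
        return True, f"{attr} permitted by objectClass {sorted(object_classes)}"
    owners = [c.name for c in schema.values() if attr in c.may_contain]
    return False, (f"{attr} not permitted: defined on {owners}, which is neither in the "
                   f"object's objectClass nor attached to any of its classes (expect LDAP 65)")


def attach_aux_class_ldif(schema_nc, structural_class, aux_class):
    """LDIF modify record in the shape of the niuOrgPerson-AD.ldif from the thread."""
    return (f"dn: CN={structural_class},{schema_nc}\n"
            "changetype: modify\n"
            "add: auxiliaryClass\n"
            f"auxiliaryClass: {aux_class}\n"
            "-\n")


def apply_ldif_modify(schema, ldif_text):
    """Apply an 'add: auxiliaryClass' modify record to the in-memory schema.
    Only the record shape produced by attach_aux_class_ldif is understood."""
    target, mode = None, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: CN="):
            cn = line[len("dn: CN="):].split(",", 1)[0]
            # Schema CN is "User"; the lDAPDisplayName the model is keyed on is "user".
            matches = [k for k in schema if k.lower() == cn.lower()]
            if not matches:
                raise KeyError(cn)
            target = matches[0]
        elif line.startswith("changetype: ") and line != "changetype: modify":
            raise ValueError("only changetype: modify is modelled")
        elif line.startswith("add: "):
            mode = line[len("add: "):]
        elif mode and line.startswith(mode + ": "):
            if mode != "auxiliaryClass":
                raise ValueError(f"unsupported attribute {mode}")
            schema[target].auxiliary_class.add(line[len(mode) + 2:])
        elif line == "-":
            mode = None
    return schema


def demo():
    """Walk one user object through the thread's before/after states."""
    schema = build_schema()
    user = {"top", "person", "organizationalPerson", "user"}
    results = {"before": check_write(schema, user, "muRole")[0]}
    # Chris's approach: the IDM rule adds the aux class to this object's objectClass.
    results["per_object"] = check_write(schema, user | {"millikinPerson"}, "muRole")[0]
    results["other_user_still_blocked"] = check_write(schema, user, "muRole")[0]
    # David's approach: one schema change attaches the aux class to User for every object.
    ldif = attach_aux_class_ldif("CN=Schema,CN=Configuration,DC=example,DC=edu",
                                 "User", "millikinPerson")
    apply_ldif_modify(schema, ldif)
    results["after_schema_change"] = check_write(schema, user, "muRole")[0]
    return results


if __name__ == "__main__":
    for state, ok in demo().items():
        print(f"{state:26s} muRole writable: {ok}")
```

The two approaches have different blast radius, which is the practitioner's real choice here. The schema change needs Schema Admins on the schema master, replicates forest-wide and is effectively permanent (AD schema classes can be made defunct but not deleted), so it belongs in a lab first; in exchange the driver needs no special rule and no extra rights. The per-object rule keeps the schema untouched but makes the driver's AD account write objectClass on every user it touches, and Chris's condition (`if-dest-attr objectClass not-equal millikinPerson`) costs a destination query per event, which he accepted for his 40,000 accounts. Dynamically linked aux classes on individual objects also depend on the forest functional level supporting them (Windows Server 2003 or later).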

Re: AD driver, sync new object class not working

On Thu, 26 Jun 2014 19:04:01 +0000, smily 03 wrote:

> Cool. It is an aux class in both eDir and AD.
>
> I went ahead and removed the millikinPerson class from the driver
> filter. However, now I'm hitting a bit of a roadblock.
>
> If I click on User in the filter, then click on Add Attribute, muRole
> isn't available in the list.


What I normally do when dealing with niuOrgPerson attributes:

XML edit
copy and paste another attribute
change the attribute name
save and return to the regular filter edit view of things


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.