Knowledge Partner

Re: AD driver

This particular trace shows a rename, not a move, so a different code path
was taken which makes sense as your initial report was about renames/moves
coming back after an add, and this is not an add (looks like you just
changed an attribute on a user).

If you have the engine-side trace from this transaction, you can probably
either see a rename from the start (if you renamed the object) or else a
synthesized rename event from an action, similar to what was done with the
previous (now disabled) move action.

The problem, per your description, is that your move logic is firing when
it should not. It should fire when somebody is made inactive, but
instead it is firing on an add event (never correct, perhaps). You could
add a condition to your move-event rule that basically skips past the rule
if the operation is an add, and that may do the trick so you both get
moves when you want them (on user disabled) but not when you do not want
them (on user adds).

Getting the conditions/criteria for rules right for all situations can be
one of the bigger challenges of IDM work; per the cliche quote, with great
power, comes great responsibility. I think you're up for it, though
(eight posts today... you're not giving up for sure). It may help to have
some kind of design document for each driver that specifies what should
happen, and when. Part of that template should include what happens for
each type of event, and then as you create policies and their rules you
can be sure that all of the possible situations are handled, even if
"handled" means an explicit veto, or no action at all, or whatever.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
wferguson1 Absent Member.

Re: AD driver


Thank you for hanging in there with me. The attachment I uploaded named
"trace on add080715.txt" is the engine side trace of an add operation
like you were describing. Would you be able to kindly look at that and
tell me if you see a rename taking place as you suggested. I have been
going over this for days now and just can't find it. Thanks again.


--
wferguson
------------------------------------------------------------------------
wferguson's Profile: https://forums.netiq.com/member.php?userid=360
View this thread: https://forums.netiq.com/showthread.php?t=53997

Knowledge Partner

Re: AD driver

wferguson <wferguson@no-mx.forums.microfocus.com> wrote:
> Thank you for hanging in there with me. The attachment I uploaded named
> "trace on add080715.txt" is the engine side trace of an add operation
> like you were describing. Would you be able to kindly look at that and
> tell me if you see a rename taking place as you suggested. I have been
> going over this for days now and just can't find it. Thanks again.
>


That trace shows an add with a move immediately after (due to your command
transform that moves a user in AD).

This will generate the following looped-back events for the specific
user on the publisher channel:

1. Add
2. Move
3. Rename

There is a policy in the publisher event transform that should normally
veto out the rename.

However, that policy relies on an ITP policy called itp-SubscriberUserAdd
which updates the DirXML-ADContext attribute on add-association, and that
policy appears absent in your driver.

This particular policy was added to the default packages/preconfigured
around the time of IDM 4.0.

So the absence of that policy likely explains the rename you see in the
publisher channel.

Regardless, it seems counter-intuitive to add and then move straight away.

I would scope your command transform move policy to only apply to modifies
and adjust your placement policy to include the same logic that your move
code reflects (where necessary).

Note you can specify multiple placement rules. The last one that sets the
dest-dn will win.

That way, rather than place and then move straight afterwards, you place in
the correct location (saving a move).
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
Knowledge Partner

Re: AD driver

wferguson <wferguson@no-mx.forums.microfocus.com> wrote:
> How do you suggest that I move accounts in the AD domain when they go to
> inactive in eDir.....? This is basically what I am trying to
> accomplish...so


There is no technical reason why you shouldn't move accounts in AD as you
described.

How and where you implement the move is really the key.

Also making use of the default rules and policy is important as the
defaults are often there for a reason.

For the AD driver - Microsoft doesn't provide the perpetrator (user who
made the change) as part of the change notification API that the NetIQ AD
driver shim uses.

As a consequence of this, the NetIQ driver echoes back all relevant changes
(including the ones it just sent to AD) via the publisher channel. So if
you move an object in AD via a subscriber channel event, on the next poll the
shim will report a corresponding move and rename on the publisher channel
(as Aaron has already mentioned). This is because the shim can't determine
which actually occurred in AD.

Normally, the merge logic built into the idm engine optimizes out changes
which IDM already knows about.

There is a default policy in the publisher event transform that is designed
to work out which event actually occurred (and veto the other event). Prior
to this policy (i.e. Input transform) it is 100% normal to see both.

It is not uncommon for this policy to be rendered ineffective by other
(well intentioned) changes in the default driver config.

> 1) determine the context of the account in the destination directory
>
> 2) determine if the account is active or not in eDir


I would trigger off this (as op-attr changing) first, rather than waste
time determining the current context in AD first.

> 3) move the account if the src and dest local variables are
> different.... hence the "move account" rule in my CTP
>



--
Alex McHugh - Knowledge Partner - Stavanger, Norway
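To make the two suggestions above concrete (scope the Command Transformation move to modifies and trigger it off the attribute that actually changes, and let the Placement policy put disabled users in the right OU on the add so no move follows), here is an added DirXML-Script example. It is not the default AD driver package and not wferguson's policy. It assumes the OU names from the trace (OU=ACTIVE and OU=INACTIVE under DC=xxx,DC=xxx,DC=xxx), the local-variable name NewContext from the trace, and that Login Disabled and Full Name are in the Subscriber filter so they are present on the event.

```xml
<!-- Added example; not the driver's default policies and not the poster's own.
     Assumed: OU=ACTIVE / OU=INACTIVE under DC=xxx,DC=xxx,DC=xxx, the variable
     name NewContext, and Login Disabled / Full Name present in the filter. -->

<!-- 1. Subscriber Command Transformation.
        The rule fires only on a modify in which Login Disabled changes, so an
        add can never match and no move is queued right behind the add. -->
<policy>
  <rule>
    <description>Move Account to INACTIVE on disable</description>
    <conditions>
      <and>
        <if-operation op="equal">modify</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="Login Disabled" op="changing-to">true</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-set-local-variable name="NewContext" scope="policy">
        <arg-string>
          <token-text xml:space="preserve">OU=INACTIVE,DC=xxx,DC=xxx,DC=xxx</token-text>
        </arg-string>
      </do-set-local-variable>
      <!-- when="after": the modify is written to AD first, then the move -->
      <do-move-dest-object when="after">
        <arg-dn>
          <token-local-variable name="NewContext"/>
        </arg-dn>
      </do-move-dest-object>
    </actions>
  </rule>
  <rule>
    <description>Move Account back to ACTIVE on re-enable</description>
    <conditions>
      <and>
        <if-operation op="equal">modify</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="Login Disabled" op="changing-to">false</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-move-dest-object when="after">
        <arg-dn>
          <token-text xml:space="preserve">OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx</token-text>
        </arg-dn>
      </do-move-dest-object>
    </actions>
  </rule>
</policy>

<!-- 2. Subscriber Placement.
        Several rules may set the destination DN; the last one to run wins.
        Rule 1 is the default, rule 2 overrides it for a user that is already
        disabled at add time, so the object is created in the right OU. -->
<policy>
  <rule>
    <description>Default placement: ACTIVE</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-set-op-dest-dn>
        <arg-dn>
          <token-text xml:space="preserve">cn=</token-text>
          <!-- escapes the comma in "User, User A." as the trace shows -->
          <token-escape-for-dest-dn>
            <token-op-attr name="Full Name"/>
          </token-escape-for-dest-dn>
          <token-text xml:space="preserve">,OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx</token-text>
        </arg-dn>
      </do-set-op-dest-dn>
    </actions>
  </rule>
  <rule>
    <description>Override: disabled users are created in INACTIVE</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="Login Disabled" op="equal">true</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-set-op-dest-dn>
        <arg-dn>
          <token-text xml:space="preserve">cn=</token-text>
          <token-escape-for-dest-dn>
            <token-op-attr name="Full Name"/>
          </token-escape-for-dest-dn>
          <token-text xml:space="preserve">,OU=INACTIVE,DC=xxx,DC=xxx,DC=xxx</token-text>
        </arg-dn>
      </do-set-op-dest-dn>
    </actions>
  </rule>
</policy>
```

Two checks before relying on this: confirm in a Level 3 engine trace that an add no longer shows "Applying rule 'Move Account'" after the add document, and confirm that the move generated on a disable still comes back on the Publisher channel as a move plus a rename and that the default Publisher Event Transformation policy vetoes the rename. If that veto is not happening, look for the missing itp-SubscriberUserAdd / DirXML-ADContext logic rather than adding another custom veto.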
Knowledge Partner

Re: AD driver


Hi wferguson,
Actually you initiated this move operation in your code (without
reason)!

> 16:35:30 CCEE940 Drvrs: Driver ST: Evaluating selection criteria for
> rule 'Move Account'.
> 16:35:30 CCEE940 Drvrs: Driver ST: (if-local-variable 'destcontext'
> available) = TRUE.
> 16:35:30 CCEE940 Drvrs: Driver ST: (if-local-variable 'NewContext'
> available) = TRUE.
> 16:35:30 CCEE940 Drvrs: Driver ST: Expanded variable reference
> '$NewContext$' to 'OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx'.
> 16:35:30 CCEE940 Drvrs: Driver ST: (if-local-variable 'destcontext'
> not-equal "$NewContext$") = TRUE.
> 16:35:30 CCEE940 Drvrs: Driver ST: Rule selected.
> 16:35:30 CCEE940 Drvrs: Driver ST: Applying rule 'Move Account'.
> 16:35:30 CCEE940 Drvrs: Driver ST: Action:
> *do-move-dest-object(when="after",arg-dn(token-local-variable("NewContext"))).*
> 16:35:30 CCEE940 Drvrs: Driver ST:
> arg-dn(token-local-variable("NewContext"))
> 16:35:30 CCEE940 Drvrs: Driver ST: token-local-variable("NewContext")
> 16:35:30 CCEE940 Drvrs: Driver ST: Token Value:
> "OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx".
> 16:35:30 CCEE940 Drvrs: Driver ST: Arg Value:
> "OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx".
> 16:35:30 CCEE940 Drvrs: Driver ST:Policy returned:
> 16:35:30 CCEE940 Drvrs: Driver ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.2.2">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add cached-time="20150807203529.280Z" class-name="User"
> dest-dn="cn=User\, User A.,OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx"
> event-id="id4#20150807203528#2#1:02f26c8a-9131-472b-0098-8a6cf2023191"
> qualified-src-dn="O=xxx\OU=USER\CN=User" src-dn="xxx"
> src-entry-id="37899" timestamp="0#0">
> <add-attr attr-name="CN">
> <value naming="true" timestamp="1265039838#62"
> type="string">User</value>
> </add-attr>
> <add-attr attr-name="Given Name">
> <value timestamp="1265039838#5" type="string">User</value>
> </add-attr>
> <add-attr attr-name="xxx">
> <value timestamp="1438799919#3" type="string">active</value>
> </add-attr>
> <add-attr attr-name="Initials">
> <value timestamp="1265039838#10" type="string">A</value>
> </add-attr>
> <add-attr attr-name="Password Expiration Time">
> <value timestamp="1432323153#54" type="time">1447875147</value>
> </add-attr>
> <add-attr attr-name="id">
> <value timestamp="1438884139#2" type="string">xxx</value>
> </add-attr>
> <add-attr attr-name="Surname">
> <value timestamp="1312485263#7" type="string">User</value>
> </add-attr>
> <add-attr attr-name="DirXML-ADAliasName">
> <value type="string">User@domain.com</value>
> </add-attr>
> <add-attr attr-name="CN">
> <value>User</value>
> </add-attr>
> <add-attr attr-name="Login Disabled">
> <value type="string">false</value>
> </add-attr>
> 16:35:30 CCEE940 Drvrs: <add-attr attr-name="Full Name">
> <value type="string">User, User A.</value>
> </add-attr>
> <password><!-- content suppressed --></password>
> <operation-data>
> <password-subscribe-status>
> <association/>
> </password-subscribe-status>
> </operation-data>
> </add>
> <move class-name="User"
> dest-dn="cn=User\, User A.,OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx"
> event-id="id4#20150807203528#2#1:02f26c8a-9131-472b-0098-8a6cf2023191"
> qualified-src-dn="O=xxx\OU=USER\CN=User" src-dn="xxx"
> src-entry-id="37899">
> <parent dest-dn="OU=ACTIVE,DC=xxx,DC=xxx,DC=xxx"/>
> </move>
> </input>
> </nds>



--
If you find this post helpful, please show your appreciation by clicking
on the star below :cool:
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=53997

wferguson1 Absent Member.

Re: AD driver


I've made some suggested changes and am uploading a new copy of my
engine trace. This is for an add of an account, for which I am initiating
the sync by modifying the email address.


+----------------------------------------------------------------------+
|Filename: traceonaddDRIVERupdate.txt |
|Download: https://forums.netiq.com/attachment.php?attachmentid=325 |
+----------------------------------------------------------------------+

--
wferguson

wferguson1 Absent Member.

Re: AD driver


With the updated trace of my account add, this attachment shows what I
am seeing over and over again in the remote loader trace, and it is what
I am trying to stop / prevent. When the AD driver performs its
scheduled poll, this is how the remote loader reacts and what it
does/sends to eDir.


+----------------------------------------------------------------------+
|Filename: remote loader trace on polling cycle.txt |
|Download: https://forums.netiq.com/attachment.php?attachmentid=326 |
+----------------------------------------------------------------------+

--
wferguson

Knowledge Partner

Re: AD driver


The AD driver uses DirSync to recognize changes in AD.
> Microsoft Active Directory Directory Synchronization Control or DirSync
> control is an LDAP server extension that enables an application to
> search a directory partition for objects that have changed since a
> previous state.

http://tinyurl.com/nmlqkan

Geoffrey provided a pretty good (as usual) and simple explanation of the
AD driver loopback effect:

> Thus every event sent to Active Directory via the driver on the
> Subscriber channel will loop back on the Publisher channel a few seconds
> later. This is because Active Directory cannot tell that the driver just
> made the change and discard it. (Which the Subscriber channel on all
> drivers will do. If your driver writes something to eDirectory on the
> Publisher channel, it will not generate an event on that same drivers
> Subscriber channel. Which is good else you could get into all sorts of
> horrible loops. But this has a negative effect, that you might need to
> make a change in DriverA’s Pub channel and have DriverB’s Sub channel
> watch for it to tweak the event further, so that DriverA can then
> respond on its Sub channel. The benefits of loopback protection very
> much outweigh the downsides).
>
> Well this Loopback event in Active Directory is usually handled out of
> the box by Optimize Modify. If the attributes are bidirectionally
> synchronizing this just works. A change is made in eDirectory by
> something (maybe HR? Maybe some other system) and it is sent to Active
> Directory, and then a few seconds later Active Directory sends it back
> to eDirectory on the Publisher channel.

http://tinyurl.com/qf668d7


--
al_b's Profile: https://forums.netiq.com/member.php?userid=209

wferguson1 Absent Member.

Re: AD driver


Words cannot explain how thankful I am to everyone who posted on this
forum....Praise the Lord this is FIXED!

Two things:

1) The extra move taking place on adds needed to be mitigated
-- completed by adding a condition: if operation not equal to add.

2) The looping of AD events back to eDir needed to be stopped
-- completed by setting the filter on those particular attributes to
"optimize modify", and now when the AD driver polls AD, the remote loader
just has a simple message of "get changes object 0x0000" and "object
changes complete". I also had some attributes marked to reset when
changed in AD; I tested that and the reset option still works perfectly
fine....if I modify one of those attributes in AD, it gets reset during
the next poll as it should.

Thank you all so very much!!


--
wferguson

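For the loopback effect al_b quotes above (every Subscriber write comes back on the Publisher channel on the next DirSync poll because AD cannot tell the driver made it) and the filter change wferguson reports as the fix, here is an added filter fragment showing the setting that lets the echo through next to the corrected one, plus the "reset" option for attributes where eDirectory is authoritative. It is an illustration, not wferguson's actual filter: the attribute names Surname and Title are assumed, and the surrounding filter-class declaration is reduced to the parts that matter here.

```xml
<!-- Added example filter fragment; not the poster's real filter.
     Assumed attribute names: Surname (bidirectional) and Title (eDir-authoritative). -->
<filter>
  <filter-class class-name="User" publisher="sync" subscriber="sync">

    <!-- Before: bidirectional sync, but with optimize-modify off the value that
         AD echoes back on the next poll is applied to eDirectory as if it were
         a real change, and the engine goes round again.

    <filter-attr attr-name="Surname" merge-authority="default"
                 publisher="sync" publisher-optimize-modify="false"
                 subscriber="sync"/>
    -->

    <!-- After: the engine compares the incoming Publisher value with what
         eDirectory already holds and drops the modify when they match.
         This is the "optimize modify" setting wferguson applied. -->
    <filter-attr attr-name="Surname" merge-authority="default"
                 publisher="sync" publisher-optimize-modify="true"
                 subscriber="sync"/>

    <!-- eDirectory is authoritative: a change made directly in AD is not
         applied to eDirectory; instead eDirectory's value is written back to
         AD on the next poll. This is the "reset when changed in AD" option. -->
    <filter-attr attr-name="Title" merge-authority="default"
                 publisher="reset" subscriber="sync"/>

  </filter-class>
</filter>
```

Verification matches what wferguson describes: with optimize-modify on, a Remote Loader trace of a poll that follows a Subscriber-only change should show the "get changes" / "object changes complete" pair with no further modify document sent to the engine, and a value changed by hand in AD on a "reset" attribute should be overwritten on the following poll. Note that optimize-modify only removes echoes of values eDirectory already has; a move or rename performed in AD still arrives on the Publisher channel and is handled by the default Publisher Event Transformation policy.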
Knowledge Partner

Re: AD driver


Good job, wferguson!
Thank you for detailed report!

Alex


--
al_b's Profile: https://forums.netiq.com/member.php?userid=209

Knowledge Partner

Re: AD driver


Now you have "clean" *add* doc without any "fake" (initiated by your
code) *move* operations.
Good job!


--
al_b's Profile: https://forums.netiq.com/member.php?userid=209
