
ADDriver Delete Events "Operation vetoed on unassociated"


For some reason, recently, my AD Driver no longer deletes the associated
Active Directory account when I delete the eDirectory user object.
:mad:

Response from driver: "*Operation vetoed on unassociated object*"

I'll post a level 3 trace if I can figure out how to attach the log file


--
plummb
------------------------------------------------------------------------
plummb's Profile: https://forums.netiq.com/member.php?userid=1727
View this thread: https://forums.netiq.com/showthread.php?t=51659


Re: ADDriver Delete Events "Operation vetoed on unassociated"


Here's the level 3 (not very helpful)

[09/02/14 14:53:54.296]:mmcf domain ST:Applying policy: %+C%14CVeto
Trigger%-C.
[09/02/14 14:53:54.296]:mmcf domain ST: Applying to delete #1.
[09/02/14 14:53:54.296]:mmcf domain ST: Evaluating selection criteria
for rule 'Veto Trigger Events'.
[09/02/14 14:53:54.297]:mmcf domain ST: (if-operation equal
"trigger") = FALSE.
[09/02/14 14:53:54.297]:mmcf domain ST: Rule rejected.
[09/02/14 14:53:54.297]:mmcf domain ST:Policy returned:
[09/02/14 14:53:54.297]:mmcf domain ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.2">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<delete cached-time="20140902185354.232Z" class-name="User"
event-id="VMIDMMETA#20140902185354#3#1:268b602c-7060-4a6c-efab-2c608b266070"
qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=Btester1"
src-dn="\META\IDM\Person\Users\Btester1" src-entry-id="116766"
timestamp="1409683943#1"/>
</input>
</nds>
[09/02/14 14:53:54.298]:mmcf domain ST:Subscriber processing delete for
\META\IDM\Person\Users\Btester1.
[09/02/14 14:53:54.298]:mmcf domain ST:Processing returned document.
[09/02/14 14:53:54.298]:mmcf domain ST:Processing operation <status> for
..
[09/02/14 14:53:54.298]:mmcf domain ST:
DirXML Log Event -------------------
Driver: \META\IDM\eDirMeta\mmcf domain
Channel: Subscriber
Object: \META\IDM\Person\Users\Btester1
Status: Warning
Message: Code(-8019) Operation vetoed on unassociated object.
[09/02/14 14:53:54.387]:mmcf domain ST:End transaction.


--
plummb

Re: ADDriver Delete Events "Operation vetoed on unassociated"



Hi plummb,
Are you sure that your user has a valid association?

My Delete Event for associated users has an "additional" *association*
part that is not available in your doc:

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.5">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<delete cached-time="20140902202339.343Z" class-name="User"
event-id="fx-iv#20140902202339#1#1:93500bae-b112-412d-1b8b-ae0b509312b1"
qualified-src-dn="O=bxxx\OU=Sxxx\CN=sxxx24"
src-dn="\XXX-TREE\bxxx\Sxxx\sxxx24" src-entry-id="678688"
timestamp="1408651036#1">
*<association
state="associated">defe8cc3d92f1946b93xxxxxb4554c0c</association>*
</delete>
</input>
</nds>


--
al_b
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=51659


Re: ADDriver Delete Events "Operation vetoed on unassociated"

plummb wrote:

>
> For some reason, recently, my AD Driver no longer deletes the associated
> Active Directory account when I delete the eDirectory user object.
> :mad:
>
> Response from driver: "*Operation vetoed on unassociated object*"


This is self-explanatory. The user wasn't ever properly associated with AD prior to the point when the delete event was generated.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: ADDriver Delete Events "Operation vetoed on unassociated"

Exactly, and it sounds like you (plummb) believe that this is incorrect
and that the user IS associated with a corresponding object in the MAD
environment. A few reasons for possible discrepancies:

Something else cleared the association already. What would do this?
Well, any driver or other client to the directory could in theory do this,
but if it's happening on many users (not just one or two by accident) the
most-likely cause is that somebody deleted the driver object and then
recreated it; currently the association is maintained via DN relationships
in the association value, so deleting the driver object to recreate it
(rename, move to another DriverSet, whatever the reason) would cause all
associations to be lost. This is rare, and you should definitely know
about this kind of event.

Another option is that the association was never there. If the user never
changes their password (not required to) then maybe nobody ever noticed
that credentials and other settings were not synchronizing. It's
possible, and probably more-likely than the option above.

If you know that an association existed (because you have a backup
confirming as much) then what happened between then (the backup time) and
now that could have removed the association? With IDM the potential for
great power means other drivers could somehow get involved (though you'd
need to add logic in to do that yourself as there is no way normally for
one driver to stomp on another driver's associations), and you'll need to
know if anybody else has access to do things like run ndsrepair commands
(to potentially strip associations from the entire server, though this
would impact all objects' associations, not just one or two, and all
associations, not just one driver config's).

--
Good luck.


Re: ADDriver Delete Events "Operation vetoed on unassociated"


This same event transpires on any of my users. Sync is just fine between
eDir and MAD. All passwords and meta data sync just as intended. When
trying to delete, this event occurs. I can recreate this with any
account.

Here is a new account (exported in LDIF with driver association):
dn: cn=MyTest,ou=Users,ou=Person,o=IDM
changetype: add
DirXML-Associations: cn=mmcf
domain,cn=eDirMeta,o=IDM#1#240cd0c1276899428c5869
fb7098a607

Here is the Level 3 on the delete event

[09/02/14 19:19:00.206]:mmcf domain ST:Processing events for
transaction.
[09/02/14 19:19:00.206]:mmcf domain ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.2">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<delete cached-time="20140902231900.169Z" class-name="User"
event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
timestamp="1409699668#1"/>
</input>
</nds>
[09/02/14 19:19:00.207]:mmcf domain ST:Applying event transformation
policies.
[09/02/14 19:19:00.207]:mmcf domain ST:Applying policy:
%+C%14Csub-etp-Scoping%-C.
[09/02/14 19:19:00.208]:mmcf domain ST: Applying to delete #1.
[09/02/14 19:19:00.208]:mmcf domain ST: Evaluating selection criteria
for rule 'Veto specify events'.
[09/02/14 19:19:00.208]:mmcf domain ST: (if-operation equal "move")
= FALSE.
[09/02/14 19:19:00.208]:mmcf domain ST: (if-operation equal "sync")
= FALSE.
[09/02/14 19:19:00.208]:mmcf domain ST: Rule rejected.
[09/02/14 19:19:00.208]:mmcf domain ST: Evaluating selection criteria
for rule 'Break if the Event is wanted'.
[09/02/14 19:19:00.209]:mmcf domain ST: (if-association associated)
= FALSE.
[09/02/14 19:19:00.209]:mmcf domain ST: (if-class-name equal
"User") = TRUE.
[09/02/14 19:19:00.209]:mmcf domain ST: (if-src-dn in-subtree
"idm\person") = TRUE.
[09/02/14 19:19:00.209]:mmcf domain ST: Rule selected.
[09/02/14 19:19:00.209]:mmcf domain ST: Applying rule 'Break if the
Event is wanted'.
[09/02/14 19:19:00.209]:mmcf domain ST: Action: do-break().
[09/02/14 19:19:00.210]:mmcf domain ST:Policy returned:
[09/02/14 19:19:00.210]:mmcf domain ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.2">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<delete cached-time="20140902231900.169Z" class-name="User"
event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
timestamp="1409699668#1"/>
</input>
</nds>
[09/02/14 19:19:00.211]:mmcf domain ST:Applying policy:
%+C%14Csub-etp-Reset Attributes%-C.
[09/02/14 19:19:00.211]:mmcf domain ST: Applying to delete #1.
[09/02/14 19:19:00.211]:mmcf domain ST: Evaluating selection criteria
for rule 'Reset DirXML-ADAliasName if changing'.
[09/02/14 19:19:00.211]:mmcf domain ST: (if-operation equal
"modify") = FALSE.
[09/02/14 19:19:00.211]:mmcf domain ST: Rule rejected.
[09/02/14 19:19:00.211]:mmcf domain ST: Evaluating selection criteria
for rule 'Reset DirXML-ADContext if changing'.
[09/02/14 19:19:00.212]:mmcf domain ST: (if-operation equal
"modify") = FALSE.
[09/02/14 19:19:00.212]:mmcf domain ST: Rule rejected.
[09/02/14 19:19:00.212]:mmcf domain ST: Evaluating selection criteria
for rule 'Block Empty Modifies'.
[09/02/14 19:19:00.212]:mmcf domain ST: (if-class-name equal
"User") = TRUE.
[09/02/14 19:19:00.212]:mmcf domain ST: (if-operation equal
"modify") = FALSE.
[09/02/14 19:19:00.212]:mmcf domain ST: Rule rejected.
[09/02/14 19:19:00.212]:mmcf domain ST:Policy returned:
[09/02/14 19:19:00.213]:mmcf domain ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.2">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<delete cached-time="20140902231900.169Z" class-name="User"
event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
timestamp="1409699668#1"/>
</input>
</nds>
[09/02/14 19:19:00.213]:mmcf domain ST:Applying policy:
%+C%14Csub-etp-Exch%-C.
[09/02/14 19:19:00.214]:mmcf domain ST: Applying to delete #1.
[09/02/14 19:19:00.214]:mmcf domain ST: Evaluating selection criteria
for rule 'Capture Delete Event, get homeMDB from AD'.
[09/02/14 19:19:00.214]:mmcf domain ST: (if-class-name equal
"User") = TRUE.
[09/02/14 19:19:00.214]:mmcf domain ST: (if-operation equal
"delete") = TRUE.
[09/02/14 19:19:00.214]:mmcf domain ST: Rule selected.
[09/02/14 19:19:00.214]:mmcf domain ST: Applying rule 'Capture Delete
Event, get homeMDB from AD'.
[09/02/14 19:19:00.215]:mmcf domain ST: Action:
do-set-local-variable("local.homeMDB",scope="policy",token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB"))).
[09/02/14 19:19:00.215]:mmcf domain ST:
arg-string(token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB")))
[09/02/14 19:19:00.215]:mmcf domain ST:
token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB"))
[09/02/14 19:19:00.216]:mmcf domain ST:
token-parse-dn(dest-dn-format="slash",length="1",src-dn-format="ldap",start="-1",token-dest-attr("mmcHomeMDB"))
[09/02/14 19:19:00.216]:mmcf domain ST:
token-dest-attr("mmcHomeMDB")
[09/02/14 19:19:00.216]:mmcf domain ST: Token Value: "".
[09/02/14 19:19:00.216]:mmcf domain ST: Arg Value: "".
[09/02/14 19:19:00.216]:mmcf domain ST: Token Value: "".
[09/02/14 19:19:00.216]:mmcf domain ST: Arg Value: "".
[09/02/14 19:19:00.217]:mmcf domain ST: Action: do-if().
[09/02/14 19:19:00.217]:mmcf domain ST: Evaluating conditions.
[09/02/14 19:19:00.217]:mmcf domain ST: (if-local-variable
'local.homeMDB' match ".+") = FALSE.
[09/02/14 19:19:00.217]:mmcf domain ST: Performing else actions.
[09/02/14 19:19:00.217]:mmcf domain ST: Action: do-break().
[09/02/14 19:19:00.217]:mmcf domain ST:Policy returned:
[09/02/14 19:19:00.217]:mmcf domain ST:
<nds dtdversion="4.0" ndsversion="8.x">

<input>
<delete cached-time="20140902231900.169Z" class-name="User"
event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
timestamp="1409699668#1"/>
</input>
</nds>
[09/02/14 19:19:00.220]:mmcf domain ST:Applying policy:
%+C%14CFISMA%-C.
[09/02/14 19:19:00.220]:mmcf domain ST: Applying to delete #1.
[09/02/14 19:19:00.220]:mmcf domain ST: Evaluating selection criteria
for rule 'Check Last Login Time - Act Accordingly'.
[09/02/14 19:19:00.220]:mmcf domain ST: (if-operation equal
"trigger") = FALSE.
[09/02/14 19:19:00.220]:mmcf domain ST: Rule rejected.
[09/02/14 19:19:00.221]:mmcf domain ST:Policy returned:
[09/02/14 19:19:00.221]:mmcf domain ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.2">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<delete cached-time="20140902231900.169Z" class-name="User"
event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
timestamp="1409699668#1"/>
</input>
</nds>
[09/02/14 19:19:00.222]:mmcf domain ST:Applying policy: %+C%14CVeto
Trigger%-C.
[09/02/14 19:19:00.222]:mmcf domain ST: Applying to delete #1.
[09/02/14 19:19:00.222]:mmcf domain ST: Evaluating selection criteria
for rule 'Veto Trigger Events'.
[09/02/14 19:19:00.222]:mmcf domain ST: (if-operation equal
"trigger") = FALSE.
[09/02/14 19:19:00.222]:mmcf domain ST: Rule rejected.
[09/02/14 19:19:00.222]:mmcf domain ST:Policy returned:
[09/02/14 19:19:00.222]:mmcf domain ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.2">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<delete cached-time="20140902231900.169Z" class-name="User"
event-id="VMIDMMETA#20140902231900#3#1:9ead8b3c-b506-4482-e68f-3c8bad9e06b5"
qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyTest"
src-dn="\META\IDM\Person\Users\MyTest" src-entry-id="116773"
timestamp="1409699668#1"/>
</input>
</nds>
[09/02/14 19:19:00.223]:mmcf domain ST:Subscriber processing delete for
\META\IDM\Person\Users\MyTest.
[09/02/14 19:19:00.223]:mmcf domain ST:Processing returned document.
[09/02/14 19:19:00.224]:mmcf domain ST:Processing operation <status> for
..
[09/02/14 19:19:00.224]:mmcf domain ST:
DirXML Log Event -------------------
Driver: \META\IDM\eDirMeta\mmcf domain
Channel: Subscriber
Object: \META\IDM\Person\Users\MyTest
Status: Warning
Message: Code(-8019) Operation vetoed on unassociated object.
[09/02/14 19:19:00.302]:mmcf domain ST:End transaction.


--
plummb

Re: ADDriver Delete Events "Operation vetoed on unassociated"

Same as before... your object is not associated.

Export an object's DirXML-Associations attribute via LDAP and then try the
delete. I'm guessing you will not have a processed value, which is the
problem.

It may be useful to post a trace of a user you think is synchronizing
properly, and then export the DirXML-Associations attribute AFTER that
synchronization from eDir to MAD takes place properly, when there should
be a completed association. After that, process the delete and post the
full trace.


--
Good luck.


Re: ADDriver Delete Events "Operation vetoed on unassociated"


I know the association is valid. After the user object is created with a
'Processed' association to the domain, there is a separate driver that
creates a Unique ID for that object and later publishes it
(successfully) back to MAD. Here's a bit of that event:
<input>
<modify class-name="user" event-id="mmcf domain##1483b822cd9##0"
src-dn="CN=MyUser,CN=Users,DC=mmcf,DC=mehealth,DC=org">
<association>96521f1ee353414987850fd677166af0</association>
<modify-attr attr-name="employeeNumber">
<remove-all-values/>
<add-value>
<value naming="false" type="string">MH62811</value>
</add-value>
</modify-attr>
</modify>
</input>

and later on after the send....

DirXML Log Event -------------------
Driver: \META\IDM\eDirMeta\mmcf domain
Channel: Publisher
Object: CN=MyUser,CN=Users,DC=mmcf,DC=mehealth,DC=org
(IDM\Person\Users\MyUser)
Status: Success

Export of MAD User shows employeeType populated successfully with
MH62811

LDIF export in eDirectory:
dn: cn=MyUser,ou=Users,ou=Person,o=IDM
changetype: add
DirXML-Associations: cn=mmcf
domain,cn=eDirMeta,o=IDM#1#96521f1ee353414987850fd677166af0

Trace on Delete is the same as shown before - ending with:

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.2">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<delete cached-time="20140903124251.660Z" class-name="User"
event-id="VMIDMMETA#20140903124251#3#1:a4158b4e-3389-47b2-9882-4e8b15a48933"
qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyUser"
src-dn="\META\IDM\Person\Users\MyUser" src-entry-id="116783"
timestamp="1409747508#1"/>
</input>
</nds>
[09/03/14 08:42:51.707]:mmcf domain ST:Subscriber processing delete for
\META\IDM\Person\Users\MyUser.
[09/03/14 08:42:51.708]:mmcf domain ST:Processing returned document.
[09/03/14 08:42:51.708]:mmcf domain ST:Processing operation <status> for
..
[09/03/14 08:42:51.708]:mmcf domain ST:
DirXML Log Event -------------------
Driver: \META\IDM\eDirMeta\mmcf domain
Channel: Subscriber
Object: \META\IDM\Person\Users\MyUser
Status: Warning
Message: Code(-8019) Operation vetoed on unassociated object.
[09/03/14 08:42:51.771]:mmcf domain ST:End transaction.


--
plummb
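
Added example (not part of any post in this thread, and not NetIQ code): the comparison made by hand above, an LDIF export with a processed `DirXML-Associations` value against delete documents that carry no `<association>` element, written as a Python check. The sample LDIF and trace are constructed from values quoted in the thread plus one made-up associated user (`Sample24`) and made-up event IDs; the state names other than 1 and the DN conversion helper are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# DirXML-Associations value layout: <driver DN>#<state>#<association value>.
# The thread shows state 1 ("Processed"); the other names are not from the thread.
STATES = {"0": "disabled", "1": "processed", "2": "pending",
          "3": "manual", "4": "migrate"}

def norm_dn(dn):
    """Lower-case an LDAP DN and drop spaces around the commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def qualified_to_ldap(qdn):
    """Trace form 'O=IDM\\OU=Person\\CN=x' (root first) -> 'cn=x,ou=person,o=idm'.
    Assumes no escaped backslashes inside a naming component."""
    return norm_dn(",".join(reversed(qdn.split("\\"))))

def parse_ldif_associations(ldif):
    """Return {entry DN: [(driver DN, state name, value), ...]} from an LDIF export."""
    unfolded = re.sub(r"\r?\n ", "", ldif)   # LDIF continuation lines start with one space
    entries, dn = {}, None
    for line in unfolded.splitlines():
        name, _, data = line.partition(":")
        if name.lower() == "dn":
            dn = norm_dn(data)
            entries[dn] = []
        elif dn and name.lower() == "dirxml-associations" and not data.startswith(":"):
            parts = data.strip().split("#", 2)   # base64 ("::") values are skipped
            if len(parts) == 3:
                driver, state, value = parts
                entries[dn].append((norm_dn(driver), STATES.get(state, state), value))
    return entries

def delete_events(trace):
    """Pull every <delete> out of the <nds> documents embedded in a trace."""
    events = []
    for doc in re.findall(r"<nds\b.*?</nds>", trace, flags=re.S):
        try:
            root = ET.fromstring(doc)
        except ET.ParseError:
            continue                      # document wrapped or cut off in the trace
        for d in root.iter("delete"):
            assoc = d.findtext("association")
            events.append({"dn": qualified_to_ldap(d.get("qualified-src-dn", "")),
                           "event_id": d.get("event-id"),
                           "association": assoc.strip() if assoc else None})
    return events

def audit(ldif, trace, driver_dn):
    """Compare the exported association state with what each delete event carried."""
    exported, by_event, findings = parse_ldif_associations(ldif), {}, []
    for ev in delete_events(trace):       # the trace repeats the document after each policy
        by_event.setdefault(ev["event_id"], []).append(ev)
    for docs in by_event.values():
        dn = docs[0]["dn"]
        state = next((s for d, s, _ in exported.get(dn, []) if d == norm_dn(driver_dn)), None)
        first, last = docs[0]["association"], docs[-1]["association"]
        if first and not last:
            verdict = "association removed by a policy"
        elif not first and state == "processed":
            verdict = "export says processed, delete event has no association"
        elif not first:
            verdict = "unassociated"
        else:
            verdict = "associated"
        findings.append({"dn": dn, "exported_state": state, "verdict": verdict})
    return findings

# Constructed sample: LDIF export taken before the delete, with standard line folding.
SAMPLE_LDIF = """dn: cn=MyUser,ou=Users,ou=Person,o=IDM
changetype: add
DirXML-Associations: cn=mmcf domain,cn=eDirMeta,o=IDM#1#96521f1ee3534149878
 50fd677166af0
"""

# Constructed sample trace: evt-1 mirrors the thread's delete, evt-2 is a made-up associated user.
SAMPLE_TRACE = r"""
[09/03/14 08:42:51.700]:mmcf domain ST:
<nds dtdversion="4.0" ndsversion="8.x"><input>
<delete class-name="User" event-id="evt-1"
 qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyUser"/>
</input></nds>
[09/03/14 08:42:51.706]:mmcf domain ST:Policy returned:
<nds dtdversion="4.0" ndsversion="8.x"><input>
<delete class-name="User" event-id="evt-1"
 qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=MyUser"/>
</input></nds>
[09/03/14 08:42:51.708]:mmcf domain ST:
<nds dtdversion="4.0" ndsversion="8.x"><input>
<delete class-name="User" event-id="evt-2"
 qualified-src-dn="O=IDM\OU=Person\OU=Users\CN=Sample24">
<association state="associated">0123456789abcdef0123456789abcdef</association>
</delete></input></nds>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF, SAMPLE_TRACE, "cn=mmcf domain,cn=eDirMeta,o=IDM"):
        print(finding)
```

Because the first document for each event ID is compared with the last, the check also separates an event that arrived without an association from one where a policy removed it along the way.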

Re: ADDriver Delete Events "Operation vetoed on unassociated"

What is causing the delete, and how exactly? For example, I'm guessing
you're doing this using iManager, just choosing the user and hitting
Delete, or using an LDAP tool like Apache Directory Studio where you
choose the object (which still has the association presumably) and then
pressing the delete key. If anything other than those two methods, please
elaborate.

The reason I ask is that I've seen applications before that "helpfully"
stripped off attributes before deleting objects. Seems unlikely here, but
worth checking out.

Also, do you have any other IDM drivers involved at all?

Could you post your level three trace of the driver startup through a
delete event, perhaps something like SUSE Paste or Pastebin or something
if it's too big to post here? The reason is that it may be interesting to
see how ECVs are set in case something stands out there.

I presume that the eDirectory partition holding this user is a full
read/write or Master replica, and not filtered at all. Please correct me
if I'm wrong.

For a test, stop the driver config and cause a delete, then look at the
cache (cache inspector) and see if the XML has an association. Start the
driver and let it continue to see if things behave the same way (catching
the trace at the same time). Any different?

Since I cannot find it in your other posts, could you please confirm
eDirectory versions/patches and IDM version/patches?

--
Good luck.


Re: ADDriver Delete Events "Operation vetoed on unassociated"


I'm using iManager to perform all account work
eDirectory: 886 SP7
Identity Manager: 4.0.2.2

There are no other IDM Drivers 'Involved' in this event. I have many
other drivers but not playing a part in the process (if, that's what you
mean)

I have the driver startup log but it's far too large to post here. How
do I attach it?

Yes, this partition has full read/write where the user is. IDM is also
running on the Master.


--
plummb
------------------------------------------------------------------------
plummb's Profile: https://forums.netiq.com/member.php?userid=1727
View this thread: https://forums.netiq.com/showthread.php?t=51659

Anonymous_User Absent Member.

Re: ADDriver Delete Events "Operation vetoed on unassociated"

On 09/03/2014 07:35 AM, plummb wrote:
>
> I'm using iManager to perform all account work
> eDirectory: 886 SP7


Eek... 8.8 SP6 was kind of special. I'd probably take a minute or two to
upgrade it. Doing so should not break anything else, particularly if 8.8
SP6 is already using x86_64 (vs. x86_32) meaning IDM is also already using
the x86_64 version of the engine.

> Identity Manager: 4.0.2.2
>
> There are no other IDM Drivers 'Involved' in this event. I have many
> other drivers but not playing a part in the process (if, that's what you
> mean)


Well, I meant at all. The reason I was asking is in case one of those
other driver configs is doing something you would not like. What happens
if you stop them, then do the delete, and later start them after seeing if
things are better with this one driver config?

> I have the driver startup log but it's far too large to post here. How
> do I attach it?


Google for SUSE Paste (or some other paste site mentioned earlier) and
paste it there; that site will give you a link that you include in your
reply here, which we can then follow to see the contents of your trace.

> Yes, this partition has full read/write where the user is. IDM is also
> running on the Master.


What about the test with the cache inspector?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Anonymous_User Absent Member.

Re: ADDriver Delete Events "Operation vetoed on unassociated"


eDir is 88 SP7

http://tny.cz/f69fbf4c

Startup Trace


--
plummb
------------------------------------------------------------------------
plummb's Profile: https://forums.netiq.com/member.php?userid=1727
View this thread: https://forums.netiq.com/showthread.php?t=51659

Anonymous_User Absent Member.

Re: ADDriver Delete Events "Operation vetoed on unassociated"

plummb wrote:

>
> eDir is 88 SP7
>
> http://tny.cz/f69fbf4c


Maybe Aaron can see something that I can't, but this startup looked quite OK to me.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Anonymous_User Absent Member.

Re: ADDriver Delete Events "Operation vetoed on unassociated"

Well I forgot that the trace doesn't print out ECVs like it does GCVs
during startup, so that wasn't as helpful as I'd thought, though seeing the
event in the cache sans association seems notable. I am not positive, but
that just seems wrong, else how would a delete EVER work correctly (since,
unlike on an add or modify, there is no object there from which the
association could potentially be retrieved)? Maybe it's just the view of
the cache doesn't show it, but I do not really think that is as likely as
the association is missing, considering the symptoms described in this
thread. Still, I have not had time to reproduce this so if anybody else
can (stop driver, delete object, view cache) that would be helpful.

The most-interesting thing to me is that I cannot find a 'Start
transaction' anywhere in the trace full of subscriber events. I must be
going crazy, but I have no memory of a Subscriber channel event showing up
without that. As a result, I wonder what is different here that would
cause that. Checking another trace here I definitely see that before
<delete/> (delete) events, so it should be here too. Relevant? Maybe
not, but pretty unusual.

Regarding the eDir version, originally you said '8.8 SP7 Patch 7' and
later you said it was SP7. Either way I'd probably upgrade to the latest
with 8.8 SP8, but if you cannot, at least be sure you're on SP7. 8.8.6.7
is not SP7... that's SP6 Patch 7, and it makes a big difference in eDir
terms, and may apply here too.

Also, are you doing any auditing? Chances are your system is configured
to even if you do not mean to (unless you explicitly disabled it) but at
least let us know what your intention is with regard to auditing and then
post the uncommented lines from /etc/logevent.conf too, please:


grep -v -e '^#' -e '^$' /etc/logevent.conf


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
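The two checks discussed in the post above (does each delete event carry an association, and did 'Start transaction' appear before it) can be run over a saved level 3 trace. This is an added example, not part of any post in the thread; it assumes the association appears as an `<association>` child of `<delete>`, that the trace prints the literal text 'Start transaction', and the sample trace and the name `audit_deletes` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the trace layout quoted in this thread (values invented).
SAMPLE_TRACE = r'''
[09/02/14 14:50:01.100]:mmcf domain ST:Start transaction.
[09/02/14 14:50:01.101]:mmcf domain ST:
<nds dtdversion="4.0" ndsversion="8.x"><input>
<delete class-name="User" event-id="constructed#1" src-dn="\META\IDM\Person\Users\Atester1">
<association state="associated">constructed-guid-0001</association>
</delete>
</input></nds>
[09/02/14 14:53:54.296]:mmcf domain ST:Applying policy: Veto Trigger.
[09/02/14 14:53:54.297]:mmcf domain ST:Policy returned:
<nds dtdversion="4.0" ndsversion="8.x"><input>
<delete class-name="User" event-id="constructed#2" src-dn="\META\IDM\Person\Users\Btester1"/>
</input></nds>
[09/02/14 14:53:54.298]:mmcf domain ST:Policy returned:
<nds dtdversion="4.0" ndsversion="8.x"><input>
<delete class-name="User" event-id="constructed#2" src-dn="\META\IDM\Person\Users\Btester1"/>
</input></nds>
'''

NDS_DOC = re.compile(r"<nds\b.*?</nds>", re.DOTALL)

def audit_deletes(trace):
    """Report each distinct <delete> event: its association, if any, and whether
    'Start transaction' appeared in the trace text just before its first document."""
    findings, seen, last_end = [], set(), 0
    for match in NDS_DOC.finditer(trace):
        preceding = trace[last_end:match.start()].lower()
        last_end = match.end()
        try:
            doc = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # document truncated or mangled by line wrapping
        for delete in doc.iterfind("./input/delete"):
            event_id = delete.get("event-id")
            if event_id in seen:
                continue  # the same event is reprinted as policies return it
            seen.add(event_id)
            assoc = (delete.findtext("association") or "").strip()
            findings.append({
                "src_dn": delete.get("src-dn"),
                "association": assoc or None,
                "start_transaction_seen": "start transaction" in preceding,
            })
    return findings

if __name__ == "__main__":
    for f in audit_deletes(SAMPLE_TRACE):
        status = "ok" if f["association"] else "NO ASSOCIATION (unassociated delete)"
        print(f["src_dn"], status, "start-transaction:", f["start_transaction_seen"])
```

A delete reported without an association is one the driver cannot match to an Active Directory account, which leaves that account in place after the eDirectory user is gone.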
Anonymous_User Absent Member.

Re: ADDriver Delete Events "Operation vetoed on unassociated"


Here is the full log:

http://tny.cz/bb06f17e

Change in attribute (employeeNumber) showing the association and
success
Driver Shut Down
Driver Start-Up
Delete Event

I performed the delete event while the driver was off. The cache
inspector did not show me an association, but it also did not show me
the association listed for other cached events, that processed just fine
post-startup.


--
plummb
------------------------------------------------------------------------
plummb's Profile: https://forums.netiq.com/member.php?userid=1727
View this thread: https://forums.netiq.com/showthread.php?t=51659
