Stonej Absent Member.

Active Directory Driver Error


Hello All,

HELP...

I have had over 1000 users added today to my IDM system (4.0.2, sp7)
from a JDBC source. I have an Active Directory driver (4.0.2) that our
users use to log in. For some reason the users are not being created.
Part of the trace is shown below:

<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20150311_120000"
instance="\LHU-TREE\lhu\services\LHUDS\Active Directory Driver"
version="4.0.1.0">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status
event-id="idm1#20150804151619#1#1:433ed172-b0a4-47fc-a894-72d13e43a4b0"
level="error" type="driver-general">
<ldap-err ldap-rc="19" ldap-rc-name="LDAP_CONSTRAINT_VIOLATION">
<client-err ldap-rc="19"
ldap-rc-name="LDAP_CONSTRAINT_VIOLATION">Constraint
Violation</client-err>
<server-err>00002081: AtrErr: DSID-031513A5, #1:
0: 00002081: DSID-031513A5, problem 1005 (CONSTRAINT_ATT_TYPE),
data 0, Att 150003 (mail)
</server-err>
<server-err-ex win32-rc="8321"/>
</ldap-err>
<operation-data attempt-to-match="true"
unmatched-src-dn="CN=15000028,OU=Users">
<password-subscribe-status>
<association/>
</password-subscribe-status>
</operation-data>
</status>
<status
event-id="idm1#20150804151619#1#1:433ed172-b0a4-47fc-a894-72d13e43a4b0"
level="warning" type="driver-general">
<ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
<client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No
Such Object</client-err>
<server-err>0000208D: NameErr: DSID-0310020A, problem 2001
(NO_OBJECT), data 0, best match of:
'DC=XXX,DC=XXX,DC=XXX,DC=XXX'
</server-err>
<server-err-ex win32-rc="8333"/>
</ldap-err>
<operation-data attempt-to-match="true"
unmatched-src-dn="CN=15000028,OU=Users">
<password-subscribe-status>
<association/>
</password-subscribe-status>
</operation-data>
</status>
</output>
</nds>


To me this looks like it's having a problem with the "mail" attribute.
When I look at the record in ConsoleOne it's showing as a two-valued
attribute. 015000028@XXX.XXX - and that breaks down to 0 and
15000028@XXX.XXX

I need to force these users across so I was thinking of removing the
mail attribute and putting the correct one in, but when I do that it
puts the multi value back and then AD refuses to budge.

Can anyone help me to one, fix the driver so it doesn't do that, and two,
to force the users over to Active Directory, even by making a small
change on the record, country for example, which isn't used here.

Thanks


--
Stonej
6 Replies

Re: Active Directory Driver Error


Hi Stonej,
Could you provide trace after Output Transformation? (before sending
this doc to AD)


--
al_b

Re: Active Directory Driver Error

On Tue, 04 Aug 2015 15:25:54 +0000, Stonej wrote:

> Hello All,
>
> HELP...
>
> I have had over 1000 users added today to my IDM system (4.0.2, sp7)
> from a JDBC source. I have an Active Directory driver (4.0.2) that our
> users use to log in. For some reason the users are not being created.
> Part of the trace is shown below:


Really kinda need to see the full trace, or at least the <add> document
being sent to the shim.


> <nds dtdversion="1.1" ndsversion="8.7"> <source>
> <product asn1id="" build="20150311_120000"
> instance="\LHU-TREE\lhu\services\LHUDS\Active Directory Driver"
> version="4.0.1.0">AD</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <output>
> <status
> event-id="idm1#20150804151619#1#1:433ed172-b0a4-47fc-a894-72d13e43a4b0"
> level="error" type="driver-general">
> <ldap-err ldap-rc="19" ldap-rc-name="LDAP_CONSTRAINT_VIOLATION">
> <client-err ldap-rc="19"
> ldap-rc-name="LDAP_CONSTRAINT_VIOLATION">Constraint
> Violation</client-err>
> <server-err>00002081: AtrErr: DSID-031513A5, #1: 0: 00002081:
> DSID-031513A5, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 150003
> (mail)
> </server-err>
> <server-err-ex win32-rc="8321"/>
> </ldap-err>
> <operation-data attempt-to-match="true"
> unmatched-src-dn="CN=15000028,OU=Users"> <password-subscribe-status>
> <association/>
> </password-subscribe-status>
> </operation-data>
> </status>
> <status
> event-id="idm1#20150804151619#1#1:433ed172-b0a4-47fc-a894-72d13e43a4b0"
> level="warning" type="driver-general"> <ldap-err ldap-rc="32"
> ldap-rc-name="LDAP_NO_SUCH_OBJECT"> <client-err ldap-rc="32"
> ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such Object</client-err>
> <server-err>0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT),
> data 0, best match of:
> 'DC=XXX,DC=XXX,DC=XXX,DC=XXX'
> </server-err>
> <server-err-ex win32-rc="8333"/>
> </ldap-err>
> <operation-data attempt-to-match="true"
> unmatched-src-dn="CN=15000028,OU=Users"> <password-subscribe-status>
> <association/>
> </password-subscribe-status>
> </operation-data>
> </status>
> </output>
> </nds>
>
>
> To me this looks like it's having a problem with the "mail" attribute.
> When I look at the record in ConsoleOne it's showing as a two-valued
> attribute. 015000028@XXX.XXX - and that breaks down to 0 and
> 15000028@XXX.XXX


That would be a structured attribute, probably not something you want to
feed to your MAD domain anyway.


> I need to force these users across so I was thinking of removing the
> mail attribute and putting the correct one in, but when I do that it
> puts the multi value back and then AD refuses to budge.


Take 'mail' out of your Filter and restart the driver.


> Can anyone help me to one, fix the driver so it doesn't do that and two
> to force the users over to active directory, even by making a small
> change on the record, country for example which isn't used here.


You can resync or migrate-from in iManager.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

rs_0 Respected Contributor.

Re: Active Directory Driver Error


The only time I have had issues with a multi valued attribute going from
eDirectory into Active Directory is when there are two values applied to
the attribute. Typically if there is only one value in the multi valued
attribute there isn't an issue.


--
stampsr

Re: Active Directory Driver Error

stampsr <stampsr@no-mx.forums.microfocus.com> wrote:
> The only time I have had issues with a multi valued attribute going from
> eDirectory into Active Directory is when there are two values applied to
> the attribute. Typically if there is only one value in the multi valued
> attribute there isn't an issue.
>


There is a piece of code that attempts to handle this somewhat generically
(for AD at least) that is hosted by Geoffrey as a package.

The thread related to this is here:

https://forums.netiq.com/showthread.php?48674-Bugfixing-Generic-Single-valued-Schema-Enforcement




--
Alex McHugh - Knowledge Partner - Stavanger, Norway

Re: Active Directory Driver Error

On 8/6/2015 8:29 AM, Alex McHugh wrote:
> stampsr <stampsr@no-mx.forums.microfocus.com> wrote:
>> The only time I have had issues with a multi valued attribute going from
>> eDirectory into Active Directory is when there are two values applied to
>> the attribute. Typically if there is only one value in the multi valued
>> attribute there isn't an issue.
>>

>
> There is a piece of code that attempts to handle this somewhat generically
> (for AD at least) that is hosted by Geoffrey as a package.
>
> The thread related to this is here:
>
> https://forums.netiq.com/showthread.php?48674-Bugfixing-Generic-Single-valued-Schema-Enforcement


And this is a nice advert for the consulting firm I work for, CIS, where
we host some packages that are of generic utility to all folks.

Consider adding a Package Repo to your Designer with this URL:

http://idmfolder.ciscony.com/cis-idm-repo/

We have a number of interesting packages there.



Re: Active Directory Driver Error


> I need to force these users across so I was thinking of removing the
> mail attribute and putting the correct one in, but when I do that it
> puts the multi value back and then AD refuses to budge.

I believe you tried to fix this user from C1.

As usual, we have many ways to resolve the issue.
1. Edit "E-Mail Address" in iManager
2. Update Mail attribute via LDAP
3. etc

Merging 2 eDir values into 1 in AD will not help: AD expects to see an email
address string in a specific format.


--
al_b