
Bi-Directional eDir quirk after creating new user


Hi All,

We've got a Bi-Directional eDir driver. When I create a user from
iManager I keep getting the error MISSING_MANDATORY and I'm guessing
it's the password but I'm not entirely sure how that's possible.
After this, the driver doesn't sync anything else, it just retries this
object over and over.

This is how I break it and get it fixed:
- Create user->Sync fails on missing mandatory
- Stop driver
- Stop eDir on the connected system
- go to /var/opt/novell/eDirectory/data/dib
- rm *.TAO
- Start eDir
- Start driver on IDM system
- Migrate into vault on driver, select User->CN->input CN
- Voila, it syncs, no problem at all

Now the quirk is that I haven't actually changed anything in the
account, I didn't set another password or whatever.

I ran a complete health check, updated to the latest IDM patches on both
the IDM system and installed the newest changelog driver on the
connected system, which did not fix it. I can easily reproduce this by
creating another account.

Here's the trace: http://pastebin.com/Up5pt4fj

Any ideas?


--
bpenris
------------------------------------------------------------------------
bpenris's Profile: https://forums.netiq.com/member.php?userid=5485
View this thread: https://forums.netiq.com/showthread.php?t=51564


Re: Bi-Directional eDir quirk after creating new user

bpenris wrote:

> When I create a user from
> iManager I keep getting the error MISSING_MANDATORY and I'm guessing
> it's the password but I'm not entirely sure how that's possible.


The only mandatory attribute for users is "Surname" (besides CN or UID as
naming attrs) and that's missing in your add event.
______________________________________________
https://www.is4it.de/identity-access-management

Re: Bi-Directional eDir quirk after creating new user

On a User object in eDirectory there are three mandatory attributes:
Object Class
Surname
CN

Your object lacks the Surname, so thus the -608 error appropriately
returned. Add Surname/sn to your filter set to synchronize on the
Publisher channel and that will hopefully work past this initial error.
Post a trace of the driver config startup to see the filter as configured.
Be sure to restart the driver (thus getting a startup trace) to apply any
changes to things like the filter.

Why things never pick up from there, well that's probably normal. I guess
I'm a little surprised that the error does not cause the system to skip
the current event, but perhaps the -608 is programmed to be a retry
instead of something that clears the cache, and perhaps that's even a bug.
For now, though, I'd fix the -608 (you'll never get a user created in
eDir without a surname) and then see if pursuing the rest is still
worthwhile. IDM tries to NOT lose events, and retrying is the only way to
do that, so in your case this may be desirable behavior to prevent data
loss due to a configuration (filter) issue. Of course, when you delete
the changelog on the remote side then there is no way for the system to
know what it has recently been told to no longer know. 🙂

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Bi-Directional eDir quirk after creating new user

ab wrote:

> On a User object in eDirectory there are three mandatory attributes:
> Object Class
> Surname
> CN


Exactly, I missed Object Class (which is mandatory for every object in eDir -
or are there any exceptions?). CN is interesting, since it's mandatory even
though naming can be done with uniqueID or OU instead. Why would one have to
have a CN in that case? Just a limitation in the schema definition mechanism
that cannot handle something like "Object Class, Surname and one out of
UniqueID, CN or UID"?

Re: Bi-Directional eDir quirk after creating new user

Lothar Haeger wrote:

> and one out of UniqueID, CN or UID"?


"...or OU", of course.


Re: Bi-Directional eDir quirk after creating new user

On 08/20/2014 06:05 AM, Lothar Haeger wrote:
> Lothar Haeger wrote:
>
>> and one out of UniqueID, CN or UID"?


Yes, perhaps; twenty-year-old code and backwards compatibility in mind
probably.

> "...or OU", of course.


I've always wondered if anybody ever sets that for naming on a User; I've
never seen it, and I've corrected more than a few people who didn't know
that was an option because I'm guessing nobody has ever done it in real
life. I have no idea why you'd name a user based on that either.


Re: Bi-Directional eDir quirk after creating new user


ab;247808 Wrote:
> Your object lacks the Surname, so thus the -608 error appropriately
> returned. Add Surname/sn to your filter set to synchronize on the
> Publisher channel and that will hopefully work past this initial error.
> Post a trace of the driver config startup to see the filter as
> configured.
> Be sure to restart the driver (thus getting a startup trace) to apply
> any
> changes to things like the filter.

n00bmode: Is this what you mean? The set of arrows on the right are the
bi-directional eDir driver:
[image: http://puu.sh/b0lGV/3cf79b275e.jpg]
/n00bmode


Startup trace: http://pastebin.com/s7WKUDy7


> Why things never pick up from there, well that's probably normal. I
> guess
> I"m a little surprised that the error does not cause the system to skip
> the current event, but perhaps the -608 is programmed to be a retry
> instead of something that clears the cache, and perhaps that's even a
> bug.
> For now, though, I'd fix the -608 (you'll never get a user created in
> eDir without a surname) and then see if pursuing the rest is still
> worthwhile. IDM tries to NOT lose events, and retrying is the only way
> to
> do that, so in your case this may be desirable behavior to prevent data
> loss due to a configuration (filter) issue. Of course, when you delete
> the changelog on the remote side then there is no way for the system to
> know what it has recently been told to no longer know. 🙂

Yes that sounds logical. I wish there was a way to force it to continue
though.


Also Thanks @Lothar 🙂 I'd give both of you stars but I'm not allowed
to.



Re: Bi-Directional eDir quirk after creating new user

On 08/20/2014 07:15 AM, bpenris wrote:
>
> n00bmode: Is this what you mean? The set of arrows on the right are the
> bi-directional eDir driver:
> [image: http://puu.sh/b0lGV/3cf79b275e.jpg]
> /n00bmode


Yes so that's a good start. If Designer (your picture) is consistent with
what is deployed in the vault (presumably it is because of your trace
below) then that's good.

> Startup trace: http://pastebin.com/s7WKUDy7


This looks like a recent restart. Either you've made a change and things
may work, or you have not but did a while ago and things may work, or you
have not and never did so things are still broken. In the last situation,
go and check your merge authority. Under the driver object (in Designer)
double-click on the filter. For the Surname attribute the merge authority
should be set to Default (by default) and I am not sure that's happening
for you. The DTD for the filter attribute states that, even if not set,
it should be Default, but something is amiss then.

>> For now, though, I'd fix the -608 (you'll never get a user created in
>> eDir without a surname) and then see if pursuing the rest is still
>> worthwhile. IDM tries to NOT lose events, and retrying is the only way
>> to
>> do that, so in your case this may be desirable behavior to prevent data
>> loss due to a configuration (filter) issue. Of course, when you delete
>> the changelog on the remote side then there is no way for the system to
>> know what it has recently been told to no longer know. 🙂

> Yes that sounds logical. I wish there was a way to force it to continue
> though.


You could add a rule in there stating, if a User, and if an add, then veto
if any of the required attributes are missing. In theory they should
always be there, and if not then they may (really unlikely) may come in a
subsequent event, but with your filter set to send those they really
should be there from the start; this is the nature of things defined in
schema as mandatory. It's not optional, it's not delayed, it's always
there. Missing it for a nanosecond but sending the event along and then
not having the mandatory attributes pulled in would be the weirdest timing
issue I've seen in a while. Still, maybe that's it.

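The rule ab describes (veto a User add that arrives without its mandatory attributes, so the driver logs it and moves on instead of retrying the same -608 forever) can be written as a DirXML-Script policy. This is an added example, not code from the thread or from the shipped driver configuration; it assumes it is placed in a Publisher channel policy (for instance the Event Transformation) of the Bi-Directional eDir driver, and it checks only Surname, since Object Class and the naming attribute travel on the add element itself.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Veto User add events that lack the mandatory Surname</description>
    <!-- Surname is mandatory for User in the eDirectory schema; an add
         without it fails with -608 (MISSING_MANDATORY) in the vault and
         is retried until the event is cleared. Vetoing it here records
         the bad event in trace and lets the rest of the queue proceed. -->
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="Surname" op="not-available"/>
      </and>
    </conditions>
    <actions>
      <!-- Surface the skipped object in the driver status log / trace -->
      <do-status level="warning">
        <arg-string>
          <token-text xml:space="preserve">Vetoed User add without Surname: </token-text>
          <token-src-dn/>
        </arg-string>
      </do-status>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

The vetoed object will not be created in the vault; keep the -608 retry behaviour in mind and fix the filter or replica issue so the full add eventually arrives, or migrate the object by hand as the original post does.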

Re: Bi-Directional eDir quirk after creating new user


ab;247825 Wrote:
> Yes so that's a good start. If Designer (your picture) is consistent
> with
> what is deployed in the vault (presumably it is because of your trace
> below) then that's good.

Yes it is except for the trace level.

> This looks like a recent restart. Either you've made a change and
> things
> may work, or you have not but did a while ago and things may work, or
> you
> have not and never did so things are still broken. In the last
> situation,
> go and check your merge authority. Under the driver object (in
> Designer)
> double-click on the filter. For the Surname attribute the merge
> authority
> should be set to Default (by default) and I am not sure that's
> happening
> for you. The DTD for the filter attribute states that, even if not
> set,
> it should be Default, but something is amiss then.

Merge authority is set to Default for Surname.


> You could add a rule in there stating, if a User, and if an add, then
> veto
> if any of the required attributes are missing.

Yes I was pondering to do that but I'd rather fix the underlying
problem.

> In theory they should always be there, and if not then they may (really
> unlikely) may come in a
> subsequent event, but with your filter set to send those they really
> should be there from the start; this is the nature of things defined in
> schema as mandatory. It's not optional, it's not delayed, it's always
> there. Missing it for a nanosecond but sending the event along and
> then
> not having the mandatory attributes pulled in would be the weirdest
> timing
> issue I've seen in a while. Still, maybe that's it.

I've found that if I point iMangler to the replica where the changelog
driver resorts, the problem goes away or at least I'm no longer able to
reproduce it. I could point the driver at our master replica but that
one gets hammered during the day ánd the changelog driver 'sometimes'
crashes ndsd when starting the driver. I don't know why but this is even
true in an isolated test environment where I first tried to implement
the driver. The patch addressed a couple of related issues iirc but I've
still seen at least one ndsd crash after the update.


Thanks again for your assistance 🙂



Re: Bi-Directional eDir quirk after creating new user

Do you have Priority Sync enabled in eDirectory 8.8? It's a feature that
allows you to send specified attributes immediately instead of waiting for
the default sync interval. It is not a default, and is not common, but
it's the only thing of which I can imagine (and I'm really stretching
here) that may cause an object to come through missing mandatory
attributes; I really do not think that should happen even with Priority
Sync, since to what object would the expedited attributes be linked if the
object has not yet replicated after creation? Makes no sense, but there
you go.

Other options may be to try the older eDirectory driver. This would
require a full IDM engine install on a box in your other tree.

A better alternative may be to setup ahead of time and try to export an
object you're about to create from the IDM box over and over (via LDAP) to
see when it shows up via replication, and if (just using eDirectory and
LDAP) you can see it missing mandatory attributes somehow.


Re: Bi-Directional eDir quirk after creating new user


ab;247830 Wrote:
> Do you have Priority Sync enabled in eDirectory 8.8?

I've played around with it a lot because I think it's an awesome feature
but there's no need for it in an environment that's as small as ours.
I've checked nonetheless but no, it's not enabled.

> Other options may be to try the older eDirectory driver. This would
> require a full IDM engine install on a box in your other tree.

That's on my mind as well but I very much dislike the way of eDir trees
and it will basically mean that I'm the only one that'll be able to
manage the system. Do not want that.

> A better alternative may be to setup ahead of time and try to export an
> object you're about to create from the IDM box over and over (via LDAP)
> to
> see when it shows up via replication, and if (just using eDirectory and
> LDAP) you can see it missing mandatory attributes somehow.

The veto policy works for now. We'll see how it runs over the next few
days.

Thank you AB!



Re: Bi-Directional eDir quirk after creating new user

On 08/20/2014 03:18 PM, bpenris wrote:
>
>> see when it shows up via replication, and if (just using eDirectory and
>> LDAP) you can see it missing mandatory attributes somehow.

> The veto policy works for now. We'll see how it runs over the next few
> days.


That is interesting. To me, this implies that right after the first
operation, another operation comes through with the full event. If that
is true, that's very interesting.

If you have a second, I'd be interested in having the situation duplicated
again, and then getting that TAO file of yours that you delete to fix
things. I am guessing that, in there, you'll have both events, and having
proof that this does happen may be a good basis for a bug against the
changelog module. E-mail it to me if you are inclined to do this; if not,
no biggie.

Thanks for posting your success.
