New Member.

Code(-8014) Error processing attribute

I'm using IDM 4.7. I wrote the following policy in the loopback driver in order to add users on entitlement assignment.
The entitlement is valued.
<do-add-src-attr-value class-name="User" name="Group Membership">
<arg-dn>
<token-src-dn/>
</arg-dn>
<arg-value type="string">
<token-local-variable name="current-node"/>
</arg-value>
</do-add-src-attr-value>

When assigning an entitlement to a user I have the following error: Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY

The Trace file is as follows:
[11/15/18 11:13:13.024]:Group Membership Control ST:Applying policy: %+C%14CACMELBACKENT-maintain Group Membership based on Entitlements%-C.
[11/15/18 11:13:13.024]:Group Membership Control ST: Applying to modify #1.
[11/15/18 11:13:13.024]:Group Membership Control ST: Evaluating selection criteria for rule 'Only allow add and modify operations'.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-operation not-equal "add") = TRUE.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-operation not-equal "modify") = FALSE.
[11/15/18 11:13:13.024]:Group Membership Control ST: Rule rejected.
[11/15/18 11:13:13.024]:Group Membership Control ST: Evaluating selection criteria for rule 'Group add or remove on entitlement'.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-class-name equal "User") = TRUE.
[11/15/18 11:13:13.024]:Group Membership Control ST: (if-entitlement 'ACMELBACKENT-Assign Group Membership' changing) = TRUE.
[11/15/18 11:13:13.024]:Group Membership Control ST: Rule selected.
[11/15/18 11:13:13.024]:Group Membership Control ST: Applying rule 'Group add or remove on entitlement'.
[11/15/18 11:13:13.024]:Group Membership Control ST: Action: do-for-each(arg-node-set(token-added-entitlement("ACMELBACKENT-Assign Group Membership"))).
[11/15/18 11:13:13.024]:Group Membership Control ST: arg-node-set(token-added-entitlement("ACMELBACKENT-Assign Group Membership"))
[11/15/18 11:13:13.024]:Group Membership Control ST: token-added-entitlement("ACMELBACKENT-Assign Group Membership")
[11/15/18 11:13:13.024]:Group Membership Control ST: Token Value: {<entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state = "1"}.
[11/15/18 11:13:13.024]:Group Membership Control ST: Arg Value: {<entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state = "1"}.
[11/15/18 11:13:13.040]:Group Membership Control ST: Performing actions for local-variable(current-node) = <entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state = "1".
[11/15/18 11:13:13.040]:Group Membership Control ST: Action: do-add-src-attr-value("Group Membership",class-name="User",arg-dn(token-src-dn()),token-local-variable("current-node")).
[11/15/18 11:13:13.040]:Group Membership Control ST: arg-dn(token-src-dn())
[11/15/18 11:13:13.040]:Group Membership Control ST: token-src-dn()
[11/15/18 11:13:13.040]:Group Membership Control ST: Token Value: "\IDVAULT-TREE\data\users\VKhoury".
[11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value: "\IDVAULT-TREE\data\users\VKhoury".
[11/15/18 11:13:13.040]:Group Membership Control ST: arg-string(token-local-variable("current-node"))
[11/15/18 11:13:13.040]:Group Membership Control ST: token-local-variable("current-node")
[11/15/18 11:13:13.040]:Group Membership Control ST: Token Value: "{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}".
[11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value: "{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}".
[11/15/18 11:13:13.040]:Group Membership Control ST: Action: do-for-each(arg-node-set(token-removed-entitlement("ACMELBACKENT-Assign Group Membership"))).
[11/15/18 11:13:13.040]:Group Membership Control ST: arg-node-set(token-removed-entitlement("ACMELBACKENT-Assign Group Membership"))
[11/15/18 11:13:13.040]:Group Membership Control ST: token-removed-entitlement("ACMELBACKENT-Assign Group Membership")
[11/15/18 11:13:13.040]:Group Membership Control ST: Token Value: {}.
[11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value: {}.
[11/15/18 11:13:13.040]:Group Membership Control ST: Evaluating selection criteria for rule 'Terminate Further Operation Processing'.
[11/15/18 11:13:13.040]:Group Membership Control ST: Rule selected.
[11/15/18 11:13:13.040]:Group Membership Control ST: Applying rule 'Terminate Further Operation Processing'.
[11/15/18 11:13:13.040]:Group Membership Control ST: Action: do-veto().
[11/15/18 11:13:13.040]:Group Membership Control ST: Direct command from policy
[11/15/18 11:13:13.040]:Group Membership Control ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="User" dest-dn="\IDVAULT-TREE\data\users\VKhoury" event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d">
<modify-attr attr-name="Group Membership">
<add-value>
<value type="string">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</value>
</add-value>
</modify-attr>
<operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
</modify>
</input>
</nds>
[11/15/18 11:13:13.040]:Group Membership Control ST: Stripping operation data from input document
[11/15/18 11:13:13.040]:Group Membership Control ST: Pumping XDS to eDirectory.
[11/15/18 11:13:13.040]:Group Membership Control ST: Performing operation modify for \IDVAULT-TREE\data\users\VKhoury.
[11/15/18 11:13:13.040]:Group Membership Control ST: --JCLNT-- \IDVAULT-TREE\system\driverset1\Group Membership Control : Duplicating : context = 656867519, tempContext = 656867482
[11/15/18 11:13:13.040]:Group Membership Control ST: --JCLNT-- \IDVAULT-TREE\system\driverset1\Group Membership Control : Calling free on tempContext = 656867482
[11/15/18 11:13:13.040]:Group Membership Control ST: Restoring operation data to output document
[11/15/18 11:13:13.040]:Group Membership Control ST: Processing returned document.
[11/15/18 11:13:13.040]:Group Membership Control ST: Processing operation <status> for .
[11/15/18 11:13:13.040]:Group Membership Control ST:
DirXML Log Event -------------------
Driver: \IDVAULT-TREE\system\driverset1\Group Membership Control
Channel: Subscriber
Status: Success
[11/15/18 11:13:13.117]:Group Membership Control ST: Processing operation <status> for .
[11/15/18 11:13:13.117]:Group Membership Control ST:
DirXML Log Event -------------------
Driver: \IDVAULT-TREE\system\driverset1\Group Membership Control
Channel: Subscriber
Status: Warning
Message: Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY
[11/15/18 11:13:13.180]:Group Membership Control ST: Direct command from policy result
[11/15/18 11:13:13.180]:Group Membership Control ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d" level="success"><operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
<application>DirXML</application>
<module>Group Membership Control</module>
<object-dn></object-dn>
<component>Subscriber</component>
</status>
<status event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d" level="warning">Code(-8014) Error processing attribute (\IDVAULT-TREE\data\users\VKhoury#Group Membership): novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY<operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
<application>DirXML</application>
<module>Group Membership Control</module>
<object-dn></object-dn>
<component>Subscriber</component>
</status>
</output>
</nds>
[11/15/18 11:13:13.180]:Group Membership Control ST:Policy returned:
[11/15/18 11:13:13.180]:Group Membership Control ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input/>
</nds>
[11/15/18 11:13:13.180]:Group Membership Control ST:End transaction.
Knowledge Partner

There are quite a few things wrong in here so I'll try to add comments
after each section and trim out the rest so it's easier to read. In the
future, and even this time, it would help to see the input document that
started all of this, rather than just showing the trace from a particular
spot in the middle of the operation (at the policy 'maintain Group
Membership based on Entitlements' in this case).

On 11/15/2018 04:16 AM, vkhoury wrote:
>
> I'm using IDM 4.7. I wrote the following policy in the loopback driver
> in order to add users on entitlement assignment.
> The entitlement is valued.
> <do-add-src-attr-value class-name="User" name="Group Membership">
> <arg-dn>
> <token-src-dn/>
> </arg-dn>


You should not need to specify the arg-dn at all; by default the
do-add-src-attr-value will modify the current object, which is your user,
and that is the DN you are specifying anyway. Maybe leave it alone at
this point, but it just looks weird and makes the system process more
(generating more trace) needlessly.

> <arg-value type="string">
> <token-local-variable name="current-node"/>
> </arg-value>
> </do-add-src-attr-value>


You are making reference to the 'current-node' local variable; that is
meant to be used in a foreach loop, but your policy above does not
mention a foreach loop, so that is either an incomplete bit of policy, or
else it is a misuse of the local variable. Some of them like current-node
and current-value are to be used in certain places, and maybe you did
here (we'll see below) but then the whole policy should be shared for review.

> When assigning an entitlement to a user I have the following error:
> Code(-8014) Error processing attribute
> (\IDVAULT-TREE\data\users\VKhoury#Group Membership):
> novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY


Assuming the DN above is valid for the user, the -601 may mean that the
group pointed-to via the Group Membership attribute on that user is invalid.

> [11/15/18 11:13:13.024]:Group Membership Control ST: Evaluating
> selection criteria for rule 'Group add or remove on entitlement'.
> [11/15/18 11:13:13.024]:Group Membership Control ST: (if-class-name
> equal "User") = TRUE.
> [11/15/18 11:13:13.024]:Group Membership Control ST:
> (if-entitlement 'ACMELBACKENT-Assign Group Membership' changing) =
> TRUE.
> [11/15/18 11:13:13.024]:Group Membership Control ST: Rule selected.
> [11/15/18 11:13:13.024]:Group Membership Control ST: Applying rule
> 'Group add or remove on entitlement'.
> [11/15/18 11:13:13.024]:Group Membership Control ST: Action:
> do-for-each(arg-node-set(token-added-entitlement("ACMELBACKENT-Assign
> Group Membership"))).
> [11/15/18 11:13:13.024]:Group Membership Control ST:
> arg-node-set(token-added-entitlement("ACMELBACKENT-Assign Group
> Membership"))
> [11/15/18 11:13:13.024]:Group Membership Control ST:
> token-added-entitlement("ACMELBACKENT-Assign Group Membership")
> [11/15/18 11:13:13.024]:Group Membership Control ST: Token
> Value: {<entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group
> Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA"
> @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380"
> @state = "1"}.
> [11/15/18 11:13:13.024]:Group Membership Control ST: Arg Value:
> {<entitlement-impl> @id = "" @name = "ACMELBACKENT-Assign Group
> Membership" @qualified-src-dn = "O=data\OU=users\CN=VKhoury" @src = "UA"
> @src-dn = "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380"
> @state = "1"}.
> [11/15/18 11:13:13.040]:Group Membership Control ST: Performing
> actions for local-variable(current-node) = <entitlement-impl> @id = ""
> @name = "ACMELBACKENT-Assign Group Membership" @qualified-src-dn =
> "O=data\OU=users\CN=VKhoury" @src = "UA" @src-dn =
> "\IDVAULT-TREE\data\users\VKhoury" @src-entry-id = "34380" @state =
> "1".
> [11/15/18 11:13:13.040]:Group Membership Control ST: Action:
> do-add-src-attr-value("Group
> Membership",class-name="User",arg-dn(token-src-dn()),token-local-variable("current-node")).
> [11/15/18 11:13:13.040]:Group Membership Control ST:
> arg-dn(token-src-dn())
> [11/15/18 11:13:13.040]:Group Membership Control ST:
> token-src-dn()
> [11/15/18 11:13:13.040]:Group Membership Control ST:
> Token Value: "\IDVAULT-TREE\data\users\VKhoury".
> [11/15/18 11:13:13.040]:Group Membership Control ST: Arg
> Value: "\IDVAULT-TREE\data\users\VKhoury".
> [11/15/18 11:13:13.040]:Group Membership Control ST:
> arg-string(token-local-variable("current-node"))
> [11/15/18 11:13:13.040]:Group Membership Control ST:
> token-local-variable("current-node")
> [11/15/18 11:13:13.040]:Group Membership Control ST:
> Token Value: "{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}".


That current-node local variable is returning a non-DN value even though
this attribute expects a DN. At the very least you would need to pull
this part to get just the DN portion, without the double-backslashes
throughout, to make it a useful value.

It appears that we were inside a do-foreach after all, so seeing that
policy might help come up with the complete fix.

> [11/15/18 11:13:13.040]:Group Membership Control ST: Arg
> Value: "{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}".
> [11/15/18 11:13:13.040]:Group Membership Control ST: Action:
> do-for-each(arg-node-set(token-removed-entitlement("ACMELBACKENT-Assign
> Group Membership"))).
> [11/15/18 11:13:13.040]:Group Membership Control ST:
> arg-node-set(token-removed-entitlement("ACMELBACKENT-Assign Group
> Membership"))
> [11/15/18 11:13:13.040]:Group Membership Control ST:
> token-removed-entitlement("ACMELBACKENT-Assign Group Membership")
> [11/15/18 11:13:13.040]:Group Membership Control ST: Token
> Value: {}.
> [11/15/18 11:13:13.040]:Group Membership Control ST: Arg Value:
> {}.
> [11/15/18 11:13:13.040]:Group Membership Control ST: Evaluating
> selection criteria for rule 'Terminate Further Operation Processing'.
> [11/15/18 11:13:13.040]:Group Membership Control ST: Rule selected.
> [11/15/18 11:13:13.040]:Group Membership Control ST: Applying rule
> 'Terminate Further Operation Processing'.
> [11/15/18 11:13:13.040]:Group Membership Control ST: Action:
> do-veto().


Vetoing the original event is fine, but as a general thought be sure you
do not need to process this later on, e.g. in a subsequent policy that
might want to notify the group owners of changes, or to generate some kind
of audit of this change, or whatever. If anything other than this
entitlement change had come in with this entitlement change, that would
now be lost, and perhaps that's okay, but it's easy to do on accident with
a veto rather than a break. If you use a Null driver for business logic
like this then the events are auto-vetoed after all policies are done
regardless, which is one more reason why I like using Null drivers for
business logic.

> [11/15/18 11:13:13.040]:Group Membership Control ST: Direct command
> from policy
> [11/15/18 11:13:13.040]:Group Membership Control ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Standard" version="4.7.0.0">DirXML</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <modify class-name="User" dest-dn="\IDVAULT-TREE\data\users\VKhoury"
> event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d">
> <modify-attr attr-name="Group Membership">
> <add-value>
> <value
> type="string">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</value>


Clearly the value above is wrong; that is what you must fix ultimately
for this to have a chance of working, and that involves pulling out the
correct portion of the value from the entitlement value. Maybe look at
token-added-entitlement to see if that works for you:
https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/dirxmlscript/token-added-entitlement.html

I think that is all that matters. Ultimately fix the value of the group
membership attribute being sent back to the user, and you may also want,
once that works, to be sure that IDM is going to set the corresponding
Group object attribute (Member) automatically, or else add that in as
well. In addition to that, you MAY want the security attributes as well
if the group is to grant any kind of security equivalence (rights) within
the tree, and there is an attribute on both the User and Group for that
too, though usually I implement a Null driver just to keep those aligned
no matter the source to avoid needing to play too much in every policy
that manages group memberships.

--
Good luck.

Knowledge Partner



Hi vkhoury,

Are you sure that you are trying to add information to the Group Membership attribute in the right format?
Group Membership is described in the schema as a DN.

LDAP Name: groupMembership
Syntax: Distinguished Name

I believe that you are supposed to add the DN of your group to this attribute:
\IDVAULT-TREE\data\groups\TestGroup3 instead of your current value ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"


<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.7.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="User" dest-dn="\IDVAULT-TREE\data\users\VKhoury" event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d">
<modify-attr attr-name="Group Membership">
<add-value>
<value type="string">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</value>
</add-value>
</modify-attr>
<operation-data>
<entitlement-impl id="" name="ACMELBACKENT-Assign Group Membership" qualified-src-dn="O=data\OU=users\CN=VKhoury" src="UA" src-dn="\IDVAULT-TREE\data\users\VKhoury" src-entry-id="34380" state="1">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</entitlement-impl>
</operation-data>
</modify>
</input>
</nds>
New Member.

Hi ab,
I realized the issue was the format of the group membership DN in current-node.
I dunno the reason but I tried to adjust the DN by using Replace and substring tokens.
It works fine now. But I still want to figure out why it is written in this format.
Knowledge Partner

On 11/15/2018 8:54 AM, vkhoury wrote:
>
> Hi ab,
> I realized the issue was the format of the group membership DN in
> current-node.
> I dunno the reason but I tried to adjust the DN by using Replace and
> substring tokens.
> It works fine now. But I still want to figure out why it is written in
> this format.


When you use a Token-Entitlement, Token-AddedEntitlement,
Token-RemovedEntitlement and loop over the values, $current-node is the
contents of the <param> node, inside the component[@name='path.xml'].

So in an IDM4 format entitlement it is a JSON string.

{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}

Thus you can treat it as JSON and get the value back. So use the ECMA
function I referenced.

Or you can treat it as a string and process it to what you want, in
XPATH you could:

substring-before(substring-after($current-node,'{"ID":"'),'"}')

In Policy you could do the same.
Knowledge Partner

On 11/15/2018 6:16 AM, vkhoury wrote:
> <modify class-name="User" dest-dn="\IDVAULT-TREE\data\users\VKhoury"
> event-id="vanessa-netiq3-nds#20181115111312#1#7:329aff27-86a2-46bc-a3d0-b6d2a21ce95d">
> <modify-attr attr-name="Group Membership">
> <add-value>
> <value
> type="string">{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}</value>
> </add-value>


So you correctly read the parameter out of the Entitlement. But the
syntax is as you can see in the above sample, JSON and eDIR DN's ain't JSON.

So you can use the ECMA function included in all drivers as
es:getEntParamField($current-node,"ID") in a Set local variable to an
XPATH of that statement.

This would strip out the value of the ID Node in the JSON. Now I am NOT
sure if the \\ will be reduced to \ as appropriate, in which case you
might need to then do a Replace All of \\\\ with \\ (\ is escaped to \\
so \\ is escaped to \\\\ and the replace of \ is escaped to \\ ).

That is not even word salad, that is ASCII salad. MMM... ASCII Salad
(said in Homer's voice).

New Member.

Hi geoff,
Yup that's right, I already tried to solve this by using replace and substring tokens.
But yea your alternative is better :).
I will go for it.
Knowledge Partner

On 11/15/2018 8:54 AM, vkhoury wrote:
>
> Hi geoff,
> Yup that's right, I already tried to solve this by using replace and
> substring tokens.
> But yea your alternative is better :).


Just assume that, and it will save you time. 🙂

Glad it helped.


Knowledge Partner

Geoffrey Carman wrote:

> So you correctly read the parameter out of the Entitlement. But the syntax is
> as you can see in the above sample, JSON and eDIR DN's ain't JSON.
>
> So you can use the ECMA function included in all drivers as
> es:getEntParamField($current-node,"ID") in a Set local variable to an XPATH
> of that statement.
>
> This would strip out the value of the ID Node in the JSON. Now I am NOT sure
> if the \\ will be reduced to \ as appropriate, in which case you might need
> to then do a Replace All of \\\\ with \\ (\ is escaped to \\ so \\ is escaped
> to \\\\ and the replace of \ is escaped to \\ ).
>


Depending on which version of es:getEntParamField you use there are some bugs
with escaped chars. Especially as you are usually dealing with multiple layers
of escapes. One for JSON and the other for the target system involved.

In the case of LDAP as target system (such as AD) I've found that the escaping
of the escaping (yes word salad again) used to work when they used eval in this
function but no longer works correctly with the more "safe" json parse.

Was a while back but thought I had determined that the returned instance in the
source system driver should properly escape the data as it sees fit first. Had
an old AD driver so maybe this is fixed in newer code from the vendor.

Summary is, you should use getEntParamField - but make sure to test for edge
cases.

--
If you find this post helpful, and are viewing this using the web, please show
your appreciation by clicking on the star below
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
0 Likes
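The two approaches discussed in this thread, side by side, as an added example that is not from any poster and is not the vendor's es:getEntParamField: string slicing keeps the JSON escape layer, while decoding the JSON removes exactly one layer and rejects input that skipped it. `sliceId`, `parseField` and every sample value except the TestGroup3 parameter from the trace are constructed for illustration.

```javascript
// Constructed sample: the parameter value from the trace, i.e. JSON text in
// which every backslash of the eDirectory DN is escaped as \\.
const PARAM = String.raw`{"ID":"\\IDVAULT-TREE\\data\\groups\\TestGroup3"}`;

// String slicing, equivalent to the substring-before/substring-after XPath.
// It returns raw JSON text, so the JSON escape layer is still present.
function sliceId(param) {
  const prefix = '{"ID":"';
  const start = param.indexOf(prefix);
  if (start === -1) return null;
  const rest = param.slice(start + prefix.length);
  const end = rest.indexOf('"}');
  return end === -1 ? null : rest.slice(0, end);
}

// Hypothetical helper (not the vendor's es:getEntParamField): decode the JSON
// once, removing exactly one escape layer, and fail closed on malformed input.
function parseField(param, field) {
  let obj;
  try {
    obj = JSON.parse(param);
  } catch (e) {
    return { ok: false, error: 'invalid JSON: ' + e.message };
  }
  if (obj === null || typeof obj !== 'object' || typeof obj[field] !== 'string') {
    return { ok: false, error: 'missing string field ' + field };
  }
  return { ok: true, value: obj[field] };
}

// Constructed edge cases for a target system with its own escaping (LDAP DN).
const CASES = {
  // Producer applied both layers: LDAP escape \, then JSON escape \\,
  ldapBothLayers: String.raw`{"ID":"CN=Smith\\, John,OU=Users,DC=example,DC=com"}`,
  // Producer skipped the JSON layer: \, is not a legal JSON escape sequence
  ldapOneLayer: String.raw`{"ID":"CN=Smith\, John,OU=Users,DC=example,DC=com"}`,
  // Value contains the slice terminator "} (a JSON-escaped quote inside)
  terminatorInValue: String.raw`{"ID":"CN=a\"}b,OU=x"}`,
};

for (const [name, param] of Object.entries({ trace: PARAM, ...CASES })) {
  console.log(name, '| slice:', sliceId(param), '| parse:', JSON.stringify(parseField(param, 'ID')));
}
```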
Knowledge Partner

On 11/16/2018 7:23 AM, Alex McHugh wrote:
> Geoffrey Carman wrote:
>
>> So you correctly read the parameter out of the Entitlement. But the syntax is
>> as you can see in the above sample, JSON and eDIR DN's ain't JSON.
>>
>> So you can use the ECMA function included in all drivers as
>> es:getEntParamField($current-node,"ID") in a Set local variable to an XPATH
>> of that statement.
>>
>> This would strip out the value of the ID Node in the JSON. Now I am NOT sure
>> if the \\ will be reduced to \ as appropriate, in which case you might need
>> to then do a Replace All of \\\\ with \\ (\ is escaped to \\ so \\ is escaped
>> to \\\\ and the replace of \ is escaped to \\ ).
>>

>
> Depending on which version of es:getEntParamField you use there are some bugs
> with escaped chars. Especially as you are usually dealing with multiple layers
> of escapes. One for JSON and the other for the target system involved.
>
> In the case of LDAP as target system (such as AD) I've found that the escaping
> of the escaping (yes word salad again) used to work when they used eval in this
> function but no longer works correctly with the more "safe" json parse.
>
> Was a while back but thought I had determined that the returned instance in the
> source system driver should properly escape the data as it sees fit first. Had
> an old AD driver so maybe this is fixed in newer code from the vendor.
>
> Summary is, you should use getEntParamField - but make sure to test for edge
> cases.


Dang those edge cases! Thanks for the heads up!

Is \ one of those characters with issues?


0 Likes
Knowledge Partner

Geoffrey Carman wrote:

> Is \ one of those characters with issues?


IIRC, yes

--
Alex McHugh - Knowledge Partner - Stavanger, Norway
0 Likes
Knowledge Partner

On 11/16/2018 9:53 AM, Alex McHugh wrote:
> Geoffrey Carman wrote:
>
>> Is \ one of those characters with issues?

>
> IIRC, yes


Well that makes it awkward.

0 Likes