Respected Contributor.

Code Map Refresh/Entitlement query issue with AD driver - Group Entitlement v4.7.2

Hello everyone. I'm running out of time. We are very close to the go-live date, and we have a pretty critical, show-stopping incident with the AD Connector. Early in the development process, in the development environment and later in the production environment, the entitlement query worked pretty well (I had entitlements of groups in IDM). But at some point it became non-functional. After a serious talk with the client and doing some debugging research, I have the following information so far:

  • The AD Driver has 3 types of entitlement. The only entitlement I can query is the User Account entitlement. With the other two types of entitlement (group and exchange), I get the following error in the user app web (for the group entitlement):
    • Resource is not configured for permission reconciliation for entitlement cn=group,cn=active directory driver,cn=driverset,ou=idm,ou=services,o=***
  • The tomcat log of the user app (with debugging configured for the modules com.novell.idm.nrf.persist and com.novell.idm.nrf.service) shows me the same error.
  • The AD Driver is not logging the words (Inject XDS), as geoffc recommends searching for in this post https://community.microfocus.com/t5/Identity-Manager-User/Code-Map-Refresh-issue-with-AD-driver-Group-Entitlement/td-p/2344586#

I didn't check the remote loader yet because IDM is not showing me any clue that it is processing the request for the entitlement query of the AD groups.
So I get a clear error from the user app (but I'm not sure if fixing this one will resolve the issue). But checking this error got me to this guide:

https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin/data/netiq-identity-manager-cprs-permission-reconciliation.html

But still the error isn't clear. "Resource is not configured for permission reconciliation for entitlement": do I need to create a resource with the group entitlement, even if the entitlement has no value? Another thing is that when I try to find a resource in the search box that is below in the section CPRS Assignments Table, I get this error in the log of the user app tomcat:

netiq [RBPM] Internal Error "String index out of range: -1"

So can anyone help me with a clue on how to resolve this issue? Thanks in advance!

21 Replies

Respected Contributor.

So I tried to find the GCV to enable/disable CPRS support in the AD Driver and there isn't any. Should I try to create the GCV as described in this post? https://www.netiq.com/documentation/identity-manager-47/driver_admin/data/t4722xhykas8.html (section: Deploying Custom Entitlement Package for Identity Applications).

To answer your question, I'm executing the permission reconciliation from the idmdash view of the UA, because in version 4.7.2 the IDMProv view is deprecated. Thanks in advance for all your help geoffc!!

Outstanding Contributor.

Hi.

Throwing in my two cents.

Have you found this at the support site:

https://support.microfocus.com/kb/doc.php?id=7009476

I have used that before and it has helped me in solving issues with code map refresh in the past.

Best regards

Marcus

Respected Contributor.

Hi Marcus! Thx, I will use the post to do some tests in the afternoon and I will get back to you with the result.

Outstanding Contributor.

At the same time, look at the driver trace, as it will give you more information about what is going on in the driver.

‘catalina.out’ will show you what is being sent to the driver (query), and what is coming back. If you get an error there, then the problem is somewhere in the driver (timeout, etc.); if the driver sends a nice instance document, and then the UserApp chokes on that, then the problem is with the UserApp.

Respected Contributor.

So I checked the support post, but I didn't reach the solution so far. Basically the support post tells me to do some validations that I am already doing. The first and only error that I'm getting in the User Application is

  • Resource is not configured for permission reconciliation for entitlement cn=group,cn=active directory driver,cn=driverset,ou=idm,ou=services,o=***

This error somehow blocks the following operations, and the query is never sent to the AD Driver, so I think it is a configuration issue on the driver or a user application error. I already checked the Driver Entitlement configuration (and group entitlement sync is true); in addition I checked the XML of that configuration and both look correct (for more info you can look at the XML in this post). I also checked the XML query-extensions in the driver configuration, and checked the group object under the driver OU in the directory. So I think what I need to resolve first is that the UA module can send the request to do the group entitlement reconciliation, but there isn't any info related to it. I need help!

Super Contributor.

I think there is some option in the RRSD or UA driver where you set whether you want to use Roles, Resources, and Entitlements, as separate options...

I checked in my project but couldn't find one, I think you should check just to make sure I didn't miss anything.

Might be a good idea to check User Application settings (web-app in browser), perhaps that is where I remember those settings from?

Let's hope this is the solution 😅

Respected Contributor.

Thx for the answer Zan! I didn't find those options; I checked the UA driver (GCV and GEV) and the RBPM driver (GCV and GEV).

Super Contributor.

Found it, it is under Advanced Settings in GCV-Entitlements of AD driver configuration (I attached default/my settings of advanced settings group, I recommend comparing it):

<group>
<definition display-name="Advanced settings" name="drv.entitlement.extensions.show" type="enum">
<description>Entitlement extensions enable additional functionality like data collection and others. These settings should not be changed.</description>
<value>true</value>
<enum-choice display-name="show">true</enum-choice>
<enum-choice display-name="hide">false</enum-choice>
</definition>
<subordinates active-value="true">
<header display-name="Data Collection"/>
<group>
<definition display-name="Enable data collection" name="drv.datacollection.enable" type="enum">
<description>If you turn on data collection here, this driver participates in data collection by the Data Collection Service through the Managed System Gateway Driver.</description>
<value>true</value>
<enum-choice display-name="Yes">true</enum-choice>
<enum-choice display-name="No">false</enum-choice>
</definition>
<subordinates active-value="true">
<definition display-name="Allow data collection from user accounts" name="drv.datacollection.UserAccount" type="enum">
<description>Select 'Yes' to allow data collection by the Data Collection Service through the Managed System Gateway Driver for user accounts.</description>
<value>false</value>
<enum-choice display-name="Yes">true</enum-choice>
<enum-choice display-name="No">false</enum-choice>
</definition>
<definition display-name="Allow data collection from groups" name="drv.datacollection.Group" type="enum">
<description>Select 'Yes' to allow data collection by the Data Collection Service through the Managed System Gateway Driver for groups.</description>
<value>true</value>
<enum-choice display-name="Yes">true</enum-choice>
<enum-choice display-name="No">false</enum-choice>
</definition>
<definition display-name="Allow data collection from Exchange mailboxes" name="drv.datacollection.ExchangeMailbox" type="enum">
<description>Select 'Yes' to allow data collection by the Data Collection Service through the Managed System Gateway Driver for Exchange mailboxes.</description>
<value>true</value>
<enum-choice display-name="Yes">true</enum-choice>
<enum-choice display-name="No">false</enum-choice>
</definition>
</subordinates>
</group>
<header display-name="Role Mapping"/>
<group>
<definition display-name="Enable role mapping" name="drv.rolemapping.enable" type="enum">
<description>If you turn on role mapping here, this driver is be visible to the role mapping administrator.</description>
<value>true</value>
<enum-choice display-name="Yes">true</enum-choice>
<enum-choice display-name="No">false</enum-choice>
</definition>
<subordinates active-value="true">
<definition display-name="Allow mapping of user accounts" name="drv.rolemapping.UserAccount" type="enum">
<description>Select true if you want to allow mapping of user accounts in the role mapping administrator.</description>
<value>true</value>
<enum-choice display-name="Yes">true</enum-choice>
<enum-choice display-name="No">false</enum-choice>
</definition>
<definition display-name="Allow mapping of groups" name="drv.rolemapping.Group" type="enum">
<description>Select true if you want to allow mapping of groups in the role mapping administrator.</description>
<value>true</value>
<enum-choice display-name="Yes">true</enum-choice>
<enum-choice display-name="No">false</enum-choice>
</definition>
<definition display-name="Allow mapping of Exchange mailboxes" name="drv.rolemapping.ExchangeMailbox" type="enum">
<description>Select true if you want to allow mapping of Exchange mailboxes in the role mapping administrator.</description>
<value>true</value>
<enum-choice display-name="Yes">true</enum-choice>
<enum-choice display-name="No">false</enum-choice>
</definition>
</subordinates>
</group>
<header display-name="Resource Mapping"/>
<group>
<definition display-name="Enable resource mapping" name="drv.resourcemapping.enable" type="enum">
<description>If you turn on resource mapping here, this driver is available for resource mapping in the roles-based provisioning module.</description>
<value>true</value>
<enum-choice display-name="Yes">true</enum-choice>
<enum-choice display-name="No">false</enum-choice>
</definition>
<subordinates active-value="true">
<definition display-name="Allow mapping of user accounts" name="drv.resourcemapping.UserAccount" type="enum">
<description>Select true if you want to allow mapping of user accounts in the roles-based provisioning module.</description>
<value>true</value>
<enum-choice display-name="Yes">true</enum-choice>
<enum-choice display-name="No">false</enum-choice>
</definition>
<definition display-name="Allow mapping of groups" name="drv.resourcemapping.Group" type="enum">
<description>Select true if you want to allow mapping of groups in the roles-based provisioning module.</description>
<value>true</value>
<enum-choice display-name="Yes">true</enum-choice>
<enum-choice display-name="No">false</enum-choice>
</definition>
<definition display-name="Allow mapping of Exchange mailboxes" name="drv.resourcemapping.ExchangeMailbox" type="enum">
<description>Select true if you want to allow mapping of Exchange mailboxes in the roles-based provisioning module.</description>
<value>true</value>
<enum-choice display-name="Yes">true</enum-choice>
<enum-choice display-name="No">false</enum-choice>
</definition>
</subordinates>
</group>
<header display-name="Entitlement Extensions"/>
<definition display-name="User account extensions" multiline="true" name="drv.entitlement.extensions.UserAccount" type="string">
<description>Children of the &lt;entitlement-extensions> node are being added below the corresponding entitlement element in the EntitlementConfiguration resource object.</description>
<value xml:space="preserve">&lt;entitlement-extensions>
&lt;member-assignment-query>
&lt;query-xml>
&lt;nds dtdversion="2.0">
&lt;input>
&lt;query class-name="User" scope="subtree">
&lt;search-class class-name="User"/>
&lt;read-attr/>
&lt;/query>
&lt;/input>
&lt;/nds>
&lt;/query-xml>
&lt;/member-assignment-query>
&lt;query-extensions>
&lt;query-xml>
&lt;read-attr attr-name="dirxml-uACAccountDisable"/>
&lt;read-attr attr-name="userPrincipalName"/>
&lt;read-attr attr-name="sAMAccountName"/>
&lt;operation-data data-collection-query="true">&lt;/operation-data>
&lt;/query-xml>
&lt;/query-extensions>
&lt;account>
&lt;account-id source="read-attr" source-name="sAMAccountName"/>
&lt;account-id source="read-attr" source-name="userPrincipalName"/>
&lt;account-id source="src-dn"/>
&lt;account-id source="association"/>
&lt;account-status active="false" inactive="true" source="read-attr" source-name="dirxml-uACAccountDisable"/>
&lt;/account>
&lt;/entitlement-extensions></value>
</definition>
<definition display-name="Group extensions" multiline="true" name="drv.entitlement.extensions.Group" type="string">
<description>Children of the &lt;entitlement-extensions> node are being added below the corresponding entitlement element in the EntitlementConfiguration resource object.</description>
<value xml:space="preserve">&lt;entitlement-extensions>
&lt;member-assignment-extensions>
&lt;query-xml>
&lt;read-attr attr-name="member"/>
&lt;/query-xml>
&lt;/member-assignment-extensions>
&lt;query-extensions>
&lt;query-xml>
&lt;read-attr attr-name="owner"/>
&lt;read-attr attr-name="sAMAccountName"/>
&lt;operation-data data-collection-query="true">&lt;/operation-data>
&lt;/query-xml>
&lt;/query-extensions>
&lt;/entitlement-extensions></value>
</definition>
<definition display-name="Exchange mailbox extensions" multiline="true" name="drv.entitlement.extensions.ExchangeMailbox" type="string">
<description>Children of the &lt;entitlement-extensions> node are being added below the corresponding entitlement element in the EntitlementConfiguration resource object.</description>
<value xml:space="preserve">&lt;entitlement-extensions>
&lt;member-assignment-query>
&lt;query-xml>
&lt;nds dtdversion="2.0">
&lt;input>
&lt;query class-name="msExchPrivateMDB" scope="subtree">
&lt;search-class class-name="msExchPrivateMDB"/>
&lt;/query>
&lt;/input>
&lt;/nds>
&lt;/query-xml>
&lt;/member-assignment-query>
&lt;member-assignment-extensions>
&lt;query-xml>
&lt;read-attr attr-name="homeMDBBL"/>
&lt;/query-xml>
&lt;/member-assignment-extensions>
&lt;/entitlement-extensions></value>
</definition>
</subordinates>
</group>

This is probably a kick in the dark (I don't think these settings should matter).

If this doesn't help you should probably elevate the UA trace and investigate that one.
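Zan's advice is to compare the flags in that GCV block per entitlement type. As an added example (not from the thread and not part of the driver package), the Python below parses a GCV block of the same shape, using a constructed, trimmed sample with drv.resourcemapping.Group deliberately set to false, and reports per entitlement type which data collection / role mapping / resource mapping flags are effectively on and whether the escaped entitlement-extensions value is well-formed XML. The function names and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample with the same layout as the GCV block posted above, trimmed to a
# few definitions; drv.resourcemapping.Group is deliberately false to show how it surfaces.
SAMPLE_GCV = """<group>
<subordinates active-value="true">
<group>
<definition name="drv.resourcemapping.enable" type="enum"><value>true</value></definition>
<subordinates active-value="true">
<definition name="drv.resourcemapping.UserAccount" type="enum"><value>true</value></definition>
<definition name="drv.resourcemapping.Group" type="enum"><value>false</value></definition>
</subordinates>
</group>
<definition name="drv.entitlement.extensions.Group" type="string">
<value xml:space="preserve">&lt;entitlement-extensions>
&lt;member-assignment-extensions>&lt;query-xml>&lt;read-attr attr-name="member"/>&lt;/query-xml>&lt;/member-assignment-extensions>
&lt;/entitlement-extensions></value>
</definition>
</subordinates>
</group>"""

FEATURES = ("datacollection", "rolemapping", "resourcemapping")
TYPES = ("UserAccount", "Group", "ExchangeMailbox")


def extension_status(ext_value):
    """The extensions GCV holds escaped XML; it must be present and parse on its own."""
    if not ext_value:
        return "missing"
    try:
        ET.fromstring(ext_value)
        return "ok"
    except ET.ParseError:
        return "malformed"


def audit_entitlement_gcvs(xml_text):
    """Per entitlement type: a feature is on only if drv.<f>.enable and drv.<f>.<Type> are both true."""
    values = {d.get("name"): (d.findtext("value") or "").strip()
              for d in ET.fromstring(xml_text).iter("definition")}
    report = {}
    for etype in TYPES:
        report[etype] = {f: values.get(f"drv.{f}.enable") == "true"
                         and values.get(f"drv.{f}.{etype}") == "true" for f in FEATURES}
        report[etype]["extensions"] = extension_status(values.get(f"drv.entitlement.extensions.{etype}"))
    return report


def disabled_for(report, etype):
    """Names of the features switched off for one type (e.g. why Group is not reconcilable)."""
    return sorted(f for f in FEATURES if not report[etype][f])
```

Run it against the full `<group>` block exported from the driver (Designer or iManager) rather than the sample to see which of the three types still has a mapping flag off.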

Respected Contributor.

Well, I checked all the GCV values, but overall I think it is the same (in my script I have two more lines, but I think that is because of the format).

Super Contributor.

Yes, those two lines are from the previous XML; I copied only the important and general part...