Marcus Tornberg Super Contributor.

Code map refresh - invalid request 641

Hi!

I have a problem with code map refresh. This occurs on all drivers (and yes, they are up and running, nothing shows in the driver traces).

IDM 4.7.1

The main error I see in catalina is:
LDAP: error code 80 - invalid request (-641)]

But I cannot figure out what causes this.

Any ideas to help me are appreciated.


2019-05-02 16:22:31,257 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataModel] (https-jsse-nio-8443-exec-10) [RBPM] VDM.getEntityDefinition(String, Locale):sys-nrf-entitlement
2019-05-02 16:22:31,257 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.getEntity: cn=useraccount,cn=activedirectory,cn=driverset1,o=system
2019-05-02 16:22:31,258 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.getLdapAttributes Attributes and values
2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] Attribute ID: modifyTimestamp
2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] 20180419124321Z
2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] Attribute ID: objectClass
2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] Top
2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] DirXML-Entitlement
2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] DirXML-PkgItemAux
2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] Attribute ID: XmlData
2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] <?xml version="1.0" encoding="UTF-8"?><entitlement conflict-resolution="union" description="The User Account entitlement grants or denies an account in Active Directory for the user. When granted, the user is given an enabled logon account. When revoked, the logon account is either disabled or deleted depeding on how the drive is configured." display-name="User Account Entitlement">
<values multi-valued="false">
<query-app>
<query-xml>
<nds dtdversion="2.0">
<input>
<query class-name="ADDomain" scope="subtree">
<search-class class-name="ADDomain"/>
<read-attr attr-name="ADDomainValue"/>
<read-attr attr-name="ADDomainDisplayName"/>
<read-attr attr-name="ADDomainDescription"/>
</query>
</input>
</nds>
</query-xml>
<result-set>
<display-name>
<token-attr attr-name="ADDomainDisplayName"/>
</display-name>
<description>
<token-attr attr-name="ADDomainDescription"/>
</description>
<ent-value>
<token-attr attr-name="ADDomainValue"/>
</ent-value>
</result-set>
</query-app>
</values>
</entitlement>
2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.checking if object instance contains the required objectClass per DAL definition: sys-nrf-entitlement
2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.does contain required (search=true or auxilliary=false) objectClass:DirXML-Entitlement
2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.object instance is correct type
2019-05-02 16:22:31,270 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.getEntityResultList
2019-05-02 16:22:31,270 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataModel] (https-jsse-nio-8443-exec-10) [RBPM] VDM.getEntityDefinition(String, Locale):sys-nrf-idmresource
2019-05-02 16:22:31,270 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataModel] (https-jsse-nio-8443-exec-10) [RBPM] VDM.getEntityDefinition(String, Locale):sys-nrf-idmresource
2019-05-02 16:22:31,270 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.getEntityResultList query filter: (&(|(objectClass=DirXML-Resource))(DirXML-ContentType=text/vnd.novell.idm.entitlementConfiguration+xml))
2019-05-02 16:22:31,514 ERROR [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] Unable to complete the CODE MAP refresh for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o=system.
com.novell.idm.nrf.exception.NrfException: Error occurred populating code map table(s) for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o=system. The most likely cause is that the IDM driver containing the entitlement is not started, or there is a communication issue between the remote loader and driver. Refer to the following stack trace for more details. A NDS trace log may help with driver related issues.
at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:394)
at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:154)
at com.novell.idm.nrf.service.ProvisioningCodeMapService.populateCodeMapTablesFromQuery(ProvisioningCodeMapService.java:801)
at com.novell.idm.nrf.service.ProvisioningCodeMapService.updateViewFromEntitlement(ProvisioningCodeMapService.java:307)
at com.novell.idm.nrf.service.ProvisioningCodeMapService.refreshViewFromEntitlement(ProvisioningCodeMapService.java:101)
at com.novell.idm.nrf.service.CodeMapEngine.updateEntitlementToCodeMapView(CodeMapEngine.java:387)
at com.novell.idm.nrf.service.CodeMapEngine.refreshCodeMap(CodeMapEngine.java:245)
at com.netiq.idm.rest.catalog.CodeMapRefreshService.entitlementRefresh(CodeMapRefreshService.java:154)
at sun.reflect.GeneratedMethodAccessor771.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:168)
at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:67)
at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:259)
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:133)
at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:83)
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:133)
at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:71)
at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:990)
at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:941)
at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:932)
at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:384)
at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:451)
at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:632)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.netiq.idm.rest.catalog.RestAuthFilter.doFilter(RestAuthFilter.java:100)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.novell.common.auth.JAASFilter.doFilter(JAASFilter.java:145)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.novell.common.auth.saml.AuthTokenGeneratorFilter.doFilter(AuthTokenGeneratorFilter.java:108)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.novell.common.auth.sso.SSOFilter.doFilter(SSOFilter.java:125)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.novell.soa.common.i18n.BestLocaleServletFilter.doFilter(BestLocaleServletFilter.java:241)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.novell.common.ForceNoCacheFilter.doFilter(ForceNoCacheFilter.java:69)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.novell.common.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.novell.common.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:132)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:322)
at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:193)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.novell.idm.nrf.exception.NrfException: Error occurred running the entitlement/nds queries for entitlement Dn: cn=useraccount,cn=activedirectory,cn=driverset1,o=system, Query XML: <?xml version="1.0" encoding="UTF-8"?><nds dtdversion="2.0">
<input>
<query class-name="ADDomain" scope="subtree">
<search-class class-name="ADDomain"/>
<read-attr attr-name="ADDomainValue"/>
<read-attr attr-name="ADDomainDisplayName"/>
<read-attr attr-name="ADDomainDescription"/>
</query>
</input>
</nds>

at com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2018)
at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:262)
... 75 more
Caused by: javax.naming.NamingException: [LDAP: error code 80 - invalid request (-641)]; remaining name ''
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3198)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3279)
at sun.reflect.GeneratedMethodAccessor699.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sssw.fw.directory.realm.impl.jndildap.EboLdapContextProxyHandler.invokeMethod(EboLdapContextProxyHandler.java:145)
at com.sssw.fw.directory.realm.impl.jndildap.EboLdapContextProxyHandler.invoke(EboLdapContextProxyHandler.java:86)
at com.sun.proxy.$Proxy27.extendedOperation(Unknown Source)
at com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2009)
... 76 more
2019-05-02 16:22:31,526 INFO [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] CODE MAP refresh on entitlement: [cn=useraccount,cn=activedirectory,cn=driverset1,o=system] failed.
2019-05-02 16:22:31,526 DEBUG [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] Setting m_refreshInProgress to false after refresh.


Best regards
Marcus
0 Likes
Knowledge Partner

Re: Code map refresh - invalid request 641

On 5/2/2019 10:34 AM, marcus jonsson wrote:
>
> Hi!
>
> I have a problem with code map refresh. This occurs on all drivers (and
> yes, they are up and running, nothing shows in the driver traces).
>
> IDM 4.7.1
>
> The main error I see in catalina is:
> LDAP: error code 80 - invalid request (-641)]
>
> But I cannot figure out what causes this.
>
> Any ideas to help me are appreciated.


641 means you tried a DirXML-related action that is 'illegal' or not
allowed at this time.

So on the first hand you would expect the AD driver to not be running,
which is needed to inject XDS driver to driver, which is how the query is
injected.

Silly question, is your User App driver running? It is injected via the
UA driver into the AD driver, and both need to be running. This is one
of the few actual uses of the UA driver in terms of actual 'work'.


0 Likes
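A triage helper for the kind of catalina log posted in this thread, added here as an example and not part of any post or of the product: it walks each CodeMapEngine failure down to its innermost `Caused by:` line and extracts the LDAP result code, the eDirectory code and the DN of the driver that owns the entitlement. The sample log is a constructed, shortened excerpt, the second entitlement DN is made up, and the -641 hint paraphrases the reply above.

```python
import re

# Constructed excerpt modelled on the catalina log lines quoted in this thread.
# Stack frames are shortened; the second entitlement DN is invented for the example.
SAMPLE_LOG = """\
2019-05-02 16:22:31,270 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.getEntityResultList
2019-05-02 16:22:31,514 ERROR [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] Unable to complete the CODE MAP refresh for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o=system.
com.novell.idm.nrf.exception.NrfException: Error occurred populating code map table(s) for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o=system.
at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:394)
Caused by: com.novell.idm.nrf.exception.NrfException: Error occurred running the entitlement/nds queries
at com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2018)
Caused by: javax.naming.NamingException: [LDAP: error code 80 - invalid request (-641)]; remaining name ''
at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3279)
2019-05-02 16:22:31,526 INFO [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] CODE MAP refresh on entitlement: [cn=useraccount,cn=activedirectory,cn=driverset1,o=system] failed.
2019-05-02 16:22:32,101 ERROR [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] Unable to complete the CODE MAP refresh for entitlement: cn=group,cn=exampledriver,cn=driverset1,o=system.
Caused by: javax.naming.NamingException: [LDAP: error code 80 - invalid request (-641)]; remaining name ''
"""

# A log event starts with a timestamp; every other line continues the previous event.
EVENT_START = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]*)\)\s+(?P<msg>.*)$"
)
FAILED = re.compile(
    r"Unable to complete the CODE MAP refresh for entitlement: (?P<dn>.+?)\.?\s*$"
)
LDAP_ERR = re.compile(
    r"\[LDAP: error code (?P<ldap>\d+) - (?P<text>.*?) \((?P<edir>-?\d+)\)\]"
)

# Hint text paraphrased from the reply in this thread, not from product documentation.
HINTS = {
    -641: "DirXML action not allowed at this time: confirm that both the "
          "entitlement's driver and the User Application driver are running",
}


def parse_events(text):
    """Group timestamped lines with their continuation lines (stack traces)."""
    events = []
    for line in text.splitlines():
        m = EVENT_START.match(line)
        if m:
            events.append({**m.groupdict(), "extra": []})
        elif events and line.strip():
            events[-1]["extra"].append(line.strip())
    return events


def parent_dn(dn):
    """Drop the leftmost RDN; a backslash-escaped comma does not split."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""


def codemap_failures(text):
    """One record per failed code map refresh, keyed on the innermost cause."""
    failures = []
    for ev in parse_events(text):
        hit = FAILED.search(ev["msg"])
        if ev["level"] != "ERROR" or not hit or not ev["logger"].endswith("CodeMapEngine"):
            continue
        causes = [l for l in ev["extra"] if l.startswith("Caused by:")]
        root = causes[-1] if causes else ""  # last "Caused by:" is the root cause
        err = LDAP_ERR.search(root)
        edir = int(err["edir"]) if err else None
        failures.append({
            "ts": ev["ts"],
            "entitlement_dn": hit["dn"],
            "driver_dn": parent_dn(hit["dn"]),
            "ldap_code": int(err["ldap"]) if err else None,
            "edir_code": edir,
            "root_cause": root,
            "hint": HINTS.get(edir, ""),
        })
    return failures


def drivers_to_check(failures):
    """Distinct driver DNs per eDirectory error code, in first-seen order."""
    out = {}
    for f in failures:
        bucket = out.setdefault(f["edir_code"], [])
        if f["driver_dn"] not in bucket:
            bucket.append(f["driver_dn"])
    return out


if __name__ == "__main__":
    for f in codemap_failures(SAMPLE_LOG):
        print(f["ts"], f["driver_dn"], f["ldap_code"], f["edir_code"], f["hint"])
```
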
Marcus Tornberg Super Contributor.

Re: Code map refresh - invalid request 641

geoffc;2499156 wrote:
On 5/2/2019 10:34 AM, marcus jonsson wrote:
>
> Hi!
>
> I have a problem with code map refresh. This occurs on all drivers (and
> yes, they are up and running, nothing shows in the driver traces).
>
> IDM 4.7.1
>
> The main error I see in catalina is:
> LDAP: error code 80 - invalid request (-641)]
>
> But I cannot figure out what causes this.
>
> Any ideas to help me are appreciated.
> com.novell.idm.nrf.exception.NrfException: Error occurred populating code map table(s) for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o=system. The most likely cause is that the IDM driver containing the entitlement is not started, or there is a communication issue between the remote loader and driver. Refer to the following stack trace for more details. A NDS trace log may help with driver related issues.
> at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:394)
> at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:154)
> at com.novell.idm.nrf.service.ProvisioningCodeMapService.populateCodeMapTablesFromQuery(ProvisioningCodeMapService.java:801)
> at com.novell.idm.nrf.service.ProvisioningCodeMapService.updateViewFromEntitlement(ProvisioningCodeMapService.java:307)
> at com.novell.idm.nrf.service.ProvisioningCodeMapService.refreshViewFromEntitlement(ProvisioningCodeMapService.java:101)
> at com.novell.idm.nrf.service.CodeMapEngine.updateEntitlementToCodeMapView(CodeMapEngine.java:387)
> at com.novell.idm.nrf.service.CodeMapEngine.refreshCodeMap(CodeMapEngine.java:245)
> at com.netiq.idm.rest.catalog.CodeMapRefreshService.entitlementRefresh(CodeMapRefreshService.java:154)
> at sun.reflect.GeneratedMethodAccessor771.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:168)
> at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:67)
> at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:259)
> at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:133)
> at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:83)
> at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:133)
> at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:71)
> at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:990)
> at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:941)
> at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:932)
> at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:384)
> at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:451)
> at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:632)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.netiq.idm.rest.catalog.RestAuthFilter.doFilter(RestAuthFilter.java:100)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.common.auth.JAASFilter.doFilter(JAASFilter.java:145)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.common.auth.saml.AuthTokenGeneratorFilter.doFilter(AuthTokenGeneratorFilter.java:108)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.common.auth.sso.SSOFilter.doFilter(SSOFilter.java:125)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.soa.common.i18n.BestLocaleServletFilter.doFilter(BestLocaleServletFilter.java:241)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.common.ForceNoCacheFilter.doFilter(ForceNoCacheFilter.java:69)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.common.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:53)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.common.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:132)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
> at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:322)
> at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:193)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
> at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
> at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
> at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: com.novell.idm.nrf.exception.NrfException: Error occurred running the entitlement/nds queries for entitlement Dn: cn=useraccount,cn=activedirectory,cn=driverset1,o=system, Query XML: <?xml version="1.0" encoding="UTF-8"?><nds dtdversion="2.0">
> <input>
> <query class-name="ADDomain" scope="subtree">
> <search-class class-name="ADDomain"/>
> <read-attr attr-name="ADDomainValue"/>
> <read-attr attr-name="ADDomainDisplayName"/>
> <read-attr attr-name="ADDomainDescription"/>
> </query>
> </input>
> </nds>
>
> at com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2018)
> at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:262)
> ... 75 more
> Caused by: javax.naming.NamingException: [LDAP: error code 80 - invalid request (-641)]; remaining name ''
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3198)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
> at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3279)
> at sun.reflect.GeneratedMethodAccessor699.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at com.sssw.fw.directory.realm.impl.jndildap.EboLdapContextProxyHandler.invokeMethod(EboLdapContextProxyHandler.java:145)
> at com.sssw.fw.directory.realm.impl.jndildap.EboLdapContextProxyHandler.invoke(EboLdapContextProxyHandler.java:86)
> at com.sun.proxy.$Proxy27.extendedOperation(Unknown Source)
> at com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2009)
> ... 76 more
> 2019-05-02 16:22:31,526 INFO [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] CODE MAP refresh on entitlement: [cn=useraccount,cn=activedirectory,cn=driverset1,o=system] failed.
> 2019-05-02 16:22:31,526 DEBUG [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] Setting m_refreshInProgress to false after refresh.


641 means you tried a DirXML related action that is 'illegal' or not
allowed at this time.

So on the first hand you would expect the AD driver to not be running,
which is needed to Inject XDS driver to driver which is how the query is
injected.

Silly question, is your User App driver running? It is injected via the
UA driver into the AD driver, and both need to be running. This is one
of the few actual uses of the UA driver in terms of actual 'work'.


Hi Geoff!

There is no such thing as a silly question 🙂

Yes, User App driver is running and the AD driver is running. I see no activity on User App driver (trace lvl 10) when I try code map refresh (maybe not expected?), and no activity on the AD driver either.

The error does seem to imply an error returned on the LDAP call, is that routed somehow to the User App driver which in turn sends the query to the connected system driver (AD driver in this case)?

I also verified that the AD driver is fully up by changing an attribute in IDV and verifying in AD, and it is all good.

As this is a test environment I have also tried restarting all services (eDir and Identity Applications) and also clearing out work and temp in Tomcat. Should probably not make a difference, but worth a try.

Any other ideas?

Best regards
Marcus
0 Likes
Knowledge Partner

Re: Code map refresh - invalid request 641


So in the AD trace if it worked, you would see Injecting XDS... and then
the query. Do you have any other entitlements in other drivers, and are
they working?



0 Likes
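A triage helper for the catalina log discussed in this thread, added here as an example (not code from any poster or from the product): it extracts each failed code map refresh, keeps the innermost `Caused by`, and groups the failures by LDAP/eDirectory code so it is clear whether one driver or every driver is affected. The sample log is constructed from the lines quoted above; the second entitlement DN (`cn=group,cn=ldapdriver,...`) and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: first failure copied from the log in this thread,
# second failure (cn=ldapdriver) is made up to show the grouping.
SAMPLE_LOG = """\
2019-05-02 16:22:31,514 ERROR [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] Unable to complete the CODE MAP refresh for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o=system.
com.novell.idm.nrf.exception.NrfException: Error occurred populating code map table(s) for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o=system.
  at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:394)
Caused by: com.novell.idm.nrf.exception.NrfException: Error occurred running the entitlement/nds queries for entitlement Dn: cn=useraccount,cn=activedirectory,cn=driverset1,o=system
  at com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2018)
Caused by: javax.naming.NamingException: [LDAP: error code 80 - invalid request (-641)]; remaining name ''
  at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3279)
2019-05-02 16:22:31,526 INFO [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] CODE MAP refresh on entitlement: [cn=useraccount,cn=activedirectory,cn=driverset1,o=system] failed.
2019-05-02 16:22:40,102 ERROR [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] Unable to complete the CODE MAP refresh for entitlement: cn=group,cn=ldapdriver,cn=driverset1,o=system.
com.novell.idm.nrf.exception.NrfException: Error occurred populating code map table(s) for entitlement: cn=group,cn=ldapdriver,cn=driverset1,o=system.
Caused by: javax.naming.NamingException: [LDAP: error code 80 - invalid request (-641)]; remaining name ''
  at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3279)
"""

TIMESTAMPED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
REFRESH_FAILED = re.compile(
    r"Unable to complete the CODE MAP refresh for entitlement: (.+?)\.\s*$")
CAUSED_BY = re.compile(r"^Caused by: ([\w.$]+): (.*)$")
LDAP_ERROR = re.compile(r"LDAP: error code (\d+) - (.+?) \((-?\d+)\)")


def driver_dn(entitlement_dn):
    """Return the parent DN; the entitlement sits directly under its driver."""
    parts = re.split(r"(?<!\\),", entitlement_dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""


def parse_failures(log_text):
    """One record per failed refresh, carrying the innermost 'Caused by'."""
    failures, current = [], None
    for raw in log_text.splitlines():
        line = raw.lstrip("> \t")  # tolerate forum quoting and indentation
        if TIMESTAMPED.match(line):
            current = None  # a new log record ends the previous stack trace
            hit = REFRESH_FAILED.search(line)
            if hit:
                dn = hit.group(1)
                current = {"timestamp": line[:23], "entitlement": dn,
                           "driver": driver_dn(dn), "root_cause": None,
                           "ldap_code": None, "edir_code": None}
                failures.append(current)
            continue
        if current is None:
            continue
        cause = CAUSED_BY.match(line)
        if cause:
            # Later 'Caused by' lines are deeper, so the last one wins.
            current["root_cause"] = cause.group(1)
            ldap = LDAP_ERROR.search(cause.group(2))
            if ldap:
                current["ldap_code"] = int(ldap.group(1))
                current["edir_code"] = int(ldap.group(3))
    return failures


def group_by_code(failures):
    """Map (LDAP result code, eDirectory code) to the drivers that hit it."""
    groups = defaultdict(set)
    for f in failures:
        groups[(f["ldap_code"], f["edir_code"])].add(f["driver"])
    return {code: sorted(drivers) for code, drivers in groups.items()}


def shared_failure(failures):
    """Return the code pair if several drivers all fail identically, else None.

    Triage assumption taken from the thread: the query travels through the
    User App driver to the target driver, so an identical error on every
    driver points at the shared part of that path.
    """
    groups = group_by_code(failures)
    if len(groups) == 1:
        code, drivers = next(iter(groups.items()))
        if len(drivers) > 1:
            return code
    return None


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print(f["timestamp"], f["driver"], f["root_cause"],
              f["ldap_code"], f["edir_code"])
    print("shared failure:", shared_failure(parse_failures(SAMPLE_LOG)))
```
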
Marcus Tornberg Super Contributor.

Re: Code map refresh - invalid request 641

geoffc;2499188 wrote:
>> cn=useraccount,cn=activedirectory,cn=driverset1,o=system, Query XML:
>> <?xml version="1.0" encoding="UTF-8"?><nds dtdversion="2.0">
>>> <input>
>>> <query class-name="ADDomain" scope="subtree">
>>> <search-class class-name="ADDomain"/>
>>> <read-attr attr-name="ADDomainValue"/>
>>> <read-attr attr-name="ADDomainDisplayName"/>
>>> <read-attr attr-name="ADDomainDescription"/>
>>> </query>
>>> </input>
>>> </nds>
>>>
>>> at

>> com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2018)
>>> at

>> com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:262)
>>> ... 75 more
>>> Caused by: javax.naming.NamingException: [LDAP: error code 80 -

>> invalid request (-641)]; remaining name ''
>>> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3198)
>>> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
>>> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
>>> at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3279)
>>> at sun.reflect.GeneratedMethodAccessor699.invoke(Unknown Source)
>>> at

>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>> at

>> com.sssw.fw.directory.realm.impl.jndildap.EboLdapContextProxyHandler.invokeMethod(EboLdapContextProxyHandler.java:145)
>>> at

>> com.sssw.fw.directory.realm.impl.jndildap.EboLdapContextProxyHandler.invoke(EboLdapContextProxyHandler.java:86)
>>> at com.sun.proxy.$Proxy27.extendedOperation(Unknown Source)
>>> at

>> com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2009)
>>> ... 76 more
>>> 2019-05-02 16:22:31,526 INFO

>> [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10)
>> [RBPM] CODE MAP refresh on entitlement:
>> [cn=useraccount,cn=activedirectory,cn=driverset1,o=system] failed.
>>> 2019-05-02 16:22:31,526 DEBUG

>> [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10)
>> [RBPM] Setting m_refreshInProgress to false after refresh.
>>
>> 641 means, you tried a DirXML related action that is 'illegal' or not
>> allowed at this time.
>>
>> So on the first hand you would expect the AD driver to not be running,
>> which is needed to Inject XDS driver to driver which is how the query
>> is injected.
>>
>> Silly question, is your User App driver running? It is injected via
>> the UA driver into the AD driver, and both need to be running. This is one
>> of the few actual uses of the UA driver in terms of actual 'work'.

>
> Hi Geoff!
>
> There is no such thing as a silly question 🙂
>
> Yes, User App driver is running and the AD driver is running. I see no
> activity on User App driver (trace lvl 10) when I try code map refresh
> (maybe not expected?), and no activity on the AD driver either.
>
> The error does seem to imply an error returned on the LDAP-call, is that
> routed somehow to the User App driver which in turn sends the query to
> the connected system driver (AD driver in this case)?
>
> I also verified that the AD driver is fully up by changing an attribute
> in IDV and verify in AD, and it is all good.
>
> As this is a test environment I have also tried restarting all services
> (eDir and Identity Applications) and also clearing out work and temp in
> Tomcat. Should probably not make a difference, but worth a try.


So in the AD trace if it worked, you would see Injecting XDS... and then
the query. Do you have any other entitlements in other drivers, and are
they working?


Hi.

Yes, there are about 15 entitlements in this environment, and 5 of them are actually working. The other has worked before, but I have no clue on what has caused them to stop working.

Also, this is the test environment, and the same drivers/entitlements are working in production. It is the same version of IDM also.

I have compared between production and test, but I cannot find any odd difference (GCV's and such diffs of course) on the driver level.

I have also verified that Identity Applications is using the same IDVault server as the User App driver is running. It makes no difference if the AD-driver is running on the same server as the User App driver or not.

Best regards
Marcus
Knowledge Partner

Re: Code map refresh - invalid request 641

>> So in the AD trace if it worked, you would see Injecting XDS... and then
>> the query. Do you have any other entitlements in other drivers, and are
>> they working?
> Yes, there are about 15 entitlements in this environment, and 5 of them
> are actually working. The other has worked before, but I have no clue on
> what has caused them to stop working.


So can you see the query for ADDomain in your AD driver? This is the
User Account entitlement and there is policy to convert it to a
__driver__identification__ object class response, since we do not really
need an answer, just any answer and that is harmless.


15 entitlements in the environment, how about on the AD driver?

Also, look at your entitlementConfiguration for your AD driver, and see
if the XML there looks any different from the others. UA queries that
object to parse the XML to understand the Entitlement Queries it needs
to submit,



Marcus Tornberg Super Contributor.

Re: Code map refresh - invalid request 641

Hi!

No, there is nothing logged in the AD-driver upon code refresh. Nada, zip, zero 😉

If I had a query that is not working, it would be easy, but there is nothing being sent on the AD-driver.

AD driver has 5 entitlements, all not working.

The entitlementConfiguration object is identical to the AD-driver in production where it is working. As I understand it, the entitlementConfiguration object points to the entitlement object, and that object contains the actual query. Both entitlementConfiguration and the entitlement itself are identical to prod.

Time to open an SR? 😞

Best regards
Marcus
Knowledge Partner

Re: Code map refresh - invalid request 641

Post the object XML from entitlementConfiguration for the UserAccount
entitlement? (Edit out the other 4 but leave the header node).

Do you have Console2? It has a GUI to inject XDS into a driver via LDAP.
Be interesting to try it against AD and a working driver, see if that
has any issues. I.e. Is it specific to AD shim/driver/policies or not.


Marcus Tornberg Super Contributor.

Re: Code map refresh - invalid request 641

Hi.

Sorry for the late response, I was on vacation last week.

Using C2 and the option to "Submit command to IDM, bypass cache (starts at subscriber command transformation) - direct mode - Driver must be running" and injecting:
<nds dtdversion="2.0">
  <input>
    <query class-name="ADDomain" scope="subtree">
      <search-class class-name="ADDomain"/>
      <read-attr attr-name="ADDomainValue"/>
      <read-attr attr-name="ADDomainDisplayName"/>
      <read-attr attr-name="ADDomainDescription"/>
    </query>
  </input>
</nds>


This works fine, and I can see the query in the driver trace, and I receive the expected output in C2.

Entitlement object:
<?xml version="1.0" encoding="UTF-8"?>
<entitlement-configuration modified="20180504094235">
  <entitlements>
    <entitlement cprs-supported="true" data-collection="false" dn="cn=useraccount,cn=activedirectory,cn=driverset1,o=system" parameter-format="idm4" resource-mapping="true" role-mapping="true">
      <type category="security account" id="user" name="account">
        <display-name>
          <value langCode="de">Benutzer</value>
          <value langCode="en">User</value>
        </display-name>
      </type>
      <parameters>
        <parameter mandatory="true" name="ID" source="read-attr" source-name="ADDomainValue"/>
      </parameters>
      <member-assignment-query>
        <query-xml>
          <nds dtdversion="2.0">
            <input>
              <query class-name="User" scope="subtree">
                <search-class class-name="User"/>
                <read-attr/>
              </query>
            </input>
          </nds>
        </query-xml>
      </member-assignment-query>
      <query-extensions>
        <query-xml>
          <read-attr attr-name="dirxml-uACAccountDisable"/>
          <read-attr attr-name="userPrincipalName"/>
          <read-attr attr-name="sAMAccountName"/>
          <operation-data data-collection-query="true"/>
        </query-xml>
      </query-extensions>
      <account>
        <account-id source="read-attr" source-name="sAMAccountName"/>
        <account-id source="read-attr" source-name="userPrincipalName"/>
        <account-id source="src-dn"/>
        <account-id source="association"/>
        <account-status active="false" inactive="true" source="read-attr" source-name="dirxml-uACAccountDisable"/>
      </account>
    </entitlement>
  </entitlements>
</entitlement-configuration>


Best regards
Marcus
Knowledge Partner

Re: Code map refresh - invalid request 641

>> Do you have Console2? It has a GUI to inject XDS into a driver via
>> LDAP.
>> Be interesting to try it against AD and a working driver, see if that
>> has any issues. I.e. Is it specific to AD shim/driver/policies or not.

>
> Hi.
>
> Sorry for the late response, I was on vacation last week.
>
> Using C2 and the option to "Submit command to IDM, bypass cache (starts
> at subscriber command transformation) - direct mode - Driver must be
> running" and injecting:
>
> Code:
> --------------------
> <nds dtdversion="2.0">
> <input>
> <query class-name="ADDomain" scope="subtree">
> <search-class class-name="ADDomain"/>
> <read-attr attr-name="ADDomainValue"/>
> <read-attr attr-name="ADDomainDisplayName"/>
> <read-attr attr-name="ADDomainDescription"/>
> </query>
> </input>
> </nds>
> --------------------



So in short, directly submitting to the AD shim is working. But alas,
UA does it with a minor twist, in that it does the submit from the UA
driver to the AD driver which is a tiny bit different, so I wonder if
the issue is there.

Thing is, this is mostly an engine function, not really a Shim JAR
function.

Still not sure but this rules out one possibility. Perhaps an SR is in
order at this point?


cpedersen Outstanding Contributor.

Re: Code map refresh - invalid request 641

Hi,

As far as I remember the following class should give a bit more
information about this:

* com.novell.idm.nrf.service


The -641 is an LDAP error from the injection of the query into the
driver. Sometimes to see what is going wrong (if it has to do with an
exception) you need to use ndstrace to see the exact error coming from
the driver.


Casper
Marcus Tornberg Super Contributor.

Re: Code map refresh - invalid request 641

Hi!

I managed to get more information using dstrace with DirXML enabled:
11:19:42 D99EC700 Drvrs: ENG ET:
DirXML Log Event -------------------
Status: Error
Message: Code(-9137) In invalid timeout period value (20) was found in the wire data for the DirXML sub-verb DSVR_OPEN_DRIVER_ACTION.
11:19:42 D99EC700 Drvrs: ENG ET:
DirXML Log Event -------------------
Status: Error
Message: Code(-9140) Error processing DirXML sub-verb DSVR_OPEN_DRIVER_ACTION: com.novell.nds.dhutil.DSErr: invalid request (-641)
***at com.novell.nds.dirxml.engine.verb.OpenDriverAction.processSubVerb(OpenDriverAction.java:97)
***at com.novell.nds.dirxml.engine.verb.DirXMLVerbs$SetVerbHandler.processVerb(DirXMLVerbs.java:658)
***at com.novell.nds.dhutil.VerbProcessor$HandlerThread.run(VerbProcessor.java:507)
***at java.lang.Thread.run(Thread.java:748)


Question is, what is DSVR_OPEN_DRIVER_ACTION and where is it defined? And what should it be set to?

Best regards
Marcus
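
An added example (not from the thread or the product): a small Python parser for the dstrace "DirXML Log Event" blocks shown in the post above, which pairs the -641 failure with the earlier event logged for the same sub-verb on the same thread. The trace layout is inferred from the lines quoted in the post; the first sample line is constructed filler, and the function names are this example's own.

```python
import re

# Line 1 is constructed filler (to show ordinary trace lines are skipped);
# the remaining lines are the dstrace output quoted in the post above.
SAMPLE_TRACE = """\
11:19:41 D99EC700 Drvrs: ENG ET: constructed filler line
11:19:42 D99EC700 Drvrs: ENG ET:
DirXML Log Event -------------------
Status: Error
Message: Code(-9137) In invalid timeout period value (20) was found in the wire data for the DirXML sub-verb DSVR_OPEN_DRIVER_ACTION.
11:19:42 D99EC700 Drvrs: ENG ET:
DirXML Log Event -------------------
Status: Error
Message: Code(-9140) Error processing DirXML sub-verb DSVR_OPEN_DRIVER_ACTION: com.novell.nds.dhutil.DSErr: invalid request (-641)
***at com.novell.nds.dirxml.engine.verb.OpenDriverAction.processSubVerb(OpenDriverAction.java:97)
***at com.novell.nds.dirxml.engine.verb.DirXMLVerbs$SetVerbHandler.processVerb(DirXMLVerbs.java:658)
***at com.novell.nds.dhutil.VerbProcessor$HandlerThread.run(VerbProcessor.java:507)
***at java.lang.Thread.run(Thread.java:748)
"""

# "HH:MM:SS <thread id> Drvrs: <tag>:" opens every trace line.
HEADER = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<thread>[0-9A-Fa-f]+)\s+Drvrs:\s*(?P<tag>.*?):?\s*$"
)
STATUS = re.compile(r"^Status:\s*(\S+)")
MESSAGE = re.compile(r"^Message:\s*Code\((-?\d+)\)\s*(.*)$")
SUBVERB = re.compile(r"sub-verb\s+([A-Z][A-Z0-9_]+)")
NDS_ERR = re.compile(r"\((-\d+)\)\s*$")       # trailing "(-641)" style code
FRAME = re.compile(r"^[\s*]*at\s+(\S+)\(")     # stack frame, "***at" or indented "at"


def parse_events(text):
    """Return one dict per 'DirXML Log Event' block found in a dstrace capture."""
    events, pending, current = [], None, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            # A new trace line ends the previous event block.
            pending, current = header.groupdict(), None
            continue
        if line.startswith("DirXML Log Event") and pending:
            current = dict(pending, status=None, code=None, message="",
                           sub_verb=None, nds_error=None, frames=[])
            events.append(current)
            pending = None
            continue
        if current is None:
            continue
        status = STATUS.match(line)
        if status:
            current["status"] = status.group(1)
            continue
        message = MESSAGE.match(line)
        if message:
            current["code"] = int(message.group(1))
            current["message"] = message.group(2)
            sub_verb = SUBVERB.search(current["message"])
            current["sub_verb"] = sub_verb.group(1) if sub_verb else None
            nds = NDS_ERR.search(current["message"])
            current["nds_error"] = int(nds.group(1)) if nds else None
            continue
        frame = FRAME.match(line)
        if frame:
            current["frames"].append(frame.group(1))
    return events


def preceding_errors(events, nds_error):
    """For each event ending in `nds_error`, list the earlier events logged for
    the same sub-verb on the same thread in the same second."""
    results = []
    for index, event in enumerate(events):
        if event["nds_error"] != nds_error:
            continue
        key = (event["time"], event["thread"], event["sub_verb"])
        earlier = [e for e in events[:index]
                   if (e["time"], e["thread"], e["sub_verb"]) == key]
        results.append((event, earlier))
    return results


if __name__ == "__main__":
    for failure, earlier in preceding_errors(parse_events(SAMPLE_TRACE), -641):
        print(f"{failure['time']} thread {failure['thread']}: "
              f"Code({failure['code']}) on {failure['sub_verb']} -> (-641)")
        for event in earlier:
            print(f"  logged just before: Code({event['code']}) {event['message']}")
```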
cpedersen Outstanding Contributor.

Re: Code map refresh - invalid request 641

On 14.05.19 11:34, marcus jonsson wrote:
>
> cpedersen;2499711 Wrote:
>> On 13.05.19 10:26, marcus jonsson wrote:
>>>
>>> geoffc;2499203 Wrote:
>>>> On 5/3/2019 9:56 AM, marcus jonsson wrote:
>>>>>
>>>>> geoffc;2499200 Wrote:
>>>>>>>> So in the AD trace if it worked, you would see Injecting XDS...
>>>> and
>>>>>>>> then>> the query. Do you have any other entitlements in other
>>>>>> drivers, and are>> they working?
>>>>>>> Yes, there are about 15 entitlements in this environment, and 5

>> of
>>>>>> them
>>>>>>> are actually working. The other has worked before, but I have no
>>>> clue
>>>>>> on
>>>>>>> what has caused them to stop working.
>>>>>>
>>>>>> so can you see the query for ADDomain in your AD driver? This is
>>>> the
>>>>>> User Account entitlement and there is policy to convert it to a
>>>>>> __driver__identification__ object class response, since we do not
>>>>>> really
>>>>>> need an answer, just any answer and that is harmless.
>>>>>>
>>>>>>
>>>>>> 15 entitlements in the environment, how about on the AD driver?
>>>>>>
>>>>>> Also, look at your entitlementConfiguration for your AD driver,

>> and
>>>> see
>>>>>> if the XML there looks any different from the others. UA queries
>>>> that
>>>>>> object to parse the XML to understand the Entitlement Queries it
>>>> needs
>>>>>> to submit,
>>>>>
>>>>> Hi!
>>>>>
>>>>> No, there is nothing logged in the AD-driver upon code refresh.

>> Nada,
>>>>> zip, zero 😉
>>>>>
>>>>> If I had a query that is not working, it would be easy, but there

>> is
>>>>> nothing being sent on the AD-driver.
>>>>>
>>>>> AD driver has 5 entitlements, all not working.
>>>>>
>>>>> The entitlementConfiguration object is identical to the AD-driver

>> in
>>>>> production where it is working. As I understand it, the
>>>>> entitlementConfiguration object points to the entitlement object,

>> and
>>>>> that object contains the actual query. Both

>> entitlementConfiguration
>>>> and
>>>>> the entitlement it self is identical to prod.
>>>>
>>>> Post the object XML from entitlementConfiguration for the

>> UserAccount
>>>> entitlement? (Edit out the other 4 but leave the header node).
>>>>
>>>> Do you have Console2? It has a GUI to inject XDS into a driver via
>>>> LDAP.
>>>> Be interestsing to try it against AD and a working driver, see if

>> that
>>>> has any issues. I.e. Is it specific to AD shim/driver/policies or

>> not.
>>>
>>> Hi.
>>>
>>> Sorry for the late response, I was on vacation last week.
>>>
>>> Using C2 and the option to "Submit command to IDM, bypass cache

>> (starts
>>> at subscriber command transformation) - direct mode - Driver must be
>>> running" and injecting:
>>>
>>> Code:
>>> --------------------
>>> <nds dtdversion="2.0">
>>> <input>
>>> <query class-name="ADDomain" scope="subtree">
>>> <search-class class-name="ADDomain"/>
>>> <read-attr attr-name="ADDomainValue"/>
>>> <read-attr attr-name="ADDomainDisplayName"/>
>>> <read-attr attr-name="ADDomainDescription"/>
>>> </query>
>>> </input>
>>> </nds>
>>> --------------------
>>>
>>>
>>> This works fine, and I can see the query in the driver trace, and I
>>> receive the expected output in C2.
>>>
>>> Entitlement object:
>>>
>>> Code:
>>> --------------------
>>> <?xml version="1.0" encoding="UTF-8"?><entitlement-configuration modified="20180504094235">
>>>   <entitlements>
>>>     <entitlement cprs-supported="true" data-collection="false" dn="cn=useraccount,cn=activedirectory,cn=driverset1,o=system" parameter-format="idm4" resource-mapping="true" role-mapping="true">
>>>       <type category="security account" id="user" name="account">
>>>         <display-name>
>>>           <value langCode="de">Benutzer</value>
>>>           <value langCode="en">User</value>
>>>         </display-name>
>>>       </type>
>>>       <parameters>
>>>         <parameter mandatory="true" name="ID" source="read-attr" source-name="ADDomainValue"/>
>>>       </parameters>
>>>       <member-assignment-query>
>>>         <query-xml>
>>>           <nds dtdversion="2.0">
>>>             <input>
>>>               <query class-name="User" scope="subtree">
>>>                 <search-class class-name="User"/>
>>>                 <read-attr/>
>>>               </query>
>>>             </input>
>>>           </nds>
>>>         </query-xml>
>>>       </member-assignment-query>
>>>       <query-extensions>
>>>         <query-xml>
>>>           <read-attr attr-name="dirxml-uACAccountDisable"/>
>>>           <read-attr attr-name="userPrincipalName"/>
>>>           <read-attr attr-name="sAMAccountName"/>
>>>           <operation-data data-collection-query="true"/>
>>>         </query-xml>
>>>       </query-extensions>
>>>       <account>
>>>         <account-id source="read-attr" source-name="sAMAccountName"/>
>>>         <account-id source="read-attr" source-name="userPrincipalName"/>
>>>         <account-id source="src-dn"/>
>>>         <account-id source="association"/>
>>>         <account-status active="false" inactive="true" source="read-attr" source-name="dirxml-uACAccountDisable"/>
>>>       </account>
>>>     </entitlement>
>>>   </entitlements>
>>> </entitlement-configuration>
>>> --------------------
>>>
>>>
>>> Best regards
>>> Marcus
>>>
>>>

>>
>> Hi,
>>
>> As far as I remember the following class should give a bit more
>> information about this:
>>
>> * com.novell.idm.nrf.service
>>
>>
>> The -641 is an LDAP error from the injection of the query into the
>> driver. Sometimes to see what is going wrong (if it has to do with an
>> exception) you need to use ndstrace to see the exact error coming from
>> the driver.
>>
>>
>> Casper

>
> Hi!
>
> I managed to get more information using dstrace with DirXML enabled:
>
> Code:
> --------------------
> 11:19:42 D99EC700 Drvrs: ENG ET:
> DirXML Log Event -------------------
> Status: Error
> Message: Code(-9137) In invalid timeout period value (20) was found in the wire data for the DirXML sub-verb DSVR_OPEN_DRIVER_ACTION.
> 11:19:42 D99EC700 Drvrs: ENG ET:
> DirXML Log Event -------------------
> Status: Error
> Message: Code(-9140) Error processing DirXML sub-verb DSVR_OPEN_DRIVER_ACTION: com.novell.nds.dhutil.DSErr: invalid request (-641)
> ***at com.novell.nds.dirxml.engine.verb.OpenDriverAction.processSubVerb(OpenDriverAction.java:97)
> ***at com.novell.nds.dirxml.engine.verb.DirXMLVerbs$SetVerbHandler.processVerb(DirXMLVerbs.java:658)
> ***at com.novell.nds.dhutil.VerbProcessor$HandlerThread.run(VerbProcessor.java:507)
> ***at java.lang.Thread.run(Thread.java:748)
> --------------------
>
>
> Question is, what is DSVR_OPEN_DRIVER_ACTION and where is it defined?
> And what should it be set to?
>
> Best regards
> Marcus
>
>


"DSVR_OPEN_DRIVER_ACTION" is the action of sending the operation to the
Driver which is done via an LDAP Extended Operation.


"Message: Code(-9137) In invalid timeout period value (20) was found in
the wire data for the DirXML sub-verb DSVR_OPEN_DRIVER_ACTION."

Have you reviewed your timeout settings - it could look like something
is wrong in that corner?

-641 FFFFFD7F INVALID REQUEST <== something is wrong with the request.



Casper

0 Likes
Marcus Tornberg Super Contributor.

Re: Code map refresh - invalid request 641

Hi Casper.

Yes, probably, but what timeout setting is it I should check? Where can I find it?

Thanks.

Best regards
Marcus
0 Likes
Marcus Tornberg Super Contributor.

Re: Code map refresh - invalid request 641

Hi again.

Found it, it was right in my face 🙂
Resource Settings > Entitlement Query Settings > Default Query Timeout

This was set to 20, but valid values are from 1 - 10 according to:
https://support.microfocus.com/kb/doc.php?id=7016855

I think that the GUI should not let me specify an invalid value. Also I do not find this limit in values in the product documentation.

Best regards
Marcus
0 Likes
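Added example, not part of the original posts: a small Python parser for dstrace output like the excerpt quoted in this thread. It pulls out each -9137 event, reports the rejected timeout value and sub-verb, and attaches the -9140 DS error that follows it. The 1 to 10 range is taken from the last post's reading of the KB article and is an assumption here; the sample trace is constructed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the dstrace excerpt quoted in this thread.
SAMPLE_TRACE = """\
11:19:42 D99EC700 Drvrs: ENG ET:
DirXML Log Event -------------------
Status: Error
Message: Code(-9137) In invalid timeout period value (20) was found in the wire data for the DirXML sub-verb DSVR_OPEN_DRIVER_ACTION.
11:19:42 D99EC700 Drvrs: ENG ET:
DirXML Log Event -------------------
Status: Error
Message: Code(-9140) Error processing DirXML sub-verb DSVR_OPEN_DRIVER_ACTION: com.novell.nds.dhutil.DSErr: invalid request (-641)
"""

# Assumption: valid range as reported in the thread's last post (KB 7016855).
VALID_TIMEOUT = range(1, 11)

HEADER = re.compile(r"^(\d{2}:\d{2}:\d{2}) \S+ Drvrs: ")
EVENT = re.compile(r"^Message: Code\((-?\d+)\) (.*)$")
TIMEOUT = re.compile(r"timeout period value \((\d+)\).*sub-verb (\w+)")
DSERR = re.compile(r"sub-verb (\w+): .*\((-\d+)\)\s*$")

def parse_events(trace):
    """Return (time, code, message) for every 'Message: Code(n)' event."""
    events, when = [], None
    for raw in trace.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate "> "-quoted forum text
        if m := HEADER.match(line):
            when = m.group(1)
        elif m := EVENT.match(line):
            events.append((when, int(m.group(1)), m.group(2)))
    return events

def timeout_rejections(trace):
    """Pair each -9137 timeout rejection with the -9140 DS error that follows."""
    findings = []
    for when, code, msg in parse_events(trace):
        if code == -9137 and (m := TIMEOUT.search(msg)):
            value = int(m.group(1))
            findings.append({"time": when, "subverb": m.group(2), "timeout": value,
                             "in_range": value in VALID_TIMEOUT, "ds_error": None})
        elif code == -9140 and (m := DSERR.search(msg)):
            for f in reversed(findings):  # most recent open finding first
                if f["subverb"] == m.group(1) and f["ds_error"] is None:
                    f["ds_error"] = int(m.group(2))
                    break
    return findings
```

A finding with `in_range` false and `ds_error` of -641 is the pattern from this thread: the engine rejected the request before anything reached the driver, which is why the driver trace stayed empty.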