Honored Contributor.

DirXML-EntitlementResult attribute with >11,000 values

Hi,
after adding a new eDirectory server on a tree I got synchronisation errors

  • ndsrepair -E -> -603 and -625
  • ndstrace -> -4999


I was able to fix this by setting

NCPCLIENT_REQ_TIMEOUT=300
export NCPCLIENT_REQ_TIMEOUT

in pre_ndsd_start (or pre_ndsd_start_custom).

It looks like the synchronisation of a single user took more time than the default NCPCLIENT_REQ_TIMEOUT value. Thus the NCP reply of the new server got the -4999 error. Looking at the user I noticed that the DirXML-EntitlementResult attribute has more than 11,000 entries. Is there a way to clear the attribute values? Or can I just delete the whole attribute and all of its values? I would like to clean up the user to prevent further synchronisation problems.

What is the attribute DirXML-EntitlementResult used for?

regards
Daniel
Knowledge Partner

Most of the values are probably bogus; this seems to happen regularly when
the RRSD (as I recall; somebody will correct me shortly) gets in a loop
for one reason or another, perhaps because of a bad connection to
eDirectory, and a bug that causes these to be built up causing exactly
what you saw.

I think IDM 4.7 may have changed this to prevent silliness here, but don't
quote me on it.


--
Good luck.

Micro Focus Expert

Hi Daniel,

On 2018-04-09 18:14, dbuschke wrote:
>
> Hi,
> after adding a new eDirectory server on a tree I got synchronisation
> errors
>
> - ndsrepair -E -> -603 and -625
> - ndstrace -> -4999
>
>
> I was able to fix this by setting
>
> Code:
> --------------------
>
> NCPCLIENT_REQ_TIMEOUT=300
> export NCPCLIENT_REQ_TIMEOUT
>
> --------------------
>
> in pre_ndsd_start (or pre_ndsd_start_custom).
>
> It looks like the synchronisation of a single user took more time than
> the default NCPCLIENT_REQ_TIMEOUT value. Thus the NCP reply of the new
> server got the -4999 error. Looking at the user I noticed that the
> DirXML-EntitlementResult attribute has more than 11,000 entries. Is
> there a way to clear the attribute values? Or can I just delete the
> whole attribute and all of its values? I would like to clean up the user
> to prevent further synchronisation problems.


You can delete this attribute. You might also want the "high values"
report from iMonitor to check if other users have the same problem.

> What is the attribute DirXML-EntitlementResult used for?


See
https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/dirxmlentitlements/

The entitlement granting agent uses this info to update the request's
status and then is responsible for cleaning up these values. Normally
this would be the UserApp driver. There have been some issues with
certain values that contained special characters like "<" or multiple
consecutive whitespaces. Which versions are you running?

--
Norbert
Honored Contributor.

klasen;2478830 wrote:

> You can delete this attribute. You might also want the "high values"
> report from iMonitor to check if other users have the same problem.


Ahhh... nice report. There are ~20 accounts with more than 1000 values in DirXML-Ent..Res...

(for those ending up here from a google search: https://www.novell.com/support/kb/doc.php?id=7003410 🙂 )

I guess later I have to look at the UserApplication driver as you and alexmchugh suggest.

Thanks for all your responses.

regards
Daniel
Knowledge Partner

dbuschke <dbuschke@no-mx.forums.microfocus.com> wrote:
>
> It looks like the synchronisation of a single user took more time than
> the default NCPCLIENT_REQ_TIMEOUT value. Thus the NCP reply of the new
> server got the -4999 error. Looking at the user I noticed that the
> DirXML-EntitlementResult attribute has more than 11,000 entries. Is
> there a way to clear the attribute values? Or can I just delete the
> whole attribute and all of its values? I would like to clean up the user
> to prevent further synchronisation problems.
>


Is your user app driver running and working properly? It should process
these and remove them after a period of time IIRC.

> What is the attribute DirXML-EntitlementResult used for?
>


To store the result of your entitlement

Alex McHugh - Knowledge Partner - Stavanger, Norway
Visitor.

When UA is granting/revoking Entitlements.... What is UA supposed to do with Entitlement Result?

On "success" status, I guess just delete. (And this is what often fails, at least still in IDM 4.5.5)

But what is UA supposed to do on "Error"? Just keep the result stored? Does UA try to trigger a retry?

thanks
Respected Contributor.

Having a similar issue with loads of DirXML-EntitlementResult attributes.

When does UA remove them?

The driver has a GCV "Entitlement Result Purge Type" with options of Current, None, Previous and Notnewer

Trying to find any MicroFocus doco on these options...

Knowledge Partner

If you look at the UA Driver, it is a Composer shim, which uses an XML language to describe stuff in Composer's internal format.  (I miss Composer, it was super cool, the best part of SilverStream, and alas abandoned... It was a driver building tool...  UA is still built with it).

Anyway basically when DirXML-EntitlementResult is sent to the shim, it either keeps the current one (Deletes the rest).  Keeps this one and the one before (Previous) and Not Newer (anything old, but if there are future ones, leave them to process as they event)

Basically Current seems to not work, and it is the default value.  So set it to None or Previous and it cleans up any users who get a new value added.

I.e. You need an event on that attribute to trigger the clean up per user.

So use Alekz' awesome Console2 tool (sneakycat.biz) and use the Value Count Report tool to find all instances of DirXML-EntitlementResult with more than 5 values (or 2 if you like).  This will generate an LDIF of all of them you can use to bulk delete them.

They serve no value. And should be deleted and cause Sync issues.

(Check that your UA driver filter has DirXML-EntitlementResult as Sub-Sync).

We had a customer who had 11 million values on one user, which killed eDir replication. 
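
An added example, not part of the original post and not Console2's code: the value-count report and bulk-delete LDIF described above, done over an LDIF export of the user objects. The function names and the sample entries are assumptions made for illustration; the default threshold of 5 is the one suggested in the post.

```python
import base64
ATTR = "DirXML-EntitlementResult"  # attribute discussed in the thread
# Constructed sample export (not real data); the second value is line-folded.
SAMPLE = """\
dn: cn=jdoe,ou=users,o=example
DirXML-EntitlementResult: <result>constructed value 1</result>
DirXML-EntitlementResult: <result>constructed value 2, folded
  onto a second line</result>
DirXML-EntitlementResult:: Y29uc3RydWN0ZWQ=

dn: cn=asmith,ou=users,o=example
DirXML-EntitlementResult: <result>constructed</result>
"""

def unfold(text):
    """Join RFC 2849 folded lines (a continuation starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def count_values(ldif_text, attr=ATTR):
    """Return {dn: value count of attr} for each entry in an LDIF export."""
    counts, dn = {}, None
    for line in unfold(ldif_text):
        name, _, rest = line.partition(":")
        if not line.strip():
            dn = None                       # blank line ends the entry
        elif name.lower() == "dn":
            dn = rest.lstrip(":").strip()
            if rest.startswith(":"):        # "dn:: <base64>" for non-ASCII DNs
                dn = base64.b64decode(dn).decode("utf-8")
            counts[dn] = 0
        elif dn is not None and name.lower() == attr.lower():
            counts[dn] += 1
    return counts

def dn_line(dn):
    """Emit the DN in plain form when LDIF-safe, base64 otherwise."""
    plain = dn.isascii() and dn[:1] not in (" ", ":", "<")
    return "dn: " + dn if plain else "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")

def cleanup_ldif(counts, threshold=5, attr=ATTR):
    """LDIF modify records deleting attr where it has more than threshold values."""
    hits = sorted((d for d in counts if counts[d] > threshold), key=lambda d: -counts[d])
    return "\n".join(f"{dn_line(d)}\nchangetype: modify\ndelete: {attr}\n-\n" for d in hits)
```

Review the generated records before importing them; a `delete:` with no values listed removes every value of the attribute on that entry.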

Respected Contributor.

Thanks Geoff, I've been chasing this issue down for days.

Many users were having 1000s of DirXML-EntitlementResult values bloating our directory, not to mention sync.

Our UAP was set to Current 😛 

Will change to previous and monitor

Cheers

Respected Contributor.

Next on the chopping block is nrfResourceHistory - we found a user with 28,000 values

Respected Contributor.

I'm old enough to remember when SilverStream was the way of the future!
Respected Contributor.

Further question, what happens if 50 DirXML-EntitlementResult values come in the one event, and Purge is set to Previous, and no more events follow?

Will the shim consider the 50 as the 'current' ones?

 
