Honored Contributor.

DirXML-EntitlementResult attribute with >11,000 values

Hi,
after adding a new eDirectory server on a tree I got synchronisation errors

  • ndsrepair -E -> -603 and -625
  • ndstrace -> -4999


I was able to fix this by setting

NCPCLIENT_REQ_TIMEOUT=300
export NCPCLIENT_REQ_TIMEOUT

in pre_ndsd_start (or pre_ndsd_start_custom).

It looks like the synchronisation of a single user took more time than the default NCPCLIENT_REQ_TIMEOUT value. Thus the NCP reply of the new server got the -4999 error. Looking at the user I noticed that the DirXML-EntitlementResult attribute has more than 11,000 entries. Is there a way to clear the attribute values? Or can I just delete the whole attribute and all of its values? I would like to clean up the user to prevent further synchronisation problems.

What is the attribute DirXML-EntitlementResult used for?

regards
Daniel
Knowledge Partner

RRSD does it, if configured to do so. But you can clean them up manually or e.g. through a custom NULL driver as well. Take a look at the RRSD driver's event transform to see how it's done.
______________________________________________
https://www.is4it.de/identity-access-management
Knowledge Partner

Lothar, is "them" that RRSD cleans up the ResourceHistory or the EntitlementResult? Unclear from context.

Knowledge Partner

I can answer my Q to Lothar... RRSD and nrfResourceHistory, and it is described in this TID.

https://support.microfocus.com/kb/doc.php?id=7023325

Respected Contributor.

The problem with our installation is all the resources are created via User App and have <src>UA</src>, whereas the RRSD rule only deletes <src>NRF</src>.

I've been over this with the operations team that are creating the roles & resources, couldn't find any option or reference to UA vs NRF.

Any idea if UA is a valid src?

Knowledge Partner

Alas, the various 'agents' that use those tags were never really documented or well defined.

Short answer, to fix it now, get Console2 from Alekz (http://sneakycat.biz) and use the Value Count Report. It returns an LDIF of all the users with the values over the number you specify and you can remove them using that LDIF.

Step 1: Find them.

Step 2: Use LDIF to delete them.

Going forward is a different question.
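The find-then-delete procedure from the post above, as an added example that is not part of the original post and is not Console2: it assumes an LDIF export of the user container (for instance from ldapsearch), counts DirXML-EntitlementResult values per entry, and writes modify records that delete the whole attribute where the count exceeds a threshold. The sample DNs and values are constructed placeholders.

```python
ATTR = "DirXML-EntitlementResult"

# Constructed sample export: placeholder DNs, shortened values, one folded
# line and one base64 ("::") value to show that both are counted.
SAMPLE = """\
version: 1

dn: cn=user1,ou=users,o=example
cn: user1
DirXML-EntitlementResult: <result-1/>
DirXML-EntitlementResult: <result-2 with a long
  folded continuation/>
DirXML-EntitlementResult:: PHJlc3VsdC0zLz4=
DirXML-EntitlementResult: <result-4/>

dn: cn=user2,ou=users,o=example
cn: user2
DirXML-EntitlementResult: <result-1/>
"""


def count_values(ldif_text, attr=ATTR):
    """Return [(dn_line, count)] for every entry in an LDIF export."""
    # LDIF folds long lines: a continuation line starts with one space.
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    result = []
    for block in unfolded.split("\n\n"):
        dn_line, count = None, 0
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name = line.split(":", 1)[0].strip().lower()
            if name == "dn":
                dn_line = line  # kept verbatim, also when base64 ("dn::")
            elif name == attr.lower():
                count += 1
        if dn_line:
            result.append((dn_line, count))
    return result


def cleanup_ldif(ldif_text, threshold, attr=ATTR):
    """Build modify records deleting the attribute where count > threshold."""
    return "\n".join(
        f"{dn_line}\nchangetype: modify\ndelete: {attr}\n-\n"
        for dn_line, count in count_values(ldif_text, attr)
        if count > threshold
    )


if __name__ == "__main__":
    print(cleanup_ldif(SAMPLE, threshold=3))
```

Review the generated LDIF before feeding it to ldapmodify, and keep the attribute name limited to DirXML-EntitlementResult.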

 

Respected Contributor.

Hoping to see an option to turn both off (nrfResourceHistory and DirXML-EntitlementResult) - it's just more sync traffic we don't need 🙂

I would only turn those on for troubleshooting 

Micro Focus Expert

You can grant an entitlement directly from a workflow with the Entitlement activity (that's where the entitlement granting agent type "UA" came from). The UserApp driver would then take the EntitlementResult and post it to the WebApp to add a note to the process. After that it would delete the value from the user object.

In older versions that deletion sometimes failed: The engine automatically parses the value into a DOM before sending it down the subscriber channel. To remove a value, your remove-value operation must have the exact same bytes as are currently on the user object. So you have to serialize the result element again. Due to the nature of whitespace in XML, this might lead to a different octet string value and the remove-value operation would fail - accumulating many, many results.

--
Norbert
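The byte-exact matching described in the post above, as an added example that is not part of the original post and not engine code: a value is parsed into a DOM and serialized again, and removal by octet-string comparison then fails, so values pile up. The stored value is a constructed sample; only the `<src>UA</src>` element comes from this thread, the other element names are hypothetical.

```python
import xml.dom.minidom

# Constructed sample value (not from a real tree). Extra spaces in the start
# tag and single-quoted attributes are legal XML but are not preserved
# when the document is parsed and written back out.
STORED = b"<result  ><src>UA</src>\n  <status level='success'/></result>"


def reserialize(raw: bytes) -> bytes:
    """Parse into a DOM and serialize it again, as a rebuilt value would be."""
    dom = xml.dom.minidom.parseString(raw)
    return dom.documentElement.toxml().encode("utf-8")


def remove_value(values: list, candidate: bytes) -> bool:
    """Octet-string matching: remove only a byte-for-byte identical value."""
    if candidate in values:
        values.remove(candidate)
        return True
    return False


def simulate(events: int, clone_original: bool) -> int:
    """Add one result per event, try to remove it, return how many remain."""
    values = []
    for i in range(events):
        stored = STORED.replace(b"UA", b"UA%d" % i)  # distinct value per event
        values.append(stored)
        # Either reuse the stored bytes unchanged or rebuild them from the DOM.
        candidate = stored if clone_original else reserialize(stored)
        remove_value(values, candidate)
    return len(values)


if __name__ == "__main__":
    print("stored:      ", STORED)
    print("reserialized:", reserialize(STORED))
    print("rebuilt from DOM:", simulate(1000, clone_original=False), "left")
    print("cloned bytes:    ", simulate(1000, clone_original=True), "left")
```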
Knowledge Partner

If you look at the policies in the RRSD Sub Event as you pointed me at the other day, they simply clone the data value instead of trying to set the XML nodes/text() with the value read. Instead it copies the nodeset to, as you suggest, keep the bytes exactly right.

path.xml in Path syntax is tricky!

Respected Contributor.

What is the purpose of nrfAssignedResources and DirXML-EntitlementRef attributes? I ask because it adds a *ton* of data to our user objects (azure licensing). They appear to hold all the information pertaining to each user's role and resource assignments.

Are they also stored in the UAP DB?  

As a test, I've deleted all the attributes from my own user account to see what happens 🙂

Knowledge Partner

DirXML-EntitlementRef is the attribute that drivers react to, to grant or revoke an entitlement. Deleting those would be bad.

nrfAssignedResources is written by RRSD when a Resource is granted, with XML of the start and end date (if available) and then RRSD clones the Resource object's nrfEntitlementRef attribute to the user as DirXML-EntitlementRef.

Do not delete that one either.

Respected Contributor.

Thanks, Geoff. I figured that out soon after 😛

Was more asking from a devil's advocate point of view - and with context to our installation here where those values are fairly static after they've signalled respective drivers.

But yes, deleting them would be bad lol
