DirXML-EntitlementResult attribute with >11,000 values
After adding a new eDirectory server on a tree I got synchronisation errors:
- ndsrepair -E -> -603 and -625
- ndstrace -> -4999
I was able to fix this by setting
in pre_ndsd_start (or pre_ndsd_start_custom).
It looks like the synchronisation of a single user took more time than the default NCPCLIENT_REQ_TIMEOUT value. Thus the NCP reply of the new server got the -4999 error. Looking at the user I noticed that the DirXML-EntitlementResult attribute has more than 11,000 entries. Is there a way to clear the attribute values? Or can I just delete the whole attribute and all of its values? I would like to clean up the user to prevent further synchronisation problems.
What is the attribute DirXML-EntitlementResult used for?
The problem with our installation is all the resources are created via User App and have <src>UA<src>, whereas the RRSD rule only deletes <src>NRF<src>
I've been over this with the operations team that are creating the roles & resources, couldn't find any option or reference to UA vs NRF.
Any idea if UA is a valid src?
Alas, the various 'agents' that use those tags were never really documented or well defined.
Short answer, to fix it now, get Console2 from Alekz (http://sneakycat.biz) and use the Value Count Report. It returns an LDIF of all the users with the values over the number you specify and you can remove them using that LDIF.
Step 1: Find them.
Step 2: Use LDIF to delete them.
Going forward is a different question.
Hoping to see an option to turn both off (nrfResourceHistory and DirXML-EntitlementResult) - it's just more sync traffic we don't need 🙂
I would only turn those on for troubleshooting.
You can grant an entitlement directly from a workflow with the Entitlement activity (that's where the entitlement granting agent type "UA" came from). The UserApp driver would then take the EntitlementResult and post it to the WebApp to add a note to the process. After that it would delete the value from the user object.
In older versions that deletion sometimes failed: The engine automatically parses the value into a DOM before sending it down the subscriber channel. To remove a value, your remove-value operation must have the exact same bytes as are currently on the user object. So you have to serialize the result element again. Due to the nature of whitespace in XML, this might lead to a different octet string value and the remove-value operation would fail - accumulating many, many results.
If you look at the policies in the RRSD Sub Event as you pointed me at the other day, they simply clone the data value instead of trying to set the XML nodes/text() with the value read. Instead it copies the nodeset to, as you suggest, keep the bytes exactly right.
path.xml in Path syntax is tricky!
What is the purpose of nrfAssignedResources and DirXML-EntitlementRef attributes? I ask because it adds a *ton* of data to our user objects (azure licensing). They appear to hold all the information pertaining to each user's role and resource assignments.
Are they also stored in the UAP DB?
As a test, I've deleted all the attributes from my own user account to see what happens 🙂
DirXML-EntitlementRef is the attribute that drivers react to, to grant or revoke an entitlement. Deleting those would be bad.
nrfAssignedResources is written by RRSD when a Resource is granted, with XML of the start and end date (if available) and then RRSD clones the Resource object's nrfEntitlementRef attribute to the user as DirXML-EntitlementRef.
Do not delete that one either.
Thanks Geoff. I figured that out soon after 😛
Was more asking from a devil's advocate point of view - and with context to our installation here where those values are fairly static after they've signalled respective drivers
But yes, deleting them would be bad lol
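The failed deletion described earlier in the thread (a value parsed into a DOM and serialized again no longer matches the stored bytes) can be reproduced with a small model. This is an added example, not code from the thread or from the product: the XML sample is constructed and is not the real DirXML-EntitlementResult schema, and `UserObject` is a hypothetical stand-in for a multi-valued octet-string attribute with exact-match removal.

```python
import xml.etree.ElementTree as ET

# Constructed sample value (NOT the real attribute schema). It contains CRLF
# line endings and spaces around '=', both of which a parser normalises away.
STORED = (b'<result>\r\n  <src>UA</src>\r\n'
          b'  <status level = "success"/>\r\n</result>')


class UserObject:
    """Hypothetical model: remove-value only succeeds on a byte-exact match."""

    def __init__(self, values):
        self.values = list(values)

    def remove_value(self, value: bytes) -> bool:
        if value in self.values:
            self.values.remove(value)
            return True
        return False


def reserialize(raw: bytes) -> bytes:
    """Parse into a tree and serialise again, as a DOM round trip would."""
    return ET.tostring(ET.fromstring(raw))


def same_xml(a: bytes, b: bytes) -> bool:
    """Compare canonical forms: True when both are the same XML document."""
    return ET.canonicalize(a.decode()) == ET.canonicalize(b.decode())


def demo():
    user = UserObject([STORED])
    rebuilt = reserialize(STORED)
    # Same document, different octets: the remove silently matches nothing.
    removed_rebuilt = user.remove_value(rebuilt)
    left_after_rebuilt = len(user.values)
    # Cloning the stored bytes unchanged is what makes the remove succeed.
    removed_cloned = user.remove_value(STORED)
    return (same_xml(STORED, rebuilt), rebuilt == STORED,
            removed_rebuilt, left_after_rebuilt,
            removed_cloned, len(user.values))


if __name__ == "__main__":
    print(demo())
```

Each failed removal leaves one more value behind, which is how a user object ends up with thousands of results.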