Anonymous_User Absent Member.

Disappearing Associations


Associations to a driver keep disappearing... I am sure it is not the
driver doing the removal of this association as there is no trace of it
happening in the driver logs...
We also have Sentinel log manager installed and monitoring adding and
removing associations, but these removals are not showing up...
The modify of the attribute does not show up either.

The problem with these associations disappearing is that when there is a
change of entitlement on the object (remove entitlement) the driver sees
the event, but then sees that the object is not associated and strips
the remove entitlement and changes the modify event to an add event...
This then causes the granted entitlement value to remain in the target
DB and adds the new entitlement value, even though the rule applied says
that a person can only have one entitlement for that system.

We are using IDM 4.0.1.

Has anyone heard or seen this happen? Is there another way for us to
monitor why this is happening?

At one stage I had 12 objects with the association, I checked again 5
minutes later and they were all gone. Again, no trace of why or how...
And the users still have the same entitlements and no modify event
happened from when the associations existed to when they were
deleted...

Could the value of the entitlement be an issue? Because these objects
are not related to a table in the DB I have given the association the
value of "AnAssociation" when I grant the association.

But this can't be the issue as I have done a similar thing on another
driver (same version and everything) and this problem does not
happen...

Help would be much appreciated.

Regards,
Craig Cikara


--
ccikara
------------------------------------------------------------------------
ccikara's Profile: https://forums.netiq.com/member.php?userid=506
View this thread: https://forums.netiq.com/showthread.php?t=47537

Anonymous_User Absent Member.

Re: Disappearing Associations

> Associations to a driver keep disappearing... I am sure it is not the
> driver doing the removal of this association as there is no trace of it
> happening in the driver logs...
> We also have Sentinel log manager installed and monitoring adding and
> removing associations, but these removals are not showing up...
> The modify of the attribute does not show up either.


So Log Manager does pick up association changes? From which application
(eDir, IDM, etc.) and for which type of event exactly? Are you auditing
all eDirectory servers individually or just one server (meaning changes
from any other server could be missed)?

> The problem with these associations disappearing is that when there is a
> change of entitlement on the object (remove entitlement) the driver sees
> the event, but then sees that the object is not associated and strips
> the remove entitlement and changes the modify event to an add event...
> This then causes the granted entitlement value to remain in the target
> DB and adds the new entitlement value, even though the rule applied says
> that a person can only have one entitlement for that system.


A trace would be nice.

> We are using IDM 4.0.1.


Using the latest SP is always recommended; worst case, it shouldn't hurt
as it is only a set of patches.

> Has anyone heard or seen this happen? Is there another way for us to
> monitor why this is happening?
>
> At one stage I had 12 objects with the association, I checked again 5
> minutes later and they were all gone. Again, no trace of why or how...
> And the users still have the same entitlements and no modify event
> happened from when the associations existed to when they were
> deleted...


What happened to make you check five minutes later?

Good luck.
Anonymous_User Absent Member.

Re: Disappearing Associations


Hi AB,

Yup, Log manager does pick up association changes... But it only picks
up association changes because I set it on the driver-set; I believe it
is the Identity Manager collector that picks this up? I would have
expected association attribute modifies / deletes etc. to also be picked
up by the eDir collector as it is an attribute that is changing... But
no association attribute modifies show up.

At the moment I am monitoring our SIT environment that only has 1 eDir
instance, so I should be picking up everything. This issue is happening
throughout our environments (Dev, SIT, UAT, LOAD, Prod).

There was no event that made me decide to look again, it was just me
monitoring the system manually... But I didn't pick up anything from the
logs...

Here is the trace file: http://pastebin.com/bE1FUUn2

Thanks


--
ccikara

Anonymous_User Absent Member.

Re: Disappearing Associations


At 9:00 this morning there were 18 associated objects.

At 9:11 there were only 3... And these 3 are new associations (i.e. did
not exist at 9:00).

So somewhere in those 11 minutes something happened to remove all
associations, but again, Sentinel does not show these associations being
removed... And neither does the driver log. Will post this trace when I
get it from the ops people.

The only time this association is removed in the driver is when the
object has no more entitlements for the app...

Regards,
Craig Cikara


--
ccikara
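
An added example, not part of the original thread and not NetIQ code: instead of counting associated objects by hand, two LDIF exports of the association attribute taken a few minutes apart can be diffed to list exactly which objects lost the driver's association. It assumes the attribute is exported as `DirXML-Associations` with values of the form `driverDN#state#associationValue`; the driver DN, object DNs and both snapshots are constructed sample data.

```python
# Added example (not from the thread): diff two LDIF snapshots of
# DirXML-Associations to see which objects lost their association to one driver.
# Assumption: values are rendered as driverDN#state#associationValue.
# The driver DN, object DNs and snapshots below are constructed sample data.
DRIVER = "cn=AppDriver,cn=DriverSet,o=system"  # hypothetical driver DN

SNAP_0900 = """\
dn: cn=user1,ou=users,o=data
DirXML-Associations: cn=AppDriver,cn=DriverSet,o=system#1#AnAssociation
DirXML-Associations: cn=OtherDriver,cn=DriverSet,o=system#1#42

dn: cn=user2,ou=users,o=data
DirXML-Associations: cn=AppDriver,cn=DriverSet,o=system#1#AnAssociation
"""

SNAP_0911 = """\
dn: cn=user1,ou=users,o=data
DirXML-Associations: cn=OtherDriver,cn=DriverSet,o=system#1#42

dn: cn=user3,ou=users,o=data
DirXML-Associations: cn=AppDriver,cn=DriverSet,o=system#1#AnAssociation
"""

def parse_snapshot(ldif_text, driver_dn):
    """Return {object_dn: (state, value)} for associations to driver_dn."""
    assoc, dn = {}, None
    # Unfold LDIF continuation lines (newline followed by one space) first.
    for line in ldif_text.replace("\n ", "").splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif not line.strip():
            dn = None  # a blank line ends the current entry
        elif dn and line.startswith("DirXML-Associations: "):
            # Base64 values ("DirXML-Associations:: ...") are skipped here.
            drv, _, rest = line.split(": ", 1)[1].partition("#")
            state, _, value = rest.partition("#")
            if drv.strip().lower() == driver_dn.lower():
                assoc[dn] = (state, value)
    return assoc

def diff_snapshots(before, after):
    """Classify object DNs as removed, added or changed between snapshots."""
    both = set(before) & set(after)
    return {"removed": sorted(set(before) - set(after)),
            "added": sorted(set(after) - set(before)),
            "changed": sorted(dn for dn in both if before[dn] != after[dn])}

if __name__ == "__main__":
    result = diff_snapshots(parse_snapshot(SNAP_0900, DRIVER),
                            parse_snapshot(SNAP_0911, DRIVER))
    for kind, dns in result.items():
        print(kind, dns)
```

Run on a short interval with timestamped export files, the "removed" list gives a narrow time window and an exact set of object DNs to look up in the driver traces and audit events.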

Anonymous_User Absent Member.

Re: Disappearing Associations

When all else fails there is always the hard way to narrow down the
problem. If you have other driver objects running, trace all of them. If
that doesn't show you a problem, turn half of them off and see if the
problem still happens. If so, turn half of the remaining driver objects
off and test again. Continue until the driver (if indeed it is a driver)
at fault is identified, then find the problem there. Cutting the problem
down by halves should make it pretty clear relatively quickly. If turning
off all drivers doesn't do it, be sure you do not have any jobs that could
affect things, and then you're down to eDirectory.

I see no reason why eDir auditing, if configured correctly, would audit
some attributes but not the association attributes, but I've never looked
for association attributes specifically in the past. Are you using the
Novell Audit type of auditing (vs. XDAS), and if so, have you configured
any filters on which attributes or classes should be audited within
eDirectory? Which exact version of eDir are you running, and what is the
full RPM version of the novell-AUDTedirinst package?

Good luck.
Anonymous_User Absent Member.

Re: Disappearing Associations


I do not believe there are any filters configured, the ops team would
have just installed and not done much configuration.

If I check through iManager, under "Attributes" everything is ticked.

novell-AUDTedirinst-8.8.5-13

Tree Name: FRGSITIDV
Server Name: .CN=RBGSITIDV101.OU=services.OU=fnb.O=firstrand.T=FRGSITIDV.
Binary Version: 20601.18
Root Most Entry Depth: 0
Product Version: eDirectory for Linux x86_64 v8.8 SP6 [DS]

I will try your approach of switching off drivers etc and see where that
takes me.

Thanks for the assistance.


--
ccikara

Anonymous_User Absent Member.

Re: Disappearing Associations

> novell-AUDTedirinst-8.8.5-13
>
> Tree Name: FRGSITIDV
> Server Name: .CN=RBGSITIDV101.OU=services.OU=fnb.O=firstrand.T=FRGSITIDV.
> Binary Version: 20601.18
> Root Most Entry Depth: 0
> Product Version: eDirectory for Linux x86_64 v8.8 SP6 [DS]
>
> I will try your approach of switching off drivers etc and see where that
> takes me.


Before spending too much time there, just be aware you're on an old
version of eDirectory (8.8 SP6) and an even older, mismatched version of
the eDirectory instrumentation module (8.8 SP5). One of those may be
related... maybe.

Good luck.