pgold Absent Member.

Error syncing objects from edir to AD


I just installed IDM 361 in a test environment and I have the remote
loader running on my AD box. There is clearly communication between
edir and AD as I can see an error in the Remote Loader screen on AD when I
try to sync. Following other threads here, I have pasted the level 3
trace into pastebin.com and here is the URL: 'DirXML: [03/19/12
08:40:49.65]: Loader: Verifying command port... DirXML: [03/1 -
Pastebin.com' (http://pastebin.com/JXs5cU5E).

This is a brand new install and I am just trying to get a few OUs and
one user to sync over to AD, but I keep getting the error:

ldap-err ldap-rc="32" ldap-re-name="LDAP_NO_SUCH_OBJECT"

I am trying to figure out what I configured wrong, but I am not sure.

Thanks in advance!

Phil Goldwasser
BTDS LAN Group
FDNY


--
pgold
------------------------------------------------------------------------
pgold's Profile: http://forums.novell.com/member.php?userid=114234
View this thread: http://forums.novell.com/showthread.php?t=453618

0 Likes
albertjansteven Absent Member.

Re: Error syncing objects from edir to AD


It seems to be going to
"OU=BTDS,OU=Support,cn=FDNY,dc=edir2adlab,dc=local" but the log also
says that 'DC=edir2adlab,DC=local' is the best match. So my guess is
that you should be syncing to OU=FDNY instead of cn=FDNY. Hope that's
it. Also, when you're running drivers, usually it is best to use a higher
trace level so you can read the policy which creates the error.


--
albertjanstevens
------------------------------------------------------------------------
albertjanstevens's Profile: http://forums.novell.com/member.php?userid=84836
View this thread: http://forums.novell.com/showthread.php?t=453618

0 Likes
pgold Absent Member.

Re: Error syncing objects from edir to AD


Was level 3 trace level not high enough? Anyway, that solved part of
the problem. I now have my OUs synced over to AD. The one user that
was in the lowest level OU (in LAN) on the other hand, did not sync
over. Here is the URL for the current pastebin:

'DirXML: [03/19/12 11:45:53.33]: Loader: Verifying command port...
DirXML: [03/1 - Pastebin.com' (http://pastebin.com/nEqcsPSG)

Thanks again for the help.



0 Likes
Anonymous_User Absent Member.

Re: Error syncing objects from edir to AD

There doesn't appear to be any events for a user object in that latest trace.
Did you try doing a migrate on the user from iMangler?


On 3/19/2012 10:56 AM, pgold wrote:
>
> Was level 3 trace level not high enough? Anyway, that solved part of
> the problem. I now have my OUs synced over to AD. The one user that
> was in the lowest level OU (in LAN) on the other hand, did not sync
> over. Here is the URL for the current pastebin:
>
> 'DirXML: [03/19/12 11:45:53.33]: Loader: Verifying command port...
> DirXML: [03/1 - Pastebin.com' (http://pastebin.com/nEqcsPSG)
>
> Thanks again for the help.
>
>


0 Likes
Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/19/2012 11:56 AM, pgold wrote:
>
> Was level 3 trace level not high enough? Anyway, that solved part of
> the problem. I now have my OUs synced over to AD. The one user that
> was in the lowest level OU (in LAN) on the other hand, did not sync
> over. Here is the URL for the current pastebin:
>
> 'DirXML: [03/19/12 11:45:53.33]: Loader: Verifying command port...
> DirXML: [03/1 - Pastebin.com' (http://pastebin.com/nEqcsPSG)
>
> Thanks again for the help.


I see a bunch of OUs and one Group go through but no Users.

Usually in an AD driver when Users do not create, it is missing a Full
name and/or password in eDirectory. The Sub-Create has a couple of Veto
if op attr is not available.



0 Likes
albertjansteven Absent Member.

Re: Error syncing objects from edir to AD


No, sorry, I meant that you're pasting the remote-loader trace. We can't see the
sub create policy etc. going through this way, but only the stuff that
makes it through. My guess is you probably either have no full-name or no
universal password on the user. The trace from edir side on level 3 will
make this clear.



0 Likes
pgold Absent Member.

Re: Error syncing objects from edir to AD


There are actually two users, admin under the root container and goldwap
in the LAN container. Neither go across. The user goldwap definitely
has a Full Name and a password.



0 Likes
Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/19/2012 1:06 PM, pgold wrote:
>
> There are actually two users, admin under the root container and goldwap
> in the LAN container. Neither go across. The user goldwap definitely
> has a Full Name and a password.


Can you try a migrate of these objects and show us the trace of that event?



0 Likes
pgold Absent Member.

Re: Error syncing objects from edir to AD


So after a migrate there is no logging activity on the AD side, and I
do not know how to find the log on the edir side. Perhaps you can let
me know where I will find it and how I can set the logging level.



0 Likes
pgold Absent Member.

Re: Error syncing objects from edir to AD


Here is the trace from the edir side when I try to do a migrate from
identity vault (for the one user).

'[03/19/12 14:22:46.429]:Active Directory :Remote Interface Driver:
Received. [0 - Pastebin.com' (http://pastebin.com/gfaYLbwV)



0 Likes
Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/19/2012 2:26 PM, pgold wrote:
>
> Here is the trace from the edir side when I try to do a migrate from
> identity vault (for the one user).
>
> '[03/19/12 14:22:46.429]:Active Directory :Remote Interface Driver:
> Received. [0 - Pastebin.com' (http://pastebin.com/gfaYLbwV)


Your driver is configured to use Entitlements, and you do not have an
entitlement on that user, so it correctly vetoes the event...

All working as designed. 🙂

[03/19/12 14:22:57.723]:Active Directory ST: Applying rule
'UserAccount entitlement: do not match existing accounts'.
[03/19/12 14:22:57.723]:Active Directory ST: Action:
do-set-op-property("attempt-to-match","false").



0 Likes
pgold Absent Member.

Re: Error syncing objects from edir to AD


So how do I remove the entitlements, or set the user to conform to them
(i.e. what needs to change on the user to make it sync)?



0 Likes
Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/19/2012 2:46 PM, pgold wrote:
>
> So how do I remove the entitlements, or set the user to conform to them
> (i.e. what needs to change on the user to make it sync)?


I am guessing you are using a non-IDM4 Packaged config of the AD driver?
Do you know how you selected the import config? Did you pick it from
Designer or iManager?

The newer configs, from IDM 3.61 V5 or so and higher had a GCV that is
tested. Earlier ones do not. Therefore you have to find the instances
where a check is done for an entitlement and disable the rule.

So Sub-Match is one location. Possibly also in Sub-Create, and possibly
Sub-Command. You can export your driver to an XML text file. Search on
entitlement to figure out where any such tokens are in use, then find
them, look and see if it makes sense to disable or not.

You can read about some of these tokens here: (I covered all 121 IDM
tokens at that link).

https://idmfolder.ciscony.com/public/Tokens_of_Identity_Manager_Part_1#Added_Entitlement

Actually, these are a better reference I think.

http://www.novell.com/communities/node/12760/talking-about-entitlements-part-1
http://www.novell.com/communities/node/12908/talking-about-entitlements-part-2
http://www.novell.com/communities/node/12909/talking-about-entitlements-part-3
http://www.novell.com/communities/node/13027/talking-about-entitlements-part-4

0 Likes
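
Added example, not part of the post above and not Novell's own tooling: one way to do the "export the driver to XML and search on entitlement" step, listing each rule that tests an entitlement and the actions that rule runs. The sample export is constructed and simplified; its wrapper element names (`driver-export`, `policy-object`) are placeholders, not the real export schema.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample. The wrapper names (driver-export, policy-object)
# are placeholders, not the real export schema; rule bodies are illustrative.
SAMPLE_EXPORT = """<driver-export>
 <policy-object name="Subscriber Matching"><policy>
  <rule>
   <description>UserAccount entitlement: do not match existing accounts</description>
   <conditions><and><if-entitlement name="UserAccount" op="not-available"/></and></conditions>
   <actions><do-set-op-property name="attempt-to-match">
     <arg-string><token-text>false</token-text></arg-string></do-set-op-property></actions>
  </rule>
 </policy></policy-object>
 <policy-object name="Subscriber Creation"><policy>
  <rule>
   <description>Required attributes (constructed)</description>
   <actions><do-veto-if-op-attr-not-available name="Full Name"/></actions>
  </rule>
  <rule>
   <description>Entitlement required for add (constructed)</description>
   <conditions><and><if-entitlement name="UserAccount" op="not-available"/></and></conditions>
   <actions><do-veto/></actions>
  </rule>
 </policy></policy-object>
</driver-export>"""

def find_entitlement_checks(xml_text):
    """Return (policy name, rule description, matching tag, rule actions) per hit."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}  # ElementTree has no parent links
    hits = []
    # Any element whose tag mentions "entitlement": conditions and tokens alike.
    for el in (e for e in root.iter() if "entitlement" in e.tag.lower()):
        rule = policy = None
        node = el
        while node in parent:  # walk up to the nearest enclosing rule and policy
            node = parent[node]
            if node.tag == "rule" and rule is None:
                rule = node
            elif node.tag == "policy" and policy is None:
                policy = node
        # The object that owns the policy carries its display name (assumption).
        name = parent[policy].get("name", "?") if policy in parent else "?"
        desc = rule.findtext("description", "?") if rule is not None else "?"
        actions = rule.find("actions") if rule is not None else None
        acts = [a.tag for a in actions] if actions is not None else []
        hits.append((name, desc.strip(), el.tag, acts))
    return hits

for hit in find_entitlement_checks(SAMPLE_EXPORT):
    print(hit)
```

Rules whose action list contains `do-veto` are the ones that silently drop a user add when the entitlement is absent, so those are the ones to review before disabling anything.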
pgold Absent Member.

Re: Error syncing objects from edir to AD


I decided to delete and recreate the driver. This time I set
entitlements to false. Now when I try to sync, the user still does not
go into AD, BUT I do see the username in the logs on the AD server, so
clearly it is passing through at some level. Here is the trace on the
AD server.

'DirXML: [03/19/12 15:21:44.56]: Loader: Verifying command port...
DirXML: [03/1 - Pastebin.com' (http://pastebin.com/SrS8r2ST)

I was going to give you a link to the edir side log, but pastebin seems
to be down for the moment.

I think this is almost there, but something is still a little off.



0 Likes
Anonymous_User Absent Member.

Re: Error syncing objects from edir to AD

Well, the engine side trace will be the gotcha.
All that is in the remote loader is the queries so you don't see why the add event isn't coming
through. Likely this is due to a veto on a required attribute.

Those rules should be found in the subscriber create rule of the AD driver and my guess would be a
missing full name attribute.

Engine side trace would tell for sure though.

On 3/19/2012 2:46 PM, pgold wrote:
>
> I decided to delete and recreate the driver. This time I set
> entitlements to false. Now when I try to sync, the user still does not
> go into AD, BUT I do see the username in the logs on the AD server, so
> clearly it is passing through at some level. Here is the trace on the
> AD server.
>
> 'DirXML: [03/19/12 15:21:44.56]: Loader: Verifying command port...
> DirXML: [03/1 - Pastebin.com' (http://pastebin.com/SrS8r2ST)
>
> I was going to give you a link to the edir side log, but pastebin seems
> to be down for the moment.
>
> I think this is almost there, but something is still a little off.
>
>


0 Likes