Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/19/2012 2:46 PM, pgold wrote:
>
> So how do I remove the entitlements, or set the user to conform to them
> (ie. what needs to change on the user to make it sync)


I am guessing you are using a non-IDM4 packaged config of the AD driver?
Do you know how you selected the import config? Did you pick it from
Designer or iManager?

The newer configs, from IDM 3.61 V5 or so and higher, had a GCV that is
tested. Earlier ones do not. Therefore you have to find the instances
where a check is done for an entitlement and disable the rule.

So Sub-Match is one location. Possibly also in Sub-Create, and possibly
Sub-Command. You can export your driver to an XML text file. Search on
entitlement to figure out where any such tokens are in use, then find
them, look and see if it makes sense to disable or not.

You can read about some of these tokens here: (I covered all 121 IDM
tokens at that link).

https://idmfolder.ciscony.com/public/Tokens_of_Identity_Manager_Part_1#Added_Entitlement

Actually, these are a better reference, I think.

http://www.novell.com/communities/node/12760/talking-about-entitlements-part-1
http://www.novell.com/communities/node/12908/talking-about-entitlements-part-2
http://www.novell.com/communities/node/12909/talking-about-entitlements-part-3
http://www.novell.com/communities/node/13027/talking-about-entitlements-part-4

pgold

Re: Error syncing objects from edir to AD


I decided to delete and recreate the driver. This time I set
entitlements to false. Now when I try to sync, the user still does not
go into AD, BUT I do see the username in the logs on the AD server, so
clearly it is passing through at some level. Here is the trace on the
AD server.

'DirXML: [03/19/12 15:21:44.56]: Loader: Verifying command port...
DirXML: [03/1 - Pastebin.com' (http://pastebin.com/SrS8r2ST)

I was going to give you a link to the edir side log, but pastebin seems
to be down for the moment.

I think this is almost there, but something is still a little off.


--
pgold
------------------------------------------------------------------------
pgold's Profile: http://forums.novell.com/member.php?userid=114234
View this thread: http://forums.novell.com/showthread.php?t=453618

Anonymous_User

Re: Error syncing objects from edir to AD

Well, the engine side trace will be the gotcha.
All that is in the remote loader is the queries so you don't see why the add event isn't coming
through. Likely this is due to a veto on a required attribute.

Those rules should be found in the subscriber create rule of the AD driver and my guess would be a
missing full name attribute.

Engine side trace would tell for sure though.

On 3/19/2012 2:46 PM, pgold wrote:
>
> I decided to delete and recreate the driver. This time I set
> entitlements to false. Now when I try to sync, the user still does not
> go into AD, BUT I do see the username in the logs on the AD server, so
> clearly it is passing through at some level. Here is the trace on the
> AD server.
>
> 'DirXML: [03/19/12 15:21:44.56]: Loader: Verifying command port...
> DirXML: [03/1 - Pastebin.com' (http://pastebin.com/SrS8r2ST)
>
> I was going to give you a link to the edir side log, but pastebin seems
> to be down for the moment.
>
> I think this is almost there, but something is still a little off.
>
>


Knowledge Partner

Re: Error syncing objects from edir to AD

Will is right. We need to see the Engine side trace.

Looking at it, I see the queries done in the Matching rule, so it is
starting the process, but no write to AD gets through the engine, so
some rule in the flow vetoed it, and as Will notes it is likely password
(no UP set, so no nspmDistributionPassword attr in the <add> event) or
else no Full Name, the two most common vetos in the AD drivers over the
years.



On 3/19/2012 3:54 PM, Will Schneider wrote:
> Well, the engine side trace will be the gotcha.
> All that is in the remote loader is the queries so you don't see why the
> add event isn't coming through. Likely this is due to a veto on a
> required attribute.
>
> Those rules should be found in the subscriber create rule of the AD
> driver and my guess would be a missing full name attribute.
>
> Engine side trace would tell for sure though.
>
> On 3/19/2012 2:46 PM, pgold wrote:
>>
>> I decided to delete and recreate the driver. This time I set
>> entitlements to false. Now when I try to sync, the user still does not
>> go into AD, BUT I do see the username in the logs on the AD server, so
>> clearly it is passing through at some level. Here is the trace on the
>> AD server.
>>
>> 'DirXML: [03/19/12 15:21:44.56]: Loader: Verifying command port...
>> DirXML: [03/1 - Pastebin.com' (http://pastebin.com/SrS8r2ST)
>>
>> I was going to give you a link to the edir side log, but pastebin seems
>> to be down for the moment.
>>
>> I think this is almost there, but something is still a little off.
>>
>>



pgold

Re: Error syncing objects from edir to AD


The users definitely have the full name field entered. Here is the
pastebin link to the engine side trace:

'DirXML: [03/19/12 15:21:44.56]: Loader: Verifying command port...
DirXML: [03/1 - Pastebin.com' (http://pastebin.com/0i9UUBeb)



Anonymous_User

Re: Error syncing objects from edir to AD

It still doesn't have the events in it I'm afraid.
Here is what to do.

1. Stop the driver
2. Move or delete all of the existing AD Driver engine side traces from the server.
3. Make sure the engine is set to Level 3 for the trace (iMangler, Driver properties, Misc heading)
4. Start the driver
5. Using iMangler do a migrate on one of the users you want to sync
6. Post the engine trace.

That will definitely get it.

On 3/19/2012 6:56 PM, pgold wrote:
>
> The users definitely have the full name field entered. Here is the
> pastebin link to the engine side trace:
>
> 'DirXML: [03/19/12 15:21:44.56]: Loader: Verifying command port...
> DirXML: [03/1 - Pastebin.com' (http://pastebin.com/0i9UUBeb)
>
>


Knowledge Partner

Re: Error syncing objects from edir to AD

Ya, you pasted the Remote Loader trace again, not the engine trace.
Maybe you pasted the old link?


On 3/19/2012 8:42 PM, Will Schneider wrote:
> It still doesn't have the events in it I'm afraid.
> Here is what to do.
>
> 1. Stop the driver
> 2. Move or delete all of the existing AD Driver engine side traces from
> the server.
> 3. Make sure the engine is set to Level 3 for the trace (iMangler,
> Driver properties, Misc heading)
> 4. Start the driver
> 5. Using iMangler do a migrate on one of the users you want to sync
> 6. Post the engine trace.
>
> That will definitely get it.
>
> On 3/19/2012 6:56 PM, pgold wrote:
>>
>> The users definitely have the full name field entered. Here is the
>> pastebin link to the engine side trace:
>>
>> 'DirXML: [03/19/12 15:21:44.56]: Loader: Verifying command port...
>> DirXML: [03/1 - Pastebin.com' (http://pastebin.com/0i9UUBeb)
>>
>>



pgold

Re: Error syncing objects from edir to AD


I think I got the correct trace now. I had to break it into two because
it is more than 500k.

part 1 - '[03/20/12 07:46:22.442]:Active Directory :Reading named
passwords list. [03/20/ - Pastebin.com' (http://pastebin.com/ZxpPVhTg)
part 2 - '[03/20/12 07:49:45.582]:Active Directory PT: Evaluating
condition - Pastebin.com' (http://pastebin.com/ZJM3euLC)

Thanks for all of your help.



Knowledge Partner

Re: Error syncing objects from edir to AD

On 20.03.2012 12:56, pgold wrote:
>
> I think I got the correct trace now. I had to break it into two because
> it is more than 500k.
>
> part 1 - '[03/20/12 07:46:22.442]:Active Directory :Reading named
> passwords list. [03/20/ - Pastebin.com' (http://pastebin.com/ZxpPVhTg)
> part 2 - '[03/20/12 07:49:45.582]:Active Directory PT: Evaluating
> condition - Pastebin.com' (http://pastebin.com/ZJM3euLC)
>
> Thanks for all of your help.
>
>



As Geoffrey mentioned: it looks like this is: "no UP set, so no
nspmDistributionPassword attr in the <add> event"

[03/20/12 07:50:28.024]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User"
event-id="edir2adlab-idm361#20120320115027#1#1"
qualified-src-dn="O=fdny\OU=Support\OU=BTDS\OU=LAN\CN=goldwap"
src-dn="\EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap" src-entry-id="32938">
<add-attr attr-name="Given Name">
<value timestamp="1332166853#1" type="string">Philip</value>
</add-attr>
<add-attr attr-name="Surname">
<value timestamp="1332164807#3" type="string">Goldwasser</value>
</add-attr>
<add-attr attr-name="Full Name">
<value>Philip Goldwasser</value>
</add-attr>
<operation-data attempt-to-match="true"
unmatched-src-dn="CN=goldwap,OU=LAN,OU=BTDS,OU=Support"/>
</add>
</input>
</nds>
[03/20/12 07:50:28.025]:Active Directory ST:Applying policy:
%+C%14Csub-cp-Users%-C.
[03/20/12 07:50:28.025]:Active Directory ST: Applying to add #1.
[03/20/12 07:50:28.025]:Active Directory ST: Evaluating selection
criteria for rule 'Break if not a User'.
[03/20/12 07:50:28.025]:Active Directory ST: (if-class-name
not-equal "User") = FALSE.
[03/20/12 07:50:28.025]:Active Directory ST: Rule rejected.
[03/20/12 07:50:28.025]:Active Directory ST: Evaluating selection
criteria for rule 'Veto if nspmDistributionPassword is not available'.
[03/20/12 07:50:28.025]:Active Directory ST: Rule selected.
[03/20/12 07:50:28.025]:Active Directory ST: Applying rule 'Veto if
nspmDistributionPassword is not available'.
[03/20/12 07:50:28.025]:Active Directory ST: Action:
do-veto-if-op-attr-not-available("nspmDistributionPassword").
[03/20/12 07:50:28.026]:Active Directory ST:Policy returned:
[03/20/12 07:50:28.026]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>


There are also some permissions issues; for some reason this driver
doesn't have rights to update/set the full name on the user in the IDV
(there is a rule that synthesises the full name during the add event if
it's not present in the IDV).

[03/20/12 07:50:28.000]:Active Directory ST: Direct command from policy
[03/20/12 07:50:28.000]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User"
dest-dn="\EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap"
dest-entry-id="32938" event-id="edir2adlab-idm361#20120320115027#1#1">
<modify-attr attr-name="Full Name">
<remove-all-values/>
<add-value>
<value>Philip Goldwasser</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[03/20/12 07:50:28.001]:Active Directory ST: Pumping XDS to eDirectory.
[03/20/12 07:50:28.001]:Active Directory ST: Performing operation
modify for \EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap.
[03/20/12 07:50:28.014]:Active Directory ST: Processing returned document.
[03/20/12 07:50:28.014]:Active Directory ST: Processing operation
<status> for .
[03/20/12 07:50:28.014]:Active Directory ST:
DirXML Log Event -------------------
Driver: \EDIR2ADLAB\fdny\AD-TEST\Active Directory
Channel: Subscriber
Object: \EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap
Status: Error
Message: Code(-9010) An exception occurred:
novell.jclient.JCException: modifyEntry -672 ERR_NO_ACCESS
Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Re: Error syncing objects from edir to AD

On 20.03.2012 13:08, Alex McHugh wrote:
> On 20.03.2012 12:56, pgold wrote:
> qualified-src-dn="O=fdny\OU=Support\OU=BTDS\OU=LAN\CN=goldwap"
> src-dn="\EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap" src-entry-id="32938">


Regarding universal passwords (which is why your user won't sync), one
common misunderstanding is that universal password policies are not
applied hierarchically to nested OUs. In other words only the users
directly under the OU the universal password policy is linked to will
get the password policy.

If you have created a universal password policy and linked it to an OU,
which OU is it linked to? For the user in your example, the UP policy
would need to be linked to O=fdny\OU=Support\OU=BTDS\OU=LAN.

Is your eDirectory a production tree or a standalone IDVault? For an
IDVault, it's generally recommended that you place all users in a flat
structure rather than under a hierarchy.

I suggest you read the following:

http://www.novell.com/documentation/password_management32/pwm_administration/data/allr1ls.html

http://www.novell.com/documentation/idm401/idm_password_management/data/bnorxu3.html
Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Re: Error syncing objects from edir to AD

On Tue, 20 Mar 2012 12:28:27 +0000, Alex McHugh wrote:

> Regarding universal passwords (which is why your user won't sync), one
> common misunderstanding is that universal password policies are not
> applied hierarchically to nested OUs.


Mostly correct. Policies can be applied to Tree (Login Policy object in
the Security container), Partition root (applies to all users in the
partition), Container (applies to all users in the container, but _not_
to users in sub-containers of the assigned container), or a leaf User
object (applies only to this specific user).


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.
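As an added illustration of the scoping rules David describes (not code from this thread or from Novell), a small model that decides which Universal Password policy link reaches a user. The qualified backslash DN form is taken from the trace in this thread; the link targets, the scope names and the most-specific-wins precedence between tree, partition, container and user links are assumptions, and child-partition boundaries are ignored.

```python
from dataclasses import dataclass

# Constructed sample: the user DN from the trace in this thread and a
# hypothetical set of policy links (the link targets are assumptions).
USER_DN = "O=fdny\\OU=Support\\OU=BTDS\\OU=LAN\\CN=goldwap"

@dataclass(frozen=True)
class PolicyLink:
    policy: str   # name of the password policy object
    scope: str    # "tree" | "partition" | "container" | "user"
    target: str   # qualified DN the policy is linked to ("" for tree)

def _parts(dn):
    return [p for p in dn.split("\\") if p]

def _is_under(dn, container_dn):
    # True when dn sits anywhere beneath container_dn, at any depth
    parts, cparts = _parts(dn), _parts(container_dn)
    return len(parts) > len(cparts) and parts[:len(cparts)] == cparts

def link_covers(user_dn, link):
    """Apply the scoping rules from the post above to one policy link."""
    if link.scope == "tree":
        return True                                    # Login Policy object, whole tree
    if link.scope == "partition":
        return _is_under(user_dn, link.target)         # every user below the partition root
    if link.scope == "container":
        return _parts(user_dn)[:-1] == _parts(link.target)  # direct children only, no nesting
    if link.scope == "user":
        return _parts(user_dn) == _parts(link.target)
    raise ValueError(f"unknown scope {link.scope!r}")

def effective_policy(user_dn, links):
    """Name of the policy that applies, assuming most-specific-wins precedence."""
    rank = {"user": 0, "container": 1, "partition": 2, "tree": 3}
    hits = [l for l in links if link_covers(user_dn, l)]
    return min(hits, key=lambda l: rank[l.scope]).policy if hits else None

def demo():
    # A policy linked two OUs above the user does not reach it; one linked
    # to the user's own OU does.
    links = [PolicyLink("Support-UP", "container", "O=fdny\\OU=Support")]
    before = effective_policy(USER_DN, links)          # None
    links.append(PolicyLink("LAN-UP", "container", "O=fdny\\OU=Support\\OU=BTDS\\OU=LAN"))
    after = effective_policy(USER_DN, links)           # "LAN-UP"
    return before, after

if __name__ == "__main__":
    print(demo())
```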

Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/20/2012 7:56 AM, pgold wrote:
>
> I think I got the correct trace now. I had to break it into two because
> it is more than 500k.
>
> part 1 - '[03/20/12 07:46:22.442]:Active Directory :Reading named
> passwords list. [03/20/ - Pastebin.com' (http://pastebin.com/ZxpPVhTg)
> part 2 - '[03/20/12 07:49:45.582]:Active Directory PT: Evaluating
> condition - Pastebin.com' (http://pastebin.com/ZJM3euLC)
>
> Thanks for all of your help.


So you sent your account through. It generated a full name, since
Source attr Full name was not available. So it actually writes one back.

[03/20/12 07:50:27.754]:Active Directory ST: (if-attr 'Full Name'
not-available) = TRUE.
[03/20/12 07:50:27.754]:Active Directory ST: (if-attr 'Given Name'
available) = TRUE.
[03/20/12 07:50:27.754]:Active Directory ST: Rule selected.
[03/20/12 07:50:27.754]:Active Directory ST: Applying rule 'generate
full name if not in Identity Vault'.

Reads surname and given name, builds full name, and writes it back and
forwards.

Tries to match by sAMAccountName, by Full Name, no joys. I.e. user not
yet in AD. Good so far.

Then the actual write back to eDir of Full Name fails, with a lack of
permissions, 672 error.

[03/20/12 07:50:28.000]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User"
dest-dn="\EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap"
dest-entry-id="32938" event-id="edir2adlab-idm361#20120320115027#1#1">
<modify-attr attr-name="Full Name">
<remove-all-values/>
<add-value>
<value>Philip Goldwasser</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>



[03/20/12 07:50:28.014]:Active Directory ST:
DirXML Log Event -------------------
Driver: \EDIR2ADLAB\fdny\AD-TEST\Active Directory
Channel: Subscriber
Object: \EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap
Status: Error
Message: Code(-9010) An exception occurred:
novell.jclient.JCException: modifyEntry -672 ERR_NO_ACCESS


But the <add> goes on...

[03/20/12 07:50:28.021]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User"
event-id="edir2adlab-idm361#20120320115027#1#1"
qualified-src-dn="O=fdny\OU=Support\OU=BTDS\OU=LAN\CN=goldwap"
src-dn="\EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap" src-entry-id="32938">
<add-attr attr-name="Given Name">
<value timestamp="1332166853#1" type="string">Philip</value>
</add-attr>
<add-attr attr-name="Surname">
<value timestamp="1332164807#3" type="string">Goldwasser</value>
</add-attr>
<add-attr attr-name="Full Name">
<value>Philip Goldwasser</value>
</add-attr>
<operation-data attempt-to-match="true"
unmatched-src-dn="CN=goldwap,OU=LAN,OU=BTDS,OU=Support"/>
</add>
</input>
</nds>

Then it stops due to no UP (Technically DP...)

[03/20/12 07:50:28.025]:Active Directory ST: Applying rule 'Veto if
nspmDistributionPassword is not available'.
[03/20/12 07:50:28.025]:Active Directory ST: Action:
do-veto-if-op-attr-not-available("nspmDistributionPassword").
[03/20/12 07:50:28.026]:Active Directory ST:Policy returned:
[03/20/12 07:50:28.026]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
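Alex's and Geoffrey's posts above both locate the failure by reading the engine trace for the -672 ERR_NO_ACCESS log event and the nspmDistributionPassword veto. As an added example (not from the thread or from Novell), a small scanner that pulls exactly those two signals out of a Level 3 engine trace so the same triage can be repeated over a large file; the sample below is trimmed from the trace posted above, and the line formats it matches are taken from that trace.

```python
import re

# Constructed sample: a few lines trimmed from the engine trace posted above.
SAMPLE_TRACE = """\
[03/20/12 07:50:28.014]:Active Directory ST:
DirXML Log Event -------------------
Driver: \\EDIR2ADLAB\\fdny\\AD-TEST\\Active Directory
Channel: Subscriber
Object: \\EDIR2ADLAB\\fdny\\Support\\BTDS\\LAN\\goldwap
Status: Error
Message: Code(-9010) An exception occurred:
novell.jclient.JCException: modifyEntry -672 ERR_NO_ACCESS
[03/20/12 07:50:28.025]:Active Directory ST: Applying rule 'Veto if nspmDistributionPassword is not available'.
[03/20/12 07:50:28.025]:Active Directory ST: Action: do-veto-if-op-attr-not-available("nspmDistributionPassword").
"""

TS_RE = re.compile(r"^\[\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d+\]")
RULE_RE = re.compile(r"Applying rule '([^']+)'")
VETO_RE = re.compile(r'do-veto-if-op-attr-not-available\("([^"]+)"\)')
ERR_RE = re.compile(r"(-\d+)\s+(ERR_[A-Z_]+)")   # e.g. "-672 ERR_NO_ACCESS"

def _close(event):
    """Turn a collected 'DirXML Log Event' block into one finding."""
    m = ERR_RE.search(" ".join(event["text"]))
    return ("log_event", {"status": event.get("Status"), "object": event.get("Object"),
                          "code": m.group(1) if m else None, "name": m.group(2) if m else None})

def triage(trace):
    """Scan an engine trace for vetoes on missing attributes and error log events."""
    findings, rule, event = [], None, None
    for line in trace.splitlines():
        if event is not None and TS_RE.match(line):
            findings.append(_close(event))           # a timestamped line ends the block
            event = None
        if "DirXML Log Event" in line:
            event = {"text": []}
            continue
        if event is not None:
            key, _, val = line.partition(":")
            if key in ("Driver", "Channel", "Object", "Status"):
                event[key] = val.strip()
            else:
                event["text"].append(line.strip())   # Message and exception lines
            continue
        m = RULE_RE.search(line)
        if m:
            rule = m.group(1)                        # remember the rule being applied
        m = VETO_RE.search(line)
        if m:
            findings.append(("veto", {"rule": rule, "missing_attr": m.group(1)}))
    if event is not None:
        findings.append(_close(event))
    return findings
```

Run `triage(open("trace.log").read())` on a real engine trace; a veto finding naming nspmDistributionPassword is the UP/DP problem discussed above, and a -672 log event is the rights problem.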