Knowledge Partner

Re: Error syncing objects from edir to AD

Will is right. We need to see the Engine side trace.

Looking at it, I see the queries done in the Matching rule, so it is
starting the process, but no write to AD gets through the engine, so
some rule in the flow vetoed it, and as Will notes it is likely password
(no UP set, so no nspmDistributionPassword attr in the <add> event) or
else no Full Name, the two most common vetoes in the AD drivers over the
years.



On 3/19/2012 3:54 PM, Will Schneider wrote:
> Well, the engine side trace will be the gotcha.
> All that is in the remote loader is the queries so you don't see why the
> add event isn't coming through. Likely this is due to a veto on a
> required attribute.
>
> Those rules should be found in the subscriber create rule of the AD
> driver and my guess would be a missing full name attribute.
>
> Engine side trace would tell for sure though.
>
> On 3/19/2012 2:46 PM, pgold wrote:
>>
>> I decided to delete and recreate the driver. This time I set
>> entitlements to false. Now when I try to sync, the user still does not
>> go into AD, BUT I do see the username in the logs on the AD server, so
>> clearly it is passing through at some level. Here is the trace on the
>> AD server.
>>
>> 'DirXML: [03/19/12 15:21:44.56]: Loader: Verifying command port...
>> DirXML: [03/1 - Pastebin.com' (http://pastebin.com/SrS8r2ST)
>>
>> I was going to give you a link to the edir side log, but pastebin seems
>> to be down for the moment.
>>
>> I think this is almost there, but something is still a little off.
>>
>>

>


0 Likes
pgold Absent Member.

Re: Error syncing objects from edir to AD


The users definitely have the full name field entered. Here is the
pastebin link to the engine side trace:

'DirXML: [03/19/12 15:21:44.56]: Loader: Verifying command port...
DirXML: [03/1 - Pastebin.com' (http://pastebin.com/0i9UUBeb)


--
pgold
------------------------------------------------------------------------
pgold's Profile: http://forums.novell.com/member.php?userid=114234
View this thread: http://forums.novell.com/showthread.php?t=453618

0 Likes
Anonymous_User Absent Member.

Re: Error syncing objects from edir to AD

It still doesn't have the events in it I'm afraid.
Here is what to do.

1. Stop the driver
2. Move or delete all of the existing AD Driver engine side traces from the server.
3. Make sure the engine is set to Level 3 for the trace (iMangler, Driver properties, Misc heading)
4. Start the driver
5. Using iMangler do a migrate on one of the users you want to sync
6. Post the engine trace.

That will definitely get it.

On 3/19/2012 6:56 PM, pgold wrote:
>
> The users definitely have the full name field entered. Here is the
> pastebin link to the engine side trace:
>
> 'DirXML: [03/19/12 15:21:44.56]: Loader: Verifying command port...
> DirXML: [03/1 - Pastebin.com' (http://pastebin.com/0i9UUBeb)
>
>


0 Likes
Knowledge Partner

Re: Error syncing objects from edir to AD

Ya, you pasted the Remote Loader trace again, not the engine trace.
Maybe pasted the old link?


On 3/19/2012 8:42 PM, Will Schneider wrote:
> It still doesn't have the events in it I'm afraid.
> Here is what to do.
>
> 1. Stop the driver
> 2. Move or delete all of the existing AD Driver engine side traces from
> the server.
> 3. Make sure the engine is set to Level 3 for the trace (iMangler,
> Driver properties, Misc heading)
> 4. Start the driver
> 5. Using iMangler do a migrate on one of the users you want to sync
> 6. Post the engine trace.
>
> That will definitely get it.
>
> On 3/19/2012 6:56 PM, pgold wrote:
>>
>> The users definitely have the full name field entered. Here is the
>> pastebin link to the engine side trace:
>>
>> 'DirXML: [03/19/12 15:21:44.56]: Loader: Verifying command port...
>> DirXML: [03/1 - Pastebin.com' (http://pastebin.com/0i9UUBeb)
>>
>>

>


0 Likes
pgold Absent Member.

Re: Error syncing objects from edir to AD


I think I got the correct trace now. I had to break it into two because
it is more than 500k.

part 1 - '[03/20/12 07:46:22.442]:Active Directory :Reading named
passwords list. [03/20/ - Pastebin.com' (http://pastebin.com/ZxpPVhTg)
part 2 - '[03/20/12 07:49:45.582]:Active Directory PT: Evaluating
condition - Pastebin.com' (http://pastebin.com/ZJM3euLC)

Thanks for all of your help.


--
pgold

0 Likes
Knowledge Partner

Re: Error syncing objects from edir to AD

On 20.03.2012 12:56, pgold wrote:
>
> I think I got the correct trace now. I had to break it into two because
> it is more than 500k.
>
> part 1 - '[03/20/12 07:46:22.442]:Active Directory :Reading named
> passwords list. [03/20/ - Pastebin.com' (http://pastebin.com/ZxpPVhTg)
> part 2 - '[03/20/12 07:49:45.582]:Active Directory PT: Evaluating
> condition - Pastebin.com' (http://pastebin.com/ZJM3euLC)
>
> Thanks for all of your help.
>
>



As Geoffrey mentioned: it looks like this is: "no UP set, so no
nspmDistributionPassword attr in the <add> event"

[03/20/12 07:50:28.024]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User"
event-id="edir2adlab-idm361#20120320115027#1#1"
qualified-src-dn="O=fdny\OU=Support\OU=BTDS\OU=LAN\CN=goldwap"
src-dn="\EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap" src-entry-id="32938">
<add-attr attr-name="Given Name">
<value timestamp="1332166853#1" type="string">Philip</value>
</add-attr>
<add-attr attr-name="Surname">
<value timestamp="1332164807#3" type="string">Goldwasser</value>
</add-attr>
<add-attr attr-name="Full Name">
<value>Philip Goldwasser</value>
</add-attr>
<operation-data attempt-to-match="true"
unmatched-src-dn="CN=goldwap,OU=LAN,OU=BTDS,OU=Support"/>
</add>
</input>
</nds>
[03/20/12 07:50:28.025]:Active Directory ST:Applying policy:
%+C%14Csub-cp-Users%-C.
[03/20/12 07:50:28.025]:Active Directory ST: Applying to add #1.
[03/20/12 07:50:28.025]:Active Directory ST: Evaluating selection
criteria for rule 'Break if not a User'.
[03/20/12 07:50:28.025]:Active Directory ST: (if-class-name
not-equal "User") = FALSE.
[03/20/12 07:50:28.025]:Active Directory ST: Rule rejected.
[03/20/12 07:50:28.025]:Active Directory ST: Evaluating selection
criteria for rule 'Veto if nspmDistributionPassword is not available'.
[03/20/12 07:50:28.025]:Active Directory ST: Rule selected.
[03/20/12 07:50:28.025]:Active Directory ST: Applying rule 'Veto if
nspmDistributionPassword is not available'.
[03/20/12 07:50:28.025]:Active Directory ST: Action:
do-veto-if-op-attr-not-available("nspmDistributionPassword").
[03/20/12 07:50:28.026]:Active Directory ST:Policy returned:
[03/20/12 07:50:28.026]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>


There are also some permissions issues, for some reason this driver
doesn't have rights to update/set the full name on the user in the IDV
(there is a rule that synthesises the full name during the add event if
it's not present in the IDV)

[03/20/12 07:50:28.000]:Active Directory ST: Direct command from policy
[03/20/12 07:50:28.000]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User"
dest-dn="\EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap"
dest-entry-id="32938" event-id="edir2adlab-idm361#20120320115027#1#1">
<modify-attr attr-name="Full Name">
<remove-all-values/>
<add-value>
<value>Philip Goldwasser</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[03/20/12 07:50:28.001]:Active Directory ST: Pumping XDS to eDirectory.
[03/20/12 07:50:28.001]:Active Directory ST: Performing operation
modify for \EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap.
[03/20/12 07:50:28.014]:Active Directory ST: Processing returned document.
[03/20/12 07:50:28.014]:Active Directory ST: Processing operation
<status> for .
[03/20/12 07:50:28.014]:Active Directory ST:
DirXML Log Event -------------------
Driver: \EDIR2ADLAB\fdny\AD-TEST\Active Directory
Channel: Subscriber
Object: \EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap
Status: Error
Message: Code(-9010) An exception occurred:
novell.jclient.JCException: modifyEntry -672 ERR_NO_ACCESS
Alex McHugh - Knowledge Partner - Stavanger, Norway
0 Likes
Knowledge Partner

Re: Error syncing objects from edir to AD

On 20.03.2012 13:08, Alex McHugh wrote:
> On 20.03.2012 12:56, pgold wrote:
> qualified-src-dn="O=fdny\OU=Support\OU=BTDS\OU=LAN\CN=goldwap"
> src-dn="\EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap" src-entry-id="32938">


Regarding universal passwords (which is why your user won't sync), one
common misunderstanding is that universal password policies are not
applied hierarchically to nested OUs. In other words only the users
directly under the OU the universal password policy is linked to will
get the password policy.

If you have created a universal password policy and linked it to an OU,
which OU is it linked to? For the user in your example, the UP policy
would need to be linked to O=fdny\OU=Support\OU=BTDS\OU=LAN

Is your eDirectory a production tree or a standalone IDVault? For an
IDVault, it's generally recommended that you place all users in a flat
structure rather than under a hierarchy.

I suggest you read the following:

http://www.novell.com/documentation/password_management32/pwm_administration/data/allr1ls.html

http://www.novell.com/documentation/idm401/idm_password_management/data/bnorxu3.html
Alex McHugh - Knowledge Partner - Stavanger, Norway
0 Likes
Knowledge Partner

Re: Error syncing objects from edir to AD

On Tue, 20 Mar 2012 12:28:27 +0000, Alex McHugh wrote:

> Regarding universal passwords (which is why your user won't sync), one
> common misunderstanding is that universal password policies are not
> applied hierarchically to nested OUs.


Mostly correct. Policies can be applied to Tree (Login Policy object in
the Security container), Partition root (applies to all users in the
partition), Container (applies to all users in the container, but _not_
to users in sub-containers of the assigned container), or a leaf User
object (applies only to this specific user).


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

0 Likes
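The assignment scopes listed above, worked through as an added example (not code from any poster or from Novell). It assumes the most specific assignment wins (user, then container, then partition root, then tree), which the thread does not state; the DNs and policy names are constructed.

```python
# Constructed sample data: a user four levels down, a policy linked two levels up.
USER = r"org\Support\BTDS\LAN\jdoe"
LINKS = {r"org\Support": "Lab UP Policy"}


def parent(dn):
    """Container that directly holds the object ('' once above the top)."""
    return dn.rpartition("\\")[0]


def effective_policy(user_dn, user_links, container_links, partition_roots,
                     tree_policy=None):
    """Return (policy, scope) for a user, or (None, None) if nothing applies."""
    if user_dn in user_links:                  # assigned to the leaf User object
        return user_links[user_dn], "user"
    holder = parent(user_dn)
    if holder in container_links:              # direct container only, no nesting
        return container_links[holder], "container"
    c = holder
    while c and c not in partition_roots:      # climb to the root of this partition
        c = parent(c)
    if c in container_links:                   # a link on the partition root covers
        return container_links[c], "partition root"   # every user in the partition
    if tree_policy:                            # Login Policy object in Security
        return tree_policy, "tree"
    return None, None


if __name__ == "__main__":
    # Linked to an intermediate OU that is not a partition root: nothing applies.
    print(effective_policy(USER, {}, LINKS, {"org"}))
    # Same link, but that OU is a partition root: the policy reaches the user.
    print(effective_policy(USER, {}, LINKS, {"org", r"org\Support"}))
```
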
Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/20/2012 7:56 AM, pgold wrote:
>
> I think I got the correct trace now. I had to break it into two because
> it is more than 500k.
>
> part 1 - '[03/20/12 07:46:22.442]:Active Directory :Reading named
> passwords list. [03/20/ - Pastebin.com' (http://pastebin.com/ZxpPVhTg)
> part 2 - '[03/20/12 07:49:45.582]:Active Directory PT: Evaluating
> condition - Pastebin.com' (http://pastebin.com/ZJM3euLC)
>
> Thanks for all of your help.


So you sent your account through. It generated a full name, since
Source attr Full name was not available. So it actually writes one back.

[03/20/12 07:50:27.754]:Active Directory ST: (if-attr 'Full Name'
not-available) = TRUE.
[03/20/12 07:50:27.754]:Active Directory ST: (if-attr 'Given Name'
available) = TRUE.
[03/20/12 07:50:27.754]:Active Directory ST: Rule selected.
[03/20/12 07:50:27.754]:Active Directory ST: Applying rule 'generate
full name if not in Identity Vault'.

Reads surname and given name, builds full name, and writes it back and
forwards.

Tries to match by sAMAccountname, by Full Name, no joys. I.e. User not
yet in AD. Good so far.

Then the actual write back to eDir of Full Name fails, with a lack of
permissions, 672 error.

[03/20/12 07:50:28.000]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User"
dest-dn="\EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap"
dest-entry-id="32938" event-id="edir2adlab-idm361#20120320115027#1#1">
<modify-attr attr-name="Full Name">
<remove-all-values/>
<add-value>
<value>Philip Goldwasser</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>



[03/20/12 07:50:28.014]:Active Directory ST:
DirXML Log Event -------------------
Driver: \EDIR2ADLAB\fdny\AD-TEST\Active Directory
Channel: Subscriber
Object: \EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap
Status: Error
Message: Code(-9010) An exception occurred:
novell.jclient.JCException: modifyEntry -672 ERR_NO_ACCESS


But the <add> goes on...

[03/20/12 07:50:28.021]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User"
event-id="edir2adlab-idm361#20120320115027#1#1"
qualified-src-dn="O=fdny\OU=Support\OU=BTDS\OU=LAN\CN=goldwap"
src-dn="\EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap" src-entry-id="32938">
<add-attr attr-name="Given Name">
<value timestamp="1332166853#1" type="string">Philip</value>
</add-attr>
<add-attr attr-name="Surname">
<value timestamp="1332164807#3" type="string">Goldwasser</value>
</add-attr>
<add-attr attr-name="Full Name">
<value>Philip Goldwasser</value>
</add-attr>
<operation-data attempt-to-match="true"
unmatched-src-dn="CN=goldwap,OU=LAN,OU=BTDS,OU=Support"/>
</add>
</input>
</nds>

Then it stops due to no UP (Technically DP...)

[03/20/12 07:50:28.025]:Active Directory ST: Applying rule 'Veto if
nspmDistributionPassword is not available'.
[03/20/12 07:50:28.025]:Active Directory ST: Action:
do-veto-if-op-attr-not-available("nspmDistributionPassword").
[03/20/12 07:50:28.026]:Active Directory ST:Policy returned:
[03/20/12 07:50:28.026]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
0 Likes
pgold Absent Member.

Re: Error syncing objects from edir to AD


I am getting some different answers here. First off, the tree is a lab
tree. Although I could put all the users in one OU for the testing, I
want it to be similar to what it will be when I go to production.
Second, the user (my user) has the full name field filled in (with my
full name). I am looking at the universal password thing that Alex
suggested, but I still need a little more direction on what to do next.


--
pgold

0 Likes
Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/20/2012 8:56 AM, pgold wrote:
>
> I am getting some different answers here. First off, the tree is a lab
> tree. Although I could put all the users in one OU for the testing, I
> want it to be similar to what it will be when I go to production.
> Second, the user (my user) has the full name field filled in (with my
> full name). I am looking at the universal password thing that Alex
> suggested, but I still need a little more direction on what to do next.


There are two distinct errors in the trace.

1) Your driver does not have permission to write Full Name back to
eDirectory. Fix this by making the driver Sec Equals some object that
has sufficient rights. It is smart to NOT allow the driver to have
excessive rights, like maybe no delete rights, if you do not intend it
to delete, then an accident in coding cannot cause deletes, since it has
no rights, right? 🙂

That is immaterial to your core issue.

2) Your user, Phil Goldwasser tries to sync from eDir to AD. But there
is a rule in the Sub-Create that says if there is no
nspmDistributionPassword in the current <add> event then veto it. Which
it happily does, since there isn't.

Alex tried to offer ideas why there is no DP.

Things to check.
a) Filter. nspmDistributionPassword should be set to Sub-Notify only.
(Pub should be ignore).
b) In designer, right click the driver line, Password Management. Are
you sending passwords in both directions? (Pub and Sub?) Or just Sub?
c) Do you have a Password Policy, that enables UP and syncs to DP
associated with this user. (Alex was trying to explain reasons you
might think you do, but really do not).

You can get a tool like DumpUP from Jim Willeke at:
http://ldapwiki.willeke.com/Wiki.jsp?page=DumpEdirectoryPasswordInformationTool

This lets you look at a user and see what policy is applying to them, if
the password matches the password complexity, and if you have the policy
allowing it, even show the current password.

If you are using C1 to set the password, and using any version (except
MAYBE the latest build out of GroupWise 802 or 803) you probably have
the broken NMAS client in it. There is a local nmas.dll that overrides
the workstation NMAS client and breaks UP when you set passwords. Short
answer, use iManager to set the password as that sets UP, or else fix C1
which is also easy:
www.novell.com/support/viewContent.do?externalId=3576410




0 Likes
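The two blockers picked out of the trace by hand above can be pulled out mechanically. This is an added example, not code from any poster or from Novell: it re-joins wrapped trace lines, reports veto actions and error log events per event-id, and marks a veto as confirmed only when the policy then returns an empty `<input/>`. The sample trace is constructed on the pattern of the excerpts in this thread, with placeholder DNs and event-id.

```python
import re

TS = re.compile(r"^\[\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d+\]:")
EVENT = re.compile(r'<(add|modify|delete|rename|move)\b[^>]*?\bevent-id="([^"]+)"')
RULE = re.compile(r"Applying rule '([^']+)'")
VETO = re.compile(r'Action:\s*(do-veto[\w-]*)\((?:"([^"]*)")?\)')
LOG_EVENT = re.compile(r"Status:\s*(\w+)\s+Message:\s*(.*)$")
NDS_ERR = re.compile(r"-\d+ ERR_\w+")

# Constructed sample modelled on the engine trace excerpts quoted in this
# thread, wrapped the way the forum wrapped them. DNs/event-id are placeholders.
SAMPLE_TRACE = r"""
[03/20/12 07:50:28.000]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x"><input>
<modify class-name="User" dest-dn="\TREE\org\users\jdoe"
event-id="sample#20120320115027#1#1">
<modify-attr attr-name="Full Name"><remove-all-values/></modify-attr>
</modify></input></nds>
[03/20/12 07:50:28.014]:Active Directory ST:
DirXML Log Event -------------------
Channel: Subscriber
Object: \TREE\org\users\jdoe
Status: Error
Message: Code(-9010) An exception occurred:
novell.jclient.JCException: modifyEntry -672 ERR_NO_ACCESS
[03/20/12 07:50:28.021]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x"><input>
<add class-name="User" event-id="sample#20120320115027#1#1"
src-dn="\TREE\org\users\jdoe">
<add-attr attr-name="Full Name"><value>J Doe</value></add-attr>
</add></input></nds>
[03/20/12 07:50:28.025]:Active Directory ST: Applying rule 'Veto if
nspmDistributionPassword is not available'.
[03/20/12 07:50:28.025]:Active Directory ST: Action:
do-veto-if-op-attr-not-available("nspmDistributionPassword").
[03/20/12 07:50:28.026]:Active Directory ST:Policy returned:
[03/20/12 07:50:28.026]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x"><input/></nds>
"""

def records(trace):
    """Re-join wrapped lines: a record runs from one timestamp to the next."""
    out = []
    for line in trace.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def find_blockers(trace):
    """Return vetoes and error log events, each tied to its event-id."""
    findings, event_id, rule, pending = [], None, None, None
    for rec in records(trace):
        if m := EVENT.search(rec):
            event_id, pending = m.group(2), None
        if m := RULE.search(rec):
            rule = m.group(1)
        if m := VETO.search(rec):
            pending = {"kind": "veto", "event_id": event_id, "rule": rule,
                       "attr": m.group(2), "confirmed": False}
            findings.append(pending)
        elif pending and "<input/>" in rec:
            # An empty <input/> returned by the policy: the operation was dropped.
            pending["confirmed"] = True
            pending = None
        m = LOG_EVENT.search(rec)
        if m and m.group(1) in ("Error", "Fatal"):
            code = NDS_ERR.search(m.group(2))
            findings.append({"kind": "error", "event_id": event_id,
                             "message": m.group(2).strip(),
                             "nds_error": code.group(0) if code else None})
    return findings

if __name__ == "__main__":
    for finding in find_blockers(SAMPLE_TRACE):
        print(finding)
```
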
pgold Absent Member.

Re: Error syncing objects from edir to AD


OK. So I went into iManager and created a password policy. I also went
to set universal password and set the password for my user. Then I did
a migrate and no go. Here is the trace (I think I got it all)

'[03/20/12 09:00:46.777]:Active Directory :Remote Interface Driver:
Received. [0 - Pastebin.com' (http://pastebin.com/iBVPyN8H)


--
pgold

0 Likes
Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/20/2012 9:06 AM, pgold wrote:
>
> OK. So I went into iManager and created a password policy. I also went
> to set universal password and set the password for my user. Then I did
> a migrate and no go. Here is the trace (I think I got it all)
>
> '[03/20/12 09:00:46.777]:Active Directory :Remote Interface Driver:
> Received. [0 - Pastebin.com' (http://pastebin.com/iBVPyN8H)


So now you clearly have a UP issue. See my previous message about the
filter, etc. Check all that stuff, but the issue is the same:

[03/20/12 09:01:06.202]:Active Directory ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User"
event-id="edir2adlab-idm361#20120320130105#1#1"
qualified-src-dn="O=fdny\OU=Support\OU=BTDS\OU=LAN\CN=goldwap"
src-dn="\EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap" src-entry-id="32938">
<add-attr attr-name="Given Name">
<value timestamp="1332166853#1" type="string">Philip</value>
</add-attr>
<add-attr attr-name="Surname">
<value timestamp="1332164807#3" type="string">Goldwasser</value>
</add-attr>
<add-attr attr-name="Full Name">
<value>Philip Goldwasser</value>
</add-attr>
<operation-data attempt-to-match="true"
unmatched-src-dn="CN=goldwap,OU=LAN,OU=BTDS,OU=Support"/>
</add>
</input>
</nds>
[03/20/12 09:01:06.203]:Active Directory ST:Applying policy:
%+C%14Csub-cp-Users%-C.
[03/20/12 09:01:06.203]:Active Directory ST: Applying to add #1.
[03/20/12 09:01:06.204]:Active Directory ST: Evaluating selection
criteria for rule 'Break if not a User'.
[03/20/12 09:01:06.204]:Active Directory ST: (if-class-name
not-equal "User") = FALSE.
[03/20/12 09:01:06.204]:Active Directory ST: Rule rejected.
[03/20/12 09:01:06.204]:Active Directory ST: Evaluating selection
criteria for rule 'Veto if nspmDistributionPassword is not available'.
[03/20/12 09:01:06.204]:Active Directory ST: Rule selected.
[03/20/12 09:01:06.204]:Active Directory ST: Applying rule 'Veto if
nspmDistributionPassword is not available'.
[03/20/12 09:01:06.204]:Active Directory ST: Action:
do-veto-if-op-attr-not-available("nspmDistributionPassword").

No Distro Pwd in the event doc. If it was set on the user, the filter
would have added it. And in fact, search from the top for Synthetic
add, and look above for the query, it does look for DP and does not find
it on the user.

<query class-name="User"
dest-dn="\EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap"
dest-entry-id="32938" scope="entry">
<read-attr attr-name="Description"/>
<read-attr attr-name="DirXML-EntitlementRef"/>
<read-attr attr-name="Facsimile Telephone Number"/>
<read-attr attr-name="Full Name"/>
<read-attr attr-name="Given Name"/>
<read-attr attr-name="Initials"/>
<read-attr attr-name="Internet EMail Address"/>
<read-attr attr-name="L"/>
<read-attr attr-name="Login Allowed Time Map"/>
<read-attr attr-name="Login Disabled"/>
<read-attr attr-name="Login Expiration Time"/>
<read-attr attr-name="nspmDistributionPassword"/>

So your UP did not apply properly. All sorts of possible reasons, see
Alex's comment explaining its slightly less than obvious inheritance
pattern.



0 Likes
pgold Absent Member.

Re: Error syncing objects from edir to AD


I got it! I edited the password policy. Clicked universal password and
in password syntax, I chose Microsoft complexity. Then I changed the
password using iManager, and then the user immediately synced over. I
did the same for another user and it went also. So that works. The
only thing I would like to find out is the following:

I have set the driver to mirror the containers in edir. Is there a way
to set each container to sync to a specified container? I know I can
have all the users go into one single container in AD, and I can mirror
them exactly. But what if I want to create a new tree structure in AD?
For example, the LAN container in my production edir tree is off of the
root container. I would prefer to put it under a different container.
Is there a way to do this? I know this is a different topic and I am
not looking for lots of instructions here. I just want to know if this
can be done, and I can learn how later.

Thanks again for all of your help.


--
pgold

0 Likes
Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/20/2012 10:26 AM, pgold wrote:
>
> I got it! I edited the password policy. Clicked universal password and
> in password syntax, I chose Microsoft complexity. Then I changed the
> password using iManager, and then the user immediately synced over. I
> did the same for another user and it went also. So that works. The
> only thing I would like to find out is the following:
>
> I have set the driver to mirror the containers in edir. Is there a way
> to set each container to sync to a specified container? I know I can
> have all the users go into one single container in AD, and I can mirror
> them exactly. But what if I want to create a new tree structure in AD?
> For example, the LAN container in my production edir tree is off of the
> root container. I would prefer to put it under a different container.
> Is there a way to do this? I know this is a different topic and I am
> not looking for lots of instructions here. I just want to know if this
> can be done, and I can learn how later.


Yes. This is all done in the Placement rules. (Though matching has
influence as well).

But it is not out of the box. Novell ships two possibilities. Mirrored
and flat.

You want ad hoc placement. So there are many ways to approach this, and
you can build whatever you want.

For example:
a) What if locationCode in eDir is looked up in a mapping table, and
gets a container in AD to place in?

b) This container in eDir goes to that container in AD. Could use a
rule for each case. Or a mapping table that has a list of containers in
eDir's namespace, mapped to AD container namespace (LDAP format).

c) Multiple conditions need to match to decide placement.

I like mapping tables for this sort of thing. But you can do almost
anything you want.
0 Likes
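Option (b) above, sketched as an added example (not code from any poster or from Novell, and written in Python rather than as a driver policy). The table entries, the longest-prefix match, the mirroring of sub-containers below a mapped container and the `None` result for unmapped users are all assumptions chosen for illustration.

```python
# Constructed mapping table: eDir container (slash form, lower case) -> AD container.
PLACEMENT = {
    r"org\support\btds\lan": "OU=LAN,OU=Sites,DC=lab,DC=example",
    r"org\support": "OU=Support,DC=lab,DC=example",
}

SPECIAL = set(',+"\\<>;')   # characters RFC 4514 requires escaping in a DN value


def escape_rdn(value):
    """Escape one naming value so it is safe inside an LDAP-format DN."""
    chars = ["\\" + c if c in SPECIAL else c for c in value]
    if chars and chars[0][0] in "# ":          # leading '#' or space
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":    # trailing space
        chars[-1] = "\\ "
    return "".join(chars)


def place(src_dn, table=PLACEMENT):
    """Map an eDir src-dn (\\TREE\\o\\ou\\...\\cn) to an AD DN, or None if unmapped."""
    parts = src_dn.strip("\\").split("\\")
    containers, cn = parts[1:-1], parts[-1]    # parts[0] is the tree name
    # Longest prefix first, so the most specific table row decides placement.
    for depth in range(len(containers), 0, -1):
        base = table.get("\\".join(containers[:depth]).lower())
        if base is not None:
            # Containers below the matched row are mirrored as OUs under the target.
            below = [f"OU={escape_rdn(ou)}" for ou in reversed(containers[depth:])]
            return ",".join([f"CN={escape_rdn(cn)}", *below, base])
    return None   # no row matched: leave it to the caller to veto or use a default


if __name__ == "__main__":
    for dn in (r"\TREE\org\Support\BTDS\LAN\jdoe",
               r"\TREE\org\Support\HelpDesk\Doe, Jane",
               r"\TREE\other\x"):
        print(dn, "->", place(dn))
```
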