pgold Absent Member.

Re: Error syncing objects from edir to AD


Can you point me to some documentation about creating mapping tables?


--
pgold
------------------------------------------------------------------------
pgold's Profile: http://forums.novell.com/member.php?userid=114234
View this thread: http://forums.novell.com/showthread.php?t=453618

Anonymous_User Absent Member.

Re: Error syncing objects from edir to AD

The base doc is pretty good for this:
http://www.novell.com/documentation/idm401/policy_designer/data/tokenmap.html

And a Geoff reference of course:
http://www.novell.com/communities/node/4844/mapping-tables-and-render-browsed-dn-relative-policy-option

Mapping tables are easy. The thing to do after you get a base one working is to put its DN in a
GCV on the driver so that it is more portable and then use variable expansion in the map token for
the DN. Not required but a good habit to be in.

On 3/20/2012 10:46 AM, pgold wrote:
>
> Can you point me to some documentation about creating mapping tables?
>
>


Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/20/2012 12:44 PM, Will Schneider wrote:
> The base doc is pretty good for this:
> http://www.novell.com/documentation/idm401/policy_designer/data/tokenmap.html
>
>
> And a Geoff reference of course:
> http://www.novell.com/communities/node/4844/mapping-tables-and-render-browsed-dn-relative-policy-option


The hardest part of a mapping table is that it is a Verb token. That
means you need to nest (indented, on the line below) a noun token to
provide input data.

I.e. Map says, take the input, stick it into the src-column in the table
and return the dest-column from the table. Well, what provides that
input? Maybe local variable VAL? Maybe op-attr token? Maybe parse DN
chopping up a DN? And so on.

Now this does bring up an important consideration, comparing DNs. Do
you need the tree name in there or not? Well it depends. Probably
easiest if your mapping table is \TREE\o\ou\ou\ou since eDir will always
return the tree name in the DN.

On a side note, consider perusing this series for good tips about IDM
that will bite you along the way, and spending a bit of time, might save
you pain in the near future...

http://www.novell.com/communities/node/13053/common-mistakes-newcomers-idm-make-part-1
http://www.novell.com/communities/node/13057/common-mistakes-newcomers-idm-make-part-2
http://www.novell.com/communities/node/13058/common-mistakes-newcomers-idm-make-part-3
http://www.novell.com/communities/node/13125/common-mistakes-newcomers-idm-make-part-4
http://www.novell.com/communities/node/13126/common-mistakes-newcomers-idm-make-part-5
http://www.novell.com/communities/node/13302/common-mistakes-newcomers-idm-make-part-6
http://www.novell.com/communities/node/13316/common-mistakes-newcomers-idm-make-part-7
http://www.novell.com/communities/node/13347/common-mistakes-newcomers-idm-make-part-8
http://www.novell.com/communities/node/13383/common-mistakes-newcomers-idm-make-part-9
http://www.novell.com/communities/node/13486/common-mistakes-newcomers-idm-make-part-10
http://www.novell.com/communities/node/13493/common-mistakes-newcomers-idm-make-part-11

(I think #11 is not public yet, should be within a few weeks at the latest).

I tried to cover as many different things as I have seen newcomers do
because they did not understand or know. My attempt to help. 🙂

> Mapping tables are easy. The thing to do after you get a base one
> working is to put it's DN in a GCV on the driver so that it is more
> portable and then use variable expansion in the map token for the DN.
> Not required but a good habit to be in.


Clever. I rarely bother to do it that way, but clever.

> On 3/20/2012 10:46 AM, pgold wrote:
>>
>> Can you point me to some documentation about creating mapping tables?
>>
>>



Anonymous_User Absent Member.

Re: Error syncing objects from edir to AD

Whoops, I missed the obvious.
You create the mapping table in Designer. In the outline view on the left select a place either in
the AD driver or in a common library (style points are the only difference). The mapping table is
essentially a spreadsheet and very intuitive. Populate data, don't forget to deploy it to the tree,
add your map tokens as necessary in your placement rule.

On 3/20/2012 10:46 AM, pgold wrote:
>
> Can you point me to some documentation about creating mapping tables?
>
>


pgold Absent Member.

Re: Error syncing objects from edir to AD


geoffc;2183673 Wrote:
> On 3/20/2012 10:26 AM, pgold wrote:
>
> b) This container in eDir goes to that container in AD. Could use a
> rule for each case. Or a mapping table that has a list of containers in
> eDir's namespace, mapped to AD container namespace (LDAP format).

So a couple more questions. Sorry, I have totally changed the subject,
but it was easier than starting a new thread. I went to the driver and
then clicked the advanced tab and then mapping tables. I clicked insert
and gave the mapping table a name. Then I get a box with two columns.
I assume the first column is for the eDir side and the second for the AD
side. You say LDAP format; was that just for the AD namespace or for
both? Somewhere else you talked about the format like this:
/TREE/OU/OU/OU so for the edir side, for the WAN container, it would be
/EDIR2ADLAB/fdny/support/btds/wan. In this example, I want the wan
container off of the fdny container on the AD side. So in the second
column I would put (in LDAP format)
ou=wan,ou=fdny,dc=edir2adlab,dc=local. Is that correct?

Finally, a different question, I have the syncing working great now,
but it is going both ways. I only want to go from edir to AD, not the
other way. I cannot figure out where to turn that off.

Thanks so much for your help. It has been a Godsend!

Phil Goldwasser
BTDS LAN Group
FDNY




Knowledge Partner

Re: Error syncing objects from edir to AD

>> b) This container in eDir goes to that container in AD. Could use a
>> rule for each case. Or a mapping table that has a list of containers
>> in
>> eDir's namespace, mapped to AD container namespace (LDAP format).
>>
>>
>> So a couple more questions. Sorry have totally changed the subject,
>> but it was easier than starting a new thread. I went to the driver and
>> then clicked the advanced tab and then mapping tables. I clicked insert
>> and game the mapping table a name. Then I get a box with two columns.
>> I assume the first column is for the eDir side and the second for the AD
>> side. You say LDAP format was that just for the AD namespace or for
>> both? Somewhere else you talked about the format like this:
>> /TREE/OU/OU/OU so for the edir side, for the WAN container, it would be


Actually, I said \TREE\O\OU\OU; this is how IDM references DNs internally.

So the source column would be the eDir DN
(\EDIR2ADLAB\fdny\support\btds\wan) and as you noted the LDAP
destination, for AD.

>> /EDIR2ADLAB/fdny/support/btds/wan. In this example, I want the wan
>> container off of the fdny container on the AD side. So in the second
>> column I would put (in LDAP format)
>> ou=wan,ou=fdny,dc=edir2adlab,dc=local. Is that correct?


Now you need a rule to handle this...

Here is an example, doing it in multiple steps so it is easier to
understand:

<rule>
  <description>[CIS] Testing placement by mapping table</description>
  <comment name="author" xml:space="preserve">Geoffrey Carman</comment>
  <comment name="version" xml:space="preserve">1</comment>
  <comment name="lastchanged" xml:space="preserve">Mar 21, 2012</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="SRC-DN" scope="policy">
      <arg-string>
        <token-src-dn length="-2"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="DEST-DN" scope="policy">
      <arg-string>
        <token-map default-value="XXYY" dest="dest-dn" src="src-dn" table="SomeTableDN ">
          <token-local-variable name="SRC-DN"/>
        </token-map>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable mode="nocase" name="DEST-DN" op="equal">XXYY</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-trace-message disabled="true">
          <arg-string>
            <token-text xml:space="preserve">If we get XXYY back then the DN was not found, either error, or place in a default location. Use a GCV so you can change it later easily, but I want a simple rule to demonstrate so I hard code a string value.</token-text>
          </arg-string>
        </do-trace-message>
        <do-set-op-dest-dn>
          <arg-dn>
            <token-text xml:space="preserve">cn=some,ou=default,ou=placement,dc=container,dc=local</token-text>
          </arg-dn>
        </do-set-op-dest-dn>
      </arg-actions>
      <arg-actions>
        <do-set-op-dest-dn>
          <arg-dn>
            <token-local-variable name="DEST-DN"/>
          </arg-dn>
        </do-set-op-dest-dn>
      </arg-actions>
    </do-if>
  </actions>
</rule>



And then here is an example of how you can do it in one line.

<rule>
  <description>[CIS] Testing placement by mapping table</description>
  <comment xml:space="preserve">Now all in one line, which is more confusing.</comment>
  <comment name="author" xml:space="preserve">Geoffrey Carman</comment>
  <comment name="version" xml:space="preserve">1</comment>
  <comment name="lastchanged" xml:space="preserve">Mar 21, 2012</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-set-op-dest-dn>
      <arg-dn>
        <token-map default-value="cn=some,ou=default,ou=placement,dc=container,dc=local"
                   dest="dest-dn" src="src-dn" table="SomeTableDN ">
          <token-src-dn length="-2"/>
        </token-map>
      </arg-dn>
    </do-set-op-dest-dn>
  </actions>
</rule>


>> Finally, a different question, I have the syncing working great now,
>> but it is going both ways. I only want to go from edir to AD, not the
>> other way. I cannot figure out where to turn that off.


Two ways.

1) Filter, stop syncing users on the Pub channel.
2) Pub-Match and Create stop it from matching/creating, so changes in AD
like passwords (which #1 will stop) and login disabled can still flow.


>>
>> Thanks so much for your help. It has been a Godsend!
>>
>> Phil Goldwasser
>> BTDS LAN Group
>> FDNY



pgold Absent Member.

Re: Error syncing objects from edir to AD


Hopefully near the end of my questions. So here are the rules that you
wrote. I need to know where the xml code gets pasted (in the mapping
table?). And to be sure I am getting this, I have edited your code with
my info. Can you let me know if I missed something? I assume I still
enter the source and destination info into the table fields like I asked
in my last message.

<rule>
  <description>[CIS] Testing placement by mapping table</description>
  <comment name="author" xml:space="preserve">Geoffrey Carman</comment>
  <comment name="version" xml:space="preserve">1</comment>
  <comment name="lastchanged" xml:space="preserve">Mar 21, 2012</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="SRC-DN" scope="policy">
      <arg-string>
        <token-src-dn length="-2"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="DEST-DN" scope="policy">
      <arg-string>
        <token-map default-value="XXYY" dest="dest-dn" src="src-dn"   *<<< Not sure what goes in that default value*
                   table="*Test.Active Directory.AD-TEST.fdny* ">
          <token-local-variable name="SRC-DN"/>
        </token-map>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable mode="nocase" name="DEST-DN" op="equal">XXYY</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-trace-message disabled="true">
          <arg-string>
            <token-text xml:space="preserve">If we get XXYY back then the DN was not found, either error, or place in a default location. Use a GCV so you can change it later easily, but I want a simple rule to demonstrate so I hard code a string value.</token-text>
            *<<< Forgive my ignorance, but what is GCV?*
          </arg-string>
        </do-trace-message>
        <do-set-op-dest-dn>
          <arg-dn>
            <token-text xml:space="preserve">cn=some,ou=default,ou=placement,dc=container,dc=local</token-text>
            *<<< This would be the destination in AD?*
          </arg-dn>
        </do-set-op-dest-dn>
      </arg-actions>
      <arg-actions>
        <do-set-op-dest-dn>
          <arg-dn>
            <token-local-variable name="DEST-DN"/>
          </arg-dn>
        </do-set-op-dest-dn>
      </arg-actions>
    </do-if>
  </actions>
</rule>



And then here is an example of how you can do it in one line.

<rule>
  <description>[CIS] Testing placement by mapping table</description>
  <comment xml:space="preserve">Now all in one line, which is more confusing.</comment>
  <comment name="author" xml:space="preserve">Geoffrey Carman</comment>
  <comment name="version" xml:space="preserve">1</comment>
  <comment name="lastchanged" xml:space="preserve">Mar 21, 2012</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-set-op-dest-dn>
      <arg-dn>
        <token-map default-value="cn=some,ou=default,ou=placement,dc=container,dc=local"
                   dest="dest-dn" src="src-dn" table="SomeTableDN ">
          <token-src-dn length="-2"/>
        </token-map>
      </arg-dn>
    </do-set-op-dest-dn>
  </actions>
</rule>


>> Finally, a different question, I have the syncing working great now,
>> but it is going both ways. I only want to go from edir to AD, not the
>> other way. I cannot figure out where to turn that off.


Two ways.

1) Filter, stop syncing users on the Pub channel.
2) Pub-Match and Create stop it from matching/creating, so changes in AD
like passwords (which #1 will stop) and login disabled can still flow.


>>
>> Thanks so much for your help. It has been a Godsend!
>>
>> Phil Goldwasser
>> BTDS LAN Group
>> FDNY





Anonymous_User Absent Member.

Re: Error syncing objects from edir to AD

The block of XML from <rule> to </rule> would go into your placement policy.
There is other XML in that policy but if you create just an empty rule in the GUI, then go to the
XML you can paste this over your empty rule and it will maintain the parent nodes and be pretty.

Then when you switch back to the GUI it will validate this rule for typos and errors.

On 3/21/2012 7:56 AM, pgold wrote:
>
> Hopefully near the end of my questions. So here is the rules that you
> wrote. I need to know where the xml code gets pasted (in the mapping
> table?). And to be sure I am getting this, I am edited your code with
> my info. Can you let me know if I missed something? I assume I still
> enter the source and destination info into the table fields like I asked
> in my last message.
>


Knowledge Partner

Re: Error syncing objects from edir to AD

The Map token needs a DN to reference. I would just open the rule, once
you have it pasted in (per Will's advice, even if he did cut out one of
my precious, precious comments! The Noive! The Noive I say... Why, I
otter...), drill down to the Map token, and use the browser to pick the
mapping table so you get your DN right.

I gave two approaches. One is simpler than the other, but harder to
understand. The first does it the hard way, (time wise, minor
performance difference) so you can see it step by step.



On 3/21/2012 8:56 AM, pgold wrote:
>
> Hopefully near the end of my questions. So here is the rules that you
> wrote. I need to know where the xml code gets pasted (in the mapping
> table?). And to be sure I am getting this, I am edited your code with
> my info. Can you let me know if I missed something? I assume I still
> enter the source and destination info into the table fields like I asked
> in my last message.
>


Anonymous_User Absent Member.

Re: Error syncing objects from edir to AD

It wasn't your comments I cut out, it was ones from the post that were mixed in 🙂
I would never cut out your documentation 🙂

On 3/21/2012 12:24 PM, Geoffrey Carman wrote:
> The Map token needs a DN to reference. I would just open the rule, once you have it pasted in (per
> Will's advice, even if he did cut out one of my precious, precious comments! The Noive! The Noive I
> say... Why, I otter...), drill down to the Map token, and use the browser to pick the mapping table
> so you get your DN right.

pgold Absent Member.

Re: Error syncing objects from edir to AD


geoffc;2184133 Wrote:
> The Map token needs a DN to reference. I would just open the rule, once
> you have it pasted in (per Will's advice, even if he did cut out one of
> my precious, precious comments! The Noive! The Noive I say... Why, I
> otter...), drill down to the Map token, and use the browser to pick the
> mapping table so you get your DN right.
>
> I gave two approaches. One is simpler than the other, but harder to
> understand. The first does it the hard way, (time wise, minor
> performance difference) so you can see it step by step.

OK. I got your other message too. So I am pasting exactly what I am
putting into the placement policy here. I think I have it correct as
the Mapping Table DN is Test.Active Directory.AD-TEST.fdny. Also you
have a place in there where you put in some default dn etc. I assume I
need to edit that to be a valid dn.

Now in the mapping table, I want to make sure I create it correctly as
well. I have two columns. The top fields I assume are to name the
fields. Do I need to use names that are in the rule below? So that
would be SRC-DN and DEST-DN? If so, then in the SRC-DN I would put
/EDIR2ADLAB/fdny/support/btds/engineering and in the DEST-DN I would put
ou=engineering,ou=fdny,dc=edir2adlab,dc=local. Is that correct?

<rule>
  <description>[CIS] Testing placement by mapping table</description>
  <comment name="author" xml:space="preserve">Geoffrey Carman</comment>
  <comment name="version" xml:space="preserve">1</comment>
  <comment name="lastchanged" xml:space="preserve">Mar 21, 2012</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="SRC-DN" scope="policy">
      <arg-string>
        <token-src-dn length="-2"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="DEST-DN" scope="policy">
      <arg-string>
        <token-map default-value="XXYY" dest="dest-dn" src="src-dn"
                   table="Test.Active Directory.AD-TEST.fdny">
          <token-local-variable name="SRC-DN"/>
        </token-map>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable mode="nocase" name="DEST-DN" op="equal">XXYY</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-trace-message disabled="true">
          <arg-string>
            <token-text xml:space="preserve">If we get XXYY back then the DN was not found, either error, or place in a default location. Use a GCV so you can change it later easily, but I want a simple rule to demonstrate so I hard code a string value.</token-text>
          </arg-string>
        </do-trace-message>
        <do-set-op-dest-dn>
          <arg-dn>
            <token-text xml:space="preserve">cn=fdny,dc=edir2adlab,dc=local</token-text>
          </arg-dn>
        </do-set-op-dest-dn>
      </arg-actions>
      <arg-actions>
        <do-set-op-dest-dn>
          <arg-dn>
            <token-local-variable name="DEST-DN"/>
          </arg-dn>
        </do-set-op-dest-dn>
      </arg-actions>
    </do-if>
  </actions>
</rule>




Knowledge Partner

Re: Error syncing objects from edir to AD

>> OK. I got your other message too. So I am pasting exactly what I am
>> putting into the placement policy here. I think I have it correct as
>> the Mapping Table DN is Test.Active Directory.AD-TEST.fdny. Also you
>> have a place in there where you put in some default dn etc. I assume I
>> need to edit that to be a vaid dn.


Format for the value in Mapping table is fdny\AD-Test\Active Directory\Test

Backslash notation.

As for the default value in the second example, yes, it needs to be an LDAP
formatted real DN in AD. So ou=something,dc=edir2lab,dc=local or wherever
you want them to go.

(Or not? Maybe veto if they do not come from a proper container? Both
are options).

Give me an email offline (geoffreycarman@Gmail.com) if you would like.

>>
>> Now in the mapping table, I want to make sure I create it correctly as
>> well. I have two columns. The top fields I assume are to name the
>> fields. Do I need to use names that are in the rule below? So that
>> would be SRC-DN and DEST-DN? If so, then in the SRC-DN I would put
>> /EDIR2ADLAB/fdny/support/btds/engineering and in the DEST-DN I would put
>> ou=engineering,ou=fdny,dc=edir2adlab,dc=local. Is that correct?


Almost. Backslashes, not forward slashes.

Thus NOT:
/EDIR2ADLAB/fdny/support/btds/engineering

Rather
\EDIR2ADLAB\fdny\support\btds\engineering

Dest looks good.
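The placement logic from the two rules Geoff posted (src-dn with length="-2", the Map token with a sentinel default, then fall back to a default container or veto), together with the backslash-notation and tree-name checks from this last reply, modelled in plain Python. This is an added example, not IDM code or anything from the thread; the mapping-table rows, the user DNs and the case-insensitive comparison in map_token are assumptions.

```python
"""Plain-Python model of the mapping-table placement rule from this thread.

Added example, not IDM code. It reproduces what the DirXML-Script rule does
(src-dn length="-2", Map token with a default value, fall back to a default
container or veto) so the DN-format pitfalls raised in the thread can be
tried offline. All table rows and user DNs below are constructed.
"""
from typing import Optional

# Sentinel used as default-value in the two-step rule: if the Map token
# hands it back, the container was not in the table.
NOT_FOUND = "XXYY"
# Fallback container from the rule (a GCV would normally hold this).
DEFAULT_DEST = "cn=some,ou=default,ou=placement,dc=container,dc=local"
TREE_NAME = "EDIR2ADLAB"

# Constructed mapping table. src-dn must be in eDir backslash notation
# including the tree name; dest-dn is the AD container in LDAP format.
# The third row is deliberately wrong (forward slashes) to show the miss.
MAPPING_TABLE = [
    {"src-dn": r"\EDIR2ADLAB\fdny\support\btds\wan",
     "dest-dn": "ou=wan,ou=fdny,dc=edir2adlab,dc=local"},
    {"src-dn": r"\EDIR2ADLAB\fdny\support\btds\engineering",
     "dest-dn": "ou=engineering,ou=fdny,dc=edir2adlab,dc=local"},
    {"src-dn": "/EDIR2ADLAB/fdny/support/btds/lan",
     "dest-dn": "ou=lan,ou=fdny,dc=edir2adlab,dc=local"},
]


def src_dn_container(src_dn: str) -> str:
    """Equivalent of <token-src-dn length="-2"/>: drop the leaf RDN and
    return the parent container, still in backslash notation."""
    parts = src_dn.split("\\")
    # r"\TREE\o\ou\cn" splits into ["", "TREE", "o", "ou", "cn"]
    if len(parts) < 3 or parts[0] != "":
        raise ValueError(f"not an eDir backslash DN: {src_dn!r}")
    return "\\".join(parts[:-1])


def map_token(value: str, table, src: str, dest: str, default_value: str) -> str:
    """Equivalent of <token-map>: find value in column `src` and return the
    row's `dest` column, else default_value. Assumes (not verified against
    IDM) a case-insensitive comparison; slash direction and tree name must
    still match exactly, which is the mistake the thread is about."""
    needle = value.casefold()
    for row in table:
        if row[src].casefold() == needle:
            return row[dest]
    return default_value


def place_user(src_dn: str, table=MAPPING_TABLE,
               default_dest: Optional[str] = DEFAULT_DEST):
    """The two-step rule: look up the user's container, then either use the
    mapped AD container or fall back to default_dest. With default_dest=None
    the unmapped case is vetoed (Geoff's other option) and None comes back.
    Returns (destination_dn, found_in_table)."""
    container = src_dn_container(src_dn)
    dest = map_token(container, table, "src-dn", "dest-dn", NOT_FOUND)
    if dest != NOT_FOUND:
        return dest, True
    return default_dest, False


def lint_mapping_table(table, tree_name: str):
    """Pre-deployment check for the two mistakes discussed in the thread:
    forward slashes, and a src-dn that does not start with \\TREE\\ even
    though eDir always returns the tree name in the DN."""
    problems = []
    prefix = "\\" + tree_name + "\\"
    for i, row in enumerate(table):
        src = row["src-dn"]
        if "/" in src:
            problems.append((i, "forward slashes; IDM uses backslash notation"))
        elif not src.casefold().startswith(prefix.casefold()):
            problems.append((i, "missing leading " + prefix + " (tree name)"))
    return problems


if __name__ == "__main__":
    for dn in (r"\EDIR2ADLAB\fdny\support\btds\wan\goldwap",
               r"\EDIR2ADLAB\fdny\support\btds\lan\someone"):
        print(dn, "->", place_user(dn))
    for idx, why in lint_mapping_table(MAPPING_TABLE, TREE_NAME):
        print("row", idx, ":", why)
```

The lan user lands in the default container only because its table row was typed with forward slashes; lint_mapping_table flags that row before the table is deployed.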


Knowledge Partner

Re: Error syncing objects from edir to AD

On Tue, 20 Mar 2012 12:28:56 +0000, Geoffrey Carman wrote:

> [03/20/12 07:50:28.014]:Active Directory ST: DirXML Log Event -------------------
> Driver: \EDIR2ADLAB\fdny\AD-TEST\Active Directory
> Channel: Subscriber
> Object: \EDIR2ADLAB\fdny\Support\BTDS\LAN\goldwap
> Status: Error
> Message: Code(-9010) An exception occurred: novell.jclient.JCException: modifyEntry -672 ERR_NO_ACCESS


If the driver can't write to eDir, it may lack sufficient rights to read
the distribution password, even if it exists.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

albertjansteven Absent Member.

Re: Error syncing objects from edir to AD


If you go to driver properties, you will see a Trace option there where you
can set the driver trace file and trace level options. This could be a
nice guide for you: 'Important Notice'
(http://www.novell.com/communities/node/9677/comprehending-idm-traces-part-1)


--
albertjanstevens
------------------------------------------------------------------------
albertjanstevens's Profile: http://forums.novell.com/member.php?userid=84836
View this thread: http://forums.novell.com/showthread.php?t=453618

Knowledge Partner

Re: Error syncing objects from edir to AD

On 3/19/2012 1:56 PM, albertjanstevens wrote:
>
> If you go to driver properties, you will see an option trace there you
> can set the driver trace file and trace level options. This could be a
> nice guide for you: 'Important Notice'
> (http://www.novell.com/communities/node/9677/comprehending-idm-traces-part-1)


Totally agree! Fernando's series was so much better than my attempt at
this, that I stopped on the topic! He has several articles in this
series, let me suggest all of them since you will learn important things
you need to know for certain from them.

http://www.novell.com/communities/node/5681/capturing-and-reading-novell-identity-manager-traces
http://www.novell.com/communities/node/9677/comprehending-idm-traces-part-1
http://www.novell.com/communities/node/11166/comprehending-idm-traces-part-2

Quick Summary: In Designer, look at the Driver Properties (double
click the line in Modeler view, right click properties, or in Outline
view). Then the side tab of Trace. The file path is platform specific,
where the engine is running, so if you are on NetWare it would look like
sys:\log\ADDriver.log, on Linux more like /var/log/idmtrace/addriver.log
and Winders would be more like d:\logs\addriver.log. (If you are on
Linux and try the other formats, it will show up in the eDir DIB
directory as a crazy named file, like sys:\logs\Addriver.log which on
Linux looks really crazy.)

In iManager, edit driver properties, Misc tab.


