
Exchange 2012 create mailbox problem


Hi,

Have run into a problem with creating Exchange mailboxes. It works OK
for all accounts except when the user has a ' in the name part of the
DN. Obviously we create the AD account in the following form:

cn=Joanne d'Arc,ou=,ou=... etc. This works great.

When we later mailbox-enable this user, the cmdlet bombs out:


Code:
--------------------
DirXML Log Event -------------------
Driver: \IDV\res\DriverSet\AD-Org
Channel: Subscriber
Object: \IDV\Active\Users\chrdar
Status: Error
Message: Exchange 2010 Exception. code:0x00000380 Error completing exchange 2010 command. ERROR: The string starting:
At line:1 char:363
+ Enable-Mailbox
-Identity 'CN=Joanne D'Arc,OU=Employees,DC=blah,DC=domain,DC=com'
-Database 'CN=US-MDB7,CN=Databases,CN=Exchange Administrative Group ,
CN=Administrative Groups,CN=blah,CN=Microsoft Exchange,CN=Services,
CN=Configuration,DC=blah,DC=domain,DC=com'
-DomainController 'bigserver.blah.domain.com <<<< '
is missing the terminator: '.
--------------------


obviously due to the ' in the DN.
Question: Can the ' as string delimiter be replaced by ", or is the
solution to actually strip out the ' from the full name (that we use in the
DN)?

br
//anders


--
abergvall
------------------------------------------------------------------------
abergvall's Profile: https://forums.netiq.com/member.php?userid=278
View this thread: https://forums.netiq.com/showthread.php?t=47935


Re: Exchange 2012 create mailbox problem

Or escape it with a backslash.

You could try the Escape Destination DN() token in the Argument Builder,
verb section.

Bet commas have the same issue for you as well.



> Have run into a problem with creating Exchange mailboxes. It works OK
> for all accounts except when the user has a ' in the name part of the
> DN. Obviously we create the AD account in the following form:
>
> cn=Joanne d'Arc,ou=,ou=... etc. this works great.
>
> when we later should mailbox enable this mailbox the cmdlet bombs out:
>
>
> Code:
> --------------------
> DirXML Log Event -------------------
> Driver: \IDV\res\DriverSet\AD-Org
> Channel: Subscriber
> Object: \IDV\Active\Users\chrdar
> Status: Error
> Message: Exchange 2010 Exception. code:0x00000380 Error completing exchange 2010 command. ERROR: The string starting:
> At line:1 char:363
> + Enable-Mailbox
> -Identity 'CN=Joanne D'Arc,OU=Employees,DC=blah,DC=domain,DC=com'
> -Database 'CN=US-MDB7,CN=Databases,CN=Exchange Administrative Group ,
> CN=Administrative Groups,CN=blah,CN=Microsoft Exchange,CN=Services,
> CN=Configuration,DC=blah,DC=domain,DC=com'
> -DomainController 'bigserver.blah.domain.com <<<< '
> is missing the terminator: '.
> --------------------
>
>
> obviously due to the ' in the DN.
> Question: Can the ' as string delimiter be replaced by ", or is the
> solution to actually strip out the ' from the full name (that we use in the
> DN)?
>
> br
> //anders
>
>



Re: Exchange 2012 create mailbox problem


Exchange 2010 it should state. Nothing else.


--
abergvall


Re: Exchange 2012 create mailbox problem

On Tue, 11 Jun 2013 15:24:03 +0000, abergvall wrote:

> Have run into a problem with creating Exchange mailboxes. It works OK
> for all accounts except when the user has a ' in the name part of the
> DN.


What happens if you escape the embedded single quote, like Joanne d\'Arc


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.


Re: Exchange 2012 create mailbox problem

On 11/06/2013 17:24, abergvall wrote:
>
> Hi,
>
> Have run into a problem with creating Exchange mailboxes. It works OK
> for all accounts except when the user has a ' in the name part of the
> DN. Obviously we create the AD account in the following form:
>
> cn=Joanne d'Arc,ou=,ou=... etc. this works great.
>
> when we later should mailbox enable this mailbox the cmdlet bombs out:
>
>
> Code:
> --------------------
> DirXML Log Event -------------------
> Driver: \IDV\res\DriverSet\AD-Org
> Channel: Subscriber
> Object: \IDV\Active\Users\chrdar
> Status: Error
> Message: Exchange 2010 Exception. code:0x00000380 Error completing exchange 2010 command. ERROR: The string starting:
> At line:1 char:363
> + Enable-Mailbox
> -Identity 'CN=Joanne D'Arc,OU=Employees,DC=blah,DC=domain,DC=com'
> -Database 'CN=US-MDB7,CN=Databases,CN=Exchange Administrative Group ,
> CN=Administrative Groups,CN=blah,CN=Microsoft Exchange,CN=Services,
> CN=Configuration,DC=blah,DC=domain,DC=com'
> -DomainController 'bigserver.blah.domain.com <<<< '
> is missing the terminator: '.
> --------------------
>
>
> obviously due to the ' in the DN.
> Question: Can the ' as string delimiter be replaced by ", or is the
> solution to actually strip out the ' from the full name (that we use in the
> DN)?
>
> br
> //anders
>
>

There is no need to use the DN
(http://technet.microsoft.com/en-us/library/jj614576.aspx).
You can use the following instead:

ADObjectID
GUID
Distinguished name (DN)
Domain\SamAccountName
User principal name (UPN)
LegacyExchangeDN
Email Address
User alias

Re: Exchange 2012 create mailbox problem

> On 11/06/2013 17:24, abergvall wrote:
>> Have run into a problem with creating Exchange mailboxes. It works OK
>> for all accounts except when the user has a ' in the name part of the
>> DN. Obviously we create the AD account in the following form:
>>
>> cn=Joanne d'Arc,ou=,ou=... etc. this works great.
>>
>> when we later should mailbox enable this mailbox the cmdlet bombs out:
>>


As plenty of other people have said, you must escape the DN (see my
reply to a near-identical problem last year which includes example code)
https://forums.netiq.com/showthread.php?42640-Issue-with-homeMDB-creation-on-Active-directory-driver&p=201903#post201903

On 11.06.2013 23:21, alekz wrote:
> There is no need to use the DN
> (http://technet.microsoft.com/en-us/library/jj614576.aspx).
> You can use the following instead:
> ADObjectID
> GUID
> Distinguished name (DN)
> Domain\SamAccountName
> User principal name (UPN)
> LegacyExchangeDN
> Email Address
> User alias


This is true (in theory), but when using the IDM MAD driver shim's
Exchange Integration (as in this example), the PowerShell command line
is constructed by the driver shim and you can't force it to use a more
sensible default than DN for the Identity. So you have to ensure that
IDM has a correctly escaped DN.

In my opinion this should be an enhancement request (or maybe even a
bug) as using ObjectGUID (the default association value) is a far more
resilient (albeit slightly less friendly) solution.

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: Exchange 2012 create mailbox problem


Hello,

Checked your link, and found that we are indeed using the fullNameMap
setting on the driver, and the rule for escaping is in place.
It's just not working 😞
Engine and RL are 4.02; the AD driver shim is... the one that came with 4.02.

Time for testing.
br
/A


--
abergvall


Re: Exchange 2012 create mailbox problem


Created a test user for the fun of it:


Code:
--------------------
[06/12/13 09:56:57.190]:ad-org ST: Evaluating selection criteria for rule 'Use Full Name for naming user objects'.
[06/12/13 09:56:57.190]:ad-org ST: (if-class-name equal "User") = TRUE.
[06/12/13 09:56:57.191]:ad-org ST: (if-global-variable 'FullNameMap' equal "true") = TRUE.
[06/12/13 09:56:57.191]:ad-org ST: Rule selected.
[06/12/13 09:56:57.191]:ad-org ST: Applying rule 'Use Full Name for naming user objects'.
[06/12/13 09:56:57.191]:ad-org ST: Action: do-set-op-dest-dn(arg-dn("CN="+token-escape-for-dest-dn(token-attr("Full Name"))+","+token-dest-dn(length="-2"))).
[06/12/13 09:56:57.191]:ad-org ST: arg-dn("CN="+token-escape-for-dest-dn(token-attr("Full Name"))+","+token-dest-dn(length="-2"))
[06/12/13 09:56:57.192]:ad-org ST: token-text("CN=")
[06/12/13 09:56:57.192]:ad-org ST: token-escape-for-dest-dn(token-attr("Full Name"))
[06/12/13 09:56:57.192]:ad-org ST: token-escape-for-dest-dn(token-attr("Full Name"))
[06/12/13 09:56:57.192]:ad-org ST: token-attr("Full Name")
[06/12/13 09:56:57.192]:ad-org ST: Token Value: "Jean O D'Arc".
[06/12/13 09:56:57.192]:ad-org ST: Arg Value: "Jean O D'Arc".
[06/12/13 09:56:57.192]:ad-org ST: Token Value: "Jean O D'Arc".
[06/12/13 09:56:57.192]:ad-org ST: token-text(",")
[06/12/13 09:56:57.193]:ad-org ST: token-dest-dn(length="-2")
[06/12/13 09:56:57.193]:ad-org ST: Token Value: "OU=Consultants,OU=Users,OU=SE,OU=Corporate,DC=blah,DC=domain,DC=com".
[06/12/13 09:56:57.193]:ad-org ST: Arg Value: "CN=Jean O D'Arc,OU=Consultants,OU=Users,OU=SE,OU=Corporate,DC=blah,DC=domain,DC=com".
[06/12/13 09:56:57.193]:ad-org ST:Policy returned:
[06/12/13 09:56:57.194]:ad-org ST:
[06/12/13 09:56:57.194]:ad-org ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.1">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add cached-time="20130612075656.919Z" class-name="User" dest-dn="CN=Jean O D'Arc,OU=Consultants,OU=Users,OU=SE,OU=Corporate,DC=Blah,DC=domain,DC=com" event-id="se10offedir01#20130612075656#6#1:20b029e9-c0bd-4a44-fe85-e929b020bdc0" qualified-src-dn="O=Active\OU=Users\CN=jeadar" src-dn="\IDV\Active\Users\jeadar" src-entry-id="164065" timestamp="1371023812#27">
<add-attr attr-name="CN">
<value naming="true" timestamp="1371023809#74" type="string">jeadar</value>


--------------------


Looks like the *token-escape-for-dest-dn* isn't really doing anything 😞


--
abergvall


Re: Exchange 2012 create mailbox problem

On 6/12/2013 4:14 AM, abergvall wrote:
>
> Created a test user for the fun of it:
>
>
> Code:
> --------------------
> [06/12/13 09:56:57.190]:ad-org ST: Evaluating selection criteria for rule 'Use Full Name for naming user objects'.
> [06/12/13 09:56:57.190]:ad-org ST: (if-class-name equal "User") = TRUE.
> [06/12/13 09:56:57.191]:ad-org ST: (if-global-variable 'FullNameMap' equal "true") = TRUE.
> [06/12/13 09:56:57.191]:ad-org ST: Rule selected.
> [06/12/13 09:56:57.191]:ad-org ST: Applying rule 'Use Full Name for naming user objects'.
> [06/12/13 09:56:57.191]:ad-org ST: Action: do-set-op-dest-dn(arg-dn("CN="+token-escape-for-dest-dn(token-attr("Full Name"))+","+token-dest-dn(length="-2"))).
> [06/12/13 09:56:57.191]:ad-org ST: arg-dn("CN="+token-escape-for-dest-dn(token-attr("Full Name"))+","+token-dest-dn(length="-2"))
> [06/12/13 09:56:57.192]:ad-org ST: token-text("CN=")
> [06/12/13 09:56:57.192]:ad-org ST: token-escape-for-dest-dn(token-attr("Full Name"))
> [06/12/13 09:56:57.192]:ad-org ST: token-escape-for-dest-dn(token-attr("Full Name"))
> [06/12/13 09:56:57.192]:ad-org ST: token-attr("Full Name")
> [06/12/13 09:56:57.192]:ad-org ST: Token Value: "Jean O D'Arc".
> [06/12/13 09:56:57.192]:ad-org ST: Arg Value: "Jean O D'Arc".
> [06/12/13 09:56:57.192]:ad-org ST: Token Value: "Jean O D'Arc".
> [06/12/13 09:56:57.192]:ad-org ST: token-text(",")
> [06/12/13 09:56:57.193]:ad-org ST: token-dest-dn(length="-2")
> [06/12/13 09:56:57.193]:ad-org ST: Token Value: "OU=Consultants,OU=Users,OU=SE,OU=Corporate,DC=blah,DC=domain,DC=com".
> [06/12/13 09:56:57.193]:ad-org ST: Arg Value: "CN=Jean O D'Arc,OU=Consultants,OU=Users,OU=SE,OU=Corporate,DC=blah,DC=domain,DC=com".
> [06/12/13 09:56:57.193]:ad-org ST:Policy returned:
> [06/12/13 09:56:57.194]:ad-org ST:
> [06/12/13 09:56:57.194]:ad-org ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.2.1">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add cached-time="20130612075656.919Z" class-name="User" dest-dn="CN=Jean O D'Arc,OU=Consultants,OU=Users,OU=SE,OU=Corporate,DC=Blah,DC=domain,DC=com" event-id="se10offedir01#20130612075656#6#1:20b029e9-c0bd-4a44-fe85-e929b020bdc0" qualified-src-dn="O=Active\OU=Users\CN=jeadar" src-dn="\IDV\Active\Users\jeadar" src-entry-id="164065" timestamp="1371023812#27">
> <add-attr attr-name="CN">
> <value naming="true" timestamp="1371023809#74" type="string">jeadar</value>
>
>
> --------------------
>
>
> Looks like the *token-escape-for-dest-dn* isn't really doing anything 😞


Ya, I have seen that happen as well.

You can manually fix this with Replace All tokens, just remember the
fields are regexes, so it is replace all \' with \\\' or the like.
Should also do commas while you are there, as \, with \\\, or somesuch.

Simulator will let you test this quick.


Re: Exchange 2012 create mailbox problem

On 12.06.2013 11:51, Geoffrey Carman wrote:
> On 6/12/2013 4:14 AM, abergvall wrote:
>> Looks like the *token-escape-for-dest-dn* isn't really doing anything 😞

>
> Ya, I have seen that happen as well.
>
> You can manually fix this with Replace All tokens, just remember the
> fields are regexes, so it is replace all \' with \\\' or the like.
> Should also do commas while you are there, as \, with \\\, or somesuch.
>
> Simulator will let you test this quick.


The RFC says that implementations MAY escape other characters, but this
seems quite excessive. Also I'm not sure if it would work in all scenarios.

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: Exchange 2012 create mailbox problem

On 6/12/2013 6:04 AM, Alex McHugh wrote:
> On 12.06.2013 11:51, Geoffrey Carman wrote:
>> On 6/12/2013 4:14 AM, abergvall wrote:
>>> Looks like the *token-escape-for-dest-dn* isn't really doing anything 😞

>>
>> Ya, I have seen that happen as well.
>>
>> You can manually fix this with Replace All tokens, just remember the
>> fields are regexes, so it is replace all \' with \\\' or the like.
>> Should also do commas while you are there, as \, with \\\, or somesuch.
>>
>> Simulator will let you test this quick.

>
> The RFC says that implementations MAY escape other characters, but this
> seems quite excessive. Also I'm not sure if it would work in all scenarios.


RFC for Exchange calls, or Escape Destination DN?


Re: Exchange 2012 create mailbox problem

On 12.06.2013 15:06, Geoffrey Carman wrote:
> On 6/12/2013 6:04 AM, Alex McHugh wrote:
>> On 12.06.2013 11:51, Geoffrey Carman wrote:
>>> On 6/12/2013 4:14 AM, abergvall wrote:
>>>> Looks like the *token-escape-for-dest-dn* isn't really doing
>>>> anything 😞
>>>
>>> Ya, I have seen that happen as well.
>>>
>>> You can manually fix this with Replace All tokens, just remember the
>>> fields are regexes, so it is replace all \' with \\\' or the like.
>>> Should also do commas while you are there, as \, with \\\, or somesuch.
>>>
>>> Simulator will let you test this quick.

>>
>> The RFC says that implementations MAY escape other characters, but this
>> seems quite excessive. Also I'm not sure if it would work in all
>> scenarios.

>
> RFC for Exchange calls, or Escape Destination DN?



This thread mixes up two very distinct problems:

1. Escape Destination DN supposedly not working properly.

In this case it appears to be working as per the documentation.

https://www.netiq.com/documentation/idm402/policy_dtd/data/dtddirxmltokenescapedordestdn.html

"Expands to a version of the expansion of the concatenation of the
enclosed tokens, which has been escaped for use in a DN according to the
rules of the destination DN format."

They don't go into specifics of the Destination DN format as it can vary
from driver shim to shim.

In this case, the driver shim is AD and the destination DN format is the
Active Directory LDAP DN which is based on the LDAPv3 Distinguished Name
standard.

The RFC I was referring to is RFC 2253.

There is also a draft 4514 which may eventually obsolete 2253:

http://www.ietf.org/rfc/rfc2253.txt
and
http://www.ietf.org/rfc/rfc4514.txt

Microsoft's documentation also references RFC 2253:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366101(v=vs.85).aspx

There is no reference in these RFCs or in Microsoft's LDAP DN
documentation that says a single quote within a DN MUST be escaped.

The original poster said that the user could be created in AD with an
unescaped single quote in the DN; this is further evidence that such
escaping is unnecessary with respect to IDM creating and managing users
named like this in AD.

2. PowerShell has its own character escaping/quoting rules (nothing to
do with LDAP DNs).

The PowerShell cmdlet generated by the AD driver shim when it parses out the
Exchange trigger attributes is:

Enable-Mailbox -Identity 'CN=Joanne
D'Arc,OU=Employees,DC=blah,DC=domain,DC=com' -Database
'CN=US-MDB7,CN=Databases,CN=Exchange Administrative
Group,CN=Administrative Groups,CN=blah,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=blah,DC=domain,DC=com'
-DomainController 'bigserver.blah.domain.com

The driver shim should properly escape the string values it uses to
construct the PowerShell cmdlet.

The end result should be:

Enable-Mailbox -Identity 'CN=Joanne
D''Arc,OU=Employees,DC=blah,DC=domain,DC=com' -Database
'CN=US-MDB7,CN=Databases,CN=Exchange Administrative
Group,CN=Administrative Groups,CN=blah,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=blah,DC=domain,DC=com'
-DomainController 'bigserver.blah.domain.com

If there were a way to force the AD driver shim to switch to using double
quotes as the quote delimiter, that would also appear to work for this
particular scenario (but it is an extremely bad idea, as it will lead to new
problems).



--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.
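The two rule sets Alex separates above (LDAP DN escaping per RFC 4514 versus PowerShell single-quote literal quoting), and the backslash-based Replace All that Geoffrey suggested earlier, can be compared with the following Python. It is an added example, not code from the thread or from the NetIQ AD driver; the names, DNs and the assumption that the shim simply wraps each argument in single quotes are constructed from the log excerpt in the thread.

```python
import re

# Constructed sample values modelled on the thread's log excerpt (not real objects).
FULL_NAME = "Joanne D'Arc"
PARENT_DN = "OU=Employees,DC=blah,DC=domain,DC=com"
DATABASE_DN = "CN=US-MDB7,CN=Databases,DC=blah,DC=domain,DC=com"
DC_FQDN = "bigserver.blah.domain.com"

# RFC 4514 section 2.4: characters that MUST be escaped inside an attribute value.
# The single quote is not among them: CN=Joanne D'Arc is a valid DN, which is
# why AD accepted the account create in the first place.
_DN_SPECIALS = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514 (LDAP DN string form)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would read as a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading or trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def ps_single_quoted(value: str) -> str:
    """Render a value as a PowerShell single-quoted literal. The only special
    character inside '...' is the quote itself, written as ''; a backslash
    (the LDAP-style rule of the Replace All suggestion) means nothing here."""
    return "'" + value.replace("'", "''") + "'"


def build_naive(full_name, parent_dn, database_dn, dc_fqdn):
    """Assumed shim behaviour shown in the thread: raw DN wrapped in single quotes."""
    identity = "CN=" + full_name + "," + parent_dn
    return ("Enable-Mailbox -Identity '%s' -Database '%s' -DomainController '%s'"
            % (identity, database_dn, dc_fqdn))


def build_enable_mailbox(full_name, parent_dn, database_dn, dc_fqdn):
    """The command as it should be built: DN escaped by the LDAP rules,
    then each argument quoted by the PowerShell rules."""
    identity = "CN=" + escape_dn_value(full_name) + "," + parent_dn
    return ("Enable-Mailbox -Identity " + ps_single_quoted(identity)
            + " -Database " + ps_single_quoted(database_dn)
            + " -DomainController " + ps_single_quoted(dc_fqdn))


# A well-formed single-quoted literal; '' inside it is an escaped quote.
_PS_LITERAL = re.compile(r"'(?:[^']|'')*'")


def quotes_balanced(cmd: str) -> bool:
    """Mimic the parser check behind "The string ... is missing the terminator":
    strip every well-formed literal and see whether a stray quote remains."""
    return "'" not in _PS_LITERAL.sub("", cmd)


if __name__ == "__main__":
    for build in (build_naive, build_enable_mailbox):
        cmd = build(FULL_NAME, PARENT_DN, DATABASE_DN, DC_FQDN)
        print(("OK      " if quotes_balanced(cmd) else "BROKEN  ") + cmd)
```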

Re: Exchange 2012 create mailbox problem

>> RFC for Exchange calls, or Escape Destination DN?
>
>
> This thread mixes up two very distinct problems:
>
> 1. Escape Destination DN supposedly not working properly.
>
> In this case it appears to be working as per the documentation.
>
> https://www.netiq.com/documentation/idm402/policy_dtd/data/dtddirxmltokenescapedordestdn.html
>
>
> "Expands to a version of the expansion of the concatenation of the
> enclosed tokens, which has been escaped for use in a DN according to the
> rules of the destination DN format."
>
> They don't go into specifics of the Destination DN format as it can vary
> from driver shim to shim.


Nor do they explain where/how it is defined. I think that would be
interesting to know. Similarly how are Dest-Dn and Source-DN formatting
defined in a driver? I.e. The shim somehow informs the driver of its
format requirements. I would be interested in understanding how that is
configured.



Re: Exchange 2012 create mailbox problem

On 12.06.2013 19:03, Geoffrey Carman wrote:
>>> RFC for Exchange calls, or Escape Destination DN?

>>
>>
>> This thread mixes up two very distinct problems:
>>
>> 1. Escape Destination DN supposedly not working properly.
>>
>> In this case it appears to be working as per the documentation.
>>
>> https://www.netiq.com/documentation/idm402/policy_dtd/data/dtddirxmltokenescapedordestdn.html
>>
>>
>>
>> "Expands to a version of the expansion of the concatenation of the
>> enclosed tokens, which has been escaped for use in a DN according to the
>> rules of the destination DN format."
>>
>> They don't go into specifics of the Destination DN format as it can vary
>> from driver shim to shim.

>
> Nor do they explain where/how it is defined. I think that would be
> interesting to know. Similarly how are Dest-Dn and Source-DN formatting
> defined in a driver? I.e. The shim somehow informs the driver of its
> format requirements. I would be interested in understanding how that is
> configured.


This is a good question, I would like to know how to define this for
drivers that don't have a normal shim (like the Scripting Driver).

I've not written any actual driver shims, maybe it's in the skeleton
code for a generic shim.

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: Exchange 2012 create mailbox problem

> This is a good question, I would like to know how to define this for
> drivers that don't have a normal shim (like the Scripting Driver).
>
> I've not written any actual driver shims, maybe it's in the skeleton
> code for a generic shim.


That is a good thought.

I guess in some ways, that is why there is a ParseDN Custom format,
since that is how you define a format, and I guess you must provide it
in code somewhere in the driver shims.

(This would be a great moment for Shon to pop his head in and just
answer the question for us...) 🙂

