Anonymous_User Absent Member.

How to remove values from multi-value attribute of AD?


Hi,

Using IDM4.0.2
runs on Suse 11sp2 x64

I set the AD attribute otherPager to carry OU (department) info

One staff can belong to several departments, say, one can be a staff of
department ISO and ITS

then the value in NDS is

ou = ITS
ou = ISO

If the value is synced to AD by the AD driver, then the values are

otherPager = ITS
otherPager = ISO

It is ok for my coding to sync the values from NDS to AD, however, I
have to clear the otherPager values if there is any change for OU

My coding is

clear destination attribute value ("otherPager", class name="User")

if (conditions (and (if source attribute 'ou' not available) ) , actions (break () ) )

set local variable ("lv.ou", nodeset (Source Attribute ("OU") ) )

for each (nodeset (Local Variable ("lv.ou") ) , actions (add destination attribute value ("otherPager", Local Variable ("current-node") ) ) )


The clear destination attribute value can only clear single value
attribute, but cannot do it for multi-value attribute, how can I do it?

Thanks & Regards,

Agnes


--
ayeungied
------------------------------------------------------------------------
ayeungied's Profile: https://forums.netiq.com/member.php?userid=548
View this thread: https://forums.netiq.com/showthread.php?t=47813

Anonymous_User Absent Member.

Re: How to remove values from multi-value attribute of AD?

On 23.05.2013 11:04, ayeungied wrote:
> I set the AD attribute otherPager to carry OU (department) info
>
> One staff can belong to several departments, say, one can be a staff of
> department ISO and ITS
>
> then the value in NDS is
>
> ou = ITS
> ou = ISO
>
> If the value is synced to AD by the AD driver, then the values are
>
> otherPager = ITS
> otherPager = ISO
>
> It is ok for my coding to sync the values from NDS to AD, however, I
> have to clear the otherPager values if there is any change for OU


Maybe I've misunderstood what you are trying to achieve but:

Why not just schema map OU to otherPager and configure the driver filter
to subscriber=sync and publisher=reset for the OU attribute?

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.
Anonymous_User Absent Member.

Re: How to remove values from multi-value attribute of AD?


Thanks Alex,

Can get your point from

configure the driver filter
to subscriber=sync

But for

publisher=reset for the OU attribute, I actually don't want to reset the
OU attribute, as it is in NDS, NDS should keep the values, I only want
to reset those values that have already synced to AD, that means reset the
values in otherPager.

Thanks,

Agnes


--
ayeungied

Anonymous_User Absent Member.

Re: How to remove values from multi-value attribute of AD?


That is exactly what reset means !!!!

Publisher reset means that if anyone changes the "otherPager" attribute
in AD the driver will go to eDir and read the OU values and reset the
otherPager from OU.

That way it will not be possible to change the values in AD, only from
eDir.


--
joakim_ganse

Anonymous_User Absent Member.

Re: How to remove values from multi-value attribute of AD?

On Thu, 23 May 2013 09:04:02 +0000, ayeungied wrote:

> clear destination attribute value ("otherPager", class name="User")


I think Alex is right, but if you use "clear destination attribute", it
removes all values from multivalued attributes.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.

Anonymous_User Absent Member.

Re: How to remove values from multi-value attribute of AD?


Thanks David,

I've used the

clear destination attribute value ("otherPager", class name="User") in
my script, but nothing happens.

Regards,

Agnes


--
ayeungied

Knowledge Partner

Re: How to remove values from multi-value attribute of AD?

On 5/23/2013 12:24 PM, ayeungied wrote:
>
> Thanks David,
>
> I've used the
>
> clear destination attribute value ("otherPager", class name="User") in
> my script, but nothing happens.


As always, trace is the trick to understand what is going on here.


Anonymous_User Absent Member.

Re: How to remove values from multi-value attribute of AD?

On Thu, 23 May 2013 16:24:02 +0000, ayeungied wrote:

> I've used the
>
> clear destination attribute value ("otherPager", class name="User") in
> my script, but nothing happens.


Trace?

--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.

Anonymous_User Absent Member.

Re: How to remove values from multi-value attribute of AD?


Thanks David and Geoffc,

I've uploaded the AD driver and IDM logs to

http://tinyurl.com/pjb2ngx

The user name is idmp3user1

1. I've tried to update the OU in nds as ITS and ISO
2. the otherPager can be updated correctly and shown as

otherPager=ITS
otherPager=ISO

2 other attributes, one named department and extensionAttribute5, will
be updated as
department=ITS;ISO
extensionAttribute5=ITS;ISO

When I remove the value of ITS and ISO in NDS,

both the department and extensionAttribute5 attributes no longer show, while
nothing changes for the values of otherPager

Many thanks & Regards,

Agnes


--
ayeungied

Knowledge Partner

Re: How to remove values from multi-value attribute of AD?

On 5/24/2013 2:44 AM, ayeungied wrote:
>
> Thanks David and Geoffc,
>
> I've uploaded the AD driver and IDM logs to
>
> http://tinyurl.com/pjb2ngx
>
> The user name is idmp3user1
>
> 1. I've tried to update the OU in nds as ITS and ISO
> 2. the otherPager can be updated correctly and shown as
>
> otherPager=ITS
> otherPager=ISO
>
> 2 other attributes, one named department and extensionAttribute5, will
> be updated as
> department=ITS;ISO
> extensionAttribute5=ITS;ISO
>
> When I remove the value of ITS and ISO in NDS,
>
> both the department and extensionAttribute5 attributes no longer show, while
> nothing changes for the values of otherPager


The specific error you are getting is this, at the end:

<status
event-id="abcp3#20130524042748#2#1:fda10b7a-7441-42d1-a299-7a0ba1fd4174"
level="error" type="driver-general">
<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21"
ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090A85, comment: Error in
attribute conversion operation, data 0, vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
<operation-data AccountTracking-AppAccountStatus="-"
AccountTracking-IdvAccountStatus="-"
AccountTracking-ObjectDN="\IDM_TREE\abc\users\idmp3user1"
AccountTracking-Operation="modify"
AccountTracking-association="40a4fca68c6f3c4faecf0082e9d14c26"/>
</status>
<status
event-id="abcp3#20130524042748#2#1:fda10b7a-7441-42d1-a299-7a0ba1fd4174"
level="success">
<operation-data AccountTracking-Operation="modify"
AccountTracking-association="40a4fca68c6f3c4faecf0082e9d14c26"/>
</status>
<status
event-id="abcp3#20130524042748#2#1:fda10b7a-7441-42d1-a299-7a0ba1fd4174"
level="error" type="driver-general">
<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21"
ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090A85, comment: Error in
attribute conversion operation, data 0, vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>


The error win32-rc 87 can be looked up at this set of pages from Microsoft:
http://msdn.microsoft.com/en-us/library/ms681382%28v=vs.85%29.aspx

Where 87 is: ERROR_INVALID_PARAMETER

Which is almost certainly related to any of the MANY attributes you are
setting to empty strings:

[05/24/13 12:27:49.398]:NDStoAD ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="user"
event-id="abcp3#20130524042748#2#1:fda10b7a-7441-42d1-a299-7a0ba1fd4174"
qualifabc-src-dn="O=abc\OU=users\CN=idmp3user1"
src-dn="\IDM_TREE\abc\users\idmp3user1" src-entry-id="33243">
<association>40a4fca68c6f3c4faecf0082e9d14c26</association>
<modify-attr attr-name="otherPager">
<remove-all-values/>
</modify-attr>
</modify>
<modify class-name="user"
event-id="abcp3#20130524042748#2#1:fda10b7a-7441-42d1-a299-7a0ba1fd4174_opData0"
qualifabc-src-dn="O=abc\OU=users\CN=idmp3user1"
src-dn="\IDM_TREE\abc\users\idmp3user1" src-entry-id="33243">
<association>40a4fca68c6f3c4faecf0082e9d14c26</association>
<modify-attr attr-name="extensionAttribute11">
<remove-all-values/>
<add-value>
<value type="string"/>
</add-value>
</modify-attr>
<modify-attr attr-name="extensionAttribute10">
<remove-all-values/>
<add-value>
<value type="string"/>
</add-value>
</modify-attr>
<modify-attr attr-name="facsimileTelephoneNumber">
<remove-all-values/>
<add-value>
<value type="string"/>
</add-value>
</modify-attr>
<modify-attr attr-name="givenName">
<remove-all-values/>
<add-value>
<value type="string"/>
</add-value>
</modify-attr>
<modify-attr attr-name="description">
<remove-all-values/>
<add-value>
<value type="string"/>
</add-value>
</modify-attr>


If the attribute is sized, as 1-64 or whatever, a length of 0 is illegal.

Thus it is not the remove OU code part, but the rest of it.


Anonymous_User Absent Member.

Re: How to remove values from multi-value attribute of AD?


Thanks Geoffc,

Yes, the values are waiting to pass in from my boss's database, the
related errors are expected.

Sorry, I forgot to mention that the policy for syncing the OU value to
otherPager is named

"Set OtherPager"

It should be in the logs I updated.

Would you mind to help again?

Thousands of thanks,

Agnes


--
ayeungied

Knowledge Partner

Re: How to remove values from multi-value attribute of AD?

On 5/26/2013 10:34 PM, ayeungied wrote:
>
> Thanks Geoffc,
>
> Yes, the values are waiting to pass in from my boss's database, the
> related errors are expected.


While the errors might be expected, the entire event must succeed in its
entirety, or else the whole thing fails.

So if you send in 10 attributes, and any one of them has an error, all
of them fail.


> Sorry, I forgot to mention that the policy for syncing the OU value to
> otherPager is named
>
> "Set OtherPager"
>
> It should be in the logs I updated.
>
> Would you mind to help again?


So that policy shows:
[05/24/13 12:27:48.355]:NDStoAD ST: Applying rule 'Set OtherPager'.
[05/24/13 12:27:48.355]:NDStoAD ST: Action: do-clear-dest-attr-value("otherPager",class-name="User",when="before").
[05/24/13 12:27:48.355]:NDStoAD ST: Action: do-if().
[05/24/13 12:27:48.355]:NDStoAD ST: Evaluating conditions.
[05/24/13 12:27:48.356]:NDStoAD ST: (if-src-attr 'ou' not-available) = FALSE.
[05/24/13 12:27:48.356]:NDStoAD ST: Action: do-set-local-variable("lv.ou",arg-node-set(token-src-attr("OU"))).
[05/24/13 12:27:48.356]:NDStoAD ST: arg-node-set(token-src-attr("OU"))
[05/24/13 12:27:48.357]:NDStoAD ST: token-src-attr("OU")
[05/24/13 12:27:48.357]:NDStoAD ST: Token Value: {<value> @timestamp = "1369369668#1" @type = "string",<value> @timestamp = "1369369668#2" @type = "string"}.
[05/24/13 12:27:48.358]:NDStoAD ST: Arg Value: {<value> @timestamp = "1369369668#1" @type = "string",<value> @timestamp = "1369369668#2" @type = "string"}.
[05/24/13 12:27:48.358]:NDStoAD ST: Action: do-for-each(arg-node-set(token-local-variable("lv.ou"))).
[05/24/13 12:27:48.358]:NDStoAD ST: arg-node-set(token-local-variable("lv.ou"))
[05/24/13 12:27:48.359]:NDStoAD ST: token-local-variable("lv.ou")
[05/24/13 12:27:48.359]:NDStoAD ST: Token Value: {<value> @timestamp = "1369369668#1" @type = "string",<value> @timestamp = "1369369668#2" @type = "string"}.
[05/24/13 12:27:48.362]:NDStoAD ST: Arg Value: {<value> @timestamp = "1369369668#1" @type = "string",<value> @timestamp = "1369369668#2" @type = "string"}.
[05/24/13 12:27:48.363]:NDStoAD ST: Performing actions for local-variable(current-node) = <value> @timestamp = "1369369668#1" @type = "string".
[05/24/13 12:27:48.363]:NDStoAD ST: Action: do-add-dest-attr-value("otherPager",token-local-variable("current-node")).
[05/24/13 12:27:48.364]:NDStoAD ST: arg-string(token-local-variable("current-node"))
[05/24/13 12:27:48.364]:NDStoAD ST: token-local-variable("current-node")
[05/24/13 12:27:48.364]:NDStoAD ST: Token Value: "ISO".
[05/24/13 12:27:48.365]:NDStoAD ST: Arg Value: "ISO".
[05/24/13 12:27:48.365]:NDStoAD ST: Performing actions for local-variable(current-node) = <value> @timestamp = "1369369668#2" @type = "string".
[05/24/13 12:27:48.365]:NDStoAD ST: Action: do-add-dest-attr-value("otherPager",token-local-variable("current-node")).
[05/24/13 12:27:48.366]:NDStoAD ST: arg-string(token-local-variable("current-node"))
[05/24/13 12:27:48.366]:NDStoAD ST: token-local-variable("current-node")
[05/24/13 12:27:48.366]:NDStoAD ST: Token Value: "ITS".
[05/24/13 12:27:48.367]:NDStoAD ST: Arg Value: "ITS".


So that generates two separate events:

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User"
event-id="abcp3#20130524042748#2#1:fda10b7a-7441-42d1-a299-7a0ba1fd4174"
qualifabc-src-dn="O=abc\OU=users\CN=idmp3user1"
src-dn="\IDM_TREE\abc\users\idmp3user1" src-entry-id="33243">
<association>40a4fca68c6f3c4faecf0082e9d14c26</association>
<modify-attr attr-name="otherPager">
<remove-all-values/>
</modify-attr>
</modify>
<modify cached-time="20130524042748.221Z" class-name="User"
event-id="abcp3#20130524042748#2#1:fda10b7a-7441-42d1-a299-7a0ba1fd4174"
qualifabc-src-dn="O=abc\OU=users\CN=idmp3user1"
src-dn="\IDM_TREE\abc\users\idmp3user1" src-entry-id="33243"
timestamp="1369369668#2">
<association
state="associated">40a4fca68c6f3c4faecf0082e9d14c26</association>
<modify-attr attr-name="OU">
<add-value>
<value timestamp="1369369668#1" type="string">ISO</value>
</add-value>
<add-value>
<value timestamp="1369369668#2" type="string">ITS</value>
</add-value>
</modify-attr>
<modify-attr attr-name="department">
<remove-all-values/>
</modify-attr>
<modify-attr attr-name="extensionAttribute5">
<remove-all-values/>
</modify-attr>
<modify-attr attr-name="department">
<remove-all-values/>
<add-value>
<value type="string">ISO;ITS</value>
</add-value>
</modify-attr>
<modify-attr attr-name="extensionAttribute5">
<remove-all-values/>
<add-value>
<value type="string">ISO;ITS</value>
</add-value>
</modify-attr>
<modify-attr attr-name="otherPager">
<add-value>
<value type="string">ISO</value>
</add-value>
</modify-attr>
<modify-attr attr-name="otherPager">
<add-value>
<value type="string">ITS</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>


The first is a <modify> just for the clear dest attr and since you set
when=before, it is thus before.

Then the add attrs are appended to the end of the existing <modify>.

So far so good.

Then you do a bunch of set values to nulls before the final event is
submitted.

I did not bother reading why, but there is something pretty wrong in
that code, since it is replicating the entire event twice. And now you
actually have 4 different modify events.

So after submitting to AD, you have 4 status events returned.

<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20120330_120000"
instance="\IDM_TREE\abc\adm\nds\IDM-DriverSet on abcp3\NDStoAD"
version="4.0.0.0">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status
event-id="abcp3#20130524042748#2#1:fda10b7a-7441-42d1-a299-7a0ba1fd4174"
level="success">
<operation-data AccountTracking-AppAccountStatus="-"
AccountTracking-IdvAccountStatus="-"
AccountTracking-ObjectDN="\IDM_TREE\abc\users\idmp3user1"
AccountTracking-Operation="modify"
AccountTracking-association="40a4fca68c6f3c4faecf0082e9d14c26"/>
</status>
<status
event-id="abcp3#20130524042748#2#1:fda10b7a-7441-42d1-a299-7a0ba1fd4174"
level="error" type="driver-general">
<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21"
ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090A85, comment: Error in
attribute conversion operation, data 0, vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
<operation-data AccountTracking-AppAccountStatus="-"
AccountTracking-IdvAccountStatus="-"
AccountTracking-ObjectDN="\IDM_TREE\abc\users\idmp3user1"
AccountTracking-Operation="modify"
AccountTracking-association="40a4fca68c6f3c4faecf0082e9d14c26"/>
</status>
<status
event-id="abcp3#20130524042748#2#1:fda10b7a-7441-42d1-a299-7a0ba1fd4174"
level="success">
<operation-data AccountTracking-AppAccountStatus="-"
AccountTracking-IdvAccountStatus="-"
AccountTracking-ObjectDN="\IDM_TREE\abc\users\idmp3user1"
AccountTracking-Operation="modify"
AccountTracking-association="40a4fca68c6f3c4faecf0082e9d14c26"/>
</status>
<status
event-id="abcp3#20130524042748#2#1:fda10b7a-7441-42d1-a299-7a0ba1fd4174"
level="error" type="driver-general">
<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21"
ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090A85, comment: Error in
attribute conversion operation, data 0, vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
<operation-data AccountTracking-AppAccountStatus="-"
AccountTracking-IdvAccountStatus="-"
AccountTracking-ObjectDN="\IDM_TREE\abc\users\idmp3user1"
AccountTracking-Operation="modify"
AccountTracking-association="40a4fca68c6f3c4faecf0082e9d14c26"/>
</status>
</output>
</nds>

First one, the success, is for the clear OtherPager attribute. yay.

The Second has an error 87 as I explained before, likely setting NULLs
in non-nillable attributes.

Third succeeds, fourth fails like #2. What is in modify #3? Let's see,
it's:

<modify cached-time="20130524042748.221Z" class-name="user"
event-id="abcp3#20130524042748#2#1:fda10b7a-7441-42d1-a299-7a0ba1fd4174_opData1"
qualifabc-src-dn="O=abc\OU=users\CN=idmp3user1"
src-dn="\IDM_TREE\abc\users\idmp3user1" src-entry-id="33243"
timestamp="1369369668#2">
<association
state="associated">40a4fca68c6f3c4faecf0082e9d14c26</association>
<modify-attr attr-name="department">
<add-value>
<value timestamp="1369369668#1" type="string">ISO</value>
</add-value>
<add-value>
<value timestamp="1369369668#2" type="string">ITS</value>
</add-value>
</modify-attr>
<modify-attr attr-name="department">
<remove-all-values/>
</modify-attr>
<modify-attr attr-name="extensionAttribute5">
<remove-all-values/>
</modify-attr>
<modify-attr attr-name="department">
<remove-all-values/>
<add-value>
<value type="string">ISO;ITS</value>
</add-value>
</modify-attr>
<modify-attr attr-name="extensionAttribute5">
<remove-all-values/>
<add-value>
<value type="string">ISO;ITS</value>
</add-value>
</modify-attr>
<modify-attr attr-name="otherPager">
<add-value>
<value type="string">ISO</value>
</add-value>
</modify-attr>
<modify-attr attr-name="otherPager">
<add-value>
<value type="string">ITS</value>
</add-value>
</modify-attr>
</modify>


Which is vaguely what you wanted.

So I would expect the end result of otherPager should have the two
values at this point. I have lost track of what you actually get in AD.

PS: Do fix the other policies that cause event #2 and #4 to fail, and
fix why you even get the duplications.





0 Likes
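Added example, not part of the original posts and not NetIQ tooling: a Python sketch of the correlation walked through in the reply above. It pairs each submitted `<modify>` with the returned `<status>` by position and flags zero-length `<add-value>` entries, the likely cause given for LDAP_INVALID_SYNTAX in the earlier reply. The two documents are constructed and shortened from the shape of the trace; `correlate`, `empty_adds`, the `evt-1` event-id and the assumption that statuses come back in submission order are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed input and status documents, shortened from the trace's shape.
SUBMITTED = """<nds><input>
 <modify class-name="User" event-id="evt-1">
  <modify-attr attr-name="otherPager"><remove-all-values/></modify-attr>
 </modify>
 <modify class-name="User" event-id="evt-1">
  <modify-attr attr-name="givenName"><remove-all-values/>
   <add-value><value type="string"/></add-value></modify-attr>
  <modify-attr attr-name="description"><remove-all-values/>
   <add-value><value type="string"/></add-value></modify-attr>
  <modify-attr attr-name="department"><remove-all-values/>
   <add-value><value type="string">ISO;ITS</value></add-value></modify-attr>
 </modify>
 <modify class-name="User" event-id="evt-1">
  <modify-attr attr-name="otherPager">
   <add-value><value type="string">ISO</value></add-value></modify-attr>
  <modify-attr attr-name="otherPager">
   <add-value><value type="string">ITS</value></add-value></modify-attr>
 </modify>
 <modify class-name="User" event-id="evt-1">
  <modify-attr attr-name="givenName"><remove-all-values/>
   <add-value><value type="string"/></add-value></modify-attr>
 </modify>
</input></nds>"""
OK = '<status event-id="evt-1" level="success"/>'
ERR = ('<status event-id="evt-1" level="error" type="driver-general">'
       '<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">'
       '<server-err-ex win32-rc="87"/></ldap-err></status>')
RETURNED = "<nds><output>" + OK + ERR + OK + ERR + "</output></nds>"

def empty_adds(modify):
    """Names of attributes for which this <modify> adds a zero-length value."""
    names = []
    for attr in modify.findall("modify-attr"):
        values = attr.findall("add-value/value")
        if any(not (v.text or "").strip() for v in values):
            names.append(attr.get("attr-name"))
    return names

def correlate(submitted_xml, returned_xml):
    """Pair modify N with status N; all statuses share one event-id here."""
    modifies = ET.fromstring(submitted_xml).findall("input/modify")
    statuses = ET.fromstring(returned_xml).findall("output/status")
    if len(modifies) != len(statuses):
        raise ValueError("cannot pair by position: counts differ")
    report = []
    for n, (mod, st) in enumerate(zip(modifies, statuses), start=1):
        attrs = list(dict.fromkeys(
            a.get("attr-name") for a in mod.findall("modify-attr")))
        empties = empty_adds(mod)
        failed = st.get("level") == "error"
        err = st.find("ldap-err")
        report.append({
            "modify": n,
            "level": st.get("level"),
            "ldap_rc_name": None if err is None else err.get("ldap-rc-name"),
            "attrs": attrs,
            "empty_adds": empties,
            # Valid changes lost because the whole modify is rejected.
            "collateral": [a for a in attrs if failed and a not in empties],
        })
    return report

if __name__ == "__main__":
    for row in correlate(SUBMITTED, RETURNED):
        print(row)
```

The `collateral` list shows the all-or-nothing behaviour described in the reply: a valid `department` change riding in the same `<modify>` as an empty value is rejected along with it.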
Anonymous_User Absent Member.

Re: How to remove values from multi-value attribute of AD?


Thanks Geoffc,

I'll study the log and check for the errors.

Many thanks for your guidance!

Regards,

Agnes


--
ayeungied

Anonymous_User Absent Member.

Re: How to remove values from multi-value attribute of AD?


Hi Geoffc,

I finally found that the OU of Organization Unit blocked the related
action.

After I removed the OU of Organization Unit from the filter, then with
the already added OU in the user object, and schema mapping, it works
fine now.

Our corp does not use the OU of Organization Unit in the IDM environment.

Thank you very much for your help.

Regards,

Agnes


--
ayeungied