Honored Contributor.

Re: How to sync extensionAttributes from IDM to Active Direc

Thanks. I did the same and now it throws the error below.

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<add class-name="group" dest-dn="CN=testpimsubgrpcont10,OU=Onsite-Access,OU=Prod,OU=PIM,DC=idmtst,DC=BBC,DC=dk" event-id="BBCDBS0015-NDS#20190417131604#2#1:5eeb7f11-b149-4c78-a0d1-036c0a7d2773">
<add-attr attr-name="samAccountName">
<value type="string">testpimsubgrpcont10</value>
</add-attr>
<add-attr attr-name="description">
<value type="string">testpimsubgrpcont10</value>
</add-attr>
<add-attr attr-name="extensionAttribute8">
<value type="string">en~testpimsubgrpcont10|da~testpimsubgrpcont10</value>
</add-attr>
<add-attr attr-name="extensionAttribute9">
<value type="string">en~testpimsubgrpcont10|da~testpimsubgrpcont10</value>
</add-attr>
</add>
</input>
</nds>
[04/17/19 15:16:05.112]:InternalAD ST: Remote Interface Driver: Document sent.
[04/17/19 15:16:05.158]:InternalAD :Remote Interface Driver: Received.
[04/17/19 15:16:05.159]:InternalAD :
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20120330_120000" instance="\BBCIDV\system\driverset1\AD-Internal-BBC" version="4.0.0.0">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="BBCDBS0015-NDS#20190417131604#2#1:5eeb7f11-b149-4c78-a0d1-036c0a7d2773" level="error" type="driver-general">
<ldap-err ldap-rc="65" ldap-rc-name="LDAP_OBJECT_CLASS_VIOLATION">
<client-err ldap-rc="65" ldap-rc-name="LDAP_OBJECT_CLASS_VIOLATION">Object Class Violation</client-err>
<server-err>0000207D: UpdErr: DSID-0315121C, problem 6002 (OBJ_CLASS_VIOLATION), data -1783875980
</server-err>
<server-err-ex win32-rc="8317"/>
</ldap-err>
</status>
</output>
</nds>

Regards
Sivaram T
Knowledge Partner

Re: How to sync extensionAttributes from IDM to Active Directory

This error, to me, is still telling me that you cannot have
extensionAttribute8 and/or extensionAttribute9 on a 'group' object in
Microsoft Active Directory (MAD).

On 04/17/2019 07:24 AM, sivaramtm wrote:
> event-id="BBCDBS0015-NDS#20190417131604#2#1:5eeb7f11-b149-4c78-a0d1-036c0a7d2773"
> level="error" type="driver-general">
> <ldap-err ldap-rc="65"
> ldap-rc-name="LDAP_OBJECT_CLASS_VIOLATION">
> <client-err ldap-rc="65"
> ldap-rc-name="LDAP_OBJECT_CLASS_VIOLATION">Object Class
> Violation</client-err>
> <server-err>0000207D: UpdErr: DSID-0315121C, problem 6002
> (OBJ_CLASS_VIOLATION), data -1783875980


What was the result of the LDIF test I posted earlier, using something
like Apache Directory Studio or the ldapmodify command?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Honored Contributor.

Re: How to sync extensionAttributes from IDM to Active Direc

The LDIF test is a success. The group object is getting created with extension attributes 8 and 9. I used Apache Studio to do the same.

Thanks
Siva ram T
Knowledge Partner

Re: How to sync extensionAttributes from IDM to Active Directory

On 4/17/2019 9:24 AM, sivaramtm wrote:
>
> Thanks. I did the same and now it throws below error.
>
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.6.3.0">DirXML</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <add class-name="group"
> dest-dn="CN=testpimsubgrpcont10,OU=Onsite-Access,OU=Prod,OU=PIM,DC=idmtst,DC=BBC,DC=dk"
> event-id="BBCDBS0015-NDS#20190417131604#2#1:5eeb7f11-b149-4c78-a0d1-036c0a7d2773">
> <add-attr attr-name="samAccountName">
> <value type="string">testpimsubgrpcont10</value>
> </add-attr>
> <add-attr attr-name="description">
> <value type="string">testpimsubgrpcont10</value>
> </add-attr>
> <add-attr attr-name="extensionAttribute8">
> <value
> type="string">en~testpimsubgrpcont10|da~testpimsubgrpcont10</value>
> </add-attr>
> <add-attr attr-name="extensionAttribute9">
> <value
> type="string">en~testpimsubgrpcont10|da~testpimsubgrpcont10</value>
> </add-attr>
> </add>
> </input>
> </nds>
> [04/17/19 15:16:05.112]:InternalAD ST: Remote Interface Driver:
> Document sent.
> [04/17/19 15:16:05.158]:InternalAD :Remote Interface Driver: Received.
> [04/17/19 15:16:05.159]:InternalAD :
> <nds dtdversion="1.1" ndsversion="8.7">
> <source>
> <product asn1id="" build="20120330_120000"
> instance="\BBCIDV\system\driverset1\AD-Internal-BBC"
> version="4.0.0.0">AD</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <status
> event-id="BBCDBS0015-NDS#20190417131604#2#1:5eeb7f11-b149-4c78-a0d1-036c0a7d2773"
> level="error" type="driver-general">
> <ldap-err ldap-rc="65"
> ldap-rc-name="LDAP_OBJECT_CLASS_VIOLATION">
> <client-err ldap-rc="65"
> ldap-rc-name="LDAP_OBJECT_CLASS_VIOLATION">Object Class
> Violation</client-err>
> <server-err>0000207D: UpdErr: DSID-0315121C, problem 6002
> (OBJ_CLASS_VIOLATION), data -1783875980
> </server-err>
> <server-err-ex win32-rc="8317"/>
> </ldap-err>
> </status>
> </output>
> </nds>


Haha! And now you have a real error. You can look up the <server-err-ex
win32-rc=""> values here:

https://docs.microsoft.com/en-us/windows/desktop/Debug/system-error-codes--8200-8999-

Which is:

ERROR_DS_ATT_NOT_DEF_FOR_CLASS

8317 (0x207D)

An attempt was made to modify an object to include an attribute
that is not legal for its class.



Aha, a useful error. AD is saying this object class (group) does not
support extensionAttribute8 or 9.

Now perhaps these are part of an Aux class, and you should add a modify
to objectClass and add the value of the missing aux class.

I was trying to quickly find how MS defined those attributes and I do
not have an AD instance handy with Exchange Schema extensions, but that
is the next place to look.


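An added example, not part of any post in this thread: a small Python parser that decodes the driver's `<status>` reply the way the last answer does by hand, pulling out `win32-rc`, the DSID and the problem code and checking that the hex prefix of `<server-err>` matches `win32-rc`. The names `parse_status` and `WIN32_DS_ERRORS` are hypothetical, and the lookup table holds only the one code identified in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Sample input: the driver's <status> reply copied from the trace in this thread.
STATUS_XML = """<nds dtdversion="1.1" ndsversion="8.7">
<output>
<status event-id="BBCDBS0015-NDS#20190417131604#2#1:5eeb7f11-b149-4c78-a0d1-036c0a7d2773" level="error" type="driver-general">
<ldap-err ldap-rc="65" ldap-rc-name="LDAP_OBJECT_CLASS_VIOLATION">
<client-err ldap-rc="65" ldap-rc-name="LDAP_OBJECT_CLASS_VIOLATION">Object Class Violation</client-err>
<server-err>0000207D: UpdErr: DSID-0315121C, problem 6002 (OBJ_CLASS_VIOLATION), data -1783875980
</server-err>
<server-err-ex win32-rc="8317"/>
</ldap-err>
</status>
</output>
</nds>"""

# Only the code named in the thread; extend from Microsoft's system error code list.
WIN32_DS_ERRORS = {8317: "ERROR_DS_ATT_NOT_DEF_FOR_CLASS"}

# e.g. "0000207D: UpdErr: DSID-0315121C, problem 6002 (OBJ_CLASS_VIOLATION), ..."
SERVER_ERR = re.compile(
    r"\s*([0-9A-Fa-f]{8}):\s*\w+:\s*(DSID-[0-9A-Fa-f]+),\s*problem\s+(\d+)\s+\((\w+)\)")

def parse_status(xml_text):
    """Decode every <status> that carries an <ldap-err> (hypothetical helper)."""
    results = []
    for status in ET.fromstring(xml_text).iter("status"):
        ldap_err = status.find("ldap-err")
        if ldap_err is None:
            continue  # success or non-LDAP status: nothing to decode
        ex = ldap_err.find("server-err-ex")
        rc = ex.get("win32-rc") if ex is not None else None
        win32_rc = int(rc) if rc else None
        m = SERVER_ERR.match(ldap_err.findtext("server-err", default=""))
        results.append({
            "event_id": status.get("event-id"),
            "ldap_rc": int(ldap_err.get("ldap-rc", "-1")),
            "win32_rc": win32_rc,
            "win32_name": WIN32_DS_ERRORS.get(win32_rc, "UNKNOWN"),
            "dsid": m.group(2) if m else None,
            "problem": int(m.group(3)) if m else None,
            "problem_name": m.group(4) if m else None,
            # In this trace the hex prefix of <server-err> equals win32-rc.
            "codes_agree": bool(m) and int(m.group(1), 16) == win32_rc,
        })
    return results

if __name__ == "__main__":
    print(parse_status(STATUS_XML))
```

When `codes_agree` is false or `win32_name` is `UNKNOWN`, look the number up in the Microsoft error code list linked in the post above rather than relying on the generic LDAP result code 65.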