
IDM ceased to create and change objects in AD


IDM361.
On the Win2003 Srv with AD and dirxmldriver I see these errors (and the
driver is permanently switched off):
...
DirXML: [02/17/13 10:44:08.20]:
DirXML Log Event -------------------
Driver = \AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek
Thread = Subscriber Channel
Object = \AMI\ami\dntsk\buh\tbuh02
(CN=tbuh02,OU=buh,OU=dntsk,DC=alibek,DC=ami,DC=ua)
Level = fatal
Message = Exception caused by SubscriptionShim->execute()
DirXML: [02/17/13 10:44:08.20]: Loader: Calling driverShim->shutdown()
because of error
DirXML: [02/17/13 10:44:08.20]: ADDriver: Shutdown 1
DirXML: [02/17/13 10:44:08.20]: Loader: Waiting for publisher thread to
exit...
DirXML: [02/17/13 10:44:08.20]:
DirXML Log Event -------------------
Thread = Connection Receiver
Level = warning
Message = SSL protocol failure: error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number
DirXML: [02/17/13 10:44:08.33]: Loader: Stopping driver
DirXML: [02/17/13 10:44:08.33]: Loader: Waiting for DirXML to connect on
'TCP server socket, port 8090, address localhost, using SSL'...
DirXML: [02/17/13 10:44:35.26]: Loader: Waiting for driver thread to
exit...
DirXML: [02/17/13 10:44:38.48]: Loader: Verifying command port...
DirXML: [02/17/13 10:44:39.58]: Loader: Verifying driver can be
loaded...
DirXML: [02/17/13 10:44:39.59]: Loader: Initializing SSL encryption...
DirXML: [02/17/13 10:44:57.42]: Loader: Waiting for DirXML to connect on
'TCP server socket, port 8090, address localhost, using SSL'...
DirXML: [02/17/13 10:45:10.60]: Loader: Connected.
DirXML: [02/17/13 10:45:10.62]: Loader: Reading driver state from file
DirXML: [02/17/13 10:45:10.62]: Loader: Starting driver...
DirXML: [02/17/13 10:45:10.62]: Loader: Calling driverShim->init()
DirXML: [02/17/13 10:45:10.62]: ADDriver: Driver::init
DirXML: [02/17/13 10:45:10.62]: Loader: Calling
subscriptionShim->init()
DirXML: [02/17/13 10:45:10.62]: Loader: Calling publicationShim->init()
DirXML: [02/17/13 10:45:10.62]:
DirXML Log Event -------------------
Driver = \AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek
Thread = Publisher Channel
Level = warning
Message = Publisher Heartbeat is DISABLED
DirXML: [02/17/13 10:45:10.62]:
DirXML Log Event -------------------
Driver = \AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek
Thread = Subscriber Channel
Level = success
Message = Remote driver successfully started.
DirXML: [02/17/13 10:45:10.62]: Loader: Calling
publicationShim->start()
DirXML: [02/17/13 10:45:10.62]: Loader: Received document from
publicationShim
DirXML: [02/17/13 10:45:10.62]: Loader: Writing driver state to file
DirXML: [02/17/13 10:45:10.62]: Loader: Document consists only of state;
not sending to remote side
DirXML: [02/17/13 10:45:10.68]: ADDriver: [PWD 2784] lpszDCName =
compad1.alibek.ami.ua status = 0x000006D9
DirXML: [02/17/13 10:45:10.68]: ADDriver: [PWD 2784] - Password Sync is
not installed on domain controller compad1.alibek.ami.ua
DirXML: [02/17/13 10:45:10.73]: ADDriver: [PWD 2784] lpszDCName =
B04WINAD008.alibek.ami.ua status = 0x000006D9
DirXML: [02/17/13 10:45:10.73]: ADDriver: [PWD 2784] - Password Sync is
not installed on domain controller B04WINAD008.alibek.ami.ua
DirXML: [02/17/13 10:45:26.40]: Loader: Calling
subscriptionShim->execute()
DirXML: [02/17/13 10:45:26.40]:
DirXML Log Event -------------------
Driver = \AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek
Thread = Subscriber Channel
Level = success
DirXML: [02/17/13 10:45:26.42]: Loader: Calling
subscriptionShim->execute()
DirXML: [02/17/13 10:45:26.42]:
DirXML Log Event -------------------
Driver = \AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek
Thread = Subscriber Channel
Level = success
DirXML: [02/17/13 10:45:26.42]: Loader: Calling
subscriptionShim->execute()
DirXML: [02/17/13 10:45:26.42]:
DirXML Log Event -------------------
Driver = \AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek
Thread = Subscriber Channel
Level = success
DirXML: [02/17/13 10:45:26.43]: Loader: Calling
subscriptionShim->execute()
DirXML: [02/17/13 10:45:26.43]:
DirXML Log Event -------------------
Driver = \AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek
Thread = Subscriber Channel
Object = \AMI\ami\dntsk\buh\tbuh02
(CN=tbuh02,OU=buh,OU=dntsk,DC=alibek,DC=ami,DC=ua)
Level = error
Message = Exception caused by SubscriptionShim->execute()
DirXML: [02/17/13 10:45:26.43]:
DirXML Log Event -------------------
Driver = \AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek
Thread = Subscriber Channel
Object = \AMI\ami\dntsk\buh\tbuh02
(CN=tbuh02,OU=buh,OU=dntsk,DC=alibek,DC=ami,DC=ua)
Level = fatal
Message = Exception caused by SubscriptionShim->execute()
DirXML: [02/17/13 10:45:26.43]: Loader: Calling driverShim->shutdown()
because of error
DirXML: [02/17/13 10:45:26.43]: ADDriver: Shutdown 1
DirXML: [02/17/13 10:45:26.43]: Loader: Waiting for publisher thread to
exit...
DirXML: [02/17/13 10:45:26.54]:
DirXML Log Event -------------------
Thread = Connection Receiver
Level = warning
Message = SSL protocol failure: error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number
DirXML: [02/17/13 10:45:26.67]: Loader: Stopping driver
DirXML: [02/17/13 10:45:26.67]: Loader: Waiting for DirXML to connect on
'TCP server socket, port 8090, address localhost, using SSL'...
DirXML: [02/17/13 10:58:28.53]: Loader: Waiting for driver thread to
exit...
.....

Please help me.

Serg


--
skoltogyan
------------------------------------------------------------------------
skoltogyan's Profile: https://forums.netiq.com/member.php?userid=4390
View this thread: https://forums.netiq.com/showthread.php?t=46859


Re: IDM ceased to create and change objects in AD

On 18.02.2013 10:24, skoltogyan wrote:
>
> IDM361.
> On the Win2003 Srv with AD and dirxmldriver I see these errors (and the
> driver is permanently switched off):


You need a level 3 trace to really know what is wrong.

Set trace level to 3, then restart the driver on the engine side.

Post your trace on pastebin or suspaste and we can try and help you.


--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: IDM ceased to create and change objects in AD


The user "U2" in AD didn't receive changes...

DirXML: [02/18/13 15:13:10.25]: Loader: Received 'subscriber execute'
document
DirXML: [02/18/13 15:13:10.25]: Loader: XML Document:
DirXML: [02/18/13 15:13:10.25]: <nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.11.20080307 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20130218131310.223Z" class-name="time"
event-id="srv6#20130218131310#2#1"
qualified-src-dn="O=ami\OU=dntsk\OU=itdep\CN=u2"
src-dn="\AMI\ami\dntsk\itdep\u2" src-entry-id="45318"
timestamp="1361193185#2">
<association
state="associated">f260469feff2994e946c2520e3430066</association>
<modify-attr attr-name="department">
<remove-value>
<value timestamp="1361086982#2"
type="string">dd222222222200</value>
</remove-value>
<add-value>
<value timestamp="1361193185#2"
type="string">department0081</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [02/18/13 15:13:10.25]: Loader: Calling
subscriptionShim->execute()
DirXML: [02/18/13 15:13:10.25]: Loader: XML Document:
DirXML: [02/18/13 15:13:10.25]: <nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.11.20080307 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20130218131310.223Z" class-name="time"
event-id="srv6#20130218131310#2#1"
qualified-src-dn="O=ami\OU=dntsk\OU=itdep\CN=u2"
src-dn="\AMI\ami\dntsk\itdep\u2" src-entry-id="45318"
timestamp="1361193185#2">
<association
state="associated">f260469feff2994e946c2520e3430066</association>
<modify-attr attr-name="department">
<remove-value>
<value timestamp="1361086982#2"
type="string">dd222222222200</value>
</remove-value>
<add-value>
<value timestamp="1361193185#2"
type="string">department0081</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [02/18/13 15:13:10.25]: ADDriver: parse command

className time
destDN
eventId srv6#20130218131310#2#1
association f260469feff2994e946c2520e3430066
DirXML: [02/18/13 15:13:10.25]: ADDriver: parse modify class = time
DirXML: [02/18/13 15:13:10.25]: Loader: subscriptionShim->execute()
returned:
DirXML: [02/18/13 15:13:10.25]: Loader: XML Document:
DirXML: [02/18/13 15:13:10.25]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="3.5.8" asn1id="" build="20100203_120000"
instance="\AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status level="success" event-id="srv6#20130218131310#2#1"/>
</output>
</nds>
DirXML: [02/18/13 15:13:10.25]:
DirXML Log Event -------------------
Driver = \AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek
Thread = Subscriber Channel
Object = \AMI\ami\dntsk\itdep\u2
Level = success
DirXML: [02/18/13 15:13:51.09]: ADDriver: get object changes - 0x0000
DirXML: [02/18/13 15:13:51.09]: ADDriver: object changes complete
DirXML: [02/18/13 15:14:17.22]: Loader: Waiting for driver thread to
exit...
DirXML: [02/18/13 15:14:17.22]: Loader: Calling driverShim->shutdown()
DirXML: [02/18/13 15:14:17.22]: Loader: null document
DirXML: [02/18/13 15:14:17.22]: ADDriver: Driver::shutdown
DirXML: [02/18/13 15:14:17.22]: ADDriver: shutdown subscriber
DirXML: [02/18/13 15:14:17.22]: ADDriver: shutdown publisher
DirXML: [02/18/13 15:14:17.22]: ADDriver: Shutdown 1
DirXML: [02/18/13 15:14:17.22]: ADDriver: shutdown notification
complete
DirXML: [02/18/13 15:14:17.22]: Loader: driverShim->shutdown()
returned:
DirXML: [02/18/13 15:14:17.22]: Loader: XML Document:
DirXML: [02/18/13 15:14:17.22]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="3.5.8" asn1id="" build="20100203_120000"
instance="\AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status level="success"/>
</output>
</nds>
DirXML: [02/18/13 15:14:17.22]: Loader: Waiting for publisher thread to
exit...
DirXML: [02/18/13 15:14:17.33]: ADDriver: publisher shutdown complete
DirXML: [02/18/13 15:14:17.33]: Loader: publicationShim->start()
returned:
DirXML: [02/18/13 15:14:17.33]: Loader: XML Document:
DirXML: [02/18/13 15:14:17.33]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="3.5.8" asn1id="" build="20100203_120000"
instance="\AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status level="success">MadPublisher Shutdown Event Received</status>
</output>
</nds>
DirXML: [02/18/13 15:14:17.33]:
DirXML Log Event -------------------
Driver = \AMI\ami\dntsk\srvidm\driversidm\drv1test\edir2alibek
Thread = Subscriber Channel
Level = warning
Message = Remote driver stopped
DirXML: [02/18/13 15:14:17.45]: Loader: Stopping driver
DirXML: [02/18/13 15:14:17.45]: ADDriver: Driver::destroy
DirXML: [02/18/13 15:14:17.45]: ADDriver: driver destroy
DirXML: [02/18/13 15:14:17.45]: ADDriver: Driver::~Driver()


--
skoltogyan

Re: IDM ceased to create and change objects in AD

On 18.02.2013 14:34, skoltogyan wrote:
>
> The user "U2" in AD didn't receive changes...


1. Is "time" a valid object class in Active Directory?
2. Is "department" a valid attribute for the object class "time"?

From the trace, it looks like at least one of these items isn't true
in your Active Directory.

I'm unsure how this can relate to the fatal error you posted in the
earlier level 0 trace though.

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: IDM ceased to create and change objects in AD


Post a trace from the remote loader side (lvl3). Presumably there is
something like: LDAP_INVALID_CREDENTIALS.

If that's the case: check if the user referenced in your driver config
(authentication ID) is locked or disabled. Furthermore, that user's
password might be no longer valid (driver configuration > driver object
password).

florian


--
florianz
------------------------------------------------------------------------
florianz's Profile: https://forums.netiq.com/member.php?userid=309

Re: IDM ceased to create and change objects in AD


This morning I rechecked:
- for "Remote Loader": "Driver Object Password" and "Remote Loader
Password"
- for "Driver": "Driver Object Password", "Authentication ID",
"Application password" and "Remote loader password"

In eDir I changed the field "Full Name" for user U2.
In the "Remote Loader" log file I see: all OK.
But the AD account U2 is without any changes.

This is the log file from the "Remote Loader": ftp://ftp1.ami.ua/1.log

Serg


--
skoltogyan

Re: IDM ceased to create and change objects in AD

On 19.02.2013 10:14, skoltogyan wrote:
>
> This morning I rechecked:
> - for "Remote Loader": "Driver Object Password" and "Remote Loader
> Password"
> - for "Driver": "Driver Object Password", "Authentication ID",
> "Application password" and "Remote loader password"
>
> In eDir I changed the field "Full Name" for user U2.
> In the "Remote Loader" log file I see: all OK.
> But the AD account U2 is without any changes.
>
> This is the log file from the "Remote Loader": ftp://ftp1.ami.ua/1.log


In designer, right click the line that connects the AD driver icon and
the driver set.

Choose "live" -> "Refresh Application Schema"

Then post the level 3 driver trace from this.

I really do suspect your issue is with this class-name="time" - this
task will verify if this is the case or not.

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: IDM ceased to create and change objects in AD


In my Novell iManager I cannot find "Designer". I see only:
1) "Novell iManager" | "Identity Manager" | "Identity Manager Overview"
2) "Novell iManager" | "Identity Manager Utilities"
2.1) "Novell iManager" | "Identity Manager Utilities" | "Versions Discovery"
2.2) "Novell iManager" | "Identity Manager Utilities" | "Import Multiple drivers"
2.3) "Novell iManager" | "Identity Manager Utilities" | "Import Configuration"
2.4) "Novell iManager" | "Identity Manager Utilities" | "Export Configuration"
2.5) "Novell iManager" | "Identity Manager Utilities" | "Data Flow"
2.6) "Novell iManager" | "Identity Manager Utilities" | "Data Flow (Table view)"
2.7) "Novell iManager" | "Identity Manager Utilities" | "NDS-to-NDS Driver Certificates"


--
skoltogyan

Re: IDM ceased to create and change objects in AD


At this time I downloaded and installed IDM Designer. Live... Refresh schema.
Restarted everything. Problem not resolved.
About the driver stopping: when I create a NEW user in eDir, my "edir2alibek"
driver STOPS!


--
skoltogyan

Re: IDM ceased to create and change objects in AD

On 19.02.2013 13:14, skoltogyan wrote:
>
> At this time I downloaded and installed IDM Designer. Live... Refresh schema.
> Restarted everything. Problem not resolved.


I didn't say that the problem would be resolved by doing this. I said that
this might help us understand WHY the user isn't updated.

Do you have a level 3 trace of the refresh application schema?

> About the driver stopping: when I create a NEW user in eDir, my "edir2alibek"
> driver STOPS!


Do you have a level 3 trace of this? If it is each time you create a new
user in your eDir that the AD driver stops, then you can replicate the
issue and generate the level 3 trace required to troubleshoot the problem.


--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: IDM ceased to create and change objects in AD


Done.
Yes, when I create a new user, the driver goes to STOP.
This is the log file from the remote loader: ftp://ftp1.ami.ua/3.log

Serg


--
skoltogyan

Re: IDM ceased to create and change objects in AD

To me this just looks like the schema mapping policy is mapping eDir's
User class to something random like 'time' which will probably never work.
I'm a little surprised it causes a FATAL, but it is probably better that
this happens than events be discarded because of a bad configuration.

Does the Schema Mapping policy map User to 'time'? The engine-side's
level three trace would show during startup, or even during this event.

Good luck.
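
The check raised in the replies above (does the event reaching the AD shim carry a class the driver should be writing?), as an added example that is not part of the original thread or of any NetIQ tooling: a Python script that pulls the XDS documents out of a remote loader trace, pairs each event with the shim's returned status, and lists events whose `class-name` is unexpected. The function name `audit_trace`, the `EXPECTED_CLASSES` set and the sample trace are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the AD classes this driver is supposed to write to.
EXPECTED_CLASSES = {"user", "group", "organizationalunit"}

# Constructed sample in the remote loader trace format shown in the thread.
SAMPLE_TRACE = r'''DirXML: [02/18/13 15:13:10.25]: Loader: XML Document:
DirXML: [02/18/13 15:13:10.25]: <nds dtdversion="3.5" ndsversion="8.x">
<input>
<modify class-name="time" event-id="srv6#1" src-dn="\AMI\ami\dntsk\itdep\u2">
<modify-attr attr-name="department">
<add-value><value type="string">department0081</value></add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [02/18/13 15:13:10.25]: Loader: subscriptionShim->execute()
returned:
DirXML: [02/18/13 15:13:10.25]: <nds ndsversion="8.7" dtdversion="1.1">
<output>
<status level="success" event-id="srv6#1"/>
</output>
</nds>
DirXML: [02/18/13 15:13:11.00]: <nds dtdversion="3.5" ndsversion="8.x">
<input>
<modify class-name="user" event-id="srv6#2" src-dn="\AMI\ami\dntsk\itdep\u3">
<modify-attr attr-name="description"/>
</modify>
</input>
</nds>
'''

NDS_DOC = re.compile(r"<nds\b.*?</nds>", re.DOTALL)

def audit_trace(trace, expected=EXPECTED_CLASSES):
    """Return one finding per event whose class-name is not an expected class."""
    events, statuses = {}, {}
    for match in NDS_DOC.finditer(trace):
        try:
            doc = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # truncated or interleaved document: skip it
        for cmd in doc.findall("./input/*"):
            if cmd.get("event-id") and cmd.get("class-name"):
                # A document is logged on receipt and again before execute();
                # keying on event-id keeps a single copy.
                events[cmd.get("event-id")] = {
                    "command": cmd.tag, "class_name": cmd.get("class-name"),
                    "src_dn": cmd.get("src-dn"),
                    "attrs": [a.get("attr-name") for a in cmd
                              if a.tag in ("modify-attr", "add-attr")],
                }
        for status in doc.findall("./output/status"):
            if status.get("event-id"):
                statuses[status.get("event-id")] = status.get("level")
    return [{**ev, "event_id": eid, "shim_status": statuses.get(eid, "none")}
            for eid, ev in events.items()
            if ev["class_name"].lower() not in expected]

if __name__ == "__main__":
    for finding in audit_trace(SAMPLE_TRACE):
        print(finding)
```

On the sample, the only finding is the `class-name="time"` event, reported together with the shim's `success` status for the same event-id.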