
Re: IDM ceased to create and change objects in AD

On 19.02.2013 14:47, ab wrote:
> To me this just looks like the schema mapping policy is mapping eDir's
> User class to something random like 'time' which will probably never work.
> I'm a little surprised it causes a FATAL, but it is probably better that
> this happens than events be discarded because of a bad configuration.
>
> Does the Schema Mapping policy map User to 'time'? The engine-side's
> level three trace would show during startup, or even during this event.


This is exactly what I said yesterday (worded slightly differently though)

As I didn't want to make any assumptions, it was possible that the
object-class "time" existed in AD and this schema mapping was
intentional. However, this doesn't appear to be likely.

Yes we need an engine side level 3 trace rather than a driver side trace
(as has been provided so far) to troubleshoot further.

Shouldn't the AD driver shim provide a bit more feedback (something like
object-class not found) rather than just reporting success on a modify
that didn't actually do anything because the object class was wrong?

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: IDM ceased to create and change objects in AD

> Shouldn't the AD driver shim provide a bit more feedback (something like
> object-class not found) rather than just reporting success on a modify
> that didn't actually do anything because the object class was wrong?


You would think. But if you skip an object class entirely it will often
do nothing and report success as well.



Re: IDM ceased to create and change objects in AD

On 19.02.2013 14:58, Geoffrey Carman wrote:
>> Shouldn't the AD driver shim provide a bit more feedback (something like
>> object-class not found) rather than just reporting success on a modify
>> that didn't actually do anything because the object class was wrong?
>
> You would think. But if you skip an object class entirely it will often
> do nothing and report success as well.


Yes I've seen that too. However that is a different situation (assuming
you supply a DN or association), it shouldn't matter so much that you
don't supply an object class on a modify as it can just derive this by
querying the object identifier (DN /assoc)

However supplying an incorrect object class on modify should cause an
error (IMHO). One wonders if this is more a limitation of the LDAP
interface in AD that AD itself doesn't return an error so the driver
shim assumes the modify was successful.

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: IDM ceased to create and change objects in AD

On 2/19/2013 9:15 AM, Alex McHugh wrote:
> On 19.02.2013 14:58, Geoffrey Carman wrote:
>>> Shouldn't the AD driver shim provide a bit more feedback (something like
>>> object-class not found) rather than just reporting success on a modify
>>> that didn't actually do anything because the object class was wrong?
>>
>> You would think. But if you skip an object class entirely it will often
>> do nothing and report success as well.
>
> Yes I've seen that too. However that is a different situation (assuming
> you supply a DN or association), it shouldn't matter so much that you
> don't supply an object class on a modify as it can just derive this by
> querying the object identifier (DN /assoc)


True enough. Be nice if it did that.

> However supplying an incorrect object class on modify should cause an
> error (IMHO). One wonders if this is more a limitation of the LDAP
> interface in AD that AD itself doesn't return an error so the driver
> shim assumes the modify was successful.


Yes it should.


Re: IDM ceased to create and change objects in AD


geoffc;225647 Wrote:
> On 2/19/2013 9:15 AM, Alex McHugh wrote:
> > On 19.02.2013 14:58, Geoffrey Carman wrote:
> >>> Shouldn't the AD driver shim provide a bit more feedback (something like
> >>> object-class not found) rather than just reporting success on a modify
> >>> that didn't actually do anything because the object class was wrong?
> >>
> >> You would think. But if you skip an object class entirely it will often
> >> do nothing and report success as well.
> >
> > Yes I've seen that too. However that is a different situation (assuming
> > you supply a DN or association), it shouldn't matter so much that you
> > don't supply an object class on a modify as it can just derive this by
> > querying the object identifier (DN /assoc)
>
> True enough. Be nice if it did that.
>
> > However supplying an incorrect object class on modify should cause an
> > error (IMHO). One wonders if this is more a limitation of the LDAP
> > interface in AD that AD itself doesn't return an error so the driver
> > shim assumes the modify was successful.
>
> Yes it should.


I am sorry
Which recommendations? (Not so well I understand English as it is
necessary)

Serg


--
skoltogyan
------------------------------------------------------------------------
skoltogyan's Profile: https://forums.netiq.com/member.php?userid=4390
View this thread: https://forums.netiq.com/showthread.php?t=46859


Re: IDM ceased to create and change objects in AD

On 20.02.2013 07:44, skoltogyan wrote:
>
> geoffc;225647 Wrote:
>> On 2/19/2013 9:15 AM, Alex McHugh wrote:
>>> On 19.02.2013 14:58, Geoffrey Carman wrote:
>>>>> Shouldn't the AD driver shim provide a bit more feedback (something like
>>>>> object-class not found) rather than just reporting success on a modify
>>>>> that didn't actually do anything because the object class was wrong?
>>>>
>>>> You would think. But if you skip an object class entirely it will often
>>>> do nothing and report success as well.
>>>
>>> Yes I've seen that too. However that is a different situation (assuming
>>> you supply a DN or association), it shouldn't matter so much that you
>>> don't supply an object class on a modify as it can just derive this by
>>> querying the object identifier (DN /assoc)
>>
>> True enough. Be nice if it did that.
>>
>>> However supplying an incorrect object class on modify should cause an
>>> error (IMHO). One wonders if this is more a limitation of the LDAP
>>> interface in AD that AD itself doesn't return an error so the driver
>>> shim assumes the modify was successful.
>>
>> Yes it should.
>
> I am sorry
> Which recommendations? (Not so well I understand English as it is
> necessary)


That discussion between Geoffrey and I should have been moved to a
separate thread.

The recommendation (from both Aaron and I) is that you post an
engine-side level 3 trace that shows the problem.

We think that the problem is caused by incorrect schema mapping - this
is only shown in the engine side trace (until now you have posted only
traces from the remote loader side).

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: IDM ceased to create and change objects in AD


alexmchugh;225720 Wrote:
> On 20.02.2013 07:44, skoltogyan wrote:
> >
> > geoffc;225647 Wrote:
> >> On 2/19/2013 9:15 AM, Alex McHugh wrote:
> >>> On 19.02.2013 14:58, Geoffrey Carman wrote:
> >>>>> Shouldn't the AD driver shim provide a bit more feedback (something like
> >>>>> object-class not found) rather than just reporting success on a modify
> >>>>> that didn't actually do anything because the object class was wrong?
> >>>>
> >>>> You would think. But if you skip an object class entirely it will often
> >>>> do nothing and report success as well.
> >>>
> >>> Yes I've seen that too. However that is a different situation (assuming
> >>> you supply a DN or association), it shouldn't matter so much that you
> >>> don't supply an object class on a modify as it can just derive this by
> >>> querying the object identifier (DN /assoc)
> >>
> >> True enough. Be nice if it did that.
> >>
> >>> However supplying an incorrect object class on modify should cause an
> >>> error (IMHO). One wonders if this is more a limitation of the LDAP
> >>> interface in AD that AD itself doesn't return an error so the driver
> >>> shim assumes the modify was successful.
> >>
> >> Yes it should.
> >
> > I am sorry
> > Which recommendations? (Not so well I understand English as it is
> > necessary)
>
> That discussion between Geoffrey and I should have been moved to a
> separate thread.
>
> The recommendation (from both Aaron and I) is that you post an
> engine-side level 3 trace that shows the problem.
>
> We think that the problem is caused by incorrect schema mapping - this
> is only shown in the engine side trace (until now you have posted only
> traces from the remote loader side).
>
> --
> ----------------------------------------------------------------------
> Alex McHugh
> NetIQ Knowledge Partner http://forums.netiq.com
>
> Please post questions in the forums. No support is provided via email.



Ok... in iManager for the driver edir2alibek I see only:
( * ) Log errors and warnings

How (where) can I change the trace level for the driver engine?

Serg


--
skoltogyan
------------------------------------------------------------------------
skoltogyan's Profile: https://forums.netiq.com/member.php?userid=4390
View this thread: https://forums.netiq.com/showthread.php?t=46859


Re: IDM ceased to create and change objects in AD

Under the 'Misc' section, not the 'Log' section. Trace level: 3 - Max
trace size: 100 MB. Trace file: /path/to/some/existing/directory/driver.trace
Trace name: leave blank always.

Good luck.

Re: IDM ceased to create and change objects in AD


Done.

ftp://ftp1.ami.ua/mytr.log


--
skoltogyan
------------------------------------------------------------------------
skoltogyan's Profile: https://forums.netiq.com/member.php?userid=4390
View this thread: https://forums.netiq.com/showthread.php?t=46859


Re: IDM ceased to create and change objects in AD

Perfect, and here is what we are talking about:

[02/20/13 16:44:13.613]:myrace ST: Mapping class-name 'User' to 'time'.

Your driver config has somehow changed to map from eDirectory's 'User'
class to a class of 'time' (in MAD) which is almost certainly wrong. Go
into your Schema Mapping policyset, choose the policy in there named
'SchemaMapping', and find where that class mapping is set. Change it back
to the default, which is probably 'user' (lower case 'User') and see if
that works when restarting the driver config object in iManager/Designer.

Good luck.

Re: IDM ceased to create and change objects in AD


ab;225756 Wrote:
> Perfect, and here is what we are talking about:
>
> [02/20/13 16:44:13.613]:myrace ST: Mapping class-name 'User' to 'time'.
>
> Your driver config has somehow changed to map from eDirectory's 'User'
> class to a class of 'time' (in MAD) which is almost certainly wrong. Go
> into your Schema Mapping policyset, choose the policy in there named
> 'SchemaMapping', and find where that class mapping is set. Change it back
> to the default, which is probably 'user' (lower case 'User') and see if
> that works when restarting the driver config object in iManager/Designer.
>
> Good luck.


Thank you!
This helped me.
At this time:
eDir[User]<->ApplClass[user]
eDir[Group]<->ApplClass[group]
eDir[Organizational Unit]<->ApplClass[organizationalUnit]
eDir[Organization]<->ApplClass[organization]
eDir[Locality]<->ApplClass[locality]

And eDir-->AD works again.

Serg


--
skoltogyan
------------------------------------------------------------------------
skoltogyan's Profile: https://forums.netiq.com/member.php?userid=4390
View this thread: https://forums.netiq.com/showthread.php?t=46859
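
The check done by eye on the engine-side trace in this thread, as an added example (not part of the original posts and not NetIQ code): it scans trace lines for the `Mapping class-name` message quoted above and reports any class mapping that differs from the working mapping posted at the end of the thread. Only the first sample line comes from the thread; the others are constructed, and treating the reverse direction as valid is an assumption.

```python
import re

# Baseline: the working mapping posted at the end of the thread
# (eDirectory class -> application/AD class).
EXPECTED = {
    "User": "user",
    "Group": "group",
    "Organizational Unit": "organizationalUnit",
    "Organization": "organization",
    "Locality": "locality",
}
# Assumption: the same message appears with the pair reversed for the other direction.
REVERSE = {app: edir for edir, app in EXPECTED.items()}

# Matches the trace message format quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]:.*?Mapping class-name '(?P<src>[^']*)' to '(?P<dst>[^']*)'"
)

def audit_trace(lines):
    """Return one finding per distinct class mapping that deviates from EXPECTED."""
    findings, seen = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a class-mapping message
        src, dst = m["src"], m["dst"]
        if (src, dst) in seen:
            continue  # report each distinct mapping once, at first sight
        seen.add((src, dst))
        if EXPECTED.get(src) == dst or REVERSE.get(src) == dst:
            continue  # matches the baseline in one direction
        findings.append({
            "first_seen": m["ts"], "from": src, "to": dst,
            "expected": EXPECTED.get(src) or REVERSE.get(src),  # None if class unknown
        })
    return findings

SAMPLE_TRACE = [
    "[02/20/13 16:44:13.613]:myrace ST: Mapping class-name 'User' to 'time'.",  # from the thread
    "[02/20/13 16:44:14.101]:myrace ST: Mapping class-name 'Group' to 'group'.",  # constructed
    "[02/20/13 16:44:15.250]:myrace PT: Mapping class-name 'user' to 'User'.",  # constructed
    "[02/20/13 16:44:16.000]:myrace ST: Mapping class-name 'User' to 'time'.",  # constructed repeat
    "[02/20/13 16:44:16.020]:myrace ST: Some unrelated trace message.",  # constructed
]

if __name__ == "__main__":
    for f in audit_trace(SAMPLE_TRACE):
        print(f"{f['first_seen']}: '{f['from']}' -> '{f['to']}' (expected '{f['expected']}')")
```
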


Re: IDM ceased to create and change objects in AD

Good to hear; thank-you for posting back your results, and thanks to Alex
for working through all of the hard details involved with refreshing
application schema.

Good luck.