KSEB1 Absent Member.

In Identity manager bidirectional driver sync not working

In Novell Identity Manager, bidirectional driver sync is not working. Can anyone please suggest?
19 Replies
KSEB1 Absent Member.

Re: In Identity manager bidirectional driver sync not working

In the log it is showing:
LDAPInterface.doLDAPAdd() Error: LDAPException: Insufficient Access Rights (50) Insufficient Access Rights
LDAPException: Server Message: NDS error: no access (-672)
Knowledge Partner

Re: In Identity manager bidirectional driver sync not working

If you did not specify a user with sufficient privileges either as the
local security equivalence or with the remote tree, then that would cause
a -672. Where the rights need to be given depends on where the rights are
lacking. Post a level three (3) trace of driver startup and we'll look at it.

If you are in a hurry, you may want to call Micro Focus for official support.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
KSEB1 Absent Member.

Re: In Identity manager bidirectional driver sync not working

https://drive.google.com/open?id=1PlrYOqBm48jKO0JXCikdyJqiyXFeYtlh

Please find the attached link for IDVto edirectory trace log.
Knowledge Partner

Re: In Identity manager bidirectional driver sync not working

There are several inconsistencies here.

Your original complaint was about a -672 error, which I do not see
anywhere in the trace. Where is that?

Also, it appears you are using TCP 389, which generally you should not as
there is no guarantee of privacy, unless you happened to use TLS/SSL on
that port instead of 636, which you so far have not done.

Also, for some reason you have your driver config pointing to 127.0.0.1
which is your vault box. Using this as a Null or loopback type of driver
config is not recommended; you should be pointing this to another tree.
Maybe you are, and just have a really odd setup on this box, but I think
it more likely this is a misconfiguration.

It may help if you describe when this worked last, how it broke since
then, and what its purpose is. If you are starting with a new system, you
should do this in a test environment. If you have a consultant or
somebody setting this up for the first time (or if you are that
consultant), you should setup a test environment to understand the
technology before deploying it in Production.

IDM is a wonderful technology, and used properly it will save tons of
mistakes, money, and improve security in an environment. Used
incorrectly, it can do bad things as easily as it can do good things
(maybe more easily). Great power, great responsibility, etc.

A driver config startup trace would still be appreciated, though the GCV
screenshots show some of what was sought.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
KSEB1 Absent Member.

Re: In Identity manager bidirectional driver sync not working

> Your original complaint was about a -672 error, which I do not see
> anywhere in the trace. Where is that?

Actually, now I am testing in the test environment to resolve the issue. The trace I sent yesterday is the test environment driver start trace.

> Also, it appears you are using TCP 389, which generally you should not as
> there is no guarantee of privacy, unless you happened to use TLS/SSL on
> that port instead of 636, which you so far have not done.
>
> Also, for some reason you have your driver config pointing to 127.0.0.1
> which is your vault box. Using this as a Null or loopback type of driver
> config is not recommended; you should be pointing this to another tree.
> Maybe you are, and just have a really odd setup on this box, but I think
> it more likely this is a misconfiguration.
>
> It may help if you describe when this worked last, how it broke since
> then, and what its purpose is. If you are starting with a new system, you
> should do this in a test environment. If you have a consultant or
> somebody setting this up for the first time (or if you are that
> consultant), you should setup a test environment to understand the
> technology before deploying it in Production.

I have checked in the test environment; it was working. I tested in the test environment; in this also, sync is not working.

> IDM is a wonderful technology, and used properly it will save tons of
> mistakes, money, and improve security in an environment. Used
> incorrectly, it can do bad things as easily as it can do good things
> (maybe more easily). Great power, great responsibility, etc.
>
> A driver config startup trace would still be appreciated, though the GCV
> screenshots show some of what was sought.

Is any trace needed to find the issue? Any suggestion?
KSEB1 Absent Member.

Re: In Identity manager bidirectional driver sync not working

Please find the attached latest level 3 trace log for the driver
https://drive.google.com/open?id=1quUViLS0brtffjikrMnB9cgYiP1UIPqa
Please suggest
Knowledge Partner

Re: In Identity manager bidirectional driver sync not working

On 5/27/2019 1:06 AM, KSEB wrote:
>
> Please find the attached latest level 3 trace log for the driver
> https://drive.google.com/open?id=1quUViLS0brtffjikrMnB9cgYiP1UIPqa


That is a good trace sample.

Again, did you do what Aaron or I suggested? Did you check the
effective rights of the user in the remote eDir that the driver logs in as?

Does it have sufficient permission to write an object in the container:
dn: CN=0000002,OU=Assistant Engineer,OU=KSEB_Designation,O=kseb

Does it have permissions to write to all the attributes in the event?

[05/26/19 16:20:41.782]:IDVtoEdir ST:IDV to Edir: LDAP Add:
dn: CN=0000002,OU=Assistant Engineer,OU=KSEB_Designation,O=kseb
pan: AKTPA5941K
passwordUniqueRequired: <content suppressed>
passwordExpirationTime: <content suppressed>
passwordExpirationInterval: <content suppressed>
designationTypeId: 2
statusStartOn: 2015-09-03
loginDisabled: false
loginGraceLimit: 10
passwordRequired: <content suppressed>
designationId: 182
serviceStatusId: 1
passwordMinimumLength: <content suppressed>
KsebAcessBar: SCM||AESN||4679
KsebAcessBar: HRIS||HRIS_ROLE||4679
KsebAcessBar: SARAS||SARAS_ROLE||4679
KsebAcessBar: ORUMANET||ORUMA_ROLE||4679
KsebAcessBar: CCC-ET||ROLE_ADMIN||4679
KsebAcessBar: CCC-ET||ROLE_ADMIN||4501
KsebAcessBar: CCC-ET||ROLE_ADMIN||4502
KsebAcessBar: CCC-ET||ROLE_ADMIN||5731
KsebAcessBar: CCC-ET||ROLE_ADMIN||5732
KsebAcessBar: CCC-ET||ROLE_ADMIN||5541
designation: Assistant Engineer
serviceStatus: Duty
statusCode: DUTY
statusUpdateOn: 2016-06-01
ACL: 2#entry#[Self]#[All Attributes Rights]
ACL: 6#entry#[Self]#loginScript
ACL: 2#entry#[Public]#messageServer
ACL: 2#entry#[Root]#groupMembership
ACL: 6#entry#[Self]#printJobConfiguration
ACL: 2#entry#[Root]#networkAddress
ACL: 47#entry#[Self]#passwordAllowChange
position: Computer Programmer(NQ)
code: 4679
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: Person
objectclass: ndsLoginProperties
objectclass: Top
birthDate: 1978-04-25
employeeType: Regular
officeName: Poonthura Electrical Section
loginGraceRemaining: 10
passwordAllowChange: <content suppressed>
sn: t f
lastModifiedTimestamp: 2016-05-28 13:19:52
employeeName: TEST T F
employeeCode: 0000002
designationType: Officers
employeeTypeId: 1
userpassword: <content suppressed>
fullName: TEST T F
givenname: test hi
cn: 0000002
retirementDate: 2034-04-30
joinDate: 2006-09-11
employeeStatus: Active
positionId: 32
title: Assistant Engineer

[05/26/19 16:20:41.785]:IDVtoEdir ST:IDV to Edir: OpenLDAPConnection -
Connect to the server
[05/26/19 16:20:41.785]:IDVtoEdir ST:IDV to Edir: Opening clear text
connection
[05/26/19 16:20:41.791]:IDVtoEdir ST:IDV to Edir: WARNING !!!
WARNING !!! WARNING !!!
[05/26/19 16:20:41.791]:IDVtoEdir ST:IDV to Edir: You are using a
clear-text connection.
[05/26/19 16:20:41.791]:IDVtoEdir ST:IDV to Edir: The user password will
be sent in plain-text, which can be sniffed easily.
[05/26/19 16:20:41.791]:IDVtoEdir ST:IDV to Edir: It is recommended to
use SSL to secure the connection.

[05/26/19 16:20:41.793]:IDVtoEdir ST:IDV to Edir: Host name: 10.0.1.32
[05/26/19 16:20:41.793]:IDVtoEdir ST:IDV to Edir: Port: 389
[05/26/19 16:20:41.794]:IDVtoEdir ST:IDV to Edir: DN: null
[05/26/19 16:20:41.794]:IDVtoEdir ST:IDV to Edir: Protocol version=3
[05/26/19 16:20:41.794]:IDVtoEdir ST:IDV to Edir: SDK version=4.5
[05/26/19 16:20:41.799]:IDVtoEdir ST:IDV to Edir:
LDAPInterface.doLDAPAdd() Error: LDAPException: Insufficient Access
Rights (50) Insufficient Access Rights
LDAPException: Server Message: NDS error: no access (-672)
KSEB1 Absent Member.

Re: In Identity manager bidirectional driver sync not working

What I have done is: I deleted the user from eDirectory. Then I deleted the association of this user. Then I tried to manually migrate from the Identity Vault. When trying this, the error shown above appears.
How do I check remote eDir rights?
Knowledge Partner

Re: In Identity manager bidirectional driver sync not working

That is not what was asked; have you verified rights of the user being
used to connect to the remote eDirectory tree itself, perhaps by creating
this user manually via something like Apache Directory Studio using the
user you have configured within your driver config object for the remote
tree: cn=admin,o=kseb

That user sounds like a tree administrator, so assuming you do not have
any odd rights setup or restricted within that remote tree my next guess
is that you have forgotten to set the password within the driver
configuration object. Where you see cn=admin,o=kseb there should be a
password field nearby. Set the password for that user in there. It
should not show up in the driver config trace, but it will let the
authentication happen properly.

Why would you get an LDAP error other than an LDAP 49 without a password
set? If you forget to set the password then, per LDAP standard's RFCs,
your connection automatically defaults to be anonymous, which may mean you
can continue interacting with the server, but it means you lack the rights
needed to create/modify.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
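A small offline checker for this kind of driver trace, added here as an illustration and not part of the thread or of NetIQ's tooling. It pulls the host, port, bind DN and the LDAP/NDS result codes out of the trace lines quoted in the reply above (re-joined where the forum wrapped them) and flags the three things the replies point at: a clear-text connection on 389, no bind DN (taken here, as an assumption, as the sign of the anonymous bind that a missing password produces) and the LDAP 50 / NDS -672 result. The second trace is constructed as a healthy counter-example; the advice strings paraphrase the replies in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Driver trace lines quoted earlier in this thread, with the forum's line wraps re-joined.
SAMPLE_TRACE = """\
[05/26/19 16:20:41.785]:IDVtoEdir ST:IDV to Edir: OpenLDAPConnection - Connect to the server
[05/26/19 16:20:41.785]:IDVtoEdir ST:IDV to Edir: Opening clear text connection
[05/26/19 16:20:41.791]:IDVtoEdir ST:IDV to Edir: WARNING !!! WARNING !!! WARNING !!!
[05/26/19 16:20:41.791]:IDVtoEdir ST:IDV to Edir: You are using a clear-text connection.
[05/26/19 16:20:41.793]:IDVtoEdir ST:IDV to Edir: Host name: 10.0.1.32
[05/26/19 16:20:41.793]:IDVtoEdir ST:IDV to Edir: Port: 389
[05/26/19 16:20:41.794]:IDVtoEdir ST:IDV to Edir: DN: null
[05/26/19 16:20:41.794]:IDVtoEdir ST:IDV to Edir: Protocol version=3
[05/26/19 16:20:41.799]:IDVtoEdir ST:IDV to Edir: LDAPInterface.doLDAPAdd() Error: LDAPException: Insufficient Access Rights (50) Insufficient Access Rights
LDAPException: Server Message: NDS error: no access (-672)
"""

# Constructed counter-example (not from the thread): SSL on 636 and a bind DN set.
HEALTHY_TRACE = """\
[05/26/19 16:30:00.000]:IDVtoEdir ST:IDV to Edir: OpenLDAPConnection - Connect to the server
[05/26/19 16:30:00.001]:IDVtoEdir ST:IDV to Edir: Opening SSL connection
[05/26/19 16:30:00.002]:IDVtoEdir ST:IDV to Edir: Host name: 10.0.1.32
[05/26/19 16:30:00.002]:IDVtoEdir ST:IDV to Edir: Port: 636
[05/26/19 16:30:00.003]:IDVtoEdir ST:IDV to Edir: DN: cn=admin,o=kseb
[05/26/19 16:30:00.003]:IDVtoEdir ST:IDV to Edir: Protocol version=3
"""

# "[timestamp]:<driver> ST:IDV to Edir: <message>"; continuation lines carry no prefix.
TRACE_LINE = re.compile(r"^\[[^\]]+\]:[^:]+:IDV to Edir:\s*(?P<msg>.*)$")
LDAP_CODE = re.compile(r"LDAPException: .*?\((?P<code>\d+)\)")
NDS_CODE = re.compile(r"NDS error: .*?\((?P<code>-?\d+)\)")

# Advice text paraphrased from the replies in this thread.
ADVICE = {
    "cleartext_ldap": "Clear-text LDAP on 389: the driver password crosses the wire "
                      "unencrypted; use TLS/SSL (636) instead.",
    "no_bind_dn": "Bind DN logged as null: check the authentication ID and password in "
                  "the driver config (no password means an anonymous bind).",
    "insufficient_rights": "LDAP 50 / NDS -672: verify the authentication user's effective "
                           "rights on the target container and on every attribute in the filter.",
}


@dataclass
class TraceFindings:
    host: Optional[str] = None
    port: Optional[int] = None
    bind_dn: Optional[str] = None
    cleartext: bool = False
    ldap_result_code: Optional[int] = None
    nds_error: Optional[int] = None
    issues: List[str] = field(default_factory=list)


def analyze_trace(text: str) -> TraceFindings:
    """Extract connection parameters and result codes, then tag the issues seen."""
    f = TraceFindings()
    for raw in text.splitlines():
        m = TRACE_LINE.match(raw)
        msg = (m.group("msg") if m else raw).strip()
        if msg.startswith("Host name:"):
            f.host = msg.split(":", 1)[1].strip()
        elif msg.startswith("Port:"):
            f.port = int(msg.split(":", 1)[1])
        elif msg.startswith("DN:"):
            dn = msg.split(":", 1)[1].strip()
            # Assumption: "null" here means no authentication DN was presented.
            f.bind_dn = None if dn.lower() in ("", "null") else dn
        elif "clear text connection" in msg.lower() or "clear-text connection" in msg.lower():
            f.cleartext = True
        lm = LDAP_CODE.search(msg)
        if lm:
            f.ldap_result_code = int(lm.group("code"))
        nm = NDS_CODE.search(msg)
        if nm:
            f.nds_error = int(nm.group("code"))

    if f.cleartext or f.port == 389:
        f.issues.append("cleartext_ldap")
    if f.host is not None and f.bind_dn is None:
        f.issues.append("no_bind_dn")
    if f.ldap_result_code == 50 or f.nds_error == -672:
        f.issues.append("insufficient_rights")
    return f


def report(f: TraceFindings) -> List[str]:
    """One advice line per flagged issue."""
    return [ADVICE[i] for i in f.issues]


if __name__ == "__main__":
    for name, trace in (("thread trace", SAMPLE_TRACE), ("constructed healthy trace", HEALTHY_TRACE)):
        found = analyze_trace(trace)
        print(f"{name}: host={found.host} port={found.port} bind_dn={found.bind_dn}")
        for line in report(found) or ["no issues flagged"]:
            print("  -", line)
```

Run it against a level 3 driver trace saved from iManager or the engine log; the three tags map directly onto the checks asked for in this thread (encryption of the remote connection, whether a bind DN and password are actually presented, and whether the authentication user has rights on the container and attributes being written).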
KSEB1 Absent Member.

Re: In Identity manager bidirectional driver sync not working

If we set a new password, will it affect other users? Or do we need to set the application password to be the same as the IDM application password or the eDir application password?
Please suggest.
Knowledge Partner

Re: In Identity manager bidirectional driver sync not working

Follow the documentation:
https://www.netiq.com/documentation/identity-manager-47-drivers/bidirect_edirectory/data/creating-the-driver-object-in-designer.html#bfvehvc

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
KSEB1 Absent Member.

Re: In Identity manager bidirectional driver sync not working

Thank you AB
Knowledge Partner

Re: In Identity manager bidirectional driver sync not working

On 5/27/2019 7:36 AM, KSEB wrote:
>
> What I have done is: I deleted the user from eDirectory. Then I deleted
> the association of this user. Then I tried to manually migrate from the
> Identity Vault. When trying this, the error shown above appears.
> How do I check remote eDir rights?


As I wrote last week:

"Look at the driver config, find the user specified as the authentication
ID and then in the Remote eDir, if you use iManager, use the Rights,
Rights to other objects, and specify this object to see its permissions.
Make sure it can read and write to the object and attributes in the
filter."

This assumes you understand eDirectory permissions. If you do not,
please find someone there who does.

(Since you are not entirely clear on this, for events coming out of that
Remote Edir, into the IDV, the Publisher channel, the permission to
write/read the IDV, are based on the Driver objects Security Equals
attribute, pointing at some object with permissions to work in the IDV
tree. But that is not your error here, just an informative point, since
the next logical question after how are permissions managed in the
remote tree, should be, how are permissions managed in the IDV).

Short version of Permissions:

There are object level (create, delete, write) permissions. Then there
are attribute level permissions. They are distinct and different.

So you might have permissions to modify an attribute (say Internet EMail
Address) but not create a User. So some thought is required.

You could post a screen shot of what the Rights to Other objects shows,
if you are confused.


