Respected Contributor.

LDAP errors can't update NetIQ data to AD

Getting errors on RL when trying to update NetIQ data to AD. Most commonly seeing them on title and department. This is severely impacting end users and our customers, as if an AD account has expired and it needs to be extended via a form we created for customers, it fails due to the "atomic" modify from RL to AD. Has anyone seen this before? I would think the solution would not be too complex, but I cannot find it from simple googling.

Thanks!
Casey

DirXML: [05/03/18 07:09:07.10]: Loader: Received 'subscriber execute' document
DirXML: [05/03/18 07:09:07.10]: Loader: XML Document:
DirXML: [05/03/18 07:09:07.10]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="user" event-id="0" scope="entry">
<association>b1856054cc99b4478cf8fbac94c78ca4</association>
<read-attr attr-name="displayName"/>
</query>
</input>
</nds>
DirXML: [05/03/18 07:09:07.10]: Loader: Calling subscriptionShim->execute()
DirXML: [05/03/18 07:09:07.10]: Loader: XML Document:
DirXML: [05/03/18 07:09:07.10]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<query class-name="user" event-id="0" scope="entry">
<association>b1856054cc99b4478cf8fbac94c78ca4</association>
<read-attr attr-name="displayName"/>
</query>
</input>
</nds>
DirXML: [05/03/18 07:09:07.10]: ADDriver: parse command

className user
destDN
eventId 0
association b1856054cc99b4478cf8fbac94c78ca4
DirXML: [05/03/18 07:09:07.10]: ADDriver: query
DirXML: [05/03/18 07:09:07.10]: ADDriver: query constraints
DirXML: [05/03/18 07:09:07.10]: ADDriver: query
base DN: CN=Desiderato\, Erika (STUDENT),OU=Students,OU=Standard,OU=People,DC=domainname,DC=org,
filter: (objectClass=*),
return: (attribute values) objectClass, objectGUID, displayName,
DirXML: [05/03/18 07:09:07.10]: ADDriver: query
base DN: CN=Desiderato\, Erika (STUDENT),OU=Students,OU=Standard,OU=People,DC=domainname,DC=org,
filter: (objectClass=*),
return: (attribute values) objectClass, objectGUID, displayName,
DirXML: [05/03/18 07:09:07.10]: ADDriver: ldap get next page ( 2147483647)
DirXML: [05/03/18 07:09:07.10]: ADDriver: ldap get next page ( 2147483647)
DirXML: [05/03/18 07:09:07.10]: Loader: subscriptionShim->execute() returned:
DirXML: [05/03/18 07:09:07.10]: Loader: XML Document:
DirXML: [05/03/18 07:09:07.10]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\EXAMPLE\system\Driver Set\AD-domainname">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<instance src-dn="CN=Desiderato\, Erika (STUDENT),OU=Students,OU=Standard,OU=People,DC=domainname,DC=org" class-name="user" event-id="0">
<association>b1856054cc99b4478cf8fbac94c78ca4</association>
<attr attr-name="displayName">
<value type="string" naming="true">Desiderato, Erika (STUDENT)</value>
</attr>
</instance>
<status level="success" event-id="0"/>
</output>
</nds>
DirXML: [05/03/18 07:09:07.10]:
DirXML Log Event -------------------
Driver = \EXAMPLE\system\Driver Set\AD-domainname
Thread = Subscriber Channel
Level = success
DirXML: [05/03/18 07:09:07.50]: Loader: Received 'subscriber execute' document
DirXML: [05/03/18 07:09:07.50]: Loader: XML Document:
DirXML: [05/03/18 07:09:07.50]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20180503140902.633Z" class-name="user" event-id="My Clinical Exchange#Publisher#0:fce8cac9-3015-4305-92d6-2bb8fa5b2fac" qualified-src-dn="O=data\OU=users\CN=EDESIDERATO" src-dn="\EXAMPLE\data\users\EDESIDERATO" src-entry-id="232674" timestamp="1525356542#83">
<association state="associated">b1856054cc99b4478cf8fbac94c78ca4</association>
<modify-attr attr-name="description">
<add-value>
<value timestamp="1525356542#81" type="string">MCE Student - Organizational Developmnt (719570)</value>
</add-value>
</modify-attr>
<modify-attr attr-name="department">
<remove-value>
<value timestamp="1525356537#32" type="string">Critical Care</value>
</remove-value>
<add-value>
<value timestamp="1525356542#79" type="string">Organizational Developmnt (719570)</value>
</add-value>
</modify-attr>
<modify-attr attr-name="userPrincipalName">
<remove-all-values/>
<add-value>
<value type="string">EDESIDERATO@EXAMPLE.com</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [05/03/18 07:09:07.50]: Loader: Calling subscriptionShim->execute()
DirXML: [05/03/18 07:09:07.50]: Loader: XML Document:
DirXML: [05/03/18 07:09:07.50]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20180503140902.633Z" class-name="user" event-id="My Clinical Exchange#Publisher#0:fce8cac9-3015-4305-92d6-2bb8fa5b2fac" qualified-src-dn="O=data\OU=users\CN=EDESIDERATO" src-dn="\EXAMPLE\data\users\EDESIDERATO" src-entry-id="232674" timestamp="1525356542#83">
<association state="associated">b1856054cc99b4478cf8fbac94c78ca4</association>
<modify-attr attr-name="description">
<add-value>
<value timestamp="1525356542#81" type="string">MCE Student - Organizational Developmnt (719570)</value>
</add-value>
</modify-attr>
<modify-attr attr-name="department">
<remove-value>
<value timestamp="1525356537#32" type="string">Critical Care</value>
</remove-value>
<add-value>
<value timestamp="1525356542#79" type="string">Organizational Developmnt (719570)</value>
</add-value>
</modify-attr>
<modify-attr attr-name="userPrincipalName">
<remove-all-values/>
<add-value>
<value type="string">EDESIDERATO@EXAMPLE.com</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [05/03/18 07:09:07.50]: ADDriver: parse command

className user
destDN
eventId My Clinical Exchange#Publisher#0:fce8cac9-3015-4305-92d6-2bb8fa5b2fac
association b1856054cc99b4478cf8fbac94c78ca4
DirXML: [05/03/18 07:09:07.50]: ADDriver: parse modify class = user
DirXML: [05/03/18 07:09:07.50]: ADDriver: association
DirXML: [05/03/18 07:09:07.50]: ADDriver: b1856054cc99b4478cf8fbac94c78ca4
DirXML: [05/03/18 07:09:07.50]: ADDriver: modify-attr
DirXML: [05/03/18 07:09:07.50]: ADDriver: add-value
DirXML: [05/03/18 07:09:07.50]: ADDriver: value
DirXML: [05/03/18 07:09:07.50]: ADDriver: MCE Student - Organizational Developmnt (719570)
DirXML: [05/03/18 07:09:07.50]: ADDriver: modify-attr
DirXML: [05/03/18 07:09:07.50]: ADDriver: remove-value
DirXML: [05/03/18 07:09:07.50]: ADDriver: value
DirXML: [05/03/18 07:09:07.50]: ADDriver: Critical Care
DirXML: [05/03/18 07:09:07.50]: ADDriver: add-value
DirXML: [05/03/18 07:09:07.50]: ADDriver: value
DirXML: [05/03/18 07:09:07.50]: ADDriver: Organizational Developmnt (719570)
DirXML: [05/03/18 07:09:07.50]: ADDriver: modify-attr
DirXML: [05/03/18 07:09:07.50]: ADDriver: remove-all-values
DirXML: [05/03/18 07:09:07.50]: ADDriver: add-value
DirXML: [05/03/18 07:09:07.50]: ADDriver: value
DirXML: [05/03/18 07:09:07.50]: ADDriver: EDESIDERATO@EXAMPLE.com
DirXML: [05/03/18 07:09:07.50]: ADDriver: ldap_modify user CN=Desiderato\, Erika (STUDENT),OU=Students,OU=Standard,OU=People,DC=domainname,DC=org
LDAPMod operations:
replace attribute description
>> MCE Student - Organizational Developmnt (719570)
delete attribute department
>> Critical Care
add attribute department
>> Organizational Developmnt (719570)
delete attribute userPrincipalName
add attribute userPrincipalName
>> EDESIDERATO@EXAMPLE.com
DirXML: [05/03/18 07:09:07.50]: Loader: subscriptionShim->execute() returned:
DirXML: [05/03/18 07:09:07.50]: Loader: XML Document:
DirXML: [05/03/18 07:09:07.50]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\EXAMPLE\system\Driver Set\AD-domainname">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="error" type="driver-general" event-id="My Clinical Exchange#Publisher#0:fce8cac9-3015-4305-92d6-2bb8fa5b2fac">
<ldap-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
<client-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value Exists</client-err>
<server-err>00002081: AtrErr: DSID-030F18AE, #1:
0: 00002081: DSID-030F18AE, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 2008d (department)
</server-err>
<server-err-ex win32-rc="8321"/>
</ldap-err>
</status>
</output>
</nds>
DirXML: [05/03/18 07:09:07.50]:
DirXML Log Event -------------------
Driver = \EXAMPLE\system\Driver Set\AD-domainname
Thread = Subscriber Channel
Object = \EXAMPLE\data\users\EDESIDERATO
Level = error
Message = <ldap-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
<client-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value Exists</client-err>
<server-err>00002081: AtrErr: DSID-030F18AE, #1:
0: 00002081: DSID-030F18AE, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 2008d (department)
</server-err>
<server-err-ex win32-rc="8321"/>
</ldap-err>

Knowledge Partner

Re: LDAP errors can't update NetIQ data to AD

It would help if we could see the whole event's trace, and not just from
somewhere in the middle. Also it may help to see it from the perspective
of the engine when the driver config is initially started so the filter
settings and other things are shown.

In this case the error coming back is that some change you are trying to
make is already present in MAD. This implies that you are trying to do
things that are already done (why?) and that your two environments are out
of sync for some reason (why?). Knowing how things came to get into this
state may be useful.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

Knowledge Partner

Re: LDAP errors can't update NetIQ data to AD

cosborne;2480413 wrote:
Getting errors on RL when trying to update NetIQ data to AD. Most commonly seeing them on title and department. This is severely impacting end users and our customers, as if an AD account has expired and it needs to be extended via a form we created for customers, it fails due to the "atomic" modify from RL to AD. Has anyone seen this before? I would think the solution would not be too complex, but I cannot find it from simple googling.

Thanks!
Casey

As Aaron says, it sounds like your environments are out of sync, so you're trying to remove a value that isn't there, and the subsequent add value fails because it's already present or some such. You'd need to have a look at the object in MAD to see what's there and what isn't.

The root problem is that IDM assumes that your environments are in sync, because that's what it does. Where people get involved and make that not true, you see things like this happen. There have been some previous solutions posted to this forum, but here's mine:

Create a GCV of attributes you want to overwrite when they change (title, department). Then put this on your subscriber command transform:


<rule>
  <description>Force Attribute Updates</description>
  <comment xml:space="preserve">Force overwrite of attributes in destination to fix any that are incorrect.</comment>
  <conditions>
    <and>
      <if-operation mode="nocase" op="equal">modify</if-operation>
      <if-global-variable name="MAD-ForceAttrsList" op="available"/>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="ForceAttributes" scope="policy">
      <arg-node-set>
        <token-split delimiter=",">
          <token-global-variable name="MAD-ForceAttrsList"/>
        </token-split>
      </arg-node-set>
    </do-set-local-variable>
    <do-for-each>
      <arg-node-set>
        <token-local-variable name="ForceAttributes"/>
      </arg-node-set>
      <arg-actions>
        <do-if>
          <arg-conditions>
            <and>
              <if-op-attr name="$current-node$" op="available"/>
              <if-xpath op="not-true">modify-attr[@attr-name=$current-node]/remove-all-values</if-xpath>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-trace-message>
              <arg-string>
                <token-text xml:space="preserve">Overwriting destination attribute: </token-text>
                <token-local-variable name="current-node"/>
                <token-text xml:space="preserve"> </token-text>
                <token-op-attr name="$current-node$"/>
              </arg-string>
            </do-trace-message>
            <do-append-xml-element before="add-value" expression="*[@attr-name=$current-node]" name="remove-all-values"/>
            <do-strip-xpath expression="modify-attr[@attr-name=$current-node]/remove-value"/>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
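
The rewrite this rule performs, reproduced offline as an added Python example (not the poster's policy and not NetIQ code), so a captured `<modify>` can be checked before the policy goes onto a driver. The sample document is constructed from the trace in the question; `load`, `force_overwrite` and `describe` are names made up for this sketch, and the list passed in stands in for the `MAD-ForceAttrsList` GCV.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <modify> from the trace in the question, with
# timestamps and source metadata trimmed.
SAMPLE_MODIFY = """\
<modify class-name="user">
  <association state="associated">b1856054cc99b4478cf8fbac94c78ca4</association>
  <modify-attr attr-name="description">
    <add-value><value type="string">MCE Student - Organizational Developmnt (719570)</value></add-value>
  </modify-attr>
  <modify-attr attr-name="department">
    <remove-value><value type="string">Critical Care</value></remove-value>
    <add-value><value type="string">Organizational Developmnt (719570)</value></add-value>
  </modify-attr>
  <modify-attr attr-name="userPrincipalName">
    <remove-all-values/>
    <add-value><value type="string">EDESIDERATO@EXAMPLE.com</value></add-value>
  </modify-attr>
</modify>
"""


def load(xml_text):
    """Parse an XDS <modify> fragment into an element tree."""
    return ET.fromstring(xml_text)


def force_overwrite(modify, force_attrs):
    """Apply the rule's rewrite in place; return the attribute names changed.

    Attribute names are compared case-insensitively, which is an assumption
    of this sketch rather than something the policy states.
    """
    wanted = {a.strip().lower() for a in force_attrs}
    changed = []
    for mod_attr in modify.findall("modify-attr"):
        name = mod_attr.get("attr-name", "")
        if name.lower() not in wanted:
            continue
        # Rule condition 1 (as read here): the operation has a value to add.
        if mod_attr.find("add-value") is None:
            continue
        # Rule condition 2: not already a remove-all-values/add-value pair.
        if mod_attr.find("remove-all-values") is not None:
            continue
        # do-strip-xpath: drop every remove-value for this attribute.
        for stale in mod_attr.findall("remove-value"):
            mod_attr.remove(stale)
        # do-append-xml-element before="add-value": clear first, then add.
        position = list(mod_attr).index(mod_attr.find("add-value"))
        mod_attr.insert(position, ET.Element("remove-all-values"))
        changed.append(name)
    return changed


def describe(modify):
    """Flatten a <modify> into (attribute, operation, value) tuples."""
    ops = []
    for mod_attr in modify.findall("modify-attr"):
        name = mod_attr.get("attr-name")
        for op in mod_attr:
            values = [v.text for v in op.findall("value")] or [None]
            ops.extend((name, op.tag, value) for value in values)
    return ops


if __name__ == "__main__":
    doc = load(SAMPLE_MODIFY)
    print("rewritten:", force_overwrite(doc, ["title", "department"]))
    for row in describe(doc):
        print(row)
```

After the rewrite, `department` no longer depends on the destination still holding "Critical Care", and attributes outside the list are left as they arrived.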

Knowledge Partner

Re: LDAP errors can't update NetIQ data to AD

On 5/4/2018 4:46 PM, cosborne wrote:
> <output>
> <status level="error"
> type="driver-general" event-id="My Clinical
> Exchange#Publisher#0:fce8cac9-3015-4305-92d6-2bb8fa5b2fac">
> <ldap-err ldap-rc="20"
> ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
>
> <client-err ldap-rc="20"
> ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value
> Exists</client-err>
>
> <server-err>00002081: AtrErr: DSID-030F18AE, #1:
> 0: 00002081: DSID-030F18AE, problem 1006
> (ATT_OR_VALUE_EXISTS), data 0, Att 2008d (department)
> </server-err>
>
> <server-err-ex win32-rc="8321"/>
> </ldap-err>
> </status>
> </output>


Look at the <server-err-ex win32-rc="8321"> node and look up 8321 at
this page:
https://msdn.microsoft.com/en-us/library/ms681390(VS.85).aspx

8321 says:
ERROR_DS_SINGLE_VALUE_CONSTRAINT

8321 (0x2081)

Multiple values were specified for an attribute that can have only
one value.



So single valued attribute and you are adding a second value.

Change it to Set Dest Attr if you can, so you have a <remove-all-values>
instead of a remove-value/add-value since once you are out of sync, you
are in trouble.

What I did was make a package called Multi Valued Attribute cleaner that
reads the AD schema and learns which attrs are single valued, and
converts modifies to include a remove-all-values node.

You can get that from my company's public repo:

https://idmfolder.ciscony.com/cis-idm-repo/

Add it in Designer and you can try it in your driver.
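
An added example, not from the thread or from the package mentioned above: the lookup described in this reply, run over a trace. It pulls each error status out of the trace, reads `win32-rc` and the attribute named in `server-err`, and lists the attributes that hit the single-value constraint. The trace is constructed from the one in the question, the function names are made up here, and the code table holds only the value quoted on this page.

```python
import re
import xml.etree.ElementTree as ET

# Only the Win32 code named on this page; extend from Microsoft's list.
WIN32_NAMES = {8321: "ERROR_DS_SINGLE_VALUE_CONSTRAINT"}

# Constructed sample: status documents cut from the trace in the question.
SAMPLE_TRACE = """\
DirXML: [05/03/18 07:09:07.10]: Loader: subscriptionShim->execute() returned:
<output>
<status level="success" event-id="0"/>
</output>
DirXML: [05/03/18 07:09:07.50]: Loader: subscriptionShim->execute() returned:
<output>
<status level="error" type="driver-general" event-id="My Clinical Exchange#Publisher#0:fce8cac9-3015-4305-92d6-2bb8fa5b2fac">
<ldap-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
<client-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value Exists</client-err>
<server-err>00002081: AtrErr: DSID-030F18AE, #1:
0: 00002081: DSID-030F18AE, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 2008d (department)
</server-err>
<server-err-ex win32-rc="8321"/>
</ldap-err>
</status>
</output>
"""

# An error <status> that has a body (self-closing ones carry no ldap-err).
ERROR_STATUS = re.compile(
    r'<status\b[^>]*\blevel="error"[^>]*(?<!/)>.*?</status>', re.S)
# The per-attribute line inside <server-err>.
ATTR_DETAIL = re.compile(
    r"([0-9A-Fa-f]{8}): DSID-\w+, problem (\d+) \((\w+)\), data -?\d+, "
    r"Att [0-9A-Fa-f]+ \(([^)]+)\)")


def triage(trace_text):
    """Return one finding per error status that contains an <ldap-err>."""
    findings = []
    for match in ERROR_STATUS.finditer(trace_text):
        status = ET.fromstring(match.group(0))
        ldap_err = status.find("ldap-err")
        if ldap_err is None:
            continue
        extended = ldap_err.find("server-err-ex")
        win32_rc = int(extended.get("win32-rc")) if extended is not None else None
        detail = ATTR_DETAIL.search(ldap_err.findtext("server-err", ""))
        findings.append({
            "event_id": status.get("event-id"),
            "ldap_rc": int(ldap_err.get("ldap-rc")),
            "ldap_rc_name": ldap_err.get("ldap-rc-name"),
            "win32_rc": win32_rc,
            "win32_name": WIN32_NAMES.get(win32_rc, "unknown"),
            # The hex code in server-err is the same number as win32-rc.
            "server_code": int(detail.group(1), 16) if detail else None,
            "problem": detail.group(3) if detail else None,
            "attr": detail.group(4) if detail else None,
        })
    return findings


def single_valued_candidates(findings):
    """Attributes that failed on the single-value constraint, deduplicated."""
    return sorted({f["attr"] for f in findings
                   if f["attr"] and f["win32_name"] == "ERROR_DS_SINGLE_VALUE_CONSTRAINT"})


if __name__ == "__main__":
    results = triage(SAMPLE_TRACE)
    for finding in results:
        print(finding)
    print("use remove-all-values for:", single_valued_candidates(results))
```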



Respected Contributor.

Re: LDAP errors can't update NetIQ data to AD

Support pointed me to this code, which is in the output transformation policy. It has seemed to work: it detects if it is single or multi valued and makes the right call accordingly. Here is the code:

<rule>
  <description>[CIS] Handle Multi-to-single valued conversions</description>
  <comment xml:space="preserve">Generic Rule which reads the application schema from AD and determines if it needs to take only the first value from a multi-valued eDirectory attribute
  </comment>
  <conditions>
    <or>
      <if-operation mode="case" op="equal">modify</if-operation>
      <if-operation mode="case" op="equal">add</if-operation>
    </or>
  </conditions>
  <actions>
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable name="APP-SCHEMA" op="not-available"/>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-local-variable name="APP-SCHEMA" scope="driver">
          <arg-node-set>
            <token-xml-parse notrace="true">
              <token-base64-decode notrace="true">
                <token-src-attr name="DirXML-ApplicationSchema" notrace="true">
                  <arg-dn>
                    <token-global-variable name="dirxml.auto.driverdn"/>
                  </arg-dn>
                </token-src-attr>
              </token-base64-decode>
            </token-xml-parse>
          </arg-node-set>
        </do-set-local-variable>
      </arg-actions>
      <arg-actions/>
    </do-if>
    <do-for-each>
      <arg-node-set>
        <token-xpath expression=".//@attr-name"/>
      </arg-node-set>
      <arg-actions>
        <do-set-local-variable name="CLASS" scope="policy">
          <arg-string>
            <token-class-name/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="ATTR-DEF" notrace="true" scope="policy">
          <arg-node-set>
            <token-xpath expression="$APP-SCHEMA/schema-def/class-def/attr-def[@attr-name=$current-node]"/>
          </arg-node-set>
        </do-set-local-variable>
        <do-set-local-variable name="MULTI-VALUED" scope="policy">
          <arg-string>
            <token-xpath expression="$ATTR-DEF[1]/@multi-valued"/>
          </arg-string>
        </do-set-local-variable>
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable mode="nocase" name="MULTI-VALUED" op="equal">false</if-local-variable>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-set-local-variable name="VALUE" scope="policy">
              <arg-string>
                <token-op-attr name="$current-node$"/>
              </arg-string>
            </do-set-local-variable>
            <do-strip-op-attr name="$current-node$"/>
            <do-set-dest-attr-value name="$current-node$">
              <arg-value>
                <token-local-variable name="VALUE"/>
              </arg-value>
            </do-set-dest-attr-value>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>

Knowledge Partner

Re: LDAP errors can't update NetIQ data to AD

On 5/14/2018 12:24 PM, cosborne wrote:
>
> Support pointed me to this code, which is in the output transformation
> policy, it has seemed to work, detects if it is single or multi valued
> and makes right call accordingly, here is the code:



Hmm, I am a little annoyed. My name was in the Comment fields, and
someone removed it. Not cool man, not cool! 🙂

This is from a package I maintain.

Please show me the trace of it failing so we can fix it.

Do you happen to have the package installed on your driver? (Look at
this policy object in LDAP and show us the DirXML-PkgGUID value, since
if you import it and do not have the package in your local Designer
instance, it won't report it as installed on the driver).



