LinuxUnix Driver

Folks:

I am standing up a pair of LinuxUnix drivers (bidir) on a new 4.8.1 vault (on SLES15sp1). All new all good (not without some pain, however).

I went through a few machinations as the documentation is missing important details like you MUST fill in the PermissionNameToFile mapping table (and once you know that, what do you put in it?)

Screenshot_20200614_205623.png

And that you need to also fill in StaticValueEntitlementMap

Screenshot_20200614_210015.png

And to change the unvalued entitlements to static valued entitlements with a JSON string as each value {"ID":"users"} for example.

And finally, my code map refresh could see the entitlements so I could make a resource associated to the entitlement and a role assigned to the resource. Then I assigned a user to the role, watched the trace with great anticipation, only to be smacked down with this:

[06/13/20 22:42:11.040]:sles15 ST:Applying policy: %+C%14CNOVLNXENT-sub-ctp-EntitlementsImpl%-C.
   ....unimportant...
[06/13/20 22:42:11.069]:sles15 ST: Action: do-set-local-variable("rpStatus",scope="policy",token-xpath("ps:AllowEntitlementGrantOrRevoke($adminQualifiedLDAPDn,$timeStamp,$checkPayLoad,true)")).
[06/13/20 22:42:11.069]:sles15 ST: arg-string(token-xpath("ps:AllowEntitlementGrantOrRevoke($adminQualifiedLDAPDn,$timeStamp,$checkPayLoad,true)"))
[06/13/20 22:42:11.069]:sles15 ST: token-xpath("ps:AllowEntitlementGrantOrRevoke($adminQualifiedLDAPDn,$timeStamp,$checkPayLoad,true)")
[06/13/20 22:42:11.121]:sles15 ST:Processing returned document.
[06/13/20 22:42:11.121]:sles15 ST:Processing operation <status> for .
[06/13/20 22:42:11.121]:sles15 ST:
DirXML Log Event -------------------
Driver: \PYTHIA\system\driverset1\sles15
Channel: Subscriber
Object: \PYTHIA\data\users\IDM\rrawson
Status: Error
Message: Code(-9131) Error in vnd.nds.stream://PYTHIA/system/driverset1/sles15/Subscriber/NOVLNXENT-sub-ctp-EntitlementsImpl#XmlData:634 : Error evaluating XPATH expression 'token-xpath("ps:AllowEntitlementGrantOrRevoke($adminQualifiedLDAPDn,$timeStamp,$checkPayLoad,true)")' : com.novell.xml.xpath.XPathEvaluationException: function 'ps:AllowEntitlementGrantOrRevoke' not found.

This seems like a missing namespace declaration of a java class. Very sloppy. No idea where to get the java code path or if I have the right jar. Tried to add the name space declaration to the policy element manually thinking that perhaps the method might be within the shim class itself (I do that in my own shims) but Designer gave me a validation error that made no sense.

Any experience or guidance here would be welcome and appreciated.

Thanks
Rob

Accepted Solutions

Re: LinuxUnix Driver

Class is in init-idm-resources.jar which was part of PCRS and came with IDM 4.5 and higher.

 

Namespace declaration should be com.netiq.resources.ProvisioningScheduler I think.

Re: LinuxUnix Driver

Thanks Geoff!

Of course this just peeled another layer of the onion. Investigating this now:

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.8.1.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<add cached-time="20200615141338.818Z" class-name="User" event-id="sles15#20200615141338#1#14:12bf4256-fbbf-4a25-821e-5642bf12bffb" qualified-src-dn="O=data\OU=users\OU=IDM\CN=rrawson"
src-dn="\PYTHIA\data\users\IDM\rrawson" src-entry-id="34208" timestamp="1592230418#220">
<add-attr attr-name="loginName">
<value type="string">rrawson</value>
</add-attr>
<add-attr attr-name="Login Disabled">
<value timestamp="1591114753#88" type="state">false</value>
</add-attr>
<add-attr attr-name="loginName">
<value type="string">rrawson</value>
</add-attr>
<add-attr attr-name="loginName">
<value type="string">rrawson</value>
</add-attr>
<add-attr attr-name="Login Disabled">
<value type="state">false</value>
</add-attr>
<password><!-- content suppressed --></password>
</add>
</input>
</nds>
[06/15/20 10:13:40.139]:sles15 ST:Remote Interface Driver: Document sent.
[06/15/20 10:13:40.139]:sles15 ST:Remote Interface Driver: Waiting for receive...
[06/15/20 10:13:40.392]:sles15 ST:Remote Interface Driver: Received
[06/15/20 10:13:40.392]:sles15 ST:
<nds dtdversion="2.0">
<source>
<product build="201907100943" version="4.8"/>
<contact/>
</source>
<output>
<status event-id="sles15#20200615141338#1#14:12bf4256-fbbf-4a25-821e-5642bf12bffb" level="error">Command Error: "/usr/sbin/useradd -m "rrawson rrawson rrawson"" failed with RC=3, response: useradd: invalid user name 'rrawson rrawson rrawson'</status>
</output>
</nds>

Re: LinuxUnix Driver

Hi!

You have three elements with loginName sent to the driver shim, so I guess the issue is in your policies before the driver shim.

Best regards

Marcus
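
The duplicate-attribute diagnosis in the reply above can be checked mechanically on a captured subscriber document. The following is an added example, not code from the thread or from the driver: `audit_add`, the `POSIX_NAME` pattern and the trimmed sample document are assumptions made for illustration, and the space-joined value mirrors what the trace shows reaching `useradd`.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a trimmed copy of the <add> document shown in the trace.
SAMPLE_XDS = """<nds dtdversion="4.0" ndsversion="8.x">
  <input>
    <add class-name="User" src-dn="\\PYTHIA\\data\\users\\IDM\\rrawson">
      <add-attr attr-name="loginName"><value type="string">rrawson</value></add-attr>
      <add-attr attr-name="Login Disabled"><value type="state">false</value></add-attr>
      <add-attr attr-name="loginName"><value type="string">rrawson</value></add-attr>
      <add-attr attr-name="loginName"><value type="string">rrawson</value></add-attr>
      <add-attr attr-name="Login Disabled"><value type="state">false</value></add-attr>
    </add>
  </input>
</nds>"""

# Assumption: a conservative POSIX-style account name rule, not the shim's own check.
POSIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def audit_add(xds_text, single_valued=("loginName",)):
    """Return one finding per <add> attribute that repeats or yields a bad name."""
    findings = []
    for add in ET.fromstring(xds_text).iter("add"):
        values = defaultdict(list)
        for attr in add.findall("add-attr"):
            for v in attr.findall("value"):
                values[attr.get("attr-name")].append((v.text or "").strip())
        for name in single_valued:
            vals = values.get(name, [])
            joined = " ".join(vals)  # the form seen in the useradd error in the trace
            valid = bool(POSIX_NAME.match(joined))
            if len(vals) > 1 or not valid:
                findings.append({
                    "src-dn": add.get("src-dn"),
                    "attr": name,
                    "count": len(vals),
                    "distinct": sorted(set(vals)),
                    "effective": joined,
                    "valid_name": valid,
                })
    return findings

if __name__ == "__main__":
    for finding in audit_add(SAMPLE_XDS):
        print(finding)
```

A finding with `count` above 1 and a single entry in `distinct` points at policies adding the same value repeatedly rather than at bad source data.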

Re: LinuxUnix Driver

Saw that, which is what I am trying to track down. It looks like it's related to the PCRS stuff being half required and half deprecated but still trying to track it down...

LinuxUnixAccount
unvalued
LinuxUnixGroup
users
{"ID":"rrawson"}
{"ID":"rrawson"}
CN=rrawson,OU=IDM,OU=users,O=data
{"ID":"unvalued"}
{"ID":"users"}

Re: LinuxUnix Driver

Hot on the trail now; working back to earlier in the trace:

src-dn="\PYTHIA\data\users\IDM\rrawson" src-entry-id="34208" timestamp="1592230418#220">
rrawson
1
\PYTHIA\system\driverset1\sles15\LinuxUnixGroup
UA
{"ID":"users"}
1
\PYTHIA\system\driverset1\sles15\LinuxUnixAccount
UA
{"ID":"unvalued"}
false
unvalued
users
...

So these are coming from one of the PCRS mapping tables.

And so the answer was: Disabling the two NOVLCOMPCRS policies. When I first imported the driver I didn't include those packages but I could not get the entitlement code map refresh to see the drivers without them, but with the packages in place the driver could not provision.

This is all very sloppy. This should have been cleaned up once PCRS became deprecated; the necessary mappings should have been in a package, or the PCRS policies should default to disabled if PCRS packages are required but should not be used. But I have a successful provision.

