gdrtx1977 Absent Member.

Product Edition="Evaluation" and driver hangs calling es:

We are running an IDM 4.5 environment and recently added a new server to our tree. The new server is also installed with IDM 4.5.0 and has been successfully added to the driver set running our other drivers. We attempted to move one of our null drivers from an old server to the new server but have been experiencing issues since the move. The driver starts normally but when certain rules are called that leverage ecmascript functions to perform advanced LDAP queries the driver hangs and the only way to recover is a restart of eDir. Stopping the driver from iManager does not succeed and using dxcmd appears to stop the driver but it doesn't really stop.

Below is what the driver log looks like for the rule in question:

[01/30/19 21:44:31.467]:ScheduledJob ST: Evaluating selection criteria for rule 'Set up LDAP parameters'.
[01/30/19 21:44:31.468]:ScheduledJob ST: Rule selected.
[01/30/19 21:44:31.468]:ScheduledJob ST: Applying rule 'Set up LDAP parameters'.
[01/30/19 21:44:31.468]:ScheduledJob ST: Action: do-set-local-variable("BindPassword",scope="policy",token-named-password("LdapPassword")).
[01/30/19 21:44:31.468]:ScheduledJob ST: arg-string(token-named-password("LdapPassword"))
[01/30/19 21:44:31.468]:ScheduledJob ST: token-named-password("LdapPassword")
[01/30/19 21:44:31.468]:ScheduledJob ST: Retrieving password value for named password 'LdapPassword'.
[01/30/19 21:44:31.477]:ScheduledJob ST: Token Value: "-- suppressed --".
[01/30/19 21:44:31.477]:ScheduledJob ST: Arg Value: "-- suppressed --".
[01/30/19 21:44:31.478]:ScheduledJob ST: Action: do-set-local-variable("LdapStorePass",scope="policy",token-named-password("LDAPTLSStorePass")).
[01/30/19 21:44:31.478]:ScheduledJob ST: arg-string(token-named-password("LDAPTLSStorePass"))
[01/30/19 21:44:31.478]:ScheduledJob ST: token-named-password("LDAPTLSStorePass")
[01/30/19 21:44:31.478]:ScheduledJob ST: Retrieving password value for named password 'LDAPTLSStorePass'.
[01/30/19 21:44:31.494]:ScheduledJob ST: Token Value: "-- suppressed --".
[01/30/19 21:44:31.494]:ScheduledJob ST: Arg Value: "-- suppressed --".
[01/30/19 21:44:31.495]:ScheduledJob ST: Action: do-set-local-variable("vDisabledAttr",scope="policy","cn,loginExpirationTime").
[01/30/19 21:44:31.495]:ScheduledJob ST: arg-string("cn,loginExpirationTime")
[01/30/19 21:44:31.495]:ScheduledJob ST: token-text("cn,loginExpirationTime")
[01/30/19 21:44:31.495]:ScheduledJob ST: Arg Value: "cn,loginExpirationTime".
[01/30/19 21:44:31.495]:ScheduledJob ST: Evaluating selection criteria for rule 'Built Disabled List-users'.
[01/30/19 21:44:31.495]:ScheduledJob ST: (if-operation equal "trigger") = TRUE.
[01/30/19 21:44:31.496]:ScheduledJob ST: (if-op-property 'source' equal "DisableExpired") = TRUE.
[01/30/19 21:44:31.496]:ScheduledJob ST: Rule selected.
[01/30/19 21:44:31.496]:ScheduledJob ST: Applying rule 'Built Disabled List-users'.
[01/30/19 21:44:31.496]:ScheduledJob ST: Action: do-set-local-variable("SearchBase",scope="policy","ou=users,o=grainger").
[01/30/19 21:44:31.496]:ScheduledJob ST: arg-string("ou=users,o=data")
[01/30/19 21:44:31.496]:ScheduledJob ST: token-text("ou=users,o=data")
[01/30/19 21:44:31.496]:ScheduledJob ST: Arg Value: "ou=users,o=data".
[01/30/19 21:44:31.497]:ScheduledJob ST: Action: do-set-local-variable("filter",scope="policy","(&"+"(loginExpirationTime<="+token-local-variable("datetodayfmtdZ")+")"+"(employeeStatus=A)"+")").
[01/30/19 21:44:31.497]:ScheduledJob ST: arg-string("(&"+"(loginExpirationTime<="+token-local-variable("datetodayfmtdZ")+")"+"(employeeStatus=A)"+")")
[01/30/19 21:44:31.497]:ScheduledJob ST: token-text("(&")
[01/30/19 21:44:31.497]:ScheduledJob ST: token-text("(loginExpirationTime<=")
[01/30/19 21:44:31.497]:ScheduledJob ST: token-local-variable("datetodayfmtdZ")
[01/30/19 21:44:31.498]:ScheduledJob ST: Token Value: "20190131034431Z".
[01/30/19 21:44:31.498]:ScheduledJob ST: token-text(")")
[01/30/19 21:44:31.498]:ScheduledJob ST: token-text("(employeeStatus=A)")
[01/30/19 21:44:31.498]:ScheduledJob ST: token-text(")")
[01/30/19 21:44:31.498]:ScheduledJob ST: Arg Value: "(&(loginExpirationTime<=20190131034431Z)(employeeStatus=A))".
[01/30/19 21:44:31.498]:ScheduledJob ST: Action: do-set-local-variable("LogFile",scope="policy","/idtm/Logs/JobLogs/DisableExpiredUsers.log").
[01/30/19 21:44:31.498]:ScheduledJob ST: arg-string("/idtm/Logs/JobLogs/DisableExpiredUsers.log")
[01/30/19 21:44:31.499]:ScheduledJob ST: token-text("/idtm/Logs/JobLogs/DisableExpiredUsers.log")
[01/30/19 21:44:31.499]:ScheduledJob ST: Arg Value: "/idtm/Logs/JobLogs/DisableExpiredUsers.log".
[01/30/19 21:44:31.499]:ScheduledJob ST: Action: do-trace-message(level="0","Filter="+token-local-variable("filter")).
[01/30/19 21:44:31.499]:ScheduledJob ST: arg-string("Filter="+token-local-variable("filter"))
[01/30/19 21:44:31.500]:ScheduledJob ST: token-text("Filter=")
[01/30/19 21:44:31.500]:ScheduledJob ST: token-local-variable("filter")
[01/30/19 21:44:31.500]:ScheduledJob ST: Token Value: "(&(loginExpirationTime<=20190131034431Z)(employeeStatus=A))".
[01/30/19 21:44:31.500]:ScheduledJob ST: Arg Value: "Filter=(&(loginExpirationTime<=20190131034431Z)(employeeStatus=A))".
[01/30/19 21:44:31.500]:ScheduledJob ST:Filter=(&(loginExpirationTime<=20190131034431Z)(employeeStatus=A))
[01/30/19 21:44:31.501]:ScheduledJob ST: Action: do-set-local-variable("ExpiredList",scope="policy",arg-node-set(token-xpath("es:ldapSearch('~LdapServer~','389','false','/idtm/ldapkeystore-new.jks',$LdapStorePass,'CN=zPWDNotify,OU=srv,OU=chi,O=data',$BindPassword,$SearchBase,'sub',$filter,$vDisabledAttr,'0')"))).
[01/30/19 21:44:31.501]:ScheduledJob ST: arg-node-set(token-xpath("es:ldapSearch('~LdapServer~','389','false','/idtm/ldapkeystore-new.jks',$LdapStorePass,'CN=zPWDNotify,OU=srv,OU=chi,O=data',$BindPassword,$SearchBase,'sub',$filter,$vDisabledAttr,'0')"))
[01/30/19 21:44:31.502]:ScheduledJob ST: token-xpath("es:ldapSearch('prlidvap013.prod-sap.ourname.com','389','false','/idtm/ldapkeystore-new.jks',$LdapStorePass,'CN=zPWDNotify,OU=srv,OU=chi,O=data',$BindPassword,$SearchBase,'sub',$filter,$vDisabledAttr,'0')")

The ecmascript has not changed and is present. The keystore file exists in the expected path and the proper password has been set in the driver config. The LDAP bind account and password have been verified to be correct. There is no explanation found in the logs for this behavior as we have let it run for multiple days with no progress. It is not an index issue, the driver is running on the same server it is trying to query so it is not a routing or firewall problem.

The only thing we have found so far is that the driver on the new server shows this:
<product edition="Evaluation" version="4.5.0.0">DirXML</product>

product edition of "Evaluation" and the driver log from the old server, where it works fine, shows a product edition of "Advanced"

Naturally one might assume that the Eval designation would indicate that the IDM 4.5 engine is not licensed in that driver set but the license shows and appears valid when viewing the licensing information in iManager. Is there some type of product limitation if the driver reports as Evaluation that would prevent it from using the ecmascript logic that works on the other server? Why would the driver on the new server running the same IDM version as the old server show Evaluation? How do I get it to report as Advanced edition too?

Thanks in advance.
Knowledge Partner

Re: Product Edition="Evaluation" and driver hangs calling es:

I'm not sure the "Evaluation" edition is actually causing ldapsearch to fail.
What do you see in the LDAP server trace? Is the search executed at all, if so:
does it complete successfully? At which step in the ECMAScript does it hang
exactly?

You can trace from ECMA for a step-by-step analysis like this:

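// Create a tracer; "ldapSearch" is the header string for its trace lines.
var tracer = new Packages.com.novell.nds.dirxml.driver.Trace("ldapSearch");
// message: text to write; level: trace level at which the message is shown.
tracer.trace(message, level);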

If you are using the version that comes with the PWNotify driver, just up the
trace level to 10, as that's already built in.

--
http://www.is4it.de/en/solution/identity-access-management/

Knowledge Partner

Re: Product Edition="Evaluation" and driver hangs calling es

Guessing, your ldapsearch is probably using SSL / TLS, and the connection is failing at the handshake step. Make sure all of the correct certificates are imported into the engine's keystore (cacerts).
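
The step-by-step tracing suggested in the first reply, written out as an added example that is not part of the thread or of the PWNotify script: each stage of a search function is wrapped so that a hang shows up as a BEGIN line with no matching END, and secret arguments are masked before they reach the trace. The function names, stage names and the in-memory tracer are assumptions; inside the engine the tracer would be the `Trace` object from that reply.

```javascript
// Added example. makeMemoryTracer, redact, makeStepTracer and findOpenStep are
// hypothetical helper names; only trace(message, level) comes from the thread.
// Stand-in tracer for running outside the IDM engine (collects lines in memory).
function makeMemoryTracer() {
  var lines = [];
  return {
    lines: lines,
    trace: function (message, level) { lines.push(level + ":" + message); }
  };
}

// Mask secret values so bind and keystore passwords never reach the trace file.
function redact(args, secretKeys) {
  var out = [];
  for (var key in args) {
    if (!Object.prototype.hasOwnProperty.call(args, key)) continue;
    var secret = secretKeys.indexOf(key) !== -1;
    out.push(key + "=" + (secret ? "-- suppressed --" : String(args[key])));
  }
  return out.join(", ");
}

// Wrap one stage: trace BEGIN before the call and END (or FAIL) after it.
// A stage that hangs leaves a BEGIN line with no END/FAIL behind it.
function makeStepTracer(tracer, level, secretKeys) {
  return function step(name, args, fn) {
    tracer.trace("BEGIN " + name + " [" + redact(args, secretKeys) + "]", level);
    try {
      var result = fn();
      tracer.trace("END " + name, level);
      return result;
    } catch (e) {
      tracer.trace("FAIL " + name + ": " + e, level);
      throw e;
    }
  };
}

// Scan trace lines and return the stage that began but never finished, or null.
function findOpenStep(lines) {
  var open = [];
  for (var i = 0; i < lines.length; i++) {
    var m = /(BEGIN|END|FAIL) ([A-Za-z]+)/.exec(lines[i]);
    if (!m) continue;
    if (m[1] === "BEGIN") open.push(m[2]);
    else if (open.length && open[open.length - 1] === m[2]) open.pop();
  }
  return open.length ? open[open.length - 1] : null;
}
```

Wrapping the keystore load, connect, bind and search stages separately (stage names are an assumption about how the script is organised) makes the last BEGIN line in the driver trace name the stage that never returned.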