Anonymous_User Absent Member.
Absent Member.
354 views

Resource request activity and resource with trailing space in CN

Hello

Identity Manager Roles Based Provisioning Module Version 4.0.2 Patch D
Build Revision 41026

LDAP Agent for NetIQ eDirectory 8.8 SP8 (20802.09)

I have some resources that were created with RMA and since they have
very long names in AD RMA created some resources with a trailing space
in the CN.

When we try to use the resource request activity we are getting errors
that it can't find the resource. If we rename it so it's named without a
trailing space it works, but it should work anyway since RMA created it.
And I'm not sure if it is supported to rename resources via LDAP.

This is what we see in the LDAP trace.
For some reason there are three \\\ in the query.

12:46:04 437D7700 LDAP: DoSearch on connection 0x801d070
12:46:04 437D7700 LDAP: Search request:
base:
"cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectClass=nrfResource))"
attribute: "nrfEntitlementRef"
attribute: "nrfLocalizedDescrs"
attribute: "nrfCategoryKey"
attribute: "nrfLocalizedNames"
attribute: "nrfResourceParms"
attribute: "srvprvHideUser"
attribute: "srvprvHideAttributes"
attribute: "modifyTimeStamp"
attribute: "objectClass"
12:46:04 437D7700 LDAP: nds_back_search: Search Control OID
2.16.840.1.113730.3.4.2
12:46:04 437D7700 LDAP: Sending search result entry "cn=CN_Admin XXXXXXX
YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
to connection 0x801d070
12:46:04 437D7700 LDAP: Sending search result entry "cn=cn=CN_Admin
XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\ \
,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
to connection 0x801d070
12:46:04 437D7700 LDAP: Sending operation result 0:"":"" to connection
0x801d070
12:46:08 43CDC700 LDAP: DoSearch on connection 0x801b460
12:46:08 43CDC700 LDAP: Search request:
base: "cn=CN_Admin XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ
OOOOOOO_OU_UUUUUU\\\
,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
scope:0 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
attribute: "nrfApprovers"
attribute: "nrfRevokeQuorum"
attribute: "nrfCategoryKey"
attribute: "nrfAllowAprOveride"
attribute: "nrfRequestDef"
attribute: "nrfResourceParms"
attribute: "nrfRevokeApprovers"
attribute: "nrfQuorum"
attribute: "nrfRevokeRequestDef"
attribute: "nrfEntitlementRef"
attribute: "nrfLocalizedDescrs"
attribute: "nrfAllowMulti"
attribute: "owner"
attribute: "nrfLocalizedNames"
attribute: "nrfActive"
attribute: "srvprvHideUser"
attribute: "srvprvHideAttributes"
attribute: "modifyTimeStamp"
attribute: "objectClass"
12:46:08 43CDC700 LDAP: nds_back_search: Search Control OID
2.16.840.1.113730.3.4.2
12:46:08 43CDC700 LDAP: Cannot resolve NDS name 'CN=CN_Admin XXXXXXX
YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
..CN=ResourceDefs.CN=RoleConfig.CN=AppConfig.CN=UA.CN=DriverSet.O=System'
in ResolveAndAuthNDSName, err = no such entry (-601)
12:46:08 43CDC700 LDAP: Base "cn=CN_Admin XXXXXXX
YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\\\
,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
not found, err = no such entry (-601)
12:46:08 43CDC700 LDAP: Sending operation result
32:"cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System":"NDS
error: no such entry (-601)" to connection 0x801b460
Labels (1)
0 Likes
17 Replies
Anonymous_User Absent Member.
Absent Member.

Re: Resource request activity and resource with trailing space inCN

On 03/18/2014 11:21 AM, alekz wrote:
> Hello
>
> Identity Manager Roles Based Provisioning Module Version 4.0.2 Patch D
> Build Revision 41026
>
> LDAP Agent for NetIQ eDirectory 8.8 SP8 (20802.09)
>
> I have some resources that were created with RMA and since they have
> very long names in AD RMA created some resources with a trailing space
> in the CN.
>
> When we try to use the resource request activity we are getting errors
> that it can't find the resource. If we rename it so it's named without a
> trailing space it works, but it should work anyway since RMA created it.
> And I'm not sure if it is supported to rename resources via LDAP.
>
> This is what we see in the LDAP trace.
> For some reason there are three \\\ in the query.
>
> 12:46:04 437D7700 LDAP: DoSearch on connection 0x801d070
> 12:46:04 437D7700 LDAP: Search request:
> base:
> "cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
> scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
> filter: "(&(objectClass=nrfResource))"
> attribute: "nrfEntitlementRef"
> attribute: "nrfLocalizedDescrs"
> attribute: "nrfCategoryKey"
> attribute: "nrfLocalizedNames"
> attribute: "nrfResourceParms"
> attribute: "srvprvHideUser"
> attribute: "srvprvHideAttributes"
> attribute: "modifyTimeStamp"
> attribute: "objectClass"
> 12:46:04 437D7700 LDAP: nds_back_search: Search Control OID
> 2.16.840.1.113730.3.4.2
> 12:46:04 437D7700 LDAP: Sending search result entry "cn=CN_Admin XXXXXXX
> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
> to connection 0x801d070
> 12:46:04 437D7700 LDAP: Sending search result entry "cn=cn=CN_Admin
> XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\ \
> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
> to connection 0x801d070
> 12:46:04 437D7700 LDAP: Sending operation result 0:"":"" to connection
> 0x801d070
> 12:46:08 43CDC700 LDAP: DoSearch on connection 0x801b460
> 12:46:08 43CDC700 LDAP: Search request:
> base: "cn=CN_Admin XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ
> OOOOOOO_OU_UUUUUU\\\
> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
> scope:0 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
> filter: "(objectClass=*)"
> attribute: "nrfApprovers"
> attribute: "nrfRevokeQuorum"
> attribute: "nrfCategoryKey"
> attribute: "nrfAllowAprOveride"
> attribute: "nrfRequestDef"
> attribute: "nrfResourceParms"
> attribute: "nrfRevokeApprovers"
> attribute: "nrfQuorum"
> attribute: "nrfRevokeRequestDef"
> attribute: "nrfEntitlementRef"
> attribute: "nrfLocalizedDescrs"
> attribute: "nrfAllowMulti"
> attribute: "owner"
> attribute: "nrfLocalizedNames"
> attribute: "nrfActive"
> attribute: "srvprvHideUser"
> attribute: "srvprvHideAttributes"
> attribute: "modifyTimeStamp"
> attribute: "objectClass"
> 12:46:08 43CDC700 LDAP: nds_back_search: Search Control OID
> 2.16.840.1.113730.3.4.2
> 12:46:08 43CDC700 LDAP: Cannot resolve NDS name 'CN=CN_Admin XXXXXXX
> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
> ..CN=ResourceDefs.CN=RoleConfig.CN=AppConfig.CN=UA.CN=DriverSet.O=System'
> in ResolveAndAuthNDSName, err = no such entry (-601)
> 12:46:08 43CDC700 LDAP: Base "cn=CN_Admin XXXXXXX
> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\\\
> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
> not found, err = no such entry (-601)
> 12:46:08 43CDC700 LDAP: Sending operation result
> 32:"cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System":"NDS
> error: no such entry (-601)" to connection 0x801b460
>

Greetings,
What version of RMA was used?

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Resource request activity and resource with trailing space inCN

On 2014-03-18 21:09, Steven Williams wrote:
> On 03/18/2014 11:21 AM, alekz wrote:
>> Hello
>>
>> Identity Manager Roles Based Provisioning Module Version 4.0.2 Patch D
>> Build Revision 41026
>>
>> LDAP Agent for NetIQ eDirectory 8.8 SP8 (20802.09)
>>
>> I have some resources that were created with RMA and since they have
>> very long names in AD RMA created some resources with a trailing space
>> in the CN.
>>
>> When we try to use the resource request activity we are getting errors
>> that it can't find the resource. If we rename it so it's named without a
>> trailing space it works, but it should work anyway since RMA created it.
>> And I'm not sure if it is supported to rename resources via LDAP.
>>
>> This is what we see in the LDAP trace.
>> For some reason there are three \\\ in the query.
>>
>> 12:46:04 437D7700 LDAP: DoSearch on connection 0x801d070
>> 12:46:04 437D7700 LDAP: Search request:
>> base:
>> "cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>> scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
>> filter: "(&(objectClass=nrfResource))"
>> attribute: "nrfEntitlementRef"
>> attribute: "nrfLocalizedDescrs"
>> attribute: "nrfCategoryKey"
>> attribute: "nrfLocalizedNames"
>> attribute: "nrfResourceParms"
>> attribute: "srvprvHideUser"
>> attribute: "srvprvHideAttributes"
>> attribute: "modifyTimeStamp"
>> attribute: "objectClass"
>> 12:46:04 437D7700 LDAP: nds_back_search: Search Control OID
>> 2.16.840.1.113730.3.4.2
>> 12:46:04 437D7700 LDAP: Sending search result entry "cn=CN_Admin XXXXXXX
>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>> to connection 0x801d070
>> 12:46:04 437D7700 LDAP: Sending search result entry "cn=cn=CN_Admin
>> XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\ \
>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>> to connection 0x801d070
>> 12:46:04 437D7700 LDAP: Sending operation result 0:"":"" to connection
>> 0x801d070
>> 12:46:08 43CDC700 LDAP: DoSearch on connection 0x801b460
>> 12:46:08 43CDC700 LDAP: Search request:
>> base: "cn=CN_Admin XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ
>> OOOOOOO_OU_UUUUUU\\\
>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>> scope:0 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
>> filter: "(objectClass=*)"
>> attribute: "nrfApprovers"
>> attribute: "nrfRevokeQuorum"
>> attribute: "nrfCategoryKey"
>> attribute: "nrfAllowAprOveride"
>> attribute: "nrfRequestDef"
>> attribute: "nrfResourceParms"
>> attribute: "nrfRevokeApprovers"
>> attribute: "nrfQuorum"
>> attribute: "nrfRevokeRequestDef"
>> attribute: "nrfEntitlementRef"
>> attribute: "nrfLocalizedDescrs"
>> attribute: "nrfAllowMulti"
>> attribute: "owner"
>> attribute: "nrfLocalizedNames"
>> attribute: "nrfActive"
>> attribute: "srvprvHideUser"
>> attribute: "srvprvHideAttributes"
>> attribute: "modifyTimeStamp"
>> attribute: "objectClass"
>> 12:46:08 43CDC700 LDAP: nds_back_search: Search Control OID
>> 2.16.840.1.113730.3.4.2
>> 12:46:08 43CDC700 LDAP: Cannot resolve NDS name 'CN=CN_Admin XXXXXXX
>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
>> ..CN=ResourceDefs.CN=RoleConfig.CN=AppConfig.CN=UA.CN=DriverSet.O=System'
>> in ResolveAndAuthNDSName, err = no such entry (-601)
>> 12:46:08 43CDC700 LDAP: Base "cn=CN_Admin XXXXXXX
>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\\\
>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>> not found, err = no such entry (-601)
>> 12:46:08 43CDC700 LDAP: Sending operation result
>> 32:"cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System":"NDS
>>
>> error: no such entry (-601)" to connection 0x801b460
>>

> Greetings,
> What version of RMA was used?
>


Role Mapping Administrator - Build Information

Version: 4.0.2
Built By: hudson
Build Date: 07:24 AM June 11, 2012
Build Revision: 57068


-alekz
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Resource request activity and resource with trailing space inCN

On 03/18/2014 06:26 PM, alekz wrote:
> On 2014-03-18 21:09, Steven Williams wrote:
>> On 03/18/2014 11:21 AM, alekz wrote:
>>> Hello
>>>
>>> Identity Manager Roles Based Provisioning Module Version 4.0.2 Patch D
>>> Build Revision 41026
>>>
>>> LDAP Agent for NetIQ eDirectory 8.8 SP8 (20802.09)
>>>
>>> I have some resources that were created with RMA and since they have
>>> very long names in AD RMA created some resources with a trailing space
>>> in the CN.
>>>
>>> When we try to use the resource request activity we are getting errors
>>> that it can't find the resource. If we rename it so it's named without a
>>> trailing space it works, but it should work anyway since RMA created it.
>>> And I'm not sure if it is supported to rename resources via LDAP.
>>>
>>> This is what we see in the LDAP trace.
>>> For some reason there are three \\\ in the query.
>>>
>>> 12:46:04 437D7700 LDAP: DoSearch on connection 0x801d070
>>> 12:46:04 437D7700 LDAP: Search request:
>>> base:
>>> "cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>> scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
>>> filter: "(&(objectClass=nrfResource))"
>>> attribute: "nrfEntitlementRef"
>>> attribute: "nrfLocalizedDescrs"
>>> attribute: "nrfCategoryKey"
>>> attribute: "nrfLocalizedNames"
>>> attribute: "nrfResourceParms"
>>> attribute: "srvprvHideUser"
>>> attribute: "srvprvHideAttributes"
>>> attribute: "modifyTimeStamp"
>>> attribute: "objectClass"
>>> 12:46:04 437D7700 LDAP: nds_back_search: Search Control OID
>>> 2.16.840.1.113730.3.4.2
>>> 12:46:04 437D7700 LDAP: Sending search result entry "cn=CN_Admin XXXXXXX
>>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>> to connection 0x801d070
>>> 12:46:04 437D7700 LDAP: Sending search result entry "cn=cn=CN_Admin
>>> XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\ \
>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>> to connection 0x801d070
>>> 12:46:04 437D7700 LDAP: Sending operation result 0:"":"" to connection
>>> 0x801d070
>>> 12:46:08 43CDC700 LDAP: DoSearch on connection 0x801b460
>>> 12:46:08 43CDC700 LDAP: Search request:
>>> base: "cn=CN_Admin XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ
>>> OOOOOOO_OU_UUUUUU\\\
>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>> scope:0 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
>>> filter: "(objectClass=*)"
>>> attribute: "nrfApprovers"
>>> attribute: "nrfRevokeQuorum"
>>> attribute: "nrfCategoryKey"
>>> attribute: "nrfAllowAprOveride"
>>> attribute: "nrfRequestDef"
>>> attribute: "nrfResourceParms"
>>> attribute: "nrfRevokeApprovers"
>>> attribute: "nrfQuorum"
>>> attribute: "nrfRevokeRequestDef"
>>> attribute: "nrfEntitlementRef"
>>> attribute: "nrfLocalizedDescrs"
>>> attribute: "nrfAllowMulti"
>>> attribute: "owner"
>>> attribute: "nrfLocalizedNames"
>>> attribute: "nrfActive"
>>> attribute: "srvprvHideUser"
>>> attribute: "srvprvHideAttributes"
>>> attribute: "modifyTimeStamp"
>>> attribute: "objectClass"
>>> 12:46:08 43CDC700 LDAP: nds_back_search: Search Control OID
>>> 2.16.840.1.113730.3.4.2
>>> 12:46:08 43CDC700 LDAP: Cannot resolve NDS name 'CN=CN_Admin XXXXXXX
>>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
>>> ..CN=ResourceDefs.CN=RoleConfig.CN=AppConfig.CN=UA.CN=DriverSet.O=System'
>>> in ResolveAndAuthNDSName, err = no such entry (-601)
>>> 12:46:08 43CDC700 LDAP: Base "cn=CN_Admin XXXXXXX
>>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\\\
>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>> not found, err = no such entry (-601)
>>> 12:46:08 43CDC700 LDAP: Sending operation result
>>> 32:"cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System":"NDS
>>>
>>> error: no such entry (-601)" to connection 0x801b460
>>>

>> Greetings,
>> What version of RMA was used?
>>

>
> Role Mapping Administrator - Build Information
>
> Version: 4.0.2
> Built By: hudson
> Build Date: 07:24 AM June 11, 2012
> Build Revision: 57068
>
>
> -alekz
>

Greetings,
There is a limit of 64 characters (including spaces) for the ID
value of a Role or a Resource (the cn entry) for within the User
Application code base.
Is the value you provided for the cn above what is actually is in
the system?

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Resource request activity and resource with trailing space inCN

On 2014-03-19 01:42, Steven Williams wrote:
> On 03/18/2014 06:26 PM, alekz wrote:
>> On 2014-03-18 21:09, Steven Williams wrote:
>>> On 03/18/2014 11:21 AM, alekz wrote:
>>>> Hello
>>>>
>>>> Identity Manager Roles Based Provisioning Module Version 4.0.2 Patch D
>>>> Build Revision 41026
>>>>
>>>> LDAP Agent for NetIQ eDirectory 8.8 SP8 (20802.09)
>>>>
>>>> I have some resources that were created with RMA and since they have
>>>> very long names in AD RMA created some resources with a trailing space
>>>> in the CN.
>>>>
>>>> When we try to use the resource request activity we are getting errors
>>>> that it can't find the resource. If we rename it so it's named
>>>> without a
>>>> trailing space it works, but it should work anyway since RMA created
>>>> it.
>>>> And I'm not sure if it is supported to rename resources via LDAP.
>>>>
>>>> This is what we see in the LDAP trace.
>>>> For some reason there are three \\\ in the query.
>>>>
>>>> 12:46:04 437D7700 LDAP: DoSearch on connection 0x801d070
>>>> 12:46:04 437D7700 LDAP: Search request:
>>>> base:
>>>> "cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>
>>>> scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
>>>> filter: "(&(objectClass=nrfResource))"
>>>> attribute: "nrfEntitlementRef"
>>>> attribute: "nrfLocalizedDescrs"
>>>> attribute: "nrfCategoryKey"
>>>> attribute: "nrfLocalizedNames"
>>>> attribute: "nrfResourceParms"
>>>> attribute: "srvprvHideUser"
>>>> attribute: "srvprvHideAttributes"
>>>> attribute: "modifyTimeStamp"
>>>> attribute: "objectClass"
>>>> 12:46:04 437D7700 LDAP: nds_back_search: Search Control OID
>>>> 2.16.840.1.113730.3.4.2
>>>> 12:46:04 437D7700 LDAP: Sending search result entry "cn=CN_Admin
>>>> XXXXXXX
>>>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
>>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>
>>>> to connection 0x801d070
>>>> 12:46:04 437D7700 LDAP: Sending search result entry "cn=cn=CN_Admin
>>>> XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\ \
>>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>
>>>> to connection 0x801d070
>>>> 12:46:04 437D7700 LDAP: Sending operation result 0:"":"" to connection
>>>> 0x801d070
>>>> 12:46:08 43CDC700 LDAP: DoSearch on connection 0x801b460
>>>> 12:46:08 43CDC700 LDAP: Search request:
>>>> base: "cn=CN_Admin XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ
>>>> OOOOOOO_OU_UUUUUU\\\
>>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>
>>>> scope:0 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
>>>> filter: "(objectClass=*)"
>>>> attribute: "nrfApprovers"
>>>> attribute: "nrfRevokeQuorum"
>>>> attribute: "nrfCategoryKey"
>>>> attribute: "nrfAllowAprOveride"
>>>> attribute: "nrfRequestDef"
>>>> attribute: "nrfResourceParms"
>>>> attribute: "nrfRevokeApprovers"
>>>> attribute: "nrfQuorum"
>>>> attribute: "nrfRevokeRequestDef"
>>>> attribute: "nrfEntitlementRef"
>>>> attribute: "nrfLocalizedDescrs"
>>>> attribute: "nrfAllowMulti"
>>>> attribute: "owner"
>>>> attribute: "nrfLocalizedNames"
>>>> attribute: "nrfActive"
>>>> attribute: "srvprvHideUser"
>>>> attribute: "srvprvHideAttributes"
>>>> attribute: "modifyTimeStamp"
>>>> attribute: "objectClass"
>>>> 12:46:08 43CDC700 LDAP: nds_back_search: Search Control OID
>>>> 2.16.840.1.113730.3.4.2
>>>> 12:46:08 43CDC700 LDAP: Cannot resolve NDS name 'CN=CN_Admin XXXXXXX
>>>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
>>>> ..CN=ResourceDefs.CN=RoleConfig.CN=AppConfig.CN=UA.CN=DriverSet.O=System'
>>>>
>>>> in ResolveAndAuthNDSName, err = no such entry (-601)
>>>> 12:46:08 43CDC700 LDAP: Base "cn=CN_Admin XXXXXXX
>>>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\\\
>>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>
>>>> not found, err = no such entry (-601)
>>>> 12:46:08 43CDC700 LDAP: Sending operation result
>>>> 32:"cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System":"NDS
>>>>
>>>>
>>>> error: no such entry (-601)" to connection 0x801b460
>>>>
>>> Greetings,
>>> What version of RMA was used?
>>>

>>
>> Role Mapping Administrator - Build Information
>>
>> Version: 4.0.2
>> Built By: hudson
>> Build Date: 07:24 AM June 11, 2012
>> Build Revision: 57068
>>
>>
>> -alekz
>>

> Greetings,
> There is a limit of 64 characters (including spaces) for the ID
> value of a Role or a Resource (the cn entry) for within the User
> Application code base.
> Is the value you provided for the cn above what is actually is in
> the system?
>

The actual CN value is 64 characters including the space at the end.
This is the anonymized value. Without the '.

'CN_Admin 12345678 iiiiiiiii_OU_Administrativa Grupper_OU_Lokala '

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Resource request activity and resource with trailing space inCN

On 03/19/2014 06:27 AM, alekz wrote:
> On 2014-03-19 01:42, Steven Williams wrote:
>> On 03/18/2014 06:26 PM, alekz wrote:
>>> On 2014-03-18 21:09, Steven Williams wrote:
>>>> On 03/18/2014 11:21 AM, alekz wrote:
>>>>> Hello
>>>>>
>>>>> Identity Manager Roles Based Provisioning Module Version 4.0.2 Patch D
>>>>> Build Revision 41026
>>>>>
>>>>> LDAP Agent for NetIQ eDirectory 8.8 SP8 (20802.09)
>>>>>
>>>>> I have some resources that were created with RMA and since they have
>>>>> very long names in AD RMA created some resources with a trailing space
>>>>> in the CN.
>>>>>
>>>>> When we try to use the resource request activity we are getting errors
>>>>> that it can't find the resource. If we rename it so it's named
>>>>> without a
>>>>> trailing space it works, but it should work anyway since RMA created
>>>>> it.
>>>>> And I'm not sure if it is supported to rename resources via LDAP.
>>>>>
>>>>> This is what we see in the LDAP trace.
>>>>> For some reason there are three \\\ in the query.
>>>>>
>>>>> 12:46:04 437D7700 LDAP: DoSearch on connection 0x801d070
>>>>> 12:46:04 437D7700 LDAP: Search request:
>>>>> base:
>>>>> "cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>>
>>>>> scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
>>>>> filter: "(&(objectClass=nrfResource))"
>>>>> attribute: "nrfEntitlementRef"
>>>>> attribute: "nrfLocalizedDescrs"
>>>>> attribute: "nrfCategoryKey"
>>>>> attribute: "nrfLocalizedNames"
>>>>> attribute: "nrfResourceParms"
>>>>> attribute: "srvprvHideUser"
>>>>> attribute: "srvprvHideAttributes"
>>>>> attribute: "modifyTimeStamp"
>>>>> attribute: "objectClass"
>>>>> 12:46:04 437D7700 LDAP: nds_back_search: Search Control OID
>>>>> 2.16.840.1.113730.3.4.2
>>>>> 12:46:04 437D7700 LDAP: Sending search result entry "cn=CN_Admin
>>>>> XXXXXXX
>>>>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
>>>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>>
>>>>> to connection 0x801d070
>>>>> 12:46:04 437D7700 LDAP: Sending search result entry "cn=cn=CN_Admin
>>>>> XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\ \
>>>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>>
>>>>> to connection 0x801d070
>>>>> 12:46:04 437D7700 LDAP: Sending operation result 0:"":"" to connection
>>>>> 0x801d070
>>>>> 12:46:08 43CDC700 LDAP: DoSearch on connection 0x801b460
>>>>> 12:46:08 43CDC700 LDAP: Search request:
>>>>> base: "cn=CN_Admin XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ
>>>>> OOOOOOO_OU_UUUUUU\\\
>>>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>>
>>>>> scope:0 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
>>>>> filter: "(objectClass=*)"
>>>>> attribute: "nrfApprovers"
>>>>> attribute: "nrfRevokeQuorum"
>>>>> attribute: "nrfCategoryKey"
>>>>> attribute: "nrfAllowAprOveride"
>>>>> attribute: "nrfRequestDef"
>>>>> attribute: "nrfResourceParms"
>>>>> attribute: "nrfRevokeApprovers"
>>>>> attribute: "nrfQuorum"
>>>>> attribute: "nrfRevokeRequestDef"
>>>>> attribute: "nrfEntitlementRef"
>>>>> attribute: "nrfLocalizedDescrs"
>>>>> attribute: "nrfAllowMulti"
>>>>> attribute: "owner"
>>>>> attribute: "nrfLocalizedNames"
>>>>> attribute: "nrfActive"
>>>>> attribute: "srvprvHideUser"
>>>>> attribute: "srvprvHideAttributes"
>>>>> attribute: "modifyTimeStamp"
>>>>> attribute: "objectClass"
>>>>> 12:46:08 43CDC700 LDAP: nds_back_search: Search Control OID
>>>>> 2.16.840.1.113730.3.4.2
>>>>> 12:46:08 43CDC700 LDAP: Cannot resolve NDS name 'CN=CN_Admin XXXXXXX
>>>>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
>>>>> ..CN=ResourceDefs.CN=RoleConfig.CN=AppConfig.CN=UA.CN=DriverSet.O=System'
>>>>>
>>>>> in ResolveAndAuthNDSName, err = no such entry (-601)
>>>>> 12:46:08 43CDC700 LDAP: Base "cn=CN_Admin XXXXXXX
>>>>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\\\
>>>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>>
>>>>> not found, err = no such entry (-601)
>>>>> 12:46:08 43CDC700 LDAP: Sending operation result
>>>>> 32:"cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System":"NDS
>>>>>
>>>>>
>>>>> error: no such entry (-601)" to connection 0x801b460
>>>>>
>>>> Greetings,
>>>> What version of RMA was used?
>>>>
>>>
>>> Role Mapping Administrator - Build Information
>>>
>>> Version: 4.0.2
>>> Built By: hudson
>>> Build Date: 07:24 AM June 11, 2012
>>> Build Revision: 57068
>>>
>>>
>>> -alekz
>>>

>> Greetings,
>> There is a limit of 64 characters (including spaces) for the ID
>> value of a Role or a Resource (the cn entry) for within the User
>> Application code base.
>> Is the value you provided for the cn above what is actually is in
>> the system?
>>

> The actual CN value is 64 characters including the space at the end.
> This is the anonymized value. Without the '.
>
> 'CN_Admin 12345678 iiiiiiiii_OU_Administrativa Grupper_OU_Lokala'
>

Greetings,
I have tried a number of different ways and can not get an object to
be created in eDirectory with a trailing space. I will see if I can
create an set-up that will allow RMA to create a similar cn.
Do you have any rules or custom properties being utilized in RMA?

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Resource request activity and resource with trailing space inCN

On 2014-03-19 12:28, Steven Williams wrote:
> On 03/19/2014 06:27 AM, alekz wrote:
>> On 2014-03-19 01:42, Steven Williams wrote:
>>> On 03/18/2014 06:26 PM, alekz wrote:
>>>> On 2014-03-18 21:09, Steven Williams wrote:
>>>>> On 03/18/2014 11:21 AM, alekz wrote:
>>>>>> Hello
>>>>>>
>>>>>> Identity Manager Roles Based Provisioning Module Version 4.0.2
>>>>>> Patch D
>>>>>> Build Revision 41026
>>>>>>
>>>>>> LDAP Agent for NetIQ eDirectory 8.8 SP8 (20802.09)
>>>>>>
>>>>>> I have some resources that were created with RMA and since they have
>>>>>> very long names in AD RMA created some resources with a trailing
>>>>>> space
>>>>>> in the CN.
>>>>>>
>>>>>> When we try to use the resource request activity we are getting
>>>>>> errors
>>>>>> that it can't find the resource. If we rename it so it's named
>>>>>> without a
>>>>>> trailing space it works, but it should work anyway since RMA created
>>>>>> it.
>>>>>> And I'm not sure if it is supported to rename resources via LDAP.
>>>>>>
>>>>>> This is what we see in the LDAP trace.
>>>>>> For some reason there are three \\\ in the query.
>>>>>>
>>>>>> 12:46:04 437D7700 LDAP: DoSearch on connection 0x801d070
>>>>>> 12:46:04 437D7700 LDAP: Search request:
>>>>>> base:
>>>>>> "cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>>>
>>>>>>
>>>>>> scope:2 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
>>>>>> filter: "(&(objectClass=nrfResource))"
>>>>>> attribute: "nrfEntitlementRef"
>>>>>> attribute: "nrfLocalizedDescrs"
>>>>>> attribute: "nrfCategoryKey"
>>>>>> attribute: "nrfLocalizedNames"
>>>>>> attribute: "nrfResourceParms"
>>>>>> attribute: "srvprvHideUser"
>>>>>> attribute: "srvprvHideAttributes"
>>>>>> attribute: "modifyTimeStamp"
>>>>>> attribute: "objectClass"
>>>>>> 12:46:04 437D7700 LDAP: nds_back_search: Search Control OID
>>>>>> 2.16.840.1.113730.3.4.2
>>>>>> 12:46:04 437D7700 LDAP: Sending search result entry "cn=CN_Admin
>>>>>> XXXXXXX
>>>>>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
>>>>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>>>
>>>>>>
>>>>>> to connection 0x801d070
>>>>>> 12:46:04 437D7700 LDAP: Sending search result entry "cn=cn=CN_Admin
>>>>>> XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\ \
>>>>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>>>
>>>>>>
>>>>>> to connection 0x801d070
>>>>>> 12:46:04 437D7700 LDAP: Sending operation result 0:"":"" to
>>>>>> connection
>>>>>> 0x801d070
>>>>>> 12:46:08 43CDC700 LDAP: DoSearch on connection 0x801b460
>>>>>> 12:46:08 43CDC700 LDAP: Search request:
>>>>>> base: "cn=CN_Admin XXXXXXX YYYYYYYYY_OU_ZZZZZZZZZZZZZZ
>>>>>> OOOOOOO_OU_UUUUUU\\\
>>>>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>>>
>>>>>>
>>>>>> scope:0 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
>>>>>> filter: "(objectClass=*)"
>>>>>> attribute: "nrfApprovers"
>>>>>> attribute: "nrfRevokeQuorum"
>>>>>> attribute: "nrfCategoryKey"
>>>>>> attribute: "nrfAllowAprOveride"
>>>>>> attribute: "nrfRequestDef"
>>>>>> attribute: "nrfResourceParms"
>>>>>> attribute: "nrfRevokeApprovers"
>>>>>> attribute: "nrfQuorum"
>>>>>> attribute: "nrfRevokeRequestDef"
>>>>>> attribute: "nrfEntitlementRef"
>>>>>> attribute: "nrfLocalizedDescrs"
>>>>>> attribute: "nrfAllowMulti"
>>>>>> attribute: "owner"
>>>>>> attribute: "nrfLocalizedNames"
>>>>>> attribute: "nrfActive"
>>>>>> attribute: "srvprvHideUser"
>>>>>> attribute: "srvprvHideAttributes"
>>>>>> attribute: "modifyTimeStamp"
>>>>>> attribute: "objectClass"
>>>>>> 12:46:08 43CDC700 LDAP: nds_back_search: Search Control OID
>>>>>> 2.16.840.1.113730.3.4.2
>>>>>> 12:46:08 43CDC700 LDAP: Cannot resolve NDS name 'CN=CN_Admin XXXXXXX
>>>>>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\
>>>>>> ..CN=ResourceDefs.CN=RoleConfig.CN=AppConfig.CN=UA.CN=DriverSet.O=System'
>>>>>>
>>>>>>
>>>>>> in ResolveAndAuthNDSName, err = no such entry (-601)
>>>>>> 12:46:08 43CDC700 LDAP: Base "cn=CN_Admin XXXXXXX
>>>>>> YYYYYYYYY_OU_ZZZZZZZZZZZZZZ OOOOOOO_OU_UUUUUU\\\
>>>>>> ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System"
>>>>>>
>>>>>>
>>>>>> not found, err = no such entry (-601)
>>>>>> 12:46:08 43CDC700 LDAP: Sending operation result
>>>>>> 32:"cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UA,cn=DriverSet,o=System":"NDS
>>>>>>
>>>>>>
>>>>>>
>>>>>> error: no such entry (-601)" to connection 0x801b460
>>>>>>
>>>>> Greetings,
>>>>> What version of RMA was used?
>>>>>
>>>>
>>>> Role Mapping Administrator - Build Information
>>>>
>>>> Version: 4.0.2
>>>> Built By: hudson
>>>> Build Date: 07:24 AM June 11, 2012
>>>> Build Revision: 57068
>>>>
>>>>
>>>> -alekz
>>>>
>>> Greetings,
>>> There is a limit of 64 characters (including spaces) for the ID
>>> value of a Role or a Resource (the cn entry) for within the User
>>> Application code base.
>>> Is the value you provided for the cn above what is actually is in
>>> the system?
>>>

>> The actual CN value is 64 characters including the space at the end.
>> This is the anonymized value. Without the '.
>>
>> 'CN_Admin 12345678 iiiiiiiii_OU_Administrativa Grupper_OU_Lokala'
>>

> Greetings,
> I have tried a number of different ways and can not get an object to
> be created in eDirectory with a trailing space. I will see if I can
> create an set-up that will allow RMA to create a similar cn.
> Do you have any rules or custom properties being utilized in RMA?
>

Hello,

How odd, we are using RMA as-is out of the box.
I'm mapping Groups from AD using the standard Group entitlement which
queries AD for all groups.
The groups and OU's in AD have spaces and Swedish characters in their
names if that makes any difference, åäö and ÅÄÖ.

The DN's in AD are also very long, for example I have a group DN that is
105 characters long and RMA has created a resource with a CN 64
characters long with a space at the end.
The space exists in the DN in the name of a OU in position 64.

Example anonymized DN in AD:
CN=XYZ D-Aäbbbbbbbbbb tr. Kacccccccc,OU=Grupper,OU=Västoooooooo
Tpppppppp,OU=Miiiiiiiiii,DC=xxxxxx,DC=zz

The resource CN is:
'CN_XYZ D-Aäbbbbbbbbbb tr_Kacccccccc_OU_Grupper_OU_Västoooooooo '

-alekz

0 Likes
Knowledge Partner
Knowledge Partner

Re: Resource request activity and resource with trailing space inCN


>> The actual CN value is 64 characters including the space at the end.
>> This is the anonymized value. Without the '.
>>
>> 'CN_Admin 12345678 iiiiiiiii_OU_Administrativa Grupper_OU_Lokala'
>>

> Greetings,
> I have tried a number of different ways and can not get an object to
> be created in eDirectory with a trailing space. I will see if I can
> create an set-up that will allow RMA to create a similar cn.


Easy to create an object with a trailing space.

Designer will do it. Name a policy or something with a trailing space.
(It won't compare properly after that, due an eDir vagary).

LDAP, using an LDIF< base64 encode the value, and use a :: notation on
the data line to indicate it is encoded.

Console1 can do it.

eDir has a funny behavior around leading and trailing spaces in Naming
attributes (cn=, ou=, whatever your naming attribute it).

It will consider "Geoffrey " the same as "Geoffrey", "Geoffrey " and
everywhere in between. Same for leading spaces. And I believe it will
sort of ignore leading and trailing spaces when doing searches/compares.
That is, "cn=Geoffrey" and "cn=Geoffrey " are basically the same
thing from eDir's perspective. It has been this way for decades now.

This manifests in Designer if you create an object with a
leading/trailing space (Though I have only every tried with trailing
space (inadvertantly)) it will push it out. But on every compare it
will recognize that the Designer side object does not match the eDir
object, since Designer is remembering the trailing space and eDir is
sort of ignoring it.


0 Likes
Knowledge Partner
Knowledge Partner

Re: Resource request activity and resource with trailing space inCN

On 3/19/2014 8:13 AM, Geoffrey Carman wrote:
>
>>> The actual CN value is 64 characters including the space at the end.
>>> This is the anonymized value. Without the '.
>>>
>>> 'CN_Admin 12345678 iiiiiiiii_OU_Administrativa Grupper_OU_Lokala'
>>>

>> Greetings,
>> I have tried a number of different ways and can not get an object to
>> be created in eDirectory with a trailing space. I will see if I can
>> create an set-up that will allow RMA to create a similar cn.

>
> Easy to create an object with a trailing space.
>
> Designer will do it. Name a policy or something with a trailing space.
> (It won't compare properly after that, due an eDir vagary).
>
> LDAP, using an LDIF< base64 encode the value, and use a :: notation on
> the data line to indicate it is encoded.
>
> Console1 can do it.
>
> eDir has a funny behavior around leading and trailing spaces in Naming
> attributes (cn=, ou=, whatever your naming attribute it).
>
> It will consider "Geoffrey " the same as "Geoffrey", "Geoffrey " and
> everywhere in between. Same for leading spaces. And I believe it will
> sort of ignore leading and trailing spaces when doing searches/compares.
> That is, "cn=Geoffrey" and "cn=Geoffrey " are basically the same
> thing from eDir's perspective. It has been this way for decades now.
>
> This manifests in Designer if you create an object with a
> leading/trailing space (Though I have only every tried with trailing
> space (inadvertantly)) it will push it out. But on every compare it
> will recognize that the Designer side object does not match the eDir
> object, since Designer is remembering the trailing space and eDir is
> sort of ignoring it.


Now that I think about it, I have no idea what eDir does, if the field
length is 64 chars, and you have a 63 char string, followed by 3 spaces?
Probably does not allow you to create it at create/rename time.


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Resource request activity and resource with trailing space inCN

On 03/19/2014 08:17 AM, Geoffrey Carman wrote:
> On 3/19/2014 8:13 AM, Geoffrey Carman wrote:
>>
>>>> The actual CN value is 64 characters including the space at the end.
>>>> This is the anonymized value. Without the '.
>>>>
>>>> 'CN_Admin 12345678 iiiiiiiii_OU_Administrativa Grupper_OU_Lokala'
>>>>
>>> Greetings,
>>> I have tried a number of different ways and can not get an object to
>>> be created in eDirectory with a trailing space. I will see if I can
>>> create an set-up that will allow RMA to create a similar cn.

>>
>> Easy to create an object with a trailing space.
>>
>> Designer will do it. Name a policy or something with a trailing space.
>> (It won't compare properly after that, due an eDir vagary).
>>
>> LDAP, using an LDIF< base64 encode the value, and use a :: notation on
>> the data line to indicate it is encoded.
>>
>> Console1 can do it.
>>
>> eDir has a funny behavior around leading and trailing spaces in Naming
>> attributes (cn=, ou=, whatever your naming attribute it).
>>
>> It will consider "Geoffrey " the same as "Geoffrey", "Geoffrey " and
>> everywhere in between. Same for leading spaces. And I believe it will
>> sort of ignore leading and trailing spaces when doing searches/compares.
>> That is, "cn=Geoffrey" and "cn=Geoffrey " are basically the same
>> thing from eDir's perspective. It has been this way for decades now.
>>
>> This manifests in Designer if you create an object with a
>> leading/trailing space (Though I have only every tried with trailing
>> space (inadvertantly)) it will push it out. But on every compare it
>> will recognize that the Designer side object does not match the eDir
>> object, since Designer is remembering the trailing space and eDir is
>> sort of ignoring it.

>
> Now that I think about it, I have no idea what eDir does, if the field
> length is 64 chars, and you have a 63 char string, followed by 3 spaces?
> Probably does not allow you to create it at create/rename time.
>
>

Greetings,
Thank you Geoffrey. Designer was the ticket. You do not need it to
be 60+ characters. I created a resource: 'End with Space ' and
deployed from Designer.

When I went to the Assignments tab of the Resource in the User
Application, I received the following error:

Error loading resource assignments: Resource with DN = [cn=End with
Space\ ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application
Driver,cn=driverset1,o=system ] does not exist.


I will investigate this a bit more to determine if the bug should go
against RBPM or Designer & RMA.

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
0 Likes
Knowledge Partner
Knowledge Partner

Re: Resource request activity and resource with trailing space inCN

> Thank you Geoffrey. Designer was the ticket. You do not need it to
> be 60+ characters. I created a resource: 'End with Space ' and
> deployed from Designer.
>
> When I went to the Assignments tab of the Resource in the User
> Application, I received the following error:
>
> Error loading resource assignments: Resource with DN = [cn=End with
> Space\ ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application
> Driver,cn=driverset1,o=system ] does not exist.
>
>
> I will investigate this a bit more to determine if the bug should go
> against RBPM or Designer & RMA.


1) Designer should properly handle trailing spaces. (Try comparing it
now in Designer, in Policy view, you see Designer has a object "End with
Space" and eDir has an object "End with Space" but they are not the
same, and you cannot see the trailing space in either view.

2) VDX or LDAP layer that reads out of eDir should handle trailing
spaces properly.

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Resource request activity and resource with trailing space inCN

On 03/19/2014 08:50 AM, Steven Williams wrote:
> On 03/19/2014 08:17 AM, Geoffrey Carman wrote:
>> On 3/19/2014 8:13 AM, Geoffrey Carman wrote:
>>>
>>>>> The actual CN value is 64 characters including the space at the end.
>>>>> This is the anonymized value. Without the '.
>>>>>
>>>>> 'CN_Admin 12345678 iiiiiiiii_OU_Administrativa Grupper_OU_Lokala'
>>>>>
>>>> Greetings,
>>>> I have tried a number of different ways and can not get an
>>>> object to
>>>> be created in eDirectory with a trailing space. I will see if I can
>>>> create an set-up that will allow RMA to create a similar cn.
>>>
>>> Easy to create an object with a trailing space.
>>>
>>> Designer will do it. Name a policy or something with a trailing space.
>>> (It won't compare properly after that, due an eDir vagary).
>>>
>>> LDAP, using an LDIF< base64 encode the value, and use a :: notation on
>>> the data line to indicate it is encoded.
>>>
>>> Console1 can do it.
>>>
>>> eDir has a funny behavior around leading and trailing spaces in Naming
>>> attributes (cn=, ou=, whatever your naming attribute it).
>>>
>>> It will consider "Geoffrey " the same as "Geoffrey", "Geoffrey " and
>>> everywhere in between. Same for leading spaces. And I believe it will
>>> sort of ignore leading and trailing spaces when doing searches/compares.
>>> That is, "cn=Geoffrey" and "cn=Geoffrey " are basically the same
>>> thing from eDir's perspective. It has been this way for decades now.
>>>
>>> This manifests in Designer if you create an object with a
>>> leading/trailing space (Though I have only every tried with trailing
>>> space (inadvertantly)) it will push it out. But on every compare it
>>> will recognize that the Designer side object does not match the eDir
>>> object, since Designer is remembering the trailing space and eDir is
>>> sort of ignoring it.

>>
>> Now that I think about it, I have no idea what eDir does, if the field
>> length is 64 chars, and you have a 63 char string, followed by 3 spaces?
>> Probably does not allow you to create it at create/rename time.
>>
>>

> Greetings,
> Thank you Geoffrey. Designer was the ticket. You do not need it to
> be 60+ characters. I created a resource: 'End with Space ' and
> deployed from Designer.
>
> When I went to the Assignments tab of the Resource in the User
> Application, I received the following error:
>
> Error loading resource assignments: Resource with DN = [cn=End with
> Space\ ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application
> Driver,cn=driverset1,o=system ] does not exist.
>
>
> I will investigate this a bit more to determine if the bug should go
> against RBPM or Designer & RMA.
>

Greetings,
I am not seeing a problem using the Resource Request Activity in a
workflow.

Here is the value in the Resource field:

'CN=End with Space,CN=ResourceDefs,CN=RoleConfig,CN=AppConfig,CN=User
Application Driver,CN=driverset1,O=system'

The Resource does get assigned to the user.

With that said, the Resource does not render 100% correctly on the Work
Dashboard. In that the Display name of the Resource is not there. It
is empty.

Questions:

1) Are you mapping to the Resource directly or are you utilizing an
Expression in the Resource Request Activity?

2) Is the Vault on Windows or Linux?

3) Is User Application on Windows or Linux?

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Resource request activity and resource with trailing space inCN

On 2014-03-19 14:12, Steven Williams wrote:
> On 03/19/2014 08:50 AM, Steven Williams wrote:
>> On 03/19/2014 08:17 AM, Geoffrey Carman wrote:
>>> On 3/19/2014 8:13 AM, Geoffrey Carman wrote:
>>>>
>>>>>> The actual CN value is 64 characters including the space at the end.
>>>>>> This is the anonymized value. Without the '.
>>>>>>
>>>>>> 'CN_Admin 12345678 iiiiiiiii_OU_Administrativa Grupper_OU_Lokala'
>>>>>>
>>>>> Greetings,
>>>>> I have tried a number of different ways and can not get an
>>>>> object to
>>>>> be created in eDirectory with a trailing space. I will see if I can
>>>>> create an set-up that will allow RMA to create a similar cn.
>>>>
>>>> Easy to create an object with a trailing space.
>>>>
>>>> Designer will do it. Name a policy or something with a trailing space.
>>>> (It won't compare properly after that, due an eDir vagary).
>>>>
>>>> LDAP, using an LDIF< base64 encode the value, and use a :: notation on
>>>> the data line to indicate it is encoded.
>>>>
>>>> Console1 can do it.
>>>>
>>>> eDir has a funny behavior around leading and trailing spaces in Naming
>>>> attributes (cn=, ou=, whatever your naming attribute it).
>>>>
>>>> It will consider "Geoffrey " the same as "Geoffrey", "Geoffrey "
>>>> and
>>>> everywhere in between. Same for leading spaces. And I believe it will
>>>> sort of ignore leading and trailing spaces when doing
>>>> searches/compares.
>>>> That is, "cn=Geoffrey" and "cn=Geoffrey " are basically the same
>>>> thing from eDir's perspective. It has been this way for decades now.
>>>>
>>>> This manifests in Designer if you create an object with a
>>>> leading/trailing space (Though I have only every tried with trailing
>>>> space (inadvertantly)) it will push it out. But on every compare it
>>>> will recognize that the Designer side object does not match the eDir
>>>> object, since Designer is remembering the trailing space and eDir is
>>>> sort of ignoring it.
>>>
>>> Now that I think about it, I have no idea what eDir does, if the field
>>> length is 64 chars, and you have a 63 char string, followed by 3 spaces?
>>> Probably does not allow you to create it at create/rename time.
>>>
>>>

>> Greetings,
>> Thank you Geoffrey. Designer was the ticket. You do not need it to
>> be 60+ characters. I created a resource: 'End with Space ' and
>> deployed from Designer.
>>
>> When I went to the Assignments tab of the Resource in the User
>> Application, I received the following error:
>>
>> Error loading resource assignments: Resource with DN = [cn=End with
>> Space\ ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application
>> Driver,cn=driverset1,o=system ] does not exist.
>>
>>
>> I will investigate this a bit more to determine if the bug should go
>> against RBPM or Designer & RMA.
>>

> Greetings,
> I am not seeing a problem using the Resource Request Activity in a
> workflow.
>
> Here is the value in the Resource field:
>
> 'CN=End with Space,CN=ResourceDefs,CN=RoleConfig,CN=AppConfig,CN=User
> Application Driver,CN=driverset1,O=system'
>
> The Resource does get assigned to the user.
>
> With that said, the Resource does not render 100% correctly on the Work
> Dashboard. In that the Display name of the Resource is not there. It
> is empty.
>
> Questions:
>
> 1) Are you mapping to the Resource directly or are you utilizing an
> Expression in the Resource Request Activity?
>
> 2) Is the Vault on Windows or Linux?
>
> 3) Is User Application on Windows or Linux?
>



1) Expression, we are getting the resource DNs from a query in the form
which gives us 'CN=End with Space\ ,CN=ResourceDefs......'
Notice the '\ '.

Something like this in a mapping activity:

flowdata.targetresource:

function getNextResource()
{
var nextResource = flowdata.get('addResources[' +
flowdata.get('dnCounter') + ']');
return nextResource;
};
getNextResource();

2) Linux, non-root


3) Linux

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Resource request activity and resource with trailing space inCN

On 03/19/2014 09:33 AM, alekz wrote:
> On 2014-03-19 14:12, Steven Williams wrote:
>> On 03/19/2014 08:50 AM, Steven Williams wrote:
>>> On 03/19/2014 08:17 AM, Geoffrey Carman wrote:
>>>> On 3/19/2014 8:13 AM, Geoffrey Carman wrote:
>>>>>
>>>>>>> The actual CN value is 64 characters including the space at the end.
>>>>>>> This is the anonymized value. Without the '.
>>>>>>>
>>>>>>> 'CN_Admin 12345678 iiiiiiiii_OU_Administrativa Grupper_OU_Lokala'
>>>>>>>
>>>>>> Greetings,
>>>>>> I have tried a number of different ways and can not get an
>>>>>> object to
>>>>>> be created in eDirectory with a trailing space. I will see if I can
>>>>>> create an set-up that will allow RMA to create a similar cn.
>>>>>
>>>>> Easy to create an object with a trailing space.
>>>>>
>>>>> Designer will do it. Name a policy or something with a trailing space.
>>>>> (It won't compare properly after that, due an eDir vagary).
>>>>>
>>>>> LDAP, using an LDIF< base64 encode the value, and use a :: notation on
>>>>> the data line to indicate it is encoded.
>>>>>
>>>>> Console1 can do it.
>>>>>
>>>>> eDir has a funny behavior around leading and trailing spaces in Naming
>>>>> attributes (cn=, ou=, whatever your naming attribute it).
>>>>>
>>>>> It will consider "Geoffrey " the same as "Geoffrey", "Geoffrey "
>>>>> and
>>>>> everywhere in between. Same for leading spaces. And I believe it will
>>>>> sort of ignore leading and trailing spaces when doing
>>>>> searches/compares.
>>>>> That is, "cn=Geoffrey" and "cn=Geoffrey " are basically the same
>>>>> thing from eDir's perspective. It has been this way for decades now.
>>>>>
>>>>> This manifests in Designer if you create an object with a
>>>>> leading/trailing space (Though I have only every tried with trailing
>>>>> space (inadvertantly)) it will push it out. But on every compare it
>>>>> will recognize that the Designer side object does not match the eDir
>>>>> object, since Designer is remembering the trailing space and eDir is
>>>>> sort of ignoring it.
>>>>
>>>> Now that I think about it, I have no idea what eDir does, if the field
>>>> length is 64 chars, and you have a 63 char string, followed by 3 spaces?
>>>> Probably does not allow you to create it at create/rename time.
>>>>
>>>>
>>> Greetings,
>>> Thank you Geoffrey. Designer was the ticket. You do not need it to
>>> be 60+ characters. I created a resource: 'End with Space ' and
>>> deployed from Designer.
>>>
>>> When I went to the Assignments tab of the Resource in the User
>>> Application, I received the following error:
>>>
>>> Error loading resource assignments: Resource with DN = [cn=End with
>>> Space\ ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application
>>> Driver,cn=driverset1,o=system ] does not exist.
>>>
>>>
>>> I will investigate this a bit more to determine if the bug should go
>>> against RBPM or Designer & RMA.
>>>

>> Greetings,
>> I am not seeing a problem using the Resource Request Activity in a
>> workflow.
>>
>> Here is the value in the Resource field:
>>
>> 'CN=End with Space,CN=ResourceDefs,CN=RoleConfig,CN=AppConfig,CN=User
>> Application Driver,CN=driverset1,O=system'
>>
>> The Resource does get assigned to the user.
>>
>> With that said, the Resource does not render 100% correctly on the Work
>> Dashboard. In that the Display name of the Resource is not there. It
>> is empty.
>>
>> Questions:
>>
>> 1) Are you mapping to the Resource directly or are you utilizing an
>> Expression in the Resource Request Activity?
>>
>> 2) Is the Vault on Windows or Linux?
>>
>> 3) Is User Application on Windows or Linux?
>>

>
>
> 1) Expression, we are getting the resource DNs from a query in the form
> which gives us 'CN=End with Space\ ,CN=ResourceDefs......'
> Notice the '\ '.
>
> Something like this in a mapping activity:
>
> flowdata.targetresource:
>
> function getNextResource()
> {
> var nextResource = flowdata.get('addResources[' +
> flowdata.get('dnCounter') + ']');
> return nextResource;
> };
> getNextResource();
>
> 2) Linux, non-root
>
>
> 3) Linux
>

Greetings,
How are you creating the list for the end-users to select from in in
the Workflow? Are you using a DAL Query to present a list of Resources?
Are you showing a static list and then building the dn after?
Understanding what your are doing is important here. From my earlier
post, you can see that quoting the entire DN works. Also, for Roles the
Expression Build creates it correctly.

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Resource request activity and resource with trailing space inCN

On 2014-03-24 13:55, Steven Williams wrote:
> On 03/19/2014 09:33 AM, alekz wrote:
>> On 2014-03-19 14:12, Steven Williams wrote:
>>> On 03/19/2014 08:50 AM, Steven Williams wrote:
>>>> On 03/19/2014 08:17 AM, Geoffrey Carman wrote:
>>>>> On 3/19/2014 8:13 AM, Geoffrey Carman wrote:
>>>>>>
>>>>>>>> The actual CN value is 64 characters including the space at the
>>>>>>>> end.
>>>>>>>> This is the anonymized value. Without the '.
>>>>>>>>
>>>>>>>> 'CN_Admin 12345678 iiiiiiiii_OU_Administrativa Grupper_OU_Lokala'
>>>>>>>>
>>>>>>> Greetings,
>>>>>>> I have tried a number of different ways and can not get an
>>>>>>> object to
>>>>>>> be created in eDirectory with a trailing space. I will see if I can
>>>>>>> create an set-up that will allow RMA to create a similar cn.
>>>>>>
>>>>>> Easy to create an object with a trailing space.
>>>>>>
>>>>>> Designer will do it. Name a policy or something with a trailing
>>>>>> space.
>>>>>> (It won't compare properly after that, due an eDir vagary).
>>>>>>
>>>>>> LDAP, using an LDIF< base64 encode the value, and use a ::
>>>>>> notation on
>>>>>> the data line to indicate it is encoded.
>>>>>>
>>>>>> Console1 can do it.
>>>>>>
>>>>>> eDir has a funny behavior around leading and trailing spaces in
>>>>>> Naming
>>>>>> attributes (cn=, ou=, whatever your naming attribute it).
>>>>>>
>>>>>> It will consider "Geoffrey " the same as "Geoffrey", "Geoffrey "
>>>>>> and
>>>>>> everywhere in between. Same for leading spaces. And I believe it
>>>>>> will
>>>>>> sort of ignore leading and trailing spaces when doing
>>>>>> searches/compares.
>>>>>> That is, "cn=Geoffrey" and "cn=Geoffrey " are basically the same
>>>>>> thing from eDir's perspective. It has been this way for decades now.
>>>>>>
>>>>>> This manifests in Designer if you create an object with a
>>>>>> leading/trailing space (Though I have only every tried with trailing
>>>>>> space (inadvertantly)) it will push it out. But on every compare it
>>>>>> will recognize that the Designer side object does not match the eDir
>>>>>> object, since Designer is remembering the trailing space and eDir is
>>>>>> sort of ignoring it.
>>>>>
>>>>> Now that I think about it, I have no idea what eDir does, if the field
>>>>> length is 64 chars, and you have a 63 char string, followed by 3
>>>>> spaces?
>>>>> Probably does not allow you to create it at create/rename time.
>>>>>
>>>>>
>>>> Greetings,
>>>> Thank you Geoffrey. Designer was the ticket. You do not need
>>>> it to
>>>> be 60+ characters. I created a resource: 'End with Space ' and
>>>> deployed from Designer.
>>>>
>>>> When I went to the Assignments tab of the Resource in the User
>>>> Application, I received the following error:
>>>>
>>>> Error loading resource assignments: Resource with DN = [cn=End with
>>>> Space\ ,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application
>>>> Driver,cn=driverset1,o=system ] does not exist.
>>>>
>>>>
>>>> I will investigate this a bit more to determine if the bug should go
>>>> against RBPM or Designer & RMA.
>>>>
>>> Greetings,
>>> I am not seeing a problem using the Resource Request Activity in a
>>> workflow.
>>>
>>> Here is the value in the Resource field:
>>>
>>> 'CN=End with Space,CN=ResourceDefs,CN=RoleConfig,CN=AppConfig,CN=User
>>> Application Driver,CN=driverset1,O=system'
>>>
>>> The Resource does get assigned to the user.
>>>
>>> With that said, the Resource does not render 100% correctly on the Work
>>> Dashboard. In that the Display name of the Resource is not there. It
>>> is empty.
>>>
>>> Questions:
>>>
>>> 1) Are you mapping to the Resource directly or are you utilizing an
>>> Expression in the Resource Request Activity?
>>>
>>> 2) Is the Vault on Windows or Linux?
>>>
>>> 3) Is User Application on Windows or Linux?
>>>

>>
>>
>> 1) Expression, we are getting the resource DNs from a query in the form
>> which gives us 'CN=End with Space\ ,CN=ResourceDefs......'
>> Notice the '\ '.
>>
>> Something like this in a mapping activity:
>>
>> flowdata.targetresource:
>>
>> function getNextResource()
>> {
>> var nextResource = flowdata.get('addResources[' +
>> flowdata.get('dnCounter') + ']');
>> return nextResource;
>> };
>> getNextResource();
>>
>> 2) Linux, non-root
>>
>>
>> 3) Linux
>>

> Greetings,
> How are you creating the list for the end-users to select from in in
> the Workflow? Are you using a DAL Query to present a list of Resources?
> Are you showing a static list and then building the dn after?
> Understanding what your are doing is important here. From my earlier
> post, you can see that quoting the entire DN works. Also, for Roles the
> Expression Build creates it correctly.
>

I'll try to find out how we do it.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.