Respected Contributor.

Setting UPN and getting LDAP Error on Remote Loader

Hi All,

I am working on setting UPN for users. We have 2 different conditions: Employees and Non-Employees. I have the AD Policy set to None. The code is working correctly and updating eDir but not AD. The Remote Loader logs show this error. Can anyone advise?


DirXML Log Event -------------------
Driver = \HONORHEALTH-TEST\system\Driver Set\AD-SLHNAZ
Thread = Subscriber Channel
Object = \HONORHEALTH-TEST\data\users\ALEET
Level = success
DirXML: [02/20/18 16:29:34.52]: Loader: Received 'subscriber execute' document
DirXML: [02/20/18 16:29:34.52]: Loader: XML Document:
DirXML: [02/20/18 16:29:34.52]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20180220232934.388Z" class-name="user" event-id="c1vtlidm2edirwb01#20180220232934#3#1:5d6c44f5-d6a8-4b20-9749-f5446c5da8d6" qualified-src-dn="O=data\OU=users\CN=ALEET" src-dn="\HONORHEALTH-TEST\data\users\ALEET" src-entry-id="1010653" timestamp="1519169374#2">
<association state="associated">4b0e80e56785e4469b8d84f1455cfef6</association>
<modify-attr attr-name="userPrincipalName">
<remove-value>
<value timestamp="1519169366#54" type="string">angie.leet@tstslhnaz.org</value>
</remove-value>
<add-value>
<value timestamp="1519169374#2" type="string">angie.leet@tstslhnaz.org </value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [02/20/18 16:29:34.52]: Loader: Calling subscriptionShim->execute()
DirXML: [02/20/18 16:29:34.52]: Loader: XML Document:
DirXML: [02/20/18 16:29:34.52]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20180220232934.388Z" class-name="user" event-id="c1vtlidm2edirwb01#20180220232934#3#1:5d6c44f5-d6a8-4b20-9749-f5446c5da8d6" qualified-src-dn="O=data\OU=users\CN=ALEET" src-dn="\HONORHEALTH-TEST\data\users\ALEET" src-entry-id="1010653" timestamp="1519169374#2">
<association state="associated">4b0e80e56785e4469b8d84f1455cfef6</association>
<modify-attr attr-name="userPrincipalName">
<remove-value>
<value timestamp="1519169366#54" type="string">angie.leet@tstslhnaz.org</value>
</remove-value>
<add-value>
<value timestamp="1519169374#2" type="string">angie.leet@tstslhnaz.org </value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [02/20/18 16:29:34.52]: ADDriver: parse command

className user
destDN
eventId c1vtlidm2edirwb01#20180220232934#3#1:5d6c44f5-d6a8-4b20-9749-f5446c5da8d6
association 4b0e80e56785e4469b8d84f1455cfef6
DirXML: [02/20/18 16:29:34.52]: ADDriver: parse modify class = user
DirXML: [02/20/18 16:29:34.52]: ADDriver: association
DirXML: [02/20/18 16:29:34.52]: ADDriver: 4b0e80e56785e4469b8d84f1455cfef6
DirXML: [02/20/18 16:29:34.52]: ADDriver: modify-attr
DirXML: [02/20/18 16:29:34.52]: ADDriver: remove-value
DirXML: [02/20/18 16:29:34.52]: ADDriver: value
DirXML: [02/20/18 16:29:34.52]: ADDriver: angie.leet@tstslhnaz.org
DirXML: [02/20/18 16:29:34.52]: ADDriver: add-value
DirXML: [02/20/18 16:29:34.52]: ADDriver: value
DirXML: [02/20/18 16:29:34.52]: ADDriver: angie.leet@tstslhnaz.org
DirXML: [02/20/18 16:29:34.54]: ADDriver: ldap_modify user CN=Leet\, Angie N,OU=Standard,OU=People,DC=tstslhnaz,DC=org
LDAPMod operations:
delete attribute userPrincipalName
>> angie.leet@tstslhnaz.org
add attribute userPrincipalName
>> angie.leet@tstslhnaz.org
DirXML: [02/20/18 16:29:34.58]: Loader: subscriptionShim->execute() returned:
DirXML: [02/20/18 16:29:34.58]: Loader: XML Document:
DirXML: [02/20/18 16:29:34.58]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\HONORHEALTH-TEST\system\Driver Set\AD-SLHNAZ">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="error" type="driver-general" event-id="c1vtlidm2edirwb01#20180220232934#3#1:5d6c44f5-d6a8-4b20-9749-f5446c5da8d6">
<ldap-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
<client-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value Exists</client-err>
<server-err>00002081: AtrErr: DSID-030F1821, #1:
0: 00002081: DSID-030F1821, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90290 (userPrincipalName)
</server-err>
<server-err-ex win32-rc="8321"/>
</ldap-err>
</status>
</output>
</nds>
DirXML: [02/20/18 16:29:34.58]:
DirXML Log Event -------------------
Driver = \HONORHEALTH-TEST\system\Driver Set\AD-SLHNAZ
Thread = Subscriber Channel
Object = \HONORHEALTH-TEST\data\users\ALEET
Level = error
Message = <ldap-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
<client-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value Exists</client-err>
<server-err>00002081: AtrErr: DSID-030F1821, #1:
0: 00002081: DSID-030F1821, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90290 (userPrincipalName)
</server-err>

<server-err-ex win32-rc="8321"/>
</ldap-err>
DirXML: [02/20/18 16:29:36.82]: Loader: Received 'subscriber execute' document
DirXML: [02/20/18 16:29:36.82]: Loader: XML Document:
DirXML: [02/20/18 16:29:36.82]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20180220232936.755Z" class-name="user" event-id="c1vtlidm2edirwb01#20180220232936#3#1:86514ce7-9ab1-4e97-8cd9-e74c5186b19a" qualified-src-dn="O=data\OU=users\CN=ALEET" src-dn="\HONORHEALTH-TEST\data\users\ALEET" src-entry-id="1010653" timestamp="1519169376#5">
<association state="associated">4b0e80e56785e4469b8d84f1455cfef6</association>
<modify-attr attr-name="userPrincipalName">
<remove-value>
<value timestamp="1519169374#2" type="string">angie.leet@tstslhnaz.org </value>
</remove-value>
<add-value>
<value timestamp="1519169376#5" type="string">angie.leet@tstslhnaz.org</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [02/20/18 16:29:36.82]: Loader: Calling subscriptionShim->execute()
DirXML: [02/20/18 16:29:36.82]: Loader: XML Document:
DirXML: [02/20/18 16:29:36.82]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20180220232936.755Z" class-name="user" event-id="c1vtlidm2edirwb01#20180220232936#3#1:86514ce7-9ab1-4e97-8cd9-e74c5186b19a" qualified-src-dn="O=data\OU=users\CN=ALEET" src-dn="\HONORHEALTH-TEST\data\users\ALEET" src-entry-id="1010653" timestamp="1519169376#5">
<association state="associated">4b0e80e56785e4469b8d84f1455cfef6</association>
<modify-attr attr-name="userPrincipalName">
<remove-value>
<value timestamp="1519169374#2" type="string">angie.leet@tstslhnaz.org </value>
</remove-value>
<add-value>
<value timestamp="1519169376#5" type="string">angie.leet@tstslhnaz.org</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [02/20/18 16:29:36.82]: ADDriver: parse command

className user
destDN
eventId c1vtlidm2edirwb01#20180220232936#3#1:86514ce7-9ab1-4e97-8cd9-e74c5186b19a
association 4b0e80e56785e4469b8d84f1455cfef6
DirXML: [02/20/18 16:29:36.82]: ADDriver: parse modify class = user
DirXML: [02/20/18 16:29:36.82]: ADDriver: association
DirXML: [02/20/18 16:29:36.82]: ADDriver: 4b0e80e56785e4469b8d84f1455cfef6
DirXML: [02/20/18 16:29:36.82]: ADDriver: modify-attr
DirXML: [02/20/18 16:29:36.82]: ADDriver: remove-value
DirXML: [02/20/18 16:29:36.82]: ADDriver: value
DirXML: [02/20/18 16:29:36.82]: ADDriver: angie.leet@tstslhnaz.org
DirXML: [02/20/18 16:29:36.82]: ADDriver: add-value
DirXML: [02/20/18 16:29:36.82]: ADDriver: value
DirXML: [02/20/18 16:29:36.82]: ADDriver: angie.leet@tstslhnaz.org
DirXML: [02/20/18 16:29:36.83]: ADDriver: ldap_modify user CN=Leet\, Angie N,OU=Standard,OU=People,DC=tstslhnaz,DC=org
LDAPMod operations:
delete attribute userPrincipalName
>> angie.leet@tstslhnaz.org
add attribute userPrincipalName
>> angie.leet@tstslhnaz.org
DirXML: [02/20/18 16:29:36.85]: Loader: subscriptionShim->execute() returned:
DirXML: [02/20/18 16:29:36.85]: Loader: XML Document:
DirXML: [02/20/18 16:29:36.85]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\HONORHEALTH-TEST\system\Driver Set\AD-SLHNAZ">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="error" type="driver-general" event-id="c1vtlidm2edirwb01#20180220232936#3#1:86514ce7-9ab1-4e97-8cd9-e74c5186b19a">
<ldap-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
<client-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value Exists</client-err>
<server-err>00002081: AtrErr: DSID-030F1821, #1:
0: 00002081: DSID-030F1821, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90290 (userPrincipalName)
</server-err>
<server-err-ex win32-rc="8321"/>
</ldap-err>
</status>
</output>
</nds>
DirXML: [02/20/18 16:29:36.85]:
DirXML Log Event -------------
Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

Are you able to make that change to a user object using a standard LDAP
tool like Apache Directory Studio? I do not know that a trailing space on
the value SHOULD cause an issue, but it would be easy to test:



dn: cn=user,ou=people,dc=your,dc=org
changetype: modify
delete: userPrincipalName
userPrincipalName: angiel.leet@tstslhnaz.org
-
add: userPrincipalName
userPrincipalName: space-at-the-end@tstslhnaz.org




--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Respected Contributor.

Re: Setting UPN and getting LDAP Error on Remote Loader

It appears the extra space does matter; here is the log from LDIF. I'm not sure how I am getting the extra space to begin with, but I will look at the code again. The Driver trace log does not show the extra space like the Remote Loader log does, which seems strange. Here is the error from the LDIF log:

#!RESULT ERROR
#!CONNECTION ldap://10.252.168.51:389
#!DATE 2018-02-21T13:00:37.078
#!ERROR [LDAP: error code 16 - 00002085: AtrErr: DSID-03152367, #2: 0: 00002085: DSID-03152367, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 90290 (userPrincipalName):len 48 1: 00002083: DSID-03151830, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90290 (userPrincipalName):len 50 ]
dn: CN=Leet\, Angie N,OU=Standard,OU=People,DC=tstslhnaz,DC=org
changetype: modify
delete: userPrincipalName
userPrincipalName: angie.leet@tstslhnaz.org
-
add: userPrincipalName
userPrincipalName: angie.leet@tstslhnaz.org
Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

If you want to post the engine-side trace, level three (3) or higher, I am
sure we can figure it out.

Respected Contributor.

Re: Setting UPN and getting LDAP Error on Remote Loader

The extra space was it! In our code we were accounting for a 15-character substring to evaluate, which it would be in PROD but not in TEST, so it was adding an extra space. Changed the code to a 14-character substring and it is now working perfectly! Thank you!
Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

Glad to hear it is working. Thank you for confirming your fix.

Respected Contributor.

Re: Setting UPN and getting LDAP Error on Remote Loader

So after seeming to work, there was another change done to the AD driver, and I am now seeing the LDAP errors again when trying to set UPN. It works in TEST but PROD gets these errors. Filter settings are the same between TEST and PROD. PROD is now Windows Server 2016 for the DC while TEST is 2012 R2; not sure if there is an issue with the DC versions. We are on IDM 4.6.2.
Here are the LDAP errors I am getting for UPN:

DirXML: [03/29/18 20:03:31.30]: Loader: Received 'subscriber execute' document
DirXML: [03/29/18 20:03:31.30]: Loader: XML Document:
DirXML: [03/29/18 20:03:31.30]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20180330030258.922Z" class-name="user" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330" qualified-src-dn="O=data\OU=users\CN=EPETERS" src-dn="\HONORHEALTH\data\users\EPETERS" src-entry-id="817266" timestamp="1522378978#55">
<association state="associated">e578a0476d7dc4479f047dcf2086497d</association>
<modify-attr attr-name="userPrincipalName">
<remove-value>
<value timestamp="1522378956#56" type="string"/>
</remove-value>
<add-value>
<value timestamp="1522378978#55" type="string">Eniola.Peters@honorhealth.com</value>
</add-value>
</modify-attr>
</modify>
<rename dest-dn="CN=Peters\, Eniola,OU=Standard,OU=People,DC=slhnaz,DC=org" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330">
<new-name>Peters\, Eniola</new-name>
</rename>
</input>
</nds>
DirXML: [03/29/18 20:03:31.30]: Loader: Calling subscriptionShim->execute()
DirXML: [03/29/18 20:03:31.30]: Loader: XML Document:
DirXML: [03/29/18 20:03:31.30]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20180330030258.922Z" class-name="user" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330" qualified-src-dn="O=data\OU=users\CN=EPETERS" src-dn="\HONORHEALTH\data\users\EPETERS" src-entry-id="817266" timestamp="1522378978#55">
<association state="associated">e578a0476d7dc4479f047dcf2086497d</association>
<modify-attr attr-name="userPrincipalName">
<remove-value>
<value timestamp="1522378956#56" type="string"/>
</remove-value>
<add-value>
<value timestamp="1522378978#55" type="string">Eniola.Peters@honorhealth.com</value>
</add-value>
</modify-attr>
</modify>
<rename dest-dn="CN=Peters\, Eniola,OU=Standard,OU=People,DC=slhnaz,DC=org" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330">
<new-name>Peters\, Eniola</new-name>
</rename>
</input>
</nds>
DirXML: [03/29/18 20:03:31.30]: ADDriver: parse command

className user
destDN
eventId AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330
association e578a0476d7dc4479f047dcf2086497d
DirXML: [03/29/18 20:03:31.30]: ADDriver: parse modify class = user
DirXML: [03/29/18 20:03:31.30]: ADDriver: association
DirXML: [03/29/18 20:03:31.30]: ADDriver: e578a0476d7dc4479f047dcf2086497d
DirXML: [03/29/18 20:03:31.30]: ADDriver: modify-attr
DirXML: [03/29/18 20:03:31.30]: ADDriver: remove-value
DirXML: [03/29/18 20:03:31.30]: ADDriver: value
DirXML: [03/29/18 20:03:31.30]: ADDriver:
DirXML: [03/29/18 20:03:31.30]: ADDriver: add-value
DirXML: [03/29/18 20:03:31.30]: ADDriver: value
DirXML: [03/29/18 20:03:31.30]: ADDriver: Eniola.Peters@honorhealth.com
DirXML: [03/29/18 20:03:31.31]: ADDriver: ldap_modify user CN=Peters\, Eniola,OU=Standard,OU=People,DC=slhnaz,DC=org
LDAPMod operations:
delete attribute userPrincipalName
>>
add attribute userPrincipalName
>> Eniola.Peters@honorhealth.com
DirXML: [03/29/18 20:03:31.33]: ADDriver: parse command

className
destDN CN=Peters\, Eniola,OU=Standard,OU=People,DC=slhnaz,DC=org
eventId AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330
association
DirXML: [03/29/18 20:03:31.33]: ADDriver: parse rename
DirXML: [03/29/18 20:03:31.33]: ADDriver: remove-old-name
DirXML: [03/29/18 20:03:31.33]: ADDriver: new-name Peters\, Eniola
DirXML: [03/29/18 20:03:31.34]: Loader: subscriptionShim->execute() returned:
DirXML: [03/29/18 20:03:31.34]: Loader: XML Document:
DirXML: [03/29/18 20:03:31.34]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\HONORHEALTH\system\Driver Set\AD-SLHNAZ">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="error" type="driver-general" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330">
<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090F3A, comment: Error in attribute conversion operation, data 0, v3839</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
</status>
<status level="success" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330"/>
</output>
</nds>
DirXML: [03/29/18 20:03:31.34]:
DirXML Log Event -------------------
Driver = \HONORHEALTH\system\Driver Set\AD-SLHNAZ
Thread = Subscriber Channel
Object = \HONORHEALTH\data\users\EPETERS
Level = error
Message = <ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090F3A, comment: Error in attribute conversion operation, data 0, v3839</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
DirXML: [03/29/18 20:03:31.36]:
DirXML Log Event -------------------
Driver = \HONORHEALTH\system\Driver Set\AD-SLHNAZ
Thread = Subscriber Channel
Object = \HONORHEALTH\data\users\EPETERS
Level = success

Thanks,
Casey
Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

This does not look very similar to your original issue. In this case, you
are trying to remove a zero-length string, and I doubt you have one of
those in the UPN attribute as Microsoft Active Directory (MAD) does not
have many attributes with a definition allowing zero-length strings.

Also, this has a rename event in addition to a simple modify operation
that changes UPN. That rename event looks like it may be the one failing,
so understanding why that is there may be relevant, especially since the
value does not seem to really be changing.

Seeing the trace from the start may help us better understand what the
logic is doing.

Respected Contributor.

Re: Setting UPN and getting LDAP Error on Remote Loader

Thanks for the replies. We have added this Logic to the sub-otp-XMLPayLoad Policy, this is to rename AD objects when they change:
<policy>
  <!-- any earlier rules in this policy were not included in the post -->
  <rule>
    <description>Check for User Full Name Modify Operations</description>
    <comment xml:space="preserve">Checking for the Full Name to be modified to rename the User object</comment>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-operation mode="nocase" op="equal">Modify</if-operation>
        <if-attr name="employeeType" op="available"/>
        <if-src-attr name="Full Name" op="available"/>
        <if-association op="associated"/>
      </and>
    </conditions>
    <actions>
      <do-rename-dest-object>
        <arg-dn>
          <token-attr name="DirXML-ADContext"/>
        </arg-dn>
        <arg-string>
          <token-replace-all regex="[,]" replace-with="\\,">
            <token-attr name="Full Name"/>
          </token-replace-all>
        </arg-string>
      </do-rename-dest-object>
    </actions>
  </rule>
</policy>

And yes, I don't understand why it queries UPN and gets a null value string. The ones that aren't working have CN@domainname.com. And that is confusing too, as it is not failing for everyone; some update UPN to what we have coded, some stay as CN@domainname.com.

Maybe this additional info can help?
Thanks,
Casey
Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

Based on the name I presume this is in the Output Transformation Policyset
(OTP); is that correct? This does not seem to be the kind of thing that
should go there, as opposed to, perhaps the Command Transformation
Policyset (CTP), but it may not matter a lot. Normally when out there you
should use application attribute names, and 'Full Name' is not an
application attribute. Also, normally only transformations required to
handle formatting, or syntax changes for the application are done out
there, usually with a corresponding inverse policy on the Input
Transformation Policyset (ITP), and this is not that kind of
transformation. Again, it may not matter.

Seeing a trace from start to finish would probably help. It is not clear
to us that querying UPN returned a zero-length string, but apparently the
trace showed that to you.

Respected Contributor.

Re: Setting UPN and getting LDAP Error on Remote Loader

Hey guys,
The dreaded LDAP syntax error seems to be back in force on our Remote Loader. This is causing major problems as we cannot count on data in eDirectory making it over to AD. The main issue with this is the account expiration time. It looks good in eDir but never makes it over to AD so the end user cannot log into their account. We have been taking a lot of heat for this from our customers. I have the error below from RL; if anyone has a magic bullet for this or any input, please help! Thanks! 🙂

DirXML: [11/12/18 07:03:51.41]: ADDriver: parse command

className user
destDN
eventId My Clinical Exchange#Publisher#0:76925246-a225-4c42-a4dd-2cbf08b1f8f7
association 44b3692dad3984429f89cb7bf5ffef69
DirXML: [11/12/18 07:03:51.41]: ADDriver: parse modify class = user
DirXML: [11/12/18 07:03:51.41]: ADDriver: association
DirXML: [11/12/18 07:03:51.41]: ADDriver: 44b3692dad3984429f89cb7bf5ffef69
DirXML: [11/12/18 07:03:51.41]: ADDriver: modify-attr
DirXML: [11/12/18 07:03:51.41]: ADDriver: remove-value
DirXML: [11/12/18 07:03:51.41]: ADDriver: value
DirXML: [11/12/18 07:03:51.41]: ADDriver: Terminated by IDMS on 10/05/18 - MCE Student - Organizational Developmnt (719570)
DirXML: [11/12/18 07:03:51.41]: ADDriver: modify-attr
DirXML: [11/12/18 07:03:51.41]: ADDriver: remove-all-values
DirXML: [11/12/18 07:03:51.41]: ADDriver: add-value
DirXML: [11/12/18 07:03:51.41]: ADDriver: value
DirXML: [11/12/18 07:03:51.41]: ADDriver: 131887872000000000
DirXML: [11/12/18 07:03:51.41]: ADDriver: modify-attr
DirXML: [11/12/18 07:03:51.41]: ADDriver: remove-all-values
DirXML: [11/12/18 07:03:51.41]: ADDriver: add-value
DirXML: [11/12/18 07:03:51.41]: ADDriver: value
DirXML: [11/12/18 07:03:51.41]: ADDriver:
DirXML: [11/12/18 07:03:51.41]: ADDriver: modify-attr
DirXML: [11/12/18 07:03:51.41]: ADDriver: remove-all-values
DirXML: [11/12/18 07:03:51.41]: ADDriver: add-value
DirXML: [11/12/18 07:03:51.41]: ADDriver: value
DirXML: [11/12/18 07:03:51.41]: ADDriver: false
DirXML: [11/12/18 07:03:51.41]: ADDriver: modify-attr
DirXML: [11/12/18 07:03:51.41]: ADDriver: remove-all-values
DirXML: [11/12/18 07:03:51.41]: ADDriver: add-value
DirXML: [11/12/18 07:03:51.41]: ADDriver: value
DirXML: [11/12/18 07:03:51.41]: ADDriver: BRMOORE@Acme.com
DirXML: [11/12/18 07:03:51.41]: ADDriver: ldap_modify user CN=Moore\, Britton (STUDENT),OU=Disabled Users,DC=Acme,DC=org
LDAPMod operations:
delete attribute description
>> Terminated by IDMS on 10/05/18 - MCE Student - Organizational Developmnt (719570)
replace attribute accountExpires
>> 131887872000000000
delete attribute department
add attribute department
>>
delete attribute userPrincipalName
add attribute userPrincipalName
>> BRMOORE@Acme.com
replace attribute userAccountControl
>> 512
DirXML: [11/12/18 07:03:51.41]: ADDriver: parse command

className user
destDN
eventId My Clinical Exchange#Publisher#0:76925246-a225-4c42-a4dd-2cbf08b1f8f7
association 44b3692dad3984429f89cb7bf5ffef69
DirXML: [11/12/18 07:03:51.41]: ADDriver: parse rename
DirXML: [11/12/18 07:03:51.41]: ADDriver: move CN=Moore\, Britton (STUDENT),OU=Disabled Users,DC=Acme,DC=org to OU=Students,OU=Standard,OU=People,DC=Acme,DC=org
DirXML: [11/12/18 07:03:51.43]: Loader: subscriptionShim->execute() returned:
DirXML: [11/12/18 07:03:51.43]: Loader: XML Document:
DirXML: [11/12/18 07:03:51.43]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\Acme\system\Driver Set\AD-Acme">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="error" type="driver-general" event-id="My Clinical Exchange#Publisher#0:76925246-a225-4c42-a4dd-2cbf08b1f8f7">
<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090F3A, comment: Error in attribute conversion operation, data 0, v3839</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
</status>
<status level="success" event-id="My Clinical Exchange#Publisher#0:76925246-a225-4c42-a4dd-2cbf08b1f8f7"/>
</output>
</nds>
DirXML: [11/12/18 07:03:51.43]:
DirXML Log Event -------------------
Driver = \Acme\system\Driver Set\AD-Acme
Thread = Subscriber Channel
Object = \Acme\data\users\BRMOORE
Level = error
Message = <ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090F3A, comment: Error in attribute conversion operation, data 0, v3839</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

You need to post the full trace from the engine side; for some reason
your system is trying to remove one value and then replace it with a
zero-length string, and that's likely something that Microsoft Active
directory (MAD) cannot handle, thus the error. You should be writing a
valid value, maybe even a zero, but writing a zero-length string is not a
valid value for something expecting a big integer, so whatever policy you
have doing that is wrong. The engine-side trace of the whole event will
show where that originates.

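A check for the two value patterns discussed in this thread, a remove/add pair that differs only by padding and a zero-length value, written as an added example that is not from any poster or from NetIQ. It lints a subscriber modify document and prints values with repr() so a trailing space is visible; the function name, issue labels and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    attr: str   # attr-name of the <modify-attr>
    op: str     # "remove-value" or "add-value"
    issue: str  # "empty", "padded" or "noop-after-trim"
    value: str  # raw value as it appears in the document


def lint_modify(xds: str) -> list[Finding]:
    """Flag <modify-attr> values that are zero-length, padded with
    whitespace, or removed and re-added with the same trimmed text."""
    findings: list[Finding] = []
    for mod in ET.fromstring(xds).iter("modify-attr"):
        attr = mod.get("attr-name", "")
        trimmed = {"remove-value": set(), "add-value": set()}
        for op in ("remove-value", "add-value"):
            for group in mod.findall(op):
                for val in group.findall("value"):
                    raw = val.text or ""          # <value/> has text None
                    if raw.strip() == "":
                        findings.append(Finding(attr, op, "empty", raw))
                    elif raw != raw.strip():
                        findings.append(Finding(attr, op, "padded", raw))
                    trimmed[op].add(raw.strip())
        # Same text on both sides once padding is ignored: the change is a
        # no-op apart from whitespace (exact-case comparison, an assumption).
        for same in sorted(trimmed["remove-value"] & trimmed["add-value"]):
            if same:
                findings.append(Finding(attr, "add-value", "noop-after-trim", same))
    return findings


# Constructed documents that mirror the shapes posted in the thread.
SAMPLE_TRAILING_SPACE = """<nds><input><modify class-name="user">
  <modify-attr attr-name="userPrincipalName">
    <remove-value><value type="string">a.user@example.test</value></remove-value>
    <add-value><value type="string">a.user@example.test </value></add-value>
  </modify-attr>
</modify></input></nds>"""

SAMPLE_ZERO_LENGTH = """<nds><input><modify class-name="user">
  <modify-attr attr-name="userPrincipalName">
    <remove-value><value type="string"/></remove-value>
    <add-value><value type="string">a.user@example.test</value></add-value>
  </modify-attr>
  <modify-attr attr-name="department">
    <remove-all-values/>
    <add-value><value type="string"/></add-value>
  </modify-attr>
</modify></input></nds>"""

SAMPLE_CLEAN = """<nds><input><modify class-name="user">
  <modify-attr attr-name="userPrincipalName">
    <remove-value><value type="string">old.name@example.test</value></remove-value>
    <add-value><value type="string">new.name@example.test</value></add-value>
  </modify-attr>
</modify></input></nds>"""


if __name__ == "__main__":
    samples = {
        "trailing space": SAMPLE_TRAILING_SPACE,
        "zero length": SAMPLE_ZERO_LENGTH,
        "clean": SAMPLE_CLEAN,
    }
    for label, doc in samples.items():
        print(f"[{label}]")
        for f in lint_modify(doc) or ["no findings"]:
            if isinstance(f, Finding):
                print(f"  {f.attr} {f.op}: {f.issue} {f.value!r}")
            else:
                print(f"  {f}")
```
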