Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

Hi Casey,
I can see a number of suspicious actions on the AD side.
replace attribute accountExpires
>> 131887872000000000

attribute accountExpires replaced with value 131887872000000000 (looks like valid operation)

The current LDAP/Win32 FILETIME: 131887872000000000
Epoch/Unix time: 1544313600
GMT: Sunday, December 9, 2018 12:00:00 AM


delete attribute department
add attribute department
>>

Delete department attribute value and add "empty" value (!)

delete attribute userPrincipalName
add attribute userPrincipalName
>> BRMOORE@Acme.com

Delete userPrincipalName attribute value and add BRMOORE@Acme.com value (looks like valid operation)

replace attribute userAccountControl
>> 512

(looks like an unnecessary, but valid, operation)


I think that Aaron is right.
Your issue is in the Department attribute.
By schema definition, the Department value can be from 1 to 64 characters and can't be empty if the Department attribute exists.

CN: Department
Ldap-Display-Name: department
Size: -
Update Privilege: Domain administrator or account owner.
Update Frequency: Whenever the department needs to change.
Attribute-Id: 1.2.840.113556.1.2.141
System-Id-Guid: bf96794f-0de6-11d0-a285-00aa003049e2
Link-Id: -
MAPI-Id: 0x3A18
System-Only: False
Is-Single-Valued: True
Is Indexed: False
In Global Catalog: False
NT-Security-Descriptor: O:BAG:BAD:S:
Range-Lower: 1
Range-Upper: 64
Search-Flags: 0x00000010
System-Flags: 0x00000010
Classes used in: Organizational-Person
Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

al b wrote:

>
> I think that Aaron is right.
> Your issue is in the Department attribute.
> By schema definition, the Department value can be from 1 to 64 characters
> and can't be empty if the Department attribute exists.
>


Several of us have at various times worked on what has become a generic policy
that cleans up this kind of problem.
Last I heard was that Geoffrey hosts a package for this policy as it was his
boss who came up with the original approach.
It should be added at the tail end of the output transform - just before the
event gets sent to AD.


--
Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

On 11/13/2018 7:30 AM, Alex McHugh wrote:
> al b wrote:
>
>>
>> I think that Aaron is right.
>> Your issue is in the Department attribute.
>> By schema definition, the Department value can be from 1 to 64 characters
>> and can't be empty if the Department attribute exists.
>>

>
> Several of us have at various times worked on what has become a generic policy
> that cleans up this kind of problem.
> Last I heard was that Geoffrey hosts a package for this policy as it was his
> boss who came up with the original approach.
> It should be added at the tail end of the output transform - just before the
> event gets sent to AD.


The idea is to read the DirXML-ApplicationSchema and store it in a
variable, then compare each attribute's name to the list and see if it
is single- or multi-valued. If single, replace any modifies with a
<remove-all-values> then an <add-value> so you do not end up adding
a second value to a single-valued attribute.

So I think in this case, Alex is recommending a useful tool, but perhaps
not quite the correct one.

I suppose it could be modified to check if the value is empty and strip
it, that might be a useful feature as well. I do not think we get the
length constraints in DirXML-ApplicationSchema, alas, else that would be
even more generic and better.

Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

Geoffrey Carman wrote:

> The idea is to read the DirXML-ApplicationSchema and store it in a variable,
> then compare each attribute's name to the list and see if it is single- or
> multi-valued. If single, replace any modifies with a <remove-all-values>
> then an <add-value> so you do not end up adding a second value to a
> single-valued attribute.
>
> So I think in this case, Alex is recommending a useful tool, but perhaps not
> quite the correct one.
>
> I suppose it could be modified to check if the value is empty and strip it,
> that might be a useful feature as well. I do not think we get the length
> constraints in DirXML-ApplicationSchema, alas, else that would be even more
> generic and better.


In AD you can assume that empty but present is not permitted.
Pretty sure the combo of this MV to SV code and Lothar's strip empty nodes
gives what you need.

--
Alex McHugh - Knowledge Partner - Stavanger, Norway
Respected Contributor.

Re: Setting UPN and getting LDAP Error on Remote Loader

alexmchugh;2490642 wrote:
Geoffrey Carman wrote:

> The idea is to read the DirXML-ApplicationSchema and store it in a variable,
> then compare each attribute's name to the list and see if it is single- or
> multi-valued. If single, replace any modifies with a <remove-all-values>
> then an <add-value> so you do not end up adding a second value to a
> single-valued attribute.
>
> So I think in this case, Alex is recommending a useful tool, but perhaps not
> quite the correct one.
>
> I suppose it could be modified to check if the value is empty and strip it,
> that might be a useful feature as well. I do not think we get the length
> constraints in DirXML-ApplicationSchema, alas, else that would be even more
> generic and better.


In AD you can assume that empty but present is not permitted.
Pretty sure the combo of this MV to SV code and Lothar's strip empty nodes
gives what you need.



The multi-value rule is in place in the OTP, and I have also since added a policy to strip Null values (yesterday afternoon). I agree it looks like Department is the culprit; I guess I need to look in the Engine side trace to see why we want to remove Department and not add one back. Anyway, here are the rules I have in place in the OTP. Is this what everyone uses on their AD driver OTP?

<rule>
  <description>[CIS] Handle Multi-to-single valued conversions</description>
  <comment xml:space="preserve">Generic Rule which reads the application schema from AD and determines if it needs to take only the first value from a multi-valued eDirectory attribute
</comment>
  <conditions>
    <or>
      <if-operation mode="case" op="equal">modify</if-operation>
      <if-operation mode="case" op="equal">add</if-operation>
    </or>
  </conditions>
  <actions>
    <!-- Parse DirXML-ApplicationSchema once and cache it at driver scope -->
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable name="APP-SCHEMA" op="not-available"/>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-local-variable name="APP-SCHEMA" scope="driver">
          <arg-node-set>
            <token-xml-parse notrace="true">
              <token-base64-decode notrace="true">
                <token-src-attr name="DirXML-ApplicationSchema" notrace="true">
                  <arg-dn>
                    <token-global-variable name="dirxml.auto.driverdn"/>
                  </arg-dn>
                </token-src-attr>
              </token-base64-decode>
            </token-xml-parse>
          </arg-node-set>
        </do-set-local-variable>
      </arg-actions>
      <arg-actions/>
    </do-if>
    <!-- Visit every attr-name in the operation and look it up in the cached schema -->
    <do-for-each>
      <arg-node-set>
        <token-xpath expression=".//@attr-name"/>
      </arg-node-set>
      <arg-actions>
        <!-- CLASS is set here but not used by the attr-def lookup below -->
        <do-set-local-variable name="CLASS" scope="policy">
          <arg-string>
            <token-class-name/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="ATTR-DEF" notrace="true" scope="policy">
          <arg-node-set>
            <token-xpath expression="$APP-SCHEMA/schema-def/class-def/attr-def[@attr-name=$current-node]"/>
          </arg-node-set>
        </do-set-local-variable>
        <do-set-local-variable name="MULTI-VALUED" scope="policy">
          <arg-string>
            <token-xpath expression="$ATTR-DEF[1]/@multi-valued"/>
          </arg-string>
        </do-set-local-variable>
        <!-- Single-valued in AD: keep only the first value and re-add it as remove-all-values + add-value -->
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable mode="nocase" name="MULTI-VALUED" op="equal">false</if-local-variable>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-set-local-variable name="VALUE" scope="policy">
              <arg-string>
                <token-op-attr name="$current-node$"/>
              </arg-string>
            </do-set-local-variable>
            <do-strip-op-attr name="$current-node$"/>
            <do-set-dest-attr-value name="$current-node$">
              <arg-value>
                <token-local-variable name="VALUE"/>
              </arg-value>
            </do-set-dest-attr-value>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
<rule>
  <description>Strip Empty Nodes</description>
  <conditions/>
  <actions>
    <!-- Drop empty <value> elements first, then the containers they leave empty -->
    <do-strip-xpath expression='self::instance/attr/value[not(*)][not(text()) or text()=""]'/>
    <do-strip-xpath expression="self::instance/attr[not(*)]"/>
    <do-strip-xpath expression='self::add/add-attr/value[not(*)][not(text()) or text()=""]'/>
    <do-strip-xpath expression="self::add/add-attr[not(*)]"/>
    <do-strip-xpath expression='self::modify/modify-attr/remove-value/value[not(*)][not(text()) or text()=""]'/>
    <do-strip-xpath expression="self::modify/modify-attr/remove-value[not(*)]"/>
    <do-strip-xpath expression='self::modify/modify-attr/add-value/value[not(*)][not(text()) or text()=""]'/>
    <do-strip-xpath expression="self::modify/modify-attr/add-value[not(*)]"/>
    <do-strip-xpath expression="self::modify/modify-attr[not(*)]"/>
  </actions>
</rule>
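As an added example (not code from this thread or from the NetIQ AD driver), here is a Python model of the two OTP rules above, following Geoffrey's description of the multi-to-single conversion and the Strip Empty Nodes XPath, applied to a constructed XDS modify event; the schema fragment, attribute values and the `apply_otp` helper are all assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the decoded DirXML-ApplicationSchema.
APP_SCHEMA = """<schema-def><class-def class-name="user">
  <attr-def attr-name="userPrincipalName" multi-valued="false"/>
  <attr-def attr-name="initials" multi-valued="false"/>
  <attr-def attr-name="department" multi-valued="false"/>
  <attr-def attr-name="otherTelephone" multi-valued="true"/>
</class-def></schema-def>"""

# Constructed XDS event (made-up values) with the shapes seen in the thread: an empty
# remove-value before the UPN, an empty add-value (publisher RESET with no vault value),
# a remove with no replacement value, and a multi-valued attribute that must pass through.
MODIFY_DOC = """<modify class-name="user" event-id="constructed##0">
  <modify-attr attr-name="userPrincipalName">
    <remove-value><value type="string"/></remove-value>
    <add-value><value type="string">RTADINADA@Acme.com</value></add-value>
  </modify-attr>
  <modify-attr attr-name="initials">
    <add-value><value type="string"></value></add-value>
  </modify-attr>
  <modify-attr attr-name="department">
    <remove-value><value type="string">Old Dept</value></remove-value>
  </modify-attr>
  <modify-attr attr-name="otherTelephone">
    <add-value><value type="string">555-0100</value><value type="string">555-0101</value></add-value>
  </modify-attr>
</modify>"""

def load_schema(xml_text):
    """attr-name -> multi-valued flag, the attr-def/@multi-valued lookup the rule does."""
    return {a.get("attr-name"): a.get("multi-valued", "true").lower() == "true"
            for a in ET.fromstring(xml_text).iter("attr-def")}

def multi_to_single(modify, multi_valued):
    """Rule 1: for single-valued AD attributes take the first value (as token-op-attr
    does), strip the op attr and re-add it as <remove-all-values/> + <add-value>.
    A remove-only modify therefore yields an empty <add-value>: rule 2 must run after."""
    for attr in modify.findall("modify-attr"):
        if multi_valued.get(attr.get("attr-name"), True):
            continue  # multi-valued, or not in the schema: leave untouched
        first = attr.find("add-value/value")
        value = ET.Element("value", type="string")
        value.text = first.text if first is not None else ""
        for child in list(attr):
            attr.remove(child)
        ET.SubElement(attr, "remove-all-values")
        ET.SubElement(attr, "add-value").append(value)
    return modify

def _is_empty(value):
    # value[not(*)][not(text()) or text()=""]: a lone " " is NOT empty (Geoffrey's caveat)
    return len(value) == 0 and (value.text or "") == ""

def strip_empty_nodes(modify):
    """Rule 2: drop empty <value>s, then the remove-value/add-value and modify-attr
    elements left empty; <remove-all-values/> has no children by design and stays."""
    for attr in list(modify.findall("modify-attr")):
        for op in list(attr):
            for val in [v for v in op.findall("value") if _is_empty(v)]:
                op.remove(val)
            if op.tag in ("remove-value", "add-value") and len(op) == 0:
                attr.remove(op)
        if len(attr) == 0:
            modify.remove(attr)
    return modify

def to_ldapmod(modify):
    """Render the event the way the 'LDAPMod operations' trace lines do."""
    lines = []
    for attr in modify.findall("modify-attr"):
        name = attr.get("attr-name")
        for op in attr:
            lines.append(("add" if op.tag == "add-value" else "delete") + " attribute " + name)
            lines.extend(">> " + (v.text or "") for v in op.findall("value"))
    return lines

def apply_otp(xml_text, schema_text=APP_SCHEMA):
    """Run both rules in the order they sit in the OTP, then show the resulting LDAPMods."""
    modify = multi_to_single(ET.fromstring(xml_text), load_schema(schema_text))
    return to_ldapmod(strip_empty_nodes(modify))
```

Running `apply_otp(MODIFY_DOC)` shows the empty initials and department values becoming plain deletes rather than empty adds, while a whitespace-only value still reaches AD untouched.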
Respected Contributor.

Re: Setting UPN and getting LDAP Error on Remote Loader

Here is another one with the ldap error this morning, even after adding the strip null values rule to the OTP; the culprit appears to be Initials? I notice this user is missing Description and Department in AD, which should be populated. The eDir account was just created this morning:

DirXML: [11/13/18 07:35:30.88]: ADDriver: ldap_modify user CN=Tadinada\, Ramya (STUDENT),OU=Students,OU=Standard,OU=People,DC=slhnaz,DC=org
LDAPMod operations:
delete attribute description
replace attribute description
>> UME Medical Student - Academic Affairs/GME (718200)
delete attribute initials
add attribute initials
>>
delete attribute department
add attribute department
>> Academic Affairs/GME (718200)
delete attribute givenName
add attribute givenName
>> Ramya
delete attribute msExchHideFromAddressLists
delete attribute displayName
replace attribute displayName
>> Tadinada, Ramya (STUDENT)
delete attribute physicalDeliveryOfficeName
add attribute physicalDeliveryOfficeName
>> DV MEDICAL CENTER
delete attribute title
add attribute title
>> UME Medical Student
delete attribute employeeID
add attribute employeeID
>> 7014214
replace attribute accountExpires
>> 131908608000000000
delete attribute sn
replace attribute sn
>> Tadinada
delete attribute company
add attribute company
>> MWU
delete attribute userPrincipalName
add attribute userPrincipalName
>> RTADINADA@Acme.com
delete attribute manager
add attribute manager
>> CN=Scrabeck\, Jennifer,OU=Standard,OU=People,DC=Acme,DC=org
replace attribute userAccountControl
>> 512
DirXML: [11/13/18 07:35:30.88]: ADDriver: parse command

className
destDN CN=Tadinada\, Ramya (STUDENT),OU=Students,OU=Standard,OU=People,DC=Acme,DC=org
eventId AD-Acme##1670d7fa932##0
association
DirXML: [11/13/18 07:35:30.88]: ADDriver: parse rename
DirXML: [11/13/18 07:35:30.88]: ADDriver: remove-old-name
DirXML: [11/13/18 07:35:30.88]: ADDriver: new-name Tadinada\, Ramya (STUDENT)
DirXML: [11/13/18 07:35:30.88]: Loader: subscriptionShim->execute() returned:
DirXML: [11/13/18 07:35:30.88]: Loader: XML Document:
DirXML: [11/13/18 07:35:30.88]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\Acme\system\Driver Set\AD-Acme">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="error" type="driver-general" event-id="AD-Acme##1670d7fa932##0">
<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090F3A, comment: Error in attribute conversion operation, data 0, v3839</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
</status>
<status level="success" event-id="AD-Acme##1670d7fa932##0"/>
</output>
</nds>
DirXML: [11/13/18 07:35:30.88]:
DirXML Log Event -------------------
Driver = \Acme\system\Driver Set\AD-Acme
Thread = Subscriber Channel
Object = data\users\RTADINADA
Level = error
Message = <ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090F3A, comment: Error in attribute conversion operation, data 0, v3839</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
Respected Contributor.

Re: Setting UPN and getting LDAP Error on Remote Loader

Well my mistake, I didn't have the strip empty nodes rule deployed to Driver, uggh. Have deployed that rule and restarted AD driver. Hopefully this should keep null values from being sent out?
Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

On 11/13/2018 10:06 AM, cosborne wrote:
>
> Well my mistake, I didn't have the strip empty nodes rule deployed to
> Driver, uggh. Have deployed that rule and restarted AD driver. Hopefully
> this should keep null values from being sent out?


Careful. The definition of NULL is important: empty, non-valued. A value of
" " (space) might not qualify; depending on syntax it might be allowed,
might not. Otherwise, you should be ok.


Respected Contributor.

Re: Setting UPN and getting LDAP Error on Remote Loader

Hey guys, so after the Multi-Value to Single Value and Strip Empty Nodes rules in the OTP, AND from what I noticed, a lot of the ldap syntax errors were due to a blank value on the Initials attribute. I checked our AD filter and we had a RESET on Initials on the PUB side. From what I can tell the RESET will call the Subscriber/IDV side for the attr value; now not everyone has Initials, so this would return a blank value back into the operation (correct me if I'm wrong). So many of our issues had to do with the fact that we were trying to insert blank values into the Initials field in MAD, which it did not like and threw all the ldap syntax errors and caused data not to sync over. Since I changed the filter setting on that I have not seen any ldap syntax errors and all data is populated from edir to AD on new employees created last night.

The students' main issue looks like a RESET on the ou/Department attr on the AD filter, so we were putting in a blank value if the IDV did not have Ou yet, thus causing the ldap errors. I have added code to set dest attr value on ou when Students are created or modified. I ran this through our TEST environment and no ldap syntax errors on new Students either!

I just want to confirm with you guys that the RESET on the AD filter would cause a call to IDV and it could return a blank value on that attr if not populated. Either way it looks like we are making good progress. Thanks to everyone that has helped me with this!
Respected Contributor.

Re: Setting UPN and getting LDAP Error on Remote Loader

So, stupid question, but the filter settings still get me sometimes: is the below true, that if we reset on the publisher side and don't have a value in the vault it will put in a blank value as we are calling a reset on it? Is it better to call a Notify or Ignore? We want NetIQ to be the source of truth for AD, but want to avoid these issues with blank values and ldap errors:

Hey guys, so after the Multi-Value to Single Value and Strip Empty Nodes rules in the OTP, AND from what I noticed, a lot of the ldap syntax errors were due to a blank value on the Initials attribute. I checked our AD filter and we had a RESET on Initials on the PUB side. From what I can tell the RESET will call the Subscriber/IDV side for the attr value; now not everyone has Initials, so this would return a blank value back into the operation (correct me if I'm wrong). So many of our issues had to do with the fact that we were trying to insert blank values into the Initials field in MAD, which it did not like and threw all the ldap syntax errors and caused data not to sync over. Since I changed the filter setting on that I have not seen any ldap syntax errors and all data is populated from edir to AD on new employees created last night.

The students' main issue looks like a RESET on the ou/Department attr on the AD filter, so we were putting in a blank value if the IDV did not have Ou yet, thus causing the ldap errors. I have added code to set dest attr value on ou when Students are created or modified. I ran this through our TEST environment and no ldap syntax errors on new Students either!

I just want to confirm with you guys that the RESET on the AD filter would cause a call to IDV and it could return a blank value on that attr if not populated. Either way it looks like we are making good progress. Thanks to everyone that has helped me with this!
Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

cosborne;2490886 wrote:
So, stupid question, but the filter settings still get me sometimes: is the below true, that if we reset on the publisher side and don't have a value in the vault it will put in a blank value as we are calling a reset on it? Is it better to call a Notify or Ignore? We want NetIQ to be the source of truth for AD, but want to avoid these issues with blank values and ldap errors:

Hey guys, so after the Multi-Value to Single Value and Strip Empty Nodes rules in the OTP, AND from what I noticed, a lot of the ldap syntax errors were due to a blank value on the Initials attribute. I checked our AD filter and we had a RESET on Initials on the PUB side. From what I can tell the RESET will call the Subscriber/IDV side for the attr value; now not everyone has Initials, so this would return a blank value back into the operation (correct me if I'm wrong). So many of our issues had to do with the fact that we were trying to insert blank values into the Initials field in MAD, which it did not like and threw all the ldap syntax errors and caused data not to sync over. Since I changed the filter setting on that I have not seen any ldap syntax errors and all data is populated from edir to AD on new employees created last night.

The students' main issue looks like a RESET on the ou/Department attr on the AD filter, so we were putting in a blank value if the IDV did not have Ou yet, thus causing the ldap errors. I have added code to set dest attr value on ou when Students are created or modified. I ran this through our TEST environment and no ldap syntax errors on new Students either!

I just want to confirm with you guys that the RESET on the AD filter would cause a call to IDV and it could return a blank value on that attr if not populated. Either way it looks like we are making good progress. Thanks to everyone that has helped me with this!


Filter publisher/reset with *no* value in the vault should cause a <remove-value> or <remove-all-values/> to be sent back to MAD.

Filter publisher/reset with a *blank* value in the vault would probably cause a <remove-value> and an <add-value> to be sent back to MAD, with the <add-value> being empty.

Try it out and look at the trace, see what you get.
Knowledge Partner

Re: Setting UPN and getting LDAP Error on Remote Loader

cosborne;2478371 wrote:
So after seeming to work, there was another change done to the AD driver, and I am now seeing the LDAP errors again when trying to set UPN. It works in TEST but PROD gets these errors. Filter settings are the same between test and prod. PROD is now Windows Server 2016 for the DC while TEST is 2012 R2; not sure if there is an issue with the DC versions. We are on IDM 4.6.2.
Here are the LDAP errors I am getting for UPN:

DirXML: [03/29/18 20:03:31.30]: Loader: Received 'subscriber execute' document
DirXML: [03/29/18 20:03:31.30]: Loader: XML Document:
DirXML: [03/29/18 20:03:31.30]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20180330030258.922Z" class-name="user" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330" qualified-src-dn="O=data\OU=users\CN=EPETERS" src-dn="\HONORHEALTH\data\users\EPETERS" src-entry-id="817266" timestamp="1522378978#55">
<association state="associated">e578a0476d7dc4479f047dcf2086497d</association>
<modify-attr attr-name="userPrincipalName">
<remove-value>
<value timestamp="1522378956#56" type="string"/>
</remove-value>
<add-value>
<value timestamp="1522378978#55" type="string">Eniola.Peters@honorhealth.com</value>
</add-value>
</modify-attr>
</modify>
<rename dest-dn="CN=Peters\, Eniola,OU=Standard,OU=People,DC=slhnaz,DC=org" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330">
<new-name>Peters\, Eniola</new-name>
</rename>
</input>
</nds>
DirXML: [03/29/18 20:03:31.30]: Loader: Calling subscriptionShim->execute()
DirXML: [03/29/18 20:03:31.30]: Loader: XML Document:
DirXML: [03/29/18 20:03:31.30]: <nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20180330030258.922Z" class-name="user" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330" qualified-src-dn="O=data\OU=users\CN=EPETERS" src-dn="\HONORHEALTH\data\users\EPETERS" src-entry-id="817266" timestamp="1522378978#55">
<association state="associated">e578a0476d7dc4479f047dcf2086497d</association>
<modify-attr attr-name="userPrincipalName">
<remove-value>
<value timestamp="1522378956#56" type="string"/>
</remove-value>
<add-value>
<value timestamp="1522378978#55" type="string">Eniola.Peters@honorhealth.com</value>
</add-value>
</modify-attr>
</modify>
<rename dest-dn="CN=Peters\, Eniola,OU=Standard,OU=People,DC=slhnaz,DC=org" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330">
<new-name>Peters\, Eniola</new-name>
</rename>
</input>
</nds>
DirXML: [03/29/18 20:03:31.30]: ADDriver: parse command

className user
destDN
eventId AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330
association e578a0476d7dc4479f047dcf2086497d
DirXML: [03/29/18 20:03:31.30]: ADDriver: parse modify class = user
DirXML: [03/29/18 20:03:31.30]: ADDriver: association
DirXML: [03/29/18 20:03:31.30]: ADDriver: e578a0476d7dc4479f047dcf2086497d
DirXML: [03/29/18 20:03:31.30]: ADDriver: modify-attr
DirXML: [03/29/18 20:03:31.30]: ADDriver: remove-value
DirXML: [03/29/18 20:03:31.30]: ADDriver: value
DirXML: [03/29/18 20:03:31.30]: ADDriver:
DirXML: [03/29/18 20:03:31.30]: ADDriver: add-value
DirXML: [03/29/18 20:03:31.30]: ADDriver: value
DirXML: [03/29/18 20:03:31.30]: ADDriver: Eniola.Peters@honorhealth.com
DirXML: [03/29/18 20:03:31.31]: ADDriver: ldap_modify user CN=Peters\, Eniola,OU=Standard,OU=People,DC=slhnaz,DC=org
LDAPMod operations:
delete attribute userPrincipalName
>>
add attribute userPrincipalName
>> Eniola.Peters@honorhealth.com
DirXML: [03/29/18 20:03:31.33]: ADDriver: parse command

className
destDN CN=Peters\, Eniola,OU=Standard,OU=People,DC=slhnaz,DC=org
eventId AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330
association
DirXML: [03/29/18 20:03:31.33]: ADDriver: parse rename
DirXML: [03/29/18 20:03:31.33]: ADDriver: remove-old-name
DirXML: [03/29/18 20:03:31.33]: ADDriver: new-name Peters\, Eniola
DirXML: [03/29/18 20:03:31.34]: Loader: subscriptionShim->execute() returned:
DirXML: [03/29/18 20:03:31.34]: Loader: XML Document:
DirXML: [03/29/18 20:03:31.34]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\HONORHEALTH\system\Driver Set\AD-SLHNAZ">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status level="error" type="driver-general" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330">
<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090F3A, comment: Error in attribute conversion operation, data 0, v3839</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
</status>
<status level="success" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330"/>
</output>
</nds>
DirXML: [03/29/18 20:03:31.34]:
DirXML Log Event -------------------
Driver = \HONORHEALTH\system\Driver Set\AD-SLHNAZ
Thread = Subscriber Channel
Object = \HONORHEALTH\data\users\EPETERS
Level = error
Message = <ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090F3A, comment: Error in attribute conversion operation, data 0, v3839</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
DirXML: [03/29/18 20:03:31.36]:
DirXML Log Event -------------------
Driver = \HONORHEALTH\system\Driver Set\AD-SLHNAZ
Thread = Subscriber Channel
Object = \HONORHEALTH\data\users\EPETERS
Level = success

Thanks,
Casey


Hi Casey,
You don't have any issue with the UPN update.
Your issue is with the "strange" rename operation.

This is the "strange" rename: you are trying to change the object DN to exactly the same DN.
</modify>
<rename dest-dn="CN=Peters\, Eniola,OU=Standard,OU=People,DC=slhnaz,DC=org" event-id="AD-SLHNAZ##16274dbb489##0:8c47cbb1-6c0d-45fa-b37c-26fef1eba330">
<new-name>Peters\, Eniola</new-name>