wferguson Trusted Contributor.

Single AD query is returning both a success and error at the same time

From the eDirectory side... I initiated a migrate to Active Directory on an account that didn't have an AD association. The migrate was turned into a Synthetic Add, then when going through the matching policies and querying AD... I know the account exists in AD and the matching attributes are there as well, but the return results of the query #1 are as follows, and it looks like it is reporting that it found the match but then it also tried to create... hence the reason for the status of success and then status of error 'ldap already exist'. Can someone please help me make sense of this?

<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.7.2.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <input>
    <query class-name="user" dest-dn="DC=xxx,DC=xxx,DC=xxx" event-id="0" scope="subtree">
      <search-class class-name="user"/>
      <search-attr attr-name="sAMAccountName">
        <value type="string">Chocolate</value>
      </search-attr>
      <search-attr attr-name="businessCategory">
        <value timestamp="1574868858#240" type="string">EID0028</value>
      </search-attr>
      <read-attr/>
    </query>
  </input>
</nds>
[12/03/19 15:35:02.308]:HIMCG ST: Remote Interface Driver: Document sent.
[12/03/19 15:35:02.308]:HIMCG ST: Remote Interface Driver: Received
[12/03/19 15:35:02.308]:HIMCG ST:
<nds dtdversion="1.1" ndsversion="8.7">
  <source>
    <product asn1id="" build="20180125_120000" instance="\IDV\AD_xxx" version="4.1.0.0">AD</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <output>
    <status event-id="ent-prodidm-idv01#20191203203428#1#2:6434-4d5b-9a47-ed84ec9b3464" level="success"/>
    <status event-id="ent-prodidm-idv01#20191203203428#1#2:6434-4d5b-9a47-ed84ec9b3464" level="error" type="driver-general">
      <ldap-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">
        <client-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">Already Exists</client-err>
        <server-err>00000562: UpdErr: DSID-031A11D7, problem 6005 (ENTRY_EXISTS), data 0
        </server-err>
        <server-err-ex win32-rc="1378"/>
      </ldap-err>
    </status>
  </output>
</nds>
[12/03/1

0 Likes
1 Solution

Accepted Solutions
Knowledge Partner

Re: Single AD query is returning both a success and error at the same time

I expect to see the filter generated by the driver SHIM, and expect to see an AND filter,
something like (&(cn=user1)(uid=user1)), that will return one result instead of 2 separate queries.
This info will be available only in the RL trace.

0 Likes
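
As an added illustration of the accepted answer (not code from the thread or from the AD driver): the sketch below combines the search-class and search-attr elements of the posted query into the single AND filter the answer expects, escaping values per RFC 4515. The mapping of search-class to an objectClass term is an assumption; the RemoteLoader trace is what shows the filter the shim actually sends.

```python
import xml.etree.ElementTree as ET

# Query document as posted in the thread (dest-dn already redacted by the poster).
QUERY_XML = """<nds dtdversion="4.0" ndsversion="8.x">
  <input>
    <query class-name="user" dest-dn="DC=xxx,DC=xxx,DC=xxx" event-id="0" scope="subtree">
      <search-class class-name="user"/>
      <search-attr attr-name="sAMAccountName">
        <value type="string">Chocolate</value>
      </search-attr>
      <search-attr attr-name="businessCategory">
        <value timestamp="1574868858#240" type="string">EID0028</value>
      </search-attr>
      <read-attr/>
    </query>
  </input>
</nds>"""

# RFC 4515: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one attribute value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def query_to_ldap(xml_text):
    """Return (base_dn, scope, filter) for the first <query> in an XDS document."""
    query = ET.fromstring(xml_text).find("./input/query")
    terms = []
    for cls in query.findall("search-class"):
        # Assumption: a search-class element becomes an objectClass term.
        terms.append("(objectClass=%s)" % escape_filter_value(cls.get("class-name")))
    for attr in query.findall("search-attr"):
        for value in attr.findall("value"):
            # Only the element text is matched; the timestamp attribute has no LDAP equivalent.
            terms.append("(%s=%s)" % (attr.get("attr-name"), escape_filter_value(value.text or "")))
    if not terms:
        flt = "(objectClass=*)"          # no constraints: match any entry
    elif len(terms) == 1:
        flt = terms[0]                   # a single term needs no AND wrapper
    else:
        flt = "(&%s)" % "".join(terms)   # all terms must match in ONE search
    return query.get("dest-dn"), query.get("scope"), flt


if __name__ == "__main__":
    print(query_to_ldap(QUERY_XML))
```
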
10 Replies
Knowledge Partner

Re: Single AD query is returning both a success and error at the same time

What trace level do you have on the RemoteLoader side?

1. I can recommend setting the RemoteLoader trace to level 5 or at least 3.

2. Publish the RemoteLoader trace for this query operation.

It is supposed to include details about the query to AD and the exact response from AD.

0 Likes
Michiel Los Valued Contributor.

Re: Single AD query is returning both a success and error at the same time

In your search there is one strange thing: a timestamp on the value. Normally this is never on a search attribute. Might be a problem there.

0 Likes
wferguson Trusted Contributor.

Re: Single AD query is returning both a success and error at the same time

Could you please explain the significance of a timestamp being on a query object?

0 Likes
wferguson Trusted Contributor.

Re: Single AD query is returning both a success and error at the same time

Attached is the driver trace up until the errors, and my apologies as I do not have the remote loader trace and I am unable to reproduce the error on this particular account since I have moved the account manually and now it syncs fine.

3 questions I have:

1) Why did the first match rule return a success and error both?

<status event-id="ent-prodidm-idv01#20191203203428#1#2:6434-4d5b-9a47-ed84ec9b3464" level="success"/>
<status event-id="ent-prodidm-idv01#20191203203428#1#2:6434-4d5b-9a47-ed84ec9b3464" level="error" type="driver-general">

2) Why does it appear that all of the query 'results' from AD are always one rule behind? Meaning it seems when a query is done on Full Name for example, the driver returns fail... but the next query that is done in a following rule for a different attribute... will return the value of the Full Name attribute even though the current query did not even query for it but instead the previous query was looking for Full Name. I am seeing that on most every query to AD.

3) Code(-9999) Element <parent> does not have a valid association? I am thinking this is because the account was moving and the association still had the old location in it.

0 Likes
Knowledge Partner

Re: Single AD query is returning both a success and error at the same time

It is better to look directly into the RemoteLoader trace (what kind of query is going to AD and what AD returned).

From the Engine's perspective, the driver initiates a query with a search based on 2 attributes.

<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.7.2.0">xmldir</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <input>
    <query class-name="User" dest-dn="DC=medical,DC=educational" scope="subtree">
      <search-class class-name="User"/>
      <search-attr attr-name="CN">
        <value type="string">BUBBAGUMP</value>
      </search-attr>
      <search-attr attr-name="uniqueID">
        <value timestamp="1574868858#240" type="string">7584393EID</value>
      </search-attr>
      <read-attr/>
    </query>
  </input>
</nds>

Please provide the RemoteLoader trace.

0 Likes
wferguson Trusted Contributor.

Re: Single AD query is returning both a success and error at the same time

Yes, the matching rule is looking for two attributes, and so I am guessing the return status is one for each attribute? I was not aware that it returns a status for each attribute but rather it would be a success for finding a matching account based on the 2 attributes being found or either a status of failure if one or neither attribute was found.

If that is the case... why on the second rule, when the match was found, does it just have a simple success and not a success for each of the two attributes it searched for?

Any thoughts on the other 2 questions?

0 Likes
Knowledge Partner

Re: Single AD query is returning both a success and error at the same time

This is a reason why we have to look into the RemoteLoader log.
How was this IDM query "transformed" into an AD (LDAP) query, and what kind of result did AD return?
> other 2 questions
Let's solve problems sequentially. First things first...
Maybe the answer to the first question will provide the answer to the second question too.
0 Likes
wferguson Trusted Contributor.

Re: Single AD query is returning both a success and error at the same time

My apologies, as I do not have the remote loader trace and I am unable to reproduce the error on this particular account since I have moved the account manually and now it syncs fine.

0 Likes
Knowledge Partner

Re: Single AD query is returning both a success and error at the same time

The move is always a "questionable" operation for almost any LDAP implementation.

The server can have an "incomplete" double copy of the object before "internal" cut off.

In theory "move" on AD end can generate a "double" response.

I can recommend enabling RemoteLoader trace (at least for level 3).

It will help you in your future troubleshooting and show things specific to the application (in this case AD) that are not available in the Engine-side trace.

0 Likes