
User Application creating invalid nrfEntitlementRef for new Resource

I am attempting to create a new resource via the User Application. The resource is a Group that exists in my eDirectory server. I can choose the Bi-Directional eDirectory driver, choose the EDirectory Groups entitlement and then the group in question.

However when the user application creates the resource it is adding the nrfEntitlementRef as follows:

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.8.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<instance class-name="nrfResource" qualified-src-dn="O=poc\CN=driverset1\CN=User Application Driver\CN=AppConfig\CN=RoleConfig\CN=ResourceDefs\CN=cn_TestGroup_ou_groups_o_poc" src-dn="\poc\poc\driverset1\User Application Driver\AppConfig\RoleConfig\ResourceDefs\cn_TestGroup_ou_groups_o_poc" src-entry-id="37654">
<attr attr-name="nrfActive">
<value timestamp="1616677688#13" type="state">false</value>
</attr>
<attr attr-name="nrfEntitlementRef">
<value timestamp="1616677688#10" type="structured">
<component name="nameSpace">1</component>
<component name="volume">\T=poc\O=poc\CN=driverset1\CN=Bi-directional eDirectory POC\CN=Group</component>
<component name="path">&lt;?xml version="1.0" encoding="UTF-8"?>&lt;ref>
&lt;src>UA&lt;/src>
&lt;id/>
&lt;param>{"ID":"DB27D40D7B0C3F45A5DEDB27D40D7B0C","ID2":"DB27D40D7B0C3F45A5DEDB27D40D7B0C"}&lt;/param>
&lt;/ref>
</component>
</value>
</attr>
<attr attr-name="nrfIsExpirationRequired">
<value timestamp="1616677688#17" type="state">false</value>
</attr>
<attr attr-name="nrfLocalizedDescrs">
<value timestamp="1616677688#14" type="string">en~Another test group</value>
</attr>
<attr attr-name="nrfLocalizedNames">
<value timestamp="1616677688#15" type="string">en~cn_TestGroup_ou_groups_o_poc</value>
</attr>
</instance>
<status level="success"></status>
</output>
</nds>

I am sure that the ID2 should not be the GUID of the group in question but the full DN.

This is confirmed by the fact that when I attempt to grant a user access to the resource the process fails with the following:

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.8.3.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20210326143458.969Z" class-name="User" event-id="netiqidm-win-NDS#20210326143458#1#5:b1f815fe-0173-412b-9a63-8553fb3fc4a3" qualified-src-dn="O=poc\OU=users\OU=STAFF\CN=s1700821test" src-dn="\poc\poc\users\STAFF\s1700821test" src-entry-id="37671" timestamp="1616769298#104">
<association state="associated">9D5384173720574D9BBA9D5384173720</association>
<modify-attr attr-name="DirXML-EntitlementRef">
<remove-value>
<value timestamp="1616769233#73" type="structured">
<component name="nameSpace">0</component>
<component name="volume">\poc\poc\driverset1\Bi-directional eDirectory POC\Group</component>
<component name="path.xml">
<ref>
<src>UA</src>
<id/>
<param>{"ID":"DB27D40D7B0C3F45A5DEDB27D40D7B0C","ID2":"DB27D40D7B0C3F45A5DEDB27D40D7B0C"}</param>
</ref>
</component>
</value>
</remove-value>
<add-value>
<value timestamp="1616769298#104" type="structured">
<component name="nameSpace">1</component>
<component name="volume">\poc\poc\driverset1\Bi-directional eDirectory POC\Group</component>
<component name="path.xml">
<ref>
<src>UA</src>
<id/>
<param>{"ID":"DB27D40D7B0C3F45A5DEDB27D40D7B0C","ID2":"DB27D40D7B0C3F45A5DEDB27D40D7B0C"}</param>
</ref>
</component>
</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
.
.
.
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20201203_0158" instance="Bi-directional eDirectory POC" version="4.0.8.1">Identity Manager Bi-directional Driver for eDirectory</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="netiqidm-win-NDS#20210326143458#1#5:b1f815fe-0173-412b-9a63-8553fb3fc4a3" level="error">No association key for modification operation.<operation-data>
<entitlement-impl id="" name="Group" qualified-src-dn="O=poc\OU=users\OU=STAFF\CN=s1700821test" src="UA" src-dn="\poc\poc\users\STAFF\s1700821test" src-entry-id="37671" state="1">{"ID":"DB27D40D7B0C3F45A5DEDB27D40D7B0C","ID2":"DB27D40D7B0C3F45A5DEDB27D40D7B0C"}</entitlement-impl>
</operation-data>
</status>
<status event-id="netiqidm-win-NDS#20210326143458#1#5:b1f815fe-0173-412b-9a63-8553fb3fc4a3" level="error">LDAPException: Invalid DN Syntax (34) Invalid DN Syntax
LDAPException: Matched DN: CN=s1700821test,ou=users,o=poc
<operation-data AccountTracking-AppAccountStatus="-" AccountTracking-IdvAccountStatus="-" AccountTracking-Operation="modify" AccountTracking-association="9D5384173720574D9BBA9D5384173720">
<entitlement-impl id="" name="Group" qualified-src-dn="O=poc\OU=users\OU=STAFF\CN=s1700821test" src="UA" src-dn="\poc\poc\users\STAFF\s1700821test" src-entry-id="37671" state="1">{"ID":"DB27D40D7B0C3F45A5DEDB27D40D7B0C","ID2":"DB27D40D7B0C3F45A5DEDB27D40D7B0C"}</entitlement-impl>
</operation-data>
</status>
</output>
</nds>

However a resource associated with an AD group is defined as follows:

<add-value>
<value timestamp="1616766389#8" type="structured">
<component name="nameSpace">0</component>
<component name="volume">\T=poc\O=poc\CN=driverset1\CN=Active Directory Driver\CN=Group</component>
<component name="path">&lt;?xml version="1.0" encoding="UTF-8"?>&lt;ref>
&lt;src>UA&lt;/src>
&lt;id/>
&lt;param>{"ID":"5b70731db99fba4d8012a6658536effe","ID2":"CN=Accounting Department,CN=Users,DC=poc,DC=ru,DC=ac,DC=za"}&lt;/param>
&lt;/ref>
</component>
</value>
</add-value>

And the assignment of the resource to a user works perfectly.

I am sure that there is just some GCV or something not set correctly, but it is holding up my POC progress.

1 Reply

I have worked out what is causing the problem. In the default policy "NOVLEDIR2ENT-startup-InitEntitlementConfigurationResource" that is supplied as part of NOVLEDIR2ENT version 2.2.6.20190319091722, the ID and ID2 contained in the group entitlement path.xml are both set to association. This is shown below by a portion of the Entitlement section of the above-mentioned policy:

<do-if>
<arg-conditions>
<and>
<if-global-variable mode="nocase" name="drv.entitlement.format.Group" op="equal">idm4</if-global-variable>
</and>
</arg-conditions>
<arg-actions>
<do-set-local-variable name="parameters" scope="policy">
<arg-node-set>
<token-xml-parse>
<token-text xml:space="preserve">&lt;parameters>
&lt;parameter mandatory="true" name="ID" source="association"/>
&lt;parameter mandatory="true" name="ID2" source="association"/>
&lt;/parameters></token-text>
</token-xml-parse>
</arg-node-set>
</do-set-local-variable>
<do-clone-xpath dest-expression="$xml/entitlement-configuration/entitlements/entitlement[last()]" src-expression="$parameters"/>
</arg-actions>
</do-if>


If one looks at the equivalent policy in the older Bi-Directional eDirectory Driver Entitlements Driver (legacy driver) version 2.2.1.20180927211607, those two values are set as follows:

<do-if>
<arg-conditions>
<and>
<if-global-variable mode="nocase" name="drv.entitlement.format.Group" op="equal">idm4</if-global-variable>
</and>
</arg-conditions>
<arg-actions>
<do-set-local-variable name="parameters" scope="policy">
<arg-node-set>
<token-xml-parse>
<token-text xml:space="preserve">&lt;parameters>
&lt;parameter mandatory="true" name="ID" source="association"/>
&lt;parameter mandatory="true" name="ID2" source="src-dn"/>
&lt;/parameters></token-text>
</token-xml-parse>
</arg-node-set>
</do-set-local-variable>
<do-clone-xpath dest-expression="$xml/entitlement-configuration/entitlements/entitlement[last()]" src-expression="$parameters"/>
</arg-actions>
</do-if>

If one changes the policy in the Bi-directional eDirectory Driver's policy, then the Group Entitlements are created correctly and can then be successfully created and assigned as a resource to an identity.

So my follow-on question is: how is it that it appears that I'm the only person to have had this issue (or do the very expensive consultants quietly fix this on the side)? How is it that the newer driver was released with this bug, and how is it that it has not been fixed? (Do the developers not test their code before releasing it?) (I would love the developers to perform a test install of IDM and get the Bi-directional eDirectory driver to work WITHOUT modifying a single policy. I don't believe that it will work.)
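An added check, not NetIQ's code and not part of this thread, that lints both places where the ID2 problem above shows up: the startup policy's `<parameter name="ID2" source="...">` (expected `src-dn`, as in the legacy policy) and the `<ref>` document stored in a generated nrfEntitlementRef path component (ID2 should be the group's DN, not the 32-hex association value). The policy and ref fragments are constructed, trimmed samples modelled on the traces quoted above.

```python
import json
import re
import xml.etree.ElementTree as ET

# Shape of the eDirectory association/GUID values seen in the traces above.
GUID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample modelled on the startup-policy fragment quoted in the reply (trimmed).
POLICY_TEMPLATE = (
    '<do-set-local-variable name="parameters" scope="policy"><arg-node-set>'
    '<token-xml-parse><token-text xml:space="preserve">&lt;parameters>'
    '&lt;parameter mandatory="true" name="ID" source="association"/>'
    '&lt;parameter mandatory="true" name="ID2" source="{id2_source}"/>'
    '&lt;/parameters></token-text></token-xml-parse></arg-node-set></do-set-local-variable>'
)
BUGGY_POLICY = POLICY_TEMPLATE.format(id2_source="association")  # NOVLEDIR2ENT 2.2.6 shape
FIXED_POLICY = POLICY_TEMPLATE.format(id2_source="src-dn")       # legacy driver shape

# Constructed nrfEntitlementRef "path" components, modelled on the resource trace above.
REF_TEMPLATE = ('<?xml version="1.0" encoding="UTF-8"?><ref><src>UA</src><id/>'
                '<param>{{"ID":"DB27D40D7B0C3F45A5DEDB27D40D7B0C","ID2":"{id2}"}}</param></ref>')
BAD_REF = REF_TEMPLATE.format(id2="DB27D40D7B0C3F45A5DEDB27D40D7B0C")  # ID2 == association
GOOD_REF = REF_TEMPLATE.format(id2="cn=TestGroup,ou=groups,o=poc")      # ID2 == group DN (constructed)


def lint_entitlement_policy(policy_xml: str) -> list:
    """Report ID2 parameters whose source is not src-dn in a DirXML policy fragment."""
    problems = []
    for tt in ET.fromstring(policy_xml).iter("token-text"):
        # The token-text holds an escaped <parameters> document; the outer parse
        # unescapes it, so it is parsed again as its own XML document.
        inner = ET.fromstring(tt.text)
        if inner.tag != "parameters":
            continue
        for p in inner.findall("parameter"):
            if p.get("name") == "ID2" and p.get("source") != "src-dn":
                problems.append(f"ID2 sourced from {p.get('source')!r}; expected 'src-dn'")
    return problems


def lint_entitlement_ref(path_component: str) -> list:
    """Report an nrfEntitlementRef whose ID2 is an association value rather than a DN."""
    problems = []
    ref = ET.fromstring(path_component)
    id2 = json.loads(ref.findtext("param", default="{}")).get("ID2", "")
    if GUID_RE.match(id2):
        problems.append("ID2 is an association GUID; expected the group's DN")
    elif "=" not in id2:
        problems.append(f"ID2 {id2!r} does not look like a DN")
    return problems
```

Run `lint_entitlement_policy` against the exported startup policy before deploying the driver, and `lint_entitlement_ref` against the path component of any nrfResource created through the User Application, to catch the mismatch before a user assignment fails with the "No association key" and "Invalid DN Syntax" errors shown above.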
