
User Object Missing Object ID Connected Systems


I have a user object whose password is not synchronizing between eDir
and AD. Looking at the properties of the user in iManager tab >
Identity Manager > Connected Systems, the AD driver shows as processed;
however, there is no Object ID. I am guessing this is why her password
will not synchronize. When she changes her password the following error
is on the AD remote loader: 8019 operation vetoed on unassociated
object. Any ideas as to how I can re-associate so that the Object ID will
populate? Thank you.


--
kbannister
------------------------------------------------------------------------
kbannister's Profile: https://forums.netiq.com/member.php?userid=2831
View this thread: https://forums.netiq.com/showthread.php?t=51689


Re: User Object Missing Object ID Connected Systems

On 9/5/2014 9:07 AM, kbannister wrote:
>
> I have a user object whose password is not synchronizing between eDir
> and AD. Looking at the properties of the user in iManager tab >
> Identity Manager > Connected Systems, the AD driver shows as processed;
> however, there is no Object ID. I am guessing this is why her password
> will not synchronize. When she changes her password the following error
> is on the AD remote loader: 8019 operation vetoed on unassociated
> object. Any ideas as to how I can re-associate so that the Object ID will
> populate? Thank you.


If you use any tool that can see raw attributes, you will see that her
DirXML-Associations for this specific driver is probably state 4, with a
value of null.

Just delete the instance of DirXML-Associations for this driver, and try
to migrate again. Or simply change an attr in the filter. (Often I just
change description). If the issue is she does not properly
match/create, then a Migrate would get you back in the same state.



Re: User Object Missing Object ID Connected Systems

And as always, post a trace, since a standard configuration should match
(or attempt to) on a subscriber channel password change, so something is
amiss and a trace should show what (level three or higher, written
directly from the driver config object to a file on the server).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: User Object Missing Object ID Connected Systems


I deleted the AD connected system to this user. Then I did a migrate.
After the migration it showed as manual (in iManager). Still no Object
ID associated with the AD connected system. I changed the state from 3 to
1 in ConsoleOne under the Other tab. Still no Object ID. After I
migrated the user, the remote loader trace log shows an LDAP 68
"name already exists" and a 6005 "entry exists". This would be expected, I
suppose, because the user is in AD already. Any ideas? I can't ask the
user to change her password right now; however, I still don't think it
will work as the Object ID is still missing on the AD connected system.

geoffc;248402 Wrote:
> On 9/5/2014 9:07 AM, kbannister wrote:
> >
> > I have a user object whose password is not synchronizing between eDir
> > and AD. Looking at the properties of the user in iManager tab >
> > Identity Manager > Connected Systems the AD driver shows as processed
> > however there is no Object ID. I am guessing this is why her password
> > will not synchronize. When she changes her password the following error
> > is on the AD remote loader: 8019 operation vetoed on unassociated
> > object. Any ideas as to how I can re-associate so that the Object ID
> > will populate. Thank you.
>
> If you use any tool that can see raw attributes, you will see her
> DirXML-Associations for this specific driver, is probably state 4, and
> value of null.
>
> Just delete the instance of DirXML-Associations for this driver, and
> try to migrate again. Or simply change an attr in the filter. (Often I
> just change description). If the issue is she does not properly
> match/create, then a Migrate would get you back in the same state.



--
kbannister
------------------------------------------------------------------------
kbannister's Profile: https://forums.netiq.com/member.php?userid=2831
View this thread: https://forums.netiq.com/showthread.php?t=51689


Re: User Object Missing Object ID Connected Systems

Repeating previous post in case it was still lost, as it still applies:

And as always, post a trace, since a standard configuration should match
(or attempt to) on a subscriber channel password change, so something is
amiss and a trace should show what (level three or higher, written
directly from the driver config object to a file on the server).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: User Object Missing Object ID Connected Systems


kbannister;248529 Wrote:
> I deleted the AD connected system to this user. Then I did a migrate.
> After the migration it showed as manual (in iManager). Still no Object
> ID associated with the AD connected system. I changed the state from 3 to
> 1 in ConsoleOne under the Other tab. Still no Object ID. After I
> migrated the user, the remote loader trace log shows an LDAP 68
> "name already exists" and a 6005 "entry exists". This would be expected, I
> suppose, because the user is in AD already. Any ideas? I can't ask the
> user to change her password right now; however, I still don't think it
> will work as the Object ID is still missing on the AD connected system.


Hi

It sounds like you have a problem with the matching policy. So it will try
to create a new user object in AD. A level 3 trace will be nice.

/Michael


--
mJg2XW
------------------------------------------------------------------------
mJg2XW's Profile: https://forums.netiq.com/member.php?userid=442
View this thread: https://forums.netiq.com/showthread.php?t=51689


Re: User Object Missing Object ID Connected Systems

On Tue, 09 Sep 2014 19:00:34 +0000, kbannister wrote:

> I deleted the AD connected system to this user. Then I did a migrate.
> After the migration it showed as manual (in iManager). Still no Object
> ID associated with the AD connected system. I changed the state from 3 to
> 1 in ConsoleOne under the Other tab. Still no Object ID.


Don't do that. You're telling it that the object is associated, when it
is not.


> After I
> migrated the user, the remote loader trace log shows an LDAP 68
> "name already exists" and a 6005 "entry exists". This would be expected, I
> suppose, because the user is in AD already. Any ideas?


Your subscriber matching rules aren't working. You'll need to fix that. A
trace (level 3) would show us how they're not working.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
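As an added illustration of the two checks raised above (inspecting the raw DirXML-Associations value for the driver, and reading the error status in the trace), here is a small Python diagnostic helper; it is not from this thread or from NetIQ, it assumes the documented path syntax "driverDN#state#value" and the documented state codes, and its sample values are constructed.

```python
import xml.etree.ElementTree as ET

# State codes of the DirXML-Associations path-syntax attribute ("driverDN#state#value"),
# as documented for Identity Manager (assumption: the documented labels).
ASSOC_STATES = {0: "disabled", 1: "processed", 2: "pending", 3: "manual", 4: "migrate"}

# Constructed sample values for one user: the AD driver DN is the one named in the
# thread's trace, written in LDAP form; the GUID-like value is made up.
SAMPLE_ASSOCIATIONS = [
    "CN=Audit Active Directory,CN=DOAA Driver Set,O=DOAAWF#4#",         # migrate, empty value
    "CN=Other Driver,CN=DOAA Driver Set,O=DOAAWF#1#0123456789abcdef",    # processed, value set
]

# Constructed return document modelled on the LDAP 68 status shown later in the thread.
SAMPLE_TRACE = """<nds ndsversion="8.7" dtdversion="1.1">
<output>
<status level="error" type="driver-general" event-id="constructed-sample">
<ldap-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">
<client-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">Already Exists</client-err>
<server-err>00000524: UpdErr: DSID-031A122A, problem 6005 (ENTRY_EXISTS), data 0</server-err>
</ldap-err>
</status>
</output>
</nds>"""

def parse_association(raw):
    """Split one DirXML-Associations value into (driver_dn, state, value)."""
    driver_dn, state, value = raw.split("#", 2)
    return driver_dn, int(state), value

def diagnose_association(raw):
    """Verdict for one value: only state 1 with a non-empty value lets password events through."""
    _, state, value = parse_association(raw)
    if not value:
        return "unassociated"   # any state with an empty value: the engine vetoes events (8019)
    return "ok" if state == 1 else "not-processed"

def classify_trace_status(xml_text):
    """Classify the <status> element of a driver return document."""
    root = ET.fromstring(xml_text)
    status = root.find(".//status")
    if status is None or status.get("level") != "error":
        return "success"
    err = status.find("ldap-err")
    if err is not None and err.get("ldap-rc") == "68":
        return "already-exists"  # add sent for an object AD already holds: matching did not hit
    return "other-error"

if __name__ == "__main__":
    for raw in SAMPLE_ASSOCIATIONS:
        dn, state, _ = parse_association(raw)
        print(f"{dn}: {ASSOC_STATES.get(state, '?')} -> {diagnose_association(raw)}")
    print("trace:", classify_trace_status(SAMPLE_TRACE))
```

An "unassociated" verdict together with an "already-exists" trace is the combination described in this thread: the matching policy is not finding the existing AD object, so hand-editing the state does nothing useful and the association should be deleted and the object migrated again once matching works.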

Re: User Object Missing Object ID Connected Systems


Here is the level 5 trace from the AD Remote Loader attempting to change
my password. Is this what you are asking for? Y'all are confusing me 🙂

<source>
<product edition="Standard" version="4.0.1.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add cached-time="20140909194100.473Z" class-name="user"
dest-dn="CN=Kathy A
Bannister,ou=Users,ou=IT,ou=AUD,dc=audits,dc=ga,dc=gov"
event-id="doaawf-p#20140909194100#99#1:2f6c3674-5ba5-4319-ad86-74366c2fa55b"
qualified-src-dn="O=DOAAWF\OU=USERS\OU=AUD\OU=IT\OU=Users\CN=Banniste"
src-dn="\DOAA_WFTREE\DOAAWF\USERS\AUD\IT\Users\Banniste"
src-entry-id="32867" timestamp="0#0">
<add-attr attr-name="company">
<value timestamp="1392821544#66" type="string">7</value>
</add-attr>
<add-attr attr-name="departmentNumber">
<value timestamp="1392821544#69" type="string">7</value>
</add-attr>
<add-attr attr-name="displayName">
<value timestamp="1410290389#2" type="string">Kathy A
Bannister</value>
</add-attr>
<add-attr attr-name="givenName">
<value timestamp="1392821544#52" type="string">Kathy</value>
</add-attr>
<add-attr attr-name="initials">
<value timestamp="1410291276#2" type="string">A</value>
</add-attr>
<add-attr attr-name="mail">
<value timestamp="1392821544#65"
type="string">Banniste@audits.ga.gov</value>
</add-attr>
<add-attr attr-name="dirxml-uACAccountDisable">
<value timestamp="1392821544#28" type="state">false</value>
</add-attr>
<add-attr attr-name="sn">
<value timestamp="1392821544#47" type="string">Bannister</value>
</add-attr>
<add-attr attr-name="title">
<value timestamp="1392821544#49" type="string">Systems
Administrator</value>
</add-attr>
<add-attr attr-name="sAMAccountName">
<value type="string">Banniste</value>
</add-attr>
<add-attr attr-name="userPrincipalName">
<value type="string">Ban
DirXML: [09/09/14 15:41:00.57]: niste@audits.ga.gov</value>
</add-attr>
<add-attr attr-name="telephoneNumber">
<value type="string">(404) 657-4626</value>
</add-attr>
<password><!-- content suppressed --></password>
</add>
</input>
</nds>
DirXML: [09/09/14 15:41:00.59]: ADDriver: MadCommandAdd::onCommand
DirXML: [09/09/14 15:41:00.59]: ADDriver:
MadCommandAdd::insertXdsAttributes()
DirXML: [09/09/14 15:41:00.59]: ADDriver: company
DirXML: [09/09/14 15:41:00.59]: ADDriver: departmentNumber
DirXML: [09/09/14 15:41:00.59]: ADDriver: displayName
DirXML: [09/09/14 15:41:00.59]: ADDriver: givenName
DirXML: [09/09/14 15:41:00.61]: ADDriver: initials
DirXML: [09/09/14 15:41:00.61]: ADDriver: mail
DirXML: [09/09/14 15:41:00.61]: ADDriver: dirxml-uACAccountDisable
DirXML: [09/09/14 15:41:00.61]: ADDriver: sn
DirXML: [09/09/14 15:41:00.61]: ADDriver: title
DirXML: [09/09/14 15:41:00.62]: ADDriver: sAMAccountName
DirXML: [09/09/14 15:41:00.62]: ADDriver: userPrincipalName
DirXML: [09/09/14 15:41:00.62]: ADDriver: telephoneNumber
DirXML: [09/09/14 15:41:00.62]: ADDriver: Add user CN=Kathy A
Bannister,ou=Users,ou=IT,ou=AUD,dc=audits,dc=ga,dc=gov
LDAPMod operations:
add attribute objectClass
>> user

add attribute objectCategory
>> CN=Person,CN=Schema,CN=Configuration,DC=audits,DC=ga,DC=gov

add attribute company
>> 7

add attribute departmentNumber
>> 7

add attribute displayName
>> Kathy A Bannister

add attribute givenName
>> Kathy

add attribute initials
>> A

add attribute mail
>> Banniste@audits.ga.gov

add attribute sn
>> Bannister

add attribute title
>> Systems Administrator

add attribute sAMAccountName
>> Banniste

add attribute userPrincipalName
>> Banniste@audits.ga.gov

add attribute telephoneNumber
>> (404) 657-4626

DirXML: [09/09/14 15:41:00.64]: Loader: subscriptionShim->execute()
returned:
DirXML: [09/09/14 15:41:00.64]: Loader: XML Document:
DirXML: [09/09/14 15:41:00.64]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="4.0.0.2" asn1id="" build="20130813_120000"
instance="\DOAA_WFTREE\DOAAWF\DOAA Driver Set\Audit Active
Directory">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status level="error" type="driver-general"
event-id="doaawf-p#20140909194100#99#1:2f6c3674-5ba5-4319-ad86-74366c2fa55b">
<ldap-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">
<client-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">Already
Exists</client-err>
<server-err>00000524: UpdErr: DSID-031A122A, problem 6005
(ENTRY_EXISTS), data 0
</server-err>
<server-err-ex win32-rc="1316"/>
</ldap-err>
</status>
</output>
</nds>
DirXML: [09/09/14 15:41:00.64]:
DirXML Log Event -------------------
Driver = \DOAA_WFTREE\DOAAWF\DOAA Driver Set\Audit Active
Directory
Thread = Subscriber Channel
Object = \DOAA_WFTREE\DOAAWF\USERS\AUD\IT\Users\Banniste (CN=Kathy
A Bannister,ou=Users,ou=IT,ou=AUD,dc=audits,dc=ga,dc=gov)
Level = error
Message = <ldap-err ldap-rc="68"
ldap-rc-name="LDAP_ALREADY_EXISTS">
<client-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">Already
Exists</client-err>
<server-err>00000524: UpdErr: DSID-031A122A, problem 6005
(ENTRY_EXISTS), data 0
</server-err>
<server-err-ex win32-rc="1316"/>
</ldap-err>


--
kbannister
------------------------------------------------------------------------
kbannister's Profile: https://forums.netiq.com/member.php?userid=2831
View this thread: https://forums.netiq.com/showthread.php?t=51689


Re: User Object Missing Object ID Connected Systems


There are no spaces in the original trace log within my name, banniste.
Not sure why the paste put them there.


--
kbannister
------------------------------------------------------------------------
kbannister's Profile: https://forums.netiq.com/member.php?userid=2831
View this thread: https://forums.netiq.com/showthread.php?t=51689


Re: User Object Missing Object ID Connected Systems

No, we want the level three (at least) trace from the engine side, showing
the entire transaction from the time the engine picked up something until
the error was processed. The RL side is not as useful for this type of issue.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: User Object Missing Object ID Connected Systems


Here is the level 3 trace from the engine side. My password only
changed in AD and not eDir. This is only happening to me and one other
user. We have in common the missing Object ID on the AD connected
System. Hope this helps. Thank you!!


+----------------------------------------------------------------------+
|Filename: Level 3 Trace.txt |
|Download: https://forums.netiq.com/attachment.php?attachmentid=190 |
+----------------------------------------------------------------------+

--
kbannister
------------------------------------------------------------------------
kbannister's Profile: https://forums.netiq.com/member.php?userid=2831
View this thread: https://forums.netiq.com/showthread.php?t=51689


Re: User Object Missing Object ID Connected Systems

Ah.... and I think all along (per the comments about migrating and
associations) everybody was thinking this was a transaction starting from
the vault and going over TO the MAD environment, not the other way around.

Assuming your driver config is semi-default, you can add a description on
your object in MAD which should cause it to synchronize over into the
vault. Alternatively, you can go to the driver config object in iManager,
choose to 'Migrate Into Vault...', and then choose List: Object Class
(user): CN and then specify 'Kathy*' or 'kbannister' to pull her into the
vault and create that association. Alternatively, change the password in
the vault, or change most other common attributes in the vault, or
'Migrate From Vault' in iManager and choose this user object, and
everything should synchronize over to MAD, as long as requirements are met.

What your trace shows is a MAD-side password change, which will not cause
a full synchronization in your case, so you need to migrate or modify the
object elsewhere first. Once associated (processed association in the
vault) then password changes from the application are allowed.

If it was my setup I'd just set the password using iManager: Passwords:
Set Universal Password on this user and then be sure trace is running,
just in case something doesn't work.

Note: getting the trace from ndstrace or iMonitor is not valid because of
buffer limits there. In the future it is best if you configure the driver
object to write a trace directly to a file, and then send that file. This
is done in Designer: Properties of the driver: Trace/Tracing, or in
iManager: driver object: Edit Properties: Misc.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: User Object Missing Object ID Connected Systems


Delete the association and re-migrate to match the user to the AD.


--
maqsood
------------------------------------------------------------------------
maqsood's Profile: https://forums.netiq.com/member.php?userid=2617
View this thread: https://forums.netiq.com/showthread.php?t=51689
