Anonymous_User Absent Member.
Absent Member.
210 views

eDirToeDir driver gives Operation vetoed by filter Warning


We have edirtoedir driver. METAtoEdir1 driver has mapping
for managerID in META to ManagerDN in eDir1 attribute. Now we want
managerID in META to sync with ManagerID in edir1. We added new
attribute managerID in eDir1. Couple of rules were added to "Subscriber
Output transformation policy".

Rule1:
Add ManagerID Attribute to eDir1

Conditions
if association associated
And if source attribute 'ManagerID' available

Actions
set destination attribute value ("ManagerID", direct="true", Source
Attribute ("ManagerID") )

Rule2:
Remove ManagerID in eDir1

Conditions
if association associated
And if destination attribute 'managerID' not available

Actions
clear destination attribute value ("managerID", direct="true")


Rule1 works alright and update the changes to managerID in META to
ManagerDN and managerID in eDir1.

Rule2 does not work when managerID in META is removed. Rule gets fired
correctly but causes following Warning Message. Please suggest what
could cause this.

[01/03/14 08:03:15.229]:MetaToEdir1 ST: Processing returned document.
[01/03/14 08:03:15.229]:MetaToEdir1 ST: Processing operation <status>
for .
[01/03/14 08:03:15.229]:MetaToEdir1 ST:
DirXML Log Event -------------------
Driver: \META\com\company\services\DriverSet\MetaToedir1
Channel: Subscriber
Object: \META\com\company\user\X01234
Status: Warning
Message: Code(-8015) Operation vetoed by filter.
[01/03/14 08:03:15.240]:MetaToEdir1 ST: Direct command from policy
result
[01/03/14 08:03:15.240]:MetaToEdir1 ST:



======
More Details:
======

[01/03/14 08:03:15.169]:MetaToEdir1 ST: : Sending...
[01/03/14 08:03:15.169]:MetaToEdir1 ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User"
event-id="SERVER1_META#20140103130315#2#1:765648b1-9a50-4551-ab92"
qualified-src-dn="dc=com\dc=company\OU=user\
uniqueID=X01234" src-dn="\META\com\company\user\X01234"
src-entry-id="108041">
<association>{EAEDA307-13B6-ee4b-4F9}</association>
<modify-attr attr-name="ManagerId">
<remove-all-values/>
<add-value>
<value type="string"/>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[01/03/14 08:03:15.170]:MetaToEdir1 ST: : Document sent.
[01/03/14 08:03:15.170]:MetaToEdir1 ST: : Waiting for receive...
[01/03/14 08:03:15.227]:MetaToEdir1 ST: : Received.
[01/03/14 08:03:15.227]:MetaToEdir1 ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status
event-id="SERVER1_META#20140103130315#2#1:765648b1-9a50-4551-ab92"
level="warning">Code(-8015) Operation vetoed by filter.</status>
</output>
</nds>
[01/03/14 08:03:15.228]:MetaToEdir1 ST: SubscriptionShim.execute()
returned:


--
sureshwshinde
------------------------------------------------------------------------
sureshwshinde's Profile: https://forums.netiq.com/member.php?userid=4352
View this thread: https://forums.netiq.com/showthread.php?t=49609

Labels (1)
0 Likes
6 Replies
Anonymous_User Absent Member.
Absent Member.

Re: eDirToeDir driver gives Operation vetoed by filter Warning

On 01/03/2014 06:54 AM, sureshwshinde wrote:
>
> We have edirtoedir driver. METAtoEdir1 driver has mapping
> for managerID in META to ManagerDN in eDir1 attribute. Now we want
> managerID in META to sync with ManagerID in edir1. We added new
> attribute managerID in eDir1. Couple of rules were added to "Subscriber


Did you add the attribute to the receiving driver's filter as well? I
believe you are using the regular eDirectory drivers vs. the new singe
driver that can talk to another tree without an engine and if so you need
to be sure the other filter is open, and preferably post that side's trace
sine that is where the filter is causing things to be vetoed.

> ======
> More Details:
> ======
>
> [01/03/14 08:03:15.169]:MetaToEdir1 ST: : Sending...
> [01/03/14 08:03:15.169]:MetaToEdir1 ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Standard" version="4.0.2.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <modify class-name="User"
> event-id="SERVER1_META#20140103130315#2#1:765648b1-9a50-4551-ab92"
> qualified-src-dn="dc=com\dc=company\OU=user\
> uniqueID=X01234" src-dn="\META\com\company\user\X01234"
> src-entry-id="108041">
> <association>{EAEDA307-13B6-ee4b-4F9}</association>
> <modify-attr attr-name="ManagerId">
> <remove-all-values/>
> <add-value>
> <value type="string"/>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> [01/03/14 08:03:15.170]:MetaToEdir1 ST: : Document sent.


As in, sent to the receiving driver for processing.

> [01/03/14 08:03:15.170]:MetaToEdir1 ST: : Waiting for receive...
> [01/03/14 08:03:15.227]:MetaToEdir1 ST: : Received.


And a tenth of a second it received back the warning. We need to see the
other side's trace since it is the one that vetoed based on the filter,
probably for the reasons mentioned earlier.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: eDirToeDir driver gives Operation vetoed by filter Warning


Thanks for your response.

I am using EdirToEdir driver. It has 2 drivers MetaToEdir and
EdirToMeta. This is what I see in Publisher channel.

I do not see the new attribute managerDN on eDirtoMETA driver filter. It
is not there under schemamapping. Do I need to add it to eDirtoMETA
driver similar to MetaToeDir driver?

[01/03/14 08:03:15.225]:EdirToMeta PT:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="META#20140103130315#2#1:765648b1-9a50-4551-ab92"
level="warning">Code(-8015) Operation vetoed by filter.</status>
</output>
</nds>
[01/03/14 08:03:15.226]:EdirToMeta PT:: Sending...
[01/03/14 08:03:15.226]:EdirToMeta PT:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="META#20140103130315#2#1:765648b1-9a50-4551-ab92"
level="warning">Code(-8015) Operation vetoed by filter.</status>
</output>
</nds>
[01/03/14 08:03:15.227]:EdirToMeta PT:: Document sent.
[01/03/14 08:03:15.227]:EdirToMeta PT:: Reusing connection
[01/03/14 08:03:15.227]:EdirToMeta PT:: Waiting for receive...
[01/03/14 08:03:15.247]:EdirToMeta PT:: Received.
[01/03/14 08:03:15.247]:EdirToMeta PT:


--
sureshwshinde
------------------------------------------------------------------------
sureshwshinde's Profile: https://forums.netiq.com/member.php?userid=4352
View this thread: https://forums.netiq.com/showthread.php?t=49609

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: eDirToeDir driver gives Operation vetoed by filter Warning

This isn't enough trace to show the problem, but since you do not have the
attribute in the filter it is going to be stripped out at the filter,
which will cause the operation document to be empty, which leads to an
operation being effectively vetoed by the filter. Post the full trace
from this side and/or fix it and post an updated trace if things are not
resolved by that.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: eDirToeDir driver gives Operation vetoed by filter Warning

On Fri, 03 Jan 2014 13:54:01 +0000, sureshwshinde wrote:

> Conditions
> if association associated
> And if destination attribute 'managerID' not available
> Actions
> clear destination attribute value ("managerID", direct="true")


This makes no sense. Read it out loud. If destination attribute
"managerID" is NOT AVAILABLE, then clear destination attribute
"managerID"... So if it's not there, remove it?

You might be able to make this work with "if source attribute..."
instead. Post a level 3 trace otherwise, so we can see what you're doing.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: eDirToeDir driver gives Operation vetoed by filter Warning


Thanks for your update.

Modified Rule2: Remove ManagerID in eDir1

Conditions
if association associated
And if source attribute 'managerID' not available
Actions
clear destination attribute value ("managerID", direct="true")

It still do not work. Trace3 logs below

[01/06/14 02:31:33.230]:MetaToeDir1 ST: Evaluating selection criteria
for rule 'Remove ManagerID in eDir1'.
[01/06/14 02:31:33.231]:MetaToeDir1 ST: (if-association associated)
= TRUE.
[01/06/14 02:31:33.231]:MetaToeDir1 ST: (if-src-attr 'ManagerID'
not-available) = TRUE.
[01/06/14 02:31:33.231]:MetaToeDir1 ST: Rule selected.
[01/06/14 02:31:33.231]:MetaToeDir1 ST: Applying rule 'Remove
ManagerID in eDir1'.
[01/06/14 02:31:33.231]:MetaToeDir1 ST: Action:
do-clear-dest-attr-value("ManagerID",direct="true").
[01/06/14 02:31:33.232]:MetaToeDir1 ST: Direct command from policy
[01/06/14 02:31:33.232]:MetaToeDir1 ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User"
event-id="META#20140106073133#2#1:dede9259-6e3a-4880-ffa1"
qualified-src-dn="dc=com\dc=company\OU=user\
uniqueID=x01234" src-dn="\META\com\company\users\x01234"
src-entry-id="108041">
<association>{EAEDA307-13B6-ee4b-4F9E}</association>
<modify-attr attr-name="ManagerID">
<remove-all-values/>
</modify-attr>
</modify>
</input>
</nds>
[01/06/14 02:31:33.233]:MetaToeDir1 ST: Submitting document to
subscriber shim:
[01/06/14 02:31:33.233]:MetaToeDir1 ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User"
event-id="META#20140106073133#2#1:dede9259-6e3a-4880-ffa1"
qualified-src-dn="dc=com\dc=company\OU=user\
uniqueID=x01234" src-dn="\META\com\company\users\x01234"
src-entry-id="108041">
<association>{EAEDA307-13B6-ee4b-4F9E}</association>
<modify-attr attr-name="ManagerID">
<remove-all-values/>
</modify-attr>
</modify>
</input>
</nds>
[01/06/14 02:31:33.234]:MetaToeDir1 ST: : Reusing connection.
[01/06/14 02:31:33.235]:MetaToeDir1 ST: : Sending...
[01/06/14 02:31:33.235]:MetaToeDir1 ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User"
event-id="META#20140106073133#2#1:dede9259-6e3a-4880-ffa1"
qualified-src-dn="dc=com\dc=company\OU=user\
uniqueID=x01234" src-dn="\META\com\company\users\x01234"
src-entry-id="108041">
<association>{EAEDA307-13B6-ee4b-4F9E}</association>
<modify-attr attr-name="ManagerID">
<remove-all-values/>
</modify-attr>
</modify>
</input>
</nds>
[01/06/14 02:31:33.236]:MetaToeDir1 ST: : Document sent.
[01/06/14 02:31:33.236]:MetaToeDir1 ST: : Waiting for receive...
[01/06/14 02:31:33.254]:MetaToeDir1 ST: : Received.
[01/06/14 02:31:33.254]:MetaToeDir1 ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="META#20140106073133#2#1:dede9259-6e3a-4880-ffa1"
level="warning">Code(-8015) Operation vetoed by filter.</status>
</output>
</nds>
[01/06/14 02:31:33.255]:MetaToeDir1 ST: SubscriptionShim.execute()
returned:
[01/06/14 02:31:33.255]:MetaToeDir1 ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="META#20140106073133#2#1:dede9259-6e3a-4880-ffa1"
level="warning">Code(-8015) Operation vetoed by filter.</status>
</output>
</nds>
[01/06/14 02:31:33.256]:MetaToeDir1 ST: Processing returned document.
[01/06/14 02:31:33.256]:MetaToeDir1 ST: Processing operation <status>
for .

[01/06/14 02:31:33.256]:MetaToeDir1 ST:
DirXML Log Event -------------------
Driver: \META\com\company\services\Driver\MetaToeDir1
Channel: Subscriber
Object: \META\com\company\user\x01234
Status: Warning
Message: Code(-8015) Operation vetoed by filter.


--
sureshwshinde
------------------------------------------------------------------------
sureshwshinde's Profile: https://forums.netiq.com/member.php?userid=4352
View this thread: https://forums.netiq.com/showthread.php?t=49609

0 Likes
Knowledge Partner
Knowledge Partner

Re: eDirToeDir driver gives Operation vetoed by filter Warning

sureshwshinde wrote:

> We have edirtoedir driver. METAtoEdir1 driver has mapping
> for managerID in META to ManagerDN in eDir1 attribute. Now we want
> managerID in META to sync with ManagerID in edir1. We added new
> attribute managerID in eDir1.


So you want META:managerID to sync to both Edir1:managerID and Edir1:managerDN,
right?

> Couple of rules were added to "Subscriber
> Output transformation policy".


I assume this on the META side of the edir2edir driver pair. Would be easier to
simply clone the managerDN attribute on the Edir1 side driver in a publisher
command transform to managerID, I'd guess. No need to fiddle with filters, just
make sure the "optimize modify" option is disabled for managerDN on the Edir1
side driver, si you can use a sync/migrate to/from ID vault (depending on which
driver you trigger from) to force updating both target attrs.
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.