
ldap error when provisioning to Active Directory


Hi Guys

I am experiencing the following error when provisioning users in Active
Directory from the IDM Vault. The end result is that the account is never
created in MAD.

I am using IDM 4.0.1
SUSE 11 Enterprise
Active Directory Driver version 3.5.11

I have attached the trace log below. Any help will be greatly
appreciated.

<status
event-id="cen-idm01#20120202115044#1#1:7a469332-8877-4d94-50a6-3293467a7788"
level="success"><application>DirXML</application>
<module>Cathed Active Directory Driver</module>
<object-dn>\CENIDM\data\users\Wanalirri Catholic
School\Numendumah.Sonya</object-dn>
<component>Subscriber</component>
</status>
</output>
</nds>
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Applying to status #5.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Evaluating selection
criteria for rule 'AccountTracking - Initialize Realm Mapping'.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-global-variable
'drv.acctTrk.enable' equal "true") = TRUE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-global-variable
'drv.acctTrk.mode' equal "fanout") = FALSE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Rule rejected.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Evaluating selection
criteria for rule 'AccountTracking - disregard if disabled'.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-global-variable
'drv.acctTrk.enable' not-equal "true") = FALSE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Rule rejected.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Evaluating selection
criteria for rule 'AccountTracking - query DirXML-Accounts Attribute'.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-op-property
'AccountTracking-ObjectDN' available) = FALSE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Rule rejected.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Evaluating selection
criteria for rule 'AccountTracking - remove Dirxml-Account values on
regular delete operation'.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-operation match
"delete|remove-association") = FALSE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-operation equal
"status") = TRUE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-op-property
'AccountTracking-ObjectDN' available) = FALSE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Rule rejected.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Evaluating selection
criteria for rule 'AccountTracking - update DirXMLAccounts attribute on
regular operations'.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-op-property
'AccountTracking-Operation' not-available) = TRUE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-op-property
'AccountTracking-ObjectDN' available) = FALSE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-operation equal
"status") = TRUE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-xpath true
"./@level='success' or ./@level='warning'") = FALSE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Rule rejected.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Evaluating selection
criteria for rule 'AccountTracking - update DirXMLAccounts attribute on
mapped operations'.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-xpath true
"operation-data/account-tracking-operation") = FALSE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: (if-xpath true
"operation-data/account-tracking-operation") = FALSE.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST: Rule rejected.
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST:Policy returned:
19:50:51 FFFFFFFFE14A7950 Drvrs: SK *** ST:
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20100723_120000"
instance="\CENIDM\system\Cathed\Cathed Active Directory Driver"
version="3.5.11">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status
event-id="cen-idm01#20120202115044#1#1:7a469332-8877-4d94-50a6-3293467a7788"
level="error" type="driver-general">
<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid
Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090B38, comment: Error in
attribute conversion operation, data 0, vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
19:50:51 FFFFFFFFE14A7950 Drvrs: <operation-data
AccountTracking-AccountStatusChanged="true"
AccountTracking-AppAccountStatus="-"
AccountTracking-IdvAccountStatus="A"
AccountTracking-LDAPDN="CN=Numendumah\,
Sonya,DC=cathednet,DC=wa,DC=edu,DC=au"
AccountTracking-ObjectDN="\CENIDM\data\users\Wanalirri Catholic
School\Numendumah.Sonya" AccountTracking-Operation="add"
AccountTracking-sAMAccountName="Numendumah.Sonya"
AccountTracking-userPrincipalName="Numendumah.Sonya@cathednet.wa.edu.au"
LEGACY-OBJECT="FALSE" NASurname="Numendumah" NEWUSER="TRUE"
Normalized-GivenName="Sonya" Normalized-MiddleName=""
Normalized-PreferredName="Sonya" Normalized-Surname="Numendumah"
UNIQUE-GN="Sonya" USER-ID="NUMESX"
accountAction="accountCreateByEntitlementGrant" association=""
check-exch-mailbox-entitlements="true" check-group-entitlements="true"
guid="en6qc2hdO0tvmXp+qnNoXQ==" objectClass="User" schoolName=""
sized-samaccountname-normalized="Numendumah.Sonya"
sourceDN="\CENIDM\data\users\Wanalirri Catholic
School\Numendumah.Sonya">
<entitlement-impl id="system\Cathed\Entitlement Policies\All Staff"
name="UserAccount" qualified-src-dn="O=data\OU=users\OU=Wanalirri
Catholic School\CN=Numendumah.Sonya" src="RBE"
src-dn="\CENIDM\data\users\Wanalirri Catholic School\Numendumah.Sonya"
src-entry-id="54258" state="1">cathednet.wa.edu.au</entitlement-impl>
<password-subscribe-status>
<association/>
</password-subscribe-status>
</operation-data>
</status>
<status
event-id="cen-idm01#20120202115044#1#1:7a469332-8877-4d94-50a6-3293467a7788"
level="warning" type="driver-general">
<ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
19:50:51 FFFFFFFFE14A7950 Drvrs: <client-err ldap-rc="32"
ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such Object</client-err>
<server-err>0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT),
data 0, best match of:
'DC=cathednet,DC=wa,DC=edu,DC=au'

Thanks

TM


--
TakaM
------------------------------------------------------------------------
TakaM's Profile: http://forums.novell.com/member.php?userid=103757
View this thread: http://forums.novell.com/showthread.php?t=451749

Anonymous_User

Re: ldap error when provisioning to Active Directory


It'd help if you posted the full trace, or the RL trace of the operation
going in and the status coming back.

Good luck.

Re: ldap error when provisioning to Active Directory


Hi Guys

My trace file is quite big; how can I attach the file to the forum?

regards

TM


--
TakaM

Re: ldap error when provisioning to Active Directory

On Fri, 03 Feb 2012 08:16:02 +0000, TakaM wrote:

> My trace file is quite big; how can I attach the file to the forum?


Post it to pastebin.com and put the URL here.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.


Re: ldap error when provisioning to Active Directory

On 03.02.2012 06:16, TakaM wrote:
>
> Hi Guys
>
> I am experiencing the following error when provisioning users in Active
> Directory from the IDM Vault. The end result is that the account is never
> created in MAD.

....
> AccountTracking-LDAPDN="CN=Numendumah\,
> Sonya,DC=cathednet,DC=wa,DC=edu,DC=au"
> AccountTracking-ObjectDN="\CENIDM\data\users\Wanalirri Catholic
> School\Numendumah.Sonya" AccountTracking-Operation="add"


....

> event-id="cen-idm01#20120202115044#1#1:7a469332-8877-4d94-50a6-3293467a7788"
> level="warning" type="driver-general">
> <ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
> 19:50:51 FFFFFFFFE14A7950 Drvrs:<client-err ldap-rc="32"
> ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such Object</client-err>
> <server-err>0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT),
> data 0, best match of:
> 'DC=cathednet,DC=wa,DC=edu,DC=au'


Aaron is right, you really need to post more of the trace to help
troubleshooting. Whenever AD returns an error, you need to look at the
event as it was received from the driver shim in a level 3 trace on the
remote loader side.

Then, once you see what specific part of the event triggered the error,
go back through a level 3 trace on the engine side and try to identify
where the error originated.

I can hazard an educated guess from some of the information in the
snippet you posted though.

This error normally occurs when you have attempted to place a user
within an Active Directory OU that doesn't exist (moved, deleted, never
created).

The weird thing with your error is that the AccountTracking-LDAPDN shows
you are placing your user flat at the root level of your specific AD
domain (parent container is a DC).

It could be a permissions thing (is the account that IDM uses to sync to
AD a member of domain administrators?) or you are changing the placement
in the ITP (not a good idea).

Note AD doesn't stop you creating user object at the root level of the
domain, so simply placing the user at "CN=Numendumah\,
Sonya,DC=cathednet,DC=wa,DC=edu,DC=au" shouldn't generate this error.

Also keep in mind IDM best practice is to have a flat placement in IDV
(which you don't).


Regarding large trace files, use a pastesite (for example
http://pastebin.com )
Alex McHugh - Knowledge Partner - Stavanger, Norway

Re: ldap error when provisioning to Active Directory


Hi Guys

Please find the full trace here : 'Trace ldap error - Pastebin.com'
(http://pastebin.com/ng1NfYja)

Of special interest is how I can fix the two errors below.


<status
event-id="cen-idm01#20120205164953#1#1:39ff08ba-c4bf-411c-f384-ba08ff39bfc4"
level="error" type="driver-general">
<ldap-err ldap-rc="53"
ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
<client-err ldap-rc="53"
ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">Unwilling To
Perform</client-err>
<server-err>00000057: LdapErr: DSID-0C090A47, comment:
Error in attribute conversion operation, data 0, vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>



<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21"
ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090B38, comment:
Error in attribute conversion operation, data 0, vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>

regards

TM


--
TakaM

Re: ldap error when provisioning to Active Directory

On 07.02.2012 05:16, TakaM wrote:
> Hi Guys
>
> Please find the full trace here : 'Trace ldap error - Pastebin.com'
> (http://pastebin.com/ng1NfYja)
>
> Of special interest is how I can fix the two errors below.


This is not a complete level 3 trace (from Engine or Remote Loader);
you've only listed the actual errors returned from each operation.
Without the input event that caused each error we cannot tell you why
each error occurred and how to fix this.

The AD Driver shim considers operations against AD to be atomic; if
anything fails then it considers the whole event as failed.

What I suggest you do (especially in your development environment) is
place a rule that stops processing and starts retrying when an error occurs.

Then you can (if necessary) increase the trace level (on remote loader
and engine), let the 'retry' replay the event and see what happens (and
hopefully spot the problem and fix your code so that the event is
successful).

The default retry interval is 30 seconds.

The following is an example of what I use in my AD development projects.
Note this policy should be the LAST policy in your input transform.

<rule>
<description>Change error status to retry</description>
<conditions>
<or>
<if-xpath op="true">self::status[@level = 'error']</if-xpath>
</or>
<or>
<if-xpath
op="true">ldap-err[@ldap-rc-name='LDAP_INVALID_SYNTAX']</if-xpath>
<if-xpath
op="true">ldap-err[@ldap-rc-name='LDAP_INVALID_DN_SYNTAX']</if-xpath>
<if-xpath
op="true">ldap-err[@ldap-rc-name='LDAP_NO_SUCH_ATTRIBUTE']</if-xpath>
<if-xpath
op="true">ldap-err[@ldap-rc-name='LDAP_UNWILLING_TO_PERFORM']</if-xpath>
<if-xpath
op="true">ldap-err[@ldap-rc-name='LDAP_ATTRIBUTE_OR_VALUE_EXISTS']</if-xpath>
<if-xpath
op="true">ldap-err[@ldap-rc-name='LDAP_NO_SUCH_OBJECT']</if-xpath>
<if-xpath op="true">ldap-err[@ldap-rc-name='LDAP_REFERRAL']</if-xpath>
<if-xpath
op="true">ldap-err[@ldap-rc-name='ERROR_PASSWORD_RESTRICTION']</if-xpath>
</or>
</conditions>
<actions>
<do-trace-message color="red">
<arg-string>
<token-text xml:space="preserve">Converting status=Error to Retry,
</token-text>
<token-text xml:space="preserve">Complete Error Text:</token-text>
<token-xml-serialize>
<token-xpath expression="self::status"/>
</token-xml-serialize>
</arg-string>
</do-trace-message>
<do-set-xml-attr expression="." name="level">
<arg-string>
<token-text xml:space="preserve">retry</token-text>
</arg-string>
</do-set-xml-attr>
</actions>
</rule>

<rule>
<description>Change warning status to retry</description>
<comment xml:space="preserve">Only active in test, will pick up missing
OUs and retry until someone creates them in AD</comment>
<conditions>
<
<if-xpath op="true">self::status[@level = 'warning']</if-xpath>
<if-xpath
op="true">ldap-err[@ldap-rc-name='LDAP_NO_SUCH_OBJECT']</if-xpath>
</and>
</conditions>
<actions>
<do-trace-message color="red">
<arg-string>
<token-text xml:space="preserve">Converting status=Warning to Retry,
</token-text>
<token-text xml:space="preserve">Missing OU(s), Requested placement:
</token-text>
<token-op-property name="AccountTracking-LDAPDN"/>
<token-text xml:space="preserve">, last valid container in DN:
</token-text>
<token-replace-first regex="^\s*'(.+)'\s*" replace-with="$1">
<token-xpath
expression="substring-after(ldap-err/server-err/text(),'best match of:')"/>
</token-replace-first>
</arg-string>
</do-trace-message>
<do-set-xml-attr expression="." name="level">
<arg-string>
<token-text xml:space="preserve">retry</token-text>
</arg-string>
</do-set-xml-attr>
</actions>
</rule>


I also suggest you read Geoffrey's informative articles on AD error
messages and how to fix them.

http://www.novell.com/communities/node/7702/active-directory-driver-error-messages-part-1

http://www.novell.com/communities/node/8228/active-directory-driver-error-messages-part-2

http://www.novell.com/communities/node/8304/active-directory-driver-error-messages-part-3

http://www.novell.com/communities/node/8551/active-directory-driver-error-messages-part-4

http://www.novell.com/communities/node/9272/active-directory-driver-error-messages-part-5

> <status
> event-id="cen-idm01#20120205164953#1#1:39ff08ba-c4bf-411c-f384-ba08ff39bfc4"
> level="error" type="driver-general">
> <ldap-err ldap-rc="53"
> ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
> <client-err ldap-rc="53"
> ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">Unwilling To
> Perform</client-err>
> <server-err>00000057: LdapErr: DSID-0C090A47, comment:
> Error in attribute conversion operation, data 0, vece</server-err>
> <server-err-ex win32-rc="87"/>
> </ldap-err>


This could be several things, but based on the limited trace file you
posted to pastebin, I think this is related to your dest DN for the
user. Is it a proper LDAP syntax DN? Have you properly escaped special
characters? (A common gotcha is Full Name placement with people who have
names like O'Reilly; the apostrophe must be quoted.) Use the Escape Dest
DN token when building your dest DN.

> <ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
> <client-err ldap-rc="21"
> ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
> <server-err>00000057: LdapErr: DSID-0C090B38, comment:
> Error in attribute conversion operation, data 0, vece</server-err>
> <server-err-ex win32-rc="87"/>
> </ldap-err>


This generally means that you are trying to put a value into an AD attr
that it won't/can't accept. For example, an attribute that only accepts
an integer when you are trying to set text on it. Or the event is
structured in IDV but not structured in AD.

Another example of where this can produce an error like this is a value
that is multi-valued in IDM and single-valued in AD.

As a "generic" solution to this kind of problem, I suggest you implement
Rob's very clever solution:
http://www.novell.com/communities/node/9413/generic-single-valued-schema-enforcement

It could also be that you are trying to write an "empty" value to an
attribute in AD. This is generally not allowed in AD and you should
transform empty values to a clear destination attribute.

A generic solution for this from Lothar is:
http://wiki.novell.com/index.php/XPATH_Examples#Strip_All_Empty_Nodes_.28unscoped.29

However, even if these generic solutions "fix" your problem, it's better
you understand the underlying problem as you may find the best fix is to
correct the incorrect data (empty value, multi-valued) being written to
your IDV from another driver.

This is why we need to see the entire event sent to AD, it's likely just
one attribute is wrong.

Alex McHugh - Knowledge Partner - Stavanger, Norway
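The status-to-retry handling Alex describes above, as an added example that is not code from the thread, from the AD driver or from NetIQ/Novell. It does in plain Python what his two input-transform rules do in DirXML-Script, so the logic can be checked against a captured trace offline: statuses whose ldap-err carries one of the ldap-rc-name values from his rule get level="retry", and for LDAP_NO_SUCH_OBJECT the last valid container is pulled out of the AD "best match of:" text. The sample document is constructed from the fragments quoted in the thread; the event-ids and the domain in it are placeholders.

```python
"""Status triage for an IDM Active Directory driver: flip chosen errors to retry.

Added example mirroring Alex McHugh's input-transform rules. Not part of the
driver or the thread. SAMPLE is a constructed document (placeholder ids/domain).
"""
import re
import xml.etree.ElementTree as ET

# The ldap-rc-name values from Alex's "error to retry" rule, and the single
# code his "warning to retry" rule (missing OU) matches.
RETRY_ON_ERROR = {
    "LDAP_INVALID_SYNTAX", "LDAP_INVALID_DN_SYNTAX", "LDAP_NO_SUCH_ATTRIBUTE",
    "LDAP_UNWILLING_TO_PERFORM", "LDAP_ATTRIBUTE_OR_VALUE_EXISTS",
    "LDAP_NO_SUCH_OBJECT", "LDAP_REFERRAL", "ERROR_PASSWORD_RESTRICTION",
}
RETRY_ON_WARNING = {"LDAP_NO_SUCH_OBJECT"}

# AD names the deepest container that does exist after "best match of:".
BEST_MATCH = re.compile(r"best match of:\s*'([^']+)'")


def best_match_container(status):
    """Return the existing parent container named in <server-err>, or None."""
    err = status.find("ldap-err/server-err")
    if err is None or not err.text:
        return None
    m = BEST_MATCH.search(err.text)
    return m.group(1).strip() if m else None


def convert_to_retry(nds_xml):
    """Rewrite status levels in an <nds> output document.

    Returns (new_xml, notes). notes holds one tuple per converted status:
    (event-id, original level, ldap-rc-name, best-match container or None).
    Statuses without an <ldap-err> (success, non-LDAP errors) are untouched.
    """
    root = ET.fromstring(nds_xml)
    notes = []
    for status in root.iter("status"):
        level = status.get("level")
        ldap_err = status.find("ldap-err")
        if ldap_err is None:
            continue
        rc_name = ldap_err.get("ldap-rc-name", "")
        if (level == "error" and rc_name in RETRY_ON_ERROR) or \
           (level == "warning" and rc_name in RETRY_ON_WARNING):
            notes.append((status.get("event-id"), level, rc_name,
                          best_match_container(status)))
            status.set("level", "retry")
    return ET.tostring(root, encoding="unicode"), notes


# Constructed sample: an add that AD rejected, followed by the dependent
# modify that then failed because the object was never created.
SAMPLE = """<nds dtdversion="1.1" ndsversion="8.7">
<output>
<status event-id="ev1" level="error" type="driver-general">
<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
</status>
<status event-id="ev1_opData0" level="warning" type="driver-general">
<ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
<client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such Object</client-err>
<server-err>0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=example,DC=com'
</server-err>
<server-err-ex win32-rc="8333"/>
</ldap-err>
</status>
<status event-id="ev2" level="success"/>
</output>
</nds>"""

if __name__ == "__main__":
    new_xml, notes = convert_to_retry(SAMPLE)
    for event_id, old_level, rc_name, container in notes:
        print(f"{event_id}: {old_level} ({rc_name}) -> retry;"
              f" last valid container: {container}")
```

A retry status makes the engine replay the cached event after the retry interval (30 seconds by default, as Alex notes), so with bad data this loops until the data or the policy is fixed; that is what makes it useful in development and why it should not go into production without a cap or an operator looking at the trace.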
Re: ldap error when provisioning to Active Directory

On 07.02.2012 08:39, Alex McHugh wrote:

There was a small copy/paste error in the warning-to-retry rule from my
previous post; here is the correct code.

<rule>
<description>Change warning status to retry</description>
<comment xml:space="preserve">Will pick up missing OUs and retry
until someone creates them in AD</comment>
<conditions>
<and>
<if-xpath op="true">self::status[@level = 'warning']</if-xpath>
<if-xpath
op="true">ldap-err[@ldap-rc-name='LDAP_NO_SUCH_OBJECT']</if-xpath>
</and>
</conditions>
<actions>
<do-trace-message color="red">
<arg-string>
<token-text xml:space="preserve">Converting
status=Warning to Retry, </token-text>
<token-text xml:space="preserve">Missing OU(s),
Requested placement: </token-text>
<token-op-property name="AccountTracking-LDAPDN"/>
<token-text xml:space="preserve">, last valid container
in DN: </token-text>
<token-replace-first regex="^\s*'(.+)'\s*"
replace-with="$1">
<token-xpath
expression="substring-after(ldap-err/server-err/text(),'best match of:')"/>
</token-replace-first>
</arg-string>
</do-trace-message>
<do-set-xml-attr expression="." name="level">
<arg-string>
<token-text xml:space="preserve">retry</token-text>
</arg-string>
</do-set-xml-attr>
</actions>
</rule>
Alex McHugh - Knowledge Partner - Stavanger, Norway
Re: ldap error when provisioning to Active Directory


Hi Guys

My apologies for not sending a detailed trace:
Here is a more detailed trace:
'Detailed Trace - Pastebin.com' (http://pastebin.com/f4tJwpLG)

Hopefully this will be clearer.

regards

TakaM


--
TakaM

Re: ldap error when provisioning to Active Directory

On 08.02.2012 04:36, TakaM wrote:
>
> Hi Guys
>
> My apologies for not sending a detailed trace:
> Here is a more detailed trace:
> 'Detailed Trace - Pastebin.com' (http://pastebin.com/f4tJwpLG)
>
> Hopefully this will be more clearer.


Thanks..

OK. I see a couple of problems.

Problem #1: empty string (this is in your original Add). I'd suggest you
find out what other driver is setting this to "blank" in your IDVault.

<add-attr attr-name="company">
<value type="string"/>
</add-attr>

This causes the following error:
<status level="error"
type="driver-general"
event-id="cen-idm01#20120206121420#1#2:8e7b8728-3603-41f7-4585-28877b8e0336">
<ldap-err ldap-rc="21"
ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21"
ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr:
DSID-0C090B38, comment: Error in attribute conversion operation, data 0,
vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
</status>

Possible problem #2

1. Clear samAccountName
2. Clear samAccountName again and setting it again to the same value as
before.
3. Clear samAccountName
4. Clear samAccountName again and setting it again to the same value as
before.

I don't know if this would generate an error (it might; samAccountName is
mandatory), but it's rather useless code. Why?

It's hard to know if this is an error, because problem #1 causes all the
remaining events to fail. This warning is saying that it's not possible
to execute the first modify because the object was never added.

<status level="warning" type="driver-general"
event-id="cen-idm01#20120206121420#1#2:8e7b8728-3603-41f7-4585-28877b8e0336_opData0">
<ldap-err ldap-rc="32"
ldap-rc-name="LDAP_NO_SUCH_OBJECT">
<client-err ldap-rc="32"
ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such Object</client-err>
<server-err>0000208D: NameErr:
DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=cathednet,DC=wa,DC=edu,DC=au'
</server-err>
<server-err-ex win32-rc="8333"/>
</ldap-err>
</status>


Problem #3: changing UPN to include a comma. I'm pretty sure this is a
disallowed character in the UPN.

<modify-attr attr-name="userPrincipalName">
<remove-all-values/>
<add-value>
<value type="string">Test,
Senge@cathednet.wa.edu.au</value>
</add-value>
</modify-attr>
<modify-attr
attr-name="proxyAddresses">
<add-value>
<value
type="string">smtp:Test.Senge@cathednet.wa.edu.au</value>
</add-value>
</modify-attr>


Problem #4 rename followed by a modify event to change CN.

In principle, these do the exact same thing. Only the first will work.
Don't bother with the CN change.

This warning is again saying, rename failed because the object hasn't
yet been created.
<status level="warning" type="driver-general"
event-id="cen-idm01#20120206121420#1#2:8e7b8728-3603-41f7-4585-28877b8e0336_opData1">
<message>Rename failed</message>
<ldap-err ldap-rc="32"
ldap-rc-name="LDAP_NO_SUCH_OBJECT">
<client-err ldap-rc="32"
ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such Object</client-err>
<server-err>0000208D: NameErr:
DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=cathednet,DC=wa,DC=edu,DC=au'
</server-err>
<server-err-ex win32-rc="8333"/>
</ldap-err>
</status>
And so on. Fix your first error with the blank company and clean up your
unnecessary modifications to samAccountName, CN and userPrincipalName,
then try again.
Alex McHugh - Knowledge Partner - Stavanger, Norway
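Two of the LDAP_INVALID_SYNTAX causes discussed in this thread, the blank company value Alex found in the add above and the unescaped dest DN he raised in his earlier reply, handled in one added example. This is not code from the thread or from the AD driver. Empty values are dropped from an add and turned into remove-all-values on a modify, which is the "clear the destination attribute" transformation Alex describes; the naming attribute is escaped by the RFC 4514 rules, which is what the Escape Dest DN token does in policy. The sample events, names and containers are constructed placeholders.

```python
"""Subscriber-event pre-processing for an IDM AD driver.

Added example, not driver code. Handles empty <value/> nodes and RFC 4514
escaping of the naming attribute. SAMPLE_* events are constructed.
"""
import xml.etree.ElementTree as ET

# RFC 4514 section 2.4: characters that need a backslash anywhere in a value.
_DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value):
    """Escape one attribute value for use inside an RDN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # leading '#' only
            out.append("\\#")
        elif ch == " " and i in (0, last):    # leading or trailing space only
            out.append("\\ ")
        elif ord(ch) < 0x20:                  # control characters as hex pairs
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_dest_dn(cn, parent_dn):
    """Build CN=<escaped cn>,<parent> for the subscriber dest-dn."""
    return "CN=" + escape_dn_value(cn) + "," + parent_dn


def _drop_empty_values(parent):
    """Remove <value> children that carry no text and no components."""
    for v in list(parent.findall("value")):
        if len(v) == 0 and not (v.text or "").strip():
            parent.remove(v)


def strip_empty_values(event_xml):
    """Return (rewritten event XML, attr-names that were changed).

    <add>: an add-attr left with no values is removed outright.
    <modify>: an add-value left with no values becomes <remove-all-values/>,
    since AD rejects an empty add but accepts clearing the attribute.
    """
    root = ET.fromstring(event_xml)
    touched = []
    for add in list(root.iter("add")):
        for add_attr in list(add.findall("add-attr")):
            _drop_empty_values(add_attr)
            if add_attr.find("value") is None:
                add.remove(add_attr)
                touched.append(add_attr.get("attr-name"))
    for modify in list(root.iter("modify")):
        for mod_attr in modify.findall("modify-attr"):
            for add_value in list(mod_attr.findall("add-value")):
                _drop_empty_values(add_value)
                if add_value.find("value") is None:
                    mod_attr.remove(add_value)
                    if mod_attr.find("remove-all-values") is None:
                        mod_attr.insert(0, ET.Element("remove-all-values"))
                    touched.append(mod_attr.get("attr-name"))
    return ET.tostring(root, encoding="unicode"), touched


# Constructed events (names and containers are placeholders).
PARENT_DN = "OU=Staff,DC=example,DC=com"
SAMPLE_ADD = """<nds dtdversion="3.5"><input>
<add class-name="User" dest-dn="%s">
<add-attr attr-name="sAMAccountName"><value type="string">Sample.User</value></add-attr>
<add-attr attr-name="company"><value type="string"/></add-attr>
<add-attr attr-name="givenName"><value type="string">Sample</value></add-attr>
</add>
</input></nds>""" % build_dest_dn("Sample, User", PARENT_DN)

SAMPLE_MODIFY = """<nds dtdversion="3.5"><input>
<modify class-name="User" dest-dn="CN=Sample\\, User,OU=Staff,DC=example,DC=com">
<modify-attr attr-name="company"><add-value><value type="string"/></add-value></modify-attr>
<modify-attr attr-name="department"><remove-all-values/><add-value><value type="string">IT</value></add-value></modify-attr>
</modify>
</input></nds>"""

if __name__ == "__main__":
    for sample in (SAMPLE_ADD, SAMPLE_MODIFY):
        fixed, touched = strip_empty_values(sample)
        print("cleared:", touched)
        print(fixed)
```

As Alex says, this kind of scrub only masks the symptom: the blank value came from whatever wrote an empty company attribute into the Identity Vault, and that source is what should be fixed.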