Anonymous_User Absent Member.

not allowed to change samAccountName

Is it a legal operation to change samAccountName on rename? Is there
something I need to set in AD before I can do it? I've tried this:

<modify-attr attr-name="sAMAccountName">
<remove-value>
<value type="string">old_name</value>
</remove-value>
</modify-attr>
<modify-attr attr-name="sAMAccountName">
<add-value>
<value type="string">new_name</value>
</add-value>
</modify-attr>

and this:

<modify-attr attr-name="sAMAccountName">
<remove-all-values/>
<add-value>
<value>new_name</value>
</add-value>
</modify-attr>

and they both end up as not willing to perform:

<status
event-id="ksmeta1#20160512110957#1#2:ccbfde72-b5d3-42bc-08a0-72debfccd3b5_opData0"
level="error" type="driver-general">
<ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
<client-err ldap-rc="53"
ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">Unwilling To Perform</client-err>
<server-err>00002016: SvcErr: DSID-031A12D2, problem 5003
(WILL_NOT_PERFORM), data 0
</server-err>
<server-err-ex win32-rc="8214"/>
</ldap-err>
</status>

My idm user has the rights of domain admin to add or delete users but
does it require something more special to change samAccountName?

Thanks,
Pekka
Knowledge Partner

Re: not allowed to change samAccountName

Pekka Kuronen wrote:

> My idm user has the rights of domain admin to add or delete users but does it
> require something more special to change sAMAccountName?


Is your connection to AD SSL-encrypted? Is the new value syntactically OK, i.e.
contains only the allowed characters?

--
http://www.is4it.de/en/solution/identity-access-management/
______________________________________________
https://www.is4it.de/identity-access-management
Anonymous_User Absent Member.

Re: not allowed to change samAccountName

Connection between AD and remote loader is not encrypted because they
are on the same server. Is it needed for samAccountName rename?

Characters are ok and change can be done via LDAP using the same login
credentials as the AD driver does.

On 12/05/16 15:23, Lothar Haeger wrote:
> Pekka Kuronen wrote:
>
>> My idm user has the rights of domain admin to add or delete users but does it
>> require something more special to change sAMAccountName?

>
> Is your connection to AD SSL-encrypted? Is the new value syntactically OK, i.e.
> contains only the allowed characters?
>


Knowledge Partner

Re: not allowed to change samAccountName

Pekka Kuronen wrote:

> Connection between AD and remote loader is not encrypted because they are on
> the same server. Is it needed for samAccountName rename?


AD requires SSL for certain operations and throws an error similar to yours
otherwise. Not sure if changing sAMAccountName has that same requirement, but
it may be worth a try. Try whether securing both IDM <-> RL and Shim <-> AD solves
your issue. I would suspect the latter to be the relevant connection.

--
http://www.is4it.de/en/solution/identity-access-management/
______________________________________________
https://www.is4it.de/identity-access-management
Knowledge Partner

Re: not allowed to change samAccountName

Have you checked that the new_name is unique?

On 2016-05-12 14:02, Pekka Kuronen wrote:
> Is it a legal operation to change samAccountName on rename? Is there
> something I need to set in AD before I can do it? I've tried this:
>
> <modify-attr attr-name="sAMAccountName">
> <remove-value>
> <value type="string">old_name</value>
> </remove-value>
> </modify-attr>
> <modify-attr attr-name="sAMAccountName">
> <add-value>
> <value type="string">new_name</value>
> </add-value>
> </modify-attr>
>
> and this:
>
> <modify-attr attr-name="sAMAccountName">
> <remove-all-values/>
> <add-value>
> <value>new_name</value>
> </add-value>
> </modify-attr>
>
> and they both end up as not willing to perform:
>
> <status
> event-id="ksmeta1#20160512110957#1#2:ccbfde72-b5d3-42bc-08a0-72debfccd3b5_opData0"
> level="error" type="driver-general">
> <ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
> <client-err ldap-rc="53"
> ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">Unwilling To Perform</client-err>
> <server-err>00002016: SvcErr: DSID-031A12D2, problem 5003
> (WILL_NOT_PERFORM), data 0
> </server-err>
> <server-err-ex win32-rc="8214"/>
> </ldap-err>
> </status>
>
> My idm user has the rights of domain admin to add or delete users but
> does it require something more special to change samAccountName?
>
> Thanks,
> Pekka

Anonymous_User Absent Member.

Re: not allowed to change samAccountName

On 5/12/16 6:02 AM, Pekka Kuronen wrote:
> <server-err-ex win32-rc="8214"/>


I wasn't here, but..

ERROR_DS_CANT_ON_RDN
8214 (0x2016)
The directory service cannot perform the requested operation on the RDN
attribute of an object.

This tells me you are probably also sending a modify of the CN attribute,
which is not allowed to be modified directly, but requires a rename.


--
Shon
Knowledge Partner

Re: not allowed to change samAccountName

Shon Vella <svella@technologist.com> wrote:
> On 5/12/16 6:02 AM, Pekka Kuronen wrote:
>> <server-err-ex win32-rc="8214"/>

>
> I wasn't here, but..
>
> ERROR_DS_CANT_ON_RDN
> 8214 (0x2016)
> The directory service cannot perform the requested operation on the RDN
> attribute of an object.
>
> This tells me you are probably also sending a modify of CN attribute,
> which is not allowed to be modified directly, but requires a rename.
>


As always completely correct.

The cause could be your driver filter.

Or you could have a policy that generates a modify-attr rather than a rename.

There is a TID related to this which explains why, for the AD shim, one can't
have an attribute that maps to AD CN in the driver filter as subscriber sync
(it must be ignore).

https://www.netiq.com/support/kb/doc.php?id=10100761

--
Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Re: not allowed to change samAccountName


Pekka Kuronen;267717 Wrote:
> Is it a legal operation to change samAccountName on rename? Is there
> something I need to set in AD before I can do it? I've tried this:
>
> <modify-attr attr-name="sAMAccountName">
> <remove-value>
> <value type="string">old_name</value>
> </remove-value>
> </modify-attr>
> <modify-attr attr-name="sAMAccountName">
> <add-value>
> <value type="string">new_name</value>
> </add-value>
> </modify-attr>
>
> and this:
>
> <modify-attr attr-name="sAMAccountName">
> <remove-all-values/>
> <add-value>
> <value>new_name</value>
> </add-value>
> </modify-attr>
>
> and they both end up as not willing to perform:
>
> <status
> event-id="ksmeta1#20160512110957#1#2:ccbfde72-b5d3-42bc-08a0-72debfccd3b5_opData0"
> level="error" type="driver-general">
> <ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
> <client-err ldap-rc="53"
> ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">Unwilling To
> Perform</client-err>
> <server-err>00002016: SvcErr: DSID-031A12D2, problem 5003
> (WILL_NOT_PERFORM), data 0
> </server-err>
> <server-err-ex win32-rc="8214"/>
> </ldap-err>
> </status>
>
> My idm user has the rights of domain admin to add or delete users but
> does it require something more special to change samAccountName?
>
> Thanks,
> Pekka


Hi Pekka,
I have absolutely no problem renaming an eDir account and renaming
samAccountName in AD.

Initial document:
> 23:46:19 ACD36700 Drvrs: AD8101 ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Standard" version="4.5.2.1">DirXML</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <rename cached-time="20160513034619.934Z" class-name="User"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> old-src-dn="\EDS\BMGC\data\users\test1"
> qualified-old-src-dn="O=BMGC\OU=data\OU=users\CN=test1"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> remove-old-name="true" src-dn="\EDS\BMGC\data\users\test2"
> src-entry-id="76800" timestamp="1463111175#2">
> <association
> state="associated">e29d75351b7f5546a8c89034dd83179f</association>
> <new-name>test2</new-name>
> </rename>
> </input>
> </nds>
> 23:46:19 ACD36700 Drvrs: AD8101 ST:No event transformation policies.
> 23:46:19 ACD36700 Drvrs: AD8101 ST:Subscriber processing rename for
> \EDS\BMGC\data\users\test2.
> 23:46:19 ACD36700 Drvrs: AD8101 ST:Applying command transformation
> policies.




After NOVLADDCFG-sub-ctp-UserNameMap and Schema mapping:
> 23:46:20 ACD36700 Drvrs: AD8101 ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Standard" version="4.5.2.1">DirXML</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <rename cached-time="20160513034619.934Z" class-name="user"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> old-src-dn="\EDS\BMGC\data\users\test1"
> qualified-old-src-dn="O=BMGC\OU=data\OU=users\CN=test1"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> remove-old-name="true" src-dn="\EDS\BMGC\data\users\test2"
> src-entry-id="76800" timestamp="1463111175#2">
> <association
> state="associated">e29d75351b7f5546a8c89034dd83179f</association>
> <new-name>test2</new-name>
> </rename>
> <modify class-name="user"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> src-dn="\EDS\BMGC\data\users\test2" src-entry-id="76800">
> <association>e29d75351b7f5546a8c89034dd83179f</association>
> <modify-attr attr-name="sAMAccountName">
> <remove-all-values/>
> <add-value>
> <value>test2</value>
> </add-value>
> </modify-attr>
> <modify-attr attr-name="userPrincipalName">
> <remove-all-values/>
> <add-value>
> <value>test2@rrr.co.uk</value>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> 23:46:20 ACD36700 Drvrs: AD8101 ST:Applying policy:
> NOVLADDCFG-otp-ExchangeEntitlementQuery.
> 23:46:20 ACD36700 Drvrs: AD8101 ST: Applying to rename #1.
> 23:46:20 ACD36700 Drvrs: AD8101 ST: Evaluating selection criteria for
> rule 'Add dest-dn to the Exchange Entitlement Query'.
> 23:46:20 ACD36700 Drvrs: AD8101 ST: (if-operation equal "query") =
> FALSE.
> 23:46:20 ACD36700 Drvrs: AD8101 ST: Rule rejected.
> 23:46:20 ACD36700 Drvrs: AD8101 ST: Applying to modify #2.
> 05/12/16
> 23:46:20 ACD36700 Drvrs: AD8101 ST: Evaluating selection criteria for
> rule 'Add dest-dn to the Exchange Entitlement Query'.
> 23:46:20 ACD36700 Drvrs: AD8101 ST: (if-operation equal "query") =
> FALSE.
> 23:46:20 ACD36700 Drvrs: AD8101 ST: Rule rejected.
> 23:46:20 ACD36700 Drvrs: AD8101 ST:Policy returned:
> 23:46:20 ACD36700 Drvrs: AD8101 ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Standard" version="4.5.2.1">DirXML</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <rename cached-time="20160513034619.934Z" class-name="user"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> old-src-dn="\EDS\BMGC\data\users\test1"
> qualified-old-src-dn="O=BMGC\OU=data\OU=users\CN=test1"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> remove-old-name="true" src-dn="\EDS\BMGC\data\users\test2"
> src-entry-id="76800" timestamp="1463111175#2">
> <association
> state="associated">e29d75351b7f5546a8c89034dd83179f</association>
> <new-name>test2</new-name>
> </rename>
> <modify class-name="user"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> src-dn="\EDS\BMGC\data\users\test2" src-entry-id="76800">
> <association>e29d75351b7f5546a8c89034dd83179f</association>
> <modify-attr attr-name="sAMAccountName">
> <remove-all-values/>
> <add-value>
> <value>test2</value>
> </add-value>
> </modify-attr>
> <modify-attr attr-name="userPrincipalName">
> <remove-all-values/>
> <add-value>
> <value>test2@rrr.co.uk</value>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> 23:46:20 ACD36700 Drvrs: AD8101 ST:Submitting document to subscriber
> shim:
> 23:46:20 ACD36700 Drvrs: AD8101 ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Standard" version="4.5.2.1">DirXML</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <rename cached-time="20160513034619.934Z" class-name="user"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> old-src-dn="\EDS\BMGC\data\users\test1"
> qualified-old-src-dn="O=BMGC\OU=data\OU=users\CN=test1"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> remove-old-name="true" src-dn="\EDS\BMGC\data\users\test2"
> src-entry-id="76800" timestamp="1463111175#2">
> <association
> state="associated">e29d75351b7f5546a8c89034dd83179f</association>
> <new-name>test2</new-name>
> </rename>
> <modify class-name="user"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> src-dn="\EDS\BMGC\data\users\test2" src-entry-id="76800">
> <association>e29d75351b7f5546a8c89034dd83179f</association>
> <modify-attr attr-name="sAMAccountName">
> <remove-all-values/>
> <add-value>
> <value>test2</value>
> </add-value>
> </modify-attr>
> <modify-attr attr-name="userPrincipalName">
> <remove-all-values/>
> <add-value>
> <value>test2@rrr.co.uk</value>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> 23:46:20 ACD36700 Drvrs: AD8101 ST:Remote Interface Driver: Sending...
> 23:46:20 ACD36700 Drvrs: AD8101 ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Standard" version="4.5.2.1">DirXML</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <rename cached-time="20160513034619.934Z" class-name="user"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> old-src-dn="\EDS\BMGC\data\users\test1"
> qualified-old-src-dn="O=BMGC\OU=data\OU=users\CN=test1"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> remove-old-name="true" src-dn="\EDS\BMGC\data\users\test2"
> src-entry-id="76800" timestamp="1463111175#2">
> <association
> state="associated">e29d75351b7f5546a8c89034dd83179f</association>
> <new-name>test2</new-name>
> </rename>
> <modify class-name="user"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> src-dn="\EDS\BMGC\data\users\test2" src-entry-id="76800">
> <association>e29d75351b7f5546a8c89034dd83179f</association>
> <modify-attr attr-name="sAMAccountName">
> <remove-all-values/>
> <add-value>
> <value>test2</value>
> </add-value>
> </modify-attr>
> <modify-attr attr-name="userPrincipalName">
> <remove-all-values/>
> <add-value>
> <value>test2@rrr.co.uk</value>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> 23:46:20 ACD36700 Drvrs: AD8101 ST:Remote Interface Driver: Document
> sent.
> 23:46:20 831C2700 Drvrs: AD8101 :Remote Interface Driver: Received.
> 23:46:20 831C2700 Drvrs: AD8101 :
> <nds dtdversion="1.1" ndsversion="8.7">
> <source>
> <product asn1id="" build="20131219_120000"
> instance="\EDS\BMGC\Services\QA-idm45\AD8101"
> version="4.0.0.3">AD</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <status
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> level="success"/>
> <status
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> level="success"/>
> </output>
> </nds>
> 23:46:20 831C2700 Drvrs: AD8101 :Remote Interface Driver: Received
> document for subscriber channel
> 23:46:20 831C2700 Drvrs: AD8101 :Remote Interface Driver: Waiting for
> receive...
> 23:46:20 ACD36700 Drvrs: AD8101 ST:SubscriptionShim.execute() returned:
> 23:46:20 ACD36700 Drvrs: AD8101 ST:
> <nds dtdversion="1.1" ndsversion="8.7">
> <source>
> <product asn1id="" build="20131219_120000"
> instance="\EDS\BMGC\Services\QA-idm45\AD8101"
> version="4.0.0.3">AD</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <status
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> level="success"/>
> <status
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> level="success"/>
> </output>
> </nds>



--
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=55863

Knowledge Partner

Re: not allowed to change samAccountName


Remote Loader part:
> DirXML: [05/12/16 23:46:20.24]: Loader: Received 'subscriber execute'
> document
> DirXML: [05/12/16 23:46:20.26]: Loader: XML Document:
> DirXML: [05/12/16 23:46:20.26]: <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Standard" version="4.5.2.1">DirXML</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <rename cached-time="20160513034619.934Z" class-name="user"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> old-src-dn="\EDS\BMGC\data\users\test1"
> qualified-old-src-dn="O=BMGC\OU=data\OU=users\CN=test1"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> remove-old-name="true" src-dn="\EDS\BMGC\data\users\test2"
> src-entry-id="76800" timestamp="1463111175#2">
> <association
> state="associated">e29d75351b7f5546a8c89034dd83179f</association>
> <new-name>test2</new-name>
> </rename>
> <modify class-name="user"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> src-dn="\EDS\BMGC\data\users\test2" src-entry-id="76800">
> <association>e29d75351b7f5546a8c89034dd83179f</association>
> <modify-attr attr-name="sAMAccountName">
> <remove-all-values/>
> <add-value>
> <value>test2</value>
> </add-value>
> </modify-attr>
> <modify-attr attr-name="userPrincipalName">
> <remove-all-values/>
> <add-value>
> <value>test2@rrr.co.uk</value>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> DirXML: [05/12/16 23:46:20.26]: Loader: Calling
> subscriptionShim->execute()
> DirXML: [05/12/16 23:46:20.26]: Loader: XML Document:
> DirXML: [05/12/16 23:46:20.26]: <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Standard" version="4.5.2.1">DirXML</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <rename cached-time="20160513034619.934Z" class-name="user"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> old-src-dn="\EDS\BMGC\data\users\test1"
> qualified-old-src-dn="O=BMGC\OU=data\OU=users\CN=test1"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> remove-old-name="true" src-dn="\EDS\BMGC\data\users\test2"
> src-entry-id="76800" timestamp="1463111175#2">
> <association
> state="associated">e29d75351b7f5546a8c89034dd83179f</association>
> <new-name>test2</new-name>
> </rename>
> <modify class-name="user"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
> src-dn="\EDS\BMGC\data\users\test2" src-entry-id="76800">
> <association>e29d75351b7f5546a8c89034dd83179f</association>
> <modify-attr attr-name="sAMAccountName">
> <remove-all-values/>
> <add-value>
> <value>test2</value>
> </add-value>
> </modify-attr>
> <modify-attr attr-name="userPrincipalName">
> <remove-all-values/>
> <add-value>
> <value>test2@rrr.co.uk</value>
> </add-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> DirXML: [05/12/16 23:46:20.27]: ADDriver: parse command
>
> className user
> destDN
> eventId
> idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88
> association e29d75351b7f5546a8c89034dd83179f
> DirXML: [05/12/16 23:46:20.27]: ADDriver: parse rename
> DirXML: [05/12/16 23:46:20.27]: ADDriver: remove-old-name true
> DirXML: [05/12/16 23:46:20.27]: ADDriver: new-name test2
> DirXML: [05/12/16 23:46:20.30]: ADDriver: parse command
>
> className user
> destDN
> eventId
> idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88
> association e29d75351b7f5546a8c89034dd83179f
> DirXML: [05/12/16 23:46:20.32]: ADDriver: parse modify class = user
> DirXML: [05/12/16 23:46:20.32]: ADDriver: association
> DirXML: [05/12/16 23:46:20.32]: ADDriver:
> e29d75351b7f5546a8c89034dd83179f
> DirXML: [05/12/16 23:46:20.32]: ADDriver: modify-attr
> DirXML: [05/12/16 23:46:20.32]: ADDriver: remove-all-values
> DirXML: [05/12/16 23:46:20.32]: ADDriver: add-value
> DirXML: [05/12/16 23:46:20.33]: ADDriver: value
> DirXML: [05/12/16 23:46:20.33]: ADDriver: test2
> DirXML: [05/12/16 23:46:20.33]: ADDriver: modify-attr
> DirXML: [05/12/16 23:46:20.33]: ADDriver: remove-all-values
> DirXML: [05/12/16 23:46:20.33]: ADDriver: add-value
> DirXML: [05/12/16 23:46:20.33]: ADDriver: value
> DirXML: [05/12/16 23:46:20.35]: ADDriver: test2@rrr.co.uk
> DirXML: [05/12/16 23:46:20.35]: ADDriver: ldap_modify user
> CN=test2,OU=test-al,DC=reit,DC=co,DC=uk
> LDAPMod operations:
> replace attribute sAMAccountName
> >> test2

> delete attribute userPrincipalName
> add attribute userPrincipalName
> >> test2@rrr.co.uk

> DirXML: [05/12/16 23:46:20.36]: Loader: subscriptionShim->execute()
> returned:
> DirXML: [05/12/16 23:46:20.36]: Loader: XML Document:
> DirXML: [05/12/16 23:46:20.36]: <nds ndsversion="8.7" dtdversion="1.1">
> <source>
> <product version="4.0.0.3" asn1id="" build="20131219_120000"
> instance="\EDS\BMGC\Services\QA-idm45\AD8101">AD</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <status level="success"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"/>
> <status level="success"
> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"/>
> </output>
> </nds>
> DirXML: [05/12/16 23:46:20.38]:
> DirXML Log Event -------------------
> Driver = \EDS\BMGC\Services\QA-idm45\AD8101
> Thread = Subscriber Channel
> Object = \EDS\BMGC\data\users\test2
> Level = success
> DirXML: [05/12/16 23:46:20.38]:
> DirXML Log Event -------------------
> Driver = \EDS-P2\BMGC\Services\QA-idm45\AD8101
> Thread = Subscriber Channel
> Object = \EDS-P2\BMGC\data\users\test2
> Level = success
>



--
al_b's Profile: https://forums.netiq.com/member.php?userid=209

Anonymous_User Absent Member.

Re: not allowed to change samAccountName

This one was resolved. There was an AD attribute 'name' added later in the
operation, which was not supposed to happen. Should have seen it, but
sometimes you cannot see the forest for the trees.

Thanks a lot for your help Lothar, Alex, Shon and Al. You guys are doing
great work here.

Pekka

On 13/05/16 08:14, al b wrote:
>
> Remote Loader part:
>> DirXML: [05/12/16 23:46:20.24]: Loader: Received 'subscriber execute'
>> document
>> DirXML: [05/12/16 23:46:20.26]: Loader: XML Document:
>> DirXML: [05/12/16 23:46:20.26]: <nds dtdversion="4.0" ndsversion="8.x">
>> <source>
>> <product edition="Standard" version="4.5.2.1">DirXML</product>
>> <contact>NetIQ Corporation</contact>
>> </source>
>> <input>
>> <rename cached-time="20160513034619.934Z" class-name="user"
>> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
>> old-src-dn="\EDS\BMGC\data\users\test1"
>> qualified-old-src-dn="O=BMGC\OU=data\OU=users\CN=test1"
>> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
>> remove-old-name="true" src-dn="\EDS\BMGC\data\users\test2"
>> src-entry-id="76800" timestamp="1463111175#2">
>> <association
>> state="associated">e29d75351b7f5546a8c89034dd83179f</association>
>> <new-name>test2</new-name>
>> </rename>
>> <modify class-name="user"
>> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
>> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
>> src-dn="\EDS\BMGC\data\users\test2" src-entry-id="76800">
>> <association>e29d75351b7f5546a8c89034dd83179f</association>
>> <modify-attr attr-name="sAMAccountName">
>> <remove-all-values/>
>> <add-value>
>> <value>test2</value>
>> </add-value>
>> </modify-attr>
>> <modify-attr attr-name="userPrincipalName">
>> <remove-all-values/>
>> <add-value>
>> <value>test2@rrr.co.uk</value>
>> </add-value>
>> </modify-attr>
>> </modify>
>> </input>
>> </nds>
>> DirXML: [05/12/16 23:46:20.26]: Loader: Calling
>> subscriptionShim->execute()
>> DirXML: [05/12/16 23:46:20.26]: Loader: XML Document:
>> DirXML: [05/12/16 23:46:20.26]: <nds dtdversion="4.0" ndsversion="8.x">
>> <source>
>> <product edition="Standard" version="4.5.2.1">DirXML</product>
>> <contact>NetIQ Corporation</contact>
>> </source>
>> <input>
>> <rename cached-time="20160513034619.934Z" class-name="user"
>> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
>> old-src-dn="\EDS\BMGC\data\users\test1"
>> qualified-old-src-dn="O=BMGC\OU=data\OU=users\CN=test1"
>> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
>> remove-old-name="true" src-dn="\EDS\BMGC\data\users\test2"
>> src-entry-id="76800" timestamp="1463111175#2">
>> <association
>> state="associated">e29d75351b7f5546a8c89034dd83179f</association>
>> <new-name>test2</new-name>
>> </rename>
>> <modify class-name="user"
>> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"
>> qualified-src-dn="O=BMGC\OU=data\OU=users\CN=test2"
>> src-dn="\EDS\BMGC\data\users\test2" src-entry-id="76800">
>> <association>e29d75351b7f5546a8c89034dd83179f</association>
>> <modify-attr attr-name="sAMAccountName">
>> <remove-all-values/>
>> <add-value>
>> <value>test2</value>
>> </add-value>
>> </modify-attr>
>> <modify-attr attr-name="userPrincipalName">
>> <remove-all-values/>
>> <add-value>
>> <value>test2@rrr.co.uk</value>
>> </add-value>
>> </modify-attr>
>> </modify>
>> </input>
>> </nds>
>> DirXML: [05/12/16 23:46:20.27]: ADDriver: parse command
>>
>> className user
>> destDN
>> eventId
>> idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88
>> association e29d75351b7f5546a8c89034dd83179f
>> DirXML: [05/12/16 23:46:20.27]: ADDriver: parse rename
>> DirXML: [05/12/16 23:46:20.27]: ADDriver: remove-old-name true
>> DirXML: [05/12/16 23:46:20.27]: ADDriver: new-name test2
>> DirXML: [05/12/16 23:46:20.30]: ADDriver: parse command
>>
>> className user
>> destDN
>> eventId
>> idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88
>> association e29d75351b7f5546a8c89034dd83179f
>> DirXML: [05/12/16 23:46:20.32]: ADDriver: parse modify class = user
>> DirXML: [05/12/16 23:46:20.32]: ADDriver: association
>> DirXML: [05/12/16 23:46:20.32]: ADDriver:
>> e29d75351b7f5546a8c89034dd83179f
>> DirXML: [05/12/16 23:46:20.32]: ADDriver: modify-attr
>> DirXML: [05/12/16 23:46:20.32]: ADDriver: remove-all-values
>> DirXML: [05/12/16 23:46:20.32]: ADDriver: add-value
>> DirXML: [05/12/16 23:46:20.33]: ADDriver: value
>> DirXML: [05/12/16 23:46:20.33]: ADDriver: test2
>> DirXML: [05/12/16 23:46:20.33]: ADDriver: modify-attr
>> DirXML: [05/12/16 23:46:20.33]: ADDriver: remove-all-values
>> DirXML: [05/12/16 23:46:20.33]: ADDriver: add-value
>> DirXML: [05/12/16 23:46:20.33]: ADDriver: value
>> DirXML: [05/12/16 23:46:20.35]: ADDriver: test2@rrr.co.uk
>> DirXML: [05/12/16 23:46:20.35]: ADDriver: ldap_modify user
>> CN=test2,OU=test-al,DC=reit,DC=co,DC=uk
>> LDAPMod operations:
>> replace attribute sAMAccountName
>>>> test2

>> delete attribute userPrincipalName
>> add attribute userPrincipalName
>>>> test2@rrr.co.uk

>> DirXML: [05/12/16 23:46:20.36]: Loader: subscriptionShim->execute()
>> returned:
>> DirXML: [05/12/16 23:46:20.36]: Loader: XML Document:
>> DirXML: [05/12/16 23:46:20.36]: <nds ndsversion="8.7" dtdversion="1.1">
>> <source>
>> <product version="4.0.0.3" asn1id="" build="20131219_120000"
>> instance="\EDS\BMGC\Services\QA-idm45\AD8101">AD</product>
>> <contact>Novell, Inc.</contact>
>> </source>
>> <output>
>> <status level="success"
>> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"/>
>> <status level="success"
>> event-id="idm45#20160513034619#2#2:4735a3b5-886a-418b-f396-b5a335476a88"/>
>> </output>
>> </nds>
>> DirXML: [05/12/16 23:46:20.38]:
>> DirXML Log Event -------------------
>> Driver = \EDS\BMGC\Services\QA-idm45\AD8101
>> Thread = Subscriber Channel
>> Object = \EDS\BMGC\data\users\test2
>> Level = success
>> DirXML: [05/12/16 23:46:20.38]:
>> DirXML Log Event -------------------
>> Driver = \EDS-P2\BMGC\Services\QA-idm45\AD8101
>> Thread = Subscriber Channel
>> Object = \EDS-P2\BMGC\data\users\test2
>> Level = success
>>

>
>


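A check for the cause found in this thread, added here as an example and not taken from any poster or from NetIQ: it decodes the win32-rc in a driver status and lists every modify-attr in a subscriber command document that targets an attribute the thread says can only change through a rename (cn, name). The command documents, event-id and association values are constructed; only the error text is copied from the first post.

```python
import re
import xml.etree.ElementTree as ET

# Win32 code named in the thread; any other code is reported as "unknown".
WIN32_NAMES = {8214: "ERROR_DS_CANT_ON_RDN"}

# AD attributes the thread identifies as changeable only through a rename.
RDN_BOUND = {"cn", "name"}

# Error status as posted in the thread (event-id omitted).
SAMPLE_STATUS = """<status level="error" type="driver-general">
<ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
<server-err>00002016: SvcErr: DSID-031A12D2, problem 5003
(WILL_NOT_PERFORM), data 0
</server-err>
<server-err-ex win32-rc="8214"/>
</ldap-err>
</status>"""

# Constructed failing case: sAMAccountName modify plus a stray 'name' modify.
SAMPLE_COMMAND = """<nds dtdversion="4.0"><input>
<modify class-name="user" event-id="constructed#1">
<association>00000000000000000000000000000000</association>
<modify-attr attr-name="sAMAccountName">
<remove-all-values/><add-value><value>new_name</value></add-value>
</modify-attr>
<modify-attr attr-name="name">
<remove-all-values/><add-value><value>new_name</value></add-value>
</modify-attr>
</modify>
</input></nds>"""

# Constructed working case: rename command followed by a modify that leaves
# the RDN alone, the shape al_b's trace shows succeeding.
SAMPLE_CLEAN = """<nds dtdversion="4.0"><input>
<rename class-name="user" event-id="constructed#2" remove-old-name="true">
<association>00000000000000000000000000000000</association>
<new-name>new_name</new-name>
</rename>
<modify class-name="user" event-id="constructed#2">
<association>00000000000000000000000000000000</association>
<modify-attr attr-name="sAMAccountName">
<remove-all-values/><add-value><value>new_name</value></add-value>
</modify-attr>
</modify>
</input></nds>"""


def decode_status(status_xml):
    """Return (win32_code, symbolic_name) for a <status> carrying an ldap-err."""
    root = ET.fromstring(status_xml)
    ex = root.find(".//server-err-ex")
    code = int(ex.get("win32-rc")) if ex is not None and ex.get("win32-rc") else None
    # The server-err text starts with the same code as eight hex digits.
    match = re.match(r"\s*([0-9A-Fa-f]{8}):", root.findtext(".//server-err") or "")
    if match:
        from_hex = int(match.group(1), 16)
        if code is None:
            code = from_hex
        elif code != from_hex:
            raise ValueError("win32-rc and server-err disagree")
    if code is None:
        raise ValueError("no win32 code in status")
    return code, WIN32_NAMES.get(code, "unknown")


def find_rdn_modifies(command_xml):
    """List (event-id, attr-name) for modify-attr elements that touch the RDN."""
    root = ET.fromstring(command_xml)
    findings = []
    for modify in root.iter("modify"):
        for attr in modify.findall("modify-attr"):
            name = attr.get("attr-name", "")
            if name.lower() in RDN_BOUND:  # LDAP attribute names ignore case
                findings.append((modify.get("event-id"), name))
    return findings


if __name__ == "__main__":
    print(decode_status(SAMPLE_STATUS))
    print(find_rdn_modifies(SAMPLE_COMMAND))
    print(find_rdn_modifies(SAMPLE_CLEAN))
```

Run it against the last document the engine submits to the subscriber shim, since the offending modify-attr can be added by a policy late in the chain.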