Hi,


Currently I have managed to synchronize my users from an Edir to an AD
using idm 3.6.1. That's all working fine, except for the groups in Edir.
Other than the password nothing has to sync back from the AD.

Edir has the following structure :

o=idm
ou=Groups (has all the groups)
ou=Users (has all the users)

I've used the root idm as base container for Edir in my driver
configuration and I've used the OU IDM as my base container in AD. So
ou=IDM,DC=test2,DC=int.

All the users are present in the IDM ou in AD, but no groups.

When I try to migrate a group from the identity vault I get a veto from
the matching policy on the subscriber channel.

I don't understand why that is happening though. Anyone that can point
out to me what I'm doing wrong?


Added the level 3 trace from the engine site as well :


15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:No
event transformation policies.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Subscriber processing sync for \IDM\idm\groups\Testgroupidm.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Reading relevant attributes from \IDM\idm\groups\Testgroupidm.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query class-name="Group" dest-dn="\IDM\idm\groups\Testgroupidm"
dest-entry-id="48640" scope="entry">
<read-attr attr-name="Description"/>
<read-attr attr-name="Full Name"/>
<read-attr attr-name="L"/>
<read-attr attr-name="Member"/>
<read-attr attr-name="Owner"/>
</query>
</input>
</nds>
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Pumping XDS to eDirectory.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Performing operation query for \IDM\idm\groups\Testgroupidm.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:Read
result:
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance class-name="Group"
qualified-src-dn="O=idm\OU=groups\CN=Testgroupidm"
src-dn="\IDM\idm\groups\Testgroupidm" src-entry-id="48640">
<association state="manual"></association>
<attr attr-name="Member">
<value timestamp="1264580300#1"
type="dn">\IDM\idm\users\active\idmtest</value>
<value timestamp="1264580300#6"
type="dn">\IDM\idm\users\active\idmtest2</value>
</attr>
</instance>
<status level="success"></status>
</output>
</nds>
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Synthetic add:
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<add class-name="Group" event-id="IDM#20100127141007#1#1"
qualified-src-dn="O=idm\OU=groups\CN=Testgroupidm"
src-dn="\IDM\idm\groups\Testgroupidm" src-entry-id="48640">
<association state="manual"></association>
<add-attr attr-name="Member">
<value timestamp="1264580300#1"
type="dn">\IDM\idm\users\active\idmtest</value>
<value timestamp="1264580300#6"
type="dn">\IDM\idm\users\active\idmtest2</value>
</add-attr>
</add>
<status level="success"></status>
</output>
</nds>
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Applying object matching policies.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Applying policy: sub-mp-Scoping.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
Applying to add #1.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
Evaluating selection criteria for rule 'remember relative position in
hierarchy'.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
(if-src-dn in-subtree "idm\users\active") = FALSE.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST: Rule
rejected.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Policy returned:
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="Group" event-id="IDM#20100127141007#1#1"
qualified-src-dn="O=idm\OU=groups\CN=Testgroupidm"
src-dn="\IDM\idm\groups\Testgroupidm" src-entry-id="48640">
<add-attr attr-name="Member">
<value timestamp="1264580300#1"
type="dn">\IDM\idm\users\active\idmtest</value>
<value timestamp="1264580300#6"
type="dn">\IDM\idm\users\active\idmtest2</value>
</add-attr>
</add>
</input>
</nds>
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Applying policy: sub-mp-EntitlementsImpl.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
Applying to add #1.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
Evaluating selection criteria for rule 'UserAccount entitlement: do not
match existing accounts'.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
(if-class-name equal "User") = FALSE.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST: Rule
rejected.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Policy returned:
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="Group" event-id="IDM#20100127141007#1#1"
qualified-src-dn="O=idm\OU=groups\CN=Testgroupidm"
src-dn="\IDM\idm\groups\Testgroupidm" src-entry-id="48640">
<add-attr attr-name="Member">
<value timestamp="1264580300#1"
type="dn">\IDM\idm\users\active\idmtest</value>
<value timestamp="1264580300#6"
type="dn">\IDM\idm\users\active\idmtest2</value>
</add-attr>
</add>
</input>
</nds>
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Applying policy: sub-mp.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
Applying to add #1.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
Evaluating selection criteria for rule 'veto out-of-scope events'.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
(if-op-property 'attempt-to-match' not-available) = TRUE.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST: Rule
selected.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
Applying rule 'veto out-of-scope events'.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
Action: do-veto().
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Policy returned:
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Processing returned document.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Processing operation <status> for .
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
DirXML Log Event -------------------
Driver: \IDM\idm\Driver Set\Active Directory test2int with groups
Channel: Subscriber
Object: \IDM\idm\groups\Testgroupidm
Status: Warning
Message: Code(-8016) Operation vetoed by object matching policy.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:End
transaction.


--
wbeerten
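
Added example, not part of the original post: a small Python reader for the engine trace above that re-joins the hard-wrapped lines and lists, per evaluated rule, its policy, each condition with its TRUE/FALSE result, and any actions, so the rule that issued do-veto() can be picked out. The function names are illustrative, and the sample entries are copied from the trace with the XML documents left out.

```python
import re

HEAD = re.compile(r"\n(?=\d\d:\d\d:\d\d [0-9A-F]+ Drvrs:)")  # start of a trace entry
BODY = re.compile(r"Drvrs: .*? ST:\s*(.*)$")                  # message after "ST:"
COND = re.compile(r"^\((.*)\) = (TRUE|FALSE)\.$")             # one evaluated condition

# Entries copied from the trace above, wrapping kept; XML documents left out.
TRACE = r"""
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Applying policy: sub-mp-Scoping.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
Evaluating selection criteria for rule 'remember relative position in
hierarchy'.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
(if-src-dn in-subtree "idm\users\active") = FALSE.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups
ST:Applying policy: sub-mp.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
Evaluating selection criteria for rule 'veto out-of-scope events'.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
(if-op-property 'attempt-to-match' not-available) = TRUE.
15:10:08 9B024BA0 Drvrs: Active Directory test2int with groups ST:
Action: do-veto().
"""

def entries(trace):
    """Split on entry headers, re-join hard-wrapped lines, return each message."""
    chunks = (" ".join(c.split()) for c in HEAD.split("\n" + trace))
    return [m.group(1) for m in map(BODY.search, chunks) if m]

def parse_rules(trace):
    """Return one dict per evaluated rule, in trace order."""
    rules, policy = [], None
    for msg in entries(trace):
        cond = COND.match(msg)
        if msg.startswith("Applying policy: "):
            policy = msg.split(": ", 1)[1].rstrip(".")
        elif msg.startswith("Evaluating selection criteria for rule '"):
            name = msg.split("'", 1)[1].rsplit("'", 1)[0]
            rules.append({"policy": policy, "rule": name, "conditions": [], "actions": []})
        elif rules and cond:
            rules[-1]["conditions"].append((cond.group(1), cond.group(2) == "TRUE"))
        elif rules and msg.startswith("Action: "):
            rules[-1]["actions"].append(msg.split(": ", 1)[1].rstrip("."))
    return rules

def find_veto(rules):
    """Return the first rule whose actions include do-veto(), else None."""
    return next((r for r in rules if "do-veto()" in r["actions"]), None)
```

On the sample, find_veto(parse_rules(TRACE)) returns the rule 'veto out-of-scope events' in policy sub-mp, whose only condition (op-property 'attempt-to-match' not available) evaluated TRUE.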