Hi,
I have encounter a strange behaviour on entitlement driver.
There is about 50 policies working fine for six months. Since a few
days, some accounts are not granted anymore. This append with new or
updated accounts, on one policy only as far I can see.
Obviously, there is no change on any policies or driver or something
else.
Amazingly, some accounts (new or updated) are well granted, and some
not.

The policy which seems to stop working well is a very simple one :
Objectclass=user AND C=FR. This grant two entitlements.
When one or more attribute are updated (OU, custom attributes...) the
entitlement is revoked. But if I check membership, using iManager, the
account apperas as a member.

I reevaluate mebership for some accounts one by one, then for the
subtree and entitlements are now granted well.
I'm a bit stuck as I see no reason for the revocation.

Does anybody encouter this kind of trouble ?

Following is a level 3 trace of the entitlement driver for an account
beeing updated on 2 attributes which have nothing to deal with the
entitlement policy.


Thanks for help

Gilles


[07/08/10 18:42:31.867]:Entitlements Service ST:No event transformation
policies.
[07/08/10 18:42:31.864]:Entitlements Service ST:Subscriber processing
modify for \IDV-INT\COMPANY\Users\FR\10457.
[07/08/10 18:42:31.864]:Entitlements Service ST:No command
transformation policies.
[07/08/10 18:42:31.864]:Entitlements Service ST:Filtering out
notification-only attributes.
[07/08/10 18:42:31.864]:Entitlements Service ST:Fixing up association
references.
[07/08/10 18:42:31.864]:Entitlements Service ST:No schema mapping
policies.
[07/08/10 18:42:31.865]:Entitlements Service ST:No output
transformation policies.
[07/08/10 18:42:31.877]:Entitlements Service ST:Submitting document to
subscriber shim:
[07/08/10 18:42:31.877]:Entitlements Service ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20100708164231.782Z" class-name="User"
event-id="PK_PERSON_ID=45193,table=XXCOHR_IDENTITY_MAJOR _V"
qualified-src-dn="O=COMPANY\OU=Users\OU=FR\CN=10457"
src-dn="\IDV-INT\COMPANY\Users\FR\10457" src-entry-id="35295"
timestamp="1278607351#6">
<association
state="associated">{75F12704-F900-427F-8DA5-0427F17500F9}</association>
<modify-attr attr-name="COMPANYDepartmentName">
<remove-value>
<value timestamp="1271373361#14" type="string">Industry
Audit</value>
</remove-value>
<add-value>
<value timestamp="1278607351#6" type="string">Services
Audit</value>
</add-value>
</modify-attr>
<modify-attr attr-name="OU">
<remove-value>
<value timestamp="1271373361#25"
type="string">INDUSTRY_AUDIT</value>
</remove-value>
<add-value>
<value timestamp="1278607351#5"
type="string">SERVICES_AUDIT</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[07/08/10 18:42:31.881]:Entitlements Service ST:BEGIN evaluate object
@dn='COMPANY\Users\FR\10457'
[07/08/10 18:42:31.881]:Entitlements Service ST:determine policy
membership:
[07/08/10 18:42:31.892]:Entitlements Service ST: is NOT a member of
entitlement policy 'COMPANY\Services\DrvSet\Entitlement
Policies\ep-NL-Group-afd_Fiscalisten_Belastingadvies_GSG
[07/08/10 18:42:31.897]:Entitlements Service ST: is NOT a member of
entitlement policy 'COMPANY\Services\DrvSet\Entitlement
Policies\ep-FR-Grant
[07/08/10 18:42:31.899]:Entitlements Service ST: is NOT a member of
entitlement policy 'COMPANY\Services\DrvSet\Entitlement
Policies\ep-NL-Group-vest_Nijmegen_GSG
[07/08/10 18:42:32.698]:Entitlements Service ST:add aux class:
[07/08/10 18:42:32.696]:Entitlements Service ST: overwrite:
Syntax=SYNTAX_CLASS_NAME, attributeName=Object Class,
className=DirXML-EntitlementRecipient
[07/08/10 18:42:32.696]:Entitlements Service ST:resolve conflicts:
[07/08/10 18:42:32.696]:Entitlements Service ST: no conflicts for
entitlement 'COMPANY\Services\DrvSet\EBS\Account'
[07/08/10 18:42:32.701]:Entitlements Service ST:read legacy refs:
[07/08/10 18:42:32.701]:Entitlements Service STbject doesn't have any
legacy entitlement refs
[07/08/10 18:42:32.705]:Entitlements Service ST:handle invalid refs:
[07/08/10 18:42:32.705]:Entitlements Service ST:read results:
[07/08/10 18:42:32.709]:Entitlements Service ST: removing result
surpassing threshold: Syntax=SYNTAX_OCTET_STRING, length=234,
octetStringXml=<result><dn>CN=UserAccount,CN=AD-FR,CN=DrvSet,OU=Services,O=COMPANY</dn><src>RBE</src><id>COMPANY\Services\DrvSet\Entitlement
Policies\ep-FR-Grant</id><state>1</state><status>success</status><timestamp>1275065212749</timestamp></result>
[07/08/10 18:42:32.709]:Entitlements Service ST: removing result
surpassing threshold: Syntax=SYNTAX_OCTET_STRING, length=234,
octetStringXml=<result><dn>CN=UserAccount,CN=AD-FR,CN=DrvSet,OU=Services,O=COMPANY</dn><src>RBE</src><id>COMPANY\Services\DrvSet\Entitlement
Policies\ep-FR-Grant</id><state>1</state><status>success</status><timestamp>1275065212785</timestamp></result>
[07/08/10 18:42:32.712]:Entitlements Service ST: removing result
surpassing threshold: Syntax=SYNTAX_OCTET_STRING, length=234,
octetStringXml=<result><dn>CN=UserAccount,CN=AD-FR,CN=DrvSet,OU=Services,O=COMPANY</dn><src>RBE</src><id>COMPANY\Services\DrvSet\Entitlement
Policies\ep-FR-Grant</id><state>1</state><status>success</status><timestamp>1271685646096</timestamp></result>
[07/08/10 18:42:32.719]:Entitlements Service ST: removing result
surpassing threshold: Syntax=SYNTAX_OCTET_STRING, length=234,
octetStringXml=<result><dn>CN=UserAccount,CN=AD-FR,CN=DrvSet,OU=Services,O=COMPANY</dn><src>RBE</src><id>COMPANY\Services\DrvSet\Entitlement
Policies\ep-FR-Grant</id><state>1</state><status>success</status><timestamp>1276704110830</timestamp></result>
[07/08/10 18:42:32.716]:Entitlements Service ST:convert legacy refs:
[07/08/10 18:42:32.716]:Entitlements Service ST:handle current refs:
[07/08/10 18:42:32.717]:Entitlements Service ST: revoke ref: [state=1,
src=RBE, ent=COMPANY\Services\DrvSet\AD-FR\UserAccount,
id=COMPANY\Services\DrvSet\Entitlement Policies\ep-FR-Grant]
[07/08/10 18:42:32.717]:Entitlements Service ST: remove:
Syntax=SYNTAX_PATH, volumeDN=COMPANY\Services\DrvSet\AD-FR\UserAccount,
volumePath=<ref><src>RBE</src><id>COMPANY\Services\DrvSet\Entitlement
Policies\ep-FR-Grant</id></ref>, nameSpace=1
[07/08/10 18:42:32.725]:Entitlements Service ST: add:
Syntax=SYNTAX_PATH, volumeDN=COMPANY\Services\DrvSet\AD-FR\UserAccount,
volumePath=<ref><src>RBE</src><id>COMPANY\Services\DrvSet\Entitlement
Policies\ep-FR-Grant</id></ref>, nameSpace=0
[07/08/10 18:42:32.726]:Entitlements Service ST: no change: [state=1,
src=RBE, ent=COMPANY\Services\DrvSet\EBS\Account,
id=COMPANY\Services\DrvSet\Entitlement Policies\ep-Drv-EBS-Grant]
[07/08/10 18:42:32.725]:Entitlements Service ST: revoke ref: [state=1,
src=RBE, ent=COMPANY\Services\DrvSet\OID-FR\Account,
id=COMPANY\Services\DrvSet\Entitlement Policies\ep-FR-Grant]
[07/08/10 18:42:32.729]:Entitlements Service ST: remove:
Syntax=SYNTAX_PATH, volumeDN=COMPANY\Services\DrvSet\OID-FR\Account,
volumePath=<ref><src>RBE</src><id>COMPANY\Services\DrvSet\Entitlement
Policies\ep-FR-Grant</id></ref>, nameSpace=1
[07/08/10 18:42:32.729]:Entitlements Service ST: add:
Syntax=SYNTAX_PATH, volumeDN=COMPANY\Services\DrvSet\OID-FR\Account,
volumePath=<ref><src>RBE</src><id>COMPANY\Services\DrvSet\Entitlement
Policies\ep-FR-Grant</id></ref>, nameSpace=0
[07/08/10 18:42:32.733]:Entitlements Service ST:handle missing refs:
[07/08/10 18:42:32.732]:Entitlements Service ST:writing changes...
[07/08/10 18:42:32.801]:Entitlements Service ST:written
[07/08/10 18:42:32.801]:Entitlements Service ST:END evaluate object
@dn='COMPANY\Users\FR\10457'
[07/08/10 18:42:32.802]:Entitlements Service
ST:SubscriptionShim.execute() returned:
[07/08/10 18:42:32.802]:Entitlements Service ST:
<nds dtdversion="3.0">
<source>
<product build="20090520_1257"
instance="\IDV-INT\COMPANY\Services\DrvSet\Entitlements Service"
version="3.5.0">DirXML Entitlement Service Driver</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status event-id="PK_PERSON_ID=45193,table=XXCOHR_IDENTITY_MAJOR _V"
level="success" type="driver-general"/>
</output>
</nds>
[07/08/10 18:42:32.806]:Entitlements Service ST:No input transformation
policies.
[07/08/10 18:42:32.806]:Entitlements Service ST:No schema mapping
policies.
[07/08/10 18:42:32.806]:Entitlements Service ST:Resolving association
references.
[07/08/10 18:42:32.804]:Entitlements Service ST:Processing returned
document.
[07/08/10 18:42:32.809]:Entitlements Service ST:Processing operation
<status> for .
[07/08/10 18:42:32.809]:Entitlements Service ST:
DirXML Log Event -------------------
Driver: \IDV-INT\COMPANY\Services\DrvSet\Entitlements Service
Channel: Subscriber
Object: \IDV-INT\COMPANY\Users\FR\10457
Status: Success
[07/08/10 18:42:32.808]:Entitlements Service ST:End transaction.


--
gbastie
------------------------------------------------------------------------
gbastie's Profile: http://forums.novell.com/member.php?userid=31736
View this thread: http://forums.novell.com/showthread.php?t=415442