Hello,

I am testing out our new Active Directory driver for production and am
finding that the driver creates the account in AD, places an entitlement
and alias on the identity, but the remote loader log is throwing an
error regarding setting the password. I confirmed the account the
driver is using is a domain admin and the driver object itself has
security equivalent to an admin in the IDM Vault engine tree. Any ideas
why I am getting an access denied error?



DirXML: [10/04/10 13:55:09.32]: ADDriver: Connect using ldap_bind:
user=didm999, domain=upcorp, password=***, method=negotiate,
server=omhq5952.upcorp.ad.uprr.com, sign=no, seal=no ssl=no
DirXML: [10/04/10 13:55:09.34]: ADDriver: ldap_bind connection
succeeded
DirXML: [10/04/10 13:55:09.34]: ADDriver: query
base DN: dc=upcorp,dc=ad,dc=uprr,dc=com,
filter:
(&(&(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=upcorp,DC=ad,DC=uprr,DC=com)(objectClass=user))(cn=igen401)),
return: (attribute values) objectClass, objectGUID,
DirXML: [10/04/10 13:55:09.34]: ADDriver: query
base DN: dc=upcorp,dc=ad,dc=uprr,dc=com,
filter:
(&(&(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=upcorp,DC=ad,DC=uprr,DC=com)(objectClass=user))(cn=igen401)),
return: (attribute values) objectClass, objectGUID,
DirXML: [10/04/10 13:55:09.34]: ADDriver: ldap get next page (
2147483647)

Driver = \VAULT_PRD\up\services\idm\IDMDriverSet\Active Directory
Thread = Subscriber Channel
Level = success
DirXML: [10/04/10 13:55:09.67]: Loader: Received 'subscriber execute'
document
DirXML: [10/04/10 13:55:09.67]: Loader: XML Document:
DirXML: [10/04/10 13:55:09.67]: <nds dtdversion="3.5"
ndsversion="8.x">
<source>
<product version="3.5.10.20070918 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="user"
dest-dn="CN=igen401,ou=UPUsers,dc=upcorp,dc=ad,dc=uprr,dc=com"
event-id="omhq14e8#20101004185509#1#1"
qualified-src-dn="O=up\OU=VAULT\OU=IDENTITIES\CN=0000000927"
src-dn="\VAULT_PRD\up\VAULT\IDENTITIES\0000000927"
src-entry-id="35752">
<add-attr attr-name="displayName">
<value timestamp="1231796862#6" type="string">Troubleshooting,
User</value>
</add-attr>
<add-attr attr-name="givenName">
<value timestamp="1231796862#3"
type="string">Troubleshooting</value>
</add-attr>
<add-attr attr-name="initials">
<value timestamp="1231796862#4" type="string">N</value>
</add-attr>
<add-attr attr-name="physicalDeliveryOfficeName">
<value timestamp="1231796862#15" type="string">Daly City</value>
</add-attr>
<add-attr attr-name="dirxml-uACAccountDisable">
<value timestamp="1231796862#37" type="state">false</value>
</add-attr>
<add-attr attr-name="l">
<value timestamp="1231796862#11" type="string">San
Francisco</value>
</add-attr>
<add-attr attr-name="postalCode">
<value timestamp="1231796862#13" type="string">94109</value>
</add-attr>
<add-attr attr-name="st">
<value timestamp="1231796862#12" type="string">CA</value>
</add-attr>
<add-attr attr-name="streetAddress">
<value>Hyde Street</value>
</add-attr>
<add-attr attr-name="sn">
<value timestamp="1231796862#5" type="string">User</value>
</add-attr>
<add-attr attr-name="employeeID">
<value timestamp="1231796862#7" type="string">0000000927</value>
</add-attr>
<add-attr attr-name="sAMAccountName">
<value type="string">igen401</value>
</add-a
DirXML: [10/04/10 13:55:09.67]: ttr>
<add-attr attr-name="userPrincipalName">
<value type="string">igen401@upcorp.ad.uprr.com</value>
</add-attr>
<password><!-- content suppressed --></password>
</add>
</input>
</nds>
DirXML: [10/04/10 13:55:09.67]: Loader: Calling
subscriptionShim->execute()
DirXML: [10/04/10 13:55:09.81]: Loader: XML Document:
DirXML: [10/04/10 13:55:09.82]: <nds dtdversion="3.5"
ndsversion="8.x">
<source>
<product version="3.5.10.20070918 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="user"
dest-dn="CN=igen401,ou=UPUsers,dc=upcorp,dc=ad,dc=uprr,dc=com"
event-id="omhq14e8#20101004185509#1#1"
qualified-src-dn="O=up\OU=VAULT\OU=IDENTITIES\CN=0000000927"
src-dn="\VAULT_PRD\up\VAULT\IDENTITIES\0000000927"
src-entry-id="35752">
<add-attr attr-name="displayName">
<value timestamp="1231796862#6" type="string">Troubleshooting,
User</value>
</add-attr>
<add-attr attr-name="givenName">
<value timestamp="1231796862#3"
type="string">Troubleshooting</value>
</add-attr>
<add-attr attr-name="initials">
<value timestamp="1231796862#4" type="string">N</value>
</add-attr>
<add-attr attr-name="physicalDeliveryOfficeName">
<value timestamp="1231796862#15" type="string">Daly City</value>
</add-attr>
<add-attr attr-name="dirxml-uACAccountDisable">
<value timestamp="1231796862#37" type="state">false</value>
</add-attr>
<add-attr attr-name="l">
<value timestamp="1231796862#11" type="string">San
Francisco</value>
</add-attr>
<add-attr attr-name="postalCode">
<value timestamp="1231796862#13" type="string">94109</value>
</add-attr>
<add-attr attr-name="st">
<value timestamp="1231796862#12" type="string">CA</value>
</add-attr>
<add-attr attr-name="streetAddress">
<value>Hyde Street</value>
</add-attr>
<add-attr attr-name="sn">
<value timestamp="1231796862#5" type="string">User</value>
</add-attr>
<add-attr attr-name="employeeID">
<value timestamp="1231796862#7" type="string">0000000927</value>
</add-attr>
<add-attr attr-name="sAMAccountName">
<value type="string">igen401</value>
</add-a
DirXML: [10/04/10 13:55:09.82]: ttr>
<add-attr attr-name="userPrincipalName">
<value type="string">igen401@upcorp.ad.uprr.com</value>
</add-attr>
<password><!-- content suppressed --></password>
</add>
</input>
</nds>
DirXML: [10/04/10 13:55:09.84]: ADDriver: parse command

className user
destDN CN=igen401,ou=UPUsers,dc=upcorp,dc=ad,dc=uprr,dc=com
eventId omhq14e8#20101004185509#1#1
association
DirXML: [10/04/10 13:55:09.85]: ADDriver: MadCommandAdd:nCommand
DirXML: [10/04/10 13:55:09.85]: ADDriver:
MadCommandAdd::insertXdsAttributes()
DirXML: [10/04/10 13:55:09.85]: ADDriver: displayName
DirXML: [10/04/10 13:55:09.87]: ADDriver: givenName
DirXML: [10/04/10 13:55:09.87]: ADDriver: initials
DirXML: [10/04/10 13:55:09.87]: ADDriver: physicalDeliveryOfficeName
DirXML: [10/04/10 13:55:09.92]: ADDriver: dirxml-uACAccountDisable
DirXML: [10/04/10 13:55:09.92]: ADDriver: l
DirXML: [10/04/10 13:55:09.92]: ADDriver: postalCode
DirXML: [10/04/10 13:55:09.92]: ADDriver: st
DirXML: [10/04/10 13:55:09.92]: ADDriver: streetAddress
DirXML: [10/04/10 13:55:09.92]: ADDriver: sn
DirXML: [10/04/10 13:55:09.92]: ADDriver: employeeID
DirXML: [10/04/10 13:55:09.92]: ADDriver: sAMAccountName
DirXML: [10/04/10 13:55:09.92]: ADDriver: userPrincipalName
DirXML: [10/04/10 13:55:09.92]: ADDriver: Add user
CN=igen401,ou=UPUsers,dc=upcorp,dc=ad,dc=uprr,dc=com
LDAPMod operations:
add attribute objectClass
>> user

add attribute objectCategory
>> CN=Person,CN=Schema,CN=Configuration,DC=upcorp,DC=ad,DC=uprr,DC=com

add attribute displayName
>> Troubleshooting, User

add attribute givenName
>> Troubleshooting

add attribute initials
>> N

add attribute physicalDeliveryOfficeName
>> Daly City

add attribute l
>> San Francisco

add attribute postalCode
>> 94109

add attribute st
>> CA

add attribute streetAddress
>> Hyde Street

add attribute sn
>> User

add attribute employeeID
>> 0000000927

add attribute sAMAccountName
>> igen401

add attribute userPrincipalName
>> igen401@upcorp.ad.uprr.com

DirXML: [10/04/10 13:55:09.95]: ADDriver: change password: old=(none),
new=***
DirXML: [10/04/10 13:55:11.25]: ADDriver: Could not set password via
platform call. Err=5
DirXML: [10/04/10 13:55:11.25]: ADDriver: password change complete
DirXML: [10/04/10 13:55:11.25]: ADDriver: set userAccountControl
returns 0x0035
DirXML: [10/04/10 13:55:11.25]: Loader: subscriptionShim->execute()
returned:
DirXML: [10/04/10 13:55:11.25]: Loader: XML Document:
DirXML: [10/04/10 13:55:11.25]: <nds ndsversion="8.7"
dtdversion="1.1">
<source>
<product version="3.5.5" asn1id="" build="20090313_120000"
instance="\VAULT_PRD\up\services\idm\IDMDriverSet\Active
Directory">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<add-association dest-dn="\VAULT_PRD\up\VAULT\IDENTITIES\0000000927"
dest-entry-id="35752"
event-id="omhq14e8#20101004185509#1#1">15978acef5c986419926ab0d92590fb9</add-association>
<status level="error" type="driver-general"
event-id="omhq14e8#20101004185509#1#1">Could not set password via
platform call. Err=5 (access denied)</status>
<status level="success" event-id="omhq14e8#20101004185509#1#1"/>
</output>
</nds>
DirXML: [10/04/10 13:55:11.25]:
DirXML Log Event -------------------
Driver = \VAULT_PRD\up\services\idm\IDMDriverSet\Active Directory
Thread = Subscriber Channel
* Object = \VAULT_PRD\up\VAULT\IDENTITIES\0000000927
(CN=igen401,ou=UPUsers,dc=upcorp,dc=ad,dc=uprr,dc=com)
Level = error
Message = Could not set password via platform call. Err=5 (access
denied)*
DirXML: [10/04/10 13:55:11.26]:
DirXML Log Event -------------------
Driver = \VAULT_PRD\up\services\idm\IDMDriverSet\Active Directory
Thread = Subscriber Channel
Object = \VAULT_PRD\up\VAULT\IDENTITIES\0000000927
(CN=igen401,ou=UPUsers,dc=upcorp,dc=ad,dc=uprr,dc=com)
Level = success


--
thrabak
------------------------------------------------------------------------
thrabak's Profile: http://forums.novell.com/member.php?userid=44572
View this thread: http://forums.novell.com/showthread.php?t=422537
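For triaging traces like the one above, here is an added Python example (not part of the original post and not Novell driver code) that parses the prefixed remote loader lines, reports which account the shim bound to AD with, and pairs each "Could not set password via platform call. Err=N" line with the DN of the user being added. The sample log is a constructed excerpt modelled on the post; the error-code table is assumed from the Win32 error list, with 5 being the access-denied code the post shows.

```python
import re

# Codes the AD driver reports as "Err=N" (Win32 / NetAPI values; 5 is the one
# in the post, the other entries are assumed from the Win32 error list)
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    1325: "ERROR_PASSWORD_RESTRICTION",
    1326: "ERROR_LOGON_FAILURE",
    2245: "NERR_PasswordTooShort",
}

# Constructed excerpt modelled on the remote loader trace in the post
SAMPLE_LOG = """\
DirXML: [10/04/10 13:55:09.32]: ADDriver: Connect using ldap_bind: user=didm999, domain=upcorp, password=***, method=negotiate, server=omhq5952.upcorp.ad.uprr.com, sign=no, seal=no ssl=no
DirXML: [10/04/10 13:55:09.34]: ADDriver: ldap_bind connection succeeded
DirXML: [10/04/10 13:55:09.67]: Loader: Received 'subscriber execute' document
DirXML: [10/04/10 13:55:09.92]: ADDriver: Add user CN=igen401,ou=UPUsers,dc=upcorp,dc=ad,dc=uprr,dc=com
DirXML: [10/04/10 13:55:09.95]: ADDriver: change password: old=(none), new=***
DirXML: [10/04/10 13:55:11.25]: ADDriver: Could not set password via platform call. Err=5
DirXML: [10/04/10 13:55:11.25]: ADDriver: password change complete
"""

LINE_RE = re.compile(r"^DirXML: \[(?P<ts>[^\]]+)\]: (?P<comp>\w+): (?P<msg>.*)$")

def parse_trace(text):
    """Split prefixed trace lines into (timestamp, component, message) tuples."""
    return [(m["ts"], m["comp"], m["msg"].strip())
            for m in map(LINE_RE.match, text.splitlines()) if m]

def bind_identity(events):
    """Return (user, domain, method) the shim used for ldap_bind, or None."""
    for _, comp, msg in events:
        if comp == "ADDriver" and msg.startswith("Connect using ldap_bind:"):
            fields = dict(kv.split("=", 1) for kv in re.findall(r"\w+=[^,\s]+", msg))
            return fields.get("user"), fields.get("domain"), fields.get("method")
    return None

def password_failures(events):
    """Pair each 'Could not set password' error with the DN of the preceding 'Add user'."""
    failures, current_dn = [], None
    for ts, comp, msg in events:
        if comp != "ADDriver":
            continue
        if msg.startswith("Add user "):
            current_dn = msg[len("Add user "):]   # DN the shim is creating
        m = re.search(r"Could not set password via platform call\. Err=(\d+)", msg)
        if m:
            code = int(m.group(1))
            failures.append({"ts": ts, "dn": current_dn, "err": code,
                             "meaning": WIN32_ERRORS.get(code, "unknown")})
    return failures
```

Because the response in the post carries an add-association and a success status alongside the error, the account exists in AD without the password the driver tried to set, so a triage script should treat any Err=5 hit from password_failures as a provisioning failure rather than a benign warning.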