I know a lot of posts have been created regarding moves/ sync. However,
this one is very exotic and is also pissing me off...
I have an issue with a command/event interaction of two drivers. The
first driver is a PeopleSoft driver that activates an identity via the
Publisher channel by initiating a modify and a move (to an active
container) command to the Identity Vault. A second driver (Loopback
Password driver, Subscriber only) generates a Password upon this move
event. The Password driver is able to consume move events by adding an
assocation to the event and User object within the Subscriber ET. Both
drivers are located on the master replica and the move operation is
within one partition. No other drivers are running. IDM version is
The actual commands (modify + move) from the PeopleSoft driver (extract
from trace level 3):
'[XML] PeopleSoft Driver trace level 3 - Pastebin.com'
So far so good. However I notice two issues on the Subscriber Channel
of the Loopback Password driver:
1) The IDM engine fires a regular sync
2) It seems that eDir/IDM does not handle the move atomic
The actual input/output for the Loopback Password driver (trace level
'[XML] Loopback Password Driver trace level 3 - Pastebin.com'
-1) The IDM engine fires a regular sync-
What I would expect as events on the Loopback Password Driver:
- one or more sync events with @from-move='true'
- one move event
What I see in a trace level 3 of the Loopback Password Driver
- one sync event with @from-move='true'
- one cached sync event without @from-move='true'
- one sync event with @from-move='true' combined with a move event
Could anybody explain to me why I get a sync event without
@from-move='true'? In my understanding this event should not happen,
because this event is reserved for a regular sync (i.e. migrate from
Identity Vault). What is the reason that a regular sync is fired and for
-2) It seems that eDir/IDM does not handle the move atomic-
If you take a close look at the trace level 3 from the Loopback
Password Driver something strange is happening with the cached sync
event without @from-move='true' ([05/01/12 12:01:23.731]). If the DN of
the sync event is used by the SrcQueryProcessor to read a couple of
attributes, values are being returned nicely ([05/01/12 12:01:23.934]).
If another policy rule further down the chain, uses the same DN by using
the SrcCommandProccesor (issuing a modify-password), the command fails:
Code(-9010) An exception occurred: novell.jclient.JCException: -601
How is this possible? According to the SrcQueryProcessor the User is
situated in the Active container([05/01/12 12:01:23.948]). When I use
the same DN later on with the srcCommandProcessor it is not there
(yet?). Now this gives me two nasty feelings:
- moves are not atomic
-the query is not always done on the replica that the IDM engine
I can't imagine that this is the case, so therefore I hope somebody
could clarify this behaviour. This "feature" makes it quite impossible
to handle a move event reliable. Any thoughts?
sveldhuisen's Profile: http://forums.novell.com/member.php?userid=18142
View this thread: http://forums.novell.com/showthread.php?t=455357