Hi,

We are having a strange issue with some users where an eDirectory
domain is trying to write to the Identity Vault. I have taken a look at
the DirXML trace on both the source and destination servers and for the
users having the problem, the driver is searching the wrong OU in the
identity vault for their account (in the root of the tree, rather than
the people container). For the vast majority of users, the correct
ou/container is searched and their attributes synchronised.

I've attached the trace from the source eDirectory and the destination
IDM vault as well as a comparison trace with a functioning user. Does
anyone have a clue what is setting these non-functional user accounts
apart?

Source Trace:

<application>DirXML</application>
<module>Tree</module>
<object-dn>\Tree\O\Ou\Ou\Ou\DudeS (\Dud-E Some 4mk7pb9ct)</object-dn>
<component>Publisher</component>
<operation-data>
<password-subscribe-status>
<association/>
</password-subscribe-status>
</operation-data>
</status>
</output>
</nds>
18:43:01 4943C600 Drvrs: IDM ST:Applying schema mapping policies to input.
18:43:01 4943C600 Drvrs: IDM ST:Applying policy: MappingRule.
18:43:01 4943C600 Drvrs: IDM ST:Resolving association references.
18:43:01 4943C600 Drvrs: IDM ST:Processing returned document.
18:43:01 4943C600 Drvrs: IDM ST:Processing operation <status> for .
18:43:01 4943C600 Drvrs: IDM ST:
DirXML Log Event -------------------
Driver: \Tree\O\Ou\DirXML\DriverSet-4\IDM
Channel: Subscriber
Object: \Tree\O\Ou\Ou\Ou\DudeS
Status: Error
Message: Code(-9010) An exception occurred: novell.jclient.JCException:
nameToID -601 ERR_NO_SUCH_ENTRY<application>DirXML</application>
<module>Tree</module>
<object-dn>\Tree\O\Ou\Ou\Ou\DudeS (\Dud-E Some 4mk7pb9ct)</object-dn>
<component>Publisher</component>
18:43:01 4943C600 Drvrs: IDM ST:End transaction.

IDM Trace:

<application>DirXML</application>
<module>Tree</module>
<object-dn>\Tree\O\Ou\Ou\Ou\DudeS (\Dud-E Some 4mk7pb9ct)</object-dn>
<component>Publisher</component>
<operation-data>
<password-subscribe-status>
<association/>
</password-subscribe-status>
</operation-data>
</status>
</output>
</nds>
13:57:29 4943C600 Drvrs: IDM ST:Applying schema mapping policies to input.
13:57:29 4943C600 Drvrs: IDM ST:Applying policy: MappingRule.
13:57:29 4943C600 Drvrs: IDM ST:Resolving association references.
13:57:29 4943C600 Drvrs: IDM ST:Processing returned document.
13:57:29 4943C600 Drvrs: IDM ST:Processing operation <status> for .
13:57:29 4943C600 Drvrs: IDM ST:
DirXML Log Event -------------------
Driver: \Tree\O\Ou\DirXML\DriverSet-4\IDM
Channel: Subscriber
Object: \Tree\O\Ou\Ou\Ou\DudeS
Status: Error
Message: Code(-9010) An exception occurred: novell.jclient.JCException:
nameToID -601 ERR_NO_SUCH_ENTRY<application>DirXML</application>
<module>Tree</module>
<object-dn>\Tree\O\Ou\Ou\Ou\DudeS (\Dud-E Some 4mk7pb9ct)</object-dn>
<component>Publisher</component>
13:57:29 4943C600 Drvrs: IDM ST:End transaction.

(Ignore the non-matching timestamps; I checked things out from the
source directory before running 2 more traces the next day, one on each
side. The source trace returned the same error it did previously for
this user, which I already had stored, so I only copied the trace from
the IDM vault.)

Functional user:

43:36 4943C600 Drvrs: IDM ST:
DirXML Log Event -------------------
Driver: \Tree\O\Ou\DirXML\DriverSet-4\IDM
Channel: Subscriber
Object: \Tree\O\Ou\Ou\Ou\GuyA
Status: Success
Message: <application>DirXML</application>
<module>Tree</module>
<object-dn>\Tree\O\Ou\Ou\Ou\GuyA (People\Guy A 4gjj2cdlr)</object-dn>
<component>Publisher</component>
18:43:36 4943C600 Drvrs: IDM ST:End transaction.

The difference in syntax in the object-dn line leads me to believe the
driver is trying to search for these users with issues in the IDM\ Tree
rather than the IDM\People\ Organisation object. The reason why it would
then return a -601 error is pretty obvious. Why it would do so in the
first place baffles me. I have checked the matching policy on the driver
and it is set to check IDM\People\, IDM\Inactive\, and
ADMIN\Duplicates\. It's not told to search IDM\ anywhere, nor should
it.

We are running IDM 3.5.2 on NetWare 6.5 servers. There is a project in
the works to upgrade to OES, but for now we have to work with what we
have.

Does anyone have any ideas?

Regards,
Bruno


--
fergubru
------------------------------------------------------------------------
fergubru's Profile: http://forums.novell.com/member.php?userid=124710
View this thread: http://forums.novell.com/showthread.php?t=453198
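
Added example, not part of the original post and not Novell tooling: a small Python triage script that reads DirXML trace text, pulls the <object-dn> line of each log event, and lists the events whose parenthesised DN falls outside the containers named in the matching policy. Reading the parenthesised value as the Identity Vault DN follows the poster's interpretation and is an assumption, as are the function names, EXPECTED_CONTAINERS and the sample trace (constructed from the two events quoted above).

```python
import re

# Constructed sample, assembled from the two log events quoted in the post.
SAMPLE_TRACE = r"""
DirXML Log Event -------------------
Driver: \Tree\O\Ou\DirXML\DriverSet-4\IDM
Channel: Subscriber
Object: \Tree\O\Ou\Ou\Ou\DudeS
Status: Error
Message: Code(-9010) An exception occurred: novell.jclient.JCException:
nameToID -601 ERR_NO_SUCH_ENTRY<application>DirXML</application>
<object-dn>\Tree\O\Ou\Ou\Ou\DudeS (\Dud-E Some 4mk7pb9ct)</object-dn>
DirXML Log Event -------------------
Driver: \Tree\O\Ou\DirXML\DriverSet-4\IDM
Channel: Subscriber
Object: \Tree\O\Ou\Ou\Ou\GuyA
Status: Success
Message: <application>DirXML</application>
<object-dn>\Tree\O\Ou\Ou\Ou\GuyA (People\Guy A 4gjj2cdlr)</object-dn>
"""

# Assumption: container names taken from the matching policy described in the post.
EXPECTED_CONTAINERS = {"People", "Inactive", "Duplicates"}

EVENT_SPLIT = re.compile(r"DirXML Log Event -+")
STATUS = re.compile(r"^Status:\s*(\w+)", re.M)
ERROR_CODE = re.compile(r"Code\((-?\d+)\)")
OBJECT_DN = re.compile(r"<object-dn>(?P<src>.*?) \((?P<dest>.*?)\)</object-dn>")

def parse_events(trace):
    """Return one dict per log event that carries a status and an object-dn."""
    events = []
    for chunk in EVENT_SPLIT.split(trace)[1:]:
        status, dn = STATUS.search(chunk), OBJECT_DN.search(chunk)
        if not (status and dn):
            continue  # incomplete event (e.g. trace cut off mid-record)
        # Leading backslash stripped; no remaining backslash means tree root.
        container, _, name = dn.group("dest").lstrip("\\").rpartition("\\")
        code = ERROR_CODE.search(chunk)
        events.append({"source": dn.group("src"), "container": container,
                       "name": name, "status": status.group(1),
                       "code": int(code.group(1)) if code else None})
    return events

def flag_misplaced(events, expected=EXPECTED_CONTAINERS):
    """Events whose parenthesised DN sits outside the expected containers."""
    return [e for e in events if e["container"] not in expected]

if __name__ == "__main__":
    for e in flag_misplaced(parse_events(SAMPLE_TRACE)):
        print(e["source"], "->", repr(e["container"]), e["status"], e["code"])
```

Run over a full trace file, the flagged list gives the set of source objects to compare against the working ones.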