Hi,

I have an identity vault with 2 servers in the tree.

Server A has the master replica of my identity data. Server B has a RW
replica of the same data.

Server B also has the engine and drivers installed, including the
role-based entitlements driver. When we test our RBE policies (via the "test
filter" button in iMan.), it shows that they operate as expected.

When trying to evaluate RBE membership in the Entitlements driver, we
get the following:

(Entitlement driver trace)

<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.1.20070411 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User" event-id="CORNWAD1#20080612060308#1#1"
qualified-src-dn="O=communities\OU=staff\CN=C00273"
src-dn="\CORP\communities\staff\C00273" src-entry-id="37536"
timestamp="1213250583#7">
<association
state="associated">{CCD60E81-E7CE-11D9-B9C5-000D60EBD9DA}</association>
<modify-attr attr-name="STGBPMGrps">
<add-value>
<value timestamp="1213250583#1"
type="string">SGIAdministrator</value>
</add-value>
</modify-attr>
<modify-attr attr-name="STGBPMAccess">
<remove-value>
<value timestamp="1213250580#7" type="state">false</value>
</remove-value>
<add-value>
<value timestamp="1213250583#7" type="state">true</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[06/12/08 16:03:08.682]:CORP-ENT ST:BEGIN evaluate object
@dn='communities\staff\C00273'
[06/12/08 16:03:08.682]:CORP-ENT ST:determine policy membership:
[06/12/08 16:03:08.683]:CORP-ENT ST: is NOT a member of entitlement
policy 'admin\DirXML\DriverSet2\Entitlement
Policies\SGISuperUserEntitlementPolicy
[06/12/08 16:03:08.684]:CORP-ENT ST: is NOT a member of entitlement
policy 'admin\DirXML\DriverSet2\Entitlement
Policies\SGIAdministratorEntitlementPolicy
[06/12/08 16:03:08.684]:CORP-ENT ST: is NOT a member of entitlement
policy 'admin\DirXML\DriverSet2\Entitlement
Policies\SGIUserEntitlementPolicy
[06/12/08 16:03:08.685]:CORP-ENT ST: is NOT a member of entitlement
policy 'admin\DirXML\DriverSet2\Entitlement
Policies\BPMAccountEntitlement


Further investigation (DS Traces on Server A and B) found that when
evaluating membership on the RBE policy (i.e., dynamic group object),
Server A was actually being queried.

Does anyone know if this is normal operation for RBE? Is there a
workaround? Would browsing to the server with a master replica even affect
the functionality of RBE?

Any help would be much appreciated.

Thanks in advance.

Paul


--
pnemet