Support Home Communities Home   Search Today's Posts Mark Forums Read
Notices


 
 
LinkBack Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 04-Apr-2008, 03:06 PM
Member
  
Join Date: Dec 2007
Posts: 52
johnehurst 0 reputation points
Default cannot sync group membership to AD
We have a IDM 3.5 system that was upgraded from IDM2, so drivers are legacy code but engines are not.

We sync only 1 group between our IDvault and AD. It is called trackitusers. We want all created users to be in this group.

Our ADDed users show up in the group in our IDvault on the eDir side, but they do not show up in the group in AD.

However, if we manually add a user to the group in eDir, that membership syncs to AD. If we delete a user from the group, they get deleted from AD. The exact same thing happens from AD to eDir. We can add a user or delete a users membership in that group and it syncs correctly.

It's only when we use IDM that we get no joy. BTW, the user does get added w/ all other attributes into AD, other than this group membership.

We do notice an LDAP error on adds that we cannot figure out. We see the following trace on the AD side at the very end of our ADDs. It does not seem to be related to the group membership.

We have small traces from the AD side and the eDir side that only show a single ADD, if necessary.



DirXML: [04/04/08 13:43:59.61]: Loader: Calling subscriptionShim->execute()
DirXML: [04/04/08 13:43:59.61]: Loader: XML Document:
DirXML: [04/04/08 13:43:59.61]: <nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.1.20070411 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="user" dest-dn="CN=55\, 33,OU=Pusd Users,DC=pusd,DC=dom" event-id="Active Directory##1191b2e73d2##0" src-dn="vault\Staff\3355" src-entry-id="203518">
<association>ffa511af19d47e47ad91d1d7a2a0ec64</association>
<modify-attr attr-name="wWWHomePage">
<remove-all-values/>
<add-value>
<value type="string"/>
</add-value>
</modify-attr>
<modify-attr attr-name="dirxml-uACAccountDisable">
<add-value>
<value type="string">FALSE</value>
</add-value>
</modify-attr>
<modify-attr attr-name="wWWHomePage">
<remove-all-values/>
<add-value>
<value type="string">3355</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [04/04/08 13:43:59.61]: ADDriver: parse command

className user
destDN CN=55\, 33,OU=Pusd Users,DC=pusd,DC=dom
eventId Active Directory##1191b2e73d2##0
association ffa511af19d47e47ad91d1d7a2a0ec64
DirXML: [04/04/08 13:43:59.61]: ADDriver: parse modify class = user
DirXML: [04/04/08 13:43:59.61]: ADDriver: association
DirXML: [04/04/08 13:43:59.61]: ADDriver: ffa511af19d47e47ad91d1d7a2a0ec64
DirXML: [04/04/08 13:43:59.61]: ADDriver: modify-attr
DirXML: [04/04/08 13:43:59.61]: ADDriver: remove-all-values
DirXML: [04/04/08 13:43:59.61]: ADDriver: add-value
DirXML: [04/04/08 13:43:59.61]: ADDriver: value
DirXML: [04/04/08 13:43:59.61]: ADDriver:
DirXML: [04/04/08 13:43:59.61]: ADDriver: modify-attr
DirXML: [04/04/08 13:43:59.61]: ADDriver: add-value
DirXML: [04/04/08 13:43:59.61]: ADDriver: value
DirXML: [04/04/08 13:43:59.61]: ADDriver: FALSE
DirXML: [04/04/08 13:43:59.61]: ADDriver: modify-attr
DirXML: [04/04/08 13:43:59.61]: ADDriver: remove-all-values
DirXML: [04/04/08 13:43:59.61]: ADDriver: add-value
DirXML: [04/04/08 13:43:59.61]: ADDriver: value
DirXML: [04/04/08 13:43:59.61]: ADDriver: 3355
DirXML: [04/04/08 13:43:59.61]: ADDriver: ldap_modify user CN=55\, 33,OU=Pusd Users,DC=pusd,DC=dom
LDAPMod operations:
delete attribute wWWHomePage
add attribute wWWHomePage
>>
delete attribute wWWHomePage
add attribute wWWHomePage
>> 3355
replace attribute userAccountControl
>> 544
DirXML: [04/04/08 13:43:59.61]: Loader: subscriptionShim->execute() returned:
DirXML: [04/04/08 13:43:59.61]: Loader: XML Document:
DirXML: [04/04/08 13:43:59.61]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="3.5.1" asn1id="" build="20070531_104500" instance="\IDENTITY_VAULT\vault\IDVaultDriverSet\A ctive Directory">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status level="error" type="driver-general" event-id="Active Directory##1191b2e73d2##0">
<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
</status>
</output>
</nds>
DirXML: [04/04/08 13:43:59.61]:
DirXML Log Event -------------------
Driver = \IDENTITY_VAULT\vault\IDVaultDriverSet\Active Directory
Thread = Subscriber Channel
Object = vault\Staff\3355 (CN=55\, 33,OU=Pusd Users,DC=pusd,DC=dom)
Level = error
Message = <ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
DirXML: [04/04/08 13:44:08.86]: Loader: Waiting for driver thread to exit...
Reply With Quote
 

« Previous Thread | Next Thread »

Thread Tools
Display Modes
Threaded Mode Threaded Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT -6. The time now is 10:12 AM.
Contact Us - NOVELL FORUMS - Archive - Privacy Statement - Top

© 2007 Novell, Inc. All Rights Reserved.

Search Engine Friendly URLs by vBSEO 3.3.0 RC2