Old 04-Apr-2008, 04:06 PM
johnehurst
cannot sync group membership to AD

We have an IDM 3.5 system that was upgraded from IDM2, so drivers are legacy code but engines are not.

We sync only 1 group between our IDvault and AD. It is called trackitusers. We want all created users to be in this group.

Our ADDed users show up in the group in our IDvault on the eDir side, but they do not show up in the group in AD.

However, if we manually add a user to the group in eDir, that membership syncs to AD. If we delete a user from the group, they get deleted from AD. The exact same thing happens from AD to eDir. We can add a user or delete a user's membership in that group and it syncs correctly.

It's only when we use IDM that we get no joy. BTW, the user does get added w/ all other attributes into AD, other than this group membership.

We do notice an LDAP error on adds that we cannot figure out. We see the following trace on the AD side at the very end of our ADDs. It does not seem to be related to the group membership.

We have small traces from the AD side and the eDir side that only show a single ADD, if necessary.
DirXML: [04/04/08 13:43:59.61]: Loader: Calling subscriptionShim->execute()
DirXML: [04/04/08 13:43:59.61]: Loader: XML Document:
DirXML: [04/04/08 13:43:59.61]: <nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.5.1.20070411 ">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="user" dest-dn="CN=55\, 33,OU=Pusd Users,DC=pusd,DC=dom" event-id="Active Directory##1191b2e73d2##0" src-dn="vault\Staff\3355" src-entry-id="203518">
<association>ffa511af19d47e47ad91d1d7a2a0ec64</association>
<modify-attr attr-name="wWWHomePage">
<remove-all-values/>
<add-value>
<value type="string"/>
</add-value>
</modify-attr>
<modify-attr attr-name="dirxml-uACAccountDisable">
<add-value>
<value type="string">FALSE</value>
</add-value>
</modify-attr>
<modify-attr attr-name="wWWHomePage">
<remove-all-values/>
<add-value>
<value type="string">3355</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
DirXML: [04/04/08 13:43:59.61]: ADDriver: parse command

className user
destDN CN=55\, 33,OU=Pusd Users,DC=pusd,DC=dom
eventId Active Directory##1191b2e73d2##0
association ffa511af19d47e47ad91d1d7a2a0ec64
DirXML: [04/04/08 13:43:59.61]: ADDriver: parse modify class = user
DirXML: [04/04/08 13:43:59.61]: ADDriver: association
DirXML: [04/04/08 13:43:59.61]: ADDriver: ffa511af19d47e47ad91d1d7a2a0ec64
DirXML: [04/04/08 13:43:59.61]: ADDriver: modify-attr
DirXML: [04/04/08 13:43:59.61]: ADDriver: remove-all-values
DirXML: [04/04/08 13:43:59.61]: ADDriver: add-value
DirXML: [04/04/08 13:43:59.61]: ADDriver: value
DirXML: [04/04/08 13:43:59.61]: ADDriver:
DirXML: [04/04/08 13:43:59.61]: ADDriver: modify-attr
DirXML: [04/04/08 13:43:59.61]: ADDriver: add-value
DirXML: [04/04/08 13:43:59.61]: ADDriver: value
DirXML: [04/04/08 13:43:59.61]: ADDriver: FALSE
DirXML: [04/04/08 13:43:59.61]: ADDriver: modify-attr
DirXML: [04/04/08 13:43:59.61]: ADDriver: remove-all-values
DirXML: [04/04/08 13:43:59.61]: ADDriver: add-value
DirXML: [04/04/08 13:43:59.61]: ADDriver: value
DirXML: [04/04/08 13:43:59.61]: ADDriver: 3355
DirXML: [04/04/08 13:43:59.61]: ADDriver: ldap_modify user CN=55\, 33,OU=Pusd Users,DC=pusd,DC=dom
LDAPMod operations:
delete attribute wWWHomePage
add attribute wWWHomePage
>>
delete attribute wWWHomePage
add attribute wWWHomePage
>> 3355
replace attribute userAccountControl
>> 544
DirXML: [04/04/08 13:43:59.61]: Loader: subscriptionShim->execute() returned:
DirXML: [04/04/08 13:43:59.61]: Loader: XML Document:
DirXML: [04/04/08 13:43:59.61]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="3.5.1" asn1id="" build="20070531_104500" instance="\IDENTITY_VAULT\vault\IDVaultDriverSet\Active Directory">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<status level="error" type="driver-general" event-id="Active Directory##1191b2e73d2##0">
<ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
</status>
</output>
</nds>
DirXML: [04/04/08 13:43:59.61]:
DirXML Log Event -------------------
Driver = \IDENTITY_VAULT\vault\IDVaultDriverSet\Active Directory
Thread = Subscriber Channel
Object = vault\Staff\3355 (CN=55\, 33,OU=Pusd Users,DC=pusd,DC=dom)
Level = error
Message = <ldap-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">
<client-err ldap-rc="21" ldap-rc-name="LDAP_INVALID_SYNTAX">Invalid Syntax</client-err>
<server-err>00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece</server-err>
<server-err-ex win32-rc="87"/>
</ldap-err>
DirXML: [04/04/08 13:44:08.86]: Loader: Waiting for driver thread to exit...
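The trace above shows the driver sending two modifies of wWWHomePage in one command: the first one adds an empty value (`<value type="string"/>`, which appears as an empty line after `>>` in the LDAPMod summary), the second adds `3355`. Active Directory rejects an empty string as an attribute value with LDAP_INVALID_SYNTAX (ldap-rc 21, win32-rc 87, "Error in attribute conversion operation"), so the whole ldap_modify fails. The following is an added example, not code from the post or from Novell's AD driver: it parses an `<nds>` document of the shape shown in the trace, reports every `add-value` whose `value` is empty, and produces a copy with those empty values stripped so the command can be inspected before it reaches AD. The sample document is constructed from the XML in the trace (the `<source>` block is dropped so it parses stand-alone); the function names are my own.

```python
"""Pre-flight check for DirXML Subscriber channel <modify> documents.

Added example, not Novell's code. Walks the <nds> document that the trace
above prints and flags <add-value> elements whose <value> carries no text,
which AD refuses with LDAP_INVALID_SYNTAX (ldap-rc 21, win32-rc 87).
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample: the <input> portion of the trace above, with the
# <source> block removed so it parses on its own.
SAMPLE_MODIFY = """<nds dtdversion="3.5" ndsversion="8.x">
<input>
<modify class-name="user" dest-dn="CN=55\\, 33,OU=Pusd Users,DC=pusd,DC=dom" event-id="Active Directory##1191b2e73d2##0" src-dn="vault\\Staff\\3355" src-entry-id="203518">
<association>ffa511af19d47e47ad91d1d7a2a0ec64</association>
<modify-attr attr-name="wWWHomePage">
<remove-all-values/>
<add-value>
<value type="string"/>
</add-value>
</modify-attr>
<modify-attr attr-name="dirxml-uACAccountDisable">
<add-value>
<value type="string">FALSE</value>
</add-value>
</modify-attr>
<modify-attr attr-name="wWWHomePage">
<remove-all-values/>
<add-value>
<value type="string">3355</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
"""


def _is_empty(value: ET.Element) -> bool:
    """True when a <value> element has no text (or only whitespace)."""
    return not (value.text or "").strip()


def find_empty_values(nds_xml: str) -> List[Tuple[str, str, int]]:
    """Return (dest-dn, attr-name, position) for every <add-value> whose
    <value> is empty. Position is the 1-based index of the <modify-attr>
    inside its <modify>, so repeated attributes (wWWHomePage twice in the
    trace) can be told apart."""
    root = ET.fromstring(nds_xml)
    findings: List[Tuple[str, str, int]] = []
    for modify in root.iter("modify"):
        dest_dn = modify.get("dest-dn", "")
        for pos, mod_attr in enumerate(modify.findall("modify-attr"), start=1):
            attr = mod_attr.get("attr-name", "")
            for value in mod_attr.findall("add-value/value"):
                if _is_empty(value):
                    findings.append((dest_dn, attr, pos))
    return findings


def strip_empty_add_values(nds_xml: str) -> Tuple[str, int]:
    """Return a copy of the document with empty <value> elements removed and
    the number removed. An <add-value> left with no values is dropped too;
    a <remove-all-values/> that remains is kept, since that is a legitimate
    'clear the attribute' operation."""
    root = ET.fromstring(nds_xml)
    removed = 0
    # Materialise the list first: pruning children while iter() is suspended
    # on the same element would be fragile.
    for mod_attr in list(root.iter("modify-attr")):
        for add_value in list(mod_attr.findall("add-value")):
            for value in list(add_value.findall("value")):
                if _is_empty(value):
                    add_value.remove(value)
                    removed += 1
            if not add_value.findall("value"):
                mod_attr.remove(add_value)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for dn, attr, pos in find_empty_values(SAMPLE_MODIFY):
        print(f"empty add-value for {attr} (modify-attr #{pos}) on {dn}")
    cleaned, count = strip_empty_add_values(SAMPLE_MODIFY)
    print(f"stripped {count} empty value(s); remaining findings: "
          f"{find_empty_values(cleaned)}")
```

Run against the constructed sample it reports the first wWWHomePage modify-attr and nothing else; on the stripped copy the only remaining wWWHomePage operations are the `remove-all-values` and the add of `3355`, which is the modify AD would accept. This does not by itself explain the missing group membership, but a failed ldap_modify on the user is worth ruling out before looking at the group add, since the whole command is rejected as one LDAP operation.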