On Wed, 16 May 2012 19:06:03 +0000, fnutter wrote:

> We are trying to sync a single group to openldap from edirectory. Right
> now we only sync users.
> I had to build matching, create and placement policies for the group,


Your create rule is broken.

Up to here, you were doing pretty good. You have a <add> in the document:


> 11:21:42.309]:sys:/ldap-1 ST:Policy returned: [05/16/12
> 11:21:42.310]:sys:/ldap-1 ST: <nds dtdversion="3.5" ndsversion="8.x">
> <source>
> <product version="3.5.10.20070918 ">DirXML</product> <contact>Novell,
> Inc.</contact>
> </source>
> <input>
> <add class-name="Group" event-id="TS_IDM#20120516182142#99#1"
> qualified-src-dn="O=Location\OU=TS\OU=Groups\CN=GW-Mobility"
> src-dn="\Location\Location\TS\Groups\GW-Mobility" src-entry-id="352975">
> <add-attr attr-name="CN">
> <value naming="true" timestamp="1337191362#15"
> type="string">GW-Mobility</value>
> </add-attr>
> </add>
> </input>
> </nds>



The Create rule should check for any required attributes and make sure
that they are present in the document. Instead, yours has what looks like
it may have been intended as a placement, but instead generates a second
<add> event in the current document:

> [05/16/12 11:21:42.310]:sys:/ldap-1 ST:Applying policy: %+C%14CGW
> Mobility Group%-C.
> [05/16/12 11:21:42.310]:sys:/ldap-1 ST: Applying to add #1. [05/16/12
> 11:21:42.310]:sys:/ldap-1 ST: Evaluating selection criteria for rule
> 'Sync Group GW Mobility'. [05/16/12 11:21:42.315]:sys:/ldap-1 ST:
> (if-class-name equal "Group") = TRUE.
> [05/16/12 11:21:42.315]:sys:/ldap-1 ST: (if-src-dn equal
> "Location\ts\groups\GW-Mobility") = TRUE. [05/16/12
> 11:21:42.315]:sys:/ldap-1 ST: Rule selected. [05/16/12
> 11:21:42.315]:sys:/ldap-1 ST: Applying rule 'Sync Group GW Mobility'.
> [05/16/12 11:21:42.315]:sys:/ldap-1 ST: Action:
> do-add-dest-object(class-name="Group",arg-dn(token-substring(token-src-name()))).
> [05/16/12 11:21:42.315]:sys:/ldap-1 ST:
> arg-dn(token-substring(token-src-name())) [05/16/12
> 11:21:42.315]:sys:/ldap-1 ST: token-substring(token-src-name())
> [05/16/12 11:21:42.315]:sys:/ldap-1 ST:
> token-substring(token-src-name())
> [05/16/12 11:21:42.315]:sys:/ldap-1 ST: token-src-name()
> [05/16/12 11:21:42.315]:sys:/ldap-1 ST: Token Value:
> "GW-Mobility".
> [05/16/12 11:21:42.315]:sys:/ldap-1 ST: Arg Value:
> "GW-Mobility".
> [05/16/12 11:21:42.315]:sys:/ldap-1 ST: Token Value:
> "GW-Mobility".
> [05/16/12 11:21:42.315]:sys:/ldap-1 ST: Arg Value:
> "GW-Mobility".
> [05/16/12 11:21:42.316]:sys:/ldap-1 ST:Policy returned: [05/16/12
> 11:21:42.316]:sys:/ldap-1 ST: <nds dtdversion="3.5" ndsversion="8.x">
> <source>
> <product version="3.5.10.20070918 ">DirXML</product> <contact>Novell,
> Inc.</contact>
> </source>
> <input>
> <add class-name="Group" event-id="TS_IDM#20120516182142#99#1"
> qualified-src-dn="O=Location\OU=TS\OU=Groups\CN=GW-Mobility"
> src-dn="\Location\Location\TS\Groups\GW-Mobility" src-entry-id="352975">
> <add-attr attr-name="CN">
> <value naming="true" timestamp="1337191362#15"
> type="string">GW-Mobility</value>
> </add-attr>
> </add>
> <add class-name="Group" dest-dn="GW-Mobility"
> event-id="TS_IDM#20120516182142#99#1"/> </input>
> </nds>


So now you're trying to create two groups. The one you started with has
no dest-dn (it should), and the new one that this rule added has a
malformed dest-dn.

Personally, I'd scrap this rule entirely.


> [05/16/12 11:21:42.316]:sys:/ldap-1 ST:Applying object placement
> policies.


*This* is where you should be generating a dest-dn for the object in the
current document.

> [05/16/12 11:21:42.316]:sys:/ldap-1 ST:Applying policy:
> %+C%14Csub-pp-SubscriberPlacement%-C. [05/16/12
> 11:21:42.316]:sys:/ldap-1 ST: Applying to add #1.


add #1 is the "good" one you should be working with.

> 11:21:42.316]:sys:/ldap-1 ST: Evaluating selection criteria for rule
> 'Subscriber Placement Rule'. [05/16/12 11:21:42.316]:sys:/ldap-1 ST:
> (if-class-name equal "User") = FALSE.
> [05/16/12 11:21:42.317]:sys:/ldap-1 ST: Rule rejected. [05/16/12
> 11:21:42.317]:sys:/ldap-1 ST: Evaluating selection criteria for rule
> 'Flat Placement by CN if uniqueID not present'. [05/16/12
> 11:21:42.317]:sys:/ldap-1 ST: (if-class-name equal "User") = FALSE.
> [05/16/12 11:21:42.317]:sys:/ldap-1 ST: Rule rejected.


Note that you have two placement rules, both of which are rejected, so no
dest-dn is generated. Fail.

So, what you need is a placement rule, for Group objects, to put them
wherever it is in the openLDAP directory tree that you want them to go.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.
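Added illustration (not part of David's reply or of the poster's driver configuration): the two DirXML-Script policies his reply calls for, written out as the Subscriber Create and Subscriber Placement policies would look for Group objects. The Create rule only vetoes the add when the naming attribute CN is missing; the Placement rule generates the dest-dn for the original <add> instead of adding a second one. The rule here covers every Group object rather than only the one src-dn from the trace, and the target container ou=groups,dc=example,dc=com and the LDAP-format dest-dn are assumptions to be replaced with whatever the real openLDAP tree uses.

```xml
<!-- Subscriber Create policy (a separate policy object in the Create policy set).
     Checks that the required naming attribute is present; vetoes the add if not. -->
<policy>
  <rule>
    <description>Require CN before creating a Group in openLDAP</description>
    <conditions>
      <and>
        <if-class-name op="equal">Group</if-class-name>
      </and>
    </conditions>
    <actions>
      <!-- no do-add-dest-object here: that would add a second <add> to the document -->
      <do-veto-if-op-attr-not-available name="CN"/>
    </actions>
  </rule>
</policy>

<!-- Subscriber Placement policy (a separate policy object in the Placement policy set).
     Sets the dest-dn on the existing add #1. The container below is an assumed
     example value; substitute the real openLDAP container for groups. -->
<policy>
  <rule>
    <description>Place Group objects in the openLDAP groups container</description>
    <conditions>
      <and>
        <if-class-name op="equal">Group</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-set-op-dest-dn>
        <arg-dn>
          <!-- builds cn=GW-Mobility,ou=groups,dc=example,dc=com for the object in the trace -->
          <token-text xml:space="preserve">cn=</token-text>
          <token-src-name/>
          <token-text xml:space="preserve">,ou=groups,dc=example,dc=com</token-text>
        </arg-dn>
      </do-set-op-dest-dn>
    </actions>
  </rule>
</policy>
```

With these in place, the trace after "Applying object placement policies" should show the Group rule selected and the original <add class-name="Group" ...> element carrying a dest-dn, with only one <add> in the <input> document.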