I need an assist figuring out some JDBC driver behavior. We have a
subscriber-only JDBC connector talking to db2. The DBAs have constraints
on several fields in the database such that we veto add events if they
are not available. These values are added to the record by disparate
processes and so it is not unusual to veto an add for a particular user
a time or two until all the data is available.

Occasionally, an add runs afoul of this veto logic and I am not able to
explain why. In the trace below you can see the <modify> convert to an
<add>, after which all attributes in the filter are read from the IDV.
The add then proceeds, but only with five of these attributes in the
operation, and as a result it gets vetoed. I can subsequently trigger a
re-sync of the object using iManager and it will be added to db2 without
issue, but fixing them all manually is obviously not an option. What am
I doing wrong here?

I have redacted data from the trace file; anywhere you see <suppressed>
that was a manual edit; the operation had values present.


<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20130212110308.728Z" class-name="User"
event-id="idm3#20130212110308#8#1"
qualified-src-dn="O=UGA\OU=CoreIDs\CN=CoreID-ESCHWART9"
src-dn="\MYID-TREE\UGA\CoreIDs\CoreID-ESCHWART9" src-entry-id="813577"
timestamp="1360666986#7">
<modify-attr attr-name="ugaIDNumber">
<add-value>
<value timestamp="1360666986#7"
type="string"><suppressed></value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[02/12/13 06:03:08.748]:ssntrans ST:Subscriber processing modify for
\MYID-TREE\UGA\CoreIDs\CoreID-ESCHWART9.
[02/12/13 06:03:08.749]:ssntrans ST:Converting <modify> to <add>
[02/12/13 06:03:08.749]:ssntrans ST:Reading relevant attributes from
\MYID-TREE\UGA\CoreIDs\CoreID-ESCHWART9.
[02/12/13 06:03:08.750]:ssntrans ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query class-name="User"
dest-dn="\MYID-TREE\UGA\CoreIDs\CoreID-ESCHWART9" dest-entry-id="813577"
scope="entry">
<read-attr attr-name="Full Name"/>
<read-attr attr-name="Given Name"/>
<read-attr attr-name="Surname"/>
<read-attr attr-name="ugaBlockFacStaffDirectoryInfo"/>
<read-attr attr-name="ugaDOB"/>
<read-attr attr-name="ugaEmail"/>
<read-attr attr-name="ugaHRSSN"/>
<read-attr attr-name="ugaIDNumber"/>
<read-attr attr-name="ugaMiddleName"/>
<read-attr attr-name="ugaMyID"/>
<read-attr attr-name="ugaSSN"/>
<read-attr attr-name="ugaUniqueID"/>
</query>
</input>
</nds>
[02/12/13 06:03:08.754]:ssntrans ST:Pumping XDS to eDirectory.
[02/12/13 06:03:08.755]:ssntrans ST:Performing operation query for
\MYID-TREE\UGA\CoreIDs\CoreID-ESCHWART9.
[02/12/13 06:03:08.758]:ssntrans ST:Read result:
[02/12/13 06:03:08.758]:ssntrans ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance class-name="User"
qualified-src-dn="O=UGA\OU=CoreIDs\CN=CoreID-ESCHWART9"
src-dn="\MYID-TREE\UGA\CoreIDs\CoreID-ESCHWART9" src-entry-id="813577">
<attr attr-name="Full Name">
<value timestamp="1360666987#39" type="string">Edward E
Schwartz</value>
</attr>
<attr attr-name="Given Name">
<value timestamp="1360666987#29" type="string">Edward</value>
</attr>
<attr attr-name="Surname">
<value timestamp="1360666987#33" type="string">Schwartz</value>
</attr>
<attr attr-name="ugaBlockFacStaffDirectoryInfo">
<value timestamp="1360666971#13" type="string">N</value>
</attr>
<attr attr-name="ugaDOB">
<value timestamp="1360666971#5"
type="string"><suppressed></value>
</attr>
<attr attr-name="ugaHRSSN">
<value timestamp="1360666971#24"
type="string"><suppressed></value>
</attr>
<attr attr-name="ugaIDNumber">
<value timestamp="1360666986#7"
type="string"><suppressed></value>
</attr>
<attr attr-name="ugaMiddleName">
<value timestamp="1360666987#31" type="string">E</value>
</attr>
<attr attr-name="ugaSSN">
<value timestamp="1360666971#14"
type="string"><suppressed></value>
</attr>
<attr attr-name="ugaUniqueID">
<value timestamp="1360666987#9"
type="string"><suppressed></value>
</attr>
</instance>
<status level="success"></status>
</output>
</nds>
[02/12/13 06:03:08.761]:ssntrans ST:Synthetic add:
[02/12/13 06:03:08.762]:ssntrans ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" event-id="idm3#20130212110308#8#1"
qualified-src-dn="O=UGA\OU=CoreIDs\CN=CoreID-ESCHWART9"
src-dn="\MYID-TREE\UGA\CoreIDs\CoreID-ESCHWART9" src-entry-id="813577">
<add-attr attr-name="ugaBlockFacStaffDirectoryInfo">
<value timestamp="1360666971#13" type="string">N</value>
</add-attr>
<add-attr attr-name="ugaDOB">
<value timestamp="1360666971#5"
type="string"><suppressed></value>
</add-attr>
<add-attr attr-name="ugaHRSSN">
<value timestamp="1360666971#24"
type="string"><suppressed></value>
</add-attr>
<add-attr attr-name="ugaIDNumber">
<value timestamp="1360666986#7"
type="string"><suppressed></value>
</add-attr>
<add-attr attr-name="ugaSSN">
<value timestamp="1360666971#14"
type="string"><suppressed></value>
</add-attr>
</add>
</input>
</nds>
[02/12/13 06:03:08.763]:ssntrans ST:Applying object matching policies.
[02/12/13 06:03:08.763]:ssntrans ST:Applying policy: %+C%14CMatching
Rule%-C.
[02/12/13 06:03:08.763]:ssntrans ST: Applying to add #1.
[02/12/13 06:03:08.764]:ssntrans ST: Evaluating selection criteria
for rule 'User: Match on ugaUniqueID'.
[02/12/13 06:03:08.764]:ssntrans ST: (if-operation equal "add") =
TRUE.
[02/12/13 06:03:08.764]:ssntrans ST: (if-class-name equal "User") =
TRUE.
[02/12/13 06:03:08.764]:ssntrans ST: Rule selected.
[02/12/13 06:03:08.764]:ssntrans ST: Applying rule 'User: Match on
ugaUniqueID'.
[02/12/13 06:03:08.764]:ssntrans ST: Action:
do-find-matching-object(scope="subtree",arg-match-attr("ugaUniqueID")).
[02/12/13 06:03:08.764]:ssntrans ST:
arg-match-attr("ugaUniqueID")
[02/12/13 06:03:08.765]:ssntrans ST:Policy returned:
[02/12/13 06:03:08.765]:ssntrans ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<add class-name="User" event-id="idm3#20130212110308#8#1"
qualified-src-dn="O=UGA\OU=CoreIDs\CN=CoreID-ESCHWART9"
src-dn="\MYID-TREE\UGA\CoreIDs\CoreID-ESCHWART9" src-entry-id="813577">
<add-attr attr-name="ugaBlockFacStaffDirectoryInfo">
<value timestamp="1360666971#13" type="string">N</value>
</add-attr>
<add-attr attr-name="ugaDOB">
<value timestamp="1360666971#5"
type="string"><suppressed></value>
</add-attr>
<add-attr attr-name="ugaHRSSN">
<value timestamp="1360666971#24"
type="string"><suppressed></value>
</add-attr>
<add-attr attr-name="ugaIDNumber">
<value timestamp="1360666986#7"
type="string"><suppressed></value>
</add-attr>
<add-attr attr-name="ugaSSN">
<value timestamp="1360666971#14"
type="string"><suppressed></value>
</add-attr>
</add>
</input>
</nds>
[02/12/13 06:03:08.766]:ssntrans ST:No match found.
[02/12/13 06:03:08.766]:ssntrans ST:Applying object creation policies.
[02/12/13 06:03:08.767]:ssntrans ST:Applying policy: %+C%14CCreate
Rule%-C.
[02/12/13 06:03:08.767]:ssntrans ST: Applying to add #1.
[02/12/13 06:03:08.767]:ssntrans ST: Evaluating selection criteria
for rule 'Create'.
[02/12/13 06:03:08.767]:ssntrans ST: (if-class-name equal "User") =
TRUE.
[02/12/13 06:03:08.767]:ssntrans ST: (if-operation equal "add") =
TRUE.
[02/12/13 06:03:08.767]:ssntrans ST: Rule selected.
[02/12/13 06:03:08.767]:ssntrans ST: Applying rule 'Create'.
[02/12/13 06:03:08.767]:ssntrans ST: Action:
do-veto-if-op-attr-not-available("ugaIDNumber").
[02/12/13 06:03:08.768]:ssntrans ST: Action:
do-veto-if-op-attr-not-available("ugaUniqueID").
[02/12/13 06:03:08.768]:ssntrans ST:Policy returned:
[02/12/13 06:03:08.768]:ssntrans ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product version="3.6.10.4747">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input/>
</nds>
[02/12/13 06:03:08.768]:ssntrans ST:Processing returned document.
[02/12/13 06:03:08.768]:ssntrans ST:Processing operation <status> for .
[02/12/13 06:03:08.768]:ssntrans ST:
DirXML Log Event -------------------
Driver: \MYID-TREE\UGA\services\UGADriverSet\SSN-Translation
Channel: Subscriber
Object: \MYID-TREE\UGA\CoreIDs\CoreID-ESCHWART9
Status: Warning
Message: Code(-8017) Operation vetoed by object creation policy.


--
keithbmartin
------------------------------------------------------------------------
keithbmartin's Profile: https://forums.netiq.com/member.php?userid=524
View this thread: https://forums.netiq.com/showthread.php?t=46828