Thread: Disappearing Associations

  1. #1
    ccikara NNTP User

    Disappearing Associations


    Associations to a driver keep disappearing... I am sure it is not the
    driver doing the removal of this association as there is no trace of it
    happening in the driver logs...
    We also have Sentinel log manager installed and monitoring adding and
    removing associations, but these removals are not showing up...
    The modify of the attribute does not show up either.

    The problem with these associations disappearing is that when there is a
    change of entitlement on the object (remove entitlement) the driver sees
    the event, but then sees that the object is not associated and strips
    the remove entitlement and changes the modify event to an add event...
    This then causes the granted entitlement value to remain in the target
    DB and adds the new entitlement value, even though the rule applied says
    that a person can only have one entitlement for that system.

    We are using IDM 4.0.1.

    Has anyone heard or seen this happen? Is there another way for us to
    monitor why this is happening?

    At one stage I had 12 objects with the association, I checked again 5
    minutes later and they were all gone. Again, no trace of why or how...
    And the users still have the same entitlements and no modify event
    happened from when the associations existed to when they were
    deleted...

    Could the value of the entitlement be an issue? Because these objects
    are not related to a table in the DB I have given the association the
    value of "AnAssociation" when I grant the association.

    But this can't be the issue as I have done a similar thing on another
    driver (same version and everything) and this problem does not
    happen...

    Help would be much appreciated.

    Regards,
    Craig Cikara


    --
    ccikara
    ------------------------------------------------------------------------
    ccikara's Profile: https://forums.netiq.com/member.php?userid=506
    View this thread: https://forums.netiq.com/showthread.php?t=47537


  2. #2
    ab NNTP User

    Re: Disappearing Associations

    > Associations to a driver keep disappearing... I am sure it is not the
    > driver doing the removal of this association as there is no trace of it
    > happening in the driver logs...
    > We also have Sentinel log manager installed and monitoring adding and
    > removing associations, but these removals are not showing up...
    > The modify of the attribute does not show up either.


    So Log Manager does pick up association changes? From which application
    (eDir, IDM, etc.) and for which type of event exactly? Are you auditing
    all eDirectory servers individually or just one server (meaning changes
    from any other server could be missed)?

    > The problem with these associations disappearing is that when there is a
    > change of entitlement on the object (remove entitlement) the driver sees
    > the event, but then sees that the object is not associated and strips
    > the remove entitlement and changes the modify event to an add event...
    > This then causes the granted entitlement value to remain in the target
    > DB and adds the new entitlement value, even though the rule applied says
    > that a person can only have one entitlement for that system.


    A trace would be nice.

    > We are using IDM 4.0.1.


    Using the latest SP is always recommended; worst case, it shouldn't hurt
    as it is only a set of patches.

    > Has anyone heard or seen this happen? Is there another way for us to
    > monitor why this is happening?
    >
    > At one stage I had 12 objects with the association, I checked again 5
    > minutes later and they were all gone. Again, no trace of why or how...
    > And the users still have the same entitlements and no modify event
    > happened from when the associations existed to when they were
    > deleted...


    What happened to make you check five minutes later?

    Good luck.

  3. #3
    ccikara NNTP User

    Re: Disappearing Associations


    Hi AB,

    Yup, Log manager does pick up association changes... But it only picks
    up association changes because I set it on the driver-set; I believe it
    is the Identity Manager collector that picks this up? I would have
    expected association attribute modifies / deletes etc. to also be picked
    up by the eDir collector as it is an attribute that is changing... But
    no association attribute modifies show up.

    At the moment I am monitoring our SIT environment that only has 1 eDir
    instance, so I should be picking up everything. This issue is happening
    throughout our environments (Dev, SIT, UAT, LOAD, Prod).

    There was no event that made me decide to look again, it was just me
    monitoring the system manually... But I didn't pick up anything from the
    logs...

    Here is the trace file: http://pastebin.com/bE1FUUn2

    Thanks




  4. #4
    ccikara NNTP User

    Re: Disappearing Associations


    At 9:00 this morning there were 18 associated objects.

    At 9:11 there were only 3... And these 3 are new associations (i.e. did
    not exist at 9:00).

    So somewhere in those 11 minutes something happened to remove all
    associations, but again, Sentinel does not show these associations being
    removed... And neither does the driver log. Will post this trace when I
    get it from the ops people.

    The only time this association is removed in the driver is when the
    object has no more entitlements for the app...

    Regards,
    Craig Cikara




  5. #5
    ab NNTP User

    Re: Disappearing Associations

    When all else fails there is always the hard way to narrow down the
    problem. If you have other driver objects running, trace all of them. If
    that doesn't show you a problem, turn half of them off and see if the
    problem still happens. If so, turn half of the remaining driver objects
    off and test again. Continue until the driver (if indeed it is a driver)
    at fault is identified, then find the problem there. Cutting the problem
    down by halves should make it pretty clear relatively quickly. If turning
    off all drivers doesn't do it, be sure you do not have any jobs that could
    affect things, and then you're down to eDirectory.

    I see no reason why eDir auditing, if configured correctly, would audit
    some attributes but not the association attributes, but I've never looked
    for association attributes specifically in the past. Are you using the
    Novell Audit type of auditing (vs. XDAS), and if so, have you configured
    any filters on which attributes or classes should be audited within
    eDirectory? Which exact version of eDir are you running, and what is the
    full RPM version of the novell-AUDTedirinst package?

    Good luck.
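
Added example, not part of the original posts: when halving the set of running drivers as described above, each test round needs an objective answer to "did associations vanish again?", like the 9:00 versus 9:11 comparison earlier in the thread. This sketch diffs two LDIF snapshots of DirXML-Associations for one driver; the driver DN, the object DNs and the LDAP value form `<driver DN>#<state>#<value>` are assumptions, and the sample data is constructed.

```python
"""Diff two LDIF snapshots of DirXML-Associations for one driver."""

def unfold(ldif):
    # LDIF continues a long line on the next line with one leading space.
    return ldif.replace("\r\n", "\n").replace("\n ", "")

def associated(ldif, driver_dn):
    """Map object DN -> (state, association value) for driver_dn."""
    found = {}
    for entry in unfold(ldif).strip().split("\n\n"):
        dn = None
        for line in entry.splitlines():
            name, _, value = line.partition(": ")
            if name.lower() == "dn":
                dn = value.lower()
            elif name.lower() == "dirxml-associations" and dn:
                # Assumed form: <driver DN>#<state>#<association value>
                parts = value.split("#", 2)
                if len(parts) == 3 and parts[0].lower() == driver_dn.lower():
                    found[dn] = (parts[1], parts[2])
    return found

def diff(before, after, driver_dn):
    old, new = associated(before, driver_dn), associated(after, driver_dn)
    return {
        "removed": sorted(old.keys() - new.keys()),
        "added": sorted(new.keys() - old.keys()),
        "changed": sorted(d for d in old.keys() & new.keys() if old[d] != new[d]),
    }

# Constructed sample data (hypothetical tree and driver names).
DRIVER = "cn=AppDriver,cn=DriverSet,o=example"
SNAP_0900 = """\
dn: cn=user1,ou=people,o=example
DirXML-Associations: cn=AppDriver,cn=DriverSet,o=example#1#AnAssociation
DirXML-Associations: cn=Other,cn=DriverSet,o=example#1#42

dn: cn=user2,ou=people,o=example
DirXML-Associations: cn=AppDriver,cn=DriverSet,
 o=example#1#AnAssociation
"""
SNAP_0911 = """\
dn: cn=user1,ou=people,o=example
DirXML-Associations: cn=Other,cn=DriverSet,o=example#1#42

dn: cn=user2,ou=people,o=example

dn: cn=user3,ou=people,o=example
DirXML-Associations: cn=AppDriver,cn=DriverSet,o=example#1#AnAssociation
"""

if __name__ == "__main__":
    print(diff(SNAP_0900, SNAP_0911, DRIVER))
```

Run on frequent timestamped exports, the "removed" list narrows the window in which to search driver traces and audit events; base64-encoded (`::`) values are not decoded here.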

  6. #6
    ccikara NNTP User

    Re: Disappearing Associations


    I do not believe there are any filters configured, the ops team would
    have just installed and not done much configuration.

    If I check through iManager, under "Attributes" everything is ticked.

    novell-AUDTedirinst-8.8.5-13

    Tree Name: FRGSITIDV
    Server Name:
    .CN=RBGSITIDV101.OU=services.OU=fnb.O=firstrand.T=FRGSITIDV.
    Binary Version: 20601.18
    Root Most Entry Depth: 0
    Product Version: eDirectory for Linux x86_64 v8.8 SP6 [DS]

    I will try your approach of switching off drivers etc and see where that
    takes me.

    Thanks for the assistance.




  7. #7
    ab NNTP User

    Re: Disappearing Associations

    > novell-AUDTedirinst-8.8.5-13
    >
    > Tree Name: FRGSITIDV
    > Server Name:
    > .CN=RBGSITIDV101.OU=services.OU=fnb.O=firstrand.T=FRGSITIDV.
    > Binary Version: 20601.18
    > Root Most Entry Depth: 0
    > Product Version: eDirectory for Linux x86_64 v8.8 SP6 [DS]
    >
    > I will try your approach of switching off drivers etc and see where that
    > takes me.


    Before spending too much time there, just be aware you're on an old
    version of eDirectory (8.8 SP6) and an even older, mis-matched version of
    the eDirectory instrumentation module (8.8 SP5). One of those may be
    related... maybe.

    Good luck.
