Hi people,

I have several policies configured in the role based entitlements driver in
a system of 2 replicas with IDM standard version 4.0.2 and eDirectory
8.8 SP7 v20701.37 running on SUSE Linux Enterprise Server 11 (x86_64)
patchlevel 2.

Sometimes (2-3% of new users) the entitlements are not granted, as if the
attribute data required for the entitlement were not yet available in the
identity store while the event is processed. An example of this
incident is below:

- a lot of users are being created due to new registrations synced from SQL
- attribute "myattr" value "ORG value" is added to a user
- entitlement "ORG entitlement" membership is configured as follows:

LDAP Filter: (&(myattr=ORG%20value)(objectClass=inetOrgPerson ))
Search Identity: admin.org
Base DN: .TREE.
Scope: This container and subcontainers

- the role based entitlements driver detects the "myattr" add-value event
- for the 2-3% of users the role based entitlements driver determines
that the user does NOT satisfy the entitlement grant policy, even though
the condition has just been met
- after the transaction a sync is received due to a move, and the driver
queries the values found in the filter, including "myattr"
- the query returns an empty "myattr" attribute value, even though we've
just received the add transaction, as if the value was added but
something nullified the change

The driver has not been tampered with other than log file adjustments and
policy definitions; apart from that it is the stock package. The system
has however seen a few power failures etc., so the possibility of
faulty data exists. Also the second replica (read-write) had a disk
storage issue a year or two ago. ndsrepair has been executed
occasionally. Both replicas are time syncing hourly to the same time server
via sntp.

The "myattr" attribute is being modified by a single driver which is a
very simple one. The driver's logs show it has not cleared the attribute.

The entitlement is granted when I remove and re-add the value of the
"myattr" attribute.

This is quite a mystery and I remember running into similar behavior
with the role based entitlements driver before too. My best guess is a
driver bug under heavy load or a corrupted eDirectory partition in the
second replica (read-write) due to its earlier problems, but I have no
evidence for either. All help is welcome.

Here are snippets from the role based entitlements driver log. The
transaction explained above, an add-value to the attribute that is supposed
to grant the entitlement:

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20140730101201.007Z" class-name="User"
event-id="172233-172234:265a5e24-478e-4699-a337-554ce932b2af"
qualified-src-dn="xxx" src-dn="xxx" src-entry-id="164005" timestamp="1406715121#8">
<association state="associated">{03142A97-F04F-4456-06AF-972A14034FF0}</association>
<modify-attr attr-name="myattr">
<add-value>
<value timestamp="1406715121#7" type="string">ORG value</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[07/30/14 13:12:01.487]:Entitlement driver ST:
DirXML Log Event -------------------
Driver: xxx
Channel: Subscriber
Object: xxx
Status: Warning
Message: code(31622) Entitlement_Revoke: Entitlement-request
revoked. Unable to satisfy entitlement grant policy
[07/30/14 13:12:01.492]:Entitlement driver ST: is NOT a member of
entitlement policy 'system\IDM\Entitlement Policies\ORG entitlement
[07/30/14 13:12:01.492]:Entitlement driver ST:
DirXML Log Event -------------------
Driver: \xxx\system\IDM\Entitlement driver
Channel: Subscriber
Object: xxx
Status: Warning
Message: code(31622) Entitlement_Revoke: Entitlement-request
revoked. Unable to satisfy entitlement grant policy

This is from the sync operation that follows, showing "myattr" to be
empty:

[07/30/14 13:12:01.571]:Entitlement driver ST:No event transformation
policies.
[07/30/14 13:12:01.571]:Entitlement driver ST:Subscriber processing sync
for xxx.
[07/30/14 13:12:01.572]:Entitlement driver ST:Merging eDirectory and
application values.
[07/30/14 13:12:01.572]:Entitlement driver ST:Reading relevant
attributes from xxx.
[07/30/14 13:12:01.572]:Entitlement driver ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query class-name="User" dest-dn="xxx" dest-entry-id="164005"
scope="entry">
<read-attr attr-name="DirXML-ADAliasName"/>
<read-attr attr-name="myattr"/>
<read-attr attr-name="Object Class"/>
</query>
</input>
</nds>
[07/30/14 13:12:01.573]:Entitlement driver ST:Pumping XDS to eDirectory.
[07/30/14 13:12:01.573]:Entitlement driver ST:Performing operation query
for xxx.
[07/30/14 13:12:01.573]:Entitlement driver ST:--JCLNT-- xxx :
Duplicating : context = 1228144873, tempContext = 1228144863
[07/30/14 13:12:01.574]:Entitlement driver ST:--JCLNT-- xxx : Calling
free on tempContext = 1228144863
[07/30/14 13:12:01.574]:Entitlement driver ST:Read result:
[07/30/14 13:12:01.575]:Entitlement driver ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance class-name="User" qualified-src-dn="xxx" src-dn="xxx"
src-entry-id="164005">
<association state="associated">{03142A97-F04F-4456-06AF-972A14034FF0}</association>
<attr attr-name="Object Class">
<value timestamp="1406715120#324" type="string">User</value>
<value timestamp="1406715120#325" type="string">xxx</value>
<value timestamp="1406715120#326" type="string">Organizational Person</value>
<value timestamp="1406715120#327" type="string">Person</value>
<value timestamp="1406715120#328"
type="string">ndsLoginProperties</value>
<value timestamp="1406715120#329" type="string">Top</value>
<value timestamp="1406715121#19"
type="string">DirXML-PasswordSyncStatusUser</value>
</attr>
</instance>
<status level="success"></status>
</output>
</nds>
[07/30/14 13:12:01.577]:Entitlement driver ST:Updating application with
eDirectory values.
[07/30/14 13:12:01.577]:Entitlement driver ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Standard" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify class-name="User"
event-id="172233-172234:265a5e24-478e-4699-a337-554ce932b2af"
from-merge="true" qualified-src-dn="xxx" src-dn="xxx" src-entry-id="164005">
<association>{03142A97-F04F-4456-06AF-972A14034FF0}</association>
<modify-attr attr-name="Object Class">
<remove-all-values/>
<add-value>
<value timestamp="1406715120#324" type="string">User</value>
<value timestamp="1406715120#325" type="string">xxx</value>
<value timestamp="1406715120#326"
type="string">Organizational Person</value>
<value timestamp="1406715120#327" type="string">Person</value>
<value timestamp="1406715120#328"
type="string">ndsLoginProperties</value>
<value timestamp="1406715120#329" type="string">Top</value>
<value timestamp="1406715121#19"
type="string">DirXML-PasswordSyncStatusUser</value>
</add-value>
</modify-attr>
<modify-attr attr-name="DirXML-ADAliasName">
<remove-all-values/>
</modify-attr>
<modify-attr attr-name="myattr">
<remove-all-values/>
</modify-attr>
</modify>
</input>
</nds>


Cheers,
Pekka
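The symptom described in the post (an add-value event for "myattr" followed by a read-back of the same entry in which the attribute is absent) can be checked mechanically across a driver trace. The following is an added example written for this thread, not code from the poster or from the IDM product; the XDS excerpts embedded in it are constructed to mirror the post's two documents (same entry id, attribute and value), and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed XDS excerpts modelled on the trace in the post (not the
# author's log): the modify event that adds the value, and the driver's
# read-back of the same entry during the following sync.
MODIFY_EVENT = """<nds dtdversion="4.0" ndsversion="8.x"><input>
<modify class-name="User" src-dn="xxx" src-entry-id="164005"
 event-id="172233-172234:265a5e24-478e-4699-a337-554ce932b2af">
<modify-attr attr-name="myattr"><add-value>
<value type="string">ORG value</value></add-value></modify-attr>
</modify></input></nds>"""

READ_MISSING = """<nds dtdversion="4.0" ndsversion="8.x"><output>
<instance class-name="User" src-dn="xxx" src-entry-id="164005">
<attr attr-name="Object Class"><value type="string">User</value></attr>
</instance><status level="success"/></output></nds>"""

READ_OK = READ_MISSING.replace("</instance>",
    '<attr attr-name="myattr"><value type="string">ORG value</value></attr></instance>')


def added_values(xds):
    """Map (src-entry-id, attr-name) -> values carried in <add-value> elements."""
    out = {}
    for mod in ET.fromstring(xds).iter("modify"):
        eid = mod.get("src-entry-id")
        for ma in mod.iter("modify-attr"):
            vals = {v.text for av in ma.iter("add-value") for v in av.iter("value")}
            if vals:
                out.setdefault((eid, ma.get("attr-name")), set()).update(vals)
    return out


def read_values(xds):
    """Map (src-entry-id, attr-name) -> values returned in an <instance> read-back."""
    out = {}
    for inst in ET.fromstring(xds).iter("instance"):
        eid = inst.get("src-entry-id")
        for attr in inst.iter("attr"):
            out[(eid, attr.get("attr-name"))] = {v.text for v in attr.iter("value")}
    return out


def missing_after_add(modify_xds, read_xds):
    """List (entry-id, attr, value) triples that the modify added but the
    subsequent read of the same entry does not contain: the post's symptom."""
    seen = read_values(read_xds)
    return [(eid, attr, val)
            for (eid, attr), vals in added_values(modify_xds).items()
            for val in sorted(vals) if val not in seen.get((eid, attr), set())]
```

Pairing each modify with the next read-back of the same src-entry-id in a full trace turns the 2-3% cases into a list of affected entries and event-ids, which is the evidence to attach to a support case or to compare against the second replica.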