We have an edir2edir driver. I added a new policy in the command
transform and I needed to sync the existing users to have this policy
process through existing users. We also have an attribute 'UserRole'. I
only wanted this sync to process users with a certain value for
'UserRole' so I put a policy in the event transform that would veto any
sync event where 'UserRole' was not equal to the value 'STANDARD'. This
ran fine for around 80k of the users that it was supposed to but for
some reason there are about 346 users where it did not work. I checked
my policies, I checked the users, and I checked the trace and for some
reason it is getting vetoed by that 'UserRole' policy. I tried migrating
just one of the users that did not work and here is the trace:


Code:
--------------------
08:57:35 26E71700 FFFFFFFF Drvrs: Edir-Vault2Auth ST:Applying policy: stop sync.
08:57:35 26E71700 FFFFFFFF Drvrs: Edir-Vault2Auth ST: Applying to sync #1.
08:57:35 26E71700 FFFFFFFF Drvrs: Edir-Vault2Auth ST: Evaluating selection criteria for rule 'veto non-standard user sync'.
08:57:35 26E71700 FFFFFFFF Drvrs: Edir-Vault2Auth ST: (if-operation equal "sync") = TRUE.
08:57:35 26E71700 FFFFFFFF Drvrs: Edir-Vault2Auth ST: (if-op-attr 'UserRole' not-equal "STANDARD") = TRUE.
08:57:35 26E71700 FFFFFFFF Drvrs: Edir-Vault2Auth ST: Rule selected.
08:57:35 26E71700 FFFFFFFF Drvrs: Edir-Vault2Auth ST: Applying rule 'veto non-standard user sync'.
08:57:35 26E71700 FFFFFFFF Drvrs: Edir-Vault2Auth ST: Action: do-veto().
--------------------


For some reason, and I cannot figure out why, even though the 'UserRole'
attribute is 'STANDARD' it is evaluating to not-equal 'STANDARD'. I have
checked many times and the value is the same for the users that did get
processed. I even checked for trailing and leading whitespace, which
shouldn't exist anyway since the values were populated by an automated
system and there shouldn't be any typos. I restarted the driver as well
and it still did not work. When I disable that policy and try migrating
a user again it works fine but when I reenable it it again evaluates
'UserRole' not-equal to 'STANDARD' even though it is. Any ideas as to
what is going on?


--
bobbintb