Hello,

I am trying to sync accounts (with passwords) from ID Vault to Apple Open
Directory (basically OpenLDAP), but am getting the following issue:

In the Driver Trace, the LDAP Add info is shown as follows:

17:34:04 5279E700 Drvrs: LDAP ST:Password synchronization command
detected.
17:34:04 5279E700 Drvrs: LDAP ST:Stripping operation data from input
document
17:34:04 5279E700 Drvrs: LDAP ST:LDAP: LDAPSub.performAddOperation()
Calling getAllSups(inetOrgPerson)
17:34:04 5279E700 Drvrs: LDAP ST:LDAP: LDAP Add:
dn: CN=aaa5,cn=users,dc=macsrv,dc=com (for example)
userpassword: <content suppressed>
givenname: aaa
uid: aaa5
sn: 5
cn: aaa5
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top

17:34:04 5279E700 Drvrs: LDAP ST:LDAP: LDAPInterface.doLDAPAdd() Error:
LDAPException: Object Class Violation (65) Object Class Violation
LDAPException: Server Message: attribute 'authAuthority' not allowed
LDAPException: Matched DN:
17:34:04 5279E700 Drvrs: LDAP ST:Password synchronization command status
detected.
17:34:04 5279E700 Drvrs: LDAP ST:Restoring operation data to output
document
17:34:04 5279E700 Drvrs: LDAP ST:SubscriptionShim.execute() returned:
17:34:04 5279E700 Drvrs: LDAP ST:
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20141001_0717" instance="LDAP"
version="4.0.0.5">Identity Manager Driver for LDAP</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status
event-id="IDM#20150210093404#1#2:71bc044c-37bd-44ab-9ab3-4c04bc71bd37"
level="error">LDAPException: Object Class Violation (65) Object Class
Violation
LDAPException: Server Message: attribute 'authAuthority' not allowed
LDAPException: Matched DN: <operation-data attempt-to-match="true"
unmatched-src-dn="CN=aaa5">
<password-subscribe-status>
<association/>
</password-subscribe-status>
</operation-data>
</status>
</output>
</nds>

And in red text:

17:34:04 5279E700 Drvrs: LDAP ST:
DirXML Log Event -------------------
Driver: \IDMTREE\IDM\DriverSet\LDAP
Channel: Subscriber
Object: \IDMTREE\IDM\Users\Internal\aaa5
Status: Error
Message: LDAPException: Object Class Violation (65) Object Class
Violation
LDAPException: Server Message: attribute 'authAuthority' not allowed
LDAPException: Matched DN:


As far as I know, AOD uses a separate mechanism for storing the
password, so I am not sure how the password change is achieved via an LDAP
call. The existing user accounts do have "authAuthority" attributes
with info in them relating to "ApplePasswordServer" and "Kerberosv5".

Thanks for any hints!
Regards
GM


--
gmarsh
------------------------------------------------------------------------
gmarsh's Profile: https://forums.netiq.com/member.php?userid=7757
View this thread: https://forums.netiq.com/showthread.php?t=52789
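Added example (not from the original post or from the NetIQ driver): a small Python triage script that parses the "LDAP Add:" block and the LDAPException lines of a Driver Trace excerpt like the one above, so the attributes the driver actually submitted can be compared with the attribute the server rejected. The trace text is a constructed, trimmed copy of the post's own excerpt; the result-code and "not allowed" patterns are assumptions based on the message formats shown there.

```python
import re
# Constructed sample: a trimmed copy of the Driver Trace excerpt posted above.
TRACE = """\
17:34:04 5279E700 Drvrs: LDAP ST:LDAP: LDAP Add:
dn: CN=aaa5,cn=users,dc=macsrv,dc=com
userpassword: <content suppressed>
givenname: aaa
uid: aaa5
sn: 5
cn: aaa5
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
17:34:04 5279E700 Drvrs: LDAP ST:LDAP: LDAPInterface.doLDAPAdd() Error:
LDAPException: Object Class Violation (65) Object Class Violation
LDAPException: Server Message: attribute 'authAuthority' not allowed
"""

TRACE_PREFIX = re.compile(r"^\d\d:\d\d:\d\d [0-9A-F]+ Drvrs: LDAP ST:")
RESULT_CODE = re.compile(r"LDAPException: (.+?) \((\d+)\)")   # assumed format
NOT_ALLOWED = re.compile(r"Server Message: attribute '([^']+)' not allowed")

def parse_add(trace):
    """Return (dn, {attr: [values]}) from the 'LDAP Add:' block of a driver trace."""
    dn, attrs, in_add = None, {}, False
    for line in trace.splitlines():
        if line.endswith("LDAP Add:"):
            in_add = True
        elif in_add and (not line.strip() or TRACE_PREFIX.match(line)):
            break  # a blank line or the next timestamped trace line ends the block
        elif in_add:
            name, _, value = line.partition(": ")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs

def triage(trace):
    """Pair the submitted attributes with the server's rejection for quick review."""
    dn, attrs = parse_add(trace)
    code = RESULT_CODE.search(trace)
    rejected = NOT_ALLOWED.search(trace)
    return {
        "dn": dn,
        "objectclasses": attrs.get("objectclass", []),
        "result_code": int(code.group(2)) if code else None,
        "rejected_attribute": rejected.group(1) if rejected else None,
        "rejected_attribute_was_sent": bool(rejected) and rejected.group(1).lower() in attrs,
    }
```

For the excerpt above, `triage(TRACE)` reports result code 65 with `rejected_attribute` set to `authAuthority` and `rejected_attribute_was_sent` False, which confirms from the trace itself that the attribute the server refuses is not one the driver included in the add.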