
Thread: AdminUA deleted; Role Assignment havoc ensues.

  1. #1
    folboteur NNTP User

    AdminUA deleted; Role Assignment havoc ensues.


    (Replacing Thread wrongly started under Engine/Drivers)
    AdminUA deleted. I rebuilt the security domain for the UserApp and the
    new AdminUA account seems functional. I have, for troubleshooting,
    granted full supervisor rights to the entire tree for AdminUA.

    However, when I add a user to a group assigned to a role, and that role has
    5 resources assigned to it... which were 100% functional before the
    deletion of AdminUA... I do not get any of the entitlements assigned,
    with the following error in the trace of the Roles and Resources Driver
    (which is security equivalent to ADMIN of the tree):

    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.5.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify cached-time="20150505145118.266Z" class-name="User"
    event-id="CustomerIDV1T-NDS#20150505145118#1#1:f5b47cb0-a5e4-41f9-bdd9-a0c662b9a333"
    qualified-src-dn="O=Customer\OU=Data\OU=Users\CN=ameyer31"
    src-dn="\IDVT\Customer\Data\Users\ameyer31" src-entry-id="73592"
    timestamp="1430837478#1">
    <modify-attr attr-name="Group Membership">
    <add-value>
    <value timestamp="1430837478#1"
    type="dn">\T=IDVT\O=Customer\OU=Data\OU=Groups\OU=Identity Types\CN=Primary - EMPLOYEE_IT</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [05/05/15 09:51:18.290]:**RRSD** ST:Applying event transformation
    policies.
    [05/05/15 09:51:18.291]:**RRSD** ST:Applying policy:
    %+C%14CNOVLRSERVB-sub-etp%-C.
    [05/05/15 09:51:18.291]:**RRSD** ST: Applying to modify #1.
    [05/05/15 09:51:18.291]:**RRSD** ST: Evaluating selection criteria for
    rule 'Ignore everything except add, modify, and sync for all classes'.
    [05/05/15 09:51:18.292]:**RRSD** ST: (if-operation not-match
    "add|modify|sync") = FALSE.
    [05/05/15 09:51:18.292]:**RRSD** ST: Rule rejected.
    [05/05/15 09:51:18.293]:**RRSD** ST: Evaluating selection criteria for
    rule 'Cleanup the entitlement results for entitlements granted by NRF'.
    [05/05/15 09:51:18.293]:**RRSD** ST: (if-operation equal "modify") =
    TRUE.
    [05/05/15 09:51:18.294]:**RRSD** ST: (if-op-attr
    'DirXML-EntitlementResult' changing) = FALSE.
    [05/05/15 09:51:18.294]:**RRSD** ST: Rule rejected.
    [05/05/15 09:51:18.294]:**RRSD** ST: Evaluating selection criteria for
    rule 'Convert the event into a custom command to send to the driver'.
    [05/05/15 09:51:18.295]:**RRSD** ST: Rule selected.
    [05/05/15 09:51:18.295]:**RRSD** ST: Applying rule 'Convert the event
    into a custom command to send to the driver'.
    [05/05/15 09:51:18.296]:**RRSD** ST: Action:
    do-set-local-variable("command",scope="policy",token-map("NOVLRSERVB-sub-CommandMappingTable","class-name","command",token-class-name())).
    [05/05/15 09:51:18.297]:**RRSD** ST:
    arg-string(token-map("NOVLRSERVB-sub-CommandMappingTable","class-name","command",token-class-name()))
    [05/05/15 09:51:18.297]:**RRSD** ST:
    token-map("NOVLRSERVB-sub-CommandMappingTable","class-name","command",token-class-name())
    [05/05/15 09:51:18.298]:**RRSD** ST:
    token-map("NOVLRSERVB-sub-CommandMappingTable","class-name","command",token-class-name())
    [05/05/15 09:51:18.299]:**RRSD** ST: token-class-name()
    [05/05/15 09:51:18.299]:**RRSD** ST: Token Value: "User".
    [05/05/15 09:51:18.299]:**RRSD** ST: Arg Value: "User".
    [05/05/15 09:51:18.299]:**RRSD** ST: Token Value: "nrf:identity".
    [05/05/15 09:51:18.300]:**RRSD** ST: Arg Value: "nrf:identity".
    [05/05/15 09:51:18.300]:**RRSD** ST: Action:
    do-append-xml-element("$command$","..").
    [05/05/15 09:51:18.301]:**RRSD** ST: Expanded variable reference
    '$command$' to 'nrf:identity'.
    [05/05/15 09:51:18.301]:**RRSD** ST: Action:
    do-set-xml-attr("dn","../nrf:*",token-xpath("@qualified-src-dn")).
    [05/05/15 09:51:18.302]:**RRSD** ST:
    arg-string(token-xpath("@qualified-src-dn"))
    [05/05/15 09:51:18.302]:**RRSD** ST: token-xpath("@qualified-src-dn")
    [05/05/15 09:51:18.302]:**RRSD** ST: Token Value:
    "O=Customer\OU=Data\OU=Users\CN=ameyer31".
    [05/05/15 09:51:18.303]:**RRSD** ST: Arg Value:
    "O=Customer\OU=Data\OU=Users\CN=ameyer31".
    [05/05/15 09:51:18.303]:**RRSD** ST: Action: do-if().
    [05/05/15 09:51:18.307]:**RRSD** ST: Evaluating conditions.
    [05/05/15 09:51:18.308]:**RRSD** ST: (if-op-attr 'nrfChildRoles'
    changing) = FALSE.
    [05/05/15 09:51:18.308]:**RRSD** ST: Action: do-if().
    [05/05/15 09:51:18.308]:**RRSD** ST: Evaluating conditions.
    [05/05/15 09:51:18.309]:**RRSD** ST: (if-op-attr 'nrfAssignedResources'
    changing) = FALSE.
    [05/05/15 09:51:18.309]:**RRSD** ST: Performing else actions.
    [05/05/15 09:51:18.309]:**RRSD** ST: Evaluating selection criteria for
    rule 'Get rid of any association that might be there and veto the
    original event'.
    [05/05/15 09:51:18.310]:**RRSD** ST: Rule selected.
    [05/05/15 09:51:18.310]:**RRSD** ST: Applying rule 'Get rid of any
    association that might be there and veto the original event'.
    [05/05/15 09:51:18.311]:**RRSD** ST: Action: do-if().
    [05/05/15 09:51:18.311]:**RRSD** ST: Evaluating conditions.
    [05/05/15 09:51:18.311]:**RRSD** ST: (if-association available) = FALSE.
    [05/05/15 09:51:18.312]:**RRSD** ST: Performing else actions.
    [05/05/15 09:51:18.312]:**RRSD** ST: Action: do-if().
    [05/05/15 09:51:18.312]:**RRSD** ST: Evaluating conditions.
    [05/05/15 09:51:18.313]:**RRSD** ST: (if-xpath true
    "association/@state='migrate'") = FALSE.
    [05/05/15 09:51:18.313]:**RRSD** ST: Action: do-veto().
    [05/05/15 09:51:18.313]:**RRSD** ST:Policy returned:
    [05/05/15 09:51:18.314]:**RRSD** ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.5.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <nrf:identity dn="O=Customer\OU=Data\OU=Users\CN=ameyer31"
    xmlns:nrf="urn:dirxml:nrf"/>
    </input>
    </nds>
    [05/05/15 09:51:18.315]:**RRSD** ST:Subscriber processing identity for .
    [05/05/15 09:51:18.315]:**RRSD** ST:Submitting unknown event to
    subscriber shim.
    [05/05/15 09:51:18.316]:**RRSD** ST:No command transformation policies.
    [05/05/15 09:51:18.316]:**RRSD** ST:Filtering out notification-only
    attributes.
    [05/05/15 09:51:18.317]:**RRSD** ST:Fixing up association references.
    [05/05/15 09:51:18.317]:**RRSD** ST:No schema mapping policies.
    [05/05/15 09:51:18.317]:**RRSD** ST:No output transformation policies.
    [05/05/15 09:51:18.318]:**RRSD** ST:Submitting document to subscriber
    shim:
    [05/05/15 09:51:18.318]:**RRSD** ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.5.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <nrf:identity dn="O=Customer\OU=Data\OU=Users\CN=ameyer31" event-id="0"
    xmlns:nrf="urn:dirxml:nrf"/>
    </input>
    </nds>
    [05/05/15 09:51:18.320]:**RRSD** ST:: Recalculating roles for identity:
    O=Customer\OU=Data\OU=Users\CN=ameyer31
    [05/05/15 09:51:18.324]:**RRSD** ST:: Role sync operation ignored
    because container is out of scope
    Container DN: O=Customer
    User-Group root DN: Customer\Data
    [05/05/15 09:51:18.340]:**RRSD** ST:: Process Equivalent To Me
    Role: Process Equivalent To Me
    Role: O=Customer\OU=services\CN=DriverSet\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level30\CN=Primary - EMPLOYEE_IT
    Operation: 5
    Identity: O=Customer\OU=Data\OU=Users\CN=ameyer31
    Operation: {1}
    Identity: {2}
    [05/05/15 09:51:18.358]:**RRSD** ST:SubscriptionShim.execute() returned:
    [05/05/15 09:51:18.358]:**RRSD** ST:
    <nds dtdversion="4.0">
    <source>
    <product instance="Role and Resource Service Driver"
    version="4.5.0.0">NetIQ Role Service Driver</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status event-id="0" level="error">Error creating resource request
    DN: O=Customer\OU=services\CN=DriverSet\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=ResourceRequests\CN=20150505095118-a72e18ffdd33454f825bcfa12173c764-0
    Reason: novell.jclient.JCException: createEntry -613
    ERR_SYNTAX_VIOLATION</status>
    <status event-id="0" level="error">Error recalculating roles
    Identity: O=Customer\OU=Data\OU=Users\CN=ameyer31
    Reason: novell.jclient.JCException: createEntry -613
    ERR_SYNTAX_VIOLATION</status>
    </output>
    </nds>

    I have verified my entitlements are all using IDM4 syntax, as they were
    before AdminUA was deleted. (i.e. I'm pretty sure it's not the
    entitlement config.)

    Any ideas where to look next, or even a simple total fix, appreciated.
    :-)


    --
    folboteur
    ------------------------------------------------------------------------
    folboteur's Profile: https://forums.netiq.com/member.php?userid=3683
    View this thread: https://forums.netiq.com/showthread.php?t=53433


  2. #2
    folboteur NNTP User

    Re: AdminUA deleted; Role Assignment havoc ensues.


    For the record:

    The ROLE gets assigned to the users. The subsequent Resource Request
    fails.

    Assigning a resource directly to an individual user works. The
    entitlement is assigned and the resource Request is created. So the
    entitlement syntax is right.


    --
    folboteur
    ------------------------------------------------------------------------
    folboteur's Profile: https://forums.netiq.com/member.php?userid=3683
    View this thread: https://forums.netiq.com/showthread.php?t=53433


  3. #3
    Join Date
    Jul 2014
    Posts
    21

    Re: AdminUA deleted; Role Assignment havoc ensues.


    This issue has to do with the fact that you recreated a UA admin and the
    original one no longer exists.

    Please, check the following:

    On your Role and Resource driver -> driver parameters -> User
    Application identity, make sure you are pointing to the correct UA
    admin.

    Update your RR driver in the vault, restart your edir and try the
    assignment again.

    MJ



    --
    mjendrisek
    ------------------------------------------------------------------------
    mjendrisek's Profile: https://forums.netiq.com/member.php?userid=8294
    View this thread: https://forums.netiq.com/showthread.php?t=53433
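The two checks the thread boils down to, as an added example (not code from the thread, from NetIQ, or from the Role and Resource Service Driver): first, pull the `level="error"` status elements and the eDirectory error code (-613 ERR_SYNTAX_VIOLATION) out of the shim output folboteur posted, so the failure is spotted mechanically instead of by reading a long trace; second, verify the DN configured as the driver's User Application identity the way mjendrisek suggests, and detect the case this thread is about, where the DN still resolves but to a rebuilt account rather than the original one. The shim XML is a constructed sample reproducing the trace above with the wrapped DNs joined; the AdminUA DN, the GUIDs and the directory snapshot are assumptions of this example, and keeping the privileged account's GUID next to its DN (`recorded_guid`) is a practice this example proposes, not something the driver does.

```python
"""Offline checks for a deleted-and-rebuilt privileged account (constructed data).

1. parse_shim_errors(): extract every level="error" <status> from an RRSD trace
   fragment and decode the eDirectory error code it carries.
2. check_identity_reference(): verify that the DN configured as the driver's
   User Application identity still resolves, and whether it resolves to the
   same object as before (a rebuilt account keeps its name but gets a new GUID).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the shim output from the thread, wrapped DNs rejoined.
# The error code and reason text are exactly as in the trace.
SAMPLE_SHIM_OUTPUT = r"""<nds dtdversion="4.0">
<source>
<product instance="Role and Resource Service Driver" version="4.5.0.0">NetIQ Role Service Driver</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="0" level="error">Error creating resource request
DN: O=Customer\OU=services\CN=DriverSet\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=ResourceRequests\CN=20150505095118-a72e18ffdd33454f825bcfa12173c764-0
Reason: novell.jclient.JCException: createEntry -613 ERR_SYNTAX_VIOLATION</status>
<status event-id="0" level="error">Error recalculating roles
Identity: O=Customer\OU=Data\OU=Users\CN=ameyer31
Reason: novell.jclient.JCException: createEntry -613 ERR_SYNTAX_VIOLATION</status>
</output>
</nds>"""

# "createEntry -613 ERR_SYNTAX_VIOLATION" -> (-613, "ERR_SYNTAX_VIOLATION")
EDIR_ERROR = re.compile(r"createEntry\s+(-\d+)\s+(ERR_[A-Z_]+)")


@dataclass
class ShimError:
    event_id: str
    summary: str          # first line of the <status> text
    code: Optional[int]   # eDirectory error code, e.g. -613
    name: Optional[str]   # symbolic name, e.g. ERR_SYNTAX_VIOLATION


def parse_shim_errors(xml_text: str) -> list[ShimError]:
    """Return every <status level="error"> found in a DirXML document."""
    root = ET.fromstring(xml_text)
    found = []
    for status in root.iter("status"):
        if status.get("level") != "error":
            continue
        text = (status.text or "").strip()
        match = EDIR_ERROR.search(text)
        found.append(ShimError(
            event_id=status.get("event-id", ""),
            summary=text.splitlines()[0] if text else "",
            code=int(match.group(1)) if match else None,
            name=match.group(2) if match else None,
        ))
    return found


@dataclass
class Entry:
    guid: str
    object_class: str


# Constructed directory snapshot (DN -> entry). The UA admin DN and all GUIDs
# are made up for this example; the thread does not give them.
ORIGINAL_ADMIN_GUID = "11111111-1111-1111-1111-111111111111"
REBUILT_ADMIN_GUID = "22222222-2222-2222-2222-222222222222"
DIRECTORY = {
    r"O=Customer\OU=services\CN=AdminUA": Entry(REBUILT_ADMIN_GUID, "User"),
    r"O=Customer\OU=Data\OU=Users\CN=ameyer31": Entry(
        "33333333-3333-3333-3333-333333333333", "User"),
}


def check_identity_reference(configured_dn: str, recorded_guid: Optional[str],
                             directory: dict) -> str:
    """Classify the driver's configured User Application identity.

    'missing'   - the DN no longer resolves at all
    'recreated' - the DN resolves, but to a different object than the GUID
                  recorded when the reference was last known good
    'ok'        - the DN resolves to the expected object
    Tracking recorded_guid is this example's own suggestion: keep the GUID of
    a privileged account next to its DN so a delete-and-rebuild is detectable.
    """
    entry = directory.get(configured_dn)
    if entry is None:
        return "missing"
    if recorded_guid is not None and entry.guid != recorded_guid:
        return "recreated"
    return "ok"


if __name__ == "__main__":
    for err in parse_shim_errors(SAMPLE_SHIM_OUTPUT):
        print(f"event {err.event_id}: {err.summary} [{err.code} {err.name}]")
    print(check_identity_reference(r"O=Customer\OU=services\CN=AdminUA",
                                   ORIGINAL_ADMIN_GUID, DIRECTORY))
```

Run stand-alone it lists the two -613 errors and reports `recreated` for the AdminUA DN, which is the state this thread describes: the name matches, the object does not. In a real vault the snapshot would be replaced by an LDAP read of the DN and its GUID attribute, and the configured DN taken from the driver's parameters as the answer above describes.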

