Hello All,

HELP...

I have over 1000 users being added today to my IDM system (4.0.2, sp7)
from a JDBC source. I have an Active Directory driver (4.0.2) that our
users use to log in. For some reason the users are not being created.
Part of the trace is shown below:

<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20150311_120000"
instance="\LHU-TREE\lhu\services\LHUDS\Active Directory Driver"
version="4.0.1.0">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status
event-id="idm1#20150804151619#1#1:433ed172-b0a4-47fc-a894-72d13e43a4b0"
level="error" type="driver-general">
<ldap-err ldap-rc="19" ldap-rc-name="LDAP_CONSTRAINT_VIOLATION">
<client-err ldap-rc="19"
ldap-rc-name="LDAP_CONSTRAINT_VIOLATION">Constraint
Violation</client-err>
<server-err>00002081: AtrErr: DSID-031513A5, #1:
0: 00002081: DSID-031513A5, problem 1005 (CONSTRAINT_ATT_TYPE),
data 0, Att 150003 (mail)
</server-err>
<server-err-ex win32-rc="8321"/>
</ldap-err>
<operation-data attempt-to-match="true"
unmatched-src-dn="CN=15000028,OU=Users">
<password-subscribe-status>
<association/>
</password-subscribe-status>
</operation-data>
</status>
<status
event-id="idm1#20150804151619#1#1:433ed172-b0a4-47fc-a894-72d13e43a4b0"
level="warning" type="driver-general">
<ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
<client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No
Such Object</client-err>
<server-err>0000208D: NameErr: DSID-0310020A, problem 2001
(NO_OBJECT), data 0, best match of:
'DC=XXX,DC=XXX,DC=XXX,DC=XXX'
</server-err>
<server-err-ex win32-rc="8333"/>
</ldap-err>
<operation-data attempt-to-match="true"
unmatched-src-dn="CN=15000028,OU=Users">
<password-subscribe-status>
<association/>
</password-subscribe-status>
</operation-data>
</status>
</output>
</nds>


To me this looks like it's having a problem with the "mail" attribute.
When I look at the record in ConsoleOne it's showing as a two-valued
attribute. 015000028@XXX.XXX - and that breaks down to 0 and
15000028@XXX.XXX

I need to force these users across, so I was thinking of removing the
mail attribute and putting the correct one in, but when I do that it
puts the multi-value back and then AD refuses to budge.

Can anyone help me to, one, fix the driver so it doesn't do that and, two,
force the users over to Active Directory, even by making a small
change on the record, country for example, which isn't used here?

Thanks


--
Stonej
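One way to triage a trace like the one in the post across many failed users (an added example, not part of the original post and not NetIQ code): it parses status documents with the layout shown above and groups error-level LDAP failures by result name and the attribute named in the server error. The function names, the regular expressions and the constructed sample are assumptions based only on the trace lines in the post.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, trimmed from the status document layout shown in the post.
SAMPLE_TRACE = """<nds dtdversion="1.1" ndsversion="8.7"><output>
<status event-id="constructed-1" level="error" type="driver-general">
<ldap-err ldap-rc="19" ldap-rc-name="LDAP_CONSTRAINT_VIOLATION">
<server-err>00002081: AtrErr: DSID-031513A5, #1:
0: 00002081: DSID-031513A5, problem 1005 (CONSTRAINT_ATT_TYPE),
data 0, Att 150003 (mail)
</server-err></ldap-err>
<operation-data attempt-to-match="true" unmatched-src-dn="CN=15000028,OU=Users"/></status>
<status event-id="constructed-1" level="warning" type="driver-general">
<ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
<server-err>0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0</server-err>
</ldap-err>
<operation-data attempt-to-match="true" unmatched-src-dn="CN=15000028,OU=Users"/></status>
</output></nds>"""

# Patterns assumed from the server-err text in the post: "problem N (NAME)", "Att ID (name)".
PROBLEM_RE = re.compile(r"problem\s+(\d+)\s+\((\w+)\)")
ATTR_RE = re.compile(r"Att\s+[0-9a-fA-F]+\s+\(([^)]+)\)")

def parse_status_failures(xml_text):
    """Return one dict per <status> element that carries an <ldap-err>."""
    failures = []
    for status in ET.fromstring(xml_text).iter("status"):
        err = status.find("ldap-err")
        if err is None:
            continue  # status without an LDAP error, nothing to triage
        # server-err wraps across lines in the trace, so collapse whitespace first
        server = " ".join((err.findtext("server-err") or "").split())
        problem = PROBLEM_RE.search(server)
        attr = ATTR_RE.search(server)
        op = status.find("operation-data")
        failures.append({
            "level": status.get("level"),
            "ldap_rc": int(err.get("ldap-rc")),
            "ldap_rc_name": err.get("ldap-rc-name"),
            "problem": problem.group(2) if problem else None,
            "attribute": attr.group(1) if attr else None,
            "src_dn": op.get("unmatched-src-dn") if op is not None else None,
        })
    return failures

def summarize(failures):
    """Count error-level failures by (LDAP result name, offending attribute)."""
    return Counter((f["ldap_rc_name"], f["attribute"])
                   for f in failures if f["level"] == "error")
```

Calling `summarize(parse_status_failures(trace_text))` on each captured status document shows whether every rejected user fails on the same attribute or whether several causes are mixed together.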