Background:

I'm connecting an eDir instance to my idvault via the bi-directional
edir driver.
Due to the extremely large number of groups in eDir we are not syncing
groups from eDir to the idvault.
I have a subset of groups in eDir that are managed via
roles/resources/entitlements in UserApp.

Problem:

I would like to have IDM remove users from all groups that aren't
managed via entitlements. I'm able to successfully query my eDir
instance and get group membership back but the driver keeps trying to
resolve the association references and then drops the query results.
From a trace:


Code:
--------------------
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20160425_0222" instance="IGS" version="4.0.2.0">Identity Manager Bi-directional Driver for eDirectory</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<instance class-name="User" event-id="0" src-dn="cn=si6005,ou=users,ou=ho,o=sgi">
<association state="associated">443CF239E3043B4EAAB9443CF239E304</association>
<attr attr-name="Group Membership">
<value association-ref="27F5239BF11B0A4FA3BB27F5239BF11B" type="dn">cn=IDM-Remove-Me,ou=idm,o=sgi</value>
<value association-ref="2812D5BEAF1786406AA72812D5BEAF17" type="dn">cn=IDM-Dept-83500,ou=idm,o=sgi</value>
</attr>
</instance>
<status event-id="0" level="success"/>
</output>
</nds>
[04/10/17 08:41:44.409]:IGS ST: Resolving association references.
[04/10/17 08:41:44.410]:IGS ST:
DirXML Log Event -------------------
Driver: \SGIDEVIDVAULT\system\Driver Set\IGS
Channel: Subscriber
Object: \SGIDEVIDVAULT\data\users\si6005
Status: Warning
Message: Code(-8003) Unable to synchronize reference to cn=IDM-Remove-Me,ou=idm,o=sgi from attribute Group Membership.
[04/10/17 08:41:44.421]:IGS ST:
DirXML Log Event -------------------
Driver: \SGIDEVIDVAULT\system\Driver Set\IGS
Channel: Subscriber
Object: \SGIDEVIDVAULT\data\users\si6005
Status: Warning
Message: Code(-8003) Unable to synchronize reference to cn=IDM-Dept-83500,ou=idm,o=sgi from attribute Group Membership.
[04/10/17 08:41:44.422]:IGS ST: Query from policy result
[04/10/17 08:41:44.424]:IGS ST:
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="20160425_0222" instance="IGS" version="4.0.2.0">Identity Manager Bi-directional Driver for eDirectory</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<instance class-name="User" event-id="0" src-dn="cn=si6005,ou=users,ou=ho,o=sgi">
<association state="associated">443CF239E3043B4EAAB9443CF239E304</association>
</instance>
<status event-id="0" level="success"/>
</output>
</nds>

--------------------




I'm not sure why the driver is trying to resolve the associations. The
filter is set to not synchronize group objects or the Group Membership
attribute on user objects.

Does anyone have any suggestions on where to start?


--
pkoochin
View this thread: https://forums.netiq.com/showthread.php?t=57785
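
Added example, not part of the original post and not NetIQ code: a Python script that diffs the driver's query reply against the "Query from policy result" document in the trace above and pairs each dropped DN value with its Code(-8003) warning. The sample inputs are trimmed from the post's trace; the function names `dn_values` and `dropped_references` are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed from the trace in the post: driver reply, engine warnings, policy result.
DRIVER_REPLY = """<nds dtdversion="2.0" ndsversion="8.x"><output>
<instance class-name="User" event-id="0" src-dn="cn=si6005,ou=users,ou=ho,o=sgi">
<attr attr-name="Group Membership">
<value association-ref="27F5239BF11B0A4FA3BB27F5239BF11B" type="dn">cn=IDM-Remove-Me,ou=idm,o=sgi</value>
<value association-ref="2812D5BEAF1786406AA72812D5BEAF17" type="dn">cn=IDM-Dept-83500,ou=idm,o=sgi</value>
</attr></instance><status event-id="0" level="success"/></output></nds>"""
POLICY_RESULT = """<nds dtdversion="2.0" ndsversion="8.x"><output>
<instance class-name="User" event-id="0" src-dn="cn=si6005,ou=users,ou=ho,o=sgi"/>
<status event-id="0" level="success"/></output></nds>"""
WARNINGS = """Message: Code(-8003) Unable to synchronize reference to cn=IDM-Remove-Me,ou=idm,o=sgi from attribute Group Membership.
Message: Code(-8003) Unable to synchronize reference to cn=IDM-Dept-83500,ou=idm,o=sgi from attribute Group Membership."""

WARN_RE = re.compile(
    r"Code\((-?\d+)\) Unable to synchronize reference to (.+?) from attribute (.+?)\.\s*$", re.M)

def dn_values(xds):
    """Return {(src-dn, attr-name, value DN): association-ref} for every DN value."""
    found = {}
    for inst in ET.fromstring(xds).iter("instance"):
        for attr in inst.iter("attr"):
            for val in attr.iter("value"):
                if val.get("type") == "dn":
                    key = (inst.get("src-dn"), attr.get("attr-name"), (val.text or "").strip())
                    found[key] = val.get("association-ref")
    return found

def dropped_references(driver_reply, policy_result, trace_text):
    """List DN values present in the driver reply but absent from the policy result."""
    before, after = dn_values(driver_reply), dn_values(policy_result)
    codes = {(dn, attr): code for code, dn, attr in WARN_RE.findall(trace_text)}
    return [
        {"object": src, "attr": attr, "dn": dn, "association_ref": ref,
         "warning_code": codes.get((dn, attr))}
        for (src, attr, dn), ref in before.items() if (src, attr, dn) not in after
    ]

if __name__ == "__main__":
    for row in dropped_references(DRIVER_REPLY, POLICY_RESULT, WARNINGS):
        print(row)
```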