Quote: Originally posted by geoffc
On 5/2/2019 10:34 AM, marcus jonsson wrote:
>
> Hi!
>
> I have a problem with code map refresh. This occurs on all drivers (and
> yes, they are up and running, nothing shows in the driver traces).
>
> IDM 4.7.1
>
> The main error I see in catalina is:
> LDAP: error code 80 - invalid request (-641)]
>
> But I cannot figure out what causes this.
>
> Any ideas to help me are appreciated.
>
>
> Code:
> --------------------
>
> 2019-05-02 16:22:31,257 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataModel] (https-jsse-nio-8443-exec-10) [RBPM] VDM.getEntityDefinition(String, Locale):sys-nrf-entitlement
> 2019-05-02 16:22:31,257 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.getEntity: cn=useraccount,cn=activedirectory,cn=driverset1,o=system
> 2019-05-02 16:22:31,258 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.getLdapAttributes Attributes and values
> 2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] Attribute ID: modifyTimestamp
> 2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] 20180419124321Z
> 2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] Attribute ID: objectClass
> 2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] Top
> 2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] DirXML-Entitlement
> 2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] DirXML-PkgItemAux
> 2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] Attribute ID: XmlData
> 2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] <?xml version="1.0" encoding="UTF-8"?><entitlement conflict-resolution="union" description="The User Account entitlement grants or denies an account in Active Directory for the user. When granted, the user is given an enabled logon account. When revoked, the logon account is either disabled or deleted depeding on how the drive is configured." display-name="User Account Entitlement">
> <values multi-valued="false">
> <query-app>
> <query-xml>
> <nds dtdversion="2.0">
> <input>
> <query class-name="ADDomain" scope="subtree">
> <search-class class-name="ADDomain"/>
> <read-attr attr-name="ADDomainValue"/>
> <read-attr attr-name="ADDomainDisplayName"/>
> <read-attr attr-name="ADDomainDescription"/>
> </query>
> </input>
> </nds>
> </query-xml>
> <result-set>
> <display-name>
> <token-attr attr-name="ADDomainDisplayName"/>
> </display-name>
> <description>
> <token-attr attr-name="ADDomainDescription"/>
> </description>
> <ent-value>
> <token-attr attr-name="ADDomainValue"/>
> </ent-value>
> </result-set>
> </query-app>
> </values>
> </entitlement>
> 2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.checking if object instance contains the required objectClass per DAL definition: sys-nrf-entitlement
> 2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.does contain required (search=true or auxilliary=false) objectClass:DirXML-Entitlement
> 2019-05-02 16:22:31,259 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.object instance is correct type
> 2019-05-02 16:22:31,270 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.getEntityResultList
> 2019-05-02 16:22:31,270 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataModel] (https-jsse-nio-8443-exec-10) [RBPM] VDM.getEntityDefinition(String, Locale):sys-nrf-idmresource
> 2019-05-02 16:22:31,270 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataModel] (https-jsse-nio-8443-exec-10) [RBPM] VDM.getEntityDefinition(String, Locale):sys-nrf-idmresource
> 2019-05-02 16:22:31,270 DEBUG [com.novell.srvprv.impl.vdata.model.VirtualDataAccess] (https-jsse-nio-8443-exec-10) [RBPM] VDA.getEntityResultList query filter: (&(|(objectClass=DirXML-Resource))(DirXML-ContentType=text/vnd.novell.idm.entitlementConfiguration+xml))
> 2019-05-02 16:22:31,514 ERROR [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] Unable to complete the CODE MAP refresh for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o=system.
> com.novell.idm.nrf.exception.NrfException: Error occurred populating code map table(s) for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o=system. The most likely cause is that the IDM driver containing the entitlement is not started, or there is a communication issue between the remote loader and driver. Refer to the following stack trace for more details. A NDS trace log may help with driver related issues.
> at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:394)
> at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:154)
> at com.novell.idm.nrf.service.ProvisioningCodeMapService.populateCodeMapTablesFromQuery(ProvisioningCodeMapService.java:801)
> at com.novell.idm.nrf.service.ProvisioningCodeMapService.updateViewFromEntitlement(ProvisioningCodeMapService.java:307)
> at com.novell.idm.nrf.service.ProvisioningCodeMapService.refreshViewFromEntitlement(ProvisioningCodeMapService.java:101)
> at com.novell.idm.nrf.service.CodeMapEngine.updateEntitlementToCodeMapView(CodeMapEngine.java:387)
> at com.novell.idm.nrf.service.CodeMapEngine.refreshCodeMap(CodeMapEngine.java:245)
> at com.netiq.idm.rest.catalog.CodeMapRefreshService.entitlementRefresh(CodeMapRefreshService.java:154)
> at sun.reflect.GeneratedMethodAccessor771.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:168)
> at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:67)
> at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:259)
> at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:133)
> at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:83)
> at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:133)
> at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:71)
> at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:990)
> at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:941)
> at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:932)
> at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:384)
> at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:451)
> at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:632)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.netiq.idm.rest.catalog.RestAuthFilter.doFilter(RestAuthFilter.java:100)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.common.auth.JAASFilter.doFilter(JAASFilter.java:145)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.common.auth.saml.AuthTokenGeneratorFilter.doFilter(AuthTokenGeneratorFilter.java:108)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.common.auth.sso.SSOFilter.doFilter(SSOFilter.java:125)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.soa.common.i18n.BestLocaleServletFilter.doFilter(BestLocaleServletFilter.java:241)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.common.ForceNoCacheFilter.doFilter(ForceNoCacheFilter.java:69)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.common.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:53)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at com.novell.common.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:132)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
> at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:322)
> at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:193)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
> at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
> at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
> at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: com.novell.idm.nrf.exception.NrfException: Error occurred running the entitlement/nds queries for entitlement Dn: cn=useraccount,cn=activedirectory,cn=driverset1,o=system, Query XML: <?xml version="1.0" encoding="UTF-8"?><nds dtdversion="2.0">
> <input>
> <query class-name="ADDomain" scope="subtree">
> <search-class class-name="ADDomain"/>
> <read-attr attr-name="ADDomainValue"/>
> <read-attr attr-name="ADDomainDisplayName"/>
> <read-attr attr-name="ADDomainDescription"/>
> </query>
> </input>
> </nds>
>
> at com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2018)
> at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:262)
> ... 75 more
> Caused by: javax.naming.NamingException: [LDAP: error code 80 - invalid request (-641)]; remaining name ''
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3198)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
> at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3279)
> at sun.reflect.GeneratedMethodAccessor699.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at com.sssw.fw.directory.realm.impl.jndildap.EboLdapContextProxyHandler.invokeMethod(EboLdapContextProxyHandler.java:145)
> at com.sssw.fw.directory.realm.impl.jndildap.EboLdapContextProxyHandler.invoke(EboLdapContextProxyHandler.java:86)
> at com.sun.proxy.$Proxy27.extendedOperation(Unknown Source)
> at com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2009)
> ... 76 more
> 2019-05-02 16:22:31,526 INFO [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] CODE MAP refresh on entitlement: [cn=useraccount,cn=activedirectory,cn=driverset1,o=system] failed.
> 2019-05-02 16:22:31,526 DEBUG [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] Setting m_refreshInProgress to false after refresh.


641 means, you tried a DirXML related action that is 'illegal' or not
allowed at this time.

So on the first hand you would expect the AD driver to not be running,
which is needed to Inject XDS driver to driver which is how the query is
injected.

Silly question, is your User App driver running? It is injected via the
UA driver into the AD driver, and both need to be running. This is one
of the few actual uses of the UA driver in terms of actual 'work'.

Hi Geoff!

There is no such thing as a silly question

Yes, User App driver is running and the AD driver is running. I see no activity on User App driver (trace lvl 10) when I try code map refresh (maybe not expected?), and no activity on the AD driver either.

The error does seem to imply an error returned on the LDAP-call, is that routed somehow to the User App driver which in turn sends the query to the connected system driver (AD driver in this case)?

I also verified that the AD driver is fully up by changing an attribute in IDV and verifying in AD, and it is all good.

As this is a test environment I have also tried restarting all services (eDir and Identity Applications) and also clearing out work and temp in Tomcat. Should probably not make a difference, but worth a try.

Any other ideas?

Best regards
Marcus
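
An added example, not part of either post and not NetIQ code: a small triage script that reduces each failed code map refresh in the catalina log to its innermost "Caused by", the LDAP result code, the eDirectory error in parentheses, and whether the failure surfaced from an LDAP extended operation, as the trace above shows. The sample log is an abridged, constructed copy of the quoted trace; the function name `triage` and the record field names are assumptions of this example.

```python
import re

# Constructed sample: an abridged copy of the catalina log quoted in the thread.
SAMPLE_LOG = """\
2019-05-02 16:22:31,514 ERROR [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] Unable to complete the CODE MAP refresh for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o=system.
com.novell.idm.nrf.exception.NrfException: Error occurred populating code map table(s) for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o=system.
    at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:394)
Caused by: com.novell.idm.nrf.exception.NrfException: Error occurred running the entitlement/nds queries for entitlement Dn: cn=useraccount,cn=activedirectory,cn=driverset1,o=system, Query XML: <nds dtdversion="2.0">
</nds>
    at com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2018)
Caused by: javax.naming.NamingException: [LDAP: error code 80 - invalid request (-641)]; remaining name ''
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3198)
    at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3279)
2019-05-02 16:22:31,526 INFO [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] CODE MAP refresh on entitlement: [cn=useraccount,cn=activedirectory,cn=driverset1,o=system] failed.
"""

EVENT_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
FAIL_RE = re.compile(r"ERROR \[[\w.]*CodeMapEngine\].*CODE MAP refresh for entitlement: (.+?)\.$")
CAUSE_RE = re.compile(r"^Caused by: ([\w.$]+): (.*)$")
LDAP_RE = re.compile(r"LDAP: error code (\d+) - .*?\((-\d+)\)")
FRAME_RE = re.compile(r"^\s+at ([\w.$]+)\(")

def triage(log_text):
    """Return one record per failed code map refresh, reduced to its innermost cause."""
    failures, cur = [], None
    for line in log_text.splitlines():
        if EVENT_RE.match(line):            # a timestamped line ends the previous trace
            hit = FAIL_RE.search(line)
            cur = None
            if hit:
                cur = {"entitlement": hit.group(1), "root_cause": None,
                       "ldap_code": None, "edir_code": None, "frames": []}
                failures.append(cur)
        elif cur is not None:
            cause, frame = CAUSE_RE.match(line), FRAME_RE.match(line)
            if cause:                       # each deeper "Caused by" replaces the previous one
                cur["root_cause"], cur["frames"] = cause.group(1), []
                cur["ldap_code"] = cur["edir_code"] = None
                ldap = LDAP_RE.search(cause.group(2))
                if ldap:
                    cur["ldap_code"], cur["edir_code"] = int(ldap.group(1)), int(ldap.group(2))
            elif frame:
                cur["frames"].append(frame.group(1))
    for rec in failures:                    # did the innermost cause come from an LDAP extended operation?
        rec["via_extended_op"] = any(f.endswith(".extendedOperation") for f in rec["frames"])
    return failures

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["entitlement"], rec["root_cause"], rec["ldap_code"], rec["edir_code"], rec["via_extended_op"])
```
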