Originally posted by geoffc:
>>> (https-jsse-nio-8443-exec-10) [RBPM] VDA.getEntityResultList query filter: (&(|(objectClass=DirXML-Resource))(DirXML-ContentType=text/vnd.novell.idm.entitlementConfiguration+xml))
>>> 2019-05-02 16:22:31,514 ERROR [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] Unable to complete the CODE MAP refresh for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o= system.
>>> com.novell.idm.nrf.exception.NrfException: Error occurred populating code map table(s) for entitlement: cn=useraccount,cn=activedirectory,cn=driverset1,o= system. The most likely cause is that the IDM driver containing the entitlement is not started, or there is a communication issue between the remote loader and driver. Refer to the following stack trace for more details. A NDS trace log may help with driver related issues.
>>> at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:394)
>>> at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:154)
>>> at com.novell.idm.nrf.service.ProvisioningCodeMapService.populateCodeMapTablesFromQuery(ProvisioningCodeMapService.java:801)
>>> at com.novell.idm.nrf.service.ProvisioningCodeMapService.updateViewFromEntitlement(ProvisioningCodeMapService.java:307)
>>> at com.novell.idm.nrf.service.ProvisioningCodeMapService.refreshViewFromEntitlement(ProvisioningCodeMapService.java:101)
>>> at com.novell.idm.nrf.service.CodeMapEngine.updateEntitlementToCodeMapView(CodeMapEngine.java:387)
>>> at com.novell.idm.nrf.service.CodeMapEngine.refreshCodeMap(CodeMapEngine.java:245)
>>> at com.netiq.idm.rest.catalog.CodeMapRefreshService.entitlementRefresh(CodeMapRefreshService.java:154)
>>> at sun.reflect.GeneratedMethodAccessor771.invoke(Unknown Source)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>> at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:168)
>>> at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:67)
>>> at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:259)
>>> at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:133)
>>> at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:83)
>>> at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:133)
>>> at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:71)
>>> at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:990)
>>> at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:941)
>>> at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:932)
>>> at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:384)
>>> at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:451)
>>> at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:632)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>> at com.netiq.idm.rest.catalog.RestAuthFilter.doFilter(RestAuthFilter.java:100)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>> at com.novell.common.auth.JAASFilter.doFilter(JAASFilter.java:145)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>> at com.novell.common.auth.saml.AuthTokenGeneratorFilter.doFilter(AuthTokenGeneratorFilter.java:108)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>> at com.novell.common.auth.sso.SSOFilter.doFilter(SSOFilter.java:125)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>> at com.novell.soa.common.i18n.BestLocaleServletFilter.doFilter(BestLocaleServletFilter.java:241)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>> at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>> at com.novell.common.ForceNoCacheFilter.doFilter(ForceNoCacheFilter.java:69)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>> at com.novell.common.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:53)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>> at com.novell.common.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:132)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
>>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
>>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
>>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
>>> at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:322)
>>> at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:193)
>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
>>> at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
>>> at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>>> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
>>> at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>> at java.lang.Thread.run(Thread.java:748)
>>> Caused by: com.novell.idm.nrf.exception.NrfException: Error occurred running the entitlement/nds queries for entitlement Dn: cn=useraccount,cn=activedirectory,cn=driverset1,o= system, Query XML: <?xml version="1.0" encoding="UTF-8"?><nds dtdversion="2.0">
>>> <input>
>>> <query class-name="ADDomain" scope="subtree">
>>> <search-class class-name="ADDomain"/>
>>> <read-attr attr-name="ADDomainValue"/>
>>> <read-attr attr-name="ADDomainDisplayName"/>
>>> <read-attr attr-name="ADDomainDescription"/>
>>> </query>
>>> </input>
>>> </nds>
>>>
>>> at com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2018)
>>> at com.novell.idm.nrf.persist.PopulateCodeMap.populateFromEntitlementQuery(PopulateCodeMap.java:262)
>>> ... 75 more
>>> Caused by: javax.naming.NamingException: [LDAP: error code 80 - invalid request (-641)]; remaining name ''
>>> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3198)
>>> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
>>> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
>>> at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3279)
>>> at sun.reflect.GeneratedMethodAccessor699.invoke(Unknown Source)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>> at com.sssw.fw.directory.realm.impl.jndildap.EboLdapContextProxyHandler.invokeMethod(EboLdapContextProxyHandler.java:145)
>>> at com.sssw.fw.directory.realm.impl.jndildap.EboLdapContextProxyHandler.invoke(EboLdapContextProxyHandler.java:86)
>>> at com.sun.proxy.$Proxy27.extendedOperation(Unknown Source)
>>> at com.novell.idm.nrf.persist.PopulateCodeMap.queryDriver(PopulateCodeMap.java:2009)
>>> ... 76 more
>>> 2019-05-02 16:22:31,526 INFO [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] CODE MAP refresh on entitlement: [cn=useraccount,cn=activedirectory,cn=driverset1,o= system] failed.
>>> 2019-05-02 16:22:31,526 DEBUG [com.novell.idm.nrf.service.CodeMapEngine] (https-jsse-nio-8443-exec-10) [RBPM] Setting m_refreshInProgress to false after refresh.
>>
>> 641 means, you tried a DirXML related action that is 'illegal' or not
>> allowed at this time.
>>
>> So on the first hand you would expect the AD driver to not be running,
>> which is needed to Inject XDS driver to driver which is how the query
>> is injected.
>>
>> Silly question, is your User App driver running? It is injected via
>> the UA driver into the AD driver, and both need to be running. This is
>> one of the few actual uses of the UA driver in terms of actual 'work'.

>
> Hi Geoff!
>
> There is no such thing as a silly question
>
> Yes, User App driver is running and the AD driver is running. I see no
> activity on User App driver (trace lvl 10) when I try code map refresh
> (maybe not expected?), and no activity on the AD driver either.
>
> The error does seem to imply an error returned on the LDAP-call, is that
> routed somehow to the User App driver which in turn sends the query to
> the connected system driver (AD driver in this case)?
>
> I also verified that the AD driver is fully up by changing an attribute
> in IDV and verify in AD, and it is all good.
>
> As this is a test environment I have also tried restarting all services
> (eDir and Identity Applications) and also clearing out work and temp in
> Tomcat. Should probably not make a difference, but worth a try.


So in the AD trace if it worked, you would see Injecting XDS... and then
the query. Do you have any other entitlements in other drivers, and are
they working?

Hi.

Yes, there are about 15 entitlements in this environment, and 5 of them are actually working. The others have worked before, but I have no clue what has caused them to stop working.

Also, this is the test environment, and the same drivers/entitlements are working in production. It is the same version of IDM also.

I have compared production and test, but I cannot find any odd difference (GCVs and such differ, of course) on the driver level.

I have also verified that Identity Applications is using the same IDVault server that the User App driver is running on. It makes no difference if the AD driver is running on the same server as the User App driver or not.

Best regards
Marcus