Solved

trying to veto all objects not in Active Dir org unit using IM2

Posted on 2006-07-17
Last Modified: 2012-08-13
Hi there,

I am trying to create a rule that vetoes changes to all objects not in a particular subtree in my AD domain, to ensure they are not synced back into the eDir tree. However, I am having problems.

The rule I have set up is as follows:

<rule>
  <description>Veto all not in specified here</description>
  <conditions>
    <and>
      <if-src-dn op="not-in-subtree">OU=Company,DC=domain,DC=local</if-src-dn>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

Every time I try to start the driver after having created this rule, I get the following error in DSTRACE:

15:04:13 4FDCE4A0 Drvrs: Active Directory PT:
DirXML Log Event -------------------
Driver: \tree\company\Services\IDM\driverset1\Active Directory
Channel: Publisher
Status: Fatal
Message: Unable to validate that there is a non-empty driver object password (a Publisher-channel Policy may be incorrect)
15:04:13 4FDCE4A0 Drvrs: Active Directory PT:
DirXML Log Event -------------------
Driver: \\tree\company\IDM\driverset1\Active Directory
Channel: Publisher
Status: Fatal
Message: Code(-9005) The driver returned a "fatal" status indicating that the driver should be shut down. Detail from driver: Unable to validate that there is a non-empty driver object password (a Publisher-channel Policy may be incorrect)
<application>DirXML</application>
<module>Active Directory</module>
<object-dn></object-dn>
<component>Publisher</component>

Does anyone have any ideas?

Thanks
Question by:huziy
14 Comments
 
LVL 35

Expert Comment

by:ShineOn
ID: 17122559
Have you applied the SOAP driver patch?

Here's the TID: http://support.novell.com/cgi-bin/search/searchtid.cgi?2972643.htm
 

Author Comment

by:huziy
ID: 17122835
No, I hadn't. I added the 2 x .jar files into the lib dir on both the NetWare server and the 2003 server and restarted the Remote Loader service on the 2003 server.

Unfortunately, still the same error.
 
LVL 35

Expert Comment

by:ShineOn
ID: 17123975
There's an AD driver patch, too, that I hadn't thought of, that may or may not apply to this (since it IS the AD driver load that's throwing the error.)

Or, there's something wrong with the driver object, its password entry, or something in the policy as relates to the object and/or password, as the error message states.  Hard to say from this vantage point.

Everything's working OK until you try to use this rule, but the driver load throws the error when this rule is applied?
 

Author Comment

by:huziy
ID: 17124711
Yes, as soon as I add this rule it throws the error. Otherwise I have two-way sync without any problems.
 
LVL 35

Expert Comment

by:ShineOn
ID: 17126156
I'm stuck - I don't know enough about IM rules.  I'll be watching, though...
 

Author Comment

by:huziy
ID: 17127972
So will I!...
 
LVL 6

Expert Comment

by:dotENG
ID: 17130395
Could you post the outcome of your DSTRACE.LOG? Use:

DSTRACE SCREEN ON
DSTRACE FILE ON
DSTRACE -ALL
DSTRACE +DXML
DSTRACE +DVRS
 
LVL 19

Expert Comment

by:alextoft
ID: 17131785
Which policy group did you put this rule in? The syntax is fine. As mentioned, make sure you have all the latest driver updates for IDM2. There were a lot, especially for AD, and they fixed a lot of bugs.

Obviously it wants to be fairly high up the list as it's a veto rule. No point processing right through the whole lot only to be vetoed at the end.

I'd put it in the Event Transformation policies before it hits the filter. Don't forget, you want it to go AFTER the schema mapping policies, so don't put it in Input Transformation.
 

Author Comment

by:huziy
ID: 17132905
OK, I fixed this one. Took a while though!

It seems on driver startup an XML document passes through the channel. I'm sure someone can tell me what this is, but by having a rule that vetoed everything not in a particular OU it stopped this doc getting through.

Therefore I added another entry in the same rule that asked if the Source DN existed in the XML document. If this was true and it didn't exist in the set OU then the veto came into place. If it didn't have a Source DN then it must be that first doc, and it allowed it to pass through.

This assumes that every doc will have a Source DN, which I assume must be correct?

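The two-condition rule described in the comment above, written out in full. This is an added example, not the poster's actual rule; it assumes DirXML Script's "available" operator for if-src-dn, the same OU DN as the question, and that a rule with no src-dn is the driver's startup document rather than a real object event.

```xml
<rule>
  <description>Veto events for objects outside OU=Company; let src-dn-less startup document through</description>
  <conditions>
    <and>
      <!-- Assumption: op="available" is true only when the event carries a src-dn.
           The startup document has none, so this condition is false for it and
           the rule does not fire; the driver can then complete its password check. -->
      <if-src-dn op="available"/>
      <!-- Real object events: veto anything whose source DN is outside the permitted OU. -->
      <if-src-dn op="not-in-subtree">OU=Company,DC=domain,DC=local</if-src-dn>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>
```

Because the conditions are ANDed, an event with no src-dn never reaches the subtree test; any object event that does carry a src-dn and lies outside the OU is vetoed. If this is meant to stop objects syncing back into eDirectory, it belongs on the Publisher channel, and per the placement advice above, in an Event Transformation policy after Schema Mapping.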
 
LVL 6

Expert Comment

by:dotENG
ID: 17133391
Please give us some more information about this file:
how did you "catch" it?
Anything about its content...
 
LVL 19

Expert Comment

by:alextoft
ID: 17133528
I have to ask actually, if you only want a certain subtree in AD to sync, why not simply make that the root of your driver? Would make sense...
 

Author Comment

by:huziy
ID: 17136193
That would make sense, although actually there are a number of subtrees, but I see your point. It is also useful when testing to be able to limit the objects synced to a single test OU, which is what I am using this rule for at the moment.
 

Accepted Solution

by:
ee_ai_construct earned 0 total points
ID: 17399771
PAQ / Refund
ee ai construct, community support moderator