Solved

trying to veto all objects not in Active Dir org unit using IM2

Posted on 2006-07-17
Last Modified: 2012-08-13
Hi there,

I am trying to create a rule that vetoes changes to all objects not in a particular subtree in my AD domain, to ensure they are not synced back into the eDir tree. I am having problems, though.

The rule I have set up is as follows:

<rule>
      <description>Veto all not in specified here</description>
      <conditions>
            <and>
                  <if-src-dn op="not-in-subtree">OU=Company,DC=domain,DC=local</if-src-dn>
            </and>
      </conditions>
      <actions>
            <do-veto/>
      </actions>
</rule>

Every time I try to start the driver after having created this rule, I get the following error in DSTRACE:

15:04:13 4FDCE4A0 Drvrs: Active Directory PT:
DirXML Log Event -------------------
Driver: \tree\company\Services\IDM\driverset1\Active Directory
Channel: Publisher
Status: Fatal
Message: Unable to validate that there is a non-empty driver object password (a Publisher-channel Policy may be incorrect)
15:04:13 4FDCE4A0 Drvrs: Active Directory PT:
DirXML Log Event -------------------
Driver: \\tree\company\IDM\driverset1\Active Directory
Channel: Publisher
Status: Fatal
Message: Code(-9005) The driver returned a "fatal" status indicating that the driver should be shut down. Detail from driver: Unable to validate that there is a non-empty driver object password (a Publisher-channel Policy may be incorrect)<application>DirXML</application>
<module>Active Directory</module>
<object-dn></object-dn>
<component>Publisher</component>

Does anyone have any ideas?

Thanks
Question by:huziy
LVL 35

Expert Comment

by:ShineOn
ID: 17122559
Have you applied the SOAP driver patch?

Here's the TID: http://support.novell.com/cgi-bin/search/searchtid.cgi?2972643.htm

Author Comment

by:huziy
ID: 17122835
No, I hadn't. I added the two .jar files into the lib dir on both the NetWare server and the 2003 server and restarted the Remote Loader service on the 2003 server.

Unfortunately, still the same error.
LVL 35

Expert Comment

by:ShineOn
ID: 17123975
There's an AD driver patch, too, that I hadn't thought of, that may or may not apply to this (since it IS the AD driver load that's throwing the error.)

Or, there's something wrong with the driver object, its password entry, or something in the policy as relates to the object and/or password, as the error message states.  Hard to say from this vantage point.

Everything's working OK until you try to use this rule, but the driver load throws the error when this rule is applied?

Author Comment

by:huziy
ID: 17124711
Yes, as soon as I add this rule it throws the error; otherwise I have two-way sync without any problems.

LVL 35

Expert Comment

by:ShineOn
ID: 17126156
I'm stuck - I don't know enough about IM rules.  I'll be watching, though...

Author Comment

by:huziy
ID: 17127972
So will I!
LVL 6

Expert Comment

by:dotENG
ID: 17130395
Could you post the outcome of your DSTRACE.LOG? Use:

DSTRACE SCREEN ON
DSTRACE FILE ON
DSTRACE -ALL
DSTRACE +DXML
DSTRACE +DVRS
LVL 19

Expert Comment

by:alextoft
ID: 17131785
Which policy group did you put this rule in? The syntax is fine. As mentioned, make sure you have all the latest driver updates for IDM2. There were a lot, especially for AD, and they fixed a lot of bugs.

Obviously it wants to be fairly high up the list as it's a veto rule. No point processing right through the whole lot only to be vetoed at the end.

I'd put it in the Event Transformation policies before it hits the filter. Don't forget, you want it to go AFTER the schema mapping policies, so don't put it in Input Transformation.

Author Comment

by:huziy
ID: 17132905
OK, I fixed this one. It took a while, though!

It seems that on driver startup an XML document passes through the channel. I'm sure someone can tell me what this is, but having a rule that vetoed everything not in a particular OU stopped this doc getting through.

Therefore I added another entry in the same rule that asked if a source DN existed in the XML document. If this was true and it didn't exist in the set OU, then the veto came into place. If it didn't have a source DN, then it must be that first doc, and it allowed it to pass through.

This assumes that every doc will have a source DN, which I assume must be correct?

 
 
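As an added example (not code from the thread or from Novell), here is the rule as huziy describes it, with a small Python simulation of how it evaluates against events with and without a src-dn. It assumes the DirXML Script op="available" condition on if-src-dn and uses a simplified suffix comparison for subtree matching, so the simulator is an illustration rather than the engine's exact semantics.

```python
import xml.etree.ElementTree as ET

# Corrected rule as the thread describes it: veto only when a src-dn is present
# AND lies outside the allowed subtree. The op="available" condition is an
# assumption drawn from the poster's description, not copied from the post.
RULE_XML = """
<rule>
  <description>Veto all not in specified here</description>
  <conditions>
    <and>
      <if-src-dn op="available"/>
      <if-src-dn op="not-in-subtree">OU=Company,DC=domain,DC=local</if-src-dn>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>
"""

def in_subtree(dn, base):
    # Case-insensitive LDAP DN check: base must be a suffix of dn's RDN list.
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in base.split(",")]
    return len(d) >= len(b) and d[-len(b):] == b

def condition_holds(cond, src_dn):
    # Simplified evaluation of the if-src-dn ops this rule uses.
    op = cond.get("op")
    if op == "available":
        return src_dn is not None
    if src_dn is None:           # no src-dn: a subtree test cannot match
        return False
    if op == "not-in-subtree":
        return not in_subtree(src_dn, cond.text)
    raise ValueError(f"unsupported op {op!r}")

def rule_vetoes(rule_xml, src_dn):
    # True when every <and> condition holds and the action is <do-veto/>.
    rule = ET.fromstring(rule_xml.strip())
    conds = list(rule.find("conditions/and"))
    if conds and all(condition_holds(c, src_dn) for c in conds):
        return rule.find("actions/do-veto") is not None
    return False

# Constructed events: inside the OU, outside it, and a document with no src-dn
# (the start-up document the poster hit).
SAMPLE_SRC_DNS = ["CN=jdoe,OU=Staff,OU=Company,DC=domain,DC=local",
                  "CN=svc,OU=Other,DC=domain,DC=local", None]
```

Documents without a src-dn (such as the start-up document) now pass this rule untouched, so they remain subject to whatever the driver filter and the other policies allow.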
LVL 6

Expert Comment

by:dotENG
ID: 17133391
Please give us some more information about this file:
how did you "catch" it?
anything about its content...
LVL 19

Expert Comment

by:alextoft
ID: 17133528
I have to ask actually, if you only want a certain subtree in AD to sync, why not simply make that the root of your driver? Would make sense...

Author Comment

by:huziy
ID: 17136193
That would make sense, although actually there are a number of subtrees - but I see your point. It is also useful when testing to be able to limit the objects synced to a single test OU, which I am using this rule for at the moment.

Accepted Solution

by:
ee_ai_construct earned 0 total points
ID: 17399771
PAQ / Refund
ee ai construct, community support moderator
