Solved

trying to veto all objects not in Active Dir org unit using IM2

Posted on 2006-07-17
Last Modified: 2012-08-13
Hi there,

I am trying to create a rule that vetoes changes to all objects not in a particular subtree of my AD domain, to ensure they are not synced back into the eDir tree. However, I am having problems.

The rule I have set up is as follows:

<rule>
    <description>Veto all not in specified here</description>
    <conditions>
        <and>
            <if-src-dn op="not-in-subtree">OU=Company,DC=domain,DC=local</if-src-dn>
        </and>
    </conditions>
    <actions>
        <do-veto/>
    </actions>
</rule>

Every time I try to start the driver after having created this rule, I get the following error in DSTRACE:

15:04:13 4FDCE4A0 Drvrs: Active Directory PT:
DirXML Log Event -------------------
Driver: \tree\company\Services\IDM\driverset1\Active Directory
Channel: Publisher
Status: Fatal
Message: Unable to validate that there is a non-empty driver object password (a Publisher-channel Policy may be incorrect)
15:04:13 4FDCE4A0 Drvrs: Active Directory PT:
DirXML Log Event -------------------
Driver: \\tree\company\IDM\driverset1\Active Directory
Channel: Publisher
Status: Fatal
Message: Code(-9005) The driver returned a "fatal" status indicating that the driver should be shut down. Detail from driver: Unable to validate that there is a non-empty driver object password (a Publisher-channel Policy may be incorrect)<application>DirXML</application>
<module>Active Directory</module>
<object-dn></object-dn>
<component>Publisher</component>

Does anyone have any ideas?

Thanks
Question by: huziy

14 Comments

Expert Comment by: ShineOn (LVL 35)
Have you applied the SOAP driver patch?

Here's the TID: http://support.novell.com/cgi-bin/search/searchtid.cgi?2972643.htm

Author Comment by: huziy
No, I hadn't. I added the 2 .jar files into the lib dir on both the NetWare server and the 2003 server and restarted the Remote Loader service on the 2003 server.

Unfortunately, still the same error.

Expert Comment by: ShineOn (LVL 35)
There's an AD driver patch, too, that I hadn't thought of, that may or may not apply to this (since it IS the AD driver load that's throwing the error).

Or, there's something wrong with the driver object, its password entry, or something in the policy as relates to the object and/or password, as the error message states. Hard to say from this vantage point.

Everything's working OK until you try to use this rule, but the driver load throws the error when this rule is applied?
 

Author Comment

by:huziy
Comment Utility
Yes, as soon as I add this rule it throws the error. Otherwise I have two-way sync without any problems.

Expert Comment by: ShineOn (LVL 35)
I'm stuck - I don't know enough about IM rules.  I'll be watching, though...

Author Comment by: huziy
So will I!...

Expert Comment by: dotENG (LVL 6)
Could you post the outcome of your DSTRACE.LOG? Use:

DSTRACE SCREEN ON
DSTRACE FILE ON
DSTRACE -ALL
DSTRACE +DXML
DSTRACE +DVRS

Expert Comment by: alextoft (LVL 19)
Which policy group did you put this rule in? The syntax is fine. As mentioned, make sure you have all the latest driver updates for IDM2. There were a lot, especially for AD, and they fixed a lot of bugs.

Obviously it wants to be fairly high up the list as it's a veto rule. No point processing right through the whole lot only to be vetoed at the end.

I'd put it in the Event Transformation policies before it hits the filter. Don't forget, you want it to go AFTER the schema mapping policies, so don't put it in Input Transformation.

Author Comment by: huziy
OK, I fixed this one. Took a while though!

It seems that on driver startup an XML document passes through the channel. I'm sure someone can tell me what this is, but by having a rule that vetoed everything not in a particular OU, it stopped this doc getting through.

Therefore I added another entry in the same rule that asked if Source DN existed in the XML document. If this was true and it didn't exist in the set OU, then the veto came into place. If it didn't have a Source DN, then it must be that first doc and it was allowed to pass through.

This assumes that every doc will have a Source DN, which I assume must be correct?
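As an added illustration (not code from the thread, from Novell, or from the poster), here is a small Python model of the fix huziy describes: the corrected rule with the extra Source DN availability condition, evaluated against constructed sample Publisher-channel documents, including a startup document that carries no src-dn. The DirXML-Script evaluator is a deliberate simplification written for this example, and the assumption that not-in-subtree holds when there is no src-dn at all is mine, chosen because it matches what the thread observed.

```python
import xml.etree.ElementTree as ET

# Corrected rule as the poster describes it: veto only when the event carries a
# Source DN AND that DN lies outside the allowed subtree.
CORRECTED_RULE = """<rule>
  <description>Veto all objects not in the specified subtree</description>
  <conditions><and>
    <if-src-dn op="available"/>
    <if-src-dn op="not-in-subtree">OU=Company,DC=domain,DC=local</if-src-dn>
  </and></conditions>
  <actions><do-veto/></actions>
</rule>"""
# The original rule from the question, for comparison (same rule minus the check).
ORIGINAL_RULE = CORRECTED_RULE.replace('<if-src-dn op="available"/>\n', "")

def _norm(dn):
    # Case-insensitive DN comparison; whitespace around RDN separators ignored.
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, subtree):
    d, s = _norm(dn), _norm(subtree)
    return d == s or d.endswith("," + s)  # OU=Company2 must not match OU=Company

def condition_holds(cond, src_dn):
    op = cond.get("op")
    if op == "available":
        return src_dn is not None
    if op == "not-in-subtree":
        # Assumption matching what the thread observed: with no src-dn at all,
        # not-in-subtree still holds, which is why the startup document was vetoed.
        return src_dn is None or not in_subtree(src_dn, cond.text.strip())
    raise ValueError("unsupported op in this toy evaluator: %r" % op)

def is_vetoed(rule_xml, event_xml):
    # True if every condition in the rule's <and> holds and the action is <do-veto/>.
    rule = ET.fromstring(rule_xml)
    node = ET.fromstring(event_xml).find(".//*[@src-dn]")
    src_dn = node.get("src-dn") if node is not None else None
    if all(condition_holds(c, src_dn) for c in rule.find("conditions/and")):
        return rule.find("actions/do-veto") is not None
    return False

# Constructed sample Publisher-channel documents (not captured from a real driver).
INSIDE = '<nds><input><modify class-name="User" src-dn="CN=Bob,OU=Staff,OU=Company,DC=domain,DC=local"/></input></nds>'
OUTSIDE = '<nds><input><modify class-name="User" src-dn="CN=Eve,OU=Other,DC=domain,DC=local"/></input></nds>'
STARTUP = '<nds><input><status level="success"/></input></nds>'  # no src-dn anywhere

if __name__ == "__main__":
    for name, doc in (("inside", INSIDE), ("outside", OUTSIDE), ("startup", STARTUP)):
        print(name, "original vetoes:", is_vetoed(ORIGINAL_RULE, doc),
              "corrected vetoes:", is_vetoed(CORRECTED_RULE, doc))
```

Running it shows the original rule vetoing the startup document while the corrected rule lets it through, and both rules still vetoing the object outside OU=Company.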
 

Expert Comment by: dotENG (LVL 6)
Please give us some more information about this file.
How did you "catch" it?
Anything about its content...

Expert Comment by: alextoft (LVL 19)
I have to ask actually, if you only want a certain subtree in AD to sync, why not simply make that the root of your driver? Would make sense...

Author Comment by: huziy
That would make sense, although actually there are a number of subtrees, but I see your point. It is also useful when testing to be able to limit the objects synced to a single test OU, which is what I am using this rule for at the moment.

Accepted Solution by: ee_ai_construct (community support moderator)

PAQ / Refund
