Modifications of logonHours attribute cause a fatal error that shuts down the driver

  • 3006061
  • 23-Aug-2007
  • 26-Apr-2012

Environment

Novell Identity Manager 3.0
Novell Identity Manager driver for Active Directory version 3.1

Situation

Fatal Error: "Internal: current ldap wrapper"

Driver shuts down right after what looked like a normal driver startup

The default Active Directory driver synchronizes the eDirectory attribute "Login Allowed Time Map", which is mapped to "logonHours" in Active Directory. This is a binary value, and a special function is needed to convert the format used in eDirectory to the one used in Active Directory.

Initial population of the value from eDirectory to Active Directory works fine. Changing the value in Active Directory also works fine, as many times as you want. The problem happens when you modify the value for a second time in eDirectory, so that the change is applied in Active Directory as a modification.

Resolution

If your driver is not starting due to this problem, you can work around it by removing the eDirectory attribute "Login Allowed Time Map" from the subscriber filter.
This way, when the driver starts up, the modification that is causing the driver to abort will be discarded and the driver will be able to start again.
To remove the attribute "Login Allowed Time Map" from the filter, follow these steps:
1 - Log in to an iManager instance with the Identity Manager plugins installed.
2 - In Identity Manager - Identity Manager Overview, search for your driver set.
3 - Edit the properties of your Active Directory driver, then select the Filter link in the Identity Manager tab (you can achieve the same by clicking the Filter in the graphical display of the driver).
4 - Find the "Login Allowed Time Map" attribute in the list of attributes for the User and click on it.
5 - The left column will show that the application name for it is "logonHours". For the Subscriber channel, select the option "Ignore".
6 - Click OK to save the changes and attempt to start the driver again. It should remain loaded this time.
Keep in mind that after following these steps the attribute "Login Allowed Time Map" will not be synchronized from eDirectory into Active Directory.


Another approach is to add a policy that works around the problem. You can add the following code as the last rule of your existing Output Transformation Policy:

Remove the clearing of logonHours in AD


modify








NOTE: This rule is provided AS IS. Test extensively in your environment to make sure that this doesn't affect the business logic you already have in place.
To apply this rule, copy the above code just after the last "" tag and before the closing "" tag in your Output Transformation policy.
Update: the addriver.dll that comes with Novell Identity Manager 3.5 fixes that problem so that you can synchronize the attribute normally.

Status

Reported to Engineering