Modifications of logonHours attribute cause a fatal error that shuts down the driver

  • 3006061
  • 23-Aug-2007
  • 26-Apr-2012


Novell Identity Manager 3.0
Novell Identity Manager driver for Active Directory version 3.1


Fatal Error: "Internal: current ldap wrapper"

Driver shuts down right after what looked like a normal driver startup

The default Active Directory driver allows the synchronization between the eDirectory attribute called "Login Allowed Time Map" which is mapped in Active Direcotry to "logonHours". This is a binary value and you need a special function to convert the format used in eDirectory to the one used in Active Directory.

Initial population of the value from eDirectory to Active Directory works fine. It also works fine to change the value as many times as you want in Active Directory. The problem happens if you modify the value for a second time in eDirectory, making this a modification in Active Directory.


If your driver is not starting due to this problem, you can simply go around it by removing the eDirectory attribute "Login Allowed Time Map" from the subscriber filter.
This way when the driver starts up, the modification that is causing the driver to abort will be discarded and the driver will be able to start again.
To remove the attribute "Login Allowed Time Map" from the filter follow these steps:
1 - Login to an iManager instance with the Identity Manager plugins installed
2 - In the Identity Manager - Identity Manager Overview, search for your driver set
3 - Edit the properties of your Active Directory Driver. Pick then the Filter link in the Identity Manager tab (you can achieve the same by clicking in the Filter in the graphical display of the driver)
4 - Find the "Login Allowed Time Map" attribute in the list of attributes for the User. Click on it
5 - In the left column it will show that the application name for it is "logonHours". For the Subscriber channel, select the option"Ignore"
6 - Click OK to save the changes and attempt to start the driver again. It should remain loaded this time.
Keep in mind that after following these steps the attribute "Login Allowed Time Map" will not be synchronized from eDirectory into Active Directory

Another approach to this problem would be to add a policy that works around this problem. You can add the following code as the last rule of your existing Output Transformation Policy:

Remove the clearing of logonHours in AD


NOTE: This rule is provided AS IS. Test extensively in your environment to make sure that this doesn't affect the business logic you already have in place.
To apply this rule, copy the above code just after the last "" tag and before the closing "" tag in your Output Transformation policy.
Update: the addriver.dll that comes with Novell Identity Manager 3.5 fixes that problem so that you can synchronize the attribute normally.


Reported to Engineering