Error -9131 when synchronizing groups from AD

  • 3138393
  • 02-Apr-2007
  • 26-Apr-2012

Environment

Novell Identity Manager 3.0
Novell Identity Manager Driver - Active Directory Driver

Situation

Implemented the AD driver using the sample pre-config that comes with IDM 3.0.1 and group synchronization.
Groups synchronize fine to eDirectory, but they don't synchronize back from AD.
An IDM trace shows the following error message:

DirXML Log Event -------------------
Driver: \NTS-LAB-TREE\NOVELL\DRIVERSET\Active Directory sample driver
Channel: Publisher
Object: CN=Test Group,OU=Groups,DC=lab,DC=com (NOVELL\Groups\Test Group)
Status: Error
Message: Code(-9131) Error in vnd.nds.stream://NTS-LAB-TREE/NOVELL/DRIVERSET/Active Directory sample driver/Publisher/Command Transform#XmlData:88 : Error evaluating XPATH expression'token-xpath("query:readObject($destQueryProcessor, "", $memberDN,"", "")[not(association/text())]")' : com.novell.xml.xpath.XPathEvaluationException: function'query:readObject' not found.

If the trace level is 3 or above, it's possible to see that this happens in the 'Publisher' channel, within the 'Command Transformation policy set', in the 'Command Transform' policy, rule 'Prevent unassociated users from being removed from groups'.

Resolution

This is caused by the policy itself missing a namespace declaration, which needs to be added to the <policy> element.
Steps to fix:
01. Go to iManager
02. Click on 'Identity Manager', then 'Identity Manager Overview'
03. Click the magnifying glass icon, browse to and select the driver set container
04. Hit the 'Search' button
05. Click on the icon for the Active Directory Driver
06. When the page 'Identity Manager Driver Overview' finishes loading, click on the Publisher's 'Command Transformation Policies'
07. In the pop-up window, select the 'Command Transform' and click Edit
08. Another pop-up window will open. Click on the 'Edit XML' link on the top of the page
09. Select the check box 'Enable XML Editing'
10. Replace the first line shown there with the one in step 11. The original line is:
<?xml version="1.0" encoding="UTF-8"?><policy>

11. This is the correct line:

<?xml version="1.0" encoding="UTF-8"?><policy xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor">

12. Click the OK button. At this point the fix is in place; restarting the driver will make it work properly.
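
To catch the same defect in other policies before the driver hits it at runtime, the check below scans a policy's XML for prefixed XPath function calls whose prefix has no xmlns declaration in scope. It is an added example, not Novell code: the sample policy (including the do-set-local-variable wrapper and its variable name) is constructed for illustration, and only the presence of the prefix declaration is checked, not the URI it is bound to.

```python
import io
import re
import xml.etree.ElementTree as ET

# Matches a prefixed XPath function call such as query:readObject(
PREFIXED_CALL = re.compile(r"(?<![:\w])([A-Za-z_][\w.-]*):[A-Za-z_][\w.-]*\s*\(")

def undeclared_prefixes(policy_xml):
    """Return sorted (prefix, element) pairs for calls with no xmlns in scope."""
    in_scope, findings = [], set()
    source = io.BytesIO(policy_xml.encode("utf-8"))
    for event, data in ET.iterparse(source, events=("start-ns", "end-ns", "start")):
        if event == "start-ns":      # data is (prefix, uri), seen before the element starts
            in_scope.append(data[0])
        elif event == "end-ns":      # the declaring element has closed
            in_scope.pop()
        else:                        # "start": attributes are already populated
            for value in data.attrib.values():
                for prefix in PREFIXED_CALL.findall(value):
                    if prefix not in in_scope:
                        findings.add((prefix, data.tag))
    return sorted(findings)

# Constructed sample policy: same first line and XPath call as in the trace above.
BROKEN = """<?xml version="1.0" encoding="UTF-8"?><policy>
<rule>
<description>Prevent unassociated users from being removed from groups</description>
<conditions/>
<actions>
<do-set-local-variable name="unassociated">
<arg-node-set>
<token-xpath expression='query:readObject($destQueryProcessor, "", $memberDN, "", "")[not(association/text())]'/>
</arg-node-set>
</do-set-local-variable>
</actions>
</rule>
</policy>"""

QUERY_NS = "http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor"
FIXED = BROKEN.replace("<policy>", '<policy xmlns:query="%s">' % QUERY_NS, 1)

if __name__ == "__main__":
    print("before fix:", undeclared_prefixes(BROKEN))
    print("after fix: ", undeclared_prefixes(FIXED))
```

Run it against the XML copied from the 'Edit XML' view of each policy; an empty list means every prefixed function call has a declaration in scope.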

Additional Information

This is a problem in the AD sample pre-config driver from IDM 3.0.1 media. The one that comes with Designer 2.0 RC2 has this fix in it already.