Environment
Novell Identity Manager 3.5.1 Entitlements Service Driver
Novell Identity Manager 3.6 Entitlements Service Driver
Novell Identity Manager 3.6.1 Entitlements Service Driver
Novell Identity Manager 3.6 Entitlements Service Driver
Novell Identity Manager 3.6.1 Entitlements Service Driver
Situation
Entitlements are not being granted nor revoked for certain entitlement policies. When looking at an level 5 IDM trace the following trace message appears for each policy that is not granting/revoking entitlements:
[11/30/09 17:53:14.622]:ESD ST: ignoring empty entitlement policy 'nts\driverset\Entitlement Policies\lab policy 003'
[11/30/09 17:53:14.622]:ESD ST: ignoring empty entitlement policy 'nts\driverset\Entitlement Policies\lab policy 003'
Resolution
The root cause for this problem is that the entitlement policy is missing the DirXML-EntitlementRef attribute. The easiest way to fix this issue is to edit the entitlement policy using the iManager plugin, go to the "Entitlements" tab, remove all entries there, hit the "Apply" button, then add them back and hit "OK".
Additional Information
This issue can be caused by:
- Driver containing the Entitlement Object referenced by the policy was deleted and re-created.
- Entitlement Object referenced by the policy was deleted and re-created.
- DirXML-EntitlementRef attribute was manually removed from the entitlement policy.
- eDirectory corruption damaged either the entitlement object or entitlement policy.
All Entitlement Policies reside in a special container created under the driver set. The container is always named "Entitlement Policies". Each policy has its own eDirectory object below that container, and the policy's name will be the object name. The easiest way of verifying if the DirXML-EntitlementRef attribute is missing on the IDM server is to use iMonitor to inspect the entitlement policy objects.
The Entitlement driver itself uses basically 2 attributes from a entitlement policy: DirXML-EntitlementRef and memberQuery. The IDM plugins in iManager cache the information displayed for the "Membership" tab in the DirXML-SPFilterXML attribute. The IDM plugin cache the information displayed for the "Entitlements" tab in the DirXML-SPDisplayEntitlements attribute. Due to that, it is possible to be missing one of the attributes that the driver uses while the plugin will still show the old (cached) information.
- Driver containing the Entitlement Object referenced by the policy was deleted and re-created.
- Entitlement Object referenced by the policy was deleted and re-created.
- DirXML-EntitlementRef attribute was manually removed from the entitlement policy.
- eDirectory corruption damaged either the entitlement object or entitlement policy.
All Entitlement Policies reside in a special container created under the driver set. The container is always named "Entitlement Policies". Each policy has its own eDirectory object below that container, and the policy's name will be the object name. The easiest way of verifying if the DirXML-EntitlementRef attribute is missing on the IDM server is to use iMonitor to inspect the entitlement policy objects.
The Entitlement driver itself uses basically 2 attributes from a entitlement policy: DirXML-EntitlementRef and memberQuery. The IDM plugins in iManager cache the information displayed for the "Membership" tab in the DirXML-SPFilterXML attribute. The IDM plugin cache the information displayed for the "Entitlements" tab in the DirXML-SPDisplayEntitlements attribute. Due to that, it is possible to be missing one of the attributes that the driver uses while the plugin will still show the old (cached) information.