Environment
Open Enterprise Server Service Pack 1
Open Enterprise Server Service Pack 2
ZENworks Desktop Management - Automatic Workstation Import
Domain Services for Windows
Situation
A Workstation Import Policy was defined to import relative to the user's context.
The eDirectory Tree's schema was extended with Domain Services for Windows (DSfW).
The resolution of the container fails and the workstation is not imported/registered.
Error "Could not locate the target container" is reported when manually registering workstations and in the awsi.log.
Extract of awsi.log showing the failure:
In the following example, {OUlevel2name}, {OUlevel1name} and {orgname} replace the original OU and O container names.
Dec 1, 2010 2:36:33 PM Tree =
Dec 1, 2010 2:36:33 PM Tree =
Dec 1, 2010 2:36:33 PM User context = {OUlevel2Name},{OUlevel1Name},{OrgName}
Dec 1, 2010 2:36:33 PM Login count = 6
Dec 1, 2010 2:36:33 PM ENTER doContainerSearch - WORKSTATIONS,{OUlevel2Name},{OUlevel1Name},{OrgName}
Dec 1, 2010 2:36:33 PM "{OrgName}" is not typed.
Dec 1, 2010 2:36:33 PM "{OrgName}" is not cached.
Dec 1, 2010 2:36:33 PM searchContainer =
Dec 1, 2010 2:36:33 PM filter = (&(name={OrgName})(|(objectclass=Org*)(objectclass=Loc*)(objectclass=Coun*)(objectclass=St*)))
Dec 1, 2010 2:36:33 PM Could not find container workstations,{oulevel2name},{oulevel1name},{orgname}
Dec 1, 2010 2:36:33 PM Could not locate the target container.
Dec 1, 2010 2:36:33 PM Connection closed: /<ws ip address>:1047
If the Workstation Import Policy is modified to point to a specific container, the Workstation Import works successfully.
Resolution
Workaround
Modify the LDAP Group object for the Import server and any other eDirectory servers that the Import Server may be referred to when making LDAP calls to resolve workstation contexts. Add an attribute mapping for the eDirectory attribute 'name' mapped to the LDAP attribute 'name'.
Example of creating a 'name' attribute mapping using iManager:
Click OK to create the mapping after selecting 'name' in the eDirectory field and typing 'name' in the Primary LDAP Attribute field. Leave the other fields blank and unchecked.
A future update to eDirectory may include a resolution so that manually creating the attribute mapping for 'name' is no longer required.
Status
Reported to Engineering
Additional Information
Working Workstation Import Example
When the Workstation Import Policy is modified to point to a specific container, the information passed to the Import Service includes a typed context. The following is an example of the resulting entries in the awsi.log:
Dec 1, 2010 2:38:13 PM Tree =
Dec 1, 2010 2:38:13 PM Tree =
Dec 1, 2010 2:38:13 PM User context = {OUlevel2Name},{OUlevel1Name},{OrgName}
Dec 1, 2010 2:38:13 PM Login count = 6
Dec 1, 2010 2:38:13 PM ENTER doContainerSearch - ou=WORKSTATIONS,ou={OUlevel2Name},o={OUlevel1Name},{OrgName}
Dec 1, 2010 2:38:13 PM Container is typed. Done
Dec 1, 2010 2:38:13 PM Workstation Container = ou=WORKSTATIONS,ou={OUlevel2Name},o={OUlevel1Name},{OrgName}
Dec 1, 2010 2:38:13 PM A workstation object with the same name and network address was found in the specified container. The existing object will be used rather than creating a new one.
Dec 1, 2010 2:38:13 PM Connection closed: /<ws ip address>:1047
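The failing and working extracts above differ in whether the context handed to doContainerSearch is typed. The following is an added example, not Novell code, that classifies each search in an awsi.log extract by that property and by outcome; the function names are hypothetical and it recognizes only the two outcomes shown on this page.

```shell
#!/bin/sh
# Added example (not Novell code): report how each doContainerSearch ended.

# Constructed sample, reduced from the two awsi.log extracts on this page.
sample_awsi_log() {
cat <<'EOF'
Dec 1, 2010 2:36:33 PM ENTER doContainerSearch - WORKSTATIONS,{OUlevel2Name},{OUlevel1Name},{OrgName}
Dec 1, 2010 2:36:33 PM "{OrgName}" is not typed.
Dec 1, 2010 2:36:33 PM Could not locate the target container.
Dec 1, 2010 2:38:13 PM ENTER doContainerSearch - ou=WORKSTATIONS,ou={OUlevel2Name},o={OUlevel1Name},{OrgName}
Dec 1, 2010 2:38:13 PM Container is typed. Done
Dec 1, 2010 2:38:13 PM Workstation Container = ou=WORKSTATIONS,ou={OUlevel2Name},o={OUlevel1Name},{OrgName}
EOF
}

# Reads awsi.log text on stdin; prints "<FAIL|OK> <typed|untyped> <context>".
awsi_triage() {
    awk '
    /ENTER doContainerSearch - / {
        target = $0
        sub(/^.*ENTER doContainerSearch - /, "", target)
        # A typed context labels its leading component, e.g. ou=WORKSTATIONS.
        lead = target
        sub(/,.*/, "", lead)
        kind = (lead ~ /=/) ? "typed" : "untyped"
        pending = 1
        next
    }
    pending && /Could not locate the target container/ {
        printf "FAIL %s %s\n", kind, target
        pending = 0
        next
    }
    pending && /Workstation Container = / {
        printf "OK %s %s\n", kind, target
        pending = 0
    }
    '
}

sample_awsi_log | awsi_triage
```

A "FAIL untyped" line corresponds to the failure described in the Situation section; run the function against the real log with `awsi_triage < awsi.log`.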
Cause
The Domain Services for Windows package extends eDirectory schema with additional attributes including the attribute 'name' as an optional attribute for TOP. This can be found in the mdsd.sch file.
{
Operation ADD,
SyntaxID SYN_CI_STRING,
Flags {DS_SINGLE_VALUED_ATTR, DS_SIZED_ATTR, DS_SYNC_IMMEDIATE},
LowerBound 1,
UpperBound 255,
ASN1ObjID {1 2 840 113556 1 4 1}
}
eDirectory does not correctly provide the 'name' attribute value to LDAP searches unless an attribute mapping for 'name' has been created. This can be seen with tools like /opt/novell/eDirectory/bin/ldapsearch or /usr/bin/ldapsearch.
Example:
ldapsearch -x -h 10.10.10.10 -p 389 -D cn=admin,o=novell -w novell -b "o=novell" -s sub '(&(objectClass=user))' dn name
A search to return all attributes on an object returns all valued attributes except 'name' unless the attribute mapping exists.
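To check the result of such a search, the following added example (not part of the original article or of any Novell tool) reads ldapsearch LDIF output and lists every entry that came back without a 'name' value. The function names and the sample LDIF are constructed for illustration; an entry that has no value stored for 'name' is listed as well, so the signal for a missing mapping is that every entry is listed.

```shell
#!/bin/sh
# Added example: list DNs returned by ldapsearch that carry no 'name' value.
# Intended use, with the search from this page:
#   ldapsearch -x ... -b "o=novell" -s sub '(&(objectClass=user))' dn name | missing_name

# Constructed LDIF, not output from a real server. The third DN is folded
# onto a second line, as LDIF does with long values.
sample_ldif() {
cat <<'EOF'
# constructed sample
dn: cn=jsmith,ou=users,o=novell
name: jsmith

dn: cn=adoe,ou=users,o=novell

dn: cn=a-very-long-common-name,ou=users,
 o=novell
EOF
}

# Reads LDIF on stdin; prints one DN per entry that has no 'name' attribute.
missing_name() {
    awk '
    function emit() {
        if (dn != "" && !has_name) print dn
        dn = ""; has_name = 0; in_dn = 0
    }
    /^#/ { next }                                    # LDIF comment
    /^$/ { emit(); next }                            # blank line ends an entry
    /^ / { if (in_dn) dn = dn substr($0, 2); next }  # folded continuation
    { in_dn = 0 }
    /^dn::? / { dn = $0; sub(/^dn::? /, "", dn); in_dn = 1; next }
    tolower($0) ~ /^name::? / { has_name = 1 }       # attribute names are case-insensitive
    END { emit() }
    '
}

sample_ldif | missing_name
```

After the attribute mapping is created and the LDAP server has picked it up, rerunning the same search through `missing_name` should list only entries that have no 'name' value stored.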
It has been reported that applying SP2 for OES2 may also extend the schema with this file resulting in the same problem. If the 'name' attribute exists in schema, then the schema has been extended and the workaround will have to be applied to resolve or prevent this problem.