IDM trace shows -601 from eDirectory when trying to create an object

  • 7009348
  • 12-Jun-2012
  • 12-Jun-2012

Environment

Novell Identity Manager

Situation

A -601 error is returned when trying to create users in the production tree.  The trace shows a -9010 along with a nested -601 from eDirectory when Identity Manager (IDM) attempts to create objects in eDirectory.  An example of the trace follows:

[06/11/12 13:58:10.677]:my_v PT:Adding entry \MY_TREE\org\users\c1\c2\test0.
[06/11/12 13:58:10.677]:my_v PT:Creating RDN test0 in context \MY_TREE\org\users\c1\c2.
[06/11/12 13:58:10.678]:my_v PT:--JCLNT-- \MY_TREE\system\service\idm\driverset0\my_v_edir_driver - Publisher : Calling free on tempContext = 459472935
[06/11/12 13:58:10.811]:my_v PT:
DirXML Log Event -------------------
     Driver:   \MY_TREE\ag\idm\driverset0\my_v_edir_driver
     Channel:  Publisher
     Object:   \OTHER_TREE\data\users\c1\c2\test0 (\MY_TREE\org\users\c1\c2\test0)
     Status:   Error
     Message:  Code(-9010) An exception occurred: novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY



Resolution

Ensure that the container exists.  In the trace sample above, \MY_TREE\org\users\c1\c2 would need to exist in order for 'test0' to be created within that container.

Ensure that the IDM server holds a replica of the container into which the object will be created.  The partition holding that container could be defined at any of several points higher in the tree, but either way the server needs a replica of the container, or a -601 will be returned when eDirectory tries to access that container locally.
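
As an added illustration (not Novell code), the following Python script scans an IDM trace for DirXML Log Events that carry a nested -601 and reports the container whose existence and local replica should be verified.  The function names are hypothetical, and the sample input is the trace from this article with the JCLNT line omitted.

```python
import re

# Sample input: trace lines copied from this article (JCLNT line omitted).
SAMPLE_TRACE = r"""[06/11/12 13:58:10.677]:my_v PT:Adding entry \MY_TREE\org\users\c1\c2\test0.
[06/11/12 13:58:10.677]:my_v PT:Creating RDN test0 in context \MY_TREE\org\users\c1\c2.
[06/11/12 13:58:10.811]:my_v PT:
DirXML Log Event -------------------
     Driver:   \MY_TREE\ag\idm\driverset0\my_v_edir_driver
     Channel:  Publisher
     Object:   \OTHER_TREE\data\users\c1\c2\test0 (\MY_TREE\org\users\c1\c2\test0)
     Status:   Error
     Message:  Code(-9010) An exception occurred: novell.jclient.JCException: nameToID -601 ERR_NO_SUCH_ENTRY
"""

FIELD = re.compile(r"^\s+(Driver|Channel|Object|Status|Message):\s+(.*)$")
CREATE = re.compile(r"PT:Creating RDN (\S+) in context (\\.+)\.$")

def find_601_failures(trace):
    """Return one dict per DirXML Log Event whose message carries a nested -601."""
    failures, event, last_context = [], None, None
    for line in trace.splitlines() + [""]:    # trailing "" flushes the last event
        created = CREATE.search(line)
        if created:
            last_context = created.group(2)   # container the engine tried to use
        if line.startswith("DirXML Log Event"):
            event = {}
            continue
        field = FIELD.match(line)
        if event is not None and field:
            event[field.group(1).lower()] = field.group(2).strip()
            continue
        if event is not None:                 # first non-field line ends the event
            is_601 = re.search(r"-601\b", event.get("message", ""))
            if event.get("status") == "Error" and is_601:
                failures.append(summarise(event, last_context))
            event = None
    return failures

def summarise(event, last_context):
    # The Object line shows the source DN and, in parentheses, the DN in this tree.
    local = re.search(r"\((\\[^)]+)\)", event.get("object", ""))
    dn = local.group(1) if local else event.get("object", "")
    parent = dn.rsplit("\\", 1)[0]
    # Prefer the context the engine logged, but only if it belongs to this object.
    matches = last_context and dn.startswith(last_context + "\\")
    return {"driver": event.get("driver"), "channel": event.get("channel"),
            "object": dn, "container_to_check": last_context if matches else parent}

if __name__ == "__main__":
    for f in find_601_failures(SAMPLE_TRACE):
        print(f"{f['channel']} channel: verify {f['container_to_check']} exists "
              f"and that this server holds a replica of it")
```

The reported container can then be compared against the driver's placement rule and the server's replica list.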

Cause

There are multiple reasons this could happen.  At first glance it appears that eDirectory is returning an error because it failed to create the object, and since -601 means that an object does not exist on the server, that would seem to make sense, since you cannot create what is already there.  The message, though, means that some part of the context in which the object would be created is missing from the server.

Usually this happens because of a bad placement rule or, if the error is seen elsewhere in a trace, possibly another bad rule.  For example, if the driver config specified the location to place objects as \tree\org\contexts and it should be \tree\org\context, then it is possible that the incorrect location will not exist and the placement will fail.

An alternative is that the context is completely correct and the container does exist in eDirectory, but does not exist on this server.  Identity Manager requires that any objects created, accessed, or modified exist locally on the IDM server.  If a replica of the partition holding the \tree\org\context container does not exist on the IDM server, then creating an object in this container will fail.