Environment
NetIQ eDirectory
NetIQ Identity Manager 4.0
NetIQ Identity Manager 4.0.1
NetIQ Identity Manager Roles Based Provisioning Module
Situation
Receiving -699 errors in eDirectory synchronization on a user object syncing outbound from the IDM server to the other servers in the ring (see errors below).
This particular user is a key User Application administrator.
Removing the replica from Server1, rebacklinking the server and adding the replica back cleared the error for a few days, but the error came back on the same user object.
Partition: .[Root].
Replica on server: .Server2.services
Replica: .Server2.services 06-15-2012 13:26:16
Replica on server: .Server3.services
Replica: .Server3.services 06-15-2012 13:26:15
Replica on server: .Server4.services
Replica: .Server4.services 06-15-2012 13:26:14
Replica on server: .Server1.services
Replica: .Server1.services 06-15-2012 06:10:25
Server: CN=Server2.O=services 06-15-2012 13:26:10 -699 Local
Object: CN=JLee.OU=users.O=vault
Server: CN=Server3.O=services 06-15-2012 13:26:11 -699 Local
Object: CN=JLee.OU=users.O=vault
Server: CN=Server4.O=services 06-15-2012 13:26:12 -699 Local
Object: CN=JLee.OU=users.O=vault
All servers synchronized up to time: 06-15-2012 06:10:25
Resolution
There is a known issue with the srvprvUserPrefs attribute and User Application, as noted in the IDM 4 Readme (see Additional Information below).
Workaround:
Delete the srvprvUserPrefs attribute from the problem user with iManager. The attribute will be recreated when the user saves their preferences again in User Application.
Resolutions:
The srvprvUserPrefs attribute will be stored differently in eDirectory in the next release of IDM, and some additional cleanup of the attribute is done as it is stored. The fix is in IDM 4.0.2 Advanced Edition or later.
Cause
The srvprvUserPrefs attribute is used to store user preferences in the User Application workspace. Settings such as the columns to display, and even the filter, are stored as XML in that attribute. In 4.0.1 or earlier the attribute is an eDirectory single-valued attribute. When the attribute grows above 33,000 characters (roughly), eDirectory will start throwing -649 errors and eventually -699 errors in replica synchronization, as it cannot handle such a large single value on an attribute.
IDM 4.0.2 moves that attribute to a stream file, which does not have a size limit on eDirectory replica synchronization, and does some cleanup on the attribute as it is being stored or updated.
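The size condition described above can be checked ahead of a synchronization failure by scanning an LDIF export of the user container. The following is an added example, not NetIQ code: it assumes the attribute is exported under the LDAP name srvprvUserPrefs, and the 80% warning level, the function names and the sample entries are constructed for illustration.

```python
import base64

LIMIT = 33000             # approximate ceiling quoted in this article
WARN_RATIO = 0.8          # assumption: warn at 80% of the ceiling
ATTR = "srvprvuserprefs"  # assumption: LDAP name matches the eDirectory name

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def scan_ldif(ldif_text, limit=LIMIT, warn_ratio=WARN_RATIO):
    """Return (dn, length, status) for each value at or above the warning level."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):   # "attr:: ..." marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        key = name.split(";")[0].lower()
        if key == "dn":
            dn = value
        elif key == ATTR and len(value) >= limit * warn_ratio:
            status = "OVER" if len(value) >= limit else "WARN"
            findings.append((dn, len(value), status))
    return findings

def fold_line(line, width=76):  # fold like an LDIF exporter (sample data only)
    rest = [line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n ".join([line[:width]] + rest)

def make_entry(dn, prefs, b64=False):
    val = ":: " + base64.b64encode(prefs.encode()).decode() if b64 else ": " + prefs
    return "dn: " + dn + "\n" + fold_line("srvprvUserPrefs" + val) + "\n"

# Constructed sample export: one oversized, one near the limit, one small.
SAMPLE = "version: 1\n\n" + "\n".join([
    make_entry("cn=user1,ou=users,o=example", "<prefs>" + "x" * 34000 + "</prefs>"),
    make_entry("cn=user2,ou=users,o=example", "<prefs>" + "y" * 27000 + "</prefs>", b64=True),
    make_entry("cn=user3,ou=users,o=example", "<prefs/>"),
])
```

Calling scan_ldif() on the text of a real export returns the users whose preferences should be cleaned up before replica synchronization starts failing.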
Additional Information
From IDM 4 Readme
---------------------------
srvprvUserPrefs attribute must be cleaned up manually
Values that are saved into the srvprvUserPrefs attribute are not fully removed when a user removes or changes their filters or customization entries.
The attribute srvprvUserPrefs is a single-valued, synchronize-immediately string in eDirectory. It is limited to about 33,000 total characters. Once the attribute reaches the maximum size, users will not be able to save filter and customization entries into this attribute. To work around this issue, an Administrator would need to clean up the attribute manually with iManager or an LDAP Browser.
-----------------------------------
Search: 699 uaadmin userapp user app