Identity Manager moving an object to an unassociated container results in an error

  • 7016532
  • 22-May-2015
  • 22-May-2015

Environment

NetIQ Identity Manager 4.0
NetIQ Identity Manager 4.5
NetIQ Identity Manager Driver - LDAP

Situation

Moving an object on the connected system to an unassociated container results in "No association for parent for move operation."

It is common to move inactive accounts to an inactive container on the connected system. That container normally has no association with a container in the vault, because it does not exist there. When an account becomes inactive it is moved to the inactive container, and the error "No association for parent for move operation." occurs.

[15/48/16 23:05:31.933]:LDAP Directory ST:LDAP Directory: LDAPSub.performMoveOperation() No association for parent for move operation.
[15/48/16 23:05:31.933]:LDAP Directory ST:SubscriptionShim.execute() returned:
[15/48/16 23:05:31.933]:LDAP Directory ST:
<nds dtdversion="2.0" ndsversion="8.x">
  <source>
    <product build="20141001_0717" instance="LDAP Directory" version="4.0.0.5">Identity Manager Driver for LDAP</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <output>
    <status event-id="1234567890" level="error">No association for parent for move operation.</status>
  </output>
</nds>

Resolution

Normally a move will look like:

<move class-name="<class>" event-id="<event-id>" qualified-src-dn="<user>" src-dn="<user>" src-entry-id="<entryid>">
    <association> <association value> </association>
    <parent dest-dn="<destination DN>"/>
</move>

This requires that the destination DN is associated to a container in the Vault.

As the destination is an unassociated container, the move needs to be rewritten to:

<move class-name="<class>" event-id="<event-id>" qualified-src-dn="<user>" src-dn="<user>" src-entry-id="<entryid>">
    <association> <association value> </association>
    <parent>
        <association> <destination DN> </association>
    </parent>
</move>

Notice the change of the parent from being a DN to an Association.

Additional Information

A possible way to rewrite the move is to add a policy to the Subscriber Output Transformation that does something like the following:

(EXAMPLE, NOT TESTED, NOR SUPPORTED)

<rule>
    <description>Change Parent on Move to Association</description>
    <conditions>
        <and>
            <if-class-name mode="regex" op="equal">User|inetOrgPerson</if-class-name>
            <if-operation mode="nocase" op="equal">move</if-operation>
            <!-- Only act when the parent is still expressed as a DN; a move whose
                 parent already carries an association must not be stripped. -->
            <if-xpath op="true">parent/@dest-dn</if-xpath>
        </and>
    </conditions>
    <actions>
        <!-- Remember the destination DN before the parent element is removed. -->
        <do-set-local-variable name="lv_destDN" scope="policy">
            <arg-string>
                <token-xpath expression="./parent/@dest-dn"/>
            </arg-string>
        </do-set-local-variable>
        <!-- Replace <parent dest-dn="..."/> with <parent><association>...</association></parent> -->
        <do-strip-xpath expression="self::move/parent"/>
        <do-append-xml-element expression="self::move" name="parent"/>
        <do-append-xml-element expression="self::move/parent" name="association"/>
        <do-append-xml-text expression="self::move/parent/association">
            <arg-string>
                <token-local-variable name="lv_destDN"/>
            </arg-string>
        </do-append-xml-text>
    </actions>
</rule>
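As an added illustration, not part of this TID and not NetIQ or driver code, the same rewrite the policy above performs, done in Python on a constructed <move> document; the DNs and the container list are assumed sample values. It goes one step further than the rule by rewriting only moves whose destination is a listed unassociated container, so ordinary moves between associated containers keep the DN form.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a Subscriber-channel <move> whose parent is given as a
# DN, the form that fails when that DN has no association in the vault.
SAMPLE_MOVE = r"""<nds dtdversion="2.0" ndsversion="8.x">
  <input>
    <move class-name="User" event-id="sample-event-1"
          qualified-src-dn="O=acme\OU=users\CN=jdoe"
          src-dn="acme\users\jdoe" src-entry-id="12345">
      <association>cn=jdoe,ou=users,dc=example,dc=com</association>
      <parent dest-dn="ou=inactive,dc=example,dc=com"/>
    </move>
  </input>
</nds>"""


def rewrite_move_parent(nds_xml: str, unassociated_containers) -> str:
    """Rewrite <parent dest-dn="X"/> to <parent><association>X</association></parent>
    for every <move> whose destination is a known unassociated container.
    Moves to other containers, and moves already in association form, are
    returned unchanged. Returns the document as a string."""
    targets = {dn.lower() for dn in unassociated_containers}
    root = ET.fromstring(nds_xml)
    for move in root.iter("move"):
        parent = move.find("parent")
        if parent is None or "dest-dn" not in parent.attrib:
            continue  # no DN to rewrite (already association form, or malformed)
        dest_dn = parent.attrib["dest-dn"]
        if dest_dn.lower() not in targets:
            continue  # associated destination: let the engine resolve the DN
        del parent.attrib["dest-dn"]  # same effect as the policy's strip + append
        ET.SubElement(parent, "association").text = dest_dn
    return ET.tostring(root, encoding="unicode")


def parent_form(nds_xml: str):
    """Report how the first <move> expresses its destination:
    ('dn', value), ('association', value), or None if absent."""
    move = ET.fromstring(nds_xml).find(".//move")
    parent = move.find("parent") if move is not None else None
    if parent is None:
        return None
    if "dest-dn" in parent.attrib:
        return ("dn", parent.attrib["dest-dn"])
    assoc = parent.find("association")
    return ("association", assoc.text.strip()) if assoc is not None else None
```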