Using iManager or LDAP to remove an IDM association - LDAP_UNWILLING_TO_PERFORM fix

  • 7016704
  • 23-Jul-2015
  • 23-Jul-2015


NetIQ Identity Manager


There are some instances where a user object is deleted in the connected system, but not in the identity vault.   When this occurs normally, the driver association should be removed when the delete event occurs.   However, if that driver association is not removed, any subsequent modify events on that object through the driver will fail, as it assumes there is already an object on the connected side with an association.   

The error received during that failure with the Active Directory driver is: LDAP_UNWILLING_TO_PERFORM
----------------Sample Error------------------------
<nds dtdversion="1.1" ndsversion="8.7">
    <product asn1id="" build="20120330_120000" instance="\DENCHRIS11-TREE\mountain\DriverSet\denchris12-AD Driver" version="">AD</product>
    <contact>Novell, Inc.</contact>
    <status event-id="denchris11#20150723145656#1#1:acbb6349-2f90-43cb-2384-4963bbac902f" level="error" type="driver-general">
      <ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
        <client-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">Unwilling To Perform</client-err>
        <server-err>00000057: LdapErr: DSID-0C0420EB, comment: Error in attribute conversion operation, data 0, v1db1</server-err>
        <server-err-ex win32-rc="87"/>
----------------End Sample Error-----------------------


The fix is to remove the invalid association to missing user on the connected side.

This can be done by editing the user object, selecting the Identity Manager tab, checking the association you want to remove, then clicking delete, then OK to save

Another way to remove the association is to us LDAP.

To do this, you have to export the association value, create a modify ldif file to remove the association, then run modify.

Here are some examples using eDirectory's ldapsearch and ldapmodify tools.    The syntax for these may or may not work the same as the default linux ldapsearch and ldapmodify tools.

Example on exporting the current value on user denchris5:
/opt/novell/eDirectory/bin/ldapsearch -h <IPAddressOfServer> -D cn=admin,o=context "cn=denchris5" -s sub Dirxml-Associations -w <password> > outputfilename.ldif

-----------------Output from Command------------
version: 1

# filter: cn=denchris5
# requesting: Dirxml-Associations

# denchris5,users,mountain
dn: cn=denchris5,ou=users,o=mountain
Dirxml-Associations: cn=denchris12-AD Driver,cn=DriverSet,o=mountain#1#468128d
Dirxml-Associations: cn=eDir 11to10 Bi-directional,cn=DriverSet,o=mountain#1#B
Dirxml-Associations: cn=eDir11-13,cn=DriverSet,o=mountain#1#{FBA15EB0-D23D-4b4

# search result
# search: 2
# result: 0 Success

# numResponses: 2
# numEntries: 1
----------------End Output from Command--------------------

Now you have the output, you need to convert it to a LDIF file to remove the value you want to remove.   In this case I will remove the AD Driver association

----------------Revised delete LDIF Document-------------------

dn: cn=denchris5,ou=users,o=mountain
changetype: modify
delete: DirXML-Associations
DirXML-Associations: cn=denchris12-AD Driver,cn=DriverSet,o=mountain#1#468128d
----------------End Revised delete LDIF Document-------------------

Then you can use LDAP Modify to remove that association
/opt/novell/eDirectory/bin/ldapmodify -h <IPAddressOfServer> -D cn=admin,o=context -f InputFilename.ldif -w <password>

It should return:    modifying entry cn=denchris5,ou=users,o=mountain
And the association should be removed.

You can also add an association value, by changing the delete action in the ldif file to an add action:
--------------- Add LDIF Document-------------------
dn: cn=denchris5,ou=users,o=mountain
changetype: modify
add: DirXML-Associations
DirXML-Associations: cn=denchris12-AD Driver,cn=DriverSet,o=mountain#1#468128d
----------------End Add LDIF Document-------------------

-You cannot use wildcards to remove an association, you must have the exact attribute value for it to delete the value from the attribute.
- Make sure time is in sync accross your eDirectory servers, or it may fail to delete the attribute value.
-  Use extreme caution when manipulating associations, and always preform tests in a lab environment first prior to ever implementing in a production environment.

Additional Information

What is Identity Manager association?
It is a unique link to the object in the connected side.
It contains the Driver DN plus the unique identifier to the object on the connected side.   Such as a object ID or GUID, which is defined by each driver.
Identity Manager creates associations to be able to update the object directly without having to search for and find the object each time.   Certain operations require an association to be present, like password synchronization, and Group membership changes as well as others.