Identity Manager (IDM) events sent to Microsoft Active Directory (MAD) are silently dropped when lacking a class-name

  • 7022122
  • 17-Oct-2017
  • 17-Oct-2017

Environment

Identity Manager 4.5
Identity Manager Driver - Active Directory

Situation

A modify event going from the Identity Vault (IDV) through Identity Manager (IDM) normally carries a class-name attribute in the operation document.  While sending an event to Microsoft Active Directory (MAD) through the driver shim, a customer noticed that the event never reached MAD, as confirmed by the absence of the change when the target object was viewed with standard tools such as Apache Directory Studio.  No error was returned by MAD, the shim, or the engine, so the lost event could not be detected without checking the target explicitly.

Standard (non-custom) events, all of which carried a class-name, were processed correctly for both the user and group object classes.

Resolution

The event being sent to the shim was incomplete: it lacked the class-name attribute, which the MAD shim treats as required for this command.  The event as sent is shown below:

<modify dest-dn="cn=FACSN Users,ou=FACSN users,OU=Units,DC=its,DC=cads,DC=ORG" event-id="testserver01#20171016161104#1#1:4f1bc979-33b2-43bb-84ea-79c91b4fb233">
  <modify-attr attr-name="member">
    <add-value>
      <value type="string">cn=testuser,ou=FACSN users,OU=Units,DC=its,DC=cads,DC=ORG</value>
    </add-value>
  </modify-attr>
</modify>

The Remote Loader (RL) trace shows that the shim received the event but parsed an empty className, which points to the missing required data; the shim nevertheless returns success for the event:

DirXML: [10/16/17 10:11:04.55]: ADDriver: parse command
  className
  destDN       cn=FACSN Users,ou=FACSN users,OU=Units,DC=its,DC=cads,DC=ORG
  eventId      testserver01#20171016161104#1#1:4f1bc979-33b2-43bb-84ea-79c91b4fb233
  association
DirXML: [10/16/17 10:11:04.55]: ADDriver: parse modify class =
DirXML: [10/16/17 10:11:04.57]: Loader: subscriptionShim->execute() returned:
DirXML: [10/16/17 10:11:04.57]: Loader: XML Document:
DirXML: [10/16/17 10:11:04.57]: <nds ndsversion="8.7" dtdversion="1.1">
        <source>
                <product version="4.0.2.1" asn1id="" build="20170106_120000" instance="\ORG-IDV\ORG\services\ORG-VaultDriverSet\ORG-CADS">AD</product>
                <contact>NetIQ Corporation</contact>
        </source>
        <output>
                <add-association dest-dn="\ORG-IDV\ORG\data\users\employees\testuser" dest-entry-id="342222" event-id="testserver01#20171016161104#1#1:4f1bc979-33b2-43bb-84ea-79c91b4fb233">52b7c854d68c2a439be0bbb8fa597332</add-association>
                <status level="success" event-id="testserver01#20171016161104#1#1:4f1bc979-33b2-43bb-84ea-79c91b4fb233"/>
                <status level="success" event-id="testserver01#20171016161104#1#1:4f1bc979-33b2-43bb-84ea-79c91b4fb233"/>
        </output>
</nds>

This is resolved by adding class-name="group" to the synthesized event in the IDM policy (in DirXML Script, the class-name attribute of the action that issues the command, for example do-add-dest-attr-value).  The attribute is normally optional: most commands do not need it, and when a change is added to the current operation rather than issued directly it is redundant, because the existing operation already carries a class-name.  Here, however, the shim requires it, and because the command was synthesized against a different object (a user modification started the operation, but the target is the group), there is no existing event to inherit it from, so it must be set explicitly.
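The following check is an added example for this article and is not NetIQ code.  It parses the modify event quoted above (with the trace timestamp that had been interleaved into the value element removed), reports any object-level command that has no class-name, produces the corrected document with class-name="group", and scans the Remote Loader trace lines quoted above for a blank className.  The function names, the use of Python's ElementTree, and the decision to check commands other than modify are assumptions of this example.

```python
"""Check XDS command documents and Remote Loader trace output for a blank class-name.

Added example for this article; it is not NetIQ code.  The sample XDS event and
trace lines are the ones quoted in the article (with the trace timestamp that had
been interleaved into the <value> element removed).  Function names and the list
of commands checked beyond <modify> are assumptions of this example.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Object-level XDS commands.  The article demonstrates the silent drop only for
# <modify>; checking the other commands as well is this example's conservative
# choice, not a documented rule of the AD shim.
CHECKED_COMMANDS = ("add", "modify", "delete", "rename", "move")

# The modify event quoted in the article: no class-name attribute on <modify>.
MISSING_CLASS_EVENT = """<modify dest-dn="cn=FACSN Users,ou=FACSN users,OU=Units,DC=its,DC=cads,DC=ORG" event-id="testserver01#20171016161104#1#1:4f1bc979-33b2-43bb-84ea-79c91b4fb233">
  <modify-attr attr-name="member">
    <add-value>
      <value type="string">cn=testuser,ou=FACSN users,OU=Units,DC=its,DC=cads,DC=ORG</value>
    </add-value>
  </modify-attr>
</modify>"""

# The "parse command" block from the article's Remote Loader trace.
TRACE_SAMPLE = """DirXML: [10/16/17 10:11:04.55]: ADDriver: parse command
  className
  destDN       cn=FACSN Users,ou=FACSN users,OU=Units,DC=its,DC=cads,DC=ORG
  eventId      testserver01#20171016161104#1#1:4f1bc979-33b2-43bb-84ea-79c91b4fb233
  association
DirXML: [10/16/17 10:11:04.55]: ADDriver: parse modify class ="""


def find_missing_class_name(xds_xml: str) -> list[dict]:
    """Return one finding per checked command element that has no class-name.

    Works on a bare command element and on a full <nds><input>...</input></nds>
    document, because Element.iter() walks the root as well as its descendants.
    """
    root = ET.fromstring(xds_xml)
    findings = []
    for elem in root.iter():
        if elem.tag not in CHECKED_COMMANDS:
            continue
        if elem.get("class-name", "").strip():
            continue
        findings.append({
            "command": elem.tag,
            "dest-dn": elem.get("dest-dn", ""),
            "event-id": elem.get("event-id", ""),
        })
    return findings


def add_class_name(xds_xml: str, class_name: str, command: str = "modify") -> str:
    """Return the document with class-name set on every <command> that lacks one.

    This mirrors what the policy fix in the article does at the source: the
    synthesized <modify> for the group carries class-name="group".
    """
    root = ET.fromstring(xds_xml)
    for elem in root.iter(command):
        if not elem.get("class-name"):
            elem.set("class-name", class_name)
    return ET.tostring(root, encoding="unicode")


# Trace lines the AD shim writes while parsing a command (see the article's trace).
CLASS_LINE = re.compile(r"^\s+className\s*(?P<cls>\S.*)?$")
DN_LINE = re.compile(r"^\s+destDN\s+(?P<dn>\S.*)$")


def find_classless_commands_in_trace(trace: str) -> list[str]:
    """Return the destDN of every 'parse command' block whose className is blank.

    Useful when only the Remote Loader trace is at hand: a blank className line
    followed by a 'success' status is the signature of the dropped event.
    """
    lines = trace.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = CLASS_LINE.match(line)
        if not m or m.group("cls"):
            continue
        dest_dn = ""
        # destDN follows className within the same indented block.
        for nxt in lines[i + 1:i + 4]:
            d = DN_LINE.match(nxt)
            if d:
                dest_dn = d.group("dn").strip()
                break
        hits.append(dest_dn)
    return hits


if __name__ == "__main__":
    for f in find_missing_class_name(MISSING_CLASS_EVENT):
        print(f"{f['command']} to {f['dest-dn']!r} has no class-name (event {f['event-id']})")
    print(add_class_name(MISSING_CLASS_EVENT, "group"))
    print(find_classless_commands_in_trace(TRACE_SAMPLE))
```

Run against a Subscriber-channel trace (level 3 or higher, where the engine logs the document handed to the shim) or against the saved XDS document, the first function lists commands that would hit this condition, and the third gives the same answer from the shim's own parse output when only the Remote Loader trace has been kept.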

Cause

The shim treats class-name as required for this command but reports "success" when it is absent, so the incomplete event is discarded without any error.  This has been reported as Bug# 1063880 so that the shim returns an error for an incomplete event instead of reporting success while data are being lost.

Bug Number

1063880