LDAP Driver - Syncing a Group with Mix of Associated & Un-Associated users adds Null / [Root] Member Entry

  • 7022284
  • 07-Nov-2017
  • 08-Nov-2017

Environment

Identity Manager Driver - LDAP 4.0.2.1

Situation

If you attempt to synchronize a group that contains a mix of associated and un-associated users through the LDAP driver's Subscriber channel, a uniqueMember entry with a NULL value is incorrectly synchronized as well.

Here is an example in the trace log:

-------Trace Snippet--------
[11/07/17 10:17:30.506]:LDAP Driver ST:
<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.6.0.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <input>
    <add cached-time="20171107171730.424Z" class-name="groupOfUniqueNames" dest-dn="CN=Group2,ou=users,o=data" event-id="denchris18#20171107171730#99#1:cc8ba013-b65f-4cf5-99fc-13a08bcc5fb6" qualified-src-dn="O=data\OU=users\CN=Group2" src-dn="\DENCHRIS18-TREE\data\users\Group2" src-entry-id="33536" timestamp="0#0">
      <add-attr attr-name="cn">
        <value naming="true" timestamp="1509479552#8" type="string">Group2</value>
      </add-attr>
      <add-attr attr-name="uniqueMember">
        <value association-ref="cn=user3,ou=users,o=data" timestamp="1509479567#1" type="dn">\DENCHRIS18-TREE\data\users\User3</value>
        <value timestamp="1509479567#2" type="dn">\DENCHRIS18-TREE\data\users\User4</value>
        <value timestamp="1509479869#1" type="dn">\DENCHRIS18-TREE\data\users\User5</value>
      </add-attr>
      <operation-data attempt-to-match="true" unmatched-src-dn="CN=Group2"/>
    </add>
  </input>
</nds>
[11/07/17 10:17:30.507]:LDAP Driver ST:Stripping operation data from input document
[11/07/17 10:17:30.508]:LDAP Driver ST:LDAP Driver: LDAPSub.performAddOperation() Calling getAllSups(groupOfUniqueNames)
[11/07/17 10:17:30.508]:LDAP Driver ST:LDAP Driver: LDAPSub.performAddOperation() \DENCHRIS18-TREE\data\users\User4 refers to an unassociated entry. It will be dropped.
[11/07/17 10:17:30.508]:LDAP Driver ST:LDAP Driver: LDAPSub.performAddOperation() \DENCHRIS18-TREE\data\users\User5 refers to an unassociated entry. It will be dropped.
[11/07/17 10:17:30.508]:LDAP Driver ST:LDAP Driver: LDAP Add:
dn: CN=Group2,ou=users,o=data
uniqueMember: cn=user3,ou=users,o=data
uniqueMember: 
cn: Group2
objectclass: groupOfUniqueNames
objectclass: Top
--------End Snippet----------

The result is a null uniqueMember entry on your destination LDAP server. In eDirectory (via LDAP), that is shown as a [Root] entry in iManager.

The issue does not occur if all user objects being synchronized are associated.

Resolution

The issue has been reported to engineering.

The only workaround at this point is to create a policy that strips the un-associated users out of the group synchronization before the document is submitted to the LDAP driver shim.
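One way to implement that workaround, as an added example and not a policy shipped with the driver or taken from this article: a DirXML Script rule for the Subscriber Output Transformation policy set that removes every uniqueMember value the engine did not tag with an association-ref (the trace above shows that only the associated User3 value carries that attribute). It assumes the attribute has already been schema-mapped to uniqueMember by the time the rule runs, which is the case in the Output Transformation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Drop uniqueMember values that refer to un-associated objects</description>
    <conditions>
      <and>
        <!-- Only groups; the class name is the mapped LDAP name at this point -->
        <if-class-name op="equal">groupOfUniqueNames</if-class-name>
        <!-- Only events that actually carry the membership attribute -->
        <if-op-attr name="uniqueMember" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- Add events: <add-attr attr-name="uniqueMember"><value .../> -->
      <do-strip-xpath expression="add-attr[@attr-name='uniqueMember']/value[not(@association-ref)]"/>
      <!-- Modify events: <modify-attr attr-name="uniqueMember"><add-value><value .../> -->
      <do-strip-xpath expression="modify-attr[@attr-name='uniqueMember']/add-value/value[not(@association-ref)]"/>
    </actions>
  </rule>
</policy>
```

After this rule runs, the add in the trace above would reach the shim with only the User3 value, so no empty uniqueMember line is written to the destination server; the dropped users are picked up once they become associated and their own membership change is synchronized.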