Novell Identity Manager 3.6.1 на OES2 linux проблемы

Сейчас проверил.
Если создать пользователя в nwadmin32 с обязательными Login name & Last name, то в AD он не создаётся.
Если заполнить ему Given name - то сразу появляется в AD.
При создании через iManager всё проходит, т.е в AD появляется.

**$erg** » 03 фев 2010, 18:27

У меня при заполнении этих полей ничего не происходит.
а что у Вас в политаках указано.
Что то я набаловался с политиками что уже и в обратную сторону не идет

**$erg** » 04 фев 2010, 13:10

Кто-нибудь может поделиться свими политиками?

Какие политики нужны?

**$erg** » 04 фев 2010, 15:01

может для начала creation policy которые в Subscriber Channel

Creation.Subscriber.Active Directory.AD_driver_set.netsl

<?xml version="1.0" encoding="UTF-8"?><policy>
<rule>
<description>Create User objects</description>
<comment>Special processing for users. A DirXML-ADAliasName is generated which becomes the NT logon name (sAMAccountName) in Active Directory. Also, a default password is generated. If the user has a distribution password and you have enabled password sync, the distribution password will override the password generated here. The generated password passes the default Active Directory '3 of 4' rule by appending 'Dirxml1' to the password. You can make this more secure by using data that varies by user.</comment>
<conditions>
<and>
<if-class-name op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-veto-if-op-attr-not-available name="Full Name"/>
<do-set-dest-attr-value name="DirXML-ADAliasName">
<arg-value type="string">
<token-substring length="20">
<token-replace-all regex="^a-zA-Z0-9\x21\x23-\x29\x2d\x2e\x40\x5e-\x60\x7b\x7d\x7e\xc0-\xf6\xf8-\xff\x410-\x44f" replace-with="">
<token-src-name/>
</token-replace-all>
</token-substring>
</arg-value>
</do-set-dest-attr-value>
<do-add-src-attr-value class-name="User" name="Object Class">
<arg-value>
<token-text xml:space="preserve">DirXML-ApplicationAttrs
</token-text>
</arg-value>
</do-add-src-attr-value>
<do-set-src-attr-value name="DirXML-ADAliasName">
<arg-value type="string">
<token-substring length="20">
<token-replace-all regex="^a-zA-Z0-9\x21\x23-\x29\x2d\x2e\x40\x5e-\x60\x7b\x7d\x7e\xc0-\xf6\xf8-\xff\x410-\x44f" replace-with="">
<token-src-name/>
</token-replace-all>
</token-substring>
</arg-value>
</do-set-src-attr-value>
<do-set-dest-password>
<arg-string>
<token-op-attr name="Surname"/>
<token-text xml:space="preserve">Dirxml1</token-text>
</arg-string>
</do-set-dest-password>
</actions>
</rule>
<rule>
<description>map user name to Windows logon name</description>
<comment>Windows logon name mapping: When userPrincipalName is configured to follow the eDirectory user name, set userPrincipalName to the eDirectory object name plus the name of the Active Directory domain.</comment>
<conditions>
<and>
<if-global-variable name="UpnMap" op="equal">edir-name-auth</if-global-variable>
<if-class-name op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-set-dest-attr-value class-name="User" name="userPrincipalName">
<arg-value type="string">
<token-src-name/>
<token-text xml:space="preserve">@</token-text>
<token-text xml:space="preserve">netslcomp.loc</token-text>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>
<rule>
<description>Create Group objects</description>
<comment>assign an NT group name to the group. by default this value is capped at 20 characters to meet mixed-mode domain requirements. this number can be increased if your domain functional level allows longer names.</comment>
<conditions>
<and>
<if-class-name op="equal">Group</if-class-name>
</and>
</conditions>
<actions>
<do-add-dest-attr-value name="DirXML-ADAliasName">
<arg-value type="string">
<token-substring length="20">
<token-src-name/>
</token-substring>
</arg-value>
</do-add-dest-attr-value>
</actions>
</rule>
<rule>
<description>Identity Vault accounts are enabled if Login Disabled does not exist</description>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<if-op-attr name="Login Disabled" op="not-available"/>
</and>
</conditions>
<actions>
<do-set-dest-attr-value name="Login Disabled">
<arg-value type="string">
<token-text xml:space="preserve">false</token-text>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>
<rule>
<description>default Exchange assignment</description>
<comment>Provision Exchange mailbox</comment>
<conditions>
<and>
<if-global-variable mode="nocase" name="ExchMailboxPolicy" op="equal">policy</if-global-variable>
<if-class-name op="equal">User</if-class-name>
</and>
</conditions>
<actions>
<do-set-dest-attr-value name="homeMDB">
<arg-value type="string">
<token-global-variable name="exch-default-mdb"/>
</arg-value>
</do-set-dest-attr-value>
<do-set-dest-attr-value name="mailNickname">
<arg-value type="string">
<token-substring length="20">
<token-replace-all regex="[^a-zA-Z0-9\x21\x23-\x29\x2d\x2e\x40\x5e-\x60\x7b\x7d\x7e\xc0-\xf6\xf8-\xff\x410-\x44f]">
<token-src-name/>
</token-replace-all>
</token-substring>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>
</policy>

**$erg** » 04 фев 2010, 16:34

Группы переносятся, OU переносятся а вот с юзерами опять 25:

Thu Feb 04 14:30:32 EET 2010
Error
status event-id="oes-test#20100204123032#1#1" level="error" type="driver-general"
ldap-err ldap-rc="34" ldap-rc-name="LDAP_INVALID_DN_SYNTAX"
client-err ldap-rc="34" ldap-rc-name="LDAP_INVALID_DN_SYNTAX" Invalid DN Syntax /client-err
server-err 00002081: NameErr: DSID-03050AE0, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:
'CN= ,ou,dc,dc,dc'
/server-err
server-err-ex win32-rc="8321"/
/ldap-err
operation-data AccountTracking-AccountStatusChanged="true" AccountTracking-AppAccountStatus="-" AccountTracking-IdvAccountStatus="A" AccountTracking-LDAPDN="CN=лапух Иванов,ou,dc,dc,dc" AccountTracking-ObjectDN="\OES_TREE\org\TESTUSER" AccountTracking-Operation="add" AccountTracking-sAMAccountName="TESTUSER" AccountTracking-userPrincipalName="TESTUSER@netslcomp.loc" attempt-to-match="true" unmatched-src-dn="CN=TESTUSER"
password-subscribe-status
association/
/password-subscribe-status
/operation-data
application DirXML /application
module ad-test /module
object-dn \OES_TREE\org\TESTUSER /object-dn
component Subscriber /component
/status
\OES_TREE\org\TESTUSER

Откуда у вас там userPrincipalName="TESTUSER@netslcomp.loc"??
netslcomp.loc - это - же МОЙ домен!

В Global Config Values у меня стоит:
User Principal Name Mapping: Follow Identity Vault Name

**$erg** » 04 фев 2010, 18:43

Пересоздал драйвер заново, т.к. сильно много наменял в нем.
сейчас говорит

Thu Feb 04 16:40:19 EET 2010
Warning
status level="warning" Code(-8016) Operation vetoed by object matching policy. application DirXML /application
module ad_drv /module
object-dn \OES_TREE\org\wwwrun /object-dn
component Subscriber /component
/status
\OES_TREE\org\wwwrun

Это со стандартными политиками пытается создать пользователя на AD

**$erg** » 04 фев 2010, 19:00

Veto есть только в одной из всех MATCHING политик:
<policy xmlns:jstring="http://www.novell.com/nxsl/java/java.lang.String">
<description>Find matching object in Active Directory</description>
<rule>
<description>veto out-of-scope events</description>
<comment>When scoping by container, events outside of the Identity Vault containers defined in the above rule will not have a unmatched-src-dn operational property and will be vetoed. If you do not want to use container based scoping, this rule should be modified or removed.</comment>
<conditions>
<or>
<if-op-property name="attempt-to-match" op="not-available"/>
<if-op-property mode="nocase" name="attempt-to-match" op="equal">false</if-op-property>
</or>
</conditions>
<actions>
<do-veto/>
</actions>
</rule>

Novell Identity Manager 3.6.1 на OES2 linux проблемы

Кто сейчас на конференции