Reconciliation issue

SravanKumarR
2013-12-23T12:33:27Z
Hi All,
We are provisioning two accounts from TIM.
We have around 50 custom attributes, most of them are single-valued attributes.
 
While doing reconciliation of that service, we are getting the exception below:
[LDAP: error code 65 - Object Class Violation]; Remaining name: 'DN",  "message": "[LDAP: error code 65 - Object Class Violation]",  "class": "javax.naming.directory.SchemaViolationException" }
 
In the slapd logs, we are seeing that it is trying to modify the resource with an add operation instead of a replace operation for that attribute.

Because of this, the account becomes non-compliant and it is becoming a big issue.

Where exactly in TIM is it specified which operation should be used on the resource?
Is it in the profile jar? If so, we haven't mentioned any other attributes to use the replace operation, but it is throwing for only a few attributes.
 
Please let us know how to rectify this issue.
 

TIM Version: 5.1.0.11

Build number: 201206140341

Maintenance level: FP0011
 
 
Thanks,
Sravan
  • SravanKumarR
    Re: Reconciliation issue

    2013-12-26T15:36:49Z  in response to SravanKumarR

    Anyone facing this kind of issue?

    • franzw
      Re: Reconciliation issue

      2013-12-26T19:24:56Z  in response to SravanKumarR

      It is not very clear from your post what you are really doing - that is probably a reason - besides Christmas - that the response rate is rather low.

      So I theorize a little here - I assume you have developed a custom adapter for some ldap resource - and during reconciliation - with service set to "correct compliance" you get the mentioned objectclass violations.

      If this is the case you probably have - at least - 2 problems.

      One problem is that there may be a difference between the data definition in ITIM - single vs. multivalue - secondly your policies are not handling the values correctly (multivalue defaults to "join" policy where single value defaults to "priority").

      You may also have problems with your custom adapter code - but there is no meaningful way to judge that based on your report.

      My advice is to try to test the adapter with some very well defined use cases so that you can find the root cause for any problem you see - you should never expect that you can test an adapter by running only a full scale test....

      HTH

      Regards

      Franz Wolfhagen

      • SravanKumarR
        Re: Reconciliation issue

        2013-12-26T19:37:53Z  in response to franzw

        Thanks Franz for your reply.

        Data-wise I don't see any difference between ITIM and the resource for those attributes (in both places it is a single-value attribute).

        In the LDAP profile, we don't have much customization. The LDAPModify xml output map has *=* mapping.

        We have set the service enforcement policy to correct. Is there any other way of handling this, as you said?

        While reconciling accounts with all attributes, it is trying to delete and then add a few attributes in ITIM LDAP and then tries to do the same even though no changes happened to these attributes, and there it is failing with those kinds of exceptions.

        Can you please help me here to figure out where the exact problem is?

         

        Thanks,

        Sravan.

        • franzw
          Re: Reconciliation issue

          2013-12-26T19:51:18Z  in response to SravanKumarR

          There is no magic involved in finding the problem here - only hard work and debugging.

          The best help you can give is really to start being accurate in your description of the problem instead of speaking in vague descriptions.

          I can now understand that you have an extended ldap adapter - but I cannot know WHAT you have done....  - you seem to be very limited in your understanding of provisioning policies - you have not told anything of how they are set up or how many you have - this is crucial to understand your problem.

          You need to reduce your problem - you could (only one option out of many) start defining an account with few attributes - reconcile that (debug on relevant things e.g. dataservices and policies - but be prepared for massive data) - and then change the account to get some expected outcome and analyze the case.

          This is pretty standard debugging procedure.

          I believe your biggest problem is that you cannot explain to the community here what is going on - because you do not really understand it yourself - you have to understand we know ONLY what you tell us - so any information MUST be accurate and complete - we are not mindreaders (although a couple of experienced people here could look like they are :-))

          So - I am pretty sure when you know how to put forward your problem in an understandable manner you may probably also understand what your problem is.... - this is one of the big revelations of debugging :-)

          HTH

          Regards

          Franz Wolfhagen

        • yn2000
          Re: Reconciliation issue

          2014-01-02T17:28:46Z  in response to SravanKumarR

          I agree with Franz. It seems that you are learning TIM by analyzing the behavior in TDS. You might have missed small basic things, here and there, which makes it difficult for us to help, because we may have assumed that you have set those basic things properly. For example: you might have missed something or made a typo when changing the schema.dsml, before even talking about 'correct', 'prov. pol', or 'delete and recreate' which may or may not involve 'orphan accounts' discussion.

          Rgds. YN.

  • StarbucksGirl
    Re: Reconciliation issue

    2014-01-06T04:02:39Z  in response to SravanKumarR

    Have you checked whether the mandatory TDS field (if any) receives any value from ITIM? You may also want to check the policy or settings for the field in TDS. Whatever value you pass to TDS from ITIM, you have to ensure it is valid.

    • SravanKumarR
      Re: Reconciliation issue

      2014-01-06T04:15:22Z  in response to StarbucksGirl

      Yes. The value is set via provisioning policy.

      You mean to say the LDAP adapter modify setting for the attribute?

      We have placed *=* in the output map of the ldapmodify AL in the profile jar.

       

      Thanks,

      Sravan.

      • StarbucksGirl
        Re: Reconciliation issue

        2014-01-06T04:23:18Z  in response to SravanKumarR

        I mean policy or configuration in the TDS. I'm assuming you are configuring a custom Adapter. Sometimes this error is caused by a simple thing that we overlook, for example a missing value for a mandatory TDS field. In this case it is the DN. The value for DN may not be passed to the TDS, which will trigger TDS to return the error. DN should never be null. Has this problem ever happened before? You may need to start troubleshooting from the ITIM log and check if the DN is passed correctly.

        • yn2000
          Re: Reconciliation issue

          2014-01-06T16:56:48Z  in response to StarbucksGirl

          Hi Sravan,

          Everyone assumed that you have configured the schema.dsml file, because that is the basic thing that you need to do before modifying the existing (IBM provided) LDAP adapter. You did not answer StarbucksGirl's analysis about "mandatory TDS field (if any)" which is defined in that schema.dsml file. Twice you posted "*=* in the output map", which is not the answer.

          I guess my magic crystal ball is recommending that you double check your schema.dsml file. That file should contain the list of 50 custom attributes that you are adding. If the 50 custom attributes are already defined in the person entity, at least, you still need to add them in the LDAP account entity objectclass.

          Rgds. YN.
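
Added example, not part of the thread: a small Python model of the schema check the replies point at, showing which RFC 4511 result code each kind of failed modify maps to (65 for an attribute no object class permits or a missing MUST attribute, 19 for a second value on a single-valued attribute, 20 for re-adding an existing value). The schema, the entry and every attribute name apart from the ABCPerson and erXYZAccount class names are constructed, and the order of the checks is an assumption; a real directory server may evaluate them differently.

```python
# Added example: result codes for an LDAP modify, as RFC 4511 defines them.
# Schema and entry are constructed samples, not a real ITIM/TDS schema.
SUCCESS, CONSTRAINT_VIOLATION = 0, 19
ATTR_OR_VALUE_EXISTS, OBJECT_CLASS_VIOLATION = 20, 65

# class name -> (superior, MUST attributes, MAY attributes); names lowercased
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "abcperson": ("top", {"cn"}, {"abcdept"}),          # abcdept is hypothetical
    "erxyzaccount": ("abcperson", {"eruid"}, {"erxyzshell"}),
}
SINGLE_VALUED = {"abcdept", "eruid"}

def permitted(object_classes):
    """Collect MUST and MAY attributes over each class and its superiors."""
    must, may = set(), set()
    for oc in object_classes:
        while oc is not None:
            oc, m, o = SCHEMA[oc.lower()]   # step up to the superior class
            must |= m
            may |= o
    return must, may

def modify(entry, op, attr, values):
    """Apply one add/replace change; return (result_code, resulting_entry)."""
    attr = attr.lower()
    new = {k: list(v) for k, v in entry.items()}
    if op == "add":
        if set(values) & set(new.get(attr, [])):
            return ATTR_OR_VALUE_EXISTS, entry      # value is already present
        new[attr] = new.get(attr, []) + list(values)
    elif op == "replace":
        new[attr] = list(values)                    # empty list removes the attribute
    else:
        raise ValueError("only add and replace are modelled")
    present = {a for a, v in new.items() if v}
    must, may = permitted(new["objectclass"])
    if present - (must | may) or must - present:
        return OBJECT_CLASS_VIOLATION, entry        # not allowed, or MUST missing
    if any(len(new[a]) > 1 for a in SINGLE_VALUED & present):
        return CONSTRAINT_VIOLATION, entry          # second value on SINGLE-VALUE
    return SUCCESS, new

# Constructed account entry using the class hierarchy named in the thread.
ACCOUNT = {"objectclass": ["erXYZAccount"], "cn": ["Test User"],
           "eruid": ["tuser"], "abcdept": ["finance"]}
```

Comparing the code returned for `add` and for `replace` on the same attribute separates a schema definition gap (65) from a single-value conflict (19) before digging into adapter or policy configuration.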

          • SravanKumarR
            Re: Reconciliation issue

            2014-01-16T16:17:07Z  in response to yn2000

            Sorry for the late reply.

            We don't have custom attributes in the schema.dsml of the profile jar.

            But they are part of the person object class.

            We have a hierarchy like below:

            top

            ABCPerson

            erXYZAccount

            We have added attributes into both object classes (ABCPerson and erXYZAccount). Is it causing a problem while updating into the ITIM Account and in the resource? If so, what would be the workaround for it?

             

            Thanks,

            Sravan