Overview#

These are some of the issues we have identified with NetIQ implementation of XDAS.

Can not Identify Server#

The ncpServer entry is not identified in any of the events:
      "Observer" : {"Entity" : {"SysAddr" : "10.24.104.1",
      "SysName" : "server.willeke.com"",
The Observer and SysName appears to be the address of the host machine and not the eDirectory instnace. There is no method to determine which instance of eDirectorey when there are mutliple instances of eDirectory on the same physical host.

Yet the XDAS configuration is specific to the instance of the eDirectory server and NOT the host machine as defined by the nds.conf entry:

n4u.server.xdas-conf=/data/nds/idv/xdasconfig.properties
In this specific customers case there are multipe instnaces of eDirectory running on the same host machine.

Can Not Identify which DRIVER#

Apr 15 06:29:14 IDM : FATAL {"Source" : "IDM",
      "Observer" : {"Entity" : {"SysAddr" : "10.24.104.1",
      "SysName" : "server.willeke.com"",
   "Initiator" : {"Entity" : {"SvcComp" : "\\Driver"",
   "Target" : {"Data" : {"MIME_HINT" : "0",
      "ORIGINATOR_TYPE" : "0",
      "TARGET_TYPE" : "1",
      "TEXT1" : "(-9953) An error occurred while attempting to add attribute 'dcitLevelOneApproved' to the filter: failed, no such attribute (-603).",
      "VALUE1" : "9953",
      "VALUE2" : "0",
      "VALUE3" : "0"",
   "Action" : {"Event" : {"Id" : "0.0.6.0",
      "Name" : "Notification",
      "SubEvent" : "30026"},"Time" : {"Offset" : 1397557754},"Log" : {"Severity" : 3}} } 

Differences with Event Fields#

Why are fields different in an ERROR event vs a WARN event?

The first event we have: (A error event)

      "TEXT1" : "Code(-9046) Invalid password specified for <check-password>.",
      "TEXT2" : ((( DOES NOT EXIST )))
      "TEXT3" : ((( DOES NOT EXIST )))
      "VALUE1" : "9046",
      "VALUE2" : "0",
      "VALUE3" : "0"

The second event we have: (A warn event)

    "TEXT1" : ((( DOES NOT EXIST )))
    "TEXT2" : "Code(-8015) Operation vetoed by filter.",
    "TEXT3" : "Oracle Direct Driver - BPS#Publisher#2449764:095aeb00-ca81-46f4-ad6d-ff4157363c80",
    "VALUE1" : "0",
    "VALUE2" : "0",
    "VALUE3" : "0"

The third event we have: (A warn event)

    "TEXT1" : ((( DOES NOT EXIST )))
    "TEXT2" : "Code(-8015) Operation vetoed by filter.",
    "TEXT3" : "Oracle Direct Driver - BPS#Publisher#2449764:095aeb00-ca81-46f4-ad6d-ff4157363c80",
    "VALUE1" : "0",
    "VALUE2" : "0",
    "VALUE3" : "0"

DISABLE_ACCOUNT#

The description we could find for this event was: "Consider this event relevant for any situation where a particular record in an identifier database is disabled by an administrator or an automated security process such that it can no longer be used until it is re-enabled."

Sample Event we see these every time a partition is updated:

Apr 15 14:36:56 eDirectory : INFO {
"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "WILLEKETREE","Name" : "CN=PIDV06,OU=servers,OU=esc,dc=willeke,dc=com"},"Entity" : {"SysAddr" : "10.24.104.1","SysName" : "server.willeke.com"}},
"Initiator" : {"Account" : {"Domain" : "WILLEKETREE"}},
"Target" : {"Data" : {"Attribute Name" : "Purge Vector","Attribute Value" : "Seconds: 1397587015, Replica Number: 9, Event: 1","ClassName" : "Organizational Unit","Name" : "OU=Sales,OU=B2B,OU=Ext,OU=people,dc=willeke,dc=com","Syntax" : "19"}},
"Action" : {"Event" : {"Id" : "0.0.0.2","Name" : "DISABLE_ACCOUNT","CorrelationID" : "eDirectory#0#7c1cb4c0-5dc1-456e-f0b6-c0b41c7cc15d","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1397587016},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
Now what does DISABLE_ACCOUNT have to do with the modification of the "Purge Vector" being changed?

NMAS XDAS Issues#

We see no method to configure which events are logged. XDAS for NAMS is either on or off.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-3) was last changed on 17-Apr-2014 10:31 by jim