This is my first time attempting to post so I hope I am in the right place. Please direct me to where I need to be if I am not.

We run IDM 3.0 with eDirectory 8.9.x. We have a production tree and a standalone IDM tree on its own server. The drivers attached to IDM are eDirectory, Active Directory and the (AS/400) I5OS 2.0 driver. We use IDM primarily to create users in AD and synchronize account passwords. We are a fairly straight out-of-the-box, vanilla implementation with structured trees everywhere except our AS/400 systems (flat by necessity).

Problem: I get the following when the i5OS Driver attempts to sync a user’s password.

Status: Error Message: Code(-9063) Object matching policy found an object that is already associated

My issue arises (I think) because, when importing users in IDM, we added users from our production tree across to the IDM Vault and to AD. However, the i5OS drivers for our AS/400 systems allowed only a subset of users via the Event Transformation Policy, so (please correct me if I am wrong) it seems no associations were generated with any AS/400 objects except those originally allowed by the policy. I think this because that subset of users seems to be working.

Now I am trying to do password updates across to our AS/400 systems, and the i5OS driver is rejecting them because the command comes across (from the meta-directory engine?) as an ‘Add’, but the driver matching policy (on the Subscriber channel?), which simply matches on User CN, finds a match and thinks the association exists, so it kicks back a -9063 message.

How can I get the IDM to create or fix an association to the object on the AS/400? Please keep in mind I know very little XML coding and use the Policy Builder in IDM to generate all of my policies and rules. I’m basically a "newbie" in this area.

Maybe the better (easier) question is: How can I conditionally change an “Add” command to a “Modify” command?


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.


By: dpmartell
Aug 21, 2008
10:23 am