XPSExport fails with error: "Unable to read attribute "CA.SM::<Object Class>.<AttributeName> of Object"

Document ID : KB000004453
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

XPSExport fails with error: "Unable to read attribute "CA.SM::<Object Class>.<AttributeName> of Object"

Environment:
Policy Server: r12.5; r12.51; r12.52Policy Store: LDAP Policy Server OS: ALL
Cause:

The object has an attribute which is essentially a link to another object.  That attribute is populated with an object XID which does not exist in the Policy Store.

EXAMPLE:

Unable to read attribute CA.SM::ServiceProviderUsers.UserPolicyLink[0] of object CA.SM::ServiceProviderUsers@fa85e3b5-adc3-41b0-a21f-e72c51d4ffe4 

The XID of the object is CA.SM::ServiceProviderUsers@fa85e3b5-adc3-41b0-a21f-e72c51d4ffe4.  This object class has an attribute named "UserPolicyLink" (CA.SM::ServiceProviderUsers.UserPolicyLink).  This attribute would normally be populated with the XID of a UserPolicyLink (CA.SM::UserPolicyLink@<OID>).

In this case, the attribute is empty.  In some cases, it can be populated with an XID which doesn't exist. In either case it will need to be fixed in order for the XPSExport to complete successfully.

Resolution:

1. Run XPSExplorer and review the XID of the object (CA.SM::ServiceProviderUsers@fa85e3b5-adc3-41b0-a21f-e72c51d4ffe4).  Verify whether the 'UserPolicyLink' attribute is populated.  If so, search for that XID.  If the field is empty or the XID does not exist, then the object will need to be removed.

2. Attempt to delete the object in XPSExplorer.

3. If the object cannot be deleted in XPSExplorer we will need to delete the object manually.

 

Manually Delete the Object

1) Execute an LDIF export of the policy store using the 3rd party LDAP tools provided by the LDAP Vendor

2) Locate the XID of the object.  Record the Distinguished Name (DN).

3) Locate the XPSNumber of the object.

xpsXID=CA.SM::ServiceProviderUsers@fa85e3b5-adc3-41b0-a21f-e72c51d4ffe4,OU=XPS,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,DC=CA,DC=com 

xpsNumber=0000005579\0ACNF:24d7d641-3e21-44f1-a79d-da78efc924ba,OU=XPS,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,DC=CA,DC=com 

4) Delete the DN's manually