How to Use the msMMS-looseJoinRestriction Attribute (817794)



The information in this article applies to:

  • Microsoft Metadirectory Services 2.2 SP1

SUMMARY

By design, the Microsoft Metadirectory Services (also known as MMS) join of person-class metaverse objects is limited to connector space objects that have relative distinguished names (also known as RDNs) of UID= or CN=. To turn off this safety feature in Microsoft Metadirectory Services 2.2 Service Pack 1 (SP1), you can add the msMMS-looseJoinRestriction attribute to the management agent (MA). This article describes how to add the msMMS-looseJoinRestriction attribute.

MORE INFORMATION

The Microsoft Metadirectory Services join is fundamental to the successful flow of attributes from one connected directory to another. Because of the power of the join, you can accidentally join two incompatible objects and flow inappropriate attribute values between them. In particular, flowing attributes that are intended for person-class objects to objects that are not person class can create large scale data corruption. To avoid this type of situation, the join process in Microsoft Metadirectory Services is restricted when joins are performed on person-class objects.

By design, when an attempt is made to join a disconnector to a metaverse object whose class is person class, the relative distinguished name of the proposed connector must be either "CN=" or "UID=". If this condition is not met, the join does not proceed and no error messages are logged. When this behavior occurs, the following data is logged in the Zscript log:

CS anchor [msUID=User_name,ou=Software,ma=Contoso MMS Tutorial,DsaName=contoso_mms_server,ou=Applications,ou=sales,o=people,dc=contoso,dc=com]
Proposing for [msUID=User_name,ou=Software,ma=Contoso MMS Tutorial,DsaName=contoso_mms_server,ou=Applications,ou=sales,o=people,dc=contoso,dc=com]
    Criterion [$CN] is [User_name]
>> set $.zcAliasThingObjectName = [msUID=User_name,ou=Software,ou=sales,o=people,dc=contoso,dc=com]

update $cs.zcDsCdHandle [] with [<binary>]

To allow objects that have other relative distinguished names (such as the employeeID object) to join successfully, you must add the msMMS-looseJoinRestriction attribute to the MA and set the value of this attribute to TRUE. After you set this attribute, the join constraint is inoperative and any disconnector can be joined to any other metaverse object regardless of object class compatibility. However, Microsoft recommends that you leave the default Microsoft Metadirectory Services join restrictions in place and that you maintain the naming conventions.

To see the effects of the msMMS-looseJoinRestriction attribute, follow these steps:
  1. In Microsoft Metadirectory Services 2.2 SP1, create a Tutorial management agent.
  2. On the Operate MA action, leave the default settings, and then run the MA.

    A group of organizational units and users is imported to the MA connector space and reflected in the metaverse. Each user object has a unique SMTP mail address.
  3. Create a second MA of the same type.
  4. On the Design MA action, click the Control Metadirectory tab.
  5. Click the Construction templates tab.
  6. Click the Metaverse tab.
  7. Locate the following section:

    $AT.dn = cn=$md.cn(,ou=$AT.ou)(,$MA())
    $dn = cn=$md.cn(,$base_dn())

    Replace this data with the following data:

    $AT.dn = msUID=$md.cn(,ou=$AT.ou)(,$MA())
    $dn = msUID=$md.cn(,$base_dn())

  8. Click OK.
  9. Click the Join action, click the Configure the Join tab, and then type $CN in the Search using these attributes box.
  10. Click OK.
  11. On the Operate MA action, leave the default settings, and then run the MA.

    None of the 16 person objects are successfully created. All the metaverse objects will fail. You receive an INDEX DUPLICATION[14105] error each time the connectors try to synchronize with the metaverse. ERROR 14105 has the following return code: DB5_RC_DUPLICATE_INTERNET_NAME. The connectors fail with a CONNECTOR IGNORED[00] error.

    These errors occur because the MA failed when it tried to join the new Tutorial person objects to their corresponding existing metaverse objects. The CS object has a relative distinguished name of "msUID=", and it is trying to join to a metaverse person object. This cannot work because of the join restriction. When the join fails, an attempt is made to reflect a new metaverse object instead. Because the SMTP mail value for each proposed object is already in the metaverse (from the original Tutorial MA), the reflection fails.

    If you know the logon ID (the SMTP mail address) and the password for an account that has full administrative privileges in the directory, go to step 13.
  12. Using the Bookmarks action in Compass, go to the Applications organizational unit.
  13. Double-click the server icon listed under the Applications organizational unit.

    A person object that is labeled "Administrator" appears under the server icon. This is the Microsoft Metadirectory Services administrator account.
  14. Open the Administrator properties, and then copy the value in the Email box.
  15. Start Ldp.exe, and then connect to the Microsoft Metadirectory Services server using the correct port value. For additional information about how to use Ldp.exe with Microsoft Metadirectory Services, click the following article number to view the article in the Microsoft Knowledge Base:

    288193 How to Use LDP to Connect to a Microsoft Metadirectory Services Server

  16. Go to the second Tutorial MA.
  17. Right-click the second Tutorial MA, and then click Modify.
  18. In the Attribute box, type msMMS-looseJoinRestriction.
  19. In the Values box, type TRUE.
  20. Click Add.
  21. Click the Enter action, and then confirm that the following data appears in the entryList dialog box:

    [Add]msMMS-looseJoinRestriction:TRUE

  22. Click Run.
  23. Use Compass to select the Bookmarks action, and then click Management Agents.
  24. In the right pane, right-click the second Tutorial MA, click View, and then click All Attributes.
  25. In the HTML page that appears, verify that the msMMS-looseJoinRestriction attribute is added to the MA and that it has the value TRUE.
  26. Close the HTML browser.
  27. Click the Operate MA action, and then run the MA.
  28. The failed connectors are successfully created and they are successfully joined to their corresponding "CN=" metaverse object. The following data appears in the Zscript log:

    CS anchor [msUID=User_name,ou=Software,ma=Contoso MMS Tutorial,DsaName=contoso_mms_server,ou=Applications,ou=sales,o=people,dc=contoso,dc=com]
    Proposing for [msUID=User_name,ou=Software,ma=Contoso MMS Tutorial,DsaName=contoso_mms_server,ou=Applications,ou=sales,o=people,dc=contoso,dc=com]
        Criterion [$CN] is [User_name] 
        +Proposal[0]: [cn=User_name,ou=Software,ou=sales,o=people,dc=contoso,dc=com]
    >> set $.zcAliasThingObjectName = [cn=User_name,ou=Software,ou=sales,o=people,dc=contoso,dc=com]
    update $cs.zcDsCdHandle [] with [<binary>]
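
As an added example (not part of the original article or of MMS), the following Python script reads Zscript log text in the layout of the two excerpts above and labels each join attempt whose anchor RDN is outside CN=/UID=: no +Proposal line matches the silent skip described earlier, while a +Proposal line indicates that the join restriction has been loosened. The log layout is assumed from the excerpts only, the sample log is constructed from them with shortened DNs, and the function and label names are hypothetical.

```python
import re

ALLOWED_RDN_TYPES = {"cn", "uid"}  # RDN types the default restriction accepts
PROPOSING = re.compile(r"^\s*Proposing for \[([^\]]+)\]")
CRITERION = re.compile(r"^\s*Criterion \[([^\]]+)\] is \[([^\]]*)\]")
PROPOSAL = re.compile(r"^\s*\+Proposal\[\d+\]: \[([^\]]+)\]")

# Constructed sample: the article's two excerpts with shortened DNs.
SAMPLE_LOG = """\
CS anchor [msUID=User_a,ou=Software,ma=Contoso MMS Tutorial,o=people,dc=contoso,dc=com]
Proposing for [msUID=User_a,ou=Software,ma=Contoso MMS Tutorial,o=people,dc=contoso,dc=com]
    Criterion [$CN] is [User_a]
>> set $.zcAliasThingObjectName = [msUID=User_a,ou=Software,ou=sales,o=people,dc=contoso,dc=com]
CS anchor [msUID=User_b,ou=Software,ma=Contoso MMS Tutorial,o=people,dc=contoso,dc=com]
Proposing for [msUID=User_b,ou=Software,ma=Contoso MMS Tutorial,o=people,dc=contoso,dc=com]
    Criterion [$CN] is [User_b]
    +Proposal[0]: [cn=User_b,ou=Software,ou=sales,o=people,dc=contoso,dc=com]
>> set $.zcAliasThingObjectName = [cn=User_b,ou=Software,ou=sales,o=people,dc=contoso,dc=com]
"""


def rdn_type(dn):
    """Lower-cased attribute type of the leftmost RDN, e.g. 'msuid'."""
    return dn.split("=", 1)[0].strip().lower()


def parse_join_attempts(log_text):
    """Return one record per 'Proposing for' block in the log."""
    attempts = []
    for line in log_text.splitlines():
        if m := PROPOSING.match(line):
            attempts.append({"anchor": m.group(1), "criteria": [], "proposals": []})
        elif attempts and (m := CRITERION.match(line)):
            attempts[-1]["criteria"].append((m.group(1), m.group(2)))
        elif attempts and (m := PROPOSAL.match(line)):
            attempts[-1]["proposals"].append(m.group(1))
    return attempts


def classify(attempt):
    """Label a join attempt by anchor RDN type and whether a proposal was logged."""
    restricted = rdn_type(attempt["anchor"]) not in ALLOWED_RDN_TYPES
    if attempt["proposals"]:
        return "proposed-with-restricted-rdn" if restricted else "proposed"
    return "silently-skipped" if restricted and attempt["criteria"] else "no-match"


def review(log_text):
    return [(rdn_type(a["anchor"]), classify(a)) for a in parse_join_attempts(log_text)]
```

The log excerpts do not show the class of the metaverse object, so both labels mark entries to review rather than confirmed person-class joins.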


Modification Type: Major
Last Reviewed: 6/23/2003
Keywords:kbhowto KB817794