Fixing the Dreaded “Novell eDir-to-eDir Driver Code (-8015) Operation Vetoed by Filter”

If you ever find yourself working on an eDir-to-eDir driver and run up against the “Code (-8015) Operation vetoed by filter” wall, please allow me to help.

If you search Google (or whatever your search provider of choice is), you will undoubtedly find several postings across a variety of websites from many people who have run into the same error. While I won’t discourage you from reading those postings, I will say don’t be too upset if you don’t find the answer you are looking for among them.

Most online posts regarding this error talk about bad or missing association values, or about remote loader logs for other drivers, like the Active Directory driver. While those are good things to know, odds are your eDir-to-eDir driver doesn’t use a remote loader, you have already checked the input document for malformed tags or values, and you have generally already done a lot of the basic troubleshooting.

When dealing with the eDir-to-eDir driver, it is important to remember that you are actually dealing with TWO drivers, not just one. It is easy to forget that an eDir-to-eDir connection has two filters, two publisher channels, and two subscriber channels that have to be coordinated to avoid issues. This particular error is typically caused by an attribute or class being set to sync in one driver's filter but not in the other's.

To make matters even more confusing, the error appears in the log for the driver that has the attribute in its filter. Usually, when a developer sees an error in a driver log that mentions the driver filter, they assume the error is referring to that driver. In this situation that is simply not the case. It is the companion driver that is vetoing the event: the data being passed isn’t in its filter, so the transaction is rejected by the companion driver’s filter, and the message is returned to and captured by the originating driver. Confusing at a minimum.

The solution to this error when using an eDir-to-eDir driver is to check the filter on BOTH eDir-to-eDir drivers, make sure that both filters have the necessary attributes with the proper settings, and correct any differences (remember to restart the driver after making changes!).

As a note: when transactions cross from one eDirectory instance to the other using the eDir-to-eDir drivers, the transaction flips channels, so it is important to keep that in mind when building policies on connecting drivers. Events that start in “Vault 1” go through the subscriber channel of “eDir Driver A”, and when that driver hands the transaction off to “eDir Driver B” the transaction is now on the publisher channel before ending in “Vault 2”. Unfortunately, this is another easy-to-make mistake when dealing with this “daisy chain” type of connection between Novell eDirectories.
