Identity Broker Forum

Welcome to the community forum for Identity Broker.


0
Answered
Tom Parker 2 weeks ago in Identity Broker Plus • updated 4 days ago 5
Hi, I'm seeing this error when doing a baseline sync from a locker to AD.
This solution has previously had "An item with the same key has already been added." errors but I'm not sure what this error means.

Unify.Framework.UnifyDataException: Duplicate key calculating target to source id lookup: 138db3b0-4197-4bee-bd1a-010830bebd1d
   at Unify.Product.Plus.DeprovisioningExecutor`2.TargetIdToSourceIdLookupKeyClash(Guid key, Guid value, IConnection original)
   at Unify.Framework.Collections.EnumerableExtensions.ToDictionaryWithKeyClashError[TKey,TValue,TOriginal](IEnumerable`1 originalEnumerable, Func`2 keySelector, Func`2 valueSelector, Action`3 duplicateAction)
   at Unify.Product.Plus.DeprovisioningExecutor`2.Execute(IEnumerable`1 page)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.Plus.AdapterToLockerProvisioner.Execute(Func`3 generateAndMapTarget, IDictionary`2 changesDict)
   at Unify.Product.Plus.LinkSynchronizer`2.JoinAndMap(IEnumerable`1 filterResult, IDictionary`2 changesDict)
   at Unify.Product.Plus.Link.SynchronizeChanges[TSourceEntity,TTargetEntity](IEnumerable`1 changes, IEnumerable`1 syncTasks, Func`1 getTargetContextAccessor, IConnectionsContext connectionContext, ISynchronizationHelper`2 helper, IProvisioner`2 provisioner)
   at Unify.Product.Plus.Link.SynchronizeAdapterChanges(IEnumerable`1 changes)
   at Unify.Product.Plus.LinkNotifierDecorator.<>c__DisplayClass42_0.<SynchronizeAdapterChanges>b__0()
   at Unify.Framework.Notification.NotifierDecoratorBase.Notify[TResult](ITaskNotificationFactory notificationFactory, Func`1 function)
   at Unify.Product.Plus.LinkNotifierDecorator.SynchronizeAdapterChanges(IEnumerable`1 changes)
   at Unify.Product.Plus.LinkAuditingDecorator.SynchronizeAdapterChanges(IEnumerable`1 changes)
   at Unify.Product.Plus.AdapterToLockerSynchronizationJob.RunBase()
   at Unify.Product.Plus.SynchronizationJobExecutor.<ThreadAction>d__8.MoveNext()


Answer
Curtis Lusmore 7 days ago

Hi Tom,

This error indicates that there are multiple connections registered for the locker entity with id 138db3b0-4197-4bee-bd1a-010830bebd1d. If you recently deleted or otherwise cleaned up the duplicate adapter entities, these connections could be associated with those duplicates and are no longer valid.
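A small model of the lookup that fails here, added as an illustration in Python and not Identity Broker's own code: it builds the one-to-one locker-to-adapter lookup the way the ToDictionaryWithKeyClashError pattern in the trace does, and separately lists every locker entity id that still has more than one connection, so the stale duplicates can be found before the next sync. The connection records and adapter ids are constructed; only the locker id comes from the error above.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:
    """One registered join between a locker entity and an adapter entity."""
    locker_id: str
    adapter_id: str

class DuplicateKeyError(Exception):
    """A key repeated while building a one-to-one lookup."""

def to_dict_with_key_clash_error(items, key_selector, value_selector, on_clash):
    """Build a dict; a repeated key is handed to on_clash, not silently overwritten."""
    result = {}
    for item in items:
        key, value = key_selector(item), value_selector(item)
        if key in result:
            on_clash(key, value, item)
        result[key] = value
    return result

def build_target_to_source_lookup(connections):
    """Map each locker entity id to the one adapter entity it is joined to."""
    def clash(key, _value, _original):
        raise DuplicateKeyError(
            f"Duplicate key calculating target to source id lookup: {key}")
    return to_dict_with_key_clash_error(
        connections, lambda c: c.locker_id, lambda c: c.adapter_id, clash)

def find_clashing_connections(connections):
    """Return {locker_id: [adapter_id, ...]} for locker ids joined more than once."""
    by_locker = defaultdict(list)
    for c in connections:
        by_locker[c.locker_id].append(c.adapter_id)
    return {k: v for k, v in by_locker.items() if len(v) > 1}

def lookup_error_message(connections):
    try:
        build_target_to_source_lookup(connections)
    except DuplicateKeyError as exc:
        return str(exc)
    return None

# Constructed sample (placeholder adapter ids): the locker id from the error is joined twice.
SAMPLE_CONNECTIONS = [
    Connection("138db3b0-4197-4bee-bd1a-010830bebd1d", "adapter-0001"),
    Connection("138db3b0-4197-4bee-bd1a-010830bebd1d", "adapter-0002"),
    Connection("locker-0003", "adapter-0003"),
]
```

Running find_clashing_connections over an export of the connection table points straight at the locker ids whose extra connections need to be removed.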

0
Answered
Tom Parker 3 weeks ago in Identity Broker Plus • updated by Adam van Vliet (Product Manager) 3 weeks ago 1

I was able to find the change log for adapters and I was able to find the source log for lockers, but I couldn't find the change log for lockers (containing previous states of entities in lockers). Does one exist, and if so where would it be?

Thanks,
Tom

Answer

No, as there was no requirement to be able to query it directly. See http://voice.unifysolutions.net/topics/2929-auditing/ for details on how to keep track of this information (among other changes).

0
Answered
Tom Parker 3 weeks ago in Identity Broker Plus • updated by Curtis Lusmore 3 weeks ago 1

According to https://unifysolutions.jira.com/wiki/display/IDBPLUS51/Priority, data sources with unset priority are considered lowest priority.

Based on that, what is the expected behavior of an attribute in an adapter which has only 2 data sources, both of which are unset priority?


In this example, Person is a locker and Active Directory Person is a bidirectional link between the active directory adapter (the screen this screenshot was taken from) and the Person locker.

In the case of the attribute being changed in the source system and coming into the adapter through the connector: will it override what's already in there from Person, or will it be thrown away and have the data from the Person locker push back out to the connector?

Thanks,

Tom
Answer
Curtis Lusmore 3 weeks ago

Hi Tom,

In cases where both the existing value and the new value in an update are from un-prioritised sources, the newest value (the update) is taken - last write wins.
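The rule in this answer as a small Python model, added here and not Identity Broker's own code: an unset priority ranks below any explicit priority (per the Priority wiki page linked in the question), and between two un-prioritised sources the newest write wins. Assumptions: a larger number means a higher priority, and two sources with the same explicit priority are resolved the same way as two unset ones; the sources, values and sequence numbers are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class SourcedValue:
    """An attribute value with the data source it came from and its arrival order."""
    value: str
    source: str
    priority: Optional[int]  # None: no priority set on the data source
    sequence: int            # arrival order; a larger number is a newer write

def effective_priority(v: SourcedValue) -> float:
    # Assumption: a larger number is a higher priority. An unset priority ranks
    # below every explicit one, as the Priority wiki page states.
    return float("-inf") if v.priority is None else float(v.priority)

def resolve(existing: Optional[SourcedValue], update: SourcedValue) -> SourcedValue:
    """Decide which value the adapter attribute holds after `update` arrives."""
    if existing is None:
        return update
    pe, pu = effective_priority(existing), effective_priority(update)
    if pu != pe:
        return update if pu > pe else existing  # the prioritised side wins
    # Same priority on both sides (both unset, or equal explicit values, which
    # this model assumes behave alike): last write wins.
    return update if update.sequence >= existing.sequence else existing

def replay(writes: Iterable[SourcedValue]) -> Optional[SourcedValue]:
    """Fold a sequence of writes through resolve() and return the final holder."""
    current = None
    for w in writes:
        current = resolve(current, w)
    return current

# Constructed sample for the question above: neither the Person locker nor the
# AD connector has a priority, so the newer write (the connector update) wins.
UNPRIORITISED_WRITES = [
    SourcedValue("Tom", "Person locker", None, 1),
    SourcedValue("Thomas", "AD connector", None, 2),
]
# The same writes with an explicit priority on the Person locker: it wins even
# though the connector write is newer.
PRIORITISED_WRITES = [
    SourcedValue("Tom", "Person locker", 10, 1),
    SourcedValue("Thomas", "AD connector", None, 2),
]
```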

0
Answered
Daniel Walters 3 weeks ago in Identity Broker Plus • updated by Adam van Vliet (Product Manager) 3 weeks ago 1

Does anyone know of any projects that used IdBPlus and configured Exchange Provisioning? My initial investigation suggests it's more complicated than a simple enable-mailbox -identity x in a post-provisioning task.

Answer

The base script that I'd recommend starting with and adapting is as follows. It can be run unlimited times without duplication as it checks for users in AD that haven't been enabled. This particular script uses the default Exchange rules for mailbox name, but can be adapted by changing the arguments supplied to the Enable-Mailbox command:

# STEP 1
#   The first step involves securing the password to Exchange.
#   The following command should be run in a PowerShell console, changing the out-file to the desired location:
#     read-host -assecurestring | convertfrom-securestring | out-file C:\securestring.txt
#   Enter the password to Exchange. A file should be written to the desired location.
#   If a permission error was shown, try running the script as administrator, or select a new location.
#   Note: without a -Key, ConvertFrom-SecureString protects the string with DPAPI, so the file can only be
#   read back by the same Windows account on the same machine that wrote it. Run STEP 1 as the account
#   that will run this script.
# STEP 2
#   Configure the following settings:
#     ExchangeServer - Configure the URL to the PowerShell virtual directory on the Exchange machine.
#     AdminAccount   - The name of the account being used to connect to the Exchange machine.
#     SearchBase     - The deepest container that holds all items being managed.
#     Filter         - The LDAP filter to select items that have not been mail enabled. This will probably not need to be updated.
#     Password       - The file path should be updated to the file created in STEP 1.
$ExchangeServer = "http://exchange/PowerShell/"
$AdminAccount = "DOMAIN\Administrator"
$SearchBase = "OU=RootContainer,DC=organization"
# Users with no Exchange home server set, i.e. not yet mailbox-enabled; this is what makes re-runs safe.
$Filter = "(&(objectCategory=user)(objectClass=user)(!msExchHomeServerName=*))"
$Password = Get-Content C:\securestring.txt | ConvertTo-SecureString
# END OF CONFIGURABLE SECTION #
$UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminAccount, $Password
# Remote Exchange Management Shell session; Import-PSSession brings the Exchange cmdlets into this session.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangeServer -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session
Add-Type -Assembly Microsoft.ActiveDirectory.Management
Import-Module ActiveDirectory
$users = Get-ADUser -LDAPFilter $Filter -SearchBase $SearchBase -SearchScope Subtree
if ($null -ne $users)
{
    foreach ($user in $users)
    {
        # Mailbox-enable the user with Exchange's default naming rules, then turn on single item recovery.
        Enable-Mailbox $user.SamAccountName | Set-Mailbox -SingleItemRecoveryEnabled $true
    }
}
#Exit-PSSession
Remove-PSSession -Session $Session

0
Answered
Daniel Walters 3 weeks ago in Identity Broker Plus • updated by Curtis Lusmore 3 weeks ago 1

When you set a Sync Schedule in IdBPlus does the schedule define how often it checks the adapter for changes or does it override the connector schedule?

Answer
Curtis Lusmore 3 weeks ago

Hi Daniel,

They relate to how often it checks for changes in adapters. The basic process is as follows:

  1. Connector import (manual or scheduled)
  2. Change detection process detects changed connector entities
    1. Entries created in changes register to indicate connector entities which have changed
  3. Reflection runs (scheduled every few seconds), processes changed connector entities and updates adapter entities
    1. Entries created in sync changes register to indicate adapter entities which have changed
  4. Synchronization runs (manual or scheduled), processes changed adapter entities and updates locker entities
0
Answered
Daniel Walters 1 month ago in Identity Broker Plus • updated 1 month ago 2

Do we have schemas for the Chris21 forms somewhere?

Does IdB plus have a concept of initial flow only? For password

For provisioning mailboxes via IdB plus, would I just write a PowerShell script in the post-provisioning step? Does post-provisioning only run on creation or also on synchronisation?

How does syncing the manager attribute to AD in IdB Plus work? Do I generate a DN in the transformation and flow that or is there something special with reference attributes especially to do with the order of provisioning (manager not provisioned/joined yet but a reference is flowed)?

What triggers a synchronisation on a specific user? Because in Chris21 the manager is in a position and if the person filling that position changes it will need to update the manager attribute on all users whose manager just changed.

I'm also not sure where DN calculation should take place since it needs to be ensured unique. Do I have access to the entities in a pre-provisioning script like I have in a PowerShell adapter transformation so that I can check for uniqueness then set it back to the entity and have that flow out on provision? Same for sAMAccountName.


Answer
Do we have schemas for the Chris21 forms somewhere?

Yes, it's one of our most widely used connectors, check out any of the other projects or fire up a demo machine.

Does IdB plus have a concept of initial flow only? For password

Yes, for connectors that support password sync they often have a concept of an initial password script.

For provisioning mailboxes via IdB plus, would I just write a PowerShell script in the post-provisioning step? Does post-provisioning only run on creation or also on synchronisation?

https://unifysolutions.jira.com/wiki/display/IDBPLUS51/Tasks

How does syncing the manager attribute to AD in IdB Plus work? Do I generate a DN in the transformation and flow that or is there something special with reference attributes especially to do with the order of provisioning (manager not provisioned/joined yet but a reference is flowed)?

This has been done before, check out another solution.

What triggers a synchronisation on a specific user? Because in Chris21 the manager is in a position and if the person filling that position changes it will need to update the manager attribute on all users whose manager just changed.

https://unifysolutions.jira.com/wiki/display/IDBPLUS51/Synchronization

I'm also not sure where DN calculation should take place since it needs to be ensured unique. Do I have access to the entities in a pre-provisioning script like I have in a PowerShell adapter transformation so that I can check for uniqueness then set it back to the entity and have that flow out on provision? Same for sAMAccountName.

https://unifysolutions.jira.com/wiki/display/IDBPLUS51/Tasks