MIM Event Broker Forum
Welcome to the community forum for MIM Event Broker.

Identity Broker PowerShell Connector begin/process/end sections
Further to an email thread with Adam van Vliet 2 days ago, and the linked issue MCS-30, the following is an idea on how export performance for the PowerShell connector might be improved.
FYI only - the script below is the O365 update connector script from QBE hosted by Soren’s PowerShell MA. The 3 outer section headings correspond to the FIM MA SDK methods (BEGIN=Initialize, PROCESS=Export, END=Terminate).
I am thinking that the IdB PowerShell connector could be substantially improved if it were to adopt the same approach for exports, whereby the overhead of setting up/tearing down a single export each time (establishing connections, loading libraries, etc.) can be done once per export batch instead.
    param (
        $Username = "",
        $Password = "",
        $AccountSkuId = "qbetest:ENTERPRISEPACK",
        $LogFilePath = "E:\Packages\FIM.Synchronisation\SvN\FIM2\Operations\Scripts\Logs",
        $LogFileName = ""
    )
    BEGIN {
        Import-Module MSOnline -Force
        $ErrHandle = ""
        $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
        $Creds = New-Object System.Management.Automation.PSCredential $Username, $SecurePassword
        Connect-MsolService -Credential $Creds
        if ($ErrHandle -ne "") {
            # handle any logon errors
            $message = 'Could not log on O365 with ' + $($Username) + ' to update licenses. ' + $ErrHandle
            exit
        }
        #List of Service Plans
        #ServicePlan ProvisioningStatus
        #----------- ------------------
        #YAMMER_ENTERPRISE Success
        #RMS_S_ENTERPRISE Success
        #OFFICESUBSCRIPTION Success
        #MCOSTANDARD Success
        #SHAREPOINTWAC Success
        #SHAREPOINTENTERPRISE Success
        #EXCHANGE_S_ENTERPRISE Success
        # Create MsolLicenseOptions only for OFFICESUBSCRIPTION
        #$O365Licences = New-MsolLicenseOptions $AccountSkuId -DisabledPlans SHAREPOINTWAC, SHAREPOINTENTERPRISE
        $MAName = "PowerShell Connector"
        $FIMRegKey = "hklm:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters"
        $FIMParameters = Get-ItemProperty $FIMRegKey
        $cacheFileName = "cachedExports.xml"
        $office365MappingFile = "office365LicenseProfileGroupMapping.xml"
        # Set up hash table of cached exports for loading exported MemberOf property (to obsolete export)
        $cachePath = [System.IO.Path]::Combine($FIMParameters.Path, "MaData", $MAName, $cacheFileName)
        $office365MappingPath = [System.IO.Path]::Combine($FIMParameters.Path, "Extensions", $office365MappingFile)
        [xml]$office365Mapping = Get-Content -Path $office365MappingPath
        $cachedExports = @{}
        if (Test-Path $cachePath) {
            $cachedExports = Import-Clixml -Path $cachePath
        }
    }
    PROCESS {
        function log( $message ) {
            if ( $LogFileName -and $message ) {
                $message | out-file ([System.IO.Path]::Combine($LogFilePath, $LogFileName)) -append
            }
        }
        #Initialise values
        $Errorstatus = "success"
        $ErrorDetail = $null
        $IsLicensed = $null
        $IsLicensedChg = $null
        #Get UPN of the user
        $Anchor = $_."[Anchor]"
        #Get Identifier
        $Identifier = $_."[Identifier]"
        #Get Group Membership
        $MemberOf = $_.MemberOf
        #Get Object Modification Type
        $Action = $_."[ObjectModificationType]"
        $IsLicensedChg = $_.IsLicensed
        #$IsLicensedChg = $false
        #log $_
        $error.clear()
        try {
            $msoluser = Get-MsolUser -userprincipalname $Anchor -ErrorAction SilentlyContinue
            $IsLicensed = $msoluser.IsLicensed
            # Loop through each of the registered DNs in the hash table at the top of this script to find a match
            $profileToAssign = "none"
            # Loop through each configured profile to find a match in the MemberOf dn collection
            foreach ($group in $office365Mapping.o365LicenseProfiles.profiles.profile.group) {
                if ($MemberOf.Contains($group.dn)) {
                    #$IsLicensedChg = $true
                    $_.IsLicensed = $true
                    $profileToAssign = $group.parentNode.name
                    break;
                }
            }
            #foreach ($dn in $defaultProfileGroupDNs.Keys) {
            #    if ($MemberOf.Contains($dn)) {
            #        $IsLicensedChg = $true
            #        break;
            #    }
            #}
            log ("IsLicensed:" + $IsLicensed)
            log ("IsLicensedChg:" + $IsLicensedChg)
            #region unsupported operations
            if ($Action -eq 'Add') {
                throw "Add is not supported. Will be processed when Active Directory user is added/joined."
            }
            if ($Action -eq 'Delete') {
                throw "Delete is not supported. Will be processed when Active Directory user is removed."
            }
            #endregion
            if ($Action -eq 'Replace') {
                if($IsLicensedChg) {
                    if(!$IsLicensed) {
                        ## Execute to get the list of SKU's for the client environment
                        $Skus = Get-MsolAccountSku
                        switch ($profileToAssign) {
                            "default" {
                                $O365Licences = New-MsolLicenseOptions -AccountSkuId $Skus[0].AccountSkuId -DisabledPlans $Skus[0].ServiceStatus[4].ServicePlan.ServiceName, `
                                    $Skus[0].ServiceStatus[5].ServicePlan.ServiceName
                                Set-MsolUserLicense -UserPrincipalName $Anchor -AddLicenses $AccountSkuId -LicenseOptions $O365Licences
                                #Assigned new license
                                log "Assigned new license"
                            }
                            "TBA" {
                                # TODO: Copy the "default" section above and adjust according to the name configured in the xml mapping file
                            }
                            "none" {
                                # Do nothing
                            }
                            default {
                                throw "undefined Office 365 License Profile configured: $profileToAssign"
                            }
                        }
                    } else {
                        #Already licensed
                        log "Already assigned license"
                    }
                } else {
                    log "No change ..."
                    if($IsLicensed) {
                        #Remove any Previous Licenses
                        Set-MsolUserLicense -UserPrincipalName $Anchor -RemoveLicenses $msoluser.Licenses.AccountSkuId
                        log "Removed any Previous Licenses"
                    }
                }
                # Cache export
                if (-not $cachedExports.ContainsKey($Anchor)) {
                    log ("Caching new export" + $Anchor)
                    $cachedExports.Add($Anchor, @{})
                    $cachedExports.($Anchor).Add("MemberOf", $MemberOf)
                    $cachedExports.($Anchor).Add("PendingDelta", $true)
                } else {
                    log ("Caching existing export " + $Anchor)
                    $cachedExports.($Anchor).("MemberOf") = $MemberOf
                    $cachedExports.($Anchor).("PendingDelta") = $true
                }
            }
        } catch {
            $Errorstatus = "powershell-script-error"
            $ErrorDetail = $error[0]
        }
        # return status about export operation
        $status = @{}
        $status."[Anchor]" = $Anchor
        $status."[Identifier]" = $Identifier
        $status."[ErrorDetail]" = $ErrorDetail
    }
    END {
        $cachedExports | Export-Clixml -Path $cachePath
    }

Event Broker 3.2 Logon as a service not being added
After selecting the "Add log on as a service rights" tick box on the service account install page, the service would not start, with error "Error 1069: The Service did not start due to a logon failure".

Generic LDAP Listener configuration
The Monash Directory Service is an Oracle LDAP Directory.
We are creating a Generic LDAP Listener as part of the Event Broker implementation to detect changes and trigger operation lists on our MDS MA.
We are unable to complete the creation of the LDAP Directory Agent as it states that 'Domain' is a mandatory field if left blank and returns an error, regardless of the helper test stating that it is not.
Please advise

Typo for FIM Event Broker Configure MA wizard
Operation lists are now being generated with the text <MA> Agemt <xxx>

Handle case changes for Modify Anchor
Consider using the logging engine to catch and report errors, or simply do not perform the modify anchor in these cases.

Step-by-step sample for creating and configuring Event Broker v3.0.0 Agent, Operations List, Schedule, Check Operation, Operations and Group
I find it a bit hard getting started with Event Broker v3.0.0.1, despite the Getting Started
I believe a step-by-step sample for creating and configuring Event Broker v3.0.0 Agent, Operations List, Schedule, Check Operation, Operations and Group would make this much easier. It also took me a fair bit of effort to find where each of the different components is located or can be configured.
I believe something along the lines of the following would help:
1 - Create and configure Agent in the Agents tab
2 - Create an Operation List in the Operations tab
3 - Configure an Operation List in the Operations tab by clicking on that particular Operation List. Note: Ensure that the Operation List is "disabled", as only a disabled Operation List can be configured.
4 - If required, click on the icon next to the Schedule to add the schedule for this operation list
5 - If required, click on the icon next to the Check Operation to add Check Operation to the operation list
6 - Click on the icon next to the Operations to add an Operation to the operation list. Repeat this step if an additional Operation is required.
7 - If required, create Group in the Groups tab
8 - Add the Operation List to the Group as required.

When editing an Operation List's schedule through the Edit Schedule, the submission button says "Create" rather than "Update"
When editing an Operation List's schedule through the Edit Schedule, the submission button says "Create" rather than "Update".
This is a bit confusing and inconsistent with other Editing functionality.

Outgoing provisioning detection could be made more efficient
The outgoing provisioning pending detection should be made more efficient, as it can easily blow out in larger systems. You really only need to check to see if even one record exists as a pending export in an MA - there is an attribute (mms_connectorspace.export_operation) that flags a particular record as needing an export, and this can be queried quite quickly. Worth investigating for the next EB version - there may be an even faster way to find exports.
Also on this, this query times out after 30 seconds, and no exports will fire if execution exceeds this timeout.
The query execution time can be improved by adding a custom index to the ILM database, but this

Listen operation lost when operation list updated.
Listen operation lost when operation list updated.

With EB 3, how do you run a powershell script with parameters?
I am attempting to run a powershell script with parameters. If I was running it from the powershell command line I would do this:
E:\scripts\truncate-table.ps1 -server "localhost" -database "FIMData" -table "View500ADReporting_Delta"
I have tried to use the Powershell Function Operation.
First, I am confused by "Module path", which sounds like it might mean a PSSnapin. I assume this is supposed to mean the script, and enter "E:\scripts\truncate-table.ps1".
Next I am confused by "Function name". In the documentation there is a picture where the word "Execute" has been entered here. I tried that but wasn't too surprised when I got an error. I also cannot leave it blank.
Finally I enter this for the parameters:
server:"localhost";database:"FIMData";table:"View500ADReporting_Delta"
So the question is: how am I supposed to fill in the fields so it calls the script with the parameters?
I think the documentation may need clarity. Also the form should be redesigned so someone who knows about powershell scripts, but not about "modules", can figure it out.
Thanks