eDirectory Agent unable to be created with Basic authentication
I just shared a remote desktop session with Henry and his customer and he showed me what he described as a problem whereby the eDir and AD agent dialogs were seemingly being confused. This is hard to explain - basically when he had set up an eDir agent and tried to view the details, the labels were what you would expect for an AD agent, and vice versa.
Firstly I am logging this call on Henry's behalf because he doesn't yet have an Atlassian ID (he told me that Shane Day had organised something and that he should have had an email from the website by now, but there has been no email, and there is certainly no evidence of a Henry.Schleichardt user id). Henry has promised to email me with the details, but until he does, this issue serves as a placeholder for that further info.
What I then did was tell Henry to save a backup of his Extensibility folder, and then to delete all agents/connectors/groups - which he did. I then got him to recreate the FIM agent, then the AD agent, and check that it worked and fired the correct AD MA in FIM - which it did (although we couldn't get this working with Authentication type = Secure, and had to use Basic ... but that is another issue entirely - right now working with Basic was adequate).
So then with this working I got him to examine the created configuration and check that all the details were as expected - inspecting the LISTENER and the CHANGES settings for the first AD MA.
I then got him to repeat the exercise for eDir - and here is the first evidence of the problem ... when we chose "LDAP Agent" from the list of agents and clicked CREATE AGENT, Henry entered the name of the agent and the server DNS name ... then when he selected "Basic" from the drop-down list we were presented with the following fields to complete:
- Repeat Password
The problem of course is that the first property "Domain" is redundant here, since the user name being entered is in its full DN format (Henry's screenshots will show you this - details as he is using in the eDir MA's connection details itself). Since this field is shown as MANDATORY, we had to enter SOMETHING - I suggested that this looks like a bug but for the time being we could re-enter the server DNS name. This was accepted but of course when we enabled the operation it failed.
So at this point we are stuck with not being able to configure the agent correctly for eDir. We also tried anonymous, but this didn't work in this case either (we weren't sure if some level of anonymous was allowed, but it appears not - it was a long shot regardless!).
For the time being I have advised Henry to simply delete the check operation and to run the eDir DI/DS run profile at intervals of say 10 minutes.
Could you please have a look at this Agent with an eDir instance (I believe Eddie Kirkman has a working instance of one if you need one) and see if you can see the same problem? Ideally then get back to Henry asap with either advice on what he/we have done incorrectly or a patch to fix what could be a bug.
Email to Henry and Christian:
When Eddie Kirkman gets back from leave we might be able to learn more about this.
Hi Patrick Johannessen, could you please update this with the latest information?
Fix pushed to INFOWAN-2 branch. Shouldn't be applied to the main branch - we instead need to upgrade it in the next version to support more configurable options so that it's more cross-platform.
EB-652 for a permanent fix in future.
From Christian, 06/08/13: