Not a bug

IdB check operation issue

Matthew Woolnough 12 months ago • updated by anonymous 11 months ago

I have configured an Aurion Employee import operation with a check operation. 

Either the:

  • Check is not detecting that there are changes to import; or
  • The run profile isn't being started when the objects are detected.

We manually ran an import in the MIM MA and 65 updates were imported.

Will add config shortly.

Answer

Not a bug

No response (here or via email).

Right-o.


  • What am I trying to do? 
  • Schedule import of data from IdB into MIM with a check operation before an MIM Operation.

  • What do I think should happen? What are the inputs to the process and what do I expect to be the outputs?
  • EvB should see that there are changes pending and start an import.

  • What behaviour am I observing instead? How is this different to what I expected?
  • EvB does not start MA import run profile. EvB should start MA import run profile.

  • Does this behaviour always occur or only intermittently? Is there any pattern to when it occurs?
  • On all IDB Checks as far as I am aware.

  • If this process applies to several entities, does the issue occur to all entities involved or only some? Is there anything in common between the affected entities?
  • N/A

  • Has this ever worked in the past? If yes, when did it stop working? What has changed since then?
  • I don't believe it has ever worked in prod. 

  • Does this work in another environment? If yes, what is different between the two environments, such as configuration, volume of data or frequency of operation? Can I reproduce this in another environment?
  • I believe it did work in other environments. I have asked for a change to be made in Aurion in order to check, but this might take days.

  • Have I tested this in isolation? Is it possible to disable other operations or components to narrow down the number of potential causes? If the issue is triggered by a request from an external system, is it possible to replicate the request to test manually? If the issue occurs making a request to an external system, is it possible to replicate the request to test manually?
  • N/A.  The issue is between IdB and EvB.

  • What have I attempted so far to diagnose the cause of the issue? Are there any error messages logged? Have I read the error messages carefully and attempted to resolve any issues they describe?
  • I have not seen any errors. I have turned on Diagnostic debugging, left it run for an hour or so and provided the logs along with the configuration to the product team for review.



    Under review

    Hi Matt,

    I've just had a quick look through your config and logs. Based on both the operation configuration and the logs you provided, it says that the Identity Broker listen operation for Aurion Employees adapter is disabled.

    The operation ID is 1d8ef480-216b-4bcd-85c2-396a4e535e4e

    Can you please double check which operation you're referring to, and confirm whether it is enabled? If it is, try to capture some logs when changes are available in the adapter.

    I've tried enabling & disabling. At that point in time, it was disabled.

    How can I tell if changes are available?  Is that a non zero value in "Pending Changes" in the Adapter?


    Pending changes are no longer what is checked; they represent the entities that are yet to be processed during change detection/reflection. The change log and an internal flag are what is checked by MIM Event Broker. To maintain backwards compatibility across all Identity Broker versions, the service contract wasn't updated - a limitation of which is that the operation is destructive and further checks will result in a false being returned for whether there are changes available.

    So how can I check the change log and the internal flag? How do I tell if EvB should be detecting a change?

    When there has been a change since the last true result, evident in the change processing logs.

    Sorry, I don't understand. What am I looking for in the logs? 

    E.g.

    20170808,01:24:12,UNIFY Identity Broker,Adapter,Information,"Request to reflect change entities of the adapter.
    Request to reflect change entities of the Something (2551d598-b7b3-4f63-9d9b-bbcd1f76bd63) adapter completed with 0 adds, 11 updates and 0 deletes across 1 pages. Duration: 00:00:00.5505563",Normal

    Setup

    1. Installed Event Broker Service
    2. Installed Event Broker Web
    3. Disabled inbuilt web server
    4. Configured IIS for EvB
    5. Changed binding to IPv6 localhost [::0]

    Migration

    1. Copy the following files to the new server:

    • C:\Program Files\UNIFY Solutions\Event Broker\Services\Unify.Service.Event.exe.config 
    • Event Broker Extension Files.

    2. Start Service

    3. Update MIM Agent to use correct DB Server

    4. Update AD Agent to use production DCs & prod service account.

    5. Edit each Operation to ensure the Check Operation & the Import/Export is on the correct MA.


    Not sure why this last step is necessary, but after the migration, the Operations had incorrect MAs. 

    i.e. MIM Agent Aurion Schedules MA Incoming was checking Aurion Employees MA instead of Schedules. This occurred in both test and prod.

    This means your MIM configuration wasn't migrated properly - i.e. the GUIDs do not match between environments. MIM Event Broker attempts to find the closest match of MA and run profile names (using a variation of the Damerau-Levenshtein distance algorithm).

    Everything in MIM is working fine, so not sure that it's fair to say that it wasn't migrated properly. 

    Line 3298: Request to reflect change entities of the Aurion Employees (a1a52f76-06ae-43ea-9583-1937a3e899b0) adapter completed with 0 adds, 0 updates and 0 deletes across 0 pages. Duration: 00:00:00.0156196",Verbose

    Then when I manually run an import, an object update is detected.

    Line 3213:  Handling of LDAP search request from user mim on connection 127.0.0.1:50171 targeting UID=3824,OU=AurionEmployees,DC=IdentityBroker with a scope of BaseObject completed successfully. Results: 1. Duration: 00:00:00.0937461.",Normal


    IdB Logs.txt

    The run import operation didn't run, even though there was an update pending.

    Were there any other reflected objects since the last EB IdB check was run? If there weren't any updates as far as Identity Broker was concerned, then there wouldn't be anything for EB to pick up.

    Also, what was the change that EB picked up? Is it a change that you made to the object? What is the sequence of events that you performed?

    I did nothing for a few days, then manually ran a Delta Import and Delta Sync on the Aurion Employees MA. A single update was detected.

    The previous time it had run an import was 6:30 in the morning. Not sure if this was manually run, or Event Broker ran it. 

    My expectation was that Event Broker would have detected the pending change and run an import, but it looks in the logs in the following line as though it didn't detect it.

    Line 3298: Request to reflect change entities of the Aurion Employees (a1a52f76-06ae-43ea-9583-1937a3e899b0) adapter completed with 0 adds, 0 updates and 0 deletes across 0 pages. Duration: 00:00:00.0156196",Verbose


    I pointed out that log so that you could test the object update and MIM Event Broker detection in isolation. It shows that a change was calculated in Identity Broker, it's not the call that is logged when MIM Event Broker detects a change.

    Found the following in the logs. The suspicion is that the operation tried to run, but was blocked. Have implemented retries with 1min delay & 5 retries across all MAs.


    20171027,01:10:57,UNIFY MIM Event Broker,Operations,Error,"Operation Run Profile Operation - Run Profile: DIDS with id a828dd71-7b33-4926-be7c-13676c899057 failed in the operation list MIM Agent Aurion Employees MA Incoming with id 1d8ef480-216b-4bcd-85c2-396a4e535e4e for the following reason. This is retry number 0: System.Runtime.Remoting.ServerException: Operation for management agent with id 40329f6e-19a2-4d34-a4b9-7606d28d8488 with name DIDS failed with result call-failure:0x8023063D
       at Unify.Product.EventBroker.MIMAgent.ExecuteRunProfile(Guid agentId, Guid managementAgentDetailsKey, Guid runProfileDetailsKey)
       at Unify.EventBroker.Agents.Audit.MIMAgentAuditingDecorator.ExecuteRunProfile(Guid agentId, Guid managementAgentKey, Guid runProfileKey)
       at Unify.Product.EventBroker.RunProfilePlugIn.Execute()
       at Unify.EventBroker.PlugIn.Audit.OperationAuditingDecorator.Execute()
       at Unify.Product.EventBroker.OperationListExecutorBase.RunNextOperations(IEnumerator`1 operationEnumerator)",Normal
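
Added example, not part of the thread and not UNIFY's code: a Python parser for the log format quoted above that lists adapter reflections with non-zero adds/updates/deletes (the evidence the thread says to look for) and failed run profile results. The sample records are constructed from lines quoted in the thread (the third is abridged), and the seven-column layout is an assumption based on those lines.

```python
import csv
import io
import re

# Constructed sample modelled on the records quoted in this thread. Assumed layout:
# date,time,source,module,level,"message",priority (the message may span lines).
SAMPLE_LOG = '''20170808,01:24:12,UNIFY Identity Broker,Adapter,Information,"Request to reflect change entities of the adapter.
Request to reflect change entities of the Something (2551d598-b7b3-4f63-9d9b-bbcd1f76bd63) adapter completed with 0 adds, 11 updates and 0 deletes across 1 pages. Duration: 00:00:00.5505563",Normal
20170808,01:54:12,UNIFY Identity Broker,Adapter,Information,"Request to reflect change entities of the adapter.
Request to reflect change entities of the Aurion Employees (a1a52f76-06ae-43ea-9583-1937a3e899b0) adapter completed with 0 adds, 0 updates and 0 deletes across 0 pages. Duration: 00:00:00.0156196",Verbose
20171027,01:10:57,UNIFY MIM Event Broker,Operations,Error,"Operation for management agent with id 40329f6e-19a2-4d34-a4b9-7606d28d8488 with name DIDS failed with result call-failure:0x8023063D",Normal
'''

FIELDS = ("date", "time", "source", "module", "level", "message", "priority")
REFLECT = re.compile(r"of the (?P<name>.+?) \((?P<id>[0-9a-f-]{36})\) adapter completed with "
                     r"(?P<adds>\d+) adds, (?P<updates>\d+) updates and (?P<deletes>\d+) deletes")
FAILURE = re.compile(r"failed with result (?P<result>[\w-]+:0x[0-9A-Fa-f]+)")

def parse_records(text):
    """Yield one dict per record; csv.reader keeps a quoted multi-line message whole."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) == len(FIELDS):
            yield dict(zip(FIELDS, row))

def reflected_changes(text):
    """Reflections that produced at least one add, update or delete."""
    hits = []
    for rec in parse_records(text):
        m = REFLECT.search(rec["message"])
        if m:
            total = sum(int(m[k]) for k in ("adds", "updates", "deletes"))
            if total:  # all-zero reflections give Event Broker nothing to pick up
                hits.append((rec["date"], rec["time"], m["name"], m["id"], total))
    return hits

def run_profile_failures(text):
    """Error-level records that carry a run profile result code."""
    hits = []
    for rec in parse_records(text):
        m = FAILURE.search(rec["message"])
        if rec["level"] == "Error" and m:
            hits.append((rec["date"], rec["time"], m["result"]))
    return hits

if __name__ == "__main__":
    for hit in reflected_changes(SAMPLE_LOG) + run_profile_failures(SAMPLE_LOG):
        print(hit)
```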