Identity Broker Forum


+1
Answered

Entity in IdB connector and adapter but does not exist in target directory

Carol Wapshere 9 years ago in PowerShell connector updated by anonymous 9 years ago 3

IdB 5, Powershell connector, target system is RedHat LDAP.


There are three objects which exist as entities in the IdB connector and adapter but do not exist in LDAP. FIM is trying to update them and we're getting "Object does not exist" errors back from LDAP.


Connector Full Imports have been run. I turned on the verbose logging I'd added to the script which lists the DN of every object found by the Import script and these objects are not listed. I can't see any errors in the IdB log and the Full Import appears to have completed successfully.


So the question is, if they were not imported in a connector full import, shouldn't the entities have been removed from IdB?

Answer
anonymous 9 years ago

Looking at the logs shows that there were exported entities during the full import. The import logic is designed to not delete entities that are added whilst an import is occurring, as it has no way of knowing whether the end system is omitting the entry because it was deleted immediately or because it’s just not available yet for the import (e.g. snapshot or read copy/write copy style systems).

0
Under review

Return error to MIM when exporting via a PowerShell connector

Hayden Gray 2 weeks ago in PowerShell connector updated 2 weeks ago 2

Is there a way to return an error to MIM for individual entities while exporting via a PowerShell connector? My export script uses the standard try/catch and pushes failures where an entity fails to export, eg:
try{
     #Export entity
}catch{
     $components.Failures.Push($entity);
}

Though when an entity fails it returns a very generic error to MIM.

Image 6931

Is there a way to return a more descriptive error along with each of the individual failures?

0
Planned

Support for rename operation in PowerShell connector

Adrian Corston 3 years ago in PowerShell connector updated by Matthew Davis (Technical Product Manager) 2 years ago 8

I am looking to add 'rename' support to a PowerShell connector.  According to https://voice.unifysolutions.net/en/knowledge-bases/7/articles/2911-powershell-connector the export update script is passed $components.InputEntities which contains the updated entities.  For a rename operation the key field value will have been changed, so how do I identify the record in the external system that needs to be updated?  Is the old key available somewhere?

0

Test Connection operation for PowerShell connectors

Adrian Corston 4 years ago in PowerShell connector updated by Matthew Davis (Technical Product Manager) 3 years ago 0

Most UNIFYBroker agents have a Test Connection operation, but this can't be configured for PowerShell connectors.  This morning my customer's PowerShell connectors were failing because Azure was reporting the MS Graph API to be overloaded and only accepting admin connections (“53300: remaining connection slots are reserved for non-replication superuser connections”).

Add a Test Connection facility to a PowerShell connector.  This would tie in with https://voice.unifysolutions.net/en/communities/6/topics/4220-scheduled-execution-of-test-connection-on-agents

0
Completed

Feature Request: Logging from PowerShell Connector

Bob Bradley 6 years ago in PowerShell connector updated 6 years ago 2

The ability to write directly to the Identity Broker logs - such that any Broker log writer can be employed to pick this up apart from the default - is highly desirable.

Such a feature would avoid the need for the current practice of logging to custom log files using either custom code or various logging libraries.

Answer

Hi Bob, 

This is already available. See this knowledge page for details:

https://voice.unifysolutions.net/knowledge-bases/7/articles/2917-powershell-connector-logger

0
Completed

Feature Request: Debug Capability for PowerShell Connector

Bob Bradley 6 years ago in PowerShell connector updated by Adrian Corston 5 years ago 3

Presently debugging a PowerShell connector script requires extensive use of logging.

While the above is still going to be necessary, the ability to attach a PowerShell ISE session to a PowerShell process to allow step-throughs and breakpoints is highly desirable.

Answer
# The following approach allows you to debug a PowerShell connector or adapter transform in IdB
# See the following for background:
# - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/wait-debugger?view=powershell-6
# - https://stackoverflow.com/questions/42731150/how-to-pause-a-powershell-script-until-a-debugger-attaches
# Prerequisite: PowerShell v5, IdB 5.*, PS connector or adapter transform
# 1. Edit the PowerShell code and set a pause in your PowerShell code - long enough to intercept the process and enter debug mode:
# you can use wait-debugger, but for now Matt showed me by using start-sleep instead
#Wait-Debugger -Timeout 10
Start-Sleep 30
# 2. Find the process ID
Get-Runspace
# 3. Attach the ISE 
Enter-PSHostProcess -Name Unify.Service.Connect
# 4. Debug the process
Debug-Runspace -Id xx

0
Fixed

Duplicate Error on DN in PowerShell script

I have a PowerShell connector that is pulling two attributes, DN and another one. DN is the key and it's throwing errors saying "An item with the same key has already been added". This isn't possible because DN is unique. Here is the Import All script:

Import-Module ActiveDirectory

$server = "Dcbr2wdc1"
$searchBase = "ou=Users,ou=dams,dc=internaldmz-dev,dc=local"

$users = Get-ADUser -Server $server -SearchBase $searchBase -Properties DistinguishedName, msDS-UserPasswordExpiryTimeComputed -Filter {PasswordNeverExpires -eq $false}

foreach ($user in $users)
{
    $entity = $entities.Create()
    $entity["ADDN"] = $user.DistinguishedName
    $entity["ComputedPasswordExpiry"] = $user.'msDS-UserPasswordExpiryTimeComputed'
    $entity.Commit()
}

and here is the schema

New-Field 'ADDN' 'string' $true $false $true;
New-Field 'ComputedPasswordExpiry' 'string' $false $false $false;
# name type key read-only required

I tried writing the DNs to a file in the script and just got a list of DNs, no obvious duplicate. Attached the log and connector config.
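A diagnostic that could be run over the DN list before the values are handed to the connector, as an added example that is not part of the original post or of Identity Broker: it reports keys that are exact duplicates and keys that differ only by case or surrounding whitespace, which a visual scan of a dumped file can miss. The function name `Find-KeyCollision` and the sample DNs are constructed for illustration; how the connector itself compares keys is not stated on the page.

```powershell
# Added example (not from the original post). Sample DNs are constructed and
# stand in for the $users.DistinguishedName values returned by Get-ADUser.
$sampleDns = @(
    'CN=Alice Smith,OU=Users,OU=dams,DC=internaldmz-dev,DC=local',
    'CN=Bob Jones,OU=Users,OU=dams,DC=internaldmz-dev,DC=local',
    'cn=alice smith,ou=Users,ou=dams,dc=internaldmz-dev,dc=local',   # differs by case only
    'CN=Carol Wu,OU=Users,OU=dams,DC=internaldmz-dev,DC=local ',     # trailing space
    'CN=Carol Wu,OU=Users,OU=dams,DC=internaldmz-dev,DC=local',
    'CN=Bob Jones,OU=Users,OU=dams,DC=internaldmz-dev,DC=local'      # exact repeat
)

# Hypothetical helper: groups keys after trimming and upper-casing them, then
# reports every group that holds more than one raw value.
function Find-KeyCollision {
    param([Parameter(Mandatory)] [string[]] $Keys)

    $Keys |
        Group-Object -Property { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            # Select-Object -Unique compares strings case-sensitively, so one
            # surviving value means the raw keys were byte-for-byte repeats.
            $distinctRaw = @($_.Group | Select-Object -Unique)
            $kind = if ($distinctRaw.Count -eq 1) { 'Exact' } else { 'CaseOrWhitespace' }

            [pscustomobject]@{
                NormalizedKey = $_.Name
                Count         = $_.Count
                Kind          = $kind
                RawValues     = $_.Group
            }
        }
}

# Print each collision; brackets make leading or trailing whitespace visible.
Find-KeyCollision -Keys $sampleDns | ForEach-Object {
    '{0} values collide ({1}) on {2}' -f $_.Count, $_.Kind, $_.NormalizedKey
    $_.RawValues | ForEach-Object { "  [$_]" }
}
```

In an import script the same function can be called with `$users.DistinguishedName` and its output written to a log before the `foreach` loop commits any entity.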

0
Answered

Import from connector failed with reason User Not Found. User: None

Hi, is there any guidance on what this error means? I'm getting it on imports on a PowerShell connector. I assumed that it meant it's trying to commit an entity that's missing some attribute but the code seems to be correct. Snippet and error follow.

Only ID is a required attribute.

Relevant part of import.ps1


if ($msoluser.ImmutableID)
{
    ## Create or update IdB entity
    $entity = $entities.Create()
    $entity['ID'] = $msoluser.ImmutableID
    $entity['UPN'] = $msoluser.UserPrincipalName
    $entity['isLicensed'] = $msoluser.isLicensed
    $entity['Alumni'] = $Alumni
    $entity['UserStatus'] = $UserStatus
    $entity['CheckLicense'] = $CheckLicense
    $entity.Commit()
}

Error in IDB logs:

Import changes from connector Office 365 Student Connector failed with reason User Not Found.  User: none.. Duration: 00:45:45.8101253
Error details:
Microsoft.Online.Administration.Automation.MicrosoftOnlineException: User Not Found.  User: none.
   at Unify.Product.IdentityBroker.PowerShellConnector.d__30.MoveNext()
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.ActionOnExceptionEnumerator`1.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.ChangeDetectionEntityPollJob.RunBase()
   at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
   at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass33_0.b__0()
   at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)",Normal
Answer

Hi Tom, based on the exception type it looks like an exception generated by the Microsoft code that's fetching a user.

Microsoft.Online.Administration.Automation.MicrosoftOnlineException: User Not Found.  User: none.

Using the PowerShell logger to add additional logging around key parts of the script should help you confirm this and debug further.

0
Answered

Error occurs once per page "Cannot access destination table 'EntityValueOrigin'"

Tom Parker 6 years ago in PowerShell connector updated 6 years ago 5

Once per page on export the following error occurs. There doesn't appear to be any impact from the error as the user is provisioned correctly by PowerShell and they also appear correctly in UNIFYBroker. They also appear in both the "adds" section of MIM and the "errors" section under "unexpected-error". The following stack trace appears in the Identity Broker logs.

We very recently upgraded from 5.0.3 but we are unsure if that's related.

UNIFYBroker Version: 5.1.0 Revision #2

MIM Version: 4.4.1749.0


System.InvalidOperationException: Cannot access destination table 'EntityValueOrigin'. ---> System.Data.SqlClient.SqlException: Invalid object name 'EntityValueOrigin'.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
at System.Data.SqlClient.SqlBulkCopy.RunParser(BulkCopySimpleResultSet bulkCopyHandler)
at System.Data.SqlClient.SqlBulkCopy.CreateAndExecuteInitialQueryAsync(BulkCopySimpleResultSet& result)
at System.Data.SqlClient.SqlBulkCopy.WriteToServerInternalRestAsync(CancellationToken cts, TaskCompletionSource`1 source)
--- End of inner exception stack trace ---
at System.Data.SqlClient.SqlBulkCopy.WriteToServerInternalRestAsync(CancellationToken cts, TaskCompletionSource`1 source)
at System.Data.SqlClient.SqlBulkCopy.WriteToServerInternalAsync(CancellationToken ctoken)
at System.Data.SqlClient.SqlBulkCopy.WriteRowSourceToServerAsync(Int32 columnCount, CancellationToken ctoken)
at System.Data.SqlClient.SqlBulkCopy.WriteToServer(DataTable table, DataRowState rowState)
at Unify.Product.IdentityBroker.EntityValueOriginContext.InsertItems(ISet`1 addedItems, EntityValueOriginDataContext sourceContext, SqlConnection connection)
at Unify.Framework.Data.LinqContextConversionBase`4.SubmitChanges()
at Unify.Product.IdentityBroker.OriginInformationProcessor.RunBase()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)",Normal

Answer
Curtis Lusmore 6 years ago

Please run the Database upgrade script, located in the Database sub-directory of the Identity Broker installation directory.

0
Answered

Powershell Connector continuing to run script after MIM says run is complete

Tom Parker 6 years ago in PowerShell connector updated by Bob Bradley 6 years ago 4

It looks like a Powershell MA's script is continuing to run well after the MA in MIM says the run has been completed. Is this a known thing which happens or is intended or is it a bug?

UNIFY Broker Version: v5.1.0 Revision #2
MIM Version 4.4.17849.0

AddUser powershell code: D:\ADProvisioning.Powershell\UserAdd.ps1

Note: The code was previously "& D:\ADProvisioning.Powershell\UserAdd.ps1" but I changed it because I didn't understand the intent of running it as a separate process and to simplify the problem solving process. The issue still occurred when


Before running the export:

Image 5002

No log in file explorer yet for the AD Provisioning Export.

After running the export

All the errors are ma-extension-error, which may be genuine as the script I'm writing is still being worked on.

Image 5006

Here's the number of users steadily increasing

Image 5007

Here's the export log continuing to be updated after the run has been finished.


Image 5005


I can make the script I'm running available on request.

Answer
Curtis Lusmore 6 years ago

The issue turned out to be that the MIM Agent is timing out. Please see https://voice.unifysolutions.net/knowledge-bases/7/articles/3364-unifybrokermicrosoft-identity-manager-configuration for details on configuring the timeout. Please note in particular that bulk exports use only a single request per page (the Page Size setting), so you will need to either decrease the page size, increase the timeout, or improve the performance of the PowerShell script.