Identity Broker Forum
Entity in IdB connector and adapter but does not exist in target directory
IdB 5, PowerShell connector, target system is RedHat LDAP.
There are three objects which exist as entities in the IdB connector and adapter but do not exist in LDAP. FIM is trying to update them and we're getting "Object does not exist" errors back from LDAP.
Connector Full Imports have been run. I turned on the verbose logging I'd added to the script which lists the DN of every object found by the Import script and these objects are not listed. I can't see any errors in the IdB log and the Full Import appears to have completed successfully.
So the question is, if they were not imported in a connector full import, shouldn't the entities have been removed from IdB?
Looking at the logs shows that there were exported entities during the full import. The import logic is designed to not delete entities that are added whilst an import is occurring, as it has no way of knowing whether the end system is omitting the entry because it was deleted immediately or because it’s just not available yet for the import (e.g. snapshot or read copy/write copy style systems).
Return error to MIM when exporting via a PowerShell connector
Is there a way to return an error to MIM for individual entities while exporting via a PowerShell connector? My export script uses the standard try/catch and pushes failures where an entity fails to export, e.g.:
try {
    # Export entity
} catch {
    $components.Failures.Push($entity);
}
Though when an entity fails it returns a very generic error to MIM.
Is there a way to return a more descriptive error along with each of the individual failures?
Support for rename operation in PowerShell connector
I am looking to add 'rename' support to a PowerShell connector. According to https://voice.unifysolutions.net/en/knowledge-bases/7/articles/2911-powershell-connector the export update script is passed $components.InputEntities which contains the updated entities. For a rename operation the key field value will have been changed, so how do I identify the record in the external system that needs to be updated? Is the old key available somewhere?
Test Connection operation for PowerShell connectors
Most UNIFYBroker agents have a Test Connection operation, but this can't be configured for PowerShell connectors. This morning my customer's PowerShell connectors were failing because Azure was reporting the MS Graph API to be overloaded and only accepting admin connections (“53300: remaining connection slots are reserved for non-replication superuser connections”).
Add a Test Connection facility to a PowerShell connector. This would tie in with https://voice.unifysolutions.net/en/communities/6/topics/4220-scheduled-execution-of-test-connection-on-agents
Feature Request: Logging from PowerShell Connector
The ability to write directly to the Identity Broker logs - such that any Broker log writer can be employed to pick this up apart from the default - is highly desirable.
Such a feature would avoid the need for the current practice of logging to custom log files using either custom code or various logging libraries.
Hi Bob,
This is already available. See this knowledge page for details:
https://voice.unifysolutions.net/knowledge-bases/7/articles/2917-powershell-connector-logger
Feature Request: Debug Capability for PowerShell Connector
Presently debugging a PowerShell connector script requires extensive use of logging.
While the above is still going to be necessary, the ability to attach a PowerShell ISE session to a PowerShell process to allow step-throughs and breakpoints is highly desirable.
# The following approach allows you to debug a PowerShell connector or adapter transform in IdB
# See the following for background:
# - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/wait-debugger?view=powershell-6
# - https://stackoverflow.com/questions/42731150/how-to-pause-a-powershell-script-until-a-debugger-attaches
# Prerequisite: PowerShell v5, IdB 5.*, PS connector or adapter transform

# 1. Edit the PowerShell code and set a pause in your PowerShell code - long enough to intercept the process and enter debug mode:
# you can use wait-debugger, but for now Matt showed me by using start-sleep instead
#Wait-Debugger -Timeout 10
Start-Sleep 30

# 2. Find the process ID
Get-Runspace

# 3. Attach the ISE
Enter-PSHostProcess -Name Unify.Service.Connect

# 4. Debug the process
Debug-Runspace -Id xx
Duplicate Error on DN in PowerShell script
I have a PowerShell connector that is pulling two attributes, DN and another one. DN is the key and it's throwing errors saying "An item with the same key has already been added". This isn't possible because DN is unique. Here is the Import All script:
import-module ActiveDirectory
$server = "Dcbr2wdc1"
$searchBase = "ou=Users,ou=dams,dc=internaldmz-dev,dc=local"
$users = get-aduser -Server $server -SearchBase $searchBase -Properties DistinguishedName, msDS-UserPasswordExpiryTimeComputed -Filter {PasswordNeverExpires -eq $false}
foreach($user in $users)
{
    $entity=$entities.Create()
    $entity["ADDN"] = $user.DistinguishedName
    $entity["ComputedPasswordExpiry"] = $user.'msDS-UserPasswordExpiryTimeComputed'
    $entity.Commit()
}
and here is the schema
New-Field 'ADDN' 'string' $true $false $true;
New-Field 'ComputedPasswordExpiry' 'string' $false $false $false;
# name type key read-only required
I tried writing the DNs to a file in the script and just got a list of DNs, no obvious duplicate. Attached the log and connector config.
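A diagnostic for the duplicate-key error described in the post above, as an added example that is not part of the original post: it reports key values that repeat once surrounding whitespace and letter case are ignored, which a plain list of DNs written to a file does not make obvious. The helper name `Find-RepeatedKey` and the sample DNs are constructed for illustration, and how the connector itself compares key values is an assumption, not something the page states.

```powershell
# Constructed sample: DNs as an import script might collect them (not real data).
$sampleDns = @(
    'CN=Alice Smith,OU=Users,OU=dams,DC=example,DC=local',
    'CN=Bob Jones,OU=Users,OU=dams,DC=example,DC=local',
    'cn=alice smith,ou=users,ou=dams,dc=example,dc=local',   # differs only in case
    'CN=Bob Jones,OU=Users,OU=dams,DC=example,DC=local ',    # trailing space
    'CN=Carol White,OU=Users,OU=dams,DC=example,DC=local'
)

function Find-RepeatedKey {
    # Hypothetical helper: returns every key value seen more than once,
    # comparing trimmed values case-insensitively (assumed comparison rule).
    param([string[]]$Keys)

    $seen = [System.Collections.Generic.Dictionary[string,int]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($key in $Keys) {
        # An empty key would fail a required-field check anyway; skip it here.
        if ([string]::IsNullOrWhiteSpace($key)) { continue }

        $normalised = $key.Trim()
        if ($seen.ContainsKey($normalised)) {
            $seen[$normalised]++
        } else {
            $seen[$normalised] = 1
        }
    }

    foreach ($pair in $seen.GetEnumerator()) {
        if ($pair.Value -gt 1) {
            [pscustomobject]@{ Key = $pair.Key; Count = $pair.Value }
        }
    }
}

# Lists the two constructed DNs that collide, each with Count = 2.
Find-RepeatedKey -Keys $sampleDns | Format-Table -AutoSize
```

In an import script the same function can be run over the collected `DistinguishedName` values before the `foreach` loop that calls `Commit()`.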
Import from connector failed with reason User Not Found. User: None
Hi, is there any guidance on what this error means? I'm getting it on imports on a PowerShell connector. I assumed that it meant it's trying to commit an entity that's missing some attribute but the code seems to be correct. Snippet and error follow.
Only ID is a required attribute.
Relevant part of import.ps1
if ($msoluser.ImmutableID)
{
    ## Create or update IdB entity
    $entity = $entities.Create()
    $entity['ID'] = $msoluser.ImmutableID
    $entity['UPN'] = $msoluser.UserPrincipalName
    $entity['isLicensed'] = $msoluser.isLicensed
    $entity['Alumni'] = $Alumni
    $entity['UserStatus'] = $UserStatus
    $entity['CheckLicense'] = $CheckLicense
    $entity.Commit()
}
Error in IDB logs:
Import changes from connector Office 365 Student Connector failed with reason User Not Found. User: none.. Duration: 00:45:45.8101253 Error details: Microsoft.Online.Administration.Automation.MicrosoftOnlineException: User Not Found. User: none. at Unify.Product.IdentityBroker.PowerShellConnector.d__30.MoveNext() at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext() at Unify.Framework.Collections.ActionOnExceptionEnumerator`1.MoveNext() at Unify.Framework.Collections.EnumerableExtensions.d__10`1.MoveNext() at System.Linq.Buffer`1..ctor(IEnumerable`1 source) at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source) at Unify.Product.IdentityBroker.ChangeDetectionEntityPollJob.RunBase() at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run() at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass33_0.b__0() at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)",Normal
Hi Tom, based on the exception type it looks like an exception generated by the Microsoft code that's fetching a user.
Microsoft.Online.Administration.Automation.MicrosoftOnlineException: User Not Found. User: none.
Using the PowerShell logger to add additional logging around key parts of the script should help you confirm this and debug further.
Error occurs once per page "Cannot access destination table 'EntityValueOrigin'"
Once per page on export the following error occurs. There doesn't appear to be any impact from the error as the user is provisioned correctly by PowerShell and they also appear correctly in UNIFYBroker. They also appear in both the "adds" section of MIM and the "errors" section under "unexpected-error". The following stack trace appears in the Identity Broker logs.
We very recently upgraded from 5.0.3 but we are unsure if that's related.
UNIFYBroker Version: 5.1.0 Revision #2
MIM Version: 4.4.1749.0
System.InvalidOperationException: Cannot access destination table 'EntityValueOrigin'. ---> System.Data.SqlClient.SqlException: Invalid object name 'EntityValueOrigin'.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
at System.Data.SqlClient.SqlBulkCopy.RunParser(BulkCopySimpleResultSet bulkCopyHandler)
at System.Data.SqlClient.SqlBulkCopy.CreateAndExecuteInitialQueryAsync(BulkCopySimpleResultSet& result)
at System.Data.SqlClient.SqlBulkCopy.WriteToServerInternalRestAsync(CancellationToken cts, TaskCompletionSource`1 source)
--- End of inner exception stack trace ---
at System.Data.SqlClient.SqlBulkCopy.WriteToServerInternalRestAsync(CancellationToken cts, TaskCompletionSource`1 source)
at System.Data.SqlClient.SqlBulkCopy.WriteToServerInternalAsync(CancellationToken ctoken)
at System.Data.SqlClient.SqlBulkCopy.WriteRowSourceToServerAsync(Int32 columnCount, CancellationToken ctoken)
at System.Data.SqlClient.SqlBulkCopy.WriteToServer(DataTable table, DataRowState rowState)
at Unify.Product.IdentityBroker.EntityValueOriginContext.InsertItems(ISet`1 addedItems, EntityValueOriginDataContext sourceContext, SqlConnection connection)
at Unify.Framework.Data.LinqContextConversionBase`4.SubmitChanges()
at Unify.Product.IdentityBroker.OriginInformationProcessor.RunBase()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)",Normal
Please run the Database upgrade script, located in the Database sub-directory of the Identity Broker installation directory.
PowerShell Connector continuing to run script after MIM says run is complete
It looks like a PowerShell MA's script is continuing to run well after the MA in MIM says the run has been completed. Is this a known thing which happens or is intended or is it a bug?
UNIFY Broker Version: v5.1.0 Revision #2
MIM Version 4.4.17849.0
AddUser PowerShell code: D:\ADProvisioning.Powershell\UserAdd.ps1
Note: The code was previously "& D:\ADProvisioning.Powershell\UserAdd.ps1" but I changed it because I didn't understand the intent of running it as a separate process and to simplify the problem solving process. The issue still occurred when
Before running the export:
No log in file explorer yet for the AD Provisioning Export.
After running the export
All the errors are ma-extension-error, which may be genuine as the script I'm writing is still being worked on.
Here's the number of users steadily increasing
Here's the export log continuing to be updated after the run has been finished.
I can make the script I'm running available on request.
The issue turned out to be that the MIM Agent is timing out. Please see https://voice.unifysolutions.net/knowledge-bases/7/articles/3364-unifybrokermicrosoft-identity-manager-configuration for details on configuring the timeout. Please note in particular that bulk exports use only a single request per page (the Page Size setting), so you will need to either decrease the page size, increase the timeout, or improve the performance of the PowerShell script.