Identity Broker Forum


+1
Fixed

NotAllowedOnRdn error and adapter export fails and the object is renamed but not updated in AD

Customer PII has been redacted or anonymised in the screen snapshots of this topic.

Initial adapter entity:

Image 6352


I changed the user's first name from "Alarinka" to "Blarinka" and allowed normal processing to occur with the AD import schedule disabled so I could check the adapter entity after export.  Here's the failed export to the AD adapter, including a dump of the entity being updated (via a PowerShell reverse transform):

Image 6353

Adapter entity after the update is unchanged:

Image 6354


In AD, the rename was successful but the givenName and displayName updates were not:

Image 6355

Image 6356


After a subsequent import on the AD connector (to update the adapter entity) and a Baseline Sync on the outbound locker, the AD givenName and displayName details are updated correctly:

Adapter entity after AD connector import:

Image 6357


Baseline Sync log shows successful update:

Image 6358


Adapter entity after Baseline Sync:

Image 6359


I am pretty confident that the code that does the AD object export is renaming the AD user first, then attempting to update its attributes using the old DN rather than the new one.  The rename succeeds, but the attribute updates fail.

I suspect this bug has been mysteriously frustrating me for a long long time so if you could fix it then I would be incredibly grateful.
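The ordering the report above argues for, as an added example that is not UNIFYBroker's code: the rename goes first as an LDAP ModifyDN, and the attribute update that follows is addressed to the new DN. The DNs, attribute values and function names are constructed for illustration.

```powershell
# Added example, not UNIFYBroker's code: the ordering the report above argues
# for when one export both renames an AD user and changes other attributes.
# The rename is an LDAP ModifyDN; once it succeeds, every later operation on
# the object must address the NEW distinguished name.  The RDN attribute (cn)
# is also kept out of the ModifyRequest: changing it with a plain modify is
# what the directory rejects as NotAllowedOnRdn, and ModifyDN already set it.
# DNs and attribute values are constructed; the requests are built offline and
# only sent if Invoke-RenameThenUpdate is called with a real LdapConnection.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-RenameAndUpdateRequests {
    param(
        [Parameter(Mandatory)][string]$CurrentDn,
        [Parameter(Mandatory)][string]$NewCn,
        [Parameter(Mandatory)][hashtable]$AttributeUpdates
    )
    # Split "CN=<old>,<parent>" into RDN and parent container.
    # Assumes the RDN value contains no escaped commas; use a DN parser otherwise.
    $firstComma = $CurrentDn.IndexOf(',')
    $parentDn   = $CurrentDn.Substring($firstComma + 1)
    $newRdn     = "CN=$NewCn"
    $newDn      = "$newRdn,$parentDn"

    $rename = [System.DirectoryServices.Protocols.ModifyDNRequest]::new($CurrentDn, $parentDn, $newRdn)
    $rename.DeleteOldRdn = $true

    $modify = [System.DirectoryServices.Protocols.ModifyRequest]::new()
    $modify.DistinguishedName = $newDn       # the suspected bug: using $CurrentDn here
    foreach ($name in $AttributeUpdates.Keys) {
        if ($name -ieq 'cn') { continue }    # RDN attribute changes only via ModifyDN
        $change = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
        $change.Name      = $name
        $change.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
        [void]$change.Add([string]$AttributeUpdates[$name])
        [void]$modify.Modifications.Add($change)
    }
    return [pscustomobject]@{ NewDn = $newDn; Rename = $rename; Modify = $modify }
}

function Invoke-RenameThenUpdate {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [Parameter(Mandatory)]$Requests
    )
    # Rename first; SendRequest throws on an LDAP error, so the modify is only
    # attempted after the rename succeeded, and it targets the renamed object.
    [void]$Connection.SendRequest($Requests.Rename)
    [void]$Connection.SendRequest($Requests.Modify)
}

# Constructed input mirroring the report: first name Alarinka -> Blarinka.
$plan = New-RenameAndUpdateRequests `
    -CurrentDn 'CN=Alarinka Example,OU=Staff,DC=example,DC=test' `
    -NewCn 'Blarinka Example' `
    -AttributeUpdates @{ givenName = 'Blarinka'; displayName = 'Blarinka Example' }
'Rename : {0} -> {1}' -f $plan.Rename.DistinguishedName, $plan.NewDn
'Modify : {0} ({1} attribute change(s))' -f $plan.Modify.DistinguishedName, $plan.Modify.Modifications.Count
```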

0
Under review

AD User import: System.NullReferenceException: Object reference not set to an instance of an object.

The following error is occurring on both Full imports and Delta imports from Active Directory, in a customer UNIFYConnect environment:

20230512,02:28:25,UNIFYBroker,Change detection engine,Error,"Change detection engine import changes failed.
Change detection engine import changes for connector AD User failed with reason One or more errors occurred.. Duration: 00:00:02.9714687
Error details:
System.AggregateException: One or more errors occurred. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.AuditEntityPollingAsyncConnectorDecorator.<>c__DisplayClass1_0.b__0(IEnumerable`1 entities)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass8_0`1.b__0(Task`1 t)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.b__0(Task`1 t)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.EventNotifierEntityPollingAsyncConnectorDecorator.d__1.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Unify.Product.IdentityBroker.ChangeDetectionEntityPollAsyncJob.RunBase()
   at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
   at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.b__0()
   at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)
---> (Inner Exception #0) System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.AuditEntityPollingAsyncConnectorDecorator.<>c__DisplayClass1_0.b__0(IEnumerable`1 entities)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass8_0`1.b__0(Task`1 t)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.b__0(Task`1 t)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.EventNotifierEntityPollingAsyncConnectorDecorator.d__1.MoveNext()<---
",Normal
0
Not a bug

UNIFYConnect - Duplicate Account - Stops Sync

When a manual account creation occurs in AD, Broker's sync stops, and all other changes do not flow. 

Why would this occur: 

  • A user may be needed quickly, hence the manual intervention occurs. 

This is causing issues for multiple customers, who are performing this activity and unknowingly breaking the sync and causing an outage on the system. 

Can this be configured so that all changes are not halted? 

Thanks

Answer

If multiple entries were created, then the solution is performing as expected based on the configuration. Broker expects that the defined unique key stays unique according to the data source output. If this key stops being unique, processing will stop to ensure unintended behaviour doesn't happen against the data. 

If supporting duplicates is needed, the solution configuration may need to be modified to support this scenario. Otherwise, some education exercises with the customer may be necessary to assist in this area to avoid the problem reoccurring. 

We've got a backlog item to review some better resiliency around joins and handling duplicates, however this is a large item that involves a significant number of edge cases and is therefore scheduled for investigation before our next major product version release.

0
Not a bug

Active Directory User Connector Failed to Import at Monash Health

Hi, 

Monash Health reported an issue with AD user creation. 

Following is the product installed; there have been no recent changes to the configuration.

UNIFYBroker v5.3.2 Revision #0

Plug-in Version Details
Plugin Key                    Version
Microsoft Active Directory    5.3.0.0
Chris21 Connector             5.3.0.0
Sync Changes                  5.3.0.2
Plus Change Tracking          5.3.0.2
Connections                   5.3.0.2
Links                         5.3.0.2
Link Statistics               5.3.0.2
Lockers                       5.3.0.2
Locker Statistics             5.3.0.2
Provisioning                  5.3.0.2
Plus                          5.3.0.2

Answer
Rizwan Ahmed 2 years ago

The otherMobile attribute was causing the error when importing data from Active Directory. We have updated the attribute from String to Multi Valued String. The sync job is running at the moment and the data appears to be fine; will check in a few hours if the mentioned accounts are created.

Error details:

System.AggregateException: One or more errors occurred. ---> Unify.Product.IdentityBroker.EntitySchemaValidationException: Provided value System.Object[] failed validation for type String ---> System.InvalidCastException: Object must implement IConvertible.

0
Fixed

When an AD rename fails with "UpdErr: DSID-031B0E6F, problem 5012 (DIR_ERROR)" the AD connector aborts and doesn't attempt to save any other updates in the batch

After an AD record rename fails (in my case due to an invalid OU), the entire batch of all other AD updates is aborted:

20211201,02:01:06,UNIFYBroker,Connector,Warning,"Update entities to connector failed.
Update entities [Count:1336] to connector AD User failed with reason A task faulted. See inner exception for details.. Duration: 00:00:00.0903295
Error details:
System.Exception: A task faulted. See inner exception for details. ---> System.Exception: Received error code Other for item with dn CN=Customer User,OU=Location Name,OU=Customer Locations,OU=Users,OU=Customer Name,DC=customer,DC=com. Message: 00002089: UpdErr: DSID-031B0E6F, problem 5012 (DIR_ERROR), data 2
---> System.DirectoryServices.Protocols.DirectoryOperationException: An unknown error occurred.

Server stack trace:
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

Exception rethrown at [0]:
at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Connectors.AD.ADAgent.d__24`1.MoveNext()
--- End of inner exception stack trace ---
at Unify.Connectors.AD.ADAgent.ErrorCheckResponse(String dn, DirectoryResponse response, String operationName, Exception originalException)
at Unify.Connectors.AD.ADAgent.d__24`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Unify.Connectors.AD.ADAgent.d__21.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Unify.Connectors.AD.ADConnector.d__24.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.ConnectorToUpdatingAsyncConnectorBridge.d__8.MoveNext()
--- End of inner exception stack trace ---
at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass4_0.b__0(Task t)
at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.EventNotifierUpdatingAsyncConnectorDecorator.d__3.MoveNext()",Normal

In this instance after the one AD record update fails all the other updates should still be attempted, since the error on this one record has no relevance to the other record updates which are likely to succeed.

This is impacting my customer since no changes to AD are currently being synchronised.  As a workaround I will correct the OU on the impacted user.

0
Not a bug

AD connector Import Changes doesn't pick up changes to multivalued attribute (Import All does) for AD object type 'group' attribute 'member'

With the following AD connector configured:

Image 5968

Image 5969

When I use AD Users & Computers to change the DN of one of the objects in the 'member' attribute of a group and then run Import Changes, the corresponding connector entity's member field is not updated and the old DN value is retained.

When I run Import All, the member attribute updates correctly with the new DN value.

0
Not a bug

Inconsistent import/export treatment of accountExpires AD attribute values

When I import accountExpires for an AD user object as a Date field type the value I see matches the value in AD Users & Computers:

Image 5946

Image 5947

However when I export a value to that field (from a locker via a link in UNIFYBroker/Plus) it is set to the previous date in AD:

Image 5948

Image 5949

Image 5950

The Import and Export behaviours should match, or else there will be a repeated set/read/set/read loop of the value because the value read back on import won't ever match the value set on export.

For reference, for most HR systems the "end date" or "termination date" is the last date on which an employee has access, which matches the behaviour seen here for Import.

Answer

Using Timestamp is the best approach.  It must be in UTC to work correctly, however.  To achieve this, I had to import my date field as a string, then use the following adapter transform to generate EndDate (for use in Time Offset Flag transforms) and EndTimestampUTC (for mapping to accountExpires on an AD connector):

foreach ($Entity in $entities)
{
    $EndDateString = $Entity["EndDateString"].Value
    $EndDate = $Null
    $EndTimestampUTC = $Null   # must match the variable assigned below, so an empty End Date clears the timestamp
    if ($EndDateString) {
        # EndDate is a [DateTime] object of kind "Unspecified"
        # Its value is midnight at the start of the last day of the employee's access, as interpreted in the local timezone
        # Note: Adjust this if $EndDateString is not in m/d/yyyy format.
        $EndDate = [DateTime]::ParseExact($EndDateString, "M/d/yyyy", [System.Globalization.CultureInfo]::InvariantCulture)

        # EndTimestamp is a [DateTime] object of kind "Utc"
        # Its value is the UTC (GMT) representation of the exact second when the user account should be disabled -
        # in this case midnight in the local timezone at the start of the day after the End Date. If you need access to be terminated earlier than this
        # (e.g. 5pm in the local timezone on their last day) then change the .AddDays(1) accordingly.
        # Make sure the timezone specified is correct for the End Date specified.
        $EndTimestampUTC = [TimeZoneInfo]::ConvertTimeToUtc($EndDate, [TimeZoneInfo]::FindSystemTimeZoneById('AUS Eastern Standard Time')).AddDays(1)
    }
    $Entity["EndDate"] = $EndDate
    $Entity["EndTimestampUTC"] = $EndTimestampUTC
}
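The set/read mismatch raised in the question and the UTC timestamp approach given in the answer, as an added example that is not code from either post: one rule converts a last day of access into the accountExpires value, and the inverse rule reads it back to the same day. The timezone id is assumed from the answer above; the function names and the sample date are constructed.

```powershell
# Added example, not code from the original question or answer above: a
# round trip between an HR "last day of access" and the AD accountExpires
# value, so that the value a connector exports and the date it reads back
# describe the same day instead of drifting into a set/read loop.
#
# AD stores accountExpires as a FILETIME (100-nanosecond ticks since
# 1601-01-01 UTC).  AD Users & Computers shows "End of <date>" by storing
# local midnight at the START of the following day, so the stored instant and
# the last day of access are always one day apart; both directions below use
# that same rule.  The timezone id is assumed from the answer above.

$script:AccountExpiresTimeZoneId = 'AUS Eastern Standard Time'

function ConvertTo-AccountExpires {
    param(
        [Parameter(Mandatory)][string]$LastAccessDate,   # M/d/yyyy, e.g. "12/31/2023"
        [string]$TimeZoneId = $script:AccountExpiresTimeZoneId
    )
    $tz = [TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    # Kind is Unspecified, so ConvertTimeToUtc interprets it in $tz, not the server zone.
    $lastDay = [DateTime]::ParseExact($LastAccessDate, 'M/d/yyyy',
        [System.Globalization.CultureInfo]::InvariantCulture)
    # Add the day in local time first, then convert: on a DST transition day the
    # zone rules decide the UTC offset rather than a fixed 24 hours.
    $expiryLocal = $lastDay.AddDays(1)
    $expiryUtc   = [TimeZoneInfo]::ConvertTimeToUtc($expiryLocal, $tz)
    return [pscustomobject]@{
        ExpiryUtc      = $expiryUtc
        AccountExpires = $expiryUtc.ToFileTimeUtc()   # Int64 as stored in AD
    }
}

function ConvertFrom-AccountExpires {
    param(
        [Parameter(Mandatory)][Int64]$AccountExpires,
        [string]$TimeZoneId = $script:AccountExpiresTimeZoneId
    )
    # 0 and Int64.MaxValue both mean "never expires" in AD.
    if ($AccountExpires -eq 0 -or $AccountExpires -eq [Int64]::MaxValue) { return $null }
    $tz = [TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    $expiryUtc   = [DateTime]::FromFileTimeUtc($AccountExpires)
    $expiryLocal = [TimeZoneInfo]::ConvertTimeFromUtc($expiryUtc, $tz)
    # The instant is the first moment of the day after the last day of access,
    # so step back one tick before taking the date.
    return $expiryLocal.AddTicks(-1).Date
}

# Export a last day of access, read the stored value back, and compare the two.
$exported = ConvertTo-AccountExpires -LastAccessDate '12/31/2023'
$readBack = ConvertFrom-AccountExpires -AccountExpires $exported.AccountExpires
'accountExpires={0}  expiryUtc={1:u}  lastDayReadBack={2:yyyy-MM-dd}' -f `
    $exported.AccountExpires, $exported.ExpiryUtc, $readBack
```

The read-back date equals the date that was exported; if the import side of a connector applies a different rule (for example truncating the UTC instant to a date), the two will disagree by a day on every cycle, which is the loop the question describes.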

0
Answered

Error on AD group provisioning: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection

The following error is occurring when I provision an AD group using the Active Directory connector.  The group provisions just fine, but the following error is logged:

Image 5944

I will put the UNIFYConnect customer environment details in the next message, for access to the log files and config.

Answer

Hi Adrian

You'll need to set the Primary Object Class configuration on the connector to "Group", instead of "User". This field is used in the filter of a confirmation search request made after an entity is added to AD.

0

AD Agent default destination port should be 636 if SSL is selected

In the ActiveDirectory agent the default destination port is 389.  This can be overridden by appending a colon and an explicit port to the Server configuration.

In AD, port 389 is conventionally used for non-SSL traffic and port 636 is used for SSL traffic.  The default port should reflect the SSL setting, in order to avoid confusion and reduce the risk of inadvertent configuration error.

0
Answered

Managing AD user account distinguished name/organisational unit from UNIFYBroker (The connector does not support anchor modification)

Using UNIFYBroker and the Active Directory agent/connector I can set a new user account's organisational unit via their distinguishedName during account creation, but when I subsequently try to modify it this error is logged:

UnifyLog20201207.csv:14572:System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> System.NotSupportedException: The connector AD Users does not support anchor modification.

My customer's solution requires that an employee's OU be managed.  Do you have any suggestions how I could achieve this?

Answer

Hi Adrian

The "anchor" in the error message is in reference to the connector schema field/s which are marked as Key. Use a different, unique field which doesn't change as the connector key instead. Moving a user between OUs with the AD connector works, and has been done a lot in the past, so there should be plenty of PS resources you can reference.