Identity Broker Forum

Welcome to the community forum for Identity Broker.

Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.

0
Under review

AD connector Import Changes doesn't pick up changes to multivalued attribute (Import All does) for AD object type 'group' attribute 'member'

With the following AD connector configured:

When I use AD Users & Computers to change the DN of one of the objects in the 'member' attribute of a group and then run Import Changes the corresponding connector entity's member field is not updated and the old DN value is retained.

When I run Import All, the member attribute updates correctly with the new DN value.

0
Not a bug

Inconsistent import/export treatment of accountExpires AD attribute values

When I import accountExpires for an AD user object as a Date field type the value I see matches the value in AD Users & Computers:

However when I export a value to that field (from a locker via a link in UNIFYBroker/Plus) it is set to the previous date in AD:

The Import and Export behaviours should match, or else there will be a repeated set/read/set/read loop of the value because the value read back on import won't ever match the value set on export.

For reference, for most HR systems the "end date" or "termination date" is the last date on which an employee has access, which matches the behaviour seen here for Import.

Answer

Using Timestamp is the best approach.  It must be in UTC to work correctly, however.  To achieve this, I had to import my date field as a string, then use the following adapter transform to generate EndDate (for use in Time Offset Flag transforms) and EndTimestampUTC (for mapping to accountExpires on an AD connector):

foreach ($Entity in $entities)
{
    $EndDateString = $Entity["EndDateString"].Value
    $EndDate = $Null
    $EndTimestampUTC = $Null
    if ($EndDateString) {
        # EndDate is a [DateTime] object of kind "Unspecified"
        # Its value is midnight at the start of the last day of the employee's access, as interpreted in the local timezone
        # Note: Adjust the format string if $EndDateString is not in M/d/yyyy format.
        $EndDate = [DateTime]::ParseExact($EndDateString, "M/d/yyyy", [System.Globalization.CultureInfo]::InvariantCulture)

        # EndTimestampUTC is a [DateTime] object of kind "Utc"
        # Its value is the UTC (GMT) representation of the exact second when the user account should be disabled -
        # in this case midnight in the local timezone at the start of the day after the End Date. If you need access to be terminated earlier than this
        # (e.g. 5pm in the local timezone on their last day) then change the .AddDays(1) accordingly.
        # The day is added in local time, before the UTC conversion, so a daylight-saving change on that day is handled by the timezone.
        # Make sure the timezone specified is correct for the End Date specified.
        $EndTimestampUTC = [TimeZoneInfo]::ConvertTimeToUtc($EndDate.AddDays(1), [TimeZoneInfo]::FindSystemTimeZoneById('AUS Eastern Standard Time'))
    }
    $Entity["EndDate"] = $EndDate
    $Entity["EndTimestampUTC"] = $EndTimestampUTC
}
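
Added example, not part of the answer above or of UNIFYBroker: a round trip through the raw accountExpires value, to show why the import and export in the question above disagree and how to check that a date survives the set/read cycle unchanged. It assumes the attribute is handled as its native 64-bit FILETIME integer (100 ns ticks since 1601-01-01 UTC) and that the HR end date is the last day of access in the 'AUS Eastern Standard Time' zone; the sample date is constructed. It also covers the two sentinel values (0 and Int64.MaxValue) that AD uses for "never expires", which the answer does not mention.

```powershell
# Added example (not UNIFYBroker code). Assumes accountExpires is read and written as its raw Int64 FILETIME value.
$Tz = [TimeZoneInfo]::FindSystemTimeZoneById('AUS Eastern Standard Time')
$NeverExpires = [Int64]::MaxValue   # AD treats both 0 and Int64.MaxValue as "account never expires"

function ConvertTo-AccountExpires {
    # Last day of access (any DateTime kind) -> accountExpires FILETIME of local midnight at the start of the next day.
    param([Parameter(Mandatory)][DateTime]$LastDayOfAccess, [TimeZoneInfo]$TimeZone = $Tz)
    # Add the day in local time first so a DST change on the final day is resolved by the zone conversion.
    # Kind must be Unspecified: ConvertTimeToUtc throws for a Local/Utc kind that does not match the source zone.
    $localCutoff = [DateTime]::SpecifyKind($LastDayOfAccess.Date.AddDays(1), [DateTimeKind]::Unspecified)
    $utcCutoff   = [TimeZoneInfo]::ConvertTimeToUtc($localCutoff, $TimeZone)
    return $utcCutoff.ToFileTimeUtc()
}

function ConvertFrom-AccountExpires {
    # accountExpires FILETIME -> last day of access as a date, or $null for the two "never expires" sentinels.
    param([Parameter(Mandatory)][Int64]$AccountExpires, [TimeZoneInfo]$TimeZone = $Tz)
    if ($AccountExpires -eq 0 -or $AccountExpires -eq $NeverExpires) { return $null }
    $utcCutoff   = [DateTime]::FromFileTimeUtc($AccountExpires)
    $localCutoff = [TimeZoneInfo]::ConvertTimeFromUtc($utcCutoff, $TimeZone)
    # The cutoff is the first instant of the following day; the last day of access is the day before it.
    # This is the date AD Users & Computers shows as "End of: <date>".
    return $localCutoff.AddTicks(-1).Date
}

# Constructed sample: a last day that precedes the AEDT -> AEST change (first Sunday in April 2024),
# so the cutoff instant sits on a day whose UTC offset changes.
$endDate  = [DateTime]::ParseExact('4/6/2024', 'M/d/yyyy', [System.Globalization.CultureInfo]::InvariantCulture)
$stored   = ConvertTo-AccountExpires -LastDayOfAccess $endDate
$readBack = ConvertFrom-AccountExpires -AccountExpires $stored

"Stored accountExpires : $stored"
"Read back             : $($readBack.ToString('yyyy-MM-dd'))"
"Round trip stable     : $($readBack -eq $endDate)"      # True: no set/read/set/read loop on this value
"Never expires         : '$(ConvertFrom-AccountExpires -AccountExpires $NeverExpires)'"   # empty, i.e. $null
```

If the connector imports accountExpires as a Date rather than as the raw integer, the "day before the cutoff" step in ConvertFrom-AccountExpires is the piece to compare against what the import shows; when both sides agree on it, the exported value reads back as the same date.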

0
Answered

Error on AD group provisioning: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection

The following error is occurring when I provision an AD group using the Active Directory connector.  The group provisions just fine, but the following error is logged:

I will put the UNIFYConnect customer environment details in the next message, for access to the log files and config.

Answer

Hi Adrian

You'll need to set the Primary Object Class configuration on the connector to "Group", instead of "User". This field is used in the filter of a confirmation search request made after an entity is added to AD.

0

AD Agent default destination port should be 636 if SSL is selected

In the ActiveDirectory agent the default destination port is 389.  This can be overridden by appending a colon and an explicit port to the Server configuration.

In AD, port 389 is conventionally used for non-SSL traffic and port 636 is used for SSL traffic.  The default port should reflect the SSL setting, in order to avoid confusion and reduce the risk of inadvertent configuration error.

0
Answered

Managing AD user account distinguished name/organisational unit from UNIFYBroker (The connector does not support anchor modification)

Using UNIFYBroker and the Active Directory agent/connector I can set a new user account's organisational unit via their distinguishedName during account creation, but when I subsequently try to modify it this error is logged:

UnifyLog20201207.csv:14572:System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> System.NotSupportedException: The connector AD Users does not support anchor modification.

My customer's solution requires that an employee's OU be managed.  Do you have any suggestions how I could achieve this?

Answer

Hi Adrian

The "anchor" in the error message is in reference to the connector schema field/s which are marked as Key. Use a different, unique field which doesn't change as the connector key instead. Moving a user between OUs with the AD connector works, and has been done a lot in the past, so there should be plenty of PS resources you can reference.

0
Answered

Multiple DC server support for the AD Agent

A client has asked that we configure UNIFYConnect to round-robin through a number of DC IP addresses.  I can't find an explicit way to do this in the Agent documentation.

How can I meet this requirement?  Create my own DNS entry with multiple IP addresses?

Answer

Hi Adrian,

There's no explicit support for multiple server entries in the AD Agent. As you've pointed out, the easiest way is to use a DNS entry which contains multiple IP addresses - either on the service side or the customer side.
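
Added example, not the AD Agent's code or the answer's: a PowerShell check that covers the two configuration points raised in this post and in the default-port request above. It parses a Server value of the form host[:port], derives the port from the SSL flag when none is given (636 for LDAPS, 389 otherwise), expands a round-robin DNS name to every address behind it, maps each address back to its DC name and attempts an LDAP bind to each one, so a DC that is in the DNS entry but down, or not listening for LDAPS, is found before the agent is pointed at it. The Server/UseSsl parameter names and the hostname in the usage line are assumptions; it needs a Windows host with the DnsClient module and network reach to the DCs.

```powershell
# Added example (not the AD Agent's code). Needs Windows PowerShell or PowerShell 7 on Windows, the DnsClient
# module (Resolve-DnsName) and network access to the DCs; the server name in the usage line is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Resolve-LdapEndpoint {
    # Mirrors the agent's Server setting, "host" or "host:port". When no port is given it follows the SSL flag:
    # 636 (LDAPS) if SSL is on, 389 otherwise. IPv6 literals are not handled.
    param([Parameter(Mandatory)][string]$Server, [bool]$UseSsl = $false)
    $hostName, $portText = $Server -split ':', 2
    $port = if ($portText) { [int]$portText } elseif ($UseSsl) { 636 } else { 389 }
    [pscustomobject]@{ Host = $hostName; Port = $port; UseSsl = $UseSsl }
}

function Test-LdapBind {
    # Binds as the current process identity (Negotiate) and returns $true on success. Over LDAPS the DC certificate
    # is validated against the OS trust store and the name used here, which is why a DC hostname, not an IP, is passed.
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][int]$Port, [bool]$UseSsl, [int]$TimeoutSeconds = 5)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = $UseSsl
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Timeout  = [TimeSpan]::FromSeconds($TimeoutSeconds)
        $conn.Bind()
        return $true
    } catch {
        Write-Warning ("{0}:{1} (SSL={2}) - {3}" -f $HostName, $Port, $UseSsl, $_.Exception.Message)
        return $false
    } finally {
        $conn.Dispose()
    }
}

function Test-RoundRobinDcs {
    # Expands the round-robin name to every A record, maps each address back to its DC name (PTR) and binds to
    # each one, so a failing DC is reported rather than hidden behind whichever address the resolver handed out.
    param([Parameter(Mandatory)][string]$Server, [bool]$UseSsl = $true)
    $endpoint  = Resolve-LdapEndpoint -Server $Server -UseSsl $UseSsl
    $addresses = @(Resolve-DnsName -Name $endpoint.Host -Type A -ErrorAction Stop |
                   Where-Object { $_.QueryType -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    foreach ($ip in $addresses) {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue | Select-Object -First 1
        $dc  = if ($ptr) { $ptr.NameHost.TrimEnd('.') } else { $ip }   # fall back to the IP if there is no PTR
        [pscustomobject]@{
            Address = $ip
            DC      = $dc
            Port    = $endpoint.Port
            Bound   = Test-LdapBind -HostName $dc -Port $endpoint.Port -UseSsl $endpoint.UseSsl
        }
    }
}

# Usage (placeholder name): check every DC behind the round-robin entry over LDAPS.
# Test-RoundRobinDcs -Server 'ldap-pool.corp.example' -UseSsl $true | Format-Table
```

Binding to the DC's own name rather than the address is deliberate: with SSL on, a certificate issued to the DC's FQDN will not validate for a bare IP, so an IP-based check would report a false failure on exactly the configuration the port request above is about.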

0
Fixed

AD Connector Imports fail with: Object reference not set to an instance of an object

The connector is able to push data to AD, but throws an error when performing a change/all import from AD.

Has anyone run into this issue on imports?

20191210,04:34:48,UNIFY Identity Broker,Change detection engine,Information,"Change detection engine import all items started.
Change detection engine import all items for connector Active Directory Connector started.",Normal
20191210,04:34:54,UNIFY Identity Broker,Change detection engine,Error,"Change detection engine import all items failed.
Change detection engine import all items for connector Active Directory Connector failed with reason One or more errors occurred.. Duration: 00:00:05.5141233
Error details:
System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.<actiononlast>d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<getallentitiesasync>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass7_0`1.<createandsendlogentryasync>b__0(Task`1 t)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.<taskcontinuewithexceptionpassthough>b__0(Task`1 t)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.EventNotifierReadingAsyncConnectorDecoratorBase`1.<getallentitiesasync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.<importallchangeprocess>d__6.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
   at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.RunBase()
   at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
   at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.<run>b__0()
   at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)
---> (Inner Exception #0) System.AggregateException: One or more errors occurred. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.<actiononlast>d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<getallentitiesasync>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass7_0`1.<createandsendlogentryasync>b__0(Task`1 t)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.<taskcontinuewithexceptionpassthough>b__0(Task`1 t)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.EventNotifierReadingAsyncConnectorDecoratorBase`1.<getallentitiesasync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.<importallchangeprocess>d__6.MoveNext()
---> (Inner Exception #0) System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.<actiononlast>d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<getallentitiesasync>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()<---
<---
",Normal

0
Not a bug

After the key of an object is changed polling creates a new object but doesn't delete the old one

When using polling with the AD connector, a new record is created for objects where any attribute that is part of the key has been changed, and the old object is not removed.  This either means that the polling functionality is not useful, or else the connector cannot be usefully used with any key other than objectGUID.

If this behaviour can't be improved then it really should be mentioned in the documentation for the connector since it's quite important.

Answer

Depending on the specification of the target system we are not always able to retrieve deletions during polling import. This is one of the reasons full imports are scheduled and not just relying on polling. This is unfortunately the case with this connector, as it uses the uSNChanged method, which doesn't surface deletions. I will take a note to update the documentation. Thanks.
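
Added example, not UNIFYBroker's polling code: a uSNChanged-style poll written against the ActiveDirectory module, to make the behaviour in the answer visible and to show the extra query a practitioner can add. Objects whose uSNChanged has advanced past a saved watermark are returned, so a renamed or moved object comes back under its new DN and is only matched to the existing record if the key is objectGUID; a plain deletion never appears in that query, because the object is no longer where the search looks. The second query reads the tombstones in the Deleted Objects container instead, which is how deletions can be picked up when the polling account has permission to read them. The same mechanism explains the first post on this page: member is a link-valued attribute that references the member object internally, so renaming a member does not advance the group's uSNChanged and a changes-only poll does not return the group. The watermark file location, search base and DC name are assumptions.

```powershell
# Added example (not UNIFYBroker's polling code). Requires the RSAT ActiveDirectory module and read access to the
# domain; reading tombstones additionally needs the "List deleted objects" right (Domain Admins have it by default).
Import-Module ActiveDirectory

$WatermarkFile = Join-Path $env:ProgramData 'uSNChanged.watermark'   # assumed location

function Get-Watermark {
    # Highest uSNChanged processed so far; 0 on first run. uSNChanged is per-DC, so always poll the same DC.
    if (Test-Path $WatermarkFile) { [int64]((Get-Content $WatermarkFile -Raw).Trim()) } else { [int64]0 }
}

function Get-ChangedObjects {
    # Equivalent of "Import Changes": everything written since the watermark. Deletions do not show up here, and a
    # renamed/moved object shows up as a fresh entry under its new DN with the same objectGUID.
    param([Parameter(Mandatory)][string]$SearchBase, [Parameter(Mandatory)][string]$Server, [int64]$Since)
    Get-ADObject -Server $Server -SearchBase $SearchBase -LDAPFilter "(uSNChanged>=$($Since + 1))" `
        -Properties objectGUID, distinguishedName, uSNChanged, whenChanged |
        Sort-Object uSNChanged
}

function Get-DeletedObjects {
    # What a uSNChanged poll misses: tombstones under CN=Deleted Objects. objectGUID is unchanged, the RDN is
    # rewritten to "<name>\0ADEL:<guid>", and lastKnownParent records where the object used to live.
    param([Parameter(Mandatory)][string]$Server, [int64]$Since)
    Get-ADObject -Server $Server -IncludeDeletedObjects -LDAPFilter "(&(isDeleted=TRUE)(uSNChanged>=$($Since + 1)))" `
        -Properties objectGUID, lastKnownParent, uSNChanged, whenChanged
}

function Invoke-Poll {
    param([Parameter(Mandatory)][string]$SearchBase, [Parameter(Mandatory)][string]$Server)
    $since   = Get-Watermark
    $changed = @(Get-ChangedObjects -SearchBase $SearchBase -Server $Server -Since $since)
    $deleted = @(Get-DeletedObjects -Server $Server -Since $since)

    foreach ($obj in $changed) {
        # Key on objectGUID: a DN or sAMAccountName change must update the existing record, not create a second one.
        "CHANGED  {0}  {1}" -f $obj.objectGUID, $obj.distinguishedName
    }
    foreach ($obj in $deleted) {
        "DELETED  {0}  (was under {1})" -f $obj.objectGUID, $obj.lastKnownParent
    }

    # Advance the watermark to the highest uSNChanged seen in either set.
    $newest = @($changed + $deleted | ForEach-Object { [int64]$_.uSNChanged } | Measure-Object -Maximum).Maximum
    if ($newest) { Set-Content -Path $WatermarkFile -Value $newest }
}

# Usage (placeholders): poll one DC for changes and deletions since the last run.
# Invoke-Poll -SearchBase 'OU=Staff,DC=corp,DC=example' -Server 'dc01.corp.example'
```

Tombstones are only kept for the domain's tombstone (or deleted-object) lifetime, so the deleted-objects query supplements a scheduled full import rather than replacing it, which is the point the answer makes.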
0
Answered

UNIFYBroker/AD & dn field type

Adrian Corston 2 years ago in UNIFYBroker/Microsoft Active Directory updated by anonymous 2 years ago 2

I have configured my UNIFYBroker/AD connector to use objectGUID as the key, so I can modify the "dn" attribute to move users between AD OUs.  I configured my "dn" attribute as a "Distinguished Name (DN)" type in the AD connector and I generate an appropriate value for the field in a PowerShell Link Task.  But when I attempt to sync to the AD adapter I see this error:

It looks to me like the UNIFYBroker/AD connector code needs me to configure the "dn" attribute as a String type.  Is that correct?  I'd prefer to have it configured as a Distinguished Name (DN), because that is what it is in AD and I want to use it elsewhere as a Distinguished Name (DN) data type (e.g. when I join to it for use on another user's "manager" attribute).

Answer

Hey Adrian,

Unfortunately that's correct - the AD connector expects the DN field to be a string value type.

This is because the underlying Microsoft library used for integration requires the DN to be a string value, so we enforce that value type further up the chain to ensure we don't cause any strange behaviour doing the conversion ourselves.

0
Planned

When performing a move DN operation in the AD connector, check that the target OU is present first

When the target OU is missing, the error that is currently logged is quite difficult to relate back to the root cause.  If a test of the target OU were made before the move and a specific error logged in this case then it would go a long way to improving the usability of the product.

See https://voice.unifysolutions.net/communities/6/topics/3850-baseline-sync-reports-received-error-code-other-an-unknown-error-occurred for an example of the error that currently occurs.
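
Added example, not UNIFYBroker's connector code: a PowerShell move that ties together the three AD connector threads above, the "anchor modification" answer (key the connector on a field that does not change, such as objectGUID, so the DN can be written), the "dn field type" answer (the DN arrives as a plain string) and this request (verify the target OU before moving). It splits the desired DN into its leaf RDN and parent container, confirms the container exists and is an OU or container, renames the object if the RDN differs, and only then moves it by objectGUID. It needs the RSAT ActiveDirectory module and rights to rename and move objects; the DNs and GUID in the usage line are placeholders.

```powershell
# Added example (not UNIFYBroker's connector code). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Split-DistinguishedName {
    # Splits "CN=Jane Doe,OU=Staff,DC=corp,DC=example" into its leaf RDN and the parent container DN, breaking on the
    # first comma that is not backslash-escaped (a comma inside an RDN value is written "\,").
    param([Parameter(Mandatory)][string]$Dn)
    $idx = -1
    for ($i = 0; $i -lt $Dn.Length; $i++) {
        if ($Dn[$i] -eq '\') { $i++; continue }     # skip the escaped character
        if ($Dn[$i] -eq ',') { $idx = $i; break }
    }
    if ($idx -lt 0) { throw "'$Dn' has no parent container" }
    $rdn = $Dn.Substring(0, $idx)
    [pscustomobject]@{
        Rdn    = $rdn
        Name   = ($rdn -replace '^[^=]+=', '') -replace '\\(.)', '$1'   # RDN value with simple "\x" escapes removed
        Parent = $Dn.Substring($idx + 1)
    }
}

function Move-ObjectToDn {
    # Places the object identified by objectGUID (the stable key) at $TargetDn. The destination container is checked
    # first so a missing OU is reported as such instead of surfacing as a generic directory error from the move.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][guid]$ObjectGuid, [Parameter(Mandatory)][string]$TargetDn, [string]$Server)
    $common = @{}
    if ($Server) { $common.Server = $Server }

    $target = Split-DistinguishedName -Dn $TargetDn
    try   { $container = Get-ADObject @common -Identity $target.Parent -ErrorAction Stop }
    catch { $container = $null }
    if (-not $container) {
        throw "Target container '$($target.Parent)' does not exist; not moving $ObjectGuid"
    }
    if ($container.ObjectClass -notin @('organizationalUnit', 'container')) {
        throw "Target '$($target.Parent)' is a $($container.ObjectClass), not an OU or container"
    }

    $current = Get-ADObject @common -Identity $ObjectGuid -Properties distinguishedName
    if ($current.DistinguishedName -eq $TargetDn) { return $current }   # already in place
    $now = Split-DistinguishedName -Dn $current.DistinguishedName

    # A different leaf RDN is a rename, which Move-ADObject does not do; handle it separately and first.
    if ($now.Rdn -ne $target.Rdn) {
        if ($PSCmdlet.ShouldProcess($current.DistinguishedName, "Rename to $($target.Name)")) {
            Rename-ADObject @common -Identity $ObjectGuid -NewName $target.Name
        }
    }
    if ($now.Parent -ne $target.Parent) {
        if ($PSCmdlet.ShouldProcess($current.DistinguishedName, "Move to $($target.Parent)")) {
            Move-ADObject @common -Identity $ObjectGuid -TargetPath $target.Parent
        }
    }
    Get-ADObject @common -Identity $ObjectGuid -Properties distinguishedName
}

# Usage (placeholders): preview with -WhatIf, then run without it.
# Move-ObjectToDn -ObjectGuid 'e0c1a6d2-1a2b-4c3d-8e9f-0123456789ab' `
#     -TargetDn 'CN=Jane Doe,OU=Contractors,DC=corp,DC=example' -WhatIf
```

Keying on objectGUID is what makes this safe to call from a link task: the GUID survives both the rename and the move, so the same identity is addressed before and after, and the connector never has to modify its own key.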