Identity Broker Forum

Welcome to the community forum for Identity Broker.

Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.

0
Answered

UNIFYBroker/AD & dn field type

Adrian Corston yesterday at 8:55 a.m. in UNIFYBroker/Microsoft Active Directory • updated yesterday at 6:54 p.m. 2

I have configured my UNIFYBroker/AD connector to use objectGUID as the key, so I can modify the "dn" attribute to move users between AD OUs.  I configured my "dn" attribute as a "Distinguished Name (DN)" type in the AD connector and I generate an appropriate value for the field in a PowerShell Link Task.  But when I attempt to sync to the AD adapter I see this error:

It looks to me like the UNIFYBroker/AD connector code needs me to configure the "dn" attribute as a String type.  Is that correct?  I'd prefer to have it configured as a Distinguished Name (DN), because that is what it is in AD and I want to use it elsewhere as a Distinguished Name (DN) data type (e.g. when I join to it for use on another user's "manager" attribute).

Answer
Matthew Davis (Engineering Manager) yesterday at 6:29 p.m.

Hey Adrian,

Unfortunately that's correct - the AD connector expects the DN field to be a string value type.

This is because the underlying Microsoft library used for integration requires the DN to be a string value, so we enforce that value type further up the chain to ensure we don't cause any strange behaviour doing the conversion ourselves.

0

When performing a move DN operation in the AD connector, check that the target OU is present first

When the target OU is missing, the error that is currently logged is quite difficult to relate back to the root cause.  If a test of the target OU were made before the move and a specific error logged in this case then it would go a long way to improving the usability of the product.

See https://voice.unifysolutions.net/communities/6/topics/3850-baseline-sync-reports-received-error-code-other-an-unknown-error-occurred for an example of the error that currently occurs.

0
Answered

Broker Plus: Error Exporting to AD

The versions are 5.3.2 for broker and 4.3.0 for AD with a provided patch. Plus is v5.3.0.2.  I'm attempting to export to AD with Broker Plus but getting this unknown error. The permissions in AD are right. The connection is right, Test Connection works and I'm getting user in when I import with the connector. When I run a baseline on the AD to Person link, I wait a while then this error appears in the log. The operations that should be ocurring are a DN rename and some attribute modifies.

Update entities to connector failed.
Update entities [Count:2] to connector Active Directory failed with reason A task faulted. See inner exception for details.. Duration: 00:00:00.0156294
Error details:
System.Exception: A task faulted. See inner exception for details. ---> System.Exception: Received error code Other for item with dn CN=Jane Jones,OU=Win10 Canberra Users,OU=Win10 Users,DC=internal,DC=govt. Message: 00002089: UpdErr: DSID-031B0E6F, problem 5012 (DIR_ERROR), data 2
---> System.DirectoryServices.Protocols.DirectoryOperationException: An unknown error occurred.
Server stack trace:
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
Exception rethrown at [0]:
at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Connectors.AD.ADAgent.<ErrorCheckRequest>d__24`1.MoveNext()
--- End of inner exception stack trace ---
at Unify.Connectors.AD.ADAgent.ErrorCheckResponse(String dn, DirectoryResponse response, String operationName, Exception originalException)
at Unify.Connectors.AD.ADAgent.<ErrorCheckRequest>d__24`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Connectors.AD.ADAgent.<MoveEntryAsync>d__21.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Connectors.AD.ADConnector.<UpdateEntitiesAsync>d__24.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.ConnectorToUpdatingAsyncConnectorBridge.<UpdateEntitiesAsync>d__8.MoveNext()
--- End of inner exception stack trace ---
at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass4_0.<TaskContinueWithExceptionPassthough>b__0(Task t)
at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.EventNotifierUpdatingAsyncConnectorDecorator.<UpdateEntitiesAsync>d__3.MoveNext()

Any ideas?

Answer

Turned out to be a misplaced space in the DN calculation.

0
Not a bug

accountExpires missing when running Request Schema from AD

When I run 'Request Schema' on the Broker/AD connector, the 'accessExpires' AD attribute does not appear.

How do I add this attribute to my connector so that I can synchronise it in Broker/Plus?

Answer

It is capable of reading these fields. I've added an item to the backlog to improve usability.

0
Not a bug

Active Directory connector doesn't support AD move operation (dn change) even though UNIFYAssure-Aurion-Sample uses it

UNIFYAssure-Aurion-Sample attempts to move AD user object by modifying the 'dn' attribute on the AD connector, but when it tries to do so this error appears in the log:

Here's the error I see in the UI:

Here's the PowerShell code from UNIFYAssure-Aurion-Sample:

Here are the Adapter config excerpts:

Answer

It might be that this wasn't a use case for the sample configuration. The DN can be changed during the update operation by instead using objectGUID as the key.

0
Fixed

Broker/AD agent doesn't allow setting or save of 'Scope' configuration setting

Using Broker/Microsoft Active Directory v5.3.0.0 RTM I tried changing the "Scope" configuration setting from "Base" to "Subtree" using the UI and it immediately reverted back to "Base" after saving.  Looking in the ConnectorEnginePluginKey extensibility file the scope setting appears to be missing altogether, so I can't manually set it:

0
Under review

EntitySchemaValidationException: C could not be parsed into a valid DN

Matthew Davis (Engineering Manager) 10 months ago in UNIFYBroker/Microsoft Active Directory • updated 10 months ago 2

I've created an AD connector to manage AD groups. The groups can export fine from Broker, including members. However when attempting to import the groups again from AD, I get the following error:


Change detection engine import all items failed.
Change detection engine import all items for connector AD Groups failed with reason One or more errors occurred.. Duration: 00:00:00.1718731
Error details:
System.AggregateException: One or more errors occurred. ---> Unify.Product.IdentityBroker.EntitySchemaValidationException: C could not be parsed into a valid DN. ---> System.ArgumentException: String C is not of a proper distinguished name component format. Ensure characters are correctly escaped, and that the format is correct.
 at Unify.Framework.IO.DistinguishedNameComponent.CreateDNComponent(String dnComponentString)
 at Unify.Framework.IO.DistinguishedNameConversionFromString.CreateDistinguishedName()
 at Unify.Product.IdentityBroker.EntityDistinguishedNameTypeSchemaValidator.CreateValue(Object dataValue)
 --- End of inner exception stack trace ---
 at Unify.Product.IdentityBroker.EntityDistinguishedNameTypeSchemaValidator.CreateValue(Object dataValue)
 at Unify.Product.IdentityBroker.EntityMultiValueValidatorFactoryBase`3.<>c__DisplayClass1_0.<GetValidator>b__0(Object value)
 at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
 at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
 at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
 at Unify.Product.IdentityBroker.EntityMultiValueObjectTypeSchemaValidator`3.CreateValue(Object dataValue)
 at Unify.Connectors.AD.LDAPValueTypeOperations.AddValueToEntity(IConnectorEntity connectorEntity, IEntitySchemaFieldDefinition valueType, DirectoryAttribute attribute)
 at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
 at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
 at Unify.Framework.Collections.EnumerableExtensions.<ActionOnLast>d__10`1.MoveNext()
 at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
 at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
 at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<GetAllEntitiesAsync>b__0(IEnumerable`1 entities)
 at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass7_0`1.<CreateAndSendLogEntryAsync>b__0(Task`1 t)
 at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.<TaskContinueWithExceptionPassthough>b__0(Task`1 t)
 at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
 at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
 at Unify.Product.IdentityBroker.EventNotifierReadingAsyncConnectorDecoratorBase`1.<GetAllEntitiesAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
 at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.<ImportAllChangeProcess>d__6.MoveNext()
 --- End of inner exception stack trace ---
 at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
 at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
 at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.RunBase()
 at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
 at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.<Run>b__0()
 at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)
---> (Inner Exception #0) Unify.Product.IdentityBroker.EntitySchemaValidationException: C could not be parsed into a valid DN. ---> System.ArgumentException: String C is not of a proper distinguished name component format. Ensure characters are correctly escaped, and that the format is correct.
 at Unify.Framework.IO.DistinguishedNameComponent.CreateDNComponent(String dnComponentString)
 at Unify.Framework.IO.DistinguishedNameConversionFromString.CreateDistinguishedName()
 at Unify.Product.IdentityBroker.EntityDistinguishedNameTypeSchemaValidator.CreateValue(Object dataValue)
 --- End of inner exception stack trace ---
 at Unify.Product.IdentityBroker.EntityDistinguishedNameTypeSchemaValidator.CreateValue(Object dataValue)
 at Unify.Product.IdentityBroker.EntityMultiValueValidatorFactoryBase`3.<>c__DisplayClass1_0.<GetValidator>b__0(Object value)
 at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
 at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
 at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
 at Unify.Product.IdentityBroker.EntityMultiValueObjectTypeSchemaValidator`3.CreateValue(Object dataValue)
 at Unify.Connectors.AD.LDAPValueTypeOperations.AddValueToEntity(IConnectorEntity connectorEntity, IEntitySchemaFieldDefinition valueType, DirectoryAttribute attribute)
 at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
 at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
 at Unify.Framework.Collections.EnumerableExtensions.<ActionOnLast>d__10`1.MoveNext()
 at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
 at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
 at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<GetAllEntitiesAsync>b__0(IEnumerable`1 entities)
 at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass7_0`1.<CreateAndSendLogEntryAsync>b__0(Task`1 t)
 at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.<TaskContinueWithExceptionPassthough>b__0(Task`1 t)
 at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
 at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
 at Unify.Product.IdentityBroker.EventNotifierReadingAsyncConnectorDecoratorBase`1.<GetAllEntitiesAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
 at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.<ImportAllChangeProcess>d__6.MoveNext()<---

The only multi valued field is the members field. 


0
Answered

Minimal AD delegate rights for UNIFYBroker/Active Directory service account

Huu Tran 11 months ago in UNIFYBroker/Microsoft Active Directory • updated 11 months ago 6

I do not want to give more permission than that is needed (i.e. no Domain Admin right). Hence please advise the minimal AD delegate rights that the UNIFYBroker service account requires to:

- Create new users

- Modify attribute of an existing users

- Move users from one OU to another

- Suspend/activate an user (userAccountControl)

- Set initial password and set users must change password in the next logon

- Reset/ change password for an existing user


Thanks

Answer

Hi Huu,

As you’re probably aware, AD permissions can get extremely complicated and can be done in a number of ways. For example, the topic on Implementing Least-Privilege Administrative Models is a 40 minute read - and it merely introduces the concepts and references countless other articles.

The approach that we recommend for Active Directory is to provide the use cases to the Active Directory administrator - so that they can create an account with least-privileges that works within their security model framework. As with all connectors, if this information can be condensed into a common set of recommendations, we would include this information in our documentation as either a set of prerequisites or as options/guidelines.

Thanks.

0
Fixed

AD Connector One LDAP Modify failed transaction makes all subsequent transaction failed ...

Refer to few thousand of repeating error in the log\

20180803,05:38:08,UNIFY Identity Broker,Connector,Warning,"Update entities to connector failed.
Update entities [Count:3215] to connector AD Users failed with reason Received error code EntryAlreadyExists for item with dn CN=redacted,DC=au. Message: 00002071: UpdErr: DSID-031B0B87, problem 6005 (ENTRY_EXISTS), data 0
. Duration: 00:00:09.5226690
Error details:
System.Exception: Received error code EntryAlreadyExists for item with dn CN=redacted,DC=au. Message: 00002071: UpdErr: DSID-031B0B87, problem 6005 (ENTRY_EXISTS), data 0
 ---> System.DirectoryServices.Protocols.DirectoryOperationException: The object exists. Server stack trace:
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink) Exception rethrown at [0]:
   at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Unify.Connectors.AD.ADAgent.<ErrorCheckRequest>d__24`1.MoveNext()
   --- End of inner exception stack trace ---
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass4_0.<TaskContinueWithExceptionPassthough>b__0(Task t)
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.EventNotifierUpdatingAsyncConnectorDecorator.<UpdateEntitiesAsync>d__3.MoveNext()",Normal
20180803,05:38:08,UNIFY Identity Broker,EntitySaver,Error,"The entity 546564 (e5b5ef1a-46df-4751-9878-e3a8e8fff5c8) for the adapter AD User Adapter (9f73e5e5-30df-4142-b850-db3e31f0a931) failed to update for the following reasons: Received error code EntryAlreadyExists for item with dn CN=redacted,DC=au. Message: 00002071: UpdErr: DSID-031B0B87, problem 6005 (ENTRY_EXISTS), data 0
",Normal
20180803,05:38:08,UNIFY Identity Broker,EntitySaver,Error,"The entity 603085 (b108073b-e6f1-4ffb-8d9b-02c23f7c1efa) for the adapter AD User Adapter (9f73e5e5-30df-4142-b850-db3e31f0a931) failed to update for the following reasons: Received error code EntryAlreadyExists for item with dn CN=redacted,DC=au. Message: 00002071: UpdErr: DSID-031B0B87, problem 6005 (ENTRY_EXISTS), data 0
",Normal
Answer

This dll adds back in the patch from some time ago: Unify.Connectors.AD.dll

0
Completed

Allow configuration of Search Scope for Active Directory connector

From How to filter sub-OUs in AD connector, it would be nice if you could configure the search scope for the Active Directory connector, which is currently hard-coded to Subtree.