Identity Broker Forum

Welcome to the community forum for Identity Broker.

Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.

0
Answered

Multiple DC server support for the AD Agent

A client has asked that we configure UNIFYConnect to round-robin through a number of DC IP addresses.  I can't find an explicit way to do this in the Agent documentation.

How can I meet this requirement?  Create my own DNS entry with multiple IP addresses?

Answer

Hi Adrian,

There's no explicit support for multiple server entries in the AD Agent. As you've pointed out, the easiest way is to use a DNS entry which contains multiple IP addresses - either on the service side or the customer side.
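
An added example of the DNS-side option described in the answer above (not code from the original thread or from UNIFY). The zone, alias and domain controller addresses are assumptions. It publishes several A records under one name on a Windows DNS server, checks that the name answers with all of them and that each DC is listening on the LDAPS port, and then inspects the certificate a DC presents, because a client that validates the server name will reject every DC behind the alias if the alias is not among the certificate's subject alternative names.

```powershell
# Added example, not from the original answer or from UNIFY. Zone, alias and addresses are assumptions.
$Zone    = 'internal.govt'                        # assumed AD-integrated DNS zone
$Alias   = 'brokerldap'                           # assumed name the AD Agent will be pointed at
$DcAddrs = '10.0.1.10', '10.0.1.11', '10.0.2.10'  # assumed domain controller addresses
$Fqdn    = "$Alias.$Zone"

# One A record per DC under the same name. With round robin enabled on the DNS server
# (the Windows DNS Server default) the answer order rotates between queries, so clients
# that take the first address they are given are spread across the DCs over time.
foreach ($ip in $DcAddrs) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Alias -IPv4Address $ip `
        -TimeToLive ([TimeSpan]::FromMinutes(5))   # short TTL so a removed DC drops out quickly
}

# The name must return every address, and every address must answer on the LDAPS port;
# a dead DC left in the set shows up as intermittent agent failures, not a clean error.
$answers = (Resolve-DnsName -Name $Fqdn -Type A -DnsOnly).IPAddress
$missing = $DcAddrs | Where-Object { $_ -notin $answers }
if ($missing) { throw "DNS answer for $Fqdn is missing: $($missing -join ', ')" }

foreach ($ip in $DcAddrs) {
    $probe = Test-NetConnection -ComputerName $ip -Port 636 -WarningAction SilentlyContinue
    '{0,-15} LDAPS {1}' -f $ip, $(if ($probe.TcpTestSucceeded) { 'open' } else { 'CLOSED' })
}

# Certificate check: the LDAPS certificate on each DC must list the alias in its subject
# alternative names, otherwise a client that validates the server name rejects every DC.
$client = [System.Net.Sockets.TcpClient]::new($Fqdn, 636)
$ssl    = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })  # accept any cert here; we only inspect it
$ssl.AuthenticateAsClient($Fqdn)
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
if ($sanText -notmatch [regex]::Escape($Fqdn)) {
    Write-Warning "Certificate '$($cert.Subject)' does not list $Fqdn as a subject alternative name"
}
$ssl.Dispose(); $client.Dispose()
```

Pointing the agent at the domain's own DNS name is the other option: every DC registers an A record for the domain name itself, so that name already resolves to all DCs without a custom alias, and the certificate caveat applies to it in the same way. Round robin does not detect a dead DC: its record keeps being handed out until it is removed, which is what the port check above is for.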

0
Fixed

Ad Connector Imports fail with: Object reference not set to an instance of an object

Stephen Nguyen 5 years ago in UNIFYBroker/Microsoft Active Directory updated by Andrew Grant 5 years ago 1

The connector is able to push data to AD, but throws an error when performing a change/all import from AD.

Has anyone run into this issue on imports?

20191210,04:34:48,UNIFY Identity Broker,Change detection engine,Information,"Change detection engine import all items started.
Change detection engine import all items for connector Active Directory Connector started.",Normal
20191210,04:34:54,UNIFY Identity Broker,Change detection engine,Error,"Change detection engine import all items failed.
Change detection engine import all items for connector Active Directory Connector failed with reason One or more errors occurred.. Duration: 00:00:05.5141233
Error details:
System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.<ActionOnLast>d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<GetAllEntitiesAsync>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass7_0`1.<CreateAndSendLogEntryAsync>b__0(Task`1 t)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.<TaskContinueWithExceptionPassthough>b__0(Task`1 t)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.EventNotifierReadingAsyncConnectorDecoratorBase`1.<GetAllEntitiesAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.<ImportAllChangeProcess>d__6.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
   at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.RunBase()
   at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
   at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.<Run>b__0()
   at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)
---> (Inner Exception #0) System.AggregateException: One or more errors occurred. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.<ActionOnLast>d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<GetAllEntitiesAsync>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass7_0`1.<CreateAndSendLogEntryAsync>b__0(Task`1 t)
   at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.<TaskContinueWithExceptionPassthough>b__0(Task`1 t)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.EventNotifierReadingAsyncConnectorDecoratorBase`1.<GetAllEntitiesAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.<ImportAllChangeProcess>d__6.MoveNext()
---> (Inner Exception #0) System.NullReferenceException: Object reference not set to an instance of an object.
   at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at Unify.Framework.Collections.EnumerableExtensions.<ActionOnLast>d__10`1.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<GetAllEntitiesAsync>b__0()
   at System.Threading.Tasks.Task`1.InnerInvoke()
   at System.Threading.Tasks.Task.Execute()<---
<---
",Normal

0
Not a bug

After the key of an object is changed polling creates a new object but doesn't delete the old one

Adrian Corston 5 years ago in UNIFYBroker/Microsoft Active Directory updated by Adam van Vliet 5 years ago 1

When using polling with the AD connector, a new record is created for objects where any attribute that is part of the key has been changed, and the old object is not removed.  This either means that the polling functionality is not useful, or else the connector cannot be usefully used with any key other than objectGUID.

If this behaviour can't be improved then it really should be mentioned in the documentation for the connector since it's quite important.

Answer
Adam van Vliet 5 years ago
Depending on the specification of the target system we are not always able to retrieve deletions during polling import. This is one of the reasons full imports are scheduled and not just relying on polling. This is unfortunately the case with this connector, as it uses the uSNChanged method, which doesn't surface deletions. I will take a note to update the documentation. Thanks.
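
The behaviour in this thread and in the answer above, as an added example that is not part of the original thread or of UNIFY's code: an in-memory model of uSNChanged polling next to a full import, run over constructed directory entries. It shows the two effects described in the question, a change to a key attribute producing a second row and a deletion that polling never sees, and shows why keying on objectGUID (the approach recommended elsewhere on this page for DN changes) turns the first into an in-place update. All names, GUIDs and uSN values are made up.

```powershell
# Added example, not from the original thread or from UNIFY. A model of uSNChanged polling beside a
# full import over constructed data. The poll corresponds to the LDAP search (uSNChanged>=<watermark+1>);
# a deleted object becomes a tombstone that such a search never returns, so a poll can only add or update.

$Directory  = @{}       # objectGUID -> entry, standing in for the live directory (constructed)
$script:Usn = 1000      # AD increments uSNChanged on every write to an object

function Write-Entry([string]$Guid, [string]$Sam, [string]$Ou) {
    $script:Usn++
    $Directory[$Guid] = [pscustomobject]@{ objectGUID = $Guid; sAMAccountName = $Sam; ou = $Ou; uSNChanged = $script:Usn }
}
function Remove-Entry([string]$Guid) { $Directory.Remove($Guid) }   # tombstoned: gone from normal searches

# Polling import: upsert everything written since the watermark, keyed by $Key. Nothing is ever removed,
# and an object whose key attribute changed arrives under its new key while the old row stays behind.
function Sync-Poll([hashtable]$Store, [string]$Key, [ref]$Watermark) {
    $wm = $Watermark.Value
    foreach ($e in ($Directory.Values | Where-Object { $_.uSNChanged -gt $wm })) {
        $Store[$e.$Key] = $e
        if ($e.uSNChanged -gt $Watermark.Value) { $Watermark.Value = $e.uSNChanged }
    }
}

# Full import: upsert every object, then drop rows whose key was not seen. This is the only path that
# surfaces deletions and stale keys, which is why it stays on the schedule alongside polling.
function Sync-Full([hashtable]$Store, [string]$Key, [ref]$Watermark) {
    $seen = @{}
    foreach ($e in $Directory.Values) { $Store[$e.$Key] = $e; $seen[$e.$Key] = $true }
    foreach ($k in @($Store.Keys)) { if (-not $seen.ContainsKey($k)) { $Store.Remove($k) } }
    $Watermark.Value = ($Directory.Values | Measure-Object -Property uSNChanged -Maximum).Maximum
}

function Show-Store([string]$Label, [hashtable]$Store) {
    $rows = foreach ($k in ($Store.Keys | Sort-Object)) { '{0} -> {1} in {2}' -f $k, $Store[$k].sAMAccountName, $Store[$k].ou }
    '{0}: {1}' -f $Label, ($rows -join '; ')
}

Write-Entry 'guid-0001' 'jjones' 'Staff'
Write-Entry 'guid-0002' 'asmith' 'Staff'

$bySam  = @{}; $wmSam  = 0      # store keyed by a mutable attribute
$byGuid = @{}; $wmGuid = 0      # store keyed by the immutable objectGUID
Sync-Full $bySam  'sAMAccountName' ([ref]$wmSam)
Sync-Full $byGuid 'objectGUID'     ([ref]$wmGuid)

# 1. A write that changes the key attribute (a sAMAccountName rename; the objectGUID is unchanged).
Write-Entry 'guid-0001' 'jjones2' 'Staff'
Sync-Poll $bySam  'sAMAccountName' ([ref]$wmSam)
Sync-Poll $byGuid 'objectGUID'     ([ref]$wmGuid)
Show-Store 'keyed by sAMAccountName after rename + poll' $bySam    # old key and new key both held
Show-Store 'keyed by objectGUID after rename + poll'     $byGuid   # same row, updated in place

# 2. A deletion: no poll ever sees it; the next full import does.
Remove-Entry 'guid-0002'
Sync-Poll $byGuid 'objectGUID' ([ref]$wmGuid)
Show-Store 'keyed by objectGUID after delete + poll' $byGuid
Sync-Full $byGuid 'objectGUID' ([ref]$wmGuid)
Show-Store 'keyed by objectGUID after delete + full import' $byGuid
```

Deleted objects are left out of the model's poll for the same reason they are left out of a real uSNChanged search: AD turns them into tombstones under CN=Deleted Objects, which a search does not return unless it sends the Show Deleted control (1.2.840.113556.1.4.417). Polling can therefore only add or update rows, and only the scheduled full import, which compares the whole result set against what it holds, can remove one. The stale row under the old key is the security-relevant part: an identity that no longer exists in AD, or exists under a different name, keeps being presented downstream until the next full import runs.
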
0
Answered

UNIFYBroker/AD & dn field type

Adrian Corston 5 years ago in UNIFYBroker/Microsoft Active Directory updated by anonymous 5 years ago 2

I have configured my UNIFYBroker/AD connector to use objectGUID as the key, so I can modify the "dn" attribute to move users between AD OUs.  I configured my "dn" attribute as a "Distinguished Name (DN)" type in the AD connector and I generate an appropriate value for the field in a PowerShell Link Task.  But when I attempt to sync to the AD adapter I see this error:

Image 5296

It looks to me like the UNIFYBroker/AD connector code needs me to configure the "dn" attribute as a String type.  Is that correct?  I'd prefer to have it configured as a Distinguished Name (DN), because that is what it is in AD and I want to use it elsewhere as a Distinguished Name (DN) data type (e.g. when I join to it for use on another user's "manager" attribute).

Answer

Hey Adrian,

Unfortunately that's correct - the AD connector expects the DN field to be a string value type.

This is because the underlying Microsoft library used for integration requires the DN to be a string value, so we enforce that value type further up the chain to ensure we don't cause any strange behaviour doing the conversion ourselves.

0
Planned

When performing a move DN operation in the AD connector, check that the target OU is present first

When the target OU is missing, the error that is currently logged is quite difficult to relate back to the root cause.  If a test of the target OU were made before the move and a specific error logged in this case then it would go a long way to improving the usability of the product.

See https://voice.unifysolutions.net/communities/6/topics/3850-baseline-sync-reports-received-error-code-other-an-unknown-error-occurred for an example of the error that currently occurs.

0
Answered

Broker Plus: Error Exporting to AD

The versions are 5.3.2 for broker and 4.3.0 for AD with a provided patch. Plus is v5.3.0.2.  I'm attempting to export to AD with Broker Plus but getting this unknown error. The permissions in AD are right. The connection is right, Test Connection works and I'm getting users in when I import with the connector. When I run a baseline on the AD to Person link, I wait a while then this error appears in the log. The operations that should be occurring are a DN rename and some attribute modifies.

Update entities to connector failed.
Update entities [Count:2] to connector Active Directory failed with reason A task faulted. See inner exception for details.. Duration: 00:00:00.0156294
Error details:
System.Exception: A task faulted. See inner exception for details. ---> System.Exception: Received error code Other for item with dn CN=Jane Jones,OU=Win10 Canberra Users,OU=Win10 Users,DC=internal,DC=govt. Message: 00002089: UpdErr: DSID-031B0E6F, problem 5012 (DIR_ERROR), data 2
---> System.DirectoryServices.Protocols.DirectoryOperationException: An unknown error occurred.
Server stack trace:
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
Exception rethrown at [0]:
at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Connectors.AD.ADAgent.<ErrorCheckRequest>d__24`1.MoveNext()
--- End of inner exception stack trace ---
at Unify.Connectors.AD.ADAgent.ErrorCheckResponse(String dn, DirectoryResponse response, String operationName, Exception originalException)
at Unify.Connectors.AD.ADAgent.<ErrorCheckRequest>d__24`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Connectors.AD.ADAgent.<MoveEntryAsync>d__21.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Connectors.AD.ADConnector.<UpdateEntitiesAsync>d__24.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.ConnectorToUpdatingAsyncConnectorBridge.<UpdateEntitiesAsync>d__8.MoveNext()
--- End of inner exception stack trace ---
at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass4_0.<TaskContinueWithExceptionPassthough>b__0(Task t)
at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.EventNotifierUpdatingAsyncConnectorDecorator.<UpdateEntitiesAsync>d__3.MoveNext()

Any ideas?

Answer

Turned out to be a misplaced space in the DN calculation.
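
Building the dn string a Link Task hands to the connector, with an up-front check that the target container exists, as an added example that is not from any of the threads above or from UNIFY. It combines three points from this page: the connector takes the DN as a plain string, the move feature request asks for the target OU to be tested before the move, and the 00002089 / problem 5012 error in this thread came from a misplaced space in the DN calculation. The container DN is the one from this thread; the user name is constructed, and the existence check needs a reachable domain controller.

```powershell
# Added example, not from the original threads or from UNIFY. Builds the string "dn" value for the
# AD connector and checks the target container before a move is attempted.
Add-Type -AssemblyName System.DirectoryServices   # Windows only; provides DirectoryEntry

function ConvertTo-RdnValue {
    # RFC 4514 section 2.4: a backslash in front of the characters that would otherwise end or split
    # the RDN, and in front of a leading space or '#' and a trailing space. Without this a display
    # name such as "Jones, Jane" becomes two RDNs and the object is addressed under a different parent.
    param([Parameter(Mandatory)][string]$Value)
    $out = [System.Text.StringBuilder]::new()
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c = $Value[$i]
        $escape = ('\,+"<>;='.IndexOf($c) -ge 0) -or
                  ($i -eq 0 -and ($c -eq ' ' -or $c -eq '#')) -or
                  ($i -eq $Value.Length - 1 -and $c -eq ' ')
        if ($escape) { [void]$out.Append('\') }
        [void]$out.Append($c)
    }
    $out.ToString()
}

function New-UserDn {
    # The connector wants a string, so this returns one. The parent is trimmed so a stray space at
    # either end cannot produce a DN whose parent does not exist.
    param([Parameter(Mandatory)][string]$CommonName, [Parameter(Mandatory)][string]$ParentDn)
    'CN={0},{1}' -f (ConvertTo-RdnValue $CommonName), $ParentDn.Trim()
}

function Test-DnSyntax {
    # Every RDN must be type=value and an unescaped comma must be followed directly by the next type.
    # "CN=x, OU=y" and an unescaped comma inside a value fail here, with the DN in hand, instead of
    # failing on the DC with a generic error.
    param([Parameter(Mandatory)][string]$Dn)
    $rdn = '(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=(?:[^,\\]|\\.)*'
    $Dn -match "^$rdn(?:,$rdn)*`$"
}

function Test-ParentExists {
    # Strip the first RDN (up to the first unescaped comma) to get the parent container, then ask the
    # directory whether it exists. Exists returns $false for a missing OU and throws if the server
    # cannot be reached, so a connectivity problem is not mistaken for a missing container.
    param([Parameter(Mandatory)][string]$Dn, [string]$Server)
    $parent = $Dn -replace '^(?:[^,\\]|\\.)+,', ''
    $path = if ($Server) { "LDAP://$Server/$parent" } else { "LDAP://$parent" }
    [System.DirectoryServices.DirectoryEntry]::Exists($path)
}

# Usage: the container is the one from the thread above; the name is constructed to exercise escaping.
$parent = 'OU=Win10 Canberra Users,OU=Win10 Users,DC=internal,DC=govt'
$dn = New-UserDn -CommonName 'Jones, Jane' -ParentDn $parent
if (-not (Test-DnSyntax $dn))          { throw "Malformed DN: $dn" }
if (-not (Test-ParentExists -Dn $dn))  { throw "Target container for '$dn' does not exist; refusing to move." }
$dn
```

ConvertTo-RdnValue turns "Jones, Jane" into "Jones\, Jane", so the value stays a single RDN. Test-DnSyntax rejects a DN with whitespace after a separator without touching it, which is deliberate: silently normalising a computed DN would hide the kind of calculation error this thread ended with, while rejecting it names the bad value in the log.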

0
Not a bug

accountExpires missing when running Request Schema from AD

Adrian Corston 5 years ago in UNIFYBroker/Microsoft Active Directory updated by Adam van Vliet 5 years ago 4

When I run 'Request Schema' on the Broker/AD connector, the 'accountExpires' AD attribute does not appear.

How do I add this attribute to my connector so that I can synchronise it in Broker/Plus?

Answer
Adam van Vliet 5 years ago

It is capable of reading these fields. I've added an item to the backlog to improve usability.

0
Not a bug

Active Directory connector doesn't support AD move operation (dn change) even though UNIFYAssure-Aurion-Sample uses it

UNIFYAssure-Aurion-Sample attempts to move AD user object by modifying the 'dn' attribute on the AD connector, but when it tries to do so this error appears in the log:

Image 5213

Here's the error I see in the UI:

Image 5214

Here's the PowerShell code from UNIFYAssure-Aurion-Sample:

Image 5215

Here are the Adapter config excerpts:

Image 5216

Image 5217

Image 5218

Answer
Adam van Vliet 5 years ago

It might be that this wasn't a use case for the sample configuration. The DN can be changed during the update operation by instead using objectGUID as the key.

0
Fixed

Broker/AD agent doesn't allow setting or save of 'Scope' configuration setting

Adrian Corston 5 years ago in UNIFYBroker/Microsoft Active Directory updated 3 years ago 15

Using Broker/Microsoft Active Directory v5.3.0.0 RTM I tried changing the "Scope" configuration setting from "Base" to "Subtree" using the UI and it immediately reverted back to "Base" after saving.  Looking in the ConnectorEnginePluginKey extensibility file the scope setting appears to be missing altogether, so I can't manually set it:

Image 5179

0
Under review

EntitySchemaValidationException: C could not be parsed into a valid DN

I've created an AD connector to manage AD groups. The groups can export fine from Broker, including members. However when attempting to import the groups again from AD, I get the following error:


Change detection engine import all items failed.
Change detection engine import all items for connector AD Groups failed with reason One or more errors occurred.. Duration: 00:00:00.1718731
Error details:
System.AggregateException: One or more errors occurred. ---> Unify.Product.IdentityBroker.EntitySchemaValidationException: C could not be parsed into a valid DN. ---> System.ArgumentException: String C is not of a proper distinguished name component format. Ensure characters are correctly escaped, and that the format is correct.
 at Unify.Framework.IO.DistinguishedNameComponent.CreateDNComponent(String dnComponentString)
 at Unify.Framework.IO.DistinguishedNameConversionFromString.CreateDistinguishedName()
 at Unify.Product.IdentityBroker.EntityDistinguishedNameTypeSchemaValidator.CreateValue(Object dataValue)
 --- End of inner exception stack trace ---
 at Unify.Product.IdentityBroker.EntityDistinguishedNameTypeSchemaValidator.CreateValue(Object dataValue)
 at Unify.Product.IdentityBroker.EntityMultiValueValidatorFactoryBase`3.<>c__DisplayClass1_0.<GetValidator>b__0(Object value)
 at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
 at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
 at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
 at Unify.Product.IdentityBroker.EntityMultiValueObjectTypeSchemaValidator`3.CreateValue(Object dataValue)
 at Unify.Connectors.AD.LDAPValueTypeOperations.AddValueToEntity(IConnectorEntity connectorEntity, IEntitySchemaFieldDefinition valueType, DirectoryAttribute attribute)
 at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
 at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
 at Unify.Framework.Collections.EnumerableExtensions.<ActionOnLast>d__10`1.MoveNext()
 at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
 at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
 at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<GetAllEntitiesAsync>b__0(IEnumerable`1 entities)
 at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass7_0`1.<CreateAndSendLogEntryAsync>b__0(Task`1 t)
 at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.<TaskContinueWithExceptionPassthough>b__0(Task`1 t)
 at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
 at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
 at Unify.Product.IdentityBroker.EventNotifierReadingAsyncConnectorDecoratorBase`1.<GetAllEntitiesAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
 at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.<ImportAllChangeProcess>d__6.MoveNext()
 --- End of inner exception stack trace ---
 at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
 at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
 at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.RunBase()
 at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
 at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.<Run>b__0()
 at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)
---> (Inner Exception #0) Unify.Product.IdentityBroker.EntitySchemaValidationException: C could not be parsed into a valid DN. ---> System.ArgumentException: String C is not of a proper distinguished name component format. Ensure characters are correctly escaped, and that the format is correct.
 at Unify.Framework.IO.DistinguishedNameComponent.CreateDNComponent(String dnComponentString)
 at Unify.Framework.IO.DistinguishedNameConversionFromString.CreateDistinguishedName()
 at Unify.Product.IdentityBroker.EntityDistinguishedNameTypeSchemaValidator.CreateValue(Object dataValue)
 --- End of inner exception stack trace ---
 at Unify.Product.IdentityBroker.EntityDistinguishedNameTypeSchemaValidator.CreateValue(Object dataValue)
 at Unify.Product.IdentityBroker.EntityMultiValueValidatorFactoryBase`3.<>c__DisplayClass1_0.<GetValidator>b__0(Object value)
 at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
 at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
 at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
 at Unify.Product.IdentityBroker.EntityMultiValueObjectTypeSchemaValidator`3.CreateValue(Object dataValue)
 at Unify.Connectors.AD.LDAPValueTypeOperations.AddValueToEntity(IConnectorEntity connectorEntity, IEntitySchemaFieldDefinition valueType, DirectoryAttribute attribute)
 at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
 at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
 at Unify.Framework.Collections.EnumerableExtensions.<ActionOnLast>d__10`1.MoveNext()
 at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
 at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
 at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<GetAllEntitiesAsync>b__0(IEnumerable`1 entities)
 at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass7_0`1.<CreateAndSendLogEntryAsync>b__0(Task`1 t)
 at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.<TaskContinueWithExceptionPassthough>b__0(Task`1 t)
 at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
 at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
 at Unify.Product.IdentityBroker.EventNotifierReadingAsyncConnectorDecoratorBase`1.<GetAllEntitiesAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
 at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.<ImportAllChangeProcess>d__6.MoveNext()<---

The only multi valued field is the members field.