Identity Broker Forum
Deletion of partition "DC=IdentityBroker"
I have installed IdB 5.2.0.1 on a new Dev server and migrated the config from Production, which has IdB 5.0.4. I created the LDAP gateway and got the MA imported; however, when I tried to make any changes to the MA I got a warning that it was going to delete the partitions "DC=IdentityBroker" (previously selected) and "cn=schema" (previously unselected).
After backing up the MA I let it delete the partitions, and so far everything looks fine - I can run a Full Import and data was imported from the adapters.
So this is just a sanity check - was letting MIM delete that partition from the MA the right thing to do?
Hi Carol,
We changed the way the MIM MA retrieves partitions. It previously used the entries defined in the naming context of the root DSE, but it now uses the OUs underneath DC=IdentityBroker. This was to prevent using DC=IdentityBroker as a partition, as importing from DC=IdentityBroker involves querying multiple adapters and this proved problematic.
I don't believe that the deletion of those partitions should affect your solution, but if you do notice any problems please update this ticket.
Value bp is not a valid hexadecimal number
Running a Delta Import and Delta Sync from the IdB SharePoint connector, I get the error below. I ran a Full Import and Full Synchronization and the error did not occur. I ran a Delta Import and Delta Sync again and the error did not occur.
Not sure if I'll be able to replicate again, but raising regardless.
The extensible extension returned an unsupported error.
The stack trace is:
"System.ArgumentException: Value bp is not a valid hexadecimal number.
Parameter name: sourceValue
at Unify.Framework.IO.DNComponentAttributeValueParserAdapter.Transform(String sourceValue)
at Unify.Framework.IO.DistinguishedNameComponent.CreateDNComponent(String dnComponentString)
at Unify.Framework.IO.DistinguishedNameConversionFromString.CreateDistinguishedName()
at Unify.Product.IdentityBroker.ImportProxy.GetContainerName(String dn)
at Unify.Product.IdentityBroker.ImportProxy.TryGetObjectClass(String dn, String& objectClass)
at Unify.Product.IdentityBroker.ImportProxy.<EntryToDeltas>d__25.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__16`2.MoveNext()
at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetImportEntries(GetImportEntriesRunStep importRunStep)
at Unify.Product.IdentityBroker.UnifyLdapConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.4.1459.0"
Hi Matt,
Thanks for raising this. This looks to be the same issue as DN Creation not escaping LDAP Reserved Characters. I've created a new build of the Identity Broker for Microsoft Identity Manager management agent which includes the fix from there, attached here: Unify.IdentityBroker.FIMAdapter.dll. Please update the DLL in the FIM Extensions directory and re-attempt the import.
PowerShell Transformation: Required Attribute
I want to use an attribute created in a PowerShell transformation in the DN, but am getting a "field not required" error. How can I configure this new attribute as required?
Hi Matt,
Good question. Currently there is no way to mark fields added via a PowerShell transformation as Required, but this is something we could look at adding support for. Please note, though, that since you can't supply values in Add/Modify requests from an Identity Management platform for these fields (no way to reverse a PowerShell transformation), putting such a field in the Distinguished Name template would effectively block you from provisioning into that adapter.
Error enabling TLS from Management Agent
Hi Gents,
I'm configuring my IDB management agents, and I've noticed the following error being thrown when I try to enable TLS:
I have created a self signed cert and configured it within the interface.
For reference, I used the following command to create my cert:
New-SelfSignedCertificate -Type Custom -Provider "Microsoft RSA SChannel Cryptographic Provider" -Subject "CN=Unify.IdentityBroker" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5)
Please try Unify.IdentityBroker.FIMAdapter.dll and let me know how it goes.
Restrict access to IIS
I have configured IdB to use IIS, but there is nothing in the doco to suggest that it should be restricted.
http://voice.unifysolutions.net/topics/2943-configuring-identity-broker-for-use-with-iis/
Leaving access open to any authenticated user is potentially a security risk.
I have configured IIS to only listen on 127.0.0.1, but presumably there is something else in IdB to perform this role.
How can IdB be restricted when using IIS?
Hi Matt,
We removed the IDB auth settings from 5.0 as it was unmaintainable. From 5.2 onwards, we provide auth settings through Owin (as seen on this page.)
For 5.0 and 5.1, auth settings can be restricted in IIS through groups etc, using examples such as this one or settings found here. Up to the consultant and client how the restrictions look in line with what the requirements are.
Date handling changes
I have a date attribute in my Aurion Adapter called DateCommenced.
In the IdB UI it appears as 2010-05-24.
When it imports into MIM, it's a string type and is shown in the connector space as:
2010-05-24T00:00:00:000
When I look at FIM, (which we're replacing) it's also a string type, however it's shown in the connector space as:
2010-05-24
Has something changed in the handling of Dates between 3.x and 5.x?
Yes, this is a fix in v4.0 as per http://voice.unifysolutions.net/topics/499-support-date-format-in-ldif-that-is-recognised-by-fim-portal/ and https://unifysolutions.jira.com/browse/IDB-662.
Time Offset Flag Transformation throws error when no data present
The UI is displaying "Specified argument was out of the range of valid values. Parameter name: key" after configuring a Time Offset Flag Transformation. Looking at the data, there is nothing currently in the column, I suspect this might be causing the error.
There are two configured transformations:
<adapter name="TimeOffsetFlag" key="e761c890-313b-4b88-bfcf-272595dcf784">
<Extended offset="-P15DT10H" sourceColumn="DateCommenced" destinationColumn="EmployeeStarted" LesserValue="True" EqualValue="True" GreaterValue="False" NullValue="False" adjustForLocal="false" xmlns="" />
</adapter>
<adapter name="TimeOffsetFlag" key="00eaab5c-89e9-41b4-9728-e7b342d07db8">
<Extended offset="PT10H" sourceColumn="DateTerminated" destinationColumn="EmployeeTerminated" LesserValue="False" EqualValue="True" GreaterValue="False" NullValue="True" adjustForLocal="false" xmlns="" />
</adapter>
The first one does not throw an error. The second one does.
Hi Matt,
Where is the UI displaying this error? Is it under the Transformations section, between a heading Time Offset Flag and its corresponding description? Please ensure that you don't have duplicate column names in your adapter, i.e. that there isn't already a column named DateTerminated. If there is, either rename the existing column or change the Target for the Time Offset Flag Transformation.
Object reference not set to an instance of an object error when attempting to retrieve schema
When trying to retrieve schema, MIM throws error below.
Log Name: Application
Source: FIMSynchronizationService
Date: 30/05/2017 8:44:54 AM
Event ID: 6801
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: dc1devfim01.dev.apra.gov.au
Description:
The extensible extension returned an unsupported error.
The stack trace is:
"Unify.Product.IdentityBroker.LdapOperationException: Object reference not set to an instance of an object.
at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
at Unify.Product.IdentityBroker.LdapConnection.GetSchema(String schemaDn)
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Enumerable.Aggregate[TSource](IEnumerable`1 source, Func`3 func)
at Unify.Product.IdentityBroker.LdapConnectionProxy.get_LdapSchema()
at Unify.Product.IdentityBroker.LdapConnectionProxy.get_Schema()
at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetSchema(KeyedCollection`2 configParameters)
at Unify.Product.IdentityBroker.UnifyLdapConnector.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.4.1459.0"
Error in logs is as follows:
20170529,22:44:53,UNIFY Identity Broker,Security engine,Information,"Require an LDAP access level Request to require LDAP access level Read completed successfully.",Verbose
20170529,22:44:53,UNIFY Identity Broker,LDAP engine,Error,"Handling of LDAP schema request. Handling of LDAP schema request from user mim on connection 127.0.0.1:65135 for the server schema failed with error ""Object reference not set to an instance of an object."". Duration: 00:00:00.",Normal
20170529,22:44:53,UNIFY Identity Broker,LDAP Engine,Error,"An error occurred on client from 127.0.0.1:65135. More details: Internal Server Error #11: System.NullReferenceException: Object reference not set to an instance of an object. at Unify.Product.IdentityBroker.SearchRequestHandlerBase.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction) at Unify.Product.IdentityBroker.RequestHandlerAuditingDecorator.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction) at Unify.Product.IdentityBroker.LDAPRequestHandlerSecurityDecorator.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction) at Unify.Product.IdentityBroker.LDAPConnection.<RespondToMessageAsync>d__33.MoveNext()",Normal
20170529,22:44:53,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP unbind request. Handling of LDAP unbind request received on connection mim to connect as user 127.0.0.1:65135 started.",Verbose
20170529,22:44:53,UNIFY Identity Broker,Security engine,Information,"Require an LDAP access level
Hi Matt,
Thanks for the feedback, I agree that the product could handle this more gracefully, and we'll take it into consideration.
For your immediate issue, you should be able to resolve this by removing the container corresponding to the previous container name and re-populating the adapter entity context.
"Sequence contains no elements" trying to retrieve schema
Trying to retrieve schema in MIM & getting the error below in event logs. MIM UI displays error Unable to retrieve schema. Error: Exception from HRESULT: 0x80231343
Log Name: Application
Source: FIMSynchronizationService
Date: 25/05/2017 3:35:21 PM
Event ID: 6801
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: dc1devfim01.dev.apra.gov.au
Description:
The extensible extension returned an unsupported error.
The stack trace is:
"System.InvalidOperationException: Sequence contains no elements
at System.Linq.Enumerable.Single[TSource](IEnumerable`1 source)
at RegExExtensions.RegExExtensions.Extract(String text, String pattern)
at Unify.Product.IdentityBroker.LdapAttributeDefinition..ctor(String definition)
at Unify.Product.IdentityBroker.LdapSchema.<>c.<.ctor>b__0_0(String attr)
at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer)
at Unify.Product.IdentityBroker.LdapSchema..ctor(SearchResultEntry entry)
at Unify.Product.IdentityBroker.LdapConnection.GetSchema(String schemaDn)
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Enumerable.Aggregate[TSource](IEnumerable`1 source, Func`3 func)
at Unify.Product.IdentityBroker.LdapConnectionProxy.get_Schema()
at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.4.1459.0"
Install IdB MIM Adapter DLL to appropriate MIM directory
The MIM adapter currently installs to a Unify directory in Program Files, after which it needs to be moved manually into the appropriate MIM Directory.
The installer could install into the appropriate directory, which would result in better end user experience, both in the initial install and in repairs.
The FIM Sync base directory can be retrieved from the registry at:
SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Path
as documented here.
After this \extensions needs to be added to the path value to find the location.
Will be included in the next adapter release.