Identity Broker Forum

Welcome to the community forum for Identity Broker.

Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.

0
Completed

Identity Broker for FIM/ILM default run profiles to be deprecated by Microsoft due to stopped-server errors

Bob Bradley 12 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 6

The default run profiles installed when you deploy an instance of any Identity Broker 3.* MA for FIM include combined "single step" run profiles as has been "best practice" dating back to MIIS days (see http://social.technet.microsoft.com/wiki/contents/articles/1147.aspx#Single_step_vs_multistep).

However, advice from Jeff Nelson recently after explaining anecdotal evidence of "stopped-server" problems experienced @ DEEWR, is that the Microsoft FIM Product Group is planning to deprecate support for this model entirely in favour of combined "multi step" run profiles. I spoke directly to Andreas Kjellman (MS Sync engine product lead) last month and he backed this up ... the bugs that they are now aware of with this style of run profile are "too much to even try fixing", and so they're going to remove support for them. They claim that they are the main cause of the stopped-server errors @ DEEWR, and I can vouch for this with my own experience, particularly with the FIM MA.

While the above sounds very much like a cop-out, there are certainly pros and cons to both approaches. The very BIG downside of losing the single step model entirely is the corresponding additional overhead that will be incurred in any CS where there is a large number of disconnectors (since a single step model was the only way until now of avoiding repeated reprocessing of these disconnectors with every DI/DS). Now that we have to live with this overhead, it will become beholden on FIM solution designers to minimise the number of disconnectors, which in itself is already an established best practice anyhow.

Needless to say, with this in mind, and the increasing likelihood of UNIFY PS staff running into the same error themselves, it would be a good idea to change the default run profile definitions installed by the Identity Broker MA wizard asap.

On the subject of this same error, there are many potential causes, and this is only one of them. Another is trying to run ANY OTHER RUN PROFILE while a FIM MA run profile is already executing - this will almost always cause the FIM MA run profile to fail!

In the meantime I have already ensured that I have manually changed all FIM run profiles to adapt to this new multi-step standard.

0
Fixed

FIM export with required field as null fails silently

If FIM exports to an adapter whose connector has a non-key field set as required but the FIM MA does not (i.e. the connector was changed after the xMA was generated) and that field in FIM is null, the export action will not be successful but no notification or error message is generated.

0
Answered

Export from FIM EmployeePosition Placeholder into EmployeePosition Placeholder Adapter results in an error

Shane Lim 13 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 5

I have an EmployeePosition Connector that has two keys specified, employee_code and position_no.
In the EmployeePosition Adapter configuration I did not specify the <dnComponent> as I cannot find any documentation on how this would be achieved such that FIM will see all the objects coming through this adapter as unique objects. Thus I left it to the default GUID to be generated.

I also have a Position Placeholder Connector and Adapter for Provisioning (exporting) the EmployeePosition objects from the EmployeePosition Adapter into it so that it could be used to generate the Positions membership and other multi-valued attributes.
The Position Placeholder Connector is using the same two keys as in the Position Connector, employee_code and position_no.
The Position Placeholder Adapter configuration is using the default GUID as <dnComponent>.

  • I can bring the EmployeePosition Adapter data into FIM EmployeePosition MA Connector Space successfully
  • I can synchronise FIM EmployeePosition MA Connector Space to FIM EmployeePosition Placeholder MA Connector Space successfully.
  • However when I perform the FIM Export on EmployeePosition Placeholder MA I got the below error.
20110404,05:19:12,Adapter request to save entity to adapter space.,Adapter,Information,Adapter request to save entity 17ece84f-6e81-4ecd-9f3e-aa06faf84be1 to adapter space c17d93f7-ad7c-4a4a-aded-892125a3731d.,Normal
20110404,05:19:12,An entity failed validation.,Adapter,Warning,The entity 17ece84f-6e81-4ecd-9f3e-aa06faf84be1 on connector b112daa3-e9aa-43a8-9615-2c20626dddc6 failed validation 1 times for the following reasons: EmployeeCode is a required field and is not present.,Normal
20110404,05:19:12,Adapter request to save entity to adapter space failed.,Adapter,Warning,"Adapter request to save entity 17ece84f-6e81-4ecd-9f3e-aa06faf84be1 to adapter space c17d93f7-ad7c-4a4a-aded-892125a3731d failed with reason 1 items failed schema validation during Adapter operation.  Check log for validation errors.. Duration: 00:00:00.0341775
Error details:
Unify.Framework.AdapterSchemaException: 1 items failed schema validation during Adapter operation.  Check log for validation errors.
   at Unify.Framework.Adapter.SaveEntities(IEnumerable`1 entities, Boolean reflect)
   at Unify.Framework.Adapter.SaveEntity(IAdapterEntity entity, Boolean reflect)
   at Unify.Framework.Adapter.SaveEntity(IAdapterEntity entity)
   at Unify.Framework.AdapterNotifierDecorator.SaveEntity(IAdapterEntity entityToSave)
   at Unify.Framework.LDIFAdapter.ExportAdapterEntity(IAdapterEntity adapterEntity, Guid adapterId)
   at Unify.Framework.LDIFAdapterServiceHostDecorator.ExportAdapterEntity(IAdapterEntity adapterEntity, Guid adapterId)
   at SyncInvokeExportAdapterEntity(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage3(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage2(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage1(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)",Normal

The Codeless Framework configuration for provisioning to the EmployeePosition Placeholder is:

   <ma name="Positions Placeholder">
      <systemtype>IdentityBroker</systemtype>
      <datasource>
        <connectionString>HTTP://localhost</connectionString>
        <Port>59999</Port>
        <UserName></UserName>
        <Password></Password>
      </datasource>
      <provisioning enabled="true"/>
      <deprovisioning enabled="true"/>
      <cs-deletes-enabled enabled="true"/>
      <cd-deletes-enabled enabled="false"/>
      <object type="Position" csobjecttype="person" anchorattribute="dn">
        <provisioning>
          <enabled>true</enabled>
          <dnprefix>UID=</dnprefix>
          <allowfilters switch="or">
                <filter priority="1">
                  <attribute>PositionTile</attribute>
                  <compareType>ne</compareType>
                  <compareValue>Casual</compareValue>
                </filter>
          </allowfilters>
          <defaults>
            <default name="EmployeeCode">
              <type>csentry</type>
              <attribute>EmployeeCode</attribute>
              <value>EmployeeCode</value>
              <mvaction></mvaction>
            </default>
            <default name="PositionNumber">
              <type>csentry</type>
              <attribute>PositionNumber</attribute>
              <value>PositionNumber</value>
              <mvaction></mvaction>
            </default>
            <default name="IdBID">
              <type>csentry</type>
              <attribute>IdBID</attribute>
              <value>IdBID</value>
              <mvaction></mvaction>
            </default>
          </defaults>
          <uniquename>
            <namerule priority="1">
              <maxlength>64</maxlength>
              <minlength>1</minlength>
              <pad-with></pad-with>
              <namecomponent priority="1">
                <type>attribute</type>
                <value>IdBID</value>
                <attributeseparator></attributeseparator>
                <pad-with></pad-with>
                <maxlength>64</maxlength>
                <minlength>1</minlength>
                <alphanumericsonly>true</alphanumericsonly>
              </namecomponent>
            </namerule>
            <datasource-attributename></datasource-attributename>
            <verify-against>
              <connectionString></connectionString>
              <Port></Port>
              <UserName></UserName>
              <Password></Password>
            </verify-against>
          </uniquename>
        </provisioning>
.
.
.

The Identity Broker for Empower Connectors and Adapter configuration file is attached. The Codeless Framework configuration file for provisioning of the "Position Placeholder" MA is also attached.

The Identity Broker error log file is also attached.

Peter, would you be able to assist with this issue? Perhaps it is best to obtain help from the Product team.

0
Answered

On the Container search - receive Unable to get the hierarchy from the LDAP server.ExtensibleExtensionException: (87) Filter Error Server Message: The search filter is invalid

André van der Westhuizen 9 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 2

Created a new Adapter in Identity Broker for the Department with a DN of CN=Name,OU=Group. The objectclass is ADVDepartment.

The Adapter is created successfully and the Processed Entity Count is 16.
I create the Generic LDAP (Microsoft) MA successfully and could import the objects.

When I select the Containers from the Configure Partitions and Hierarchies pane of the MA properties I receive the following errors:

The error in the Event viewer is:

The extensible extension returned an unsupported error.
The stack trace is:

"Microsoft.MetadirectoryServices.ExtensibleExtensionException: Unable to get the hierarchy from the LDAP server.ExtensibleExtensionException: (87) Filter Error Server Message: The search filter is invalid. Matched DN: RootCauseException:  ---> System.DirectoryServices.Protocols.LdapException: The search filter is invalid.
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.IdentityManagement.Connector.GenericLdap.Channel.DirectoryContext.GetDirectoryEntries(String namingContext, SearchScope scope, DirectoryControlCollection directoryControls, String filter, String[] attributes)
   at Microsoft.IdentityManagement.Connector.GenericLdap.Proxy.HierarchyProxy.GetHierarchy(HierarchyNode parent, LdapDirectory directoryName)
   at Microsoft.IdentityManagement.Connector.GenericLdap.ConfigStrategy.GetHierarchy(HierarchyNode parent)
   at Microsoft.IdentityManagement.Connector.GenericLdap.GenericLdapConnector.GetHierarchy(KeyedCollection`2 configParameters, HierarchyNode parent)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.Connector.GenericLdap.ExceptionManager.ExceptionHelper.MapExceptionType(Exception exception)
   at Microsoft.IdentityManagement.Connector.GenericLdap.ExceptionManager.ExceptionHelper.SetConnectorException(Exception baseException, String errorMessage, String distinguishedName)
   at Microsoft.IdentityManagement.Connector.GenericLdap.GenericLdapConnector.ReportErrorToSyncService(String errorMessage, Exception exception)
   at Microsoft.IdentityManagement.Connector.GenericLdap.GenericLdapConnector.GetHierarchy(KeyedCollection`2 configParameters, HierarchyNode parent)
Forefront Identity Manager 4.1.3599.0"

screenshot-1.png
0
Completed

Remove ability to save xMA to services directory

Matthew Clark 12 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 2

It was decided that the xMA Generator should not allow users to save xMAs to the Service directory of Identity Broker, as this may involve writing to and cluttering an application's drive. This feature should be removed from the generator, with the FIM Instance and Download Locally options providing more than enough flexibility.

0
Completed

Investigate handling of inconsistent casing in container objects

Matthew Clark 13 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 9

QDET-97, IDBSP-29, IDBSP-36 and IDBFIM300 ("The distinguished name and reference value attributes of a management agent seem to change case inexplicably") all detail issues that arise due to inconsistent casing in container objects retrieved from a target system, usually where the key field is a self-reference (such as Microsoft SharePoint). Microsoft FIM does not handle inconsistently cased container objects with great finesse, prompting the renaming and updating of all reference value fields and distinguished names in a connector space. Investigate if any appropriate measures can be introduced on the Identity Broker side to alleviate or address this issue.

0
Completed

Improve handling of composite adapter lookup in LDIF adapter ExportChanges

Matthew Clark 11 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 5

See SSICT-101. An environment with a composite adapter containing three adapters - 50000 entities in the first, 38000 in the second, and 50000 in the third. The third was requiring an update to a single field and was taking 4-9 seconds per object. This was alleviated by changing the order of the adapters such that the third adapter was made the first.

This is because the LDIF reading in the LDIF adapter relies on TryGetEntityByDN to get the object class of the object. This is done because the LDIF spec does not contain the objectclass field for updates. An improvement to this interface is required in order to allow exports in larger, time-sensitive environments to run in an efficient manner.

0
Completed

MA property not supported message to be improved or fixed

Matthew Clark 13 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 8

Refer to https://unifysolutions.jira.com/wiki/display/IDBFIM300/An+export+to+Identity+Broker+fails+with+an+ma-extension-error+and+the+Windows+Application+Event+Log+cites+an+InvalidOperationException+as+the+reason. In the cases where this error occurs, the error message should be improved to state that the generated distinguished name on the Identity Broker side does not match the provisioning logic (or is not present).

Cannot provision incorrect DN.png
0
Fixed

Changing container fails with "need-full-object" on delta-import.

Tony Sheehy 12 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 4

Changing container fails with "need-full-object" on delta-import.

The following actions were taken to hit this issue:

  • Connector with field decimal (not key, not required, not readonly)
  • Change the value
  • Delta import on an adapter with a format of CN=schemaKey,CN=decimal

The following LDIF is generated:

version: 1
dn: CN=c0fd28b9-5a8f-45ca-b3b9-69a60aa69c2b
changetype: moddn
newrdn: CN=c0fd28b9-5a8f-45ca-b3b9-69a60aa69c2b
deleteoldrdn: 1

dn: CN=c0fd28b9-5a8f-45ca-b3b9-69a60aa69c2b,CN=2
changetype: modify
replace: decimal
decimal: 2
-

dn: CN=2
changetype: add
objectClass: container

Failing the delta import with "need-full-object".

0
Completed

PDF documentation can't be opened on a server

Bob Bradley 13 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 3

After deploying UNIFY Identity Broker for Microsoft FIM v3.0.0 (x86).msi from https://unifysolutions.jira.com/wiki/display/SUBIDBFIM/Downloads and completing my IdB 3.0.6 DEEWR configuration, I was ready to create an instance of the IdB FIM xMA ...

After installing using the default options, I found that:

(a) PDF files cannot normally be opened on a server - we might want to think of an alternative format that can, say, be opened in Wordpad, which is (almost) guaranteed to be there ... I got around this by mailing myself the file from my DEEWR email account, which was the only way I could get hold of the file over a VPN. Of course I could have installed this to my XP laptop ...

UNIFY Identity Broker for Microsoft FIM v3.0.0 Configuration Guide.pdf