Identity Broker Forum
FIM export with required field as null fails silently
If FIM exports to an adapter whose connector has a non-key field set as required but the FIM MA does not (i.e. the connector changed after the xMA was generated) and that field in FIM is null, the export action will not be successful but no notification or error message is generated.
Export from FIM EmployeePosition Placeholder into EmployeePosition Placeholder Adapter result in error
I have an EmployeePosition Connector that has two keys specified, employee_code and position_no.
In the EmployeePosition Adapter configuration I did not specify the <dnComponent> as I cannot find any documentation on how this would be achieved such that FIM will see all the objects coming through this adapter as unique objects. Thus I left it to the default GUID to be generated.
I also have a Position Placeholder Connector and Adapter for Provisioning (exporting) the EmployeePosition objects from the EmployeePosition Adapter into it so that it could be used to generate the Positions membership and other multi-values attributes.
The Position Placeholder Connector is using the same two keys as in the Position Connector, employee_code and position_no.
The Position Placeholder Adapter configuration is using the default GUID as <dnComponent>.
- I can bring the EmployeePosition Adapter data into FIM EmployeePosition MA Connector Space successfully.
- I can synchronise FIM EmployeePosition MA Connector Space to FIM EmployeePosition Placeholder MA Connector Space successfully.
- However when I perform the FIM Export on EmployeePosition Placeholder MA I got the below error.
    20110404,05:19:12,Adapter request to save entity to adapter space.,Adapter,Information,Adapter request to save entity 17ece84f-6e81-4ecd-9f3e-aa06faf84be1 to adapter space c17d93f7-ad7c-4a4a-aded-892125a3731d.,Normal
    20110404,05:19:12,An entity failed validation.,Adapter,Warning,The entity 17ece84f-6e81-4ecd-9f3e-aa06faf84be1 on connector b112daa3-e9aa-43a8-9615-2c20626dddc6 failed validation 1 times for the following reasons: EmployeeCode is a required field and is not present.,Normal
    20110404,05:19:12,Adapter request to save entity to adapter space failed.,Adapter,Warning,"Adapter request to save entity 17ece84f-6e81-4ecd-9f3e-aa06faf84be1 to adapter space c17d93f7-ad7c-4a4a-aded-892125a3731d failed with reason 1 items failed schema validation during Adapter operation. Check log for validation errors.. Duration: 00:00:00.0341775
    Error details: Unify.Framework.AdapterSchemaException: 1 items failed schema validation during Adapter operation. Check log for validation errors.
       at Unify.Framework.Adapter.SaveEntities(IEnumerable`1 entities, Boolean reflect)
       at Unify.Framework.Adapter.SaveEntity(IAdapterEntity entity, Boolean reflect)
       at Unify.Framework.Adapter.SaveEntity(IAdapterEntity entity)
       at Unify.Framework.AdapterNotifierDecorator.SaveEntity(IAdapterEntity entityToSave)
       at Unify.Framework.LDIFAdapter.ExportAdapterEntity(IAdapterEntity adapterEntity, Guid adapterId)
       at Unify.Framework.LDIFAdapterServiceHostDecorator.ExportAdapterEntity(IAdapterEntity adapterEntity, Guid adapterId)
       at SyncInvokeExportAdapterEntity(Object , Object[] , Object[] )
       at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
       at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
       at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
       at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc& rpc)
       at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage3(MessageRpc& rpc)
       at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage2(MessageRpc& rpc)
       at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage1(MessageRpc& rpc)
       at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)",Normal
The Codeless Framework configuration for provisioning to the EmployeePosition Placeholder is:
    <ma name="Positions Placeholder">
      <systemtype>IdentityBroker</systemtype>
      <datasource>
        <connectionString>HTTP://localhost</connectionString>
        <Port>59999</Port>
        <UserName></UserName>
        <Password></Password>
      </datasource>
      <provisioning enabled="true"/>
      <deprovisioning enabled="true"/>
      <cs-deletes-enabled enabled="true"/>
      <cd-deletes-enabled enabled="false"/>
      <object type="Position" csobjecttype="person" anchorattribute="dn">
        <provisioning>
          <enabled>true</enabled>
          <dnprefix>UID=</dnprefix>
          <allowfilters switch="or">
            <filter priority="1">
              <attribute>PositionTile</attribute>
              <compareType>ne</compareType>
              <compareValue>Casual</compareValue>
            </filter>
          </allowfilters>
          <defaults>
            <default name="EmployeeCode">
              <type>csentry</type>
              <attribute>EmployeeCode</attribute>
              <value>EmployeeCode</value>
              <mvaction></mvaction>
            </default>
            <default name="PositionNumber">
              <type>csentry</type>
              <attribute>PositionNumber</attribute>
              <value>PositionNumber</value>
              <mvaction></mvaction>
            </default>
            <default name="IdBID">
              <type>csentry</type>
              <attribute>IdBID</attribute>
              <value>IdBID</value>
              <mvaction></mvaction>
            </default>
          </defaults>
          <uniquename>
            <namerule priority="1">
              <maxlength>64</maxlength>
              <minlength>1</minlength>
              <pad-with></pad-with>
              <namecomponent priority="1">
                <type>attribute</type>
                <value>IdBID</value>
                <attributeseparator></attributeseparator>
                <pad-with></pad-with>
                <maxlength>64</maxlength>
                <minlength>1</minlength>
                <alphanumericsonly>true</alphanumericsonly>
              </namecomponent>
            </namerule>
            <datasource-attributename></datasource-attributename>
            <verify-against>
              <connectionString></connectionString>
              <Port></Port>
              <UserName></UserName>
              <Password></Password>
            </verify-against>
          </uniquename>
        </provisioning>
        . . .
The Identity Broker for Empower Connectors and Adapter configuration file is attached. Also attached is the Codeless Framework configuration file for provisioning of the "Position Placeholder" MA.
The Identity Broker error log file is also attached.
Peter, would you be able to assist with this issue? Perhaps it is best to obtain help from the Product team.
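The validation warning quoted in the post above is the only trace of a rejected export when FIM itself reports nothing, so one way to surface these failures is to scan the Identity Broker log for it. This is an added example, not part of the original posts or of the product; the column order is assumed from the quoted log lines, and the sample log is constructed from them in abbreviated form.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample, abbreviated from the log entries quoted in the post above.
SAMPLE_LOG = '''\
20110404,05:19:12,Adapter request to save entity to adapter space.,Adapter,Information,Adapter request to save entity 17ece84f-6e81-4ecd-9f3e-aa06faf84be1 to adapter space c17d93f7-ad7c-4a4a-aded-892125a3731d.,Normal
20110404,05:19:12,An entity failed validation.,Adapter,Warning,The entity 17ece84f-6e81-4ecd-9f3e-aa06faf84be1 on connector b112daa3-e9aa-43a8-9615-2c20626dddc6 failed validation 1 times for the following reasons: EmployeeCode is a required field and is not present.,Normal
20110404,05:19:12,Adapter request to save entity to adapter space failed.,Adapter,Warning,"Adapter request to save entity 17ece84f-6e81-4ecd-9f3e-aa06faf84be1 failed with reason 1 items failed schema validation during Adapter operation.
   at Unify.Framework.Adapter.SaveEntities(IEnumerable`1 entities, Boolean reflect)",Normal
'''

VALIDATION_RE = re.compile(
    r"The entity (?P<entity>[0-9a-f-]{36}) on connector (?P<connector>[0-9a-f-]{36}) "
    r"failed validation \d+ times for the following reasons: (?P<reasons>.*)",
    re.DOTALL,
)
REQUIRED_RE = re.compile(r"(\w+) is a required field and is not present")


def find_required_field_failures(log_text):
    """Return {connector_id: {missing_field: [entity_id, ...]}} from log text."""
    failures = defaultdict(lambda: defaultdict(list))
    # csv.reader copes with the quoted message column, whose stack trace spans lines.
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7:  # blank or truncated line
            continue
        # Assumed column order: date, time, summary, source, level, message, priority.
        level = row[4]
        message = ",".join(row[5:-1])  # re-join a message that held unquoted commas
        match = VALIDATION_RE.search(message)
        if level != "Warning" or match is None:
            continue
        for field in REQUIRED_RE.findall(match.group("reasons")):
            failures[match.group("connector")][field].append(match.group("entity"))
    return {conn: dict(fields) for conn, fields in failures.items()}


if __name__ == "__main__":
    for conn, fields in find_required_field_failures(SAMPLE_LOG).items():
        for field, entities in fields.items():
            print(f"connector {conn}: {len(entities)} export(s) rejected, "
                  f"required field {field} was null")
```

Grouping by connector and field shows which required field is missing from the FIM MA's attribute flow, which is the mismatch both posts above describe.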
On the Container search - receive Unable to get the hierarchy from the LDAP server.ExtensibleExtensionException: (87) Filter Error Server Message: The search filter is invalid
Created a new Adapter in Identity Broker for the Department with a DN - CN=Name,OU=Group. The objectclass is ADVDepartment.
The Adapter is created successfully and the Processed Entity Count is 16.
I created the Generic LDAP (Microsoft) MA successfully and could import the objects.
When I select the Containers from the Configure Partitions and Hierarchies pane of the MA properties I receive the following errors:
The error in the Event viewer is:
The extensible extension returned an unsupported error.
The stack trace is:
    "Microsoft.MetadirectoryServices.ExtensibleExtensionException: Unable to get the hierarchy from the LDAP server.ExtensibleExtensionException: (87) Filter Error Server Message: The search filter is invalid. Matched DN: RootCauseException: ---> System.DirectoryServices.Protocols.LdapException: The search filter is invalid.
       at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
       at Microsoft.IdentityManagement.Connector.GenericLdap.Channel.DirectoryContext.GetDirectoryEntries(String namingContext, SearchScope scope, DirectoryControlCollection directoryControls, String filter, String[] attributes)
       at Microsoft.IdentityManagement.Connector.GenericLdap.Proxy.HierarchyProxy.GetHierarchy(HierarchyNode parent, LdapDirectory directoryName)
       at Microsoft.IdentityManagement.Connector.GenericLdap.ConfigStrategy.GetHierarchy(HierarchyNode parent)
       at Microsoft.IdentityManagement.Connector.GenericLdap.GenericLdapConnector.GetHierarchy(KeyedCollection`2 configParameters, HierarchyNode parent)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityManagement.Connector.GenericLdap.ExceptionManager.ExceptionHelper.MapExceptionType(Exception exception)
       at Microsoft.IdentityManagement.Connector.GenericLdap.ExceptionManager.ExceptionHelper.SetConnectorException(Exception baseException, String errorMessage, String distinguishedName)
       at Microsoft.IdentityManagement.Connector.GenericLdap.GenericLdapConnector.ReportErrorToSyncService(String errorMessage, Exception exception)
       at Microsoft.IdentityManagement.Connector.GenericLdap.GenericLdapConnector.GetHierarchy(KeyedCollection`2 configParameters, HierarchyNode parent)
    Forefront Identity Manager 4.1.3599.0"
Remove ability to save xMA to services directory
It was decided that the xMA Generator should not allow users to save xMAs to the Service directory of Identity Broker, as this may involve writing to and cluttering an applications drive. This feature should be removed from the generator, with the FIM Instance and Download Locally options providing more than enough flexibility.
Investigate handling of inconsistent casing in container objects
QDET-97, IDBSP-29, IDBSP-36 and "IDBFIM300: The distinguished name and reference value attributes of a management agent seem to change case inexplicably" all detail issues that arise due to inconsistent casing in container objects retrieved from a target system, usually where the key field is a self-reference (such as Microsoft SharePoint). Microsoft FIM does not handle inconsistently cased container objects with great finesse, prompting the renaming and updating of all reference value fields and distinguished names in a connector space. Investigate if any appropriate measures can be introduced on the Identity Broker side to alleviate or address this issue.
Improve handling of composite adapter lookup in LDIF adapter ExportChanges
See SSICT-101. An environment with a composite adapter containing three adapters - 50000 entities in the first, 38000 in the second, and 50000 in the third. The third was requiring an update to a single field and was taking 4-9 seconds per object. This was alleviated by changing the order of the adapters such that the third adapter was made the first.
This is because the LDIF reading in the LDIF adapter relies on TryGetEntityByDN to get the object class of the object. This is done because the LDIF spec does not contain the objectclass field for updates. An improvement to this interface is required in order to allow exports in larger, time-sensitive environments to run in an efficient manner.
MA property not supported message to be improved or fixed
Refer to https://unifysolutions.jira.com/wiki/display/IDBFIM300/An+export+to+Identity+Broker+fails+with+an+ma-extension-error+and+the+Windows+Application+Event+Log+cites+an+InvalidOperationException+as+the+reason. In the cases where this error occurs, the error message should be improved to state that the generated distinguished name on the Identity Broker side is not matching the provisioning logic (or is not present).
Changing container fails with "need-full-object" on delta-import.
The following actions were taken to hit this issue:
- Connector with field decimal (not key, not required, not readonly)
- Change the value
- Delta import on an adapter with a format of CN=schemaKey,CN=decimal
The following LDIF is generated:
    version: 1

    dn: CN=c0fd28b9-5a8f-45ca-b3b9-69a60aa69c2b
    changetype: moddn
    newrdn: CN=c0fd28b9-5a8f-45ca-b3b9-69a60aa69c2b
    deleteoldrdn: 1

    dn: CN=c0fd28b9-5a8f-45ca-b3b9-69a60aa69c2b,CN=2
    changetype: modify
    replace: decimal
    decimal: 2
    -

    dn: CN=2
    changetype: add
    objectClass: container
Failing the delta import with "need-full-object".
PDF documentation can't be opened on a server
After deploying UNIFY Identity Broker for Microsoft FIM v3.0.0 (x86).msi from https://unifysolutions.jira.com/wiki/display/SUBIDBFIM/Downloads and completing my IdB 3.0.6 DEEWR configuration, I was ready to create an instance of the IdB FIM xMA ...
After installing using the default options, I found that:
(a) PDF files cannot normally be opened on a server - we might want to think of an alternative format that can, say, be opened in Wordpad, which is (almost) guaranteed to be there ... I got around this by mailing myself the file from my DEEWR email account which was the only way I could get hold of the file over a VPN. Of course I could have installed this to my XP laptop ...
UNIFY Identity Broker for Microsoft FIM v3.0.0 Configuration Guide.pdf
ILM2 option on xMA export does not work
After deploying UNIFY Identity Broker for Microsoft FIM v3.0.0 (x86).msi from https://unifysolutions.jira.com/wiki/display/SUBIDBFIM/Downloads and completing my IdB 3.0.6 DEEWR configuration, I was ready to create an instance of the IdB FIM xMA ...
After installing using the default options, I found that:
(b) Exported the "ILM xMA" file ... using the IdB Management studio my first choice was to select the third ILM 2 option (since this is the name that FIM was originally known by). This was a mistake because the MA config pointed to a Unify.Adapters.* dll which I could not locate on the server. Figuring that the PDF and naming conventions were focused on ILM2007 FP1, I re-exported using this option and found this generated an MA config which referenced the same DLL deployed by this package (Unify.Framework.ILM2007FP1Adapter.dll). This means that either (a) there is a DLL which is missing from the install, or (b) the IdB console needs to be changed to remove the third option, or (c) the generated xMA is using the wrong DLL.
I believe we should actually retain the third option but rename it to FIM 2010 ... even if it generates a file of the same format as ILM2007 ... as it is going to confuse otherwise. If so the PDF file needs to be updated to accommodate all (3?) supported versions (maybe we need to lose MIIS SP2?).
This work may well have been earmarked for future attention, but I couldn't find anything in JIRA about this already.