Identity Broker Forum
Feature request: credential passthrough for authentication to Broker's LDAP interface from within powershell connector
It would be helpful if a valid username/password (or other authentication credential object) was made available to the powershell connector, for the purpose of submitting LDAP queries back into Broker for complex data manipulation operations.
The solution outlined here currently has to store and pass the broker LDAP query credentials manually.
Hi Adrian,
This is not possible, as the passwords are encrypted in a format that cannot be reversed.
Feature request: Identity Broker 5.2 object filtering facility
I needed to filter a subset of objects from one connector or adapter (i.e. All Organisation Unit objects) to create separate connectors or adapters for just those objects (i.e. All Business Units).
There does not seem to be any way to filter using Broker's built-in functionality, so the solution I chose was to write a powershell script to perform an LDAP query against Broker and populate a new connector based on the selected subset of objects.
Please consider adding this functionality (or something equivalent) to the base Identity Broker product.
Identity Broker 5.2 LDAP interface timeout when another connector is running
In my solution, when one of my connectors is running I see timeouts when performing LDAP queries against Identity Broker containers.
My solution is a simple powershell script invoked from a Broker powershell connector, so it won't retry and the Import will fail (and presumably log an error in Broker).
You could consider adding retry logic to the PowerShell script. See this blog post as an example.
However when MIM connects to Identity Broker, it uses the same LDAP interface, so that would cause the MIM import to fail as well and report a connection error.
That seems like a significant issue to me - having Identity Broker unavailable for any queries while a connector is running is a poor situation. Can I confirm that you're effectively saying that practically speaking, Identity Broker is single-threaded?! What is the situation if the connector takes a long time to complete - is it unavailable for requests for the majority of that time?
The connector operations are performed in pages, and the lock should only be held for a single page, giving other operations a chance to run between pages. LDAP queries are similarly performed in pages, meaning the sequence of pages might end up being interleaved. Other factors such as the health of the database and hardware specifications of the server can also impact the duration that database locks are held. Please see Identity Broker Database Recommendations.
I agree that failed imports are not ideal, but solutions need to be resilient to failing operations for a number of other reasons as well. That said, we have work in the pipeline to improve database performance and context isolation to improve this situation.
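An added example (not from this thread or from UNIFY) of the kind of script the filtering request and the timeout thread above both describe: a PowerShell function that runs a paged LDAP search against Identity Broker's LDAP endpoint and retries an individual page on LdapException with capped exponential backoff, so a transient lock held while a connector run is processing its own page does not fail the whole query. The endpoint address, the bind account, the container DN and the filter are assumptions; the bind credential is supplied by the caller rather than stored in the script.

```powershell
# Added example (not from the forum thread or the UNIFY product): a paged LDAP
# search against Identity Broker's LDAP endpoint with per-page retry on timeout.
# Assumptions: host:port, bind account, container DN and search filter are
# placeholders; System.DirectoryServices.Protocols ships with .NET Framework.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-IdBEntries {
    param(
        [string]$Server = 'localhost:59001',                 # assumed host:port of the IdB LDAP endpoint
        [pscredential]$Credential,                           # IdB LDAP bind account, supplied by the caller
        [string]$BaseDn = 'OU=MyAdapter,DC=IdentityBroker',  # assumed adapter container
        [string]$Filter = '(objectClass=*)',                 # narrow to a subset, e.g. one objectClass
        [string[]]$Attributes = @('*'),
        [int]$PageSize = 500,
        [int]$MaxAttempts = 5,
        [int]$TimeoutSeconds = 120
    )

    $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $conn.Credential = $Credential.GetNetworkCredential()

    $results = New-Object System.Collections.Generic.List[object]
    try {
        $conn.Bind()
        $cookie = [byte[]]@()
        do {
            $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::OneLevel, $Attributes)
            $pageControl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
            $pageControl.Cookie = $cookie
            [void]$request.Controls.Add($pageControl)

            # Retry each page independently: a connector run holds its database lock
            # for one page at a time, so a timeout here is transient and should not
            # abort the pages already collected.
            $attempt = 0
            $response = $null
            while ($null -eq $response) {
                $attempt++
                try {
                    $response = $conn.SendRequest($request)
                }
                catch [System.DirectoryServices.Protocols.LdapException] {
                    if ($attempt -ge $MaxAttempts) { throw }
                    $delay = [int][math]::Min(60, [math]::Pow(2, $attempt))  # capped exponential backoff
                    Write-Warning ("LDAP page request failed (attempt {0}/{1}): {2}. Retrying in {3}s." -f `
                        $attempt, $MaxAttempts, $_.Exception.Message, $delay)
                    Start-Sleep -Seconds $delay
                }
            }

            foreach ($entry in $response.Entries) {
                $obj = [ordered]@{ DistinguishedName = $entry.DistinguishedName }
                foreach ($name in $entry.Attributes.AttributeNames) {
                    $obj[$name] = $entry.Attributes[$name].GetValues([string])
                }
                $results.Add([pscustomobject]$obj)
            }

            # The server returns a non-empty cookie while more pages remain
            $cookie = [byte[]]@()
            foreach ($c in $response.Controls) {
                if ($c -is [System.DirectoryServices.Protocols.PageResultResponseControl]) { $cookie = $c.Cookie }
            }
        } while ($cookie.Length -gt 0)
    }
    finally {
        $conn.Dispose()
    }
    return $results
}

# Example call with placeholder values: pull only one kind of object from an adapter
# $cred  = Get-Credential -Message 'Identity Broker LDAP account'
# $units = Get-IdBEntries -Credential $cred -Filter '(objectClass=OrganisationUnit)' -Attributes 'cn', 'name'
```

Only LdapException (client-side failures such as a timeout) is retried; a DirectoryOperationException means the server answered with an LDAP error and retrying would not help, so it propagates to the connector and is logged there.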
Schedule "Generate Changes" for an Adapter in Identity Broker
Hi,
I'm looking for scheduling "Generate Changes" for an Adapter that is using PowerShell transformation.
I had a look at using the Scheduled Jobs PowerShell activity, but the documentation online doesn't really show examples or say whether it is possible.
Please can you direct me with some examples?
Hi Alan,
As you suggested, this should be possible with a Scheduled Job similar to the following:
# Replace the placeholder with the Id (GUID) of the adapter whose changes should be generated
$adapterId = [Guid]'00000000-0000-0000-0000-000000000000'
$components.AdapterEngine.SimulateChanges($adapterId)
I'm curious what your specific use case is, because I think ultimately there's a better solution to this problem. Do you know at the time that the transformation runs when future changes will be required for each entity?
Violation of UNIQUE KEY constraint 'DF_CollectionKey_Caption'.
Identity Broker v5.2.1.0
When running an import on a connector, if you have a schema field in your connector that is the same as another connector or adapter, but only differing in casing, the import fails with the following error:
Connector processing failed. Connector Processing page 1 for connector Test2Csv failed with reason Violation of UNIQUE KEY constraint 'DF_CollectionKey_Caption'. Cannot insert duplicate key in object 'dbo.CollectionKey'. The duplicate key value is (MySecond). The statement has been terminated.. Duration: 00:00:00.0725432. Error details: System.Data.SqlClient.SqlException (0x80131904): Violation of UNIQUE KEY constraint 'DF_CollectionKey_Caption'. Cannot insert duplicate key in object 'dbo.CollectionKey'. The duplicate key value is (MySecond). The statement has been terminated.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData()
at System.Data.SqlClient.SqlDataReader.get_MetaData()
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
at System.Data.Linq.SqlClient.SqlProvider.Execute(Expression query, QueryInfo queryInfo, IObjectReaderFactory factory, Object[] parentArgs, Object[] userArgs, ICompiledSubQuery[] subQueries, Object lastResult)
at System.Data.Linq.SqlClient.SqlProvider.ExecuteAll(Expression query, QueryInfo[] queryInfos, IObjectReaderFactory factory, Object[] userArguments, ICompiledSubQuery[] subQueries)
at System.Data.Linq.SqlClient.SqlProvider.System.Data.Linq.Provider.IProvider.Execute(Expression query)
at System.Data.Linq.ChangeDirector.StandardChangeDirector.DynamicInsert(TrackedObject item)
at System.Data.Linq.ChangeProcessor.SubmitChanges(ConflictMode failureMode)
at System.Data.Linq.DataContext.SubmitChanges(ConflictMode failureMode)
at Unify.Product.IdentityBroker.Repository.EntityLinqQueryConverterUtilitiesBase`4.GetCollectionKeyData(TEntityKey key, EntityDataContext sourceContext)
at Unify.Product.IdentityBroker.Repository.EntitySingleValueDataUtilityBase`2.CreateEntityValue(TEntityKey key, IValue value, IEntityCollectionKeyUtility`1 collectionKeyUtility, EntityDataSet set, __EntityInsertRow row, EntityDataContext sourceContext)
at Unify.Product.IdentityBroker.Repository.KnownEntityContextBase`4.ConvertEntityValueToDataValue(KeyValuePair`2 entityValueAndKey, __EntityInsertRow row, EntityDataSet entityDataSet, EntityDataContext sourceContext)
at Unify.Product.IdentityBroker.Repository.KnownEntityContextBase`4.<>c__DisplayClass31_0.<convertitemtovalues>b__0(KeyValuePair`2 entityValueAndKey)
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Enumerable.<selectmanyiterator>d__17`2.MoveNext()
at Unify.Framework.Visitor.Visit[T](IEnumerable`1 visitCollection, Action`2 visitor)
at Unify.Product.IdentityBroker.Repository.KnownEntityContextBase`4.InsertItems(ISet`1 addedItems, EntityDataContext sourceContext, SqlConnection connection)
at Unify.Framework.Data.LinqContextConversionBase`4.SubmitChanges()
at Unify.Product.IdentityBroker.SaveChangedEntitiesTransformationUnit.Transform(IDictionaryTwoPassDifferenceReport`4 input)
at Unify.Product.IdentityBroker.ConnectorEntityChangeProcessor.ProcessEntities(IEnumerable`1 connectorEntities, IEnumerable`1 repositoryEntities, IEntityChangesReportGenerator`2 reportGenerator)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.PerformChangeDetectionOnConnectorEntityPage(IEnumerable`1 connectorEntities, Int32& index, Int32 entitiesProcessedSoFar, IEntityChangesReportGenerator`2 reportGenerator, IHashSet`1 seenKeys)
at Unify.Product.IdentityBroker.RepositoryChangeDetectionWorkerBase.<>c__DisplayClass11_0.<performchangedetection>b__0(IEnumerable`1 page)
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.ThreadsafeItemEvaluator.Evaluate()
ClientConnectionId:f57bfe7a-c01b-4101-87a7-e2809963b2e8
Error Number:2627,State:1,Class:14
To Reproduce:
Create two CSV connectors with duplicate schema, case sensitive. Run an import on both, recognise that the import succeeds.
Modify the schema of one of the connectors, changing only the casing of a field name. Re-run the import, and notice it fails with the exception above.
I've noticed this now across both the CSV connector and a custom connector. It also happens if you've got a field in the adapter with the same name, but differing in casing. You can test this by creating a constant field in one adapter that is the same as a unique schema field on your second connector, but only differing in casing. Run the connector import and the same error throws.
This issue is caused by the default SQL collation not matching that in code. Please use the workaround of changing the field name so that it does not clash.
If anyone comes up against this issue please let us know. Our current approach will be to add in support for new data layers, unless we get some new use cases.
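An added example (not from this thread or from UNIFY) of the pre-flight check that would have caught the clash before the import ran: a PowerShell function that takes the field names of each connector and adapter schema, folds them to lower case, and reports any name that appears with more than one spelling. The schema data is constructed for illustration; in a real deployment it would be read from the connector and adapter configuration.

```powershell
# Added example (not from the forum thread or the UNIFY product): find schema
# field names that differ only in case across connectors and adapters. The
# SQL unique key on the CollectionKey table is case-insensitive, so "MySecond"
# in one schema and "mysecond" in another clash even though the code treats
# them as distinct. Schema data below is constructed for illustration.

function Find-CaseOnlyFieldCollisions {
    param(
        # Hashtable of schema name (connector or adapter) -> array of field names
        [hashtable]$Schemas
    )

    # Flatten to (schema, field) pairs keyed on the case-folded field name
    $pairs = foreach ($schemaName in $Schemas.Keys) {
        foreach ($field in $Schemas[$schemaName]) {
            [pscustomobject]@{ Schema = $schemaName; Field = $field; Key = $field.ToLowerInvariant() }
        }
    }

    $collisions = foreach ($group in ($pairs | Group-Object -Property Key)) {
        # More than one distinct spelling within a group is a case-only clash;
        # identical spellings in several schemas are fine (they share one key).
        $spellings = @($group.Group.Field | Sort-Object -Unique -CaseSensitive)
        if ($spellings.Count -gt 1) {
            [pscustomobject]@{
                Key       = $group.Name
                Spellings = $spellings -join ', '
                Schemas   = ($group.Group | ForEach-Object { "$($_.Schema):$($_.Field)" }) -join ', '
            }
        }
    }
    return @($collisions)
}

# Constructed sample: "MySecond" vs "mysecond" clashes; "Id" and "MyFirst" repeat
# with identical casing and do not.
$sample = @{
    'Test1Csv'      = @('Id', 'MyFirst', 'MySecond')
    'Test2Csv'      = @('Id', 'MyFirst', 'mysecond')
    'PeopleAdapter' = @('Id', 'DisplayName')
}

$found = Find-CaseOnlyFieldCollisions -Schemas $sample
if ($found.Count -eq 0) {
    Write-Host 'No case-only field name collisions found.'
} else {
    $found | Format-Table -AutoSize
    # When run as a deployment step, fail here instead of on the first import
    exit 1
}
```

Running this as part of a configuration deployment turns the "Violation of UNIQUE KEY constraint" import failure into a build-time report that names both schemas and both spellings.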
Unify.Product.IdentityBroker.LDAPModifyException: Cannot add the value to the existing, non-multivalue field
There's an error being reported in MIM Sync on exports to a particular IdB connector several times a day. I haven't worried too much about it because the export actually works and the error is never exactly repeated (so it's not repeatedly failing to export the same change) - however I'm trying to clean up the monitoring so reported errors are worth looking into.
The error occurs seemingly randomly, as in there is no pattern of specific entity or time of day that I can see. It is always the same adapter, which backs on to a SQL connector talking to a SQL table (not a view). The error is always much the same except the attribute always changes - again I don't see a pattern. None of the attributes are multi-valued in the target table, IdB or MIM.
Here's an example of the error reported in MIM. I'm showing the healthcheck version so you can see the entity specified and the timestamp:
ErrorDN: CN=25600,OU=LANDesk,DC=IdentityBroker
ErrorDetail:
ErrorFirstOccurred: 2017-11-06T07:59:03
ErrorMessage: Internal Server Error #9:
Unify.Product.IdentityBroker.LDAPModifyException: Cannot add the value
41-50-53-34 to the existing, non-multivalue field Classification. at
Unify.Product.IdentityBroker.LDAPModifyRequestToEntityConverter.HandleAttributeValueAdd(IModifyRequestOperation
op, IAdapterEntity entity, IEntitySchema schema) at
Unify.Product.IdentityBroker.LDAPModifyRequestToEntityConverter.Transform(IRfcModifyRequest
sourceValue, IAdapterEntity origEntity) at
Unify.Product.IdentityBroker.ModifyRequestHandler.InnerApplyTransformation(IHandleRequestCoreRequest
request, LDAPModifyRequestToEntityConverter converter)
ErrorSyncType: export-error
ErrorType: Other
HCRecordType: FIMSync_Run_ErrorObject
MVObjectGUID: 540553ea-7e48-e711-80c7-005056a374e3
MaName: LANDesk
RunID: 6e0a6558-280f-4625-b0cc-9aea0ae83564
TimeInErrorDays: 0
_time: 2017-11-06T07:59:03
I've looked at the IdB logs for the same time but there is no error reported there. The logs agree that an export was being run to the expected connector. The only entity specifically mentioned does not match the entity reported in the MIM Sync error:
20171106,07:58:59,UNIFY Identity Broker,LDAP Engine,Information,A client has connected to the LDAP endpoint from address: 127.0.0.1:52744.,Normal
20171106,07:59:04,UNIFY Identity Broker,LDAP Engine,Information,A client has connected to the LDAP endpoint from address: 127.0.0.1:52750.,Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk Start request. Handling of LDAP Bulk Start request received from user IdBLDAP on connection 127.0.0.1:52744 completed successfully. Duration 00:00:18.1411237.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Root DSE request. Handling of LDAP Root DSE request from user IdBLDAP on connection 127.0.0.1:52750 for the Root DSE completed successfully. Duration: 00:00:13.1409918.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP search request. Handling of LDAP search request from user IdBLDAP on connection 127.0.0.1:52750 targeting DC=IdentityBroker with a scope of SingleLevel completed successfully. Duration: 00:00:12.1409653.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk End request. Handling of LDAP Bulk End request received from user IdBLDAP on connection 127.0.0.1:52744 completed successfully with operations failed: 1. Duration 00:00:16.1254477.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk Update request. Handling of LDAP Bulk Update request received from user IdBLDAP on connection 127.0.0.1:52744 completed successfully without results available for logging. Duration 00:00:17.1410874.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP bind request. Handling of LDAP bind request received on connection 127.0.0.1:52750 to connect as user IdBLDAP completed successfully. The bind was successful. Duration: 00:00:14.1410105.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:11.1096809.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP unbind request. Handling of LDAP unbind request received on connection 127.0.0.1:52744 to connect as user IdBLDAP completed successfully. Duration: 00:00:15.1410375.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:09.4690085.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:08.6408457.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP bind request. Handling of LDAP bind request received on connection 127.0.0.1:52744 to connect as user IdBLDAP completed successfully. The bind was successful. Duration: 00:00:19.1411493.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:07.6408392.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:06.6251852.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:05.6407763.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Root DSE request. Handling of LDAP Root DSE request from user IdBLDAP on connection 127.0.0.1:52750 for the Root DSE completed successfully. Duration: 00:00:04.6876294.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP change log request. Handling of LDAP change log request from user IdBLDAP on connection 127.0.0.1:52750 completed successfully. Added: 1. Modified: 0. Renamed: 0. Deleted: 0. Total: 1. Duration: 00:00:04.1407369.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP change log request. Handling of LDAP change log request from user IdBLDAP on connection 127.0.0.1:52750 completed successfully. Added: 3. Modified: 2. Renamed: 0. Deleted: 0. Total: 5. Duration: 00:00:03.1407136.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP search request. Handling of LDAP search request from user IdBLDAP on connection 127.0.0.1:52750 targeting CN=25777,OU=LANDesk,DC=IdentityBroker with a scope of BaseObject completed successfully. Results: 1. Duration: 00:00:02.1406773.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP unbind request. Handling of LDAP unbind request received on connection 127.0.0.1:52750 to connect as user IdBLDAP completed successfully. Duration: 00:00:00.0156256.",Normal
20171106,07:59:20,UNIFY Identity Broker,Change detection engine,Information,"Change detection engine import all items started. Change detection engine import all items for connector Aurion Security Records started.",Normal
Hi Carol,
The error "Cannot add the value 41-50-53-34 to the existing, non-multivalue field Classification" indicates that MIM is attempting to export an update to an entity which adds a value to a field for which the entity already has a value, and that field is not multi-valued. This isn't logged in Identity Broker as an error because as far as Identity Broker is concerned, it correctly responded to an invalid request with a failure - there is no error of processing in Identity Broker.
This usually indicates that the data in Identity Broker and the MIM connector space have grown out of sync, and can be resolved with an import + sync cycle. The fact that this issue resolves itself suggests this is likely.
Blocking a transformation for one entity
I expect the answer is No, but worth asking...
Aurion has the head of Dept's position shown as reporting to her EA. This is apparently necessary for some internal Aurion reason. However they don't want her EA appearing as her Manager all over the place (as it currently is, including in the Corporate Directory).
As I can't do an Advanced Flow Rule on a reference attribute I can't selectively block "manager" coming into the Metaverse. (I may have to implement a scoped Sync Rule just for this one flow - yuck!)
If at all possible, is there any way I can exclude one entity on the Join transformation that is generating the Manager attribute inside the IdB Adapter?
Hi Carol,
No, this is not directly possible with the Join transformation. If you're using Identity Broker v5.1 or above, you could consider using the PowerShell Transformation to remove the value (by assigning the value null) to the appropriate field of the target entity.
Identity Broker as an LDAP proxy?
From reading the documentation, I think this will be possible but I'd like to know if Identity Broker could act as an LDAP proxy, connecting to an LDAP directory and then exposing the data via LDAP. The reason for this is that the source system has unescaped trailing spaces in DNs and One Identity can't handle this (it ignores the entries entirely). So is this possible? And would IdB be able to handle and trim the unescaped trailing spaces in the Distinguished Names?
Yes Identity Broker is able to expose its data via LDAP. However, there is no out-of-the-box LDAP connector, so connectivity to your directory would need to be developed in either PowerShell or .NET.
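An added example (not from this thread or from UNIFY) of how the trailing-space problem in the question could be handled in the PowerShell connector that the answer says would be needed: a DN normaliser that splits a distinguished name into its RDNs, drops bare (unescaped) trailing spaces from each, and preserves spaces that are properly escaped. The RFC 4514 escaping rules it relies on (a backslash escapes the next character, so `\,` is not a separator and `\ ` is a legitimate trailing space) are assumptions about the source directory's format; the DNs in the self-checks are constructed.

```powershell
# Added example (not from the forum thread or the UNIFY product): normalise DNs
# whose RDN values carry unescaped trailing spaces, as a PowerShell connector
# could do while reading entries from the source directory, before they are
# stored in Identity Broker and re-exposed over its LDAP interface.
# Assumed escaping rules (RFC 4514): "\" escapes the following character, so
# "\," does not separate RDNs and "\ " (or "\20") is a space that must be kept.

function Split-DnRdns {
    param([string]$Dn)
    # Split on commas that are not escaped, keeping escape pairs intact
    $rdns = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $Dn.Length) {
        $ch = $Dn[$i]
        if ($ch -eq '\' -and $i + 1 -lt $Dn.Length) {
            [void]$current.Append($ch).Append($Dn[$i + 1])
            $i += 2
            continue
        }
        if ($ch -eq ',') {
            $rdns.Add($current.ToString())
            [void]$current.Clear()
        } else {
            [void]$current.Append($ch)
        }
        $i++
    }
    $rdns.Add($current.ToString())
    return $rdns.ToArray()
}

function Remove-BareTrailingSpaces {
    param([string]$Rdn)
    # Keep the prefix up to the last character that is not a bare space
    $keep = 0
    $i = 0
    while ($i -lt $Rdn.Length) {
        if ($Rdn[$i] -eq '\') {
            # An escape pair is content even when it encodes a space
            $i = [math]::Min($i + 2, $Rdn.Length)
            $keep = $i
            continue
        }
        if ($Rdn[$i] -ne ' ') { $keep = $i + 1 }
        $i++
    }
    return $Rdn.Substring(0, $keep)
}

function Repair-Dn {
    param([string]$Dn)
    $fixed = foreach ($rdn in (Split-DnRdns $Dn)) { Remove-BareTrailingSpaces $rdn }
    return ($fixed -join ',')
}

# Self-checks on constructed DNs
$cases = @(
    @{ In = 'CN=Smith ,OU=Users ,DC=example,DC=org'; Out = 'CN=Smith,OU=Users,DC=example,DC=org' }   # bare spaces trimmed
    @{ In = 'CN=Smith\ ,OU=Users,DC=example,DC=org'; Out = 'CN=Smith\ ,OU=Users,DC=example,DC=org' } # escaped space kept
    @{ In = 'CN=Smith\, John ,DC=example,DC=org';    Out = 'CN=Smith\, John,DC=example,DC=org' }     # escaped comma is not a separator
)
foreach ($c in $cases) {
    $actual = Repair-Dn $c.In
    if ($actual -ne $c.Out) { throw "Repair-Dn '$($c.In)' produced '$actual', expected '$($c.Out)'" }
}
'All DN normalisation checks passed.'
```

Normalising at the connector boundary keeps a single canonical DN per entry in Identity Broker, so the downstream consumer never sees the malformed form and the change log cannot report the same entry twice under two spellings.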
Timeout for connectors in Identity Broker
Is it possible to implement a timeout function for connectors doing full imports, so that if there is some kind of issue that causes the import to hang it can put an error in the logs and continue, rather than cease imports on all connectors?
Hi Tom,
Timeouts are usually handled on a per-connector basis. Is there a particular connector you are interested in?
Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
I'm trying to understand what this error means - I'm seeing this error logged a number of times a day in the IdB logs but having trouble pinning it to a specific connector.
Sometimes the line in the log is this:
20170924,02:35:24,UNIFY Identity Broker,LDAP engine,Error,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:58252 for the server schema failed with error ""Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection."". Duration: 00:00:06.0373233.",Normal
Sometimes it's this:
20170924,12:14:56,UNIFY Identity Broker,LDAP Engine,Error,"An error occurred on client from 127.0.0.1:60790. More details: Internal Server Error #11: System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection. at System.Array.Reverse(Array array, Int32 index, Int32 length) at System.Collections.Generic.Stack`1.System.Collections.ICollection.CopyTo(Array array, Int32 arrayIndex) at Unify.Framework.Collections.CallContextScope`1.get_CurrentScope() at Unify.Framework.Auditing.AuditTrailScope.Dispose() at Unify.Product.IdentityBroker.RequestHandlerAuditingDecorator.TryRetrieveHandlerReport(IDictionary`2& handlerReports) at Unify.Product.IdentityBroker.LDAPConnection.<RespondToMessageAsync>d__35.MoveNext()",Normal
Things seem to be working fine, however these errors are showing up in monitoring so I'd like to either eradicate the error, or filter it out somehow if it's of no concern.
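An added example (not from these threads or from UNIFY) that serves both the MIM export-error thread above, where the IdB log had to be read by hand to find the one "Bulk End" entry with a failed operation, and this "Offset and length" thread, where the aim is to filter or summarise repeated errors for monitoring: a small PowerShell parser for the CSV-style Identity Broker log lines quoted on this page. The column names are assumptions read off the quoted lines, and the sample lines are constructed from those quotes.

```powershell
# Added example (not from the forum threads or the UNIFY product): parse
# Identity Broker CSV log lines, list LDAP bulk operations that reported
# failures together with the client connection they arrived on, and summarise
# Error-level entries by a normalised message so a monitoring rule can key on
# a stable string. Column names are assumed from the lines quoted in the
# threads; the sample lines are constructed from those quotes.

function ConvertFrom-IdBLog {
    param([string[]]$Lines)
    $header = 'Date', 'Time', 'Product', 'Component', 'Level', 'Message', 'Flag'
    $Lines | Where-Object { $_.Trim() } | ConvertFrom-Csv -Header $header
}

function Get-IdBFailedBulkOperations {
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        if ($e.Message -notmatch 'operations failed: (?<count>\d+)') { continue }
        $failed = [int]$Matches['count']
        if ($failed -eq 0) { continue }
        # The connection address ties the failed bulk operation back to the
        # client (for example the MIM export run) that sent it.
        $conn = ''
        if ($e.Message -match 'on connection (?<addr>[\d\.]+:\d+)') { $conn = $Matches['addr'] }
        [pscustomobject]@{
            Timestamp  = "$($e.Date) $($e.Time)"
            Component  = $e.Component
            Connection = $conn
            Failed     = $failed
        }
    }
}

function Get-IdBErrorSummary {
    param([object[]]$Entries)
    $keyed = foreach ($e in $Entries) {
        if ($e.Level -ne 'Error') { continue }
        # Strip the parts that vary per occurrence (client port, duration,
        # server error counter) so identical faults collapse into one row.
        $key = $e.Message
        $key = $key -replace '127\.0\.0\.1:\d+', '127.0.0.1:<port>'
        $key = $key -replace 'Duration: [\d:.]+', 'Duration: <n>'
        $key = $key -replace 'Internal Server Error #\d+', 'Internal Server Error #<n>'
        [pscustomobject]@{ Component = $e.Component; Key = $key }
    }
    $keyed | Group-Object -Property Key |
        ForEach-Object { [pscustomobject]@{ Count = $_.Count; Component = $_.Group[0].Component; Message = $_.Name } } |
        Sort-Object Count -Descending
}

# Constructed sample lines, adapted from the log excerpts quoted in the threads
$sampleLines = @(
    '20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk End request. Handling of LDAP Bulk End request received from user IdBLDAP on connection 127.0.0.1:52744 completed successfully with operations failed: 1. Duration 00:00:16.1254477.",Normal'
    '20171106,08:14:02,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk End request. Handling of LDAP Bulk End request received from user IdBLDAP on connection 127.0.0.1:52810 completed successfully with operations failed: 0. Duration 00:00:03.0100000.",Normal'
    '20170924,02:35:24,UNIFY Identity Broker,LDAP engine,Error,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:58252 for the server schema failed with error ""Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection."". Duration: 00:00:06.0373233.",Normal'
    '20170924,09:01:10,UNIFY Identity Broker,LDAP engine,Error,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:60123 for the server schema failed with error ""Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection."". Duration: 00:00:04.1200000.",Normal'
)

$entries = ConvertFrom-IdBLog -Lines $sampleLines
Get-IdBFailedBulkOperations -Entries $entries | Format-Table -AutoSize
Get-IdBErrorSummary -Entries $entries | Format-Table -AutoSize -Wrap
```

The normalised Message column from the summary is the string to put in the monitoring filter: it stays the same across occurrences because the port, duration and error counter have been replaced, while the Count shows whether a known-benign error is holding steady or starting to climb.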