Identity Broker Forum
Welcome to the community forum for Identity Broker.
Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.
Delta Imports timeout - can it be changed?
I am seeing timeout issues while trying to perform a delta import from Identity Broker. MIM just reports stopped-extension-dll-exception with no other detail, but in event viewer I see event id 6803.
The management agent "XXXXXX" failed on run profile "DI" because the server encountered errors.
Then event ID 6801:
The extensible extension returned an unsupported error.
The stack trace is:
"Unify.Product.IdentityBroker.LdapOperationException: Error during processing of SearchRequest targetting cn=changelog: Operation timed out while waiting for message queue with id of 14. ---> System.OperationCanceledException: Operation timed out while waiting for message queue with id of 14.
at Unify.Product.IdentityBroker.LdapConnection.GetMessage(Int32 messageId)
at Unify.Product.IdentityBroker.SearchRequest.Send(Func`2 send, Func`2 recv)
at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
at Unify.Product.IdentityBroker.LdapConnectionProxy.<SearchRequestPaged>d__8.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.<GetChangedEntriesPaged>d__30.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext()
at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.3.2266.0"
The corresponding time in IDB log has
26/Sep/2018 10:11:17
Information
LDAP engine Handling of LDAP unbind request.
Handling of LDAP unbind request received on connection 127.0.0.1:61732 to connect as user ******** completed successfully. Duration: 00:00:00.
Is there a setting somewhere that will let me increase IDB LDAP timeouts? I could not find one, but it has been a few years since I used the product.
What web services have to be set up to support provisioning/sync of users and locations to HPRM 8.3?
I am looking at https://voice.unifysolutions.net/knowledge-bases/7-unifybroker-knowledge/categories/95-unifybrokermicro-focus-content-manager/articles but it is not clear what the customer has to set up to allow me to fulfill the following requirements for provisioning and sync to HPRM 8.3:
- Add/sync location
- Assign a location to a parent location
- Add sync user
- Assign a user to a location
Hi Bob
I've updated the prerequisites page to hopefully be more clear.
Does this answer your question?
EntitySchemaValidationException: C could not be parsed into a valid DN
I've created an AD connector to manage AD groups. The groups can export fine from Broker, including members. However when attempting to import the groups again from AD, I get the following error:
Change detection engine import all items failed. Change detection engine import all items for connector AD Groups failed with reason One or more errors occurred.. Duration: 00:00:00.1718731
Error details:
System.AggregateException: One or more errors occurred. ---> Unify.Product.IdentityBroker.EntitySchemaValidationException: C could not be parsed into a valid DN. ---> System.ArgumentException: String C is not of a proper distinguished name component format. Ensure characters are correctly escaped, and that the format is correct.
at Unify.Framework.IO.DistinguishedNameComponent.CreateDNComponent(String dnComponentString)
at Unify.Framework.IO.DistinguishedNameConversionFromString.CreateDistinguishedName()
at Unify.Product.IdentityBroker.EntityDistinguishedNameTypeSchemaValidator.CreateValue(Object dataValue)
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.EntityDistinguishedNameTypeSchemaValidator.CreateValue(Object dataValue)
at Unify.Product.IdentityBroker.EntityMultiValueValidatorFactoryBase`3.<>c__DisplayClass1_0.<GetValidator>b__0(Object value)
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.EntityMultiValueObjectTypeSchemaValidator`3.CreateValue(Object dataValue)
at Unify.Connectors.AD.LDAPValueTypeOperations.AddValueToEntity(IConnectorEntity connectorEntity, IEntitySchemaFieldDefinition valueType, DirectoryAttribute attribute)
at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at Unify.Framework.Collections.EnumerableExtensions.<ActionOnLast>d__10`1.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<GetAllEntitiesAsync>b__0(IEnumerable`1 entities)
at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass7_0`1.<CreateAndSendLogEntryAsync>b__0(Task`1 t)
at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.<TaskContinueWithExceptionPassthough>b__0(Task`1 t)
at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.EventNotifierReadingAsyncConnectorDecoratorBase`1.<GetAllEntitiesAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.<ImportAllChangeProcess>d__6.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.RunBase()
at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.<Run>b__0()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)
---> (Inner Exception #0) Unify.Product.IdentityBroker.EntitySchemaValidationException: C could not be parsed into a valid DN. ---> System.ArgumentException: String C is not of a proper distinguished name component format. Ensure characters are correctly escaped, and that the format is correct.
at Unify.Framework.IO.DistinguishedNameComponent.CreateDNComponent(String dnComponentString)
at Unify.Framework.IO.DistinguishedNameConversionFromString.CreateDistinguishedName()
at Unify.Product.IdentityBroker.EntityDistinguishedNameTypeSchemaValidator.CreateValue(Object dataValue)
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.EntityDistinguishedNameTypeSchemaValidator.CreateValue(Object dataValue)
at Unify.Product.IdentityBroker.EntityMultiValueValidatorFactoryBase`3.<>c__DisplayClass1_0.<GetValidator>b__0(Object value)
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.EntityMultiValueObjectTypeSchemaValidator`3.CreateValue(Object dataValue)
at Unify.Connectors.AD.LDAPValueTypeOperations.AddValueToEntity(IConnectorEntity connectorEntity, IEntitySchemaFieldDefinition valueType, DirectoryAttribute attribute)
at Unify.Connectors.AD.ADConnector.TransformEntry(ADAgent agent, SearchResultEntry searchResultEntry, Int64& uSNChangedToken)
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at Unify.Framework.Collections.EnumerableExtensions.<ActionOnLast>d__10`1.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.AuditReadingAsyncConnectorDecorator.<>c__DisplayClass1_0.<GetAllEntitiesAsync>b__0(IEnumerable`1 entities)
at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass7_0`1.<CreateAndSendLogEntryAsync>b__0(Task`1 t)
at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass5_0`1.<TaskContinueWithExceptionPassthough>b__0(Task`1 t)
at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.EventNotifierReadingAsyncConnectorDecoratorBase`1.<GetAllEntitiesAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.ChangeDetectionImportAllAsyncJob.<ImportAllChangeProcess>d__6.MoveNext()<---
The only multi valued field is the members field.
Difference Report on Pending Changes for Full Sync
As part of an upgrade activity on an MA, we were required to deliver a difference report on the data as it would appear pre vs post synchronisation of the upgrade MA. This was done to better understand and review what attributes would be updated when a full sync of the upgraded MA would occur in PROD.
We were able to achieve this deliverable by exporting two CSVs of the data pre & post synchronisation, and doing a data comparison in a third party app. This could be simplified if Identity Broker Plus could generate a difference report for full syncs to ensure that the MA update is producing clean data.
This report could vary in detail, but as a first pass being able to see a count of the new and updated identities and attributes would be preferable.
HPRM provisioning error
UNIFYBroker 5.3.1
HP Trim Connector 5.3.0.0
Currently getting the following error on user provision to HPRM:
System.ArgumentException: Could not parse uri string "genericuser" to long value for setting uri of reference field LocationUseProfileOf.
at Unify.Product.IdentityBroker.RequestFactory`2.SetLocationPropertyRefValue[TRef](PropertyIds propertyId, IConnectorEntity data, Func`1 createRef, Action`1 assign)
at Unify.Product.IdentityBroker.LocationRequestFactory.CreateComponent(ILocationRequestFactoryInformation info)
at Unify.Product.IdentityBroker.HPTrimV8WebRequests.AddLocationRequest(IConnectorEntity data)
at Unify.Product.IdentityBroker.HPTrimV8WebCommunicator.AddLocations(IEnumerable`1 data, Guid connectorId, IWebServiceCommunicatorInformation information, CancellationToken cancellationToken)
at Unify.Product.IdentityBroker.HPTrimWebCommunicatorDecorator.AddLocations(IEnumerable`1 data, Guid connectorId, IWebServiceCommunicatorInformation information, CancellationToken cancellationToken)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Unify.Product.IdentityBroker.HPTrimWebCommunicatorDecorator.AddLocations(IEnumerable`1 data, Guid connectorId, IWebServiceCommunicatorInformation information, CancellationToken cancellationToken)
I suspect that this is due to a user with the URI of 'genericuser' not existing within HPRM.
Can you please confirm?
All objects reported as changed on import
When a Full Import on a Connector is performed, all entities are reported as having changed data every time the import is run. This is causing issues as processing time is longer than necessary and Adapter processing can queue up during peak times.
The Connector in question has a large number of attributes including several multivalued fields. All multivalued fields are sorted and uniqueness is enforced so I do not believe any attributes are changing.
I have cleared the Adapter and Connector and it still occurs. The same Connector and Adapter is run on another server and does not experience the same issue.
Is there a way to determine which attribute is being reported as changed?
Baseline sync error: Execution Timeout Expired
I keep getting the below error for the link's baseline outgoing sync to AD. I have tried to restart the IdB service but there was no improvement. I don't have DB Admin rights as it is a PROD env and a shared SQL cluster. I just wonder what I can do to troubleshoot it?
Synchronization job failed syncing 40800 changes on the 'AD Link' link from the locker to adapter with the reason Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding.. Job ID: e6165705-b8bf-4e86-953e-c1394ae692c8 Duration: 00:16:54.3542205
Error details:
System.Data.SqlClient.SqlException (0x80131904): Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding. ---> System.ComponentModel.Win32Exception (0x80004005): The wait operation timed out
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlDataReader.TrySetMetaData(_SqlMetaDataSet metaData, Boolean moreInfo)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData()
at System.Data.SqlClient.SqlDataReader.get_MetaData()
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
at System.Data.Linq.SqlClient.SqlProvider.Execute(Expression query, QueryInfo queryInfo, IObjectReaderFactory factory, Object[] parentArgs, Object[] userArgs, ICompiledSubQuery[] subQueries, Object lastResult)
at System.Data.Linq.SqlClient.SqlProvider.ExecuteAll(Expression query, QueryInfo[] queryInfos, IObjectReaderFactory factory, Object[] userArguments, ICompiledSubQuery[] subQueries)
at System.Data.Linq.SqlClient.SqlProvider.System.Data.Linq.Provider.IProvider.Execute(Expression query)
at System.Data.Linq.DataQuery`1.System.Collections.Generic.IEnumerable<T>.GetEnumerator()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Framework.Data.LinqWhereQuery`5.GetEnumerator()
at Unify.Framework.QueryableExtensions.<AutoStream>d__2`1.MoveNext()
at System.Linq.Lookup`2.Create[TSource](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer)
at System.Linq.Enumerable.ToLookup[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector)
at Unify.Framework.QueryableExtensions.StreamToLookup[TKey,TElement](IOrderedQueryable`1 collection, Func`2 keySelector, Int32 pageSize)
at Unify.Product.Plus.JoinExecutor`2.Execute(IEnumerable`1 sourceEntities, IQueryable`1 targetEntities)
at Unify.Product.Plus.LinkSynchronizer`2.JoinAndMap(IEnumerable`1 filterResult, IDictionary`2 changesDict)
at Unify.Product.Plus.Link.SynchronizeLockerChanges(IEnumerable`1 changes)
at Unify.Framework.Notification.NotifierDecoratorBase.Notify[TResult](ITaskNotificationFactory notificationFactory, Func`1 function)
at Unify.Product.Plus.LinkAuditingDecorator.SynchronizeLockerChanges(IEnumerable`1 changes)
at Unify.Product.Plus.LockerToAdapterSynchronizationJob.RunBase()
at Unify.Product.Plus.SynchronizationJobExecutor.<ThreadAction>d__8.MoveNext()
ClientConnectionId:e4b00f30-9b86-4cae-a54c-a96f2f4dc552
Error Number:-2,State:0,Class:11",Normal
20180904,07:19:04,UNIFY Identity Broker,"Void OnError(System.Data.SqlClient.SqlException, Boolean, System.Action`1[System.Action])",Error,".Net SqlClient Data Provider:
System.Data.SqlClient.SqlException (0x80131904): Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding. ---> System.ComponentModel.Win32Exception (0x80004005): The wait operation timed out
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
Queuing a baseline synchronization job requires generating sync changes for all entities on both sides of the link, which again is a SQL-heavy operation. Do you know the hardware specifications of the SQL Server cluster or any of its configuration settings that might impact SQL performance? Do you know of any differences between how it's configured between this environment and the previous environment?
PowerShell connector intermittently hanging on Polling import
I have an intermittent problem with particular PowerShell connectors that intermittently hang on the Polling import - in that the connector displays as running the polling import for days, from the logs nothing is happening, and the only way to stop it is to restart the IDB service.
I have three connectors that connect to Exchange (two different Exchange environments), and we have seen the problem on all three connectors, in all three environments (dev, test, prod). I have other PowerShell connectors that do not have this problem. We have also never seen the problem on the Import All.
The three connectors run the same script, just with different parameters. I have added detailed logging for Polling runs and can't find a pattern - the log files stop at different places. Sometimes it's while collecting data from Exchange, but just as often it's after the script has closed the connection to Exchange and is looping through updating the entities in IDB.
Is there any way to enforce a timeout in the PowerShell connector?
Minimal AD delegate rights for UNIFYBroker/Active Directory service account
I do not want to give more permission than is needed (i.e. no Domain Admin right). Hence please advise the minimal AD delegate rights that the UNIFYBroker service account requires to:
- Create new users
- Modify attributes of existing users
- Move users from one OU to another
- Suspend/activate a user (userAccountControl)
- Set the initial password and set that users must change password at the next logon
- Reset/change password for an existing user
Thanks
Hi Huu,
As you’re probably aware, AD permissions can get extremely complicated and can be done in a number of ways. For example, the topic on Implementing Least-Privilege Administrative Models is a 40-minute read - and it merely introduces the concepts and references countless other articles.
The approach that we recommend for Active Directory is to provide the use cases to the Active Directory administrator - so that they can create an account with least-privileges that works within their security model framework. As with all connectors, if this information can be condensed into a common set of recommendations, we would include this information in our documentation as either a set of prerequisites or as options/guidelines.
Thanks.
Attributes with the same name - Read-Only problem in MIM
UNIFYBroker v5.3.1
Aurion API Connector v5.3.0
MIM 2016SP1 - 4.4.1749.0
Problem:
I have an 'Aurion Person' adapter and an 'Aurion ESS' adapter - each with an attribute called PersonNumber.
In 'Aurion Person' the attribute is read-only, in 'Aurion ESS' the attribute is not read-only.
Broker settings - Single Schema mode is false.
When I create the Aurion ESS Management Agent in MIM and attempt to set up an export attribute flow to PersonNumber, MIM reports that the attribute is read-only.
It makes no difference if I create the ESS management agent before the Person management agent (even in a vanilla MIM database).
If I apply a rename transform to the PersonNumber in the ESS adapter, I am able to set up an export attribute flow to the renamed attribute (i.e., ESSPersonNumber).
Question:
Is it a specific requirement for Broker to maintain unique attribute names throughout different adapters?
Closing as LDAP was providing the correct information to MIM, and no other information was provided. Feel free to re-open if the issue persists or resurfaces.