Identity Broker Forum


0
Fixed

One Identity error connecting to LDAP gateway

When attempting to connect to the LDAP gateway from One Identity's LDAP connector, One Identity is throwing an error regarding it:


2018-07-13 00:50:51.1156 FATAL UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Error parsing condition.
syntax error!
Value "" was found, but one of the following values expected.

Unfortunately it's not a very helpful error.


The full logs of what One Identity is doing are as follows:


2018-07-13 00:50:46.7972 TRACE UFY-1IM-WEB01\UFYAdmin (SqlLog ) : -- Connection 1 switched from Working to Available 
2018-07-13 00:50:50.8968 TRACE UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Simple LdapSearch BaseDN: '', SearchScope: 'Base', Filter: '(objectclass=*)', RequestAttributes: 'subschemaSubentry' 
2018-07-13 00:50:50.9594 TRACE UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : LdapSearchResult code: 'Success' entries: '1' 
2018-07-13 00:50:50.9594 TRACE UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Schema DN is 'cn=schema' 
2018-07-13 00:50:50.9594 TRACE UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Simple LdapSearch BaseDN: 'cn=schema', SearchScope: 'Base', Filter: '(objectclass=*)', RequestAttributes: 'ldapSyntaxes,attributeTypes,matchingRules,matchingRuleUse,objectClasses' 
2018-07-13 00:50:51.0062 TRACE UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Got 16 elements of type 'ldapsyntaxes' 
2018-07-13 00:50:51.0843 TRACE UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Got 34 elements of type 'matchingrules' 
2018-07-13 00:50:51.1156 FATAL UFY-1IM-WEB01\UFYAdmin (SystemConnector ) : Error parsing condition.
syntax error!
Value "" was found, but one of the following values expected.


In the logs, we can see that it's requesting certain attributes from Broker:

'ldapSyntaxes,attributeTypes,matchingRules,matchingRuleUse,objectClasses'

And this can also be seen from a Wireshark trace:

Image 4875


But when Broker responds, we're only sending back 4 attributes:


Image 4876


I'm unsure if that's the cause of the issue, as One Identity doesn't provide any more information regarding the connection. But it's the only discrepancy that I can see.


The pcap file is also attached for reference.

Output.pcap

Answer

Here's a patch which corrects the format of the matchingrule attribute. There were a few missing parameters, one of which was required, so I'm hoping this is the fix.

Unify.IdentityBroker.LDAP.dll
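
The patch above concerns a matchingRules value that lacked a required parameter. As an added example (not Identity Broker or One Identity code), this checks matchingRules values read from the schema entry against the RFC 4512 MatchingRuleDescription grammar, where the leading numeric OID and SYNTAX are mandatory; the sample values, including the 'oidMatch' alias, are constructed.

```python
import re

# Tokens of an RFC 4512 schema description: parentheses, quoted strings, bare words.
_TOKEN = re.compile(r"\(|\)|'(?:[^'\\]|\\.)*'|[^\s()']+")
_NUMERICOID = re.compile(r"^\d+(\.\d+)+$")


def _fields(body):
    """Map each keyword after the OID to its value (string, list, True or None)."""
    fields, i = {}, 1
    while i < len(body):
        key = body[i]
        i += 1
        if key == "OBSOLETE":                       # flag, takes no value
            fields[key] = True
        elif i < len(body) and body[i] == "(":      # list, e.g. NAME ( 'a' 'b' )
            end = body.index(")", i) if ")" in body[i:] else len(body)
            fields[key] = body[i + 1:end]
            i = end + 1
        elif i < len(body):                         # single value
            fields[key] = body[i]
            i += 1
        else:                                       # keyword with nothing after it
            fields[key] = None
    return fields


def check_matching_rule(value):
    """Return the problems found in one matchingRules value; empty list means OK."""
    tokens = _TOKEN.findall(value)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        return ["not a parenthesised description"]
    body = tokens[1:-1]
    problems = []
    if not _NUMERICOID.match(body[0]):
        problems.append("first element is not a numeric OID")
    fields = _fields(body)
    if "SYNTAX" not in fields:
        problems.append("missing required SYNTAX")
    elif not (isinstance(fields["SYNTAX"], str) and _NUMERICOID.match(fields["SYNTAX"])):
        problems.append("SYNTAX is not a numeric OID")
    return problems


# Constructed sample values, as they would appear on the cn=schema entry.
SAMPLE = [
    "( 2.5.13.2 NAME 'caseIgnoreMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 2.5.13.2 NAME 'caseIgnoreMatch' )",
    "( 2.5.13.0 NAME ( 'objectIdentifierMatch' 'oidMatch' ) SYNTAX )",
]
REPORT = {v: check_matching_rule(v) for v in SAMPLE}
```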

0
Fixed

Case Sensitive DN Error in LDAP Gateway

Matthew Davis (Technical Product Manager) 7 years ago updated by Adam van Vliet 7 years ago 2 1 duplicate

When generating a DN with a non-keyed field in an adapter, if duplicate DNs are generated, a reflection error is thrown regarding the duplicate.


However, if the DN field being used has case-insensitive duplicates, reflection runs without issues, but an error is thrown on the LDAP gateway while attempting to perform a delta import:

An error occurred for gateway LDAP Gateway (6210ccad-9e16-419e-85aa-b3bf94bfacfd) on client from 127.0.0.1:56636. More details:
Internal Server Error #11: System.Exception: A task faulted. See inner exception for details. ---> System.ArgumentException: An item with the same key has already been added.
at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer)
at Unify.Product.IdentityBroker.CachedAdapterContext.GetEntitiesByKeyValues(IEnumerable`1 values)
at Unify.Product.IdentityBroker.ChangeLogRequestHandler.<>c__DisplayClass9_3.<normalsearch>b__3(IGrouping`2 group)
at Unify.Framework.Visitor.Visit[T](IEnumerable`1 visitCollection, Action`2 visitor)
at Unify.Product.IdentityBroker.ChangeLogRequestHandler.<>c__DisplayClass9_2.<normalsearch>b__1()
at System.Lazy`1.CreateValue()
at System.Lazy`1.LazyInitValue()
at Unify.Product.IdentityBroker.ChangeLogToLDAPEntryConverter.EntryUuidAttributeValue(IChangeLogItem sourceValue, IDictionary`2 partialAttributes)
at Unify.Product.IdentityBroker.ChangeLogToLDAPEntryConverter.Transform(IChangeLogItem sourceValue)
at Unify.Product.IdentityBroker.ChangeLogRequestHandler.<normalsearch>d__9.MoveNext()
at Unify.Product.IdentityBroker.ForwardLookingEnumerator`1.MoveNext()
at Unify.Product.IdentityBroker.LDAPEngineExtensions.<takefromenumerator>d__1`1.MoveNext()
at Unify.Product.IdentityBroker.SearchRequestHandlerBase.<finalizesearchresults>d__12.MoveNext()
at Unify.Framework.Visitor.Visit[T](IEnumerable`1 visitCollection, Action`2 visitor)
at Unify.Product.IdentityBroker.SearchRequestHandlerBase.HandleRequest(IRfcLdapMessage message, CancellationToken token, Action`1 postAction)
at Unify.Product.IdentityBroker.ChangeLogRequestHandler.<handlerequest>d__4.MoveNext()
--- End of inner exception stack trace ---
at Unify.Framework.Auditing.AuditingExtensions.<>c__DisplayClass4_0.<taskcontinuewithexceptionpassthough>b__0(Task t)
at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Unify.Product.IdentityBroker.LDAPConnection.<respondtomessageasync>d__35.MoveNext()

It would be good if, upon DN generation, a case-insensitive comparison was done to ensure that no duplicates are present (since case-sensitive DNs are not treated as different objects in consuming LDAP applications).

Answer

Done. Will be included in next release.
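
The check requested in this thread, as an added example that is not part of the original posts or of Identity Broker: group generated DNs by a case-folded key so that collisions surface before the gateway builds its lookup. It assumes single-valued RDNs whose attributes use case-ignore matching; the entity ids and DNs are constructed.

```python
from collections import defaultdict


def split_rdns(dn):
    """Split a DN string on commas that are not backslash-escaped."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def dn_key(dn):
    """Comparison key: attribute types and values case-folded, spacing collapsed."""
    key = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        key.append((attr.strip().casefold(), " ".join(value.split()).casefold()))
    return tuple(key)


def find_dn_collisions(entities):
    """Return groups of entity ids whose DNs are equal ignoring case."""
    groups = defaultdict(list)
    for entity_id, dn in entities:
        groups[dn_key(dn)].append(entity_id)
    return [ids for ids in groups.values() if len(ids) > 1]


# Constructed sample: e1 and e2 differ only in case and spacing.
SAMPLE = [
    ("e1", "CN=John Smith,OU=Staff,DC=example,DC=com"),
    ("e2", "cn=john smith, ou=staff, dc=example, dc=com"),
    ("e3", "CN=Smith\\, John,OU=Staff,DC=example,DC=com"),
    ("e4", "CN=Jane Doe,OU=Staff,DC=example,DC=com"),
]
COLLISIONS = find_dn_collisions(SAMPLE)
```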

0
Completed

Allow UNIFYBroker to run as an executable in an environment that doesn't have a console

Adam Bradley 7 years ago updated by Adam van Vliet 7 years ago 5

Service will not run in a Windows Kubernetes container without this capability

Answer
Adam van Vliet 7 years ago

Will be in the next v5.3 release.

0
Answered

time offset and sliding date window

Jerry Natarajan 7 years ago in UNIFYBroker/Frontier ichris/chris21 updated by Adam van Vliet 7 years ago 4

Unify.Product.IdentityBroker.AdapterEnginePlugInKey.extensibility.config.xml

Hi,

I need some help with 2 items: time offset and sliding date window in IdB Adapter transformations for a customer. They have chris21 as the source system.

IdB version: 4.1

Q1: Sliding Date Window

When an employee starts on a new position from a specific date (i.e. 05 June 2018), the data flows in the connector and the data transformation is applied a day earlier (i.e. on 04th June 2018). The implication is the job title is changed the day before the correct date. The customer wants to know what's wrong.

The transformation as configured: 

Image 4863


Q2: Time offset

When a user is terminated in chris21, he gets a termdate set and a simple transformation is applied to set the terminated flag as "True"/"False". But, for example, if a user's term date is 02 July 2018, by logic, it should add 24 hrs and set the terminated flag to "true" at 03 July 2018 midnight, but the terminated flag is set to "true" only around the middle of the next day (i.e. 04 July 2018 midday). Need some help fixing this issue.


Image 4865


Please help me find where the issue is. I really appreciate it, and thanks in advance.


I have attached the adapter XML for reference, if you want it. Thanks.


Answer

A1: What are the values for posstart and posend fields? A Broker Date field is a timestamp with the time component forced to 00:00:00, so even if the timestamp value from chris is 4-6-2018 23:59:59, the corresponding date value in Broker will be 4-6-2018. Use the offset fields to adjust.

A2: Looking at your configuration, the sliding date window from Q1 is configured for local date values but the time offset flag transformation is not. Figure out what the correct setting should be, then if the flag is still being set incorrectly, follow the same process from A1. Also, the offset used should be whole days for date fields due to the explanation above.

0
Fixed

Connector Groups duplicating membership

Matthew Davis (Technical Product Manager) 7 years ago updated by Adam van Vliet 7 years ago 3

Group IDs are being duplicated on connectors when modifying group membership, and not being removed on deletion.


Reproduction steps:

  1. Create multiple connectors
  2. Create connector group
  3. Add a few connectors to group. Save group
    1. At this point, note the configuration file adds the group ID to the connector configs
  4. Modify group again, adding another connector
    1. At this point, note that the original connectors added to the group now have two entries for group ID in the connector config. The new connector has one entry for group ID.
  5. Modify group again, removing one of the original connectors
    1. At this point, note that only one of the IDs is removed from the configuration
  6. Modify group again
    1. At this point, note that the connector removed in the previous step is still marked as being a member of the group
  7. Delete group
    1. At this point, note that group IDs do not get removed from the connector configuration.



Answer
Adam van Vliet 7 years ago

Available in the next v5.3.x release.

0
Fixed

Join Transformation won't save with no attributes mapped

Matthew Davis (Technical Product Manager) 7 years ago updated by Curtis Lusmore 7 years ago 3

When attempting to create and save a join transformation, the following error presents when attempting to save the transform without any attributes mapped:

Image 4859

If I edit the configuration to remove the mappings, the transformation performs as expected, which confirms that they are not actually required by the service.
The transformation should let you configure and save without any mapped attributes.

Answer
Curtis Lusmore 7 years ago

Hi Matt,

Please try again with the following patch placed into the appropriate Web/bin directory: Unify.Connect.Web.Transformations.dll

0
Fixed

Adapter DN / container change not displaying warning

Matthew Davis (Technical Product Manager) 7 years ago updated 6 months ago 2

As per the documentation ( https://voice.unifysolutions.net/knowledge-bases/7/articles/2873-adapter-overview ), a change in the DN template for an adapter should generate a warning for clearing precalculated entities and generating changes again to ensure entities are updated appropriately.

There appears to be a bug in 5.3.1, where changing the DN template does not generate a warning on the UI or in the logs. 

It would be good if the warning could be also generated for a change in the adapter object class or container name, if appropriate.

Answer

This has been implemented and is available in the release of UNIFYConnect V6, which will be made available shortly.

DN template warning shows on the homepage. 

Change in adapter object class or container name will force the adapter to be cleared upon saving.

0
Declined

Dates viewing and exposing in different formats

Matthew Davis (Technical Product Manager) 7 years ago updated 6 years ago 3

When a date field is configured on a connector / adapter in UNIFYBroker, it displays in the entity view table in a friendly format (such as 04/Jul/2014). However, when exposed into a PowerShell transformation or downstream, it is exposed in a different format (2014-07-04T00:00:00.000)

This is also true for the Timestamp field, which displays in the entity view table as something like 04/07/2014 12:00:00 AM

It would be good if you could see the raw date format as exposed by the gateways, as well as a formatted date for easier reading.

It would also be good to get some consistency across the formats that are displayed in the entity view tables.

0
Completed

Validate CSV File exists on connector creation

Matthew Davis (Technical Product Manager) 7 years ago updated 6 months ago 3

If you add a CSV connector, and in the file path you put a CSV that doesn't exist, the workflow is a bit unfriendly. It creates the connector (which isn't obvious), but redirects you to the homepage with the following screen:

Image 4846


This seems to happen because it tries to load the CSV file to get the schema but can't.
I feel like it would be better to validate the file exists when creating the connector. If it doesn't, either throw an error that stops creation - or still show the connector page but show a schema error further down.

On another funny note, if you navigate to the connector page after creation, this is what displays:

Image 4847


It has trouble loading the connector image URL - it puts something really really funny into the image link:
<img alt="Unify.Connectors.CSV - The CSV connector allows for manipulation of a source CSV file. Useful for solution testing." class="AutoThumbnail" src="1b175bc1-da20-4064-9d74-d43e5744931f.connector" style="vertical-align: middle;" title="Unify.Connectors.CSV - The CSV connector allows for manipulation of a source CSV file. Useful for solution testing.">

Only fixes when you go into "edit connector" and "save". Saves successfully and shows the correct image after (even if the csv file still doesn't exist).

Answer

This has been implemented and is available in the release of UNIFYConnect V6, which will be made available shortly.

0
Answered

Error -2147467259: failed to create SQL database: UnifyIdentityBroker, error detail: unknown error.

Matthew Davis (Technical Product Manager) 7 years ago updated by Adam van Vliet 7 years ago 3

On installing UNIFYBroker with the database server being remote, the following is logged by the installer:

CreateDatabase:  Error 0x80004005: failed to create to database: 'UnifyIdentityBroker', error: unknown error
MSI (s) (2C!88) [11:12:22:654]: Product: UNIFYBroker/Service v5.3.1 RC1 -- Error 26201. Error -2147467259: failed to create SQL database: UnifyIdentityBroker, error detail: unknown error.

Error 26201. Error -2147467259: failed to create SQL database: UnifyIdentityBroker, error detail: unknown error.
CustomAction CreateDatabase returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

Answer
Adam van Vliet 7 years ago

Thanks Adam.

Turns out the SQL Server Browser service was disabled by default from the SQL installer. Enabling and starting it resolved the issue.