Identity Broker Forum


0
Answered

A user interface could not be located for this agent type

Carol Wapshere 7 years ago in UNIFYBroker/Aurion updated by Adam van Vliet 7 years ago 2

I have installed the following:

UNIFY Identity Broker Service v5.2.1 RTM

UNIFY Identity Broker for Microsoft Identity Manager v5.1.0 RTM

UNIFY Identity Broker for Aurion v5.0.1 x64

When I try to create an Aurion agent it is listed in the drop-down as an option but then when I click "Create Agent" I get this:


A user-interface could not be located for this agent type. The list of known types are:

  • Unify.Agent.FTP (FTP Agent)
  • Unify.Agent.SqlServerDatabase (SQL Server Database Agent)
  • Unify.Agent.OracleDb (Oracle Database Agent)
  • Unify.Agent.OleDb (Ole Database Agent)
  • Unify.Agent.Aurion (Aurion agent)


I have tried restarting the service and rebooting.

Answer
Adam van Vliet 7 years ago

Is that set of installed versions correct? You'll need to update the Identity Broker for Aurion to v5.2 (https://voice.unifysolutions.net/forums/7-identity-broker-knowledge/topics/3419-identity-broker-for-aurion-downloads/).

0
Answered

accountExpires in AD User Connector

Huu Tran 7 years ago in UNIFYBroker/Microsoft Active Directory updated by Curtis Lusmore 7 years ago 1

How can I retrieve the accountExpires field in the AD User Connector? I could not find the field in the schema provider, but an LDP search shows it.

I manually added the field to the schema, trying different types (Date, Timestamp, Long), but Import All does not return any value.

Answer
Curtis Lusmore 7 years ago

Hi Huu,

It should be importable as "accountExpires" as a Timestamp. However, the value will not be set on the entity for "never".
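The following is an added example, not part of the original thread or the product's code. It shows why "never" yields no timestamp: Active Directory encodes a non-expiring account with one of two sentinel values in accountExpires, and neither is a real date. The function name and sample rows are constructed for illustration.

```powershell
# Added example, not part of the original thread.
# Active Directory stores accountExpires as 100 ns ticks since 1601-01-01 UTC;
# 0 and 0x7FFFFFFFFFFFFFFF both mean the account never expires.
$NeverSentinels = [Int64]0, [Int64]::MaxValue

function ConvertFrom-AccountExpires {
    # Hypothetical helper: returns a UTC DateTime, or $null for "never"/unset.
    param([Parameter(ValueFromPipeline)][AllowNull()][AllowEmptyString()][string]$RawValue)
    process {
        if ([string]::IsNullOrWhiteSpace($RawValue)) { return $null }
        $ticks = [Int64]0
        if (-not [Int64]::TryParse($RawValue.Trim(), [ref]$ticks)) {
            throw "accountExpires '$RawValue' is not a 64-bit integer"
        }
        # Sentinels are not dates; passing Int64.MaxValue to FromFileTimeUtc throws.
        if ($NeverSentinels -contains $ticks) { return $null }
        try { [DateTime]::FromFileTimeUtc($ticks) }
        catch { throw "accountExpires '$RawValue' is outside the FILETIME range" }
    }
}

# Constructed sample rows, shaped like an LDAP export (attribute values as strings).
$now = [DateTime]::UtcNow
$rows = @(
    [pscustomobject]@{ sAMAccountName = 'svc-backup';  accountExpires = '0' }
    [pscustomobject]@{ sAMAccountName = 'jsmith';      accountExpires = '9223372036854775807' }
    [pscustomobject]@{ sAMAccountName = 'contractor1'; accountExpires = '131592384000000000' }
)

foreach ($row in $rows) {
    $expires = ConvertFrom-AccountExpires $row.accountExpires
    [pscustomobject]@{
        Account = $row.sAMAccountName
        Expires = $expires
        State   = if ($null -eq $expires) { 'never expires' }
                  elseif ($expires -lt $now) { 'expired' }
                  else { 'active' }
    }
}
```

Downstream rules that test "expiry date is in the past" should treat a missing value as "never expires" rather than as an error or as already expired.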

0
Answered

How does deprovisioning work in IDB Plus?

Huu Tran 7 years ago in UNIFYBroker/Plus updated by Curtis Lusmore 7 years ago 1

It is outgoing provisioning and deprovisioning: Locker-AD Link-AD Adapter - AD User Connector - AD OU

Assume that Locker has 2000 users and there are 3000 users in AD OU --> 3000 in AD Adapter.

After Import All in AD User Connector and Baseline Sync in AD Link, 1500 users in Locker join 1500 in AD Adapter.

In this case, 500 new users will be created in AD because of outgoing provisioning. How about 1500 not-joined users in AD, will they be removed due to outgoing deprovisioning?

Answer
Curtis Lusmore 7 years ago

Hi Huu,

No, such entities shouldn't be deprovisioned during a baseline. A baseline effectively simulates a change to every entity on both sides of the link, but deprovisioning only occurs when an entity is removed from the source context (i.e. a change is registered against an entity that no longer exists in the context).

0
Answered

Cannot retrieve schema for Chris21 USR connector

Huu Tran 7 years ago in UNIFYBroker/Frontier ichris/chris21 updated by Adam van Vliet 7 years ago 6

Chris21 USR Connector is configured as follows:

Image 4683



However, retrieving schema failed with the below error in the log:


20180116,23:15:53,UNIFY Identity Broker,Connector Engine,Error,"The schema for 'Chris21 USR Connector' connector was not updated for the following reason: System.AggregateException: One or more errors occurred. ---> System.Exception: No schema fields retrieved for the configured form. Please confirm the connector configuration.
   at Unify.Product.IdentityBroker.Chris21ConnectorBase.<GetSchemaFields>d__42.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Unify.Product.IdentityBroker.Chris21ConnectorSchemaProvider.GetSchema(ISchemaProviderFactoryInformation factoryInformation)
   at Unify.Product.IdentityBroker.ConnectorEngine.SchemaProviderResult(IOperationalConnector`1 operationalConnector, Func`2 selector)
---> (Inner Exception #0) System.Exception: No schema fields retrieved for the configured form. Please confirm the connector configuration.
   at Unify.Product.IdentityBroker.Chris21ConnectorBase.<GetSchemaFields>d__42.MoveNext()<---
",Normal
20180116,23:15:53,UNIFY Identity Broker,Connector engine,Warning,"Request to retrieve schema provider application result.
Request to retrieve schema provider application result for connector 2851de9a-a6f5-4026-8f63-9c4637633001 failed with message One or more errors occurred.. Provider: Unify.Connectors.Frontier.Chris21.AllFields. Duration: 00:00:01.8901441
Error details:
System.AggregateException: One or more errors occurred. ---> System.Exception: No schema fields retrieved for the configured form. Please confirm the connector configuration.
   at Unify.Product.IdentityBroker.Chris21ConnectorBase.<GetSchemaFields>d__42.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at Unify.Product.IdentityBroker.Chris21ConnectorSchemaProvider.GetSchema(ISchemaProviderFactoryInformation factoryInformation)
   at Unify.Product.IdentityBroker.ConnectorEngine.SchemaProviderResult(IOperationalConnector`1 operationalConnector, Func`2 selector)
   at Unify.Product.IdentityBroker.ConnectorEngine.SchemaProviderApplicationResult(String providerName, Guid connectorId)
   at Unify.Product.IdentityBroker.ConnectorEngineAuditingDecorator.SchemaProviderApplicationResult(String providerName, Guid connectorId)
   at Unify.Product.IdentityBroker.ConnectorEngineNotifierDecorator.SchemaProviderApplicationResult(String providerName, Guid connectorId)
   at Unify.Product.IdentityBroker.ConnectorEngineAccessor.SchemaProviderApplicationResult(String providerName, Guid connectorId)
   at Unify.Product.IdentityBroker.IdentityServiceCollector.SchemaProviderApplicationResult(String providerName, Guid connectorId)
   at SyncInvokeSchemaProviderApplicationResult(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
---> (Inner Exception #0) System.Exception: No schema fields retrieved for the configured form. Please confirm the connector configuration.
   at Unify.Product.IdentityBroker.Chris21ConnectorBase.<GetSchemaFields>d__42.MoveNext()<---
",Verbose

Answer
Adam van Vliet 7 years ago

The field that chris21 is specifying as the key (usrlogonid) is missing from the set of returned field names. Could you please try the following request and let me know if the response changes?

cbr="componentlist",screen="USR",showtranslation="s"

If the key field comes through, update the show translation setting on the connector and try again.

0
Answered

How to export to other Chris21 table other than DET Connector

Huu Tran 7 years ago in UNIFYBroker/Frontier ichris/chris21 updated 7 years ago 3

In the standard Chris21 configuration, I have the DET connector as the base connector for the Chris21 Adapter and I can make the field workPhone exportable (readonly box not ticked) --> All good!

In the Chris21 Adapter, there is a join transformation with the POS connector in which the field detemailad is exportable. It is mapped to the ADEmail field in the Adapter. However, the ADEmail field in the adapter is read-only --> not exportable?

So if I want to write back to the detemailad field, do I need to create a separate adapter which has the POS connector as the base connector?

Answer
Huu Tran 7 years ago

It is a schema provider issue. I added "detemailad" to the DET connector manually. Do an import and the data is populated.

0
Answered

How to filter sub-OUs in AD connector

Huu Tran 7 years ago in UNIFYBroker/Microsoft Active Directory updated by Adam van Vliet 7 years ago 8

An AD connector will search objects in an OU in sub-tree mode. This means it looks through all sub-OUs.

What to do if only objects in a few selected sub-OUs need to be imported? i.e.

Base Container: OU=User, DC=company, DC=com

Only objects in 2 sub-OUs need to be imported:

OU=Staff,OU=User, DC=company, DC=com

OU=Disabled_Staff,OU=User, DC=company, DC=com

Answer
Adam van Vliet 7 years ago

See v5.3.0.

0
Declined

Allow for IdB 5.2.1 Plus to be deployed without a Database Connection to support Container based deployments

Adam Bradley 7 years ago updated by Matthew Davis (Technical Product Manager) 4 years ago 4 1 duplicate

Most Container based orchestration solutions, including Kubernetes and Docker Compose with Swarm, provide almost no ability to modify the contents of the files in Volumes mounted within Server nodes they deploy.

To simplify deployments, without needing to resort to tools like Puppet, Chef or Ansible to carry out post-provisioning tasks such as modifying Connection Strings in XML files, it would be useful to allow IdB to have the Connection String configurable via its Management API.

Answer

Supported with containerization attached volumes.

0
Declined

Feature request: credential passthrough for authentication to Broker's LDAP interface from within powershell connector

Adrian Corston 7 years ago updated by Curtis Lusmore 7 years ago 1

It would be helpful if a valid username/password (or other authentication credential object) was made available to the powershell connector, for the purpose of submitting LDAP queries back into Broker for complex data manipulation operations.

The solution outlined here currently has to store and pass the broker LDAP query credentials manually.

Answer
Curtis Lusmore 7 years ago

Hi Adrian,

This is not possible, as the passwords are encrypted in a format that cannot be reversed.

0
Under review

Feature request: Identity Broker 5.2 object filtering facility

Adrian Corston 7 years ago updated by Matthew Davis (Technical Product Manager) 2 years ago 10

I needed to filter a subset of objects from one connector or adapter (i.e. All Organisation Unit objects) to create separate connectors or adapters for just those objects (i.e. All Business Units).

There does not seem to be any way to filter using Broker's built-in functionality, so the solution I chose was to write a powershell script to perform an LDAP query against Broker and populate a new connector based on the selected subset of objects.

Please consider adding this functionality (or something equivalent) to the base Identity Broker product.

0
Completed

Identity Broker 5.2 LDAP interface timeout when another connector is running

Adrian Corston 7 years ago updated by Curtis Lusmore 7 years ago 4

In my solution, when one of my connectors is running I see timeouts when performing LDAP queries against Identity Broker containers.

Answer
Curtis Lusmore 7 years ago
> My solution is a simple powershell script invoked from a Broker powershell connector, so it won't retry and the Import will fail (and presumably log an error in Broker).

You could consider adding retry logic to the PowerShell script. See this blog post as an example.

> However when MIM connects to Identity Broker, it uses the same LDAP interface, so that would cause the MIM import to fail as well and report a connection error.
> That seems like a significant issue to me - having Identity Broker unavailable for any queries while a connector is running is a poor situation. Can I confirm that you're effectively saying that practically speaking, Identity Broker is single-threaded?! What is the situation if the connector takes a long time to complete - is it unavailable for requests for the majority of that time?

The connector operations are performed in pages, and the lock should only be held for a single page, giving other operations a chance to run between pages. LDAP queries are similarly performed in pages, meaning the sequence of pages might end up being interleaved. Other factors such as the health of the database and hardware specifications of the server can also impact the duration that database locks are held. Please see Identity Broker Database Recommendations.

I agree that failed imports are not ideal, but solutions need to be resilient to failing operations for a number of other reasons as well. That said, we have work in the pipeline to improve database performance and context isolation to improve this situation.
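One way to add the retry logic suggested above, as an added example that is not from the thread, the linked blog post or the product. It assumes the script queries Broker's LDAP interface through System.DirectoryServices.Protocols; the function names are hypothetical and the failing operation is a constructed stand-in for the real query.

```powershell
# Added example (not from the thread): retry only transient LDAP failures.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-TransientLdapError {
    param([Exception]$Exception)
    $transientResults = 'TimeLimitExceeded', 'Busy', 'Unavailable'
    # Walk the chain: PowerShell may wrap the .NET exception in its own types.
    for ($e = $Exception; $e; $e = $e.InnerException) {
        if ($e -is [System.DirectoryServices.Protocols.DirectoryOperationException]) {
            return ($null -ne $e.Response) -and
                   ($transientResults -contains "$($e.Response.ResultCode)")
        }
        if ($e -is [System.DirectoryServices.Protocols.LdapException]) {
            # 49 = invalid credentials: retrying a bad bind only adds failed logons.
            return $e.ErrorCode -ne 49
        }
    }
    return $false
}

function Invoke-LdapWithRetry {
    param(
        [Parameter(Mandatory)][scriptblock]$Operation,
        [int]$MaxAttempts = 4,
        [int]$InitialDelaySeconds = 2
    )
    $delay = $InitialDelaySeconds
    for ($attempt = 1; ; $attempt++) {
        try {
            return (& $Operation)
        } catch {
            if ($attempt -ge $MaxAttempts -or
                -not (Test-TransientLdapError $_.Exception)) { throw }
            Write-Warning "LDAP attempt $attempt failed: $($_.Exception.Message). Retrying in $delay s."
            Start-Sleep -Seconds $delay
            $delay = [Math]::Min($delay * 2, 30)   # exponential backoff, capped
        }
    }
}

# Constructed stand-in for the real query: times out twice (85 = LDAP timeout), then succeeds.
$script:calls = 0
$result = Invoke-LdapWithRetry -InitialDelaySeconds 1 -Operation {
    $script:calls++
    if ($script:calls -lt 3) {
        throw [System.DirectoryServices.Protocols.LdapException]::new(85, 'constructed timeout')
    }
    'CN=constructed-entry'
}
"Succeeded after $script:calls attempts: $result"
```

Authentication failures are rethrown immediately, so a wrong stored password surfaces as a single failed import instead of repeated bind attempts against the service account.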