Identity Broker Forum
Welcome to the community forum for Identity Broker.
Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.
A user interface could not be located for this agent type
I have installed the following:
UNIFY Identity Broker Service v5.2.1 RTM
UNIFY Identity Broker for Microsoft Identity Manager v5.1.0 RTM
UNIFY Identity Broker for Aurion v5.0.1 x64
When I try to create an Aurion agent it is listed in the drop-down as an option but then when I click "Create Agent" I get this:
A user-interface could not be located for this agent type. The list of known types are:
- Unify.Agent.FTP (FTP Agent)
- Unify.Agent.SqlServerDatabase (SQL Server Database Agent)
- Unify.Agent.OracleDb (Oracle Database Agent)
- Unify.Agent.OleDb (Ole Database Agent)
- Unify.Agent.Aurion (Aurion agent)
I have tried restarting the service and rebooting.
Is that set of installed versions correct? You'll need to update the Identity Broker for Aurion to v5.2 (https://voice.unifysolutions.net/forums/7-identity-broker-knowledge/topics/3419-identity-broker-for-aurion-downloads/).
accountExpires in AD User Connector
How can I retrieve accountExpires field in AD User Connector? I could not find the field in the schema provider but LDP search shows it.
I manually added the field into schema, trying with different types: Date, Timestamp, Long but Import All does not return any value.
Hi Huu,
It should be importable as "accountExpires" as a Timestamp. However, the value will not be set on the entity for "never".
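Added example (not part of the original thread, and not UNIFY's code): a PowerShell sketch of how raw Active Directory accountExpires values decode, including the two sentinel values AD uses for "never", which is why no timestamp appears for those accounts. The account names and values are constructed sample data, and the function name is hypothetical.

```powershell
# Decode a raw accountExpires value (100 ns ticks since 1601-01-01 UTC).
function ConvertFrom-AccountExpires {
    param([Parameter(Mandatory)][long]$Value)
    # 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires". The latter is also
    # outside the range DateTime.FromFileTimeUtc accepts, so test before converting.
    if ($Value -eq 0 -or $Value -eq [long]::MaxValue) { return $null }
    return [DateTime]::FromFileTimeUtc($Value)
}

$now = [DateTime]::UtcNow

# Constructed sample entries standing in for what an LDP search would show.
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'alice'; accountExpires = [long]0 }
    [pscustomobject]@{ sAMAccountName = 'bob';   accountExpires = [long]::MaxValue }
    [pscustomobject]@{ sAMAccountName = 'carol'; accountExpires = $now.AddDays(-30).ToFileTimeUtc() }
    [pscustomobject]@{ sAMAccountName = 'dave';  accountExpires = $now.AddDays(90).ToFileTimeUtc() }
)

$sample | ForEach-Object {
    $expiry = ConvertFrom-AccountExpires -Value $_.accountExpires
    $state  = if ($null -eq $expiry) { 'Never' }
              elseif ($expiry -le $now) { 'Expired' }
              else { 'Active' }
    [pscustomobject]@{
        Account    = $_.sAMAccountName
        ExpiresUtc = $expiry      # empty for "never", matching an unset Timestamp field
        State      = $state
    }
} | Format-Table -AutoSize
```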
How does deprovisioning work in IDB Plus?
It is outgoing provisioning and deprovisioning: Locker-AD Link-AD Adapter - AD User Connector - AD OU
Assume that Locker has 2000 users and there are 3000 users in AD OU --> 3000 in AD Adapter.
After Import All in AD User Connector and Baseline Sync in AD Link, 1500 users in Locker join 1500 in AD Adapter.
In this case, 500 new users will be created in AD because of outgoing provisioning. How about the 1500 not-joined users in AD? Will they be removed due to outgoing deprovisioning?
Hi Huu,
No, such entities shouldn't be deprovisioned during a baseline. A baseline effectively simulates a change to every entity on both sides of the link, but deprovisioning only occurs when an entity is removed from the source context (i.e. a change is registered against an entity that no longer exists in the context).
Cannot retrieve schema for Chris21 USR connector
Chris21 USR Connector is configured as follows:
However, retrieving schema failed with the below error in the log:
20180116,23:15:53,UNIFY Identity Broker,Connector Engine,Error,"The schema for 'Chris21 USR Connector' connector was not updated for the following reason: System.AggregateException: One or more errors occurred. ---> System.Exception: No schema fields retrieved for the configured form. Please confirm the connector configuration.
at Unify.Product.IdentityBroker.Chris21ConnectorBase.<GetSchemaFields>d__42.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Unify.Product.IdentityBroker.Chris21ConnectorSchemaProvider.GetSchema(ISchemaProviderFactoryInformation factoryInformation)
at Unify.Product.IdentityBroker.ConnectorEngine.SchemaProviderResult(IOperationalConnector`1 operationalConnector, Func`2 selector)
---> (Inner Exception #0) System.Exception: No schema fields retrieved for the configured form. Please confirm the connector configuration.
at Unify.Product.IdentityBroker.Chris21ConnectorBase.<GetSchemaFields>d__42.MoveNext()<---
",Normal
20180116,23:15:53,UNIFY Identity Broker,Connector engine,Warning,"Request to retrieve schema provider application result.
Request to retrieve schema provider application result for connector 2851de9a-a6f5-4026-8f63-9c4637633001 failed with message One or more errors occurred.. Provider: Unify.Connectors.Frontier.Chris21.AllFields. Duration: 00:00:01.8901441
Error details:
System.AggregateException: One or more errors occurred. ---> System.Exception: No schema fields retrieved for the configured form. Please confirm the connector configuration.
at Unify.Product.IdentityBroker.Chris21ConnectorBase.<GetSchemaFields>d__42.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Unify.Product.IdentityBroker.Chris21ConnectorSchemaProvider.GetSchema(ISchemaProviderFactoryInformation factoryInformation)
at Unify.Product.IdentityBroker.ConnectorEngine.SchemaProviderResult(IOperationalConnector`1 operationalConnector, Func`2 selector)
at Unify.Product.IdentityBroker.ConnectorEngine.SchemaProviderApplicationResult(String providerName, Guid connectorId)
at Unify.Product.IdentityBroker.ConnectorEngineAuditingDecorator.SchemaProviderApplicationResult(String providerName, Guid connectorId)
at Unify.Product.IdentityBroker.ConnectorEngineNotifierDecorator.SchemaProviderApplicationResult(String providerName, Guid connectorId)
at Unify.Product.IdentityBroker.ConnectorEngineAccessor.SchemaProviderApplicationResult(String providerName, Guid connectorId)
at Unify.Product.IdentityBroker.IdentityServiceCollector.SchemaProviderApplicationResult(String providerName, Guid connectorId)
at SyncInvokeSchemaProviderApplicationResult(Object , Object[] , Object[] )
at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
---> (Inner Exception #0) System.Exception: No schema fields retrieved for the configured form. Please confirm the connector configuration.
at Unify.Product.IdentityBroker.Chris21ConnectorBase.<GetSchemaFields>d__42.MoveNext()<---
",Verbose
The field that chris21 is specifying as the key (usrlogonid) is missing from the set of returned field names. Could you please try the following request and let me know if the response changes?
cbr="componentlist",screen="USR",showtranslation="s"
If the key field comes through, update the show translation setting on the connector and try again.
How to export to a Chris21 table other than the DET Connector
In the standard Chris21 configuration, I have the DET connector as the base connector for the Chris21 Adapter and I can make the field workPhone exportable (readonly box not ticked) --> All good!
In the Chris21 Adapter, there is a join transformation with the POS connector in which the field detemailad is exportable. It is mapped to the ADEmail field in the Adapter. However, the ADEmail field in the adapter is read-only --> not exportable?
So if I want to write back to the detemailad field, do I need to create a separate adapter which has the POS connector as the base connector?
It is a schema provider issue. I added "detemailad" to the DET connector manually. Do import and data is populated.
How to filter sub-OUs in AD connector
An AD connector will search objects in an OU in sub-tree mode. This means it looks through all sub-OUs.
What to do if only objects in a few selected sub-OUs need to be imported? i.e.
Based Container: OU=User, DC=company, DC=com
Only objects in 2 sub-OUs need to be imported:
OU=Staff,OU=User, DC=company, DC=com
OU=Disabled_Staff,OU=User, DC=company, DC=com
Allow for IdB 5.2.1 Plus to be deployed without a Database Connection to support Container based deployments
Most Container based orchestration solutions, including Kubernetes and Docker Compose with Swarm, provide almost no ability to modify the contents of the files in Volumes mounted within Server nodes they deploy.
To simplify deployments, without needing to resort to tools like Puppet, Chef or Ansible to carry out post provisioning tasks such as modifying Connection Strings in XML files, it would be useful to allow IdB to have the Connection String configurable via its Management API.
Supported with containerization attached volumes.
Feature request: credential passthrough for authentication to Broker's LDAP interface from within powershell connector
It would be helpful if a valid username/password (or other authentication credential object) was made available to the powershell connector, for the purpose of submitting LDAP queries back into Broker for complex data manipulation operations.
The solution outlined here currently has to store and pass the broker LDAP query credentials manually.
Hi Adrian,
This is not possible, as the passwords are encrypted in a format that cannot be reversed.
Feature request: Identity Broker 5.2 object filtering facility
I needed to filter a subset of objects from one connector or adapter (i.e. All Organisation Unit objects) to create separate connectors or adapters for just those objects (i.e. All Business Units).
There does not seem to be any way to filter using Broker's built-in functionality, so the solution I chose was to write a powershell script to perform an LDAP query against Broker and populate a new connector based on the selected subset of objects.
Please consider adding this functionality (or something equivalent) to the base Identity Broker product.
Identity Broker 5.2 LDAP interface timeout when another connector is running
In my solution, when one of my connectors is running I see timeouts when performing LDAP queries against Identity Broker containers.
My solution is a simple powershell script invoked from a Broker powershell connector, so it won't retry and the Import will fail (and presumably log an error in Broker).
You could consider adding retry logic to the PowerShell script. See this blog post as an example.
However, when MIM connects to Identity Broker, it uses the same LDAP interface, so that would cause the MIM import to fail as well and report a connection error.
That seems like a significant issue to me - having Identity Broker unavailable for any queries while a connector is running is a poor situation. Can I confirm that you're effectively saying that practically speaking, Identity Broker is single-threaded?! What is the situation if the connector takes a long time to complete - is it unavailable for requests for the majority of that time?
The connector operations are performed in pages, and the lock should only be held for a single page, giving other operations a chance to run between pages. LDAP queries are similarly performed in pages, meaning the sequence of pages might end up being interleaved. Other factors such as the health of the database and hardware specifications of the server can also impact the duration that database locks are held. Please see Identity Broker Database Recommendations.
I agree that failed imports are not ideal, but solutions need to be resilient to failing operations for a number of other reasons as well. That said, we have work in the pipeline to improve database performance and context isolation to improve this situation.
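Added example (not part of the original thread, not UNIFY's code, and not the blog post referred to above): one way to add bounded retry with exponential backoff to a PowerShell connector script, so a timeout caused by lock contention between pages does not fail the whole import. The function name, the list of transient exception types and the simulated operation are assumptions; a real script would place its LDAP search inside the scriptblock.

```powershell
function Invoke-WithRetry {
    param(
        [Parameter(Mandatory)][scriptblock]$Operation,
        [int]$MaxAttempts = 5,
        [int]$BaseDelayMs = 500,
        # Exception types treated as transient (assumed list); anything else fails at once.
        [string[]]$TransientTypes = @(
            'System.TimeoutException',
            'System.DirectoryServices.Protocols.LdapException'
        )
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            return & $Operation
        }
        catch {
            $ex = $_.Exception
            # .NET method calls surface wrapped; unwrap to reach the real cause.
            while (($ex -is [System.Management.Automation.MethodInvocationException]) -and
                   $ex.InnerException) {
                $ex = $ex.InnerException
            }
            $transient = $TransientTypes -contains $ex.GetType().FullName
            # Rethrow non-transient errors and the final failed attempt unchanged.
            if (-not $transient -or $attempt -eq $MaxAttempts) { throw }
            $delay = [int]($BaseDelayMs * [math]::Pow(2, $attempt - 1))
            Write-Warning "Attempt $attempt failed ($($ex.Message)); retrying in $delay ms"
            Start-Sleep -Milliseconds $delay
        }
    }
}

# Constructed stand-in for an LDAP query: times out twice, then returns a result.
$script:calls = 0
$result = Invoke-WithRetry -BaseDelayMs 100 -Operation {
    $script:calls++
    if ($script:calls -le 2) {
        throw [System.TimeoutException]::new('LDAP search timed out (simulated)')
    }
    'cn=example entry'
}
"Succeeded after $script:calls attempts: $result"
```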