Identity Broker Forum
Aurion ESS account Template
I have been asked to find out if the Aurion connector supports specifying a "template" at the point of creating the ESS account. Apparently this will mean that MailType and other options are set according to the template. I know I can set these attributes directly, and this is what I intend to do, but the customer would like to continue to use her template if possible - only if specifying a template is supported by sec_user_add of course.
There is no TEMPLATE field for the SEC_USER_ADD function. Have a look at the CopyFromUserId field (COPY_FROM_USER_ID) to see if it meets your requirements.
Unify.Product.IdentityBroker.LDAPModifyException: Cannot add the value to the existing, non-multivalue field
There's an error being reported in MIM Sync on exports to a particular IdB connector several times a day. I haven't worried too much about it because the export actually works and the error is never exactly repeated (so it's not repeatedly failing to export the same change) - however I'm trying to clean up the monitoring so reported errors are worth looking into.
The error occurs seemingly randomly, as in there is no pattern of specific entity or time of day that I can see. It is always the same adapter, which backs on to a SQL connector talking to a SQL table (not a view). The error is always much the same except the attribute always changes - again I don't see a pattern. None of the attributes are multi-valued in the target table, IdB or MIM.
Here's an example of the error reported in MIM. I'm showing the healthcheck version so you can see the entity specified and the timestamp:
ErrorDN: CN=25600,OU=LANDesk,DC=IdentityBroker
ErrorDetail:
ErrorFirstOccurred: 2017-11-06T07:59:03
ErrorMessage: Internal Server Error #9:
Unify.Product.IdentityBroker.LDAPModifyException: Cannot add the value
41-50-53-34 to the existing, non-multivalue field Classification. at
Unify.Product.IdentityBroker.LDAPModifyRequestToEntityConverter.HandleAttributeValueAdd(IModifyRequestOperation
op, IAdapterEntity entity, IEntitySchema schema) at
Unify.Product.IdentityBroker.LDAPModifyRequestToEntityConverter.Transform(IRfcModifyRequest
sourceValue, IAdapterEntity origEntity) at
Unify.Product.IdentityBroker.ModifyRequestHandler.InnerApplyTransformation(IHandleRequestCoreRequest
request, LDAPModifyRequestToEntityConverter converter)
ErrorSyncType: export-error
ErrorType: Other
HCRecordType: FIMSync_Run_ErrorObject
MVObjectGUID: 540553ea-7e48-e711-80c7-005056a374e3
MaName: LANDesk
RunID: 6e0a6558-280f-4625-b0cc-9aea0ae83564
TimeInErrorDays: 0
_time: 2017-11-06T07:59:03
I've looked at the IdB logs for the same time but there is no error reported there. The logs agree that an export was being run to the expected connector. The only entity specifically mentioned does not match the entity reported in the MIM Sync error:
20171106,07:58:59,UNIFY Identity Broker,LDAP Engine,Information,A client has connected to the LDAP endpoint from address: 127.0.0.1:52744.,Normal
20171106,07:59:04,UNIFY Identity Broker,LDAP Engine,Information,A client has connected to the LDAP endpoint from address: 127.0.0.1:52750.,Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk Start request. Handling of LDAP Bulk Start request received from user IdBLDAP on connection 127.0.0.1:52744 completed successfully. Duration 00:00:18.1411237.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Root DSE request. Handling of LDAP Root DSE request from user IdBLDAP on connection 127.0.0.1:52750 for the Root DSE completed successfully. Duration: 00:00:13.1409918.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP search request. Handling of LDAP search request from user IdBLDAP on connection 127.0.0.1:52750 targeting DC=IdentityBroker with a scope of SingleLevel completed successfully. Duration: 00:00:12.1409653.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk End request. Handling of LDAP Bulk End request received from user IdBLDAP on connection 127.0.0.1:52744 completed successfully with operations failed: 1. Duration 00:00:16.1254477.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk Update request. Handling of LDAP Bulk Update request received from user IdBLDAP on connection 127.0.0.1:52744 completed successfully without results available for logging. Duration 00:00:17.1410874.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP bind request. Handling of LDAP bind request received on connection 127.0.0.1:52750 to connect as user IdBLDAP completed successfully. The bind was successful. Duration: 00:00:14.1410105.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:11.1096809.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP unbind request. Handling of LDAP unbind request received on connection 127.0.0.1:52744 to connect as user IdBLDAP completed successfully. Duration: 00:00:15.1410375.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:09.4690085.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:08.6408457.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP bind request. Handling of LDAP bind request received on connection 127.0.0.1:52744 to connect as user IdBLDAP completed successfully. The bind was successful. Duration: 00:00:19.1411493.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:07.6408392.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:06.6251852.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:05.6407763.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Root DSE request. Handling of LDAP Root DSE request from user IdBLDAP on connection 127.0.0.1:52750 for the Root DSE completed successfully. Duration: 00:00:04.6876294.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP change log request. Handling of LDAP change log request from user IdBLDAP on connection 127.0.0.1:52750 completed successfully. Added: 1. Modified: 0. Renamed: 0. Deleted: 0. Total: 1. Duration: 00:00:04.1407369.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP change log request. Handling of LDAP change log request from user IdBLDAP on connection 127.0.0.1:52750 completed successfully. Added: 3. Modified: 2. Renamed: 0. Deleted: 0. Total: 5. Duration: 00:00:03.1407136.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP search request. Handling of LDAP search request from user IdBLDAP on connection 127.0.0.1:52750 targeting CN=25777,OU=LANDesk,DC=IdentityBroker with a scope of BaseObject completed successfully. Results: 1. Duration: 00:00:02.1406773.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP unbind request. Handling of LDAP unbind request received on connection 127.0.0.1:52750 to connect as user IdBLDAP completed successfully. Duration: 00:00:00.0156256.",Normal
20171106,07:59:20,UNIFY Identity Broker,Change detection engine,Information,"Change detection engine import all items started. Change detection engine import all items for connector Aurion Security Records started.",Normal
Hi Carol,
The error "Cannot add the value 41-50-53-34 to the existing, non-multivalue field Classification" indicates that MIM is attempting to export an update to an entity which adds a value to a field for which the entity already has a value, and that field is not multi-valued. This isn't logged in Identity Broker as an error because as far as Identity Broker is concerned, it correctly responded to an invalid request with a failure - there is no error of processing in Identity Broker.
This usually indicates that the data in Identity Broker and the MIM connector space have grown out of sync, and can be resolved with an import + sync cycle. The fact that this issue resolves itself suggests this is likely.
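As an added illustration (not Identity Broker or MIM code), the following Python models the LDAP Modify semantics behind the error in this thread: an `add` operation on a single-valued attribute that already holds a value fails, whereas `replace` succeeds, and a failed request leaves the entry untouched. The schema, the existing attribute value, and the function names are constructed for the example; only the DN, attribute name and added value come from the error message above.

```python
# Added illustration (not Identity Broker or MIM code): how LDAP Modify
# operations behave on single- vs multi-valued attributes.  The schema,
# existing values and function names are constructed for this example.
from dataclasses import dataclass, field


class LDAPModifyException(Exception):
    """Stand-in for the exception type named in the MIM error above."""


@dataclass
class Schema:
    multivalued: dict  # attribute name -> True if multi-valued (constructed)


@dataclass
class Entity:
    dn: str
    attrs: dict = field(default_factory=dict)  # attribute name -> list of values


def apply_modify(entity, schema, operations):
    """Apply [(op, attribute, values), ...] with RFC 4511 Modify semantics:
    'add' appends, 'replace' overwrites, 'delete' removes.  The request is
    atomic: if any operation fails the entity is left untouched."""
    work = {k: list(v) for k, v in entity.attrs.items()}
    for op, attr, values in operations:
        current = work.setdefault(attr, [])
        if op == "add":
            # The case behind the export error: 'add' to an attribute that
            # already holds a value while the schema says single-valued.
            if current and not schema.multivalued.get(attr, False):
                raise LDAPModifyException(
                    f"Cannot add the value {values[0]} to the existing, "
                    f"non-multivalue field {attr}.")
            for v in values:
                if v not in current:
                    current.append(v)
        elif op == "replace":
            work[attr] = list(values)
        elif op == "delete":
            work[attr] = [] if not values else [v for v in current if v not in values]
        else:
            raise ValueError(f"unknown modify operation {op!r}")
    entity.attrs = {k: v for k, v in work.items() if v}
    return entity


SCHEMA = Schema(multivalued={"Classification": False, "memberOf": True})


def demo_add_conflict():
    """The connector space believes Classification is empty and sends 'add';
    the broker already holds a value, so the request is rejected and the
    entity is returned unchanged."""
    entity = Entity("CN=25600,OU=LANDesk,DC=IdentityBroker",
                    {"Classification": ["41-50-53-30"]})  # constructed old value
    try:
        apply_modify(entity, SCHEMA,
                     [("add", "Classification", ["41-50-53-34"])])
    except LDAPModifyException as exc:
        return str(exc), entity.attrs
    return "no error", entity.attrs


def demo_replace_ok():
    """Once both sides agree the attribute already has a value, the same
    change can be expressed as 'replace', which succeeds; an 'add' to a
    multi-valued attribute in the same request is fine."""
    entity = Entity("CN=25600,OU=LANDesk,DC=IdentityBroker",
                    {"Classification": ["41-50-53-30"], "memberOf": ["CN=g1"]})
    apply_modify(entity, SCHEMA,
                 [("replace", "Classification", ["41-50-53-34"]),
                  ("add", "memberOf", ["CN=g2"])])
    return entity.attrs
```

The rejection in `demo_add_conflict` is the broker doing its job, which is why it appears only on the client side as an export error; `demo_replace_ok` shows the shape of the request that succeeds once the two sides hold the same view of the attribute.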
Blocking a transformation for one entity
I expect the answer is No, but worth asking...
Aurion has the head of Dept's position shown as reporting to her EA. This is apparently necessary for some internal Aurion reason. However they don't want her EA appearing as her Manager all over the place (as it currently is, including in the Corporate Directory).
As I can't do an Advanced Flow Rule on a reference attribute I can't selectively block "manager" coming into the Metaverse. (I may have to implement a scoped Sync Rule just for this one flow - yuck!)
If at all possible, is there any way I can exclude one entity on the Join transformation that is generating the Manager attribute inside the IdB Adapter?
Hi Carol,
No, this is not directly possible with the Join transformation. If you're using Identity Broker v5.1 or above, you could consider using the PowerShell Transformation to remove the value (by assigning the value null) to the appropriate field of the target entity.
GUI issue after an update to Aurion IDB Connector 4.1.3
Hi,
After updating the Aurion IDB Connector from 4.1.0 to 4.1.3 on Identity Broker Service 4.1.0, I see the following web page when I try to configure the connector:
Instead of :
I followed the following guide installation: https://unifysolutions.jira.com/wiki/spaces/IDBAUR41/pages/54165644/Installation
Do you have an idea of the root cause and how to fix it?
Thanks in advance
Regards,
The issue is caused by being on a DEV version of Identity Broker. Either upgrade to the RTM, or the latest v4.1.x.
Check version of WSP installed?
How can I check the version of WSP installed on SharePoint?
Need to know in case we need to revert if upgrade does not go as planned.
As the DLLs are deployed to the GAC, there is no need to roll back that part (strongly named, allowing multiple versions to be deployed). The SharePoint administrator should know how to redeploy/upgrade/downgrade the wsp file that you provide.
Aurion Security User User_Name
I'm having a problem with a number of Aurion Security Users getting a UserName (which is actually the Display Name) of only their Surname, instead of "Surname, FirstName". MIM Sync is queuing the correct value to be exported through IdB, but the value does not get changed in Aurion.
I have manually changed someone's UserName in Aurion (as the same account that IdB uses) but it gets reverted to Surname.
I have run a series of Full Import Syncs and Exports with the Verbose logging on. In one case I see this:
Add entities [Count:126] to connector Aurion Security User Connector failed with reason Aurion API error -1: System Status is currently set to Exclusive. Access Denied.. Duration: 00:00:01.0140260
Error details:
System.Exception: Aurion API error -1: System Status is currently set to Exclusive. Access Denied.
at Unify.Communicators.AurionWSCommunicator.Logon(String userName, String password)
at Unify.Communicators.AurionAgent.Open()
at Unify.Connectors.AurionSecurityUserConnector.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)
at Unify.Product.IdentityBroker.EventNotifierUpdatingConnectorDecorator.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)",Normal
But elsewhere I see this, which looks like it should have worked:
Add entities [Count:126] to connector Aurion Security User Connector reported 126 entities saved. Duration: 00:00:10.4522680",Normal
Hi Carol,
Please find attached Aurion Patches.zip which contains two potential patches for this issue. The DLL inside the Quote directory wraps quotes (") around values containing commas (,) and the DLL inside the Bullet directory replaces the delimiter with a bullet (•). Please test both and let us know how they go.
Edit: Carol has confirmed that the bullet works.
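As an added illustration (not the patched DLLs attached above, whose code is not on the page), the following Python models why a UserName of "Surname, FirstName" collapses to "Surname" when field values are joined with a bare comma, and how each of the two patch strategies described in the reply (quoting values that contain the delimiter, or switching to a bullet delimiter) avoids it. The positional field list, the record encoding and the decoder are constructed assumptions about a comma-delimited API record; the real Aurion record format is not shown on the page.

```python
# Added illustration, not UNIFY's patch code.  Models a positional,
# comma-delimited record (constructed assumption) and the two fixes the
# reply describes: RFC 4180-style quoting, or a bullet delimiter.
FIELDS = ["USER_ID", "USER_NAME", "MAIL_TYPE"]   # constructed field order
SAMPLE = ["u12345", "Surname, FirstName", "SMTP"]  # constructed input


def encode_naive(values, delim=","):
    """The original behaviour: join raw values with the delimiter, so a
    comma inside a value becomes a field boundary."""
    return delim.join(values)


def encode_quoted(values, delim=","):
    """Patch 1 (Quote): wrap any value containing the delimiter or a quote in
    double quotes and double embedded quotes, as CSV readers expect."""
    out = []
    for v in values:
        if delim in v or '"' in v:
            v = '"' + v.replace('"', '""') + '"'
        out.append(v)
    return delim.join(out)


def encode_bullet(values, delim="\u2022"):
    """Patch 2 (Bullet): use a delimiter that does not occur in real data,
    and refuse to encode if it ever does rather than corrupt the record."""
    if any(delim in v for v in values):
        raise ValueError("value contains the delimiter; cannot encode safely")
    return delim.join(values)


def decode(record, delim=","):
    """Split a record into fields, honouring double-quote quoting with
    doubled embedded quotes.  Unquoted records parse exactly as a naive
    receiver would, which is what exposes the bug."""
    fields, cur, quoted, i = [], [], False, 0
    while i < len(record):
        ch = record[i]
        if quoted:
            if ch == '"':
                if i + 1 < len(record) and record[i + 1] == '"':
                    cur.append('"')
                    i += 1
                else:
                    quoted = False
            else:
                cur.append(ch)
        elif ch == '"' and not cur:      # quote only opens at field start
            quoted = True
        elif ch == delim:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def to_record(fields, names=FIELDS):
    """Map positional fields onto names.  Extra fields are dropped and
    missing ones become empty: a shifted record loses data silently."""
    return {n: (fields[i] if i < len(fields) else "") for i, n in enumerate(names)}


def demo():
    """Returns the record as a receiver sees it under each encoding."""
    naive = to_record(decode(encode_naive(SAMPLE)))
    quoted = to_record(decode(encode_quoted(SAMPLE)))
    bullet = to_record(decode(encode_bullet(SAMPLE), delim="\u2022"))
    return naive, quoted, bullet
```

In the naive case the surname lands in USER_NAME and " FirstName" shifts into MAIL_TYPE, which matches the symptom in the question: the exported value is not rejected, it is truncated and the remaining fields are displaced. Quoting keeps the delimiter in band but requires every receiver to implement the same quoting rules; the bullet takes the delimiter out of band and should be paired with the input check shown.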
Identity Broker as an LDAP proxy?
From reading the documentation, I think this will be possible but I'd like to know if Identity Broker could act as an LDAP proxy, connecting to an LDAP directory and then exposing the data via LDAP. The reason for this is that the source system has unescaped trailing spaces in DNs and One Identity can't handle this (it ignores the entries entirely). So is this possible? And would IdB be able to handle and trim the unescaped trailing spaces in the Distinguished Names?
Yes Identity Broker is able to expose its data via LDAP. However, there is no out-of-the-box LDAP connector, so connectivity to your directory would need to be developed in either PowerShell or .NET.
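As an added example (not Identity Broker connector code, which per the reply would be written in PowerShell or .NET), here is the DN clean-up an importing connector in a proxy arrangement like the one asked about could apply. It is written in Python for illustration and splits a DN on unescaped commas, strips trailing spaces from each RDN unless they are escaped, and reports every DN it rewrote. RFC 4514 requires a trailing space in an attribute value to be escaped, so an unescaped one is what the downstream consumer is rejecting; an escaped trailing space is legitimate data and is kept. The sample entries are constructed.

```python
# Added illustration, not Identity Broker connector code: normalising DNs that
# carry unescaped trailing spaces.  Sample DNs are constructed.


def split_rdns(dn):
    """Split a DN on commas that are not part of a backslash escape."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def strip_unescaped_trailing_spaces(rdn):
    """Drop trailing spaces unless the space is escaped ('\\ ')."""
    end = len(rdn)
    while end > 0 and rdn[end - 1] == " ":
        backslashes = 0
        while end - 2 - backslashes >= 0 and rdn[end - 2 - backslashes] == "\\":
            backslashes += 1
        if backslashes % 2 == 1:
            break            # odd number of backslashes: the space is escaped
        end -= 1
    return rdn[:end]


def normalize_dn(dn):
    """Rebuild the DN with per-RDN trailing-space cleanup; cosmetic spaces
    after a comma (before the attribute type) are removed as well."""
    return ",".join(strip_unescaped_trailing_spaces(r.lstrip(" "))
                    for r in split_rdns(dn))


def normalize_entries(entries):
    """Proxy-style pass over (dn, attributes) tuples as an importing
    connector would see them.  Returns the cleaned entries plus a change
    list for review, because a DN rewrite changes the object's identity
    as far as any downstream join or matching rule is concerned."""
    cleaned, changed = [], []
    for dn, attrs in entries:
        new_dn = normalize_dn(dn)
        if new_dn != dn:
            changed.append((dn, new_dn))
        cleaned.append((new_dn, attrs))
    return cleaned, changed


SAMPLE_ENTRIES = [  # constructed input
    ("CN=Smith John ,OU=Users ,DC=example,DC=com", {"sn": "Smith"}),
    ("CN=Doe\\, Jane,OU=Users,DC=example,DC=com", {"sn": "Doe"}),
    ("CN=Trailing\\ ,OU=Users,DC=example,DC=com", {"sn": "Trailing"}),
]
```

Keeping the change list matters: if the consumer has previously seen the broken DN, or anything joins on it, the rewrite is effectively a rename and should be reconciled rather than applied silently.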
Timeout for connectors in Identity Broker
Is it possible to implement a timeout function for connectors doing full imports, so that if there is some kind of issue that causes the import to hang it can put an error in the logs and continue, rather than ceasing imports on all connectors?
Hi Tom,
Timeouts are usually handled on a per-connector basis. Is there a particular connector you are interested in?
Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
I'm trying to understand what this error means - I'm seeing it logged a number of times a day in the IdB logs but having trouble pinning it to a specific connector.
Sometimes the line in the log is this:
20170924,02:35:24,UNIFY Identity Broker,LDAP engine,Error,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:58252 for the server schema failed with error ""Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection."". Duration: 00:00:06.0373233.",Normal
Sometimes it's this:
20170924,12:14:56,UNIFY Identity Broker,LDAP Engine,Error,"An error occurred on client from 127.0.0.1:60790. More details: Internal Server Error #11: System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection. at System.Array.Reverse(Array array, Int32 index, Int32 length) at System.Collections.Generic.Stack`1.System.Collections.ICollection.CopyTo(Array array, Int32 arrayIndex) at Unify.Framework.Collections.CallContextScope`1.get_CurrentScope() at Unify.Framework.Auditing.AuditTrailScope.Dispose() at Unify.Product.IdentityBroker.RequestHandlerAuditingDecorator.TryRetrieveHandlerReport(IDictionary`2& handlerReports) at Unify.Product.IdentityBroker.LDAPConnection.<RespondToMessageAsync>d__35.MoveNext()",Normal
Things seem to be working fine, however these errors are showing up in monitoring so I'd like to either eradicate the error, or filter it out somehow if it's of no concern.
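As an added example (not UNIFY code), the following Python parses the Identity Broker CSV log format quoted in this thread and in the LDAPModifyException thread above, for the monitoring clean-up both questions are after. It does two things: it surfaces the per-run failure count that the LDAP Bulk End line carries (the excerpt in the earlier thread shows "operations failed: 1" on an Information-level line, even though no Error-level line was written), and it suppresses one known-noisy Error message by pattern rather than dropping the Error level wholesale. The column names and the suppression list are constructed assumptions; the first three sample lines are taken from the two threads and the fourth is constructed.

```python
# Added illustration (not UNIFY code): parsing Identity Broker CSV log lines
# for monitoring.  Column names and the suppression list are assumptions;
# the last SAMPLE_LOG line is constructed, the first three come from the page.
import csv
import io
import re

SAMPLE_LOG = '''\
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk End request. Handling of LDAP Bulk End request received from user IdBLDAP on connection 127.0.0.1:52744 completed successfully with operations failed: 1. Duration 00:00:16.1254477.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP unbind request. Handling of LDAP unbind request received on connection 127.0.0.1:52750 to connect as user IdBLDAP completed successfully. Duration: 00:00:00.0156256.",Normal
20170924,02:35:24,UNIFY Identity Broker,LDAP engine,Error,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:58252 for the server schema failed with error ""Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection."". Duration: 00:00:06.0373233.",Normal
20170924,03:10:00,UNIFY Identity Broker,Change detection engine,Error,"Constructed sample line: import all items for connector Example Connector failed with error ""connection timed out"".",Normal
'''

COLUMNS = ["date", "time", "product", "component", "level", "message", "priority"]
FAILED_OPS = re.compile(r"operations failed: (\d+)")
CONNECTION = re.compile(r"connection (\S+?) ")
SUPPRESS = [  # message patterns judged not worth paging on (constructed list)
    re.compile(r"Offset and length were out of bounds for the array"),
]


def parse_log(text):
    """One dict per well-formed line.  The csv module handles the doubled
    "" quoting inside the message field; malformed lines are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, rec)))
    return rows


def failed_bulk_operations(rows):
    """(timestamp, connection, count) for every Bulk End reporting failures.
    This is the broker-side trace of a rejected export even when the
    line itself is logged at Information level."""
    found = []
    for r in rows:
        m = FAILED_OPS.search(r["message"])
        if m and int(m.group(1)) > 0:
            conn = CONNECTION.search(r["message"])
            found.append((r["date"] + " " + r["time"],
                          conn.group(1) if conn else None, int(m.group(1))))
    return found


def alerts(rows):
    """Error-level rows not matched by a suppression pattern.  Suppression
    is per message, so other errors from the same component still alert."""
    return [r for r in rows if r["level"] == "Error"
            and not any(p.search(r["message"]) for p in SUPPRESS)]
```

Suppressing by message text keeps the filter narrow: the ArgumentException from this thread stops paging, while a different error from the same LDAP engine would still be raised, and the Bulk End failure count gives an alert to correlate against the export errors MIM reports on its side.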
Reading image binary data using FIMLDIFAdapter service
I currently have a PowerShell Connector that reads in image binary data utilizing the FIMLDIFAdapter service (http://localhost:59990/IdentityBroker/FIMLDIFAdapter.svc). I currently use the ImportAll function provided by this service and it works providing the maximum message size quota for incoming messages is set fairly high (3040032000 bytes to be specific). If I try a lower value (i.e. 2040032000 bytes), this will cause the connector to fail with an exception "The maximum message size quota for incoming messages (2040032000) has been exceeded."
I was wanting to know if there was a more efficient way to read from this service (another function I've possibly missed?), other than just increasing this value, as the more users that have images in the adapter the larger this quota needs to be.
Thank you
Yes, there's the OData Gateway. However, all endpoints are going to be subject to size limits/timeout/etc. for security purposes, so check the specifications/documentation.