Identity Broker Forum

Welcome to the community forum for Identity Broker.


0
Completed

IdB search logging on Diagnostic instead of Verbose

Carol Wapshere 7 years ago in PowerShell connector updated by Matthew Davis (Technical Product Manager) 2 months ago 6

With the PowerShell connector I add lots of logging into my scripts. When troubleshooting I want to bump the log level up to Verbose so I can see my Information logs - however IdB UI search logging also seems to run at this level. So if I put "My PowerShell script" as a search in the IdB Logs UI it fills up with lots of logging about that particular search string, making it hard for me to track my own logs. Could the IdB search logging be moved to a Diagnostic setting?

Answer

This has been implemented and is available in the release of UNIFYConnect V6, which will be made available shortly.

0
Answered

Workday Identity Broker information

Werner Deysel 7 years ago in UNIFYBroker/Workday updated by anonymous 7 years ago 3

Hi,


I would like to know some things about the Workday Identity Broker.


1. Does the Identity Broker honor the Workday +7 hrs time difference or does it ignore it?

2. What data gets imported via the Delta stages when it Imports it from Workday?


Would anyone be able to assist in finding out those questions?


Kind Regards

Werner

Answer
anonymous 7 years ago

Hi Werner,

1. Are you referring to the buggy/inconsistent handling of time-zones by Workday? If so, the connector accounts for it where we have noticed it being an issue. Currently this is on the Polling import calls (Worker and Organization - using the timezone offset setting), as well as the comparison against hire date and seniority date (uses a date comparison instead of time based).

2. I've added a note to the Usage section on the Workday Worker Connector.

Thanks.

0
Answered

Aurion ESS account Template

Carol Wapshere 7 years ago in UNIFYBroker/Aurion updated by anonymous 7 years ago 1

I have been asked to find out if the Aurion connector supports specifying a "template" at the point of creating the ESS account. Apparently this will mean that MailType and other options are set according to the template. I know I can set these attributes directly, and this is what I intend to do, but the customer would like to continue to use her template if possible - only if specifying a template is supported by sec_user_add of course.

Answer
anonymous 7 years ago

There is no TEMPLATE field for the SEC_USER_ADD function. Have a look at the CopyFromUserId field (COPY_FROM_USER_ID) to see if it meets your requirements.

0
Answered

Unify.Product.IdentityBroker.LDAPModifyException: Cannot add the value to the existing, non-multivalue field

Carol Wapshere 7 years ago updated by Adrian Corston 5 years ago 20

There's an error being reported in MIM Sync on exports to a particular IdB connector several times a day. I haven't worried too much about it because the export actually works and the error is never exactly repeated (so it's not repeatedly failing to export the same change) - however I'm trying to clean up the monitoring so reported errors are worth looking into.

The error occurs seemingly randomly, as in there is no pattern of specific entity or time of day that I can see. It is always the same adapter, which backs on to a SQL connector talking to a SQL table (not a view). The error is always much the same except the attribute always changes - again I don't see a pattern. None of the attributes are multi-valued in the target table, IdB or MIM.

Here's an example of the error reported in MIM. I'm showing the healthcheck version so you can see the entity specified and the timestamp:

   ErrorDN: CN=25600,OU=LANDesk,DC=IdentityBroker
   ErrorDetail:
   ErrorFirstOccurred: 2017-11-06T07:59:03
   ErrorMessage: Internal Server Error #9: Unify.Product.IdentityBroker.LDAPModifyException: Cannot add the value 41-50-53-34 to the existing, non-multivalue field Classification. at Unify.Product.IdentityBroker.LDAPModifyRequestToEntityConverter.HandleAttributeValueAdd(IModifyRequestOperation op, IAdapterEntity entity, IEntitySchema schema) at Unify.Product.IdentityBroker.LDAPModifyRequestToEntityConverter.Transform(IRfcModifyRequest sourceValue, IAdapterEntity origEntity) at Unify.Product.IdentityBroker.ModifyRequestHandler.InnerApplyTransformation(IHandleRequestCoreRequest request, LDAPModifyRequestToEntityConverter converter)
   ErrorSyncType: export-error
   ErrorType: Other
   HCRecordType: FIMSync_Run_ErrorObject
   MVObjectGUID: 540553ea-7e48-e711-80c7-005056a374e3
   MaName: LANDesk
   RunID: 6e0a6558-280f-4625-b0cc-9aea0ae83564
   TimeInErrorDays: 0
   _time: 2017-11-06T07:59:03


I've looked at the IdB logs for the same time but there is no error reported there. The logs agree that an export was being run to the expected connector. The only entity specifically mentioned does not match the entity reported in the MIM Sync error:

20171106,07:58:59,UNIFY Identity Broker,LDAP Engine,Information,A client has connected to the LDAP endpoint from address: 127.0.0.1:52744.,Normal
20171106,07:59:04,UNIFY Identity Broker,LDAP Engine,Information,A client has connected to the LDAP endpoint from address: 127.0.0.1:52750.,Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk Start request.
Handling of LDAP Bulk Start request received from user IdBLDAP on connection 127.0.0.1:52744 completed successfully. Duration 00:00:18.1411237.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Root DSE request.
Handling of LDAP Root DSE request from user IdBLDAP on connection 127.0.0.1:52750 for the Root DSE completed successfully. Duration: 00:00:13.1409918.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP search request.
Handling of LDAP search request from user IdBLDAP on connection 127.0.0.1:52750 targeting DC=IdentityBroker with a scope of SingleLevel completed successfully. Duration: 00:00:12.1409653.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk End request.
Handling of LDAP Bulk End request received from user IdBLDAP on connection 127.0.0.1:52744 completed successfully with operations failed: 1. Duration 00:00:16.1254477.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk Update request.
Handling of LDAP Bulk Update request received from user IdBLDAP on connection 127.0.0.1:52744 completed successfully without results available for logging. Duration 00:00:17.1410874.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP bind request.
Handling of LDAP bind request received on connection 127.0.0.1:52750 to connect as user IdBLDAP completed successfully. The bind was successful. Duration: 00:00:14.1410105.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request.
Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:11.1096809.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP unbind request.
Handling of LDAP unbind request received on connection 127.0.0.1:52744 to connect as user IdBLDAP completed successfully. Duration: 00:00:15.1410375.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request.
Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:09.4690085.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request.
Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:08.6408457.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP bind request.
Handling of LDAP bind request received on connection 127.0.0.1:52744 to connect as user IdBLDAP completed successfully. The bind was successful. Duration: 00:00:19.1411493.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request.
Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:07.6408392.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request.
Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:06.6251852.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP schema request.
Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:52750 for the server schema completed successfully. Duration: 00:00:05.6407763.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Root DSE request.
Handling of LDAP Root DSE request from user IdBLDAP on connection 127.0.0.1:52750 for the Root DSE completed successfully. Duration: 00:00:04.6876294.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP change log request.
Handling of LDAP change log request from user IdBLDAP on connection 127.0.0.1:52750 completed successfully. Added: 1. Modified: 0. Renamed: 0. Deleted: 0. Total: 1. Duration: 00:00:04.1407369.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP change log request.
Handling of LDAP change log request from user IdBLDAP on connection 127.0.0.1:52750 completed successfully. Added: 3. Modified: 2. Renamed: 0. Deleted: 0. Total: 5. Duration: 00:00:03.1407136.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP search request.
Handling of LDAP search request from user IdBLDAP on connection 127.0.0.1:52750 targeting CN=25777,OU=LANDesk,DC=IdentityBroker with a scope of BaseObject completed successfully. Results: 1. Duration: 00:00:02.1406773.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP unbind request.
Handling of LDAP unbind request received on connection 127.0.0.1:52750 to connect as user IdBLDAP completed successfully. Duration: 00:00:00.0156256.",Normal
20171106,07:59:20,UNIFY Identity Broker,Change detection engine,Information,"Change detection engine import all items started.
Change detection engine import all items for connector Aurion Security Records started.",Normal

Answer
anonymous 7 years ago

Hi Carol,

The error "Cannot add the value 41-50-53-34 to the existing, non-multivalue field Classification" indicates that MIM is attempting to export an update to an entity which adds a value to a field for which the entity already has a value, and that field is not multi-valued. This isn't logged in Identity Broker as an error because as far as Identity Broker is concerned, it correctly responded to an invalid request with a failure - there is no error of processing in Identity Broker.

This usually indicates that the data in Identity Broker and the MIM connector space have grown out of sync, and can be resolved with an import + sync cycle. The fact that this issue resolves itself suggests this is likely.
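
In the log excerpt in this thread, the rejected export appears only as an Information-level "operations failed: 1" on the LDAP Bulk End record, so a severity filter will not surface it. As an added example (not part of the original thread and not UNIFY's code), this Python script parses that log format and matches a MIM export-error timestamp to nearby Bulk End failures; the function names and the 60-second window are assumptions.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Sample lines copied from the Identity Broker log excerpt in the thread above.
SAMPLE_LOG = """\
20171106,07:59:04,UNIFY Identity Broker,LDAP Engine,Information,A client has connected to the LDAP endpoint from address: 127.0.0.1:52750.,Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP Bulk End request.
Handling of LDAP Bulk End request received from user IdBLDAP on connection 127.0.0.1:52744 completed successfully with operations failed: 1. Duration 00:00:16.1254477.",Normal
20171106,07:59:19,UNIFY Identity Broker,LDAP engine,Information,"Handling of LDAP search request.
Handling of LDAP search request from user IdBLDAP on connection 127.0.0.1:52750 targeting CN=25777,OU=LANDesk,DC=IdentityBroker with a scope of BaseObject completed successfully. Results: 1. Duration: 00:00:02.1406773.",Normal
"""

BULK_END = re.compile(
    r"Bulk End request received from user (?P<user>\S+) on connection "
    r"(?P<conn>\S+) completed successfully with operations failed: (?P<failed>\d+)\."
)


def failed_bulk_exports(log_text):
    """Return Bulk End records that report at least one failed operation."""
    hits = []
    # csv.reader keeps the quoted two-line message together as one field.
    for row in csv.reader(io.StringIO(log_text, newline="")):
        if len(row) < 7:
            continue  # skip blank or truncated lines
        date, time, _source, _module, severity, message = row[:6]
        m = BULK_END.search(message)
        if m and int(m["failed"]) > 0:
            hits.append({
                "when": datetime.strptime(date + " " + time, "%Y%m%d %H:%M:%S"),
                "severity": severity,
                "user": m["user"],
                "connection": m["conn"],
                "failed": int(m["failed"]),
            })
    return hits


def correlate(mim_error_time, log_text, window=timedelta(seconds=60)):
    """Match a MIM export-error timestamp to Bulk End failures logged nearby."""
    when = datetime.fromisoformat(mim_error_time)
    return [h for h in failed_bulk_exports(log_text)
            if abs(h["when"] - when) <= window]


if __name__ == "__main__":
    # ErrorFirstOccurred value from the MIM healthcheck record in the thread.
    for hit in correlate("2017-11-06T07:59:03", SAMPLE_LOG):
        print(hit)
```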

0
Answered

Blocking a transformation for one entity

Carol Wapshere 8 years ago updated by anonymous 8 years ago 6

I expect the answer is No, but worth asking...

Aurion has the head of Dept's position shown as reporting to her EA. This is apparently necessary for some internal Aurion reason. However they don't want her EA appearing as her Manager all over the place (as it currently is, including in the Corporate Directory).

As I can't do an Advanced Flow Rule on a reference attribute I can't selectively block "manager" coming into the Metaverse. (I may have to implement a scoped Sync Rule just for this one flow - yuck!)

If at all possible, is there any way I can exclude one entity on the Join transformation that is generating the Manager attribute inside the IdB Adapter?

Answer
anonymous 8 years ago

Hi Carol,

No, this is not directly possible with the Join transformation. If you're using Identity Broker v5.1 or above, you could consider using the PowerShell Transformation to remove the value (by assigning the value null) to the appropriate field of the target entity.

0
Not a bug

GUI issue after an update to Aurion IDB Connector 4.1.3

Anthony Soquin 8 years ago in UNIFYBroker/Aurion updated by anonymous 8 years ago 17

Hi,

After the update of the Aurion IDB Connector 4.1.3 from 4.1.0 on Identity Broker Service 4.1.0.

I have the following web page when I try to configure the connector:

Image 4619


Instead of:

Image 4620


I followed the following guide installation: https://unifysolutions.jira.com/wiki/spaces/IDBAUR41/pages/54165644/Installation

Do you have an idea of the root cause and how to fix it?

Thanks in advance

Regards,

Answer
anonymous 8 years ago

The issue is caused by being on a DEV version of Identity Broker. Either upgrade to the RTM, or the latest v4.1.x.

0
Answered

Check version of WSP installed?

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft SharePoint updated 8 years ago 5

How can I check the version of WSP installed on SharePoint?

Need to know in case we need to revert if upgrade does not go as planned.


Answer
anonymous 8 years ago

As the DLLs are deployed to the GAC, there is no need to roll back that part (strongly named allowing multiple versions to be deployed). The SharePoint administrator should know how to redeploy/upgrade/downgrade the wsp file that you provide.

0
Answered

Aurion Security User User_Name

Carol Wapshere 8 years ago in UNIFYBroker/Aurion updated by anonymous 7 years ago 17

I'm having a problem with a number of Aurion Security Users getting a UserName (which is actually the Display Name) of only their Surname, instead of "Surname, FirstName". MIM Sync is queuing the correct value to be exported through IdB, but the value does not get changed in Aurion.

I have manually changed someone's UserName in Aurion (as the same account that IdB uses) but it gets reverted to Surname.

I have run a series of Full Import Syncs and Exports with the Verbose logging on. In one case I see this:

Add entities [Count:126] to connector Aurion Security User Connector failed with reason Aurion API error -1: System Status is currently set to Exclusive. Access Denied.. Duration: 00:00:01.0140260
Error details:
System.Exception: Aurion API error -1: System Status is currently set to Exclusive. Access Denied.
   at Unify.Communicators.AurionWSCommunicator.Logon(String userName, String password)
   at Unify.Communicators.AurionAgent.Open()
   at Unify.Connectors.AurionSecurityUserConnector.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)
   at Unify.Product.IdentityBroker.EventNotifierUpdatingConnectorDecorator.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)",Normal

But elsewhere I see this, which looks like it should have worked:

Add entities [Count:126] to connector Aurion Security User Connector reported 126 entities saved. Duration: 00:00:10.4522680",Normal

Answer
anonymous 7 years ago

Hi Carol,

Please find attached Aurion Patches.zip which contains two potential patches for this issue. The DLL inside the Quote directory wraps quotes (") around values containing commas (,) and the DLL inside the Bullet directory replaces the delimiter with a bullet (•). Please test both and let us know how they go.

Edit: Carol has confirmed that the bullet works.

0
Answered

Identity Broker as an LDAP proxy?

Daniel Walters 8 years ago updated by anonymous 8 years ago 1

From reading the documentation, I think this will be possible but I'd like to know if Identity Broker could act as an LDAP proxy, connecting to an LDAP directory and then exposing the data via LDAP. The reason for this is that the source system has unescaped trailing spaces in DNs and One Identity can't handle this (it ignores the entries entirely). So is this possible? And would IdB be able to handle and trim the unescaped trailing spaces in the Distinguished Names?

Answer
anonymous 8 years ago

Yes, Identity Broker is able to expose its data via LDAP. However, there is no out-of-the-box LDAP connector, so connectivity to your directory would need to be developed in either PowerShell or .NET.

0
Completed

Timeout for connectors in Identity Broker

Tom Parker 8 years ago updated by anonymous 8 years ago 4

Is it possible to implement a timeout function for connectors doing full imports so that if there is some kind of issue that causes the import to hang it can put an error in the logs and continue, rather than cease imports on all connectors?

Answer
anonymous 8 years ago

Hi Tom,

Timeouts are usually handled on a per-connector basis. Is there a particular connector you are interested in?