Identity Broker Forum

Aurion Security User User_Name
I'm having a problem with a number of Aurion Security Users getting a UserName (which is actually the Display Name) of only their Surname, instead of "Surname, FirstName". MIM Sync is queuing the correct value to be exported through IdB, but the value does not get changed in Aurion.
I have manually changed someone's UserName in Aurion (as the same account that IdB uses) but it gets reverted to Surname.
I have run a series of Full Import Syncs and Exports with the Verbose logging on. In one case I see this:
Add entities [Count:126] to connector Aurion Security User Connector failed with reason Aurion API error -1: System Status is currently set to Exclusive. Access Denied.. Duration: 00:00:01.0140260
Error details:
System.Exception: Aurion API error -1: System Status is currently set to Exclusive. Access Denied.
at Unify.Communicators.AurionWSCommunicator.Logon(String userName, String password)
at Unify.Communicators.AurionAgent.Open()
at Unify.Connectors.AurionSecurityUserConnector.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)
at Unify.Product.IdentityBroker.EventNotifierUpdatingConnectorDecorator.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)",Normal
But elsewhere I see this, which looks like it should have worked:
Add entities [Count:126] to connector Aurion Security User Connector reported 126 entities saved. Duration: 00:00:10.4522680",Normal

Hi Carol,
Please find attached Aurion Patches.zip which contains two potential patches for this issue. The DLL inside the Quote directory wraps quotes (") around values containing commas (,) and the DLL inside the Bullet directory replaces the delimiter with a bullet (•). Please test both and let us know how they go.
Edit: Carol has confirmed that the bullet works.

Identity Broker as an LDAP proxy?
From reading the documentation, I think this will be possible but I'd like to know if Identity Broker could act as an LDAP proxy, connecting to an LDAP directory and then exposing the data via LDAP. The reason for this is that the source system has unescaped trailing spaces in DNs and One Identity can't handle this (it ignores the entries entirely). So is this possible? And would IdB be able to handle and trim the unescaped trailing spaces in the Distinguished Names?

Yes, Identity Broker is able to expose its data via LDAP. However, there is no out-of-the-box LDAP connector, so connectivity to your directory would need to be developed in either PowerShell or .NET.

Timeout for connectors in Identity Broker
Is it possible to implement a timeout function for connectors doing full imports so that if there is some kind of issue that causes the import to hang it can put an error in the logs and continue, rather than cease imports on all connectors?

Hi Tom,
Timeouts are usually handled on a per-connector basis. Is there a particular connector you are interested in?

Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
I'm trying to understand what this error means - I'm seeing this error logged a number of times a day in the IdB logs but having trouble pinning it to a specific connector.
Sometimes the line in the log is this:
20170924,02:35:24,UNIFY Identity Broker,LDAP engine,Error,"Handling of LDAP schema request. Handling of LDAP schema request from user IdBLDAP on connection 127.0.0.1:58252 for the server schema failed with error ""Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection."". Duration: 00:00:06.0373233.",Normal
Sometimes it's this:
20170924,12:14:56,UNIFY Identity Broker,LDAP Engine,Error,"An error occurred on client from 127.0.0.1:60790. More details: Internal Server Error #11: System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection. at System.Array.Reverse(Array array, Int32 index, Int32 length) at System.Collections.Generic.Stack`1.System.Collections.ICollection.CopyTo(Array array, Int32 arrayIndex) at Unify.Framework.Collections.CallContextScope`1.get_CurrentScope() at Unify.Framework.Auditing.AuditTrailScope.Dispose() at Unify.Product.IdentityBroker.RequestHandlerAuditingDecorator.TryRetrieveHandlerReport(IDictionary`2& handlerReports) at Unify.Product.IdentityBroker.LDAPConnection.<RespondToMessageAsync>d__35.MoveNext()",Normal
Things seem to be working fine, however these errors are showing up in monitoring so I'd like to either eradicate the error, or filter it out somehow if it's of no concern.

Reading image binary data using FIMLDIFAdapter service
I currently have a PowerShell Connector that reads in image binary data utilizing the FIMLDIFAdapter service (http://localhost:59990/IdentityBroker/FIMLDIFAdapter.svc). I currently use the ImportAll function provided by this service and it works providing the maximum message size quota for incoming messages is set fairly high (3040032000 bytes to be specific). If I try a lower value (i.e. 2040032000 bytes), this will cause the connector to fail with an exception: "The maximum message size quota for incoming messages (2040032000) has been exceeded."
I was wanting to know if there was a more efficient way to read from this service (another function I've possibly missed?), other than just increasing this value, as the more users that have images in the adapter the larger this quota needs to be.
Thank you

Yes, there's the OData Gateway. However, all endpoints are going to be subject to size limits/timeout/etc. for security purposes, so check the specifications/documentation.

IdB 4.1.0 support for Aurion 11.30
Working with the following IdB and Aurion connector versions:
I noticed the below statement:
"Aurion v10.1.2.04 MR1 or higher." - https://unifysolutions.jira.com/wiki/spaces/IDBAUR41/pages/54165664/Prerequisites
Want to confirm:
1. Aurion connector version 4.1.2 supports Aurion 11.30
2. Any known issues with the upgrade from Aurion connector version 4.1.0 to 4.1.2.
3. Any known issues with IdB regarding Aurion upgrade to 11.30

- We support versions greater than v10.1.2.04 MR1
- Not unless there's documentation or issues raised (we're improving the known issues section on the release notes in the future to better capture this)
- Yes, see release notes (Aurion 11.16 has a breaking change which we have released a workaround for)

Mapping Aurion security user ExternalMailType
I am trying to set an additional value on the Aurion Security User on provisioning. The Aurion attribute is T803F275_EXTERNAL_MAIL.T803_SECURITY_USER, it is of type String, and needs to be set to the value "10".
I have had this attribute added to the Aurion report and mapped it in the Connector config file (it comes through to me as "Mail"). I can run a connector import and see all the entities with a value of "10" in this field.
When I provision a new connector space object in MIM the value is populated, however on export the export does actually run and the Aurion Security User gets created, however the Mail value is blank. There are no errors at all in the IDB log file.

Hi Carol,
The field is "ExternalMailType" (it comes through the schema provider). Add this field name and map it to the "Mail" attribute from the query results.
Thanks.

Baseline & Sync Procedure for IdB Chris21 LITE
When wanting to synchronize IdB Chris21 LITE with an out-of-sync AD, I am running the following two items:
1. AD Baseline
2. AD Synchronize
Before I run the above tasks, should Chris21 and/or AD Realtime Change Processing be disabled?
UNIFY Identity Broker Management Studio v0.0.5 Revision
Plugins:
* MS AD 4.1.3.0
* Chris 21 Connector 4.1.1.0

Extended Database Connector has "stopped-extension-dll-exception" occur till full import is run
Occasionally delta import to MIM will fail with the “stopped-extension-dll-exception” error. When the error occurs, it will continue over and over until a full import is run.
Event viewer logs:
The extensible extension returned an unsupported error.
The stack trace is:
"Unify.Product.IdentityBroker.LdapOperationException: Error during processing of SearchRequest targetting cn=changelog: Operation timed out while waiting for message queue with id of 10. ---> System.OperationCanceledException: Operation timed out while waiting for message queue with id of 10.
at Unify.Product.IdentityBroker.LdapConnection.GetMessage(Int32 messageId)
at Unify.Product.IdentityBroker.SearchRequest.Send(Func`2 send, Func`2 recv)
at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
at Unify.Product.IdentityBroker.LdapConnectionProxy.<SearchRequestPaged>d__8.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.<GetChangedEntriesPaged>d__30.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Enumerable.<SelectManyIterator>d__14`2.MoveNext()
at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
at Unify.Product.IdentityBroker.ExtensionMethods.<Page>d__3`1.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
Environment:
- Identity Broker v5.1.0 Revision #0
- MIM 4.3.2266.0

Create Agents for Connector within Connector interface
I think IdB would be easier to use if when a configuration object was required but did not exist the user could easily create one without losing their current object entries.
A good example is how the new Azure Portal works... if you need to create an object that requires another object to be created first; when the option appears to choose the second object you always have the option to make a new object (which if significant configuration is needed brings you to a new sub-screen and back to the original when completed).
The general idea is that users usually start off with a goal in mind and start down that track ("I need a connector!") and along the way they discover detail ("Oh, I also need an Agent, dam it!"); and ensuring the product permits that kind of thinking makes the product far more natural (and so easier) to use.
Unfortunately I don't know enough about web GUIs to know how this can be easily accomplished. :/

Thanks for the feedback, Michael.
In the particular case of creating a connector with no available agents, the UI does direct you to create an agent, however it doesn't direct you back to the connector afterwards.
This would be quite difficult to implement currently, but we are planning an overhaul to the UI in an upcoming release, so I will add this to the list of desirable workflows that it should support.