Identity Broker Forum


0
Completed

Install IdB MIM Adapter DLL to appropriate MIM directory

The MIM adapter currently installs to a Unify directory in Program Files, after which it needs to be moved manually into the appropriate MIM Directory.

The installer could install into the appropriate directory, which would result in better end user experience, both in the initial install and in repairs.

The FIM Sync base directory can be retrieved from the registry at: 

SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\Path

as documented here.

After this \extensions needs to be added to the path value to find the location.

Answer

Will be included in the next adapter release.
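
An added example (not part of the original post or the product's installer) of the lookup the request describes: read the FIM Sync base path from the registry, append the Extensions folder, and copy the adapter DLL there, confirming the copy by hash. The HKLM hive, the function name and the caller-supplied DLL path are assumptions; the page gives only the key path and the value name.

```powershell
# Added example: resolve the MIM/FIM Sync Extensions directory and install a DLL into it.
# Assumptions: the key lives under HKLM; -SourceDll is a placeholder path supplied by the caller.
function Install-AdapterToMimExtensions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$SourceDll
    )

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'

    if (-not (Test-Path -LiteralPath $SourceDll -PathType Leaf)) {
        throw "Source DLL not found: $SourceDll"
    }
    if (-not (Test-Path -LiteralPath $key)) {
        throw "FIM Synchronization Service is not installed (registry key missing)."
    }

    # 'Path' holds the sync service base directory; the adapter belongs in its Extensions subfolder.
    $basePath = (Get-ItemProperty -LiteralPath $key -Name 'Path').Path
    if ([string]::IsNullOrWhiteSpace($basePath)) {
        throw "Registry value 'Path' is empty under $key"
    }
    $extensions = Join-Path -Path $basePath -ChildPath 'Extensions'
    if (-not (Test-Path -LiteralPath $extensions -PathType Container)) {
        throw "Extensions directory not found: $extensions"
    }

    $target = Join-Path -Path $extensions -ChildPath (Split-Path -Path $SourceDll -Leaf)
    if ($PSCmdlet.ShouldProcess($target, 'Copy adapter DLL')) {
        Copy-Item -LiteralPath $SourceDll -Destination $target -Force

        # Confirm the installed file is byte-identical to the source.
        $src = (Get-FileHash -LiteralPath $SourceDll -Algorithm SHA256).Hash
        $dst = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        if ($src -ne $dst) { throw "Hash mismatch after copy: $target" }
    }
    return $target
}
```

Run it from an elevated session; `-WhatIf` shows the resolved target without copying.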

0
Fixed

Unable to retrieve schema

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 15

MIM's IdB MA is unable to retrieve schema from IdB during implementation. Error returned is:

-------------------------------------------
Synchronization Service Manager

Unable to retrieve schema. Error: Exception from HRESULT: 0x80231343
-------------------------------------------


Event Log contains the following:

-------------------------------------------

The extensible extension returned an unsupported error.
 The stack trace is:
 
 Unify.Product.IdentityBroker.LdapOperationException: Object reference not set to an instance of an object.
   at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
   at Unify.Product.IdentityBroker.LdapConnection.GetSchema(String schemaDn)
   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
   at System.Linq.Enumerable.Aggregate[TSource](IEnumerable`1 source, Func`3 func)
   at Unify.Product.IdentityBroker.LdapConnectionProxy.get_Schema()
   at Unify.Product.IdentityBroker.UnifyLdapConnectorTypeProxy.GetSchema(KeyedCollection`2 configParameters)
Forefront Identity Manager 4.4.1459.0

-------------------------------------------



Answer
anonymous 8 years ago

Thanks Matt,

It looks like you have an entry in the [Container] table left over from an adapter with a container name of users. These should be removed automatically when you delete the adapter, or if you delete it directly from the xml config, at service startup. I'm not sure how it's managed to stay in there for you if you don't have any such adapter. You can manually delete the entry from the [Container] table where the [DistinguishedName] column has the value OU=users,DC=IdentityBroker to resolve this issue, and I'll re-raise this as a bug in our backlog.

You should be able to remove the patches supplied on this issue as well.

0
Not a bug

Missing object class in IdB 5.1

Matthew Woolnough 8 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 8 years ago 22

Configuring IdB5.1 for the first time with SharePoint connector and MIM. MIM does not see the object class that the Adapter is presenting, but it does see the container.

IdB for MIM 5.1 RC2 is the version I have installed.

Answer
anonymous 8 years ago

I forgot that the installer doesn't put the DLL into the right directory. 🤦

The 5.0 version was in an responding to requests. 

I'm getting a different error now, but will open a new issue for that one. 


0
Not a bug

PowerShell Connector handling of DN.multi attributes where there is a single value

Boyd Bostock 8 years ago in PowerShell connector updated by anonymous 8 years ago 4

The PowerShell Connector treats DN.multi attributes with a single value differently to how it treats string.multi attributes with a single value. This can be overcome in the script; however, it unnecessarily complicates the import script.

Error if handled the same as a string.multi (appears to take first char rather than first array entry):

DN.multi Error.txt

Script that will handle the single value: StudentParentRelationshipsImport.ps1

DN.multi attribute: ParentRelationshipDNs

String.multi attribute: ParentIDLIST


Identity Broker: v5.0.5


Answer
anonymous 8 years ago

Hi Boyd,

This appears to be a peculiarity with PowerShell.

$array = @('A')
$array.GetType() # Object[]
$sort = $array | Sort
$sort.GetType() # String
$sort = @($array | Sort)
$sort.GetType() # Object[]

Please make sure that you force your value into an array before assigning to multi-valued fields.
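
An added example (not from the original thread or the connector) showing the unrolling behaviour described above, why it surfaces as a "first char" error, and one way to force the array shape before assignment. `ConvertTo-MultiValue`, the `$entity` hashtable and the sample DN are hypothetical; `ParentRelationshipDNs` is the attribute name from the question.

```powershell
# Added example: why a single-valued result breaks multi-valued assignment, and how to guard it.
# ConvertTo-MultiValue is a hypothetical helper; the DN below is a constructed sample value.
function ConvertTo-MultiValue {
    param([AllowNull()]$Value)
    # Null becomes an empty array, a scalar becomes a one-element array, arrays pass through.
    # The leading comma stops PowerShell from unrolling the array again on return.
    if ($null -eq $Value) { return ,([string[]]@()) }
    return ,([string[]]@($Value))
}

$dns = @('CN=P1001,OU=Parents,DC=IdentityBroker')   # constructed sample, one entry

# The pipeline unrolls a one-element collection into a bare scalar string.
$unrolled = $dns | Sort-Object
$unrolled.GetType().Name

# Indexing that scalar addresses characters of the string, not array entries,
# which is how a consumer expecting a list ends up with the first character.
$unrolled[0]

# Forcing the shape restores a one-element string array whose first entry is the full DN.
$fixed = ConvertTo-MultiValue ($dns | Sort-Object)
$fixed.GetType().Name
$fixed[0]

# Assign to the multi-valued field only after forcing the shape.
$entity = @{}
$entity['ParentRelationshipDNs'] = ConvertTo-MultiValue ($dns | Sort-Object)
$entity['ParentRelationshipDNs'].Count
```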

0
Fixed

Adapter object doesn't have corresponding object in Connector resulting in "duplicate-objects error"

Tom Parker 8 years ago updated by anonymous 8 years ago 4

This is related to http://voice.unifysolutions.net/topics/2674-idb-51-returning-duplicate-objects-that-only-exist-once-in-the-adapterconnector/ although the bug is now exhibiting new characteristics and the workaround is no longer working.

Image 4007

Drilling down on one of these records we can see that they exist twice in IdB adaptor but only once in the connector:

Image 4008

Image 4009

The second entry in the adaptor was once correct but has since been removed from the source system (as this is to do with student enrollments that's a normal procedure). According to Andrew Silcock's notes in the linked job, previously the entries only existed in the adaptor once.



0
Declined

Cannot create a DN in the format UID=-12345

Bob Bradley 8 years ago updated by anonymous 8 years ago 4

It would be great to be able to extend the definition of a valid IdB DN to include the "-".

The following error is raised when attempting to export a new record to an underlying SQL entity via IdB4:

Log Name:      Application
Source:        FIMSynchronizationService
Date:          13/04/2017 3:07:52 PM
Event ID:      6801
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      CENTRELINK-FIM.unifyfim.unifytest.local
Description:
The extensible extension returned an unsupported error.
 The stack trace is:
 
 "System.Exception: Error occurred when attempting to save entity with distinguished name

UID=-281283620

Error:

1 items failed schema validation during Adapter operation.  Check log for validation errors.
   at Unify.Product.IdentityBroker.Adapter.GetReverseTransformedEntities(IEnumerable`1 entities)
   at Unify.Product.IdentityBroker.Adapter.AddEntities(IEnumerable`1 entities, EntityToConnectorEntityBridge[]& backwardAdapterEntities)
   at Unify.Product.IdentityBroker.Adapter.AddEntities(IEnumerable`1 entities)
   at Unify.Product.IdentityBroker.AdapterNotifierDecoratorBase`1.AddEntity(IAdapterEntity entity)
   at Unify.Product.IdentityBroker.AdapterNotifierDecoratorBase`1.AddEntity(IAdapterEntity entity)
   at Unify.Product.IdentityBroker.LDIFAdapterBase.HandleExportAdd(IAdapter adapter, IAdapterEntitySaveChange pendingAdd)
   at Unify.Product.IdentityBroker.LDIFAdapterBase.ExportChanges(ExportedLDIFForAdapter exportedLdifForAdapter)
   at SyncInvokeExportChanges(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
   at Unify.Product.IdentityBroker.IdentityBrokerManagementAgentProxy.ExportEntry(ModificationType modificationType, String[] changedAttributes, CSEntry csentry)
   at Unify.Product.IdentityBroker.IdentityBrokerManagementAgent.ExportEntry(ModificationType modificationType, String[] changedAttributes, CSEntry csentry)
Forefront Identity Manager 4.0.3732.2"

I don't see why this should be an invalid DN - e.g. it is perfectly acceptable in ADLDS.

The reason for wanting to do this was in a test scenario where I need to enforce uniqueness so I don't clash with an existing range of identities - so flipping the sign was the simplest way to achieve this.

In the end I was able to come up with another way of generating a unique ID, but I thought this deserved consideration anyhow.

Answer
anonymous 8 years ago

Closed, not enough information provided.

0
Not a bug

BadImageFormatException on service startup

Matthew Woolnough 8 years ago updated by anonymous 8 years ago 4

Attempting new install of IdB 5.1 on Windows 2016. Installing Aurion connector 5.0.1 and trying to create the agent. The configuration section of the Agent is missing.

Error below is seen in logs:

20170502,22:32:16,UNIFY Identity Broker,Service Engine,Warning,"An error occurred whilst coordinating the plug-in engine. The error was:
System.BadImageFormatException: Could not load file or assembly 'file:///C:\Program Files\UNIFY Solutions\Identity Broker\Services\Unify.Service.Connect32.exe' or one of its dependencies. An attempt was made to load a program with an incorrect format.
File name: 'file:///C:\Program Files\UNIFY Solutions\Identity Broker\Services\Unify.Service.Connect32.exe'

How can I get the configuration section displayed so I can configure it?

Answer
anonymous 8 years ago

That gets logged with Verbose logging - there's nothing actually wrong. It may be fixed in v5.2.

To use v5.1 you'll have to install a v5.1.x connector.

0
Declined

Separation of Signature and SendAs

Boyd Bostock 8 years ago in UNIFYBroker/Google Apps updated by anonymous 8 years ago 3

The signature is currently combined in the same attribute as the SendAs field. Is it possible to separate these attributes?

Signature in UI showing linkage to default SendAs

Image 3925

Signature in UI showing linkage to non-default SendAs

Image 3926

<SendAs name="" address="bbostock@cns.catholic.edu.au" replyTo="" signature="<div dir="ltr"><div>Regards</div><div>My Name</div><div><br></div><div>My Title2</div><div>My Department2</div><div>My Company2</div><div>p: 0400 000 000</div><div>e: <a href="mailto:myemail@mycompany2.com" target="_blank">myemail@mycompany2.com</a></div></div>" default="false" />, <SendAs name="Boyd Bostock" address="bbostock@sscc.qld.edu.au" replyTo="" signature="<div dir="ltr">Regards<div>My Name</div><div><br></div><div>My Title</div><div>My Department</div><div>My Company</div><div>p: 0400 000 000</div><div>e: <a href="mailto:myemail@mycompany.com" target="_blank">myemail@mycompany.com</a></div><div><br></div></div>" default="true" />

Answer
anonymous 8 years ago

I think it will be problematic as email addresses will change if people transfer between schools. For my purposes I will configure the MIM Rule Extension to preserve the signature if present.

0
Not a bug

Google Groups: External Members email address case mismatch

Boyd Bostock 8 years ago in UNIFYBroker/Google Apps updated by anonymous 8 years ago 2

I have found that differences in case between MIM and Google are causing unnecessary exports. To overcome this I have ensured all email address exports are in lowercase; the exports are successful but a subsequent import from Google returns the addresses in the original case.

I have found an anomaly in Google where one view shows the addresses in lowercase and another in mixed case. I suspect that although the email address case changes successfully it is not synchronised everywhere.

Admin Console View

Image 3909

Google Groups View

Image 3910

  • Is there another membership attribute that can be used instead?
  • Is there a transformation that can convert to lowercase (multi-valued field)? MIM cannot do this for confirming imports.
  • Is it possible/appropriate to add an option to the Connector to import all email addresses as lowercase?

Answer
anonymous 8 years ago

No response.

0
Completed

Gmail Settings remove Labels

Boyd Bostock 8 years ago in UNIFYBroker/Google Apps updated by anonymous 8 years ago 1

Labels is one of the settings available in the GMail API and results in a large amount of data being returned. As there is no IAM requirement for Labels settings I would recommend it is removed from the Google User/GMail Settings Connector.

Answer
anonymous 8 years ago

Remove any non-required fields from the schema - that way the call won't be made as each of the fields are done as separate calls.