Identity Broker Forum

LDAP timeout
I am seeing a repeated error about LDAP timeouts when trying to read in changes from an IDB5 adapter. The error is:
Handling of LDAP change log request from user IdBAPPProxy on connection 127.0.0.1:57970 failed with error "This operation returned because the timeout period expired. (Exception from HRESULT: 0x800705B4)". Duration: 00:14:59.9992614.
That looks suspiciously like a 15 min timeout is set somewhere, but I simply cannot find where it is set.
Any advice would be appreciated.

Aurion Security User update - USER_MATCH_VALUE expected
IdB 5.0.4, Aurion Connector v5
The Aurion Security User Import worked perfectly. I am now trying to export changes in the Status value back to Aurion and I get the error "USER_MATCH_VALUE expected" reported as an export error back to the MIM Sync service. There is nothing in the IdB logs (on Verbose setting - I haven't tried Diagnostic).
It sort of sounds like maybe the User_Id value is not being sent to Aurion along with the update - however User_Id is populated in the connector, and it came from the connector import, so is definitely what Aurion has.
Exports were working in the IdB 3 solution. Does v5 do something different? Is there anything that has to be changed in Aurion to support updates?

Hi Carol,
It's referring to the missing user id, which is the user field for the security user connector. This hasn't changed in v5.0. Try adding a new connector and running the schema provider again to see the correct list of fields.
Thanks.

Distinguished Name Generator using key in dn instead of input value
DN being generated includes the user's own key, instead of the manager's:
CN=00069,OU=AurionPerson,DC=Identity Broker
instead of:
CN=00203,OU=AurionPerson,DC=Identity Broker
I expect the Input value to become the key, as it's no longer selectable in the dropdown attribute list. How do I configure this so that the SupervisorWAMI is in the DN?
Attributes:
* SupervisorWAMI: 00203
* Key: 00069
Config:
* Input: SupervisorWAMI
* target: SupervisorDN
* Single Valued: Checked
* Skip Missing: Checked
* DN Template:
- Adapter: Aurion Person
- CN = @Key

Hi Matt,
You should be able to configure the DN template as CN = [SupervisorWAMI].

IdB5 partitions not working correctly
I have 2 OUs stemming from the main IdB partition as follows:
DC=Identity Broker
-- OU=AurionUsers,DC=Identity Broker
-- OU=FutureUsers,DC=Identity Broker
If I target my Full Import Run Profile at the top of the tree (DC=Identity Broker), I expect to retrieve all objects in sub OUs, but I retrieve nothing. MIM reports completed-no-objects.
This seems like a bug to me. This is a problem, as it means that I need to have 2 MAs when 1 should suffice.

Hi Matt,
On further investigation this appears to be because the agent is being asked at the start of the run profile explicitly to exclude the two sub-containers, even if you explicitly configure it to include them with the "Containers ..." configuration on the "Configure Partitions and Hierarchies" page. This appears to be a bug with how FIM/MIM relays the configuration to the agent (note: I've been testing against FIM2010R2 but you appear to be experiencing the same behaviour).
Is there any functionality that you need that you can't achieve by targeting the two containers as individual partitions, and creating multi-step run profiles to operate on each partition?

Add Detail in Andre's document to FIM IdB5 configuration page
On this page, there is a document which contains vital configuration information missing from the actual page. It would be a good idea to move the content into the page itself.

Hi Matt,
Thanks for the feedback. The Extensible Connectivity 2.0 management agent is referenced in the first sentence of the article, although admittedly it could be clearer on the steps required to get started creating an agent. As such, I have added a section to the top of the article called Agent Creation.

How far off is IdB 5 from having a schema unique to each adapter?
How far off is IdB 5 from having a schema unique to each adapter? Both adapters will have fields like Person_Number and Given_Names and I want to avoid having to have:
AdapterA_Person_Number
and
AdapterA_Given_Names
if I don't need to. I believe this is the case as it stands with the current version of IdB.

Hi Matthew,
Thanks for the question. The reason behind the single schema was a limitation in Microsoft's generic LDAP MA. Now that we have our own MA there is some flexibility in what parts of the LDAPv3 specification that we support. We have code in the v5.1 branch that we are currently testing which allows for multiple schemas for a single directory (1 per adapter), and it is our intention to have this available in the upcoming v5.1 release.
Thanks.

What format is IdB 5 expecting when trying to match a certificate by thumbprint?
Trying to select a cert by thumbprint. A few options below:
1) 05:0A:A7:C3:5F:85:F0:A8:5B:14:1D:B6:7F:67:8C:60:4F:2D:DE:D3
2) 05 0a a7 c3 5f 85 f0 a8 5b 14 1d b6 7f 67 8c 60 4f 2d de d3
3) 050aa7c35f85f0a85b141db67f678c604f2dded3
What format do I need to use?

Hi Matthew,
The value that comes out of the certificate browser, so number 2. Just be aware that if copied straight out there will be a non-printable character that needs to be removed (don't recall if it's preceding or trailing).
Thanks.
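
Added example, not part of the original thread and not Identity Broker code: a small checker that reports any unexpected character in a pasted thumbprint, wherever it sits, and emits the space-separated form from option 2. The U+200E character in the sample is a constructed stand-in, since the thread does not say which non-printable character is copied.

```python
import unicodedata

HEX = set("0123456789abcdefABCDEF")
SEPARATORS = {" ", ":"}  # separators used in options 1 and 2 of the question


def inspect_thumbprint(raw, expected_bytes=20):
    """Normalise a pasted thumbprint and list every character that is
    neither a hex digit nor a known separator (position, code point, name)."""
    digits, unexpected = [], []
    for pos, ch in enumerate(raw):
        if ch in HEX:
            digits.append(ch.lower())
        elif ch not in SEPARATORS:
            unexpected.append(
                (pos, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
            )
    compact = "".join(digits)
    # The thumbprints in the question are 20 bytes (40 hex digits).
    if len(compact) != expected_bytes * 2:
        raise ValueError(
            f"expected {expected_bytes * 2} hex digits, got {len(compact)}"
        )
    spaced = " ".join(compact[i:i + 2] for i in range(0, len(compact), 2))
    return {"spaced": spaced, "compact": compact, "unexpected": unexpected}


if __name__ == "__main__":
    # Constructed input: option 2 with an invisible U+200E pasted in front.
    pasted = "\u200e05 0a a7 c3 5f 85 f0 a8 5b 14 1d b6 7f 67 8c 60 4f 2d de d3"
    result = inspect_thumbprint(pasted)
    for pos, code, name in result["unexpected"]:
        print(f"unexpected character at index {pos}: {code} {name}")
    print("use:", result["spaced"])
```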

Join with Priority on Date field is picking the older entry
I have multiple Aurion Employee records for each Aurion Person. I joined on the Person Number and then selected Priority and the Date_Commenced field (which is a Date data type in the connector schema). Based on the comment in the UI saying the highest value is picked I expected the record with the latest Date_Commenced to be joined, however it picked the older record. Is this how it's supposed to work? It seems wrong to me.
I have switched to using a status field and telling it to prioritise 'ACTIVE' - however I've been told that status is manually managed in Aurion so had thought the Date_Commenced field would be a safer option.

No, the use cases have always required it the other way. The recent selection is the only one that prioritises closest to the window. If you'd like me to add this to the backlog please let me know. In the meantime check to see what other implementations are doing and/or do the selection in the solution.
Thanks.

Invalid column name for DB Connector when the column name has a hyphen
I have configured an IdB 5.0.4 DB connector for a SQL table. It is complaining about a column with a "-" in the name:
"Invalid column name 'NUWorkflow'. Invalid column name 'GUID'."
In fact the column name is 'NUWorkflow-GUID' which has been successfully identified by the schema retrieval.

My mistake! I also used the column name in the WHERE clauses and didn't put square brackets around it. Thanks for testing!
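
Added example, not part of the original thread and not the connector's code: why the unbracketed name in a WHERE clause produces an error about `NUWorkflow` rather than `NUWorkflow-GUID`. The hyphen is parsed as subtraction between two columns. SQLite, which also accepts bracket-delimited identifiers, stands in for SQL Server so the example runs offline; the `Requests` table, the `Status` column and the row are constructed.

```python
import sqlite3


def bracket(name):
    """Delimit an identifier the T-SQL way: wrap in [ ] and double any ']'."""
    return "[" + name.replace("]", "]]") + "]"


def run_lookup(column, value, quote):
    """Query a constructed table by `column`, with or without bracketing.
    Returns the rows, or the engine's error text if the statement fails."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Requests ([NUWorkflow-GUID] TEXT, Status TEXT)")
    conn.execute("INSERT INTO Requests VALUES ('constructed-guid-1', 'Open')")
    col = bracket(column) if quote else column
    # The value is always bound as a parameter; only the identifier is
    # interpolated, and only after delimiting.
    sql = f"SELECT Status FROM Requests WHERE {col} = ?"
    try:
        return conn.execute(sql, (value,)).fetchall()
    except sqlite3.OperationalError as exc:
        return str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    # Unbracketed: parsed as (NUWorkflow) - (GUID), two columns that do not exist.
    print(run_lookup("NUWorkflow-GUID", "constructed-guid-1", quote=False))
    # Bracketed: the hyphen is part of the column name.
    print(run_lookup("NUWorkflow-GUID", "constructed-guid-1", quote=True))
```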

When editing Rename Transformation I am only shown the first one
IdB 5.0.4 RTM. In my Adapters I have both Rename transformations and Join transformations. There is a long list of attribute renames in each. I see the list in the UI but when I try to edit the list I am only shown the first one. I have had to go through the XML to make my changes.

Hi Carol,
I was able to reproduce only in IE8. I have tested a fix, and it will be available in the next release. Please either update to a more modern browser, wait until the next release, or let me know if you'd like me to do up a patch.
Thanks.