Identity Broker Forum
chris21 Import All fails with "Access has been denied"
When the Identity Broker is accessed, all the Connectors are currently Red and the errors in the log are as follows:
Change detection engine import all items failed.
Change detection engine import all items for connector Chris21 POS failed with reason Line type is recognized but not valid Command. Line: GTR:cbr="logon",logonapplication="breoption",user="REDACTED",password="REDACTED",credentialsrequired="Y",error01="BRE029:Unable to access interface. Contact your Security Officer.",error02="BRE103:Access has been denied.",status="fail". Duration: 00:00:01.4218568
Error details:
System.IO.InvalidDataException: Line type is recognized but not valid Command. Line: GTR:cbr="logon",logonapplication="breoption",user="REDACTED",password="REDACTED",credentialsrequired="Y",error01="BRE029:Unable to access interface. Contact your Security Officer.",error02="BRE103:Access has been denied.",status="fail"
at Unify.Product.IdentityBroker.Chris21Agent.CheckLoginResult(IChris21Record loginResultRecord, Action`1 pre)
at Unify.Product.IdentityBroker.Chris21Agent.GetLoginToken(IChris21ConnectorInformation connectorRequest)
at Unify.Product.IdentityBroker.Chris21Agent.List(IEnumerable`1 keyColumnNames, IChris21ConnectorInformation connectorRequest)
at Unify.Product.IdentityBroker.Chris21ConnectorBase.GetAllEntities(IStoredValueCollection storedValueState)
at Unify.Product.IdentityBroker.ConnectorToReadingConnectorBridge.GetAllEntities(IStoredValueCollection storedValueState)
at Unify.Product.IdentityBroker.EventNotifierReadingConnectorDecoratorBase`1.GetAllEntities(IStoredValueCollection storedValues)
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.ImportAllChangeProcess()
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.RunBase()
at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c_DisplayClass29.<Run>b_27()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)
Looks like a permissions issue at this point with the BRE, but we need to know where we should be looking.
Misleading Error Message when doing Full Import on Placeholder with no entities.
When doing a full import on a placeholder connector with no entities, the following error is returned. This should probably be captured, reported and not classed as an error (it's not actually broken, it's just a fact of data).
Timestamp Severity Source Module Message
14/01/2011 9:33:00 AM Warning Change detection engine import all items failed. Change detection engine "Change detection engine import all items for connector Organisation Unit mapping failed with reason An error occurred while evaluating a task on a worker thread. See the inner exception details for information.. Duration: 00:00:01.8906734
Error details:
Unify.Framework.EvaluatorVisitorException: An error occurred while evaluating a task on a worker thread. See the inner exception details for information. ---> System.IndexOutOfRangeException: Index was outside the bounds of the array.
at Unify.Repository.EntityExpressionQueryVisitor`3.CreateMultiValueRangeExpression(IMultiKey`1 multiKey, IEnumerable`1 sourceValueList, IQueryable`1 sourceQueryable)
at Unify.Repository.EntityExpressionQueryVisitor`3.VisitMethodWhereWithMultiValueEnumerableContains(MethodCallExpression expression)
at Unify.Repository.EntityExpressionQueryVisitor`3.VisitMethodCall(MethodCallExpression m)
at Unify.Framework.ExpressionVisitorBase`11.Visit(Expression exp)
at Unify.Framework.LinqContextConversionExpressionVisitorBase`5.ConvertExpression(Expression partitionExpression)
at Unify.Framework.LinqQueryConversionProvider`5.GetOrderedQuery(Expression businessExpression, IQueryable`1 sourceQueryable, TContext sourceContext)
at Unify.Framework.LinqWhereQuery`5.EvaluateQuery(TContext context)
at Unify.Framework.LinqWhereQuery`5.GetEnumerator()
at System.Linq.Enumerable.ToDictionaryTSource,TKey,TElement(IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer)
at System.Linq.Enumerable.ToDictionaryTSource,TKey,TElement(IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector)
at Unify.Repository.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, IQueryable`1 sourceEntities, Guid connectorId, IEnumerable`1 originalEntities)
at Unify.Repository.EntityRepositoryExtensions.ConvertConnectorEntitiesWithRepositoryEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, IQueryable`1 sourceEntities, Guid connectorId)
at Unify.Framework.RepositoryChangeDetectionWorkerBase.PerformChangeDetectionOnConnectorEntityPage(IEnumerable`1 connectorEntities, Int32 index)
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.ThreadsafeItemEvaluator.Evaluate()
— End of inner exception stack trace —
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.CheckForException()
at Unify.Framework.Visitor.ThreadsafeVisitorEvaluator`1.Visit()
at Unify.Framework.Visitor.VisitEvaluateOnThreadPoolT(IEnumerable`1 visitCollection, Action`2 visitor, Int32 maxThreads)
at Unify.Framework.RepositoryChangeDetectionWorkerBase.PerformChangeDetection(IEnumerable`1 connectorEntities)
at Unify.Framework.ChangeDetectionImportAllJob.ImportAllChangeProcess()
at Unify.Framework.ChangeDetectionImportAllJob.RunBase()
at Unify.Framework.JobBase.Run()
at Unify.Framework.MutexJobDecorator.Run()
at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)"
Allow non case sensitive LDAP search comparison capabilities
I'm building a PowerShell based connector that integrates with a system with a few thousand records. Each record has a User Name which must be unique, however not all users are to be imported into FIM. The IdB PowerShell MA has to be provisioned to, so as part of that a unique User Name has to be generated.
This has led me down the route of developing extension code to perform an LDAP lookup on the Identity Broker 5 LDAP interface to check whether a user name is available or not (as I can't compare with the metaverse since the end system isn't fully represented there). I've found that the string attributes exposed by the Identity Broker 5 LDAP interface have an Equality rule of 'caseExactMatch'. I can't guarantee what the case is of data in that end system unless I manipulate it on import to Identity Broker (have my PowerShell MA cast to Upper case for example). As a result, any query against the LDAP interface is going to be complicated by the fact that I can't merely search for objects with (USNAME=Svcfimadmin) since that won't give me a result if the USNAME is 'svcfimadmin'. I would need to use (USNAME=svcfimadmin) to get any result. Instead I'll likely need to do something like get the first character and import all objects with that name, grab all the User Names and manipulate them in code.
That could be avoided if I could set the comparison to be case insensitive. I can't really think of any cases at all where I'd want a comparison to be case sensitive, and indeed on review of the issue it appears that Active Directory and other systems typically have comparisons set as case insensitive (a few attributes are sensitive). Many end systems will ignore the case for attributes like Account Names etc too.
I imagine the case sensitivity could make things more difficult in other situations where someone wants to make use of the LDAP interfaces to perform searches and the like.
I'm not sure how feasible it would be to add a 'case insensitive' string type, or provide a flag that could be set on an attribute basis to determine how searches via the LDAP interface are handled.
Exclusion timings return true at the end of an exclusion period
While the next run information is always correct, the CheckDue function of exclusion timings starts returning true if an exclusion period ends, rather than at the appropriate next run time. This is because the internal timing's NextRun property is not updated when an exclusion period is in effect, and as such will retain a NextRun value in the past, causing it to run on the next CheckDue call outside of the exclusion.
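A minimal model of the behaviour described above, added here as an example; it is not Identity Broker code. The class names, the fixed 6-hour interval and the 05:00-07:00 exclusion window are assumptions chosen to reproduce the stale NextRun and show one way to avoid it.

```python
from datetime import datetime, timedelta

class IntervalTiming:
    """Hypothetical fixed-interval timing; next_run mirrors the NextRun property."""
    def __init__(self, first_run, interval):
        self.next_run = first_run
        self.interval = interval

    def check_due(self, now):
        if now < self.next_run:
            return False
        # Advance past 'now' so each slot is reported due only once.
        while self.next_run <= now:
            self.next_run += self.interval
        return True

class ExclusionTiming:
    """Hypothetical wrapper that suppresses runs inside [start, end)."""
    def __init__(self, inner, start, end, advance_when_excluded):
        self.inner, self.start, self.end = inner, start, end
        self.advance_when_excluded = advance_when_excluded

    def check_due(self, now):
        if self.start <= now < self.end:
            if self.advance_when_excluded:
                # Fix: consume slots that fall inside the exclusion so
                # next_run never lags behind the clock.
                self.inner.check_due(now)
            # Without the fix the inner timing is never consulted here,
            # so its next_run stays in the past until the exclusion ends.
            return False
        return self.inner.check_due(now)

def fired_times(advance_when_excluded):
    """Poll every 30 minutes over one constructed day; return times reported due."""
    day = datetime(2011, 1, 14)
    inner = IntervalTiming(day, timedelta(hours=6))  # slots: 00:00, 06:00, 12:00, 18:00
    timing = ExclusionTiming(inner, day + timedelta(hours=5),
                             day + timedelta(hours=7), advance_when_excluded)
    polls = [day + timedelta(minutes=30 * i) for i in range(48)]
    return [t.strftime("%H:%M") for t in polls if timing.check_due(t)]

if __name__ == "__main__":
    print("stale NextRun:", fired_times(False))
    print("advanced     :", fired_times(True))
```

With the stale NextRun the excluded 06:00 slot fires at 07:00, the first poll after the exclusion ends; with the advance in place the next run is the 12:00 slot.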
Add descriptions for log writers
The definition about "console" is a bit unclear. I had no clue until Tony explained what it is referring to,
"it writes to the console if you're debugging Identity Broker through the console at:
C:\Program Files\UNIFY Solutions\IdentityBroker\Services\Unify.Service.Connect.Debug.exe"
I think it could be a good idea to add some detailed information on the page just to make it clear for everyone.
Cheers,
Sam
Implement SCOM integration capabilities
SCOM integration capability for consumption in EB 3.1 and IdB 4.1
System administrators prefer to observe activity and errors through existing monitoring tools, such as SCOM. The value of Event Broker (and our entire product range) in an Enterprise would be greatly improved by permitting this.
Include a character ValueType
There is currently no character field in Identity Broker. This is currently worked around by storing those values in the StringValue field:
GET: entity.GetValue<StringValue>(...).Value0;
SET: entity.SetValue<StringValue>(character.ToString(...));
However if this won't take much time it might be more descriptive to include a character field type.
Installer should configure web engine settings
The service installer should configure the web engine settings for FIM Event Broker and Identity Broker.
Consider stopping ActionRefresh when the page isn't focused.
Consider stopping ActionRefresh when the page isn't focused as it would reduce network usage.
Prevalidation of log writer display name duplicate
If you create a Custom Log Writer with the same display name as an existing one, it goes back to the Logs page with an error "A log writer already exists with the name "BlahBlahBlah"". You lose any configuration. Could be good to validate first.