Not a bug

Missing object class in IdB 5.1

Matthew Woolnough 2 years ago in UNIFYBroker/Microsoft Identity Manager • updated by anonymous 2 years ago 22

Configuring IdB5.1 for the first time with SharePoint connector and MIM. MIM does not see the object class that the Adapter is presenting, but it does see the container.

IdB for MIM 5.1 RC2 is the version I have installed.


Answer

I forgot that the installer doesn't put the DLL into the right directory. 🤦

The 5.0 version was in and responding to requests.

I'm getting a different error now, but will open a new issue for that one. 


Unify.Service.Connect.exe File Version is 5.1.0.2. 

Unify.Connectors.Microsoft.SharePoint File Version is 5.1.0.0.

Unify.IdentityBroker.FIMAdapter File Version is 5.1.0.0, but as previously mentioned, this is 5.1 RC2.


I can't see how to attach configs here. Please let me know if these are required.



Under review

Can you please confirm that you're configuring a UNIFY MA and not the generic one? We're unable to reproduce (seeing the object classes just fine) using our MA with both single schema and multi-schema mode.

Not sure exactly what you mean by this. I'm creating an ECMA2 MA using the Unify.IdentityBroker.FIMAdapter.dll.


That's all I meant, just that you're not selecting the Generic LDAP MA.

Querying the RootDSE returns just the container.

-----------
***Searching...
ldap_search_s(ld, "(null)", 0, "(objectclass=*)", attrList,  0, &msg)
Getting 1 entries:
Dn: (RootDSE)

-----------


Also... (assuming the schema should be available at cn=schema), a schema query is also returning just the container.


***Searching...
ldap_search_s(ld, "cn=schema", 0, "(objectclass=*)", attrList,  0, &msg)
Matched DNs: CN=schema
Getting 1 entries:
Dn: cn=schema

Your configuration appears fine and works for me.

The queries are (as per LDAP specification):

Find OUs:

DC=IdentityBroker
(ObjectClass=*)
One Level
*

Query schema (as you're using multiple schemas, not the single schema mode):

CN=smellyfeet,cn=schema
(ObjectClass=SubSchema)
Base
ObjectClasses;AttributeTypes

Result:

-----------
***Searching...
ldap_search_s(ld, "DC=IdentityBroker", 1, "(ObjectClass=*)", attrList,  0, &msg)
Matched DNs: DC=IdentityBroker
Getting 1 entries:
Dn: OU=smellyfeet,DC=IdentityBroker
objectClass (2): top; container; 
OU: smellyfeet; 
subschemaSubentry: CN=smellyfeet,cn=schema; 
-----------
***Searching...
ldap_search_s(ld, "CN=smellyfeet,cn=schema", 0, "(ObjectClass=SubSchema)", attrList,  0, &msg)
Matched DNs: CN=smellyfeet,CN=schema
Getting 1 entries:
Dn: cn=smellyfeet,cn=schema
attributeTypes (36): ( 2.5.18.10 NAME 'subschemaSubentry' DESC 'The name of the subschema (sub)entry.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION ); ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl' DESC 'Lists object identifiers identifying the request controls the server supports.' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 SINGLE-VALUE NO-USER-MODIFICATION ); ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion' DESC 'The supportedLDAPVersion attribute lists the versions of LDAP that the server supports.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 NO-USER-MODIFICATION ); ( 1.2.36.109584947.1.1.1.1 NAME 'vendorName' DESC 'Vendor version of the LDAP server.' EQUALITY caseExactMatch ORDERING caseExactOrderingMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION ); ( 1.2.36.109584947.1.1.1.2 NAME 'vendorVersion' DESC 'Vendor version of the LDAP server.' EQUALITY caseExactMatch ORDERING caseExactOrderingMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION ); ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts' DESC 'The namingContexts attribute lists the context prefixes of the naming contexts the server masters or shadows.' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION ); ( 2.5.18.1 NAME 'createTimestamp' DESC 'The time the entry was added.' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION ); ( 2.5.4.0 NAME 'objectClass' DESC 'Specifies the object classes of an entry.' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 NO-USER-MODIFICATION ); ( 1.3.6.1.1.16.4 NAME 'entryUUID' DESC 'UUID of the entry.' EQUALITY uuidMatch ORDERING uuidOrderingMatch SYNTAX 1.3.6.1.1.16.1 SINGLE-VALUE NO-USER-MODIFICATION ); ( 1.2...
objectClasses (4): ( 2.5.6.0 NAME 'top' DESC 'Object class which all other structural object classes must inherit from.' ABSTRACT MUST objectClass MAY ( createTimestamp $ entryUUID ) ); ( 2.5.20.1 NAME 'subschema' DESC 'Subschema (sub)entries are used for administering information about the directory schema.' SUP top STRUCTURAL MUST ( vendorName $ vendorVersion ) ); ( 1.2.36.109584947.1.1.2.5 NAME 'container' DESC 'Object class which all other structural object classes must inherit from.' SUP top STRUCTURAL ); ( 1.2.36.109584947.1.1.2.104461012335965435127738143049937965423 NAME 'oranges' DESC '' SUP top STRUCTURAL MAY ( UserProfileGUID $ SID $ ADGuid $ AccountName $ FirstName $ LastName $ PreferredName $ WorkPhone $ Department $ Title $ SPS-JobTitle $ Manager $ WorkEmail $ CellPhone $ Office $ SPS-Location $ RoleLevel $ CostCentre $ Company $ DaysAtOffice $ StaffType $ usrDivision $ Team $ GroupOrg $ Branch $ Floor $ RoleDescriptionUrl ) ); 
-----------
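One way to check what the subschema query above actually hands back, as an added example (not UNIFY's code or anything posted in this thread): a small parser for the RFC 4512 objectClasses value that lists the structural classes an MA should be able to present. The sample value is constructed, shortened from the objectClasses output quoted in this reply; the helper names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, shortened from the objectClasses value shown in the thread.
SAMPLE = (
    "( 2.5.6.0 NAME 'top' DESC 'Object class which all other structural object "
    "classes must inherit from.' ABSTRACT MUST objectClass "
    "MAY ( createTimestamp $ entryUUID ) ); "
    "( 2.5.20.1 NAME 'subschema' DESC 'Subschema (sub)entries are used for "
    "administering information about the directory schema.' SUP top STRUCTURAL "
    "MUST ( vendorName $ vendorVersion ) ); "
    "( 1.2.36.109584947.1.1.2.5 NAME 'container' DESC '' SUP top STRUCTURAL ); "
    "( 1.2.36.109584947.1.1.2.104461012335965435127738143049937965423 NAME 'oranges' "
    "DESC '' SUP top STRUCTURAL MAY ( UserProfileGUID $ SID $ AccountName $ "
    "SPS-JobTitle $ Manager $ WorkEmail ) ); "
)

@dataclass
class ObjectClass:
    oid: str
    name: str
    kind: str                      # ABSTRACT, STRUCTURAL or AUXILIARY
    sup: Optional[str] = None
    must: List[str] = field(default_factory=list)
    may: List[str] = field(default_factory=list)

def split_definitions(value):
    """Split a multi-valued schema attribute into its "( ... )" definitions.
    Parentheses inside quoted DESC strings (e.g. "(sub)entries") are ignored."""
    defs, depth, start, quoted = [], 0, None, False
    for i, ch in enumerate(value):
        if ch == "'":
            quoted = not quoted
        elif quoted:
            continue
        elif ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                defs.append(value[start:i + 1])
    return defs

def _attr_list(body, keyword):
    # MUST/MAY takes either a single descriptor or a "( a $ b $ c )" list
    m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|(\S+))", body)
    if not m:
        return []
    return [a.strip() for a in m.group(1).split("$")] if m.group(1) else [m.group(2)]

def parse_object_class(definition):
    body = definition.strip()[1:-1]
    body = re.sub(r"DESC\s+'[^']*'", "", body)   # drop free text before keyword matching
    oid = body.split()[0]
    name = re.search(r"NAME\s+'([^']*)'", body)
    sup = re.search(r"\bSUP\s+(\S+)", body)
    kind = next((k for k in ("ABSTRACT", "STRUCTURAL", "AUXILIARY")
                 if re.search(rf"\b{k}\b", body)), "STRUCTURAL")
    return ObjectClass(oid, name.group(1) if name else oid, kind,
                       sup.group(1) if sup else None,
                       _attr_list(body, "MUST"), _attr_list(body, "MAY"))

def parse_object_classes(value):
    return [parse_object_class(d) for d in split_definitions(value)]

def exposed_object_classes(value):
    """Structural classes an MA should present, beyond the directory's own
    container and subschema classes (the symptom in this thread is an empty list)."""
    return [c.name for c in parse_object_classes(value)
            if c.kind == "STRUCTURAL" and c.name not in ("container", "subschema")]
```

Feed it the objectClasses value from your own subschema query; an empty result from exposed_object_classes means the schema entry the MA was pointed at carries no connector classes.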

Are you testing against the latest hotfix of MIM? That's the only thing I can think of that might be differentiating the environments.

Not on the latest.

Before getting into that I'd like to double check that the right LDAP information is being exchanged. Please trace the LDAP traffic (e.g. RawCap) whilst navigating through the configuration screens so that I can see whether the right queries are being run.

Thanks.

Used netsh to capture trace so I didn't have to install anything.

Used Microsoft Network Monitor to view the file contents. Detail here if you don't know how to do this. 

Captured the following:

  • Unsuccessful refresh schema to IdB (service stopped)
  • Refresh schema to IdB
  • Update partitions in MIM MA



nettrace-boot.cab

Which service stopped, MIM or IdB? Is there anything in the event log?

I installed Richard's Contacts connector and it had a bug which meant that IdB wouldn't start. I tried to refresh the schema when IdB had stopped.

I haven't looked. 

It appears as though the capture only got traffic on the physical adapter & not localhost.

Will try to capture traffic again.

RawCap can do that and only requires an exe be dropped on the machine (no installation).

They're a bit strict on security there. I'd rather not have to ask permission. I configured IdB to listen on 0.0.0.0 and tried again. Results attached. It appears that you need Microsoft Message Analyser to view the .ETL file now.


ldap.cab

Not there. Need to reconfigure the MA Host.

I'm interpreting this as IdB telling FIM to look at cn=schema for its schema, not CN=smellyfeet,cn=schema, but I could be wrong.


Wireshark capture of previous screenshot wiresharkCap.pcapng

It traces like it's the v5.0 MA, not the v5.1, strangely. Could you please check the properties on the MA dll to make sure it's v5.1? If it is, please attach it here.

Thanks.
