Not a bug

AD Link shows outgoing sync successful but entities weren't provisioned

Huu Tran 2 years ago in UNIFYBroker/Plus • updated by Adam van Vliet (Chief Information Security Officer) 1 year ago 21

No error in Log either:

20180121,13:01:26,UNIFY Identity Broker,SyncEngine,Information,"Request to sync locker to adapter completed.
Synchronization job completed syncing 116 changes on the 'AD Link' link from the locker to adapter. Delayed: 0 Incomplete: 0 Denied: 0 Job ID: c5198353-498f-49ab-ad39-3f3ad154b57c Duration: 00:00:10.9188371",Normal
20180121,13:01:26,UNIFY Identity Broker,SyncEngine,Information,"Request to sync adapter to locker started.
Synchronization job started syncing 21057 changes on the 'AD Link' link from the adapter to locker. Job ID: 8ab397a7-93fc-484d-b25f-0f1faaa6e883",Normal
20180121,13:01:32,UNIFY Identity Broker,Change detection engine,Information,"Change detection engine unscheduled started.
Change detection engine unscheduled for connector AD Users started.",Normal

Link shows outgoing sync all good:

AD User Connector shows no entity is saved. AD User Adapter shows no entity is added. Test Mode is disabled.
Affected Versions:
Fixed by Version:
Under review

Hi Huu,

Are there any errors in the log for the Active Directory connector?

Hi Huu,

I'll look into the incorrect error reporting separately to this, and just focus here on why the entities are not being provisioned.

I note from your logs that there is a syntax error in one of your PowerShell provisioning tasks - please take a look at your scripts, fix up any errors and try synchronizing again. Also, take a look at Testing in Identity Broker Plus for some tips on testing and development - it might be easiest to test your provisioning tasks with CSV connectors, so that you have more control over the volume of entities and their entity values.

Hi Curtis, I already fixed the script and ran the sync. You can see the outgoing sync successful in the log after the error. I know about the dry run but it is too much work to copy the connector and CSV export. I tested by reducing the number of sync record to about 160 as you see in the log.

AD User Link says there is no outgoing changes, how can I trigger the provisioning again?

The configuration you attached still has a stray closing parenthesis on line 185, in the outgoing sync task.

You can trigger synchronization for an entity again by either making a change to the entity in the source system, or to all entities by triggering a baseline synchronization job.

Right. I fixed it for the pre-provisioning task but not for the synchronisation task. I ran the baseline again and now there are errors writing into AD.

You are right. There is an error reporting issue which confused me yesterday.

The problem now is it looks like one of the fields should not be there. The only field I added manually is unicodePwd. I added that to set the password initially. Can you please confirm you support that? Otherwise, please let me know how to set the password for AD users.


UnifyLog20180122.csv


Hi Huu,

The latest error in your log appears to be due to not setting the objectClass attribute for your Active Directory users. Can you try adding objectClass (multi-valued string) to the Active Directory connector (and most likely a rename transformation in the adapter) and ensuring that a value is set during provisioning, e.g.

$joinedEntity.TargetEntity['ADUserAdapterObjectClass'] = 'top','person','organizationalPerson','user'

Thanks Curtis. It looks like adding "objectClass" into the schema and setting its value during provisioning per your suggestion fixed that error. But there is a new error: NoSuchAttribute. Is it the attribute "unicodePwd" causing that?


20180122,01:23:58,UNIFY Identity Broker,EntitySaver,Error,"The entity 609314 (f7604974-54be-4d11-ba67-0ac5fa6be011) for the adapter AD User Adapter (9f73e5e5-30df-4142-b850-db3e31f0a931) failed to add for the following reasons: Received error code NoSuchAttribute for item with dn CN=Christine Chen,OU=Users,OU=SouthernHealth,DC=test,DC=southernhealth,DC=org,DC=au. Message: 00000057: LdapErr: DSID-0C090C84, comment: Error in attribute conversion operation, data 0, v1772",Normal


BTW, can you please also look at the delete operation error (deprovisioning):

Adapter deleted entities 74 from adapter space 9f73e5e5-30df-4142-b850-db3e31f0a931. Duration: 00:00:00.1278778",Normal
20180122,01:23:59,UNIFY Identity Broker,EntitySaver,Error,"The entity 36ff7217-f143-4e0f-a216-0012ae3f5b9c for the adapter AD User Adapter (9f73e5e5-30df-4142-b850-db3e31f0a931) failed to delete for the following reasons: Method not found: 'System.Threading.Tasks.Task Unify.Connectors.AD.IADAgent.DeleteEntriesAsync(System.Collections.Generic.IEnumerable`1<System.String>, System.Action`2<System.String,System.Exception>, System.Action, System.Action)'.",Normal
20180122,01:23:59,UNIFY Identity Broker,EntitySaver,Error,"The entity 159140ca-e774-4c29-a88f-013d990ad344 for the adapter AD User Adapter (9f73e5e5-30df-4142-b850-db3e31f0a931) failed to delete for the following reasons: Method not found: 'System.Threading.Tasks.Task Unify.Connectors.AD.IADAgent.DeleteEntriesAsync(System.Collections.Generic.IEnumerable`1<System.String>, System.Action`2<System.String,System.Exception>, System.Action, System.Action)'.",Normal




UnifyLog20180122 (1).csv

Hi Huu,

This is an Active Directory error, so I can't say for certain. Could you try disabling the code that sets the unicodePwd field (and make sure that you set the ACCOUNTDISABLE flag (514) on uAC), and see if the error goes away?

I'll take a look at the deprovisioning error. Would you be able to attach your installed copy of Unify.Connectors.AD.Agent.dll?

Hi Curtis, will do, but I believe uAC must be set to 544 (active but no password required).
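The two userAccountControl values discussed above differ in one bit: 514 is NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2), while 544 is NORMAL_ACCOUNT plus PASSWD_NOTREQD (32), which lets the account exist enabled with no password set. The following Python helper, added here as an illustration and not part of the thread or of UNIFYBroker, decodes a uAC integer into its documented flag names, composes one from flag names, and lists the flags that weaken authentication so a provisioning task's choice can be reviewed before it reaches the directory; the WEAKENING_FLAGS selection is this example's own judgement.

```python
"""Decode, compose and review Active Directory userAccountControl values (added example)."""

# Documented userAccountControl flag bits (subset relevant to provisioning reviews).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
}

# Flags that loosen authentication for the account; which ones to flag is this
# example's own choice, not a product setting.
WEAKENING_FLAGS = {
    "PASSWD_NOTREQD",
    "DONT_REQ_PREAUTH",
    "TRUSTED_FOR_DELEGATION",
    "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value):
    """Return the set of flag names whose bit is set in the integer value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def compose_uac(*names):
    """Build a userAccountControl integer from flag names; unknown names raise KeyError."""
    value = 0
    for name in names:
        value |= UAC_FLAGS[name]
    return value


def review_uac(value):
    """Summarise what a value provisions: enabled or not, and any weakening flags present."""
    flags = decode_uac(value)
    return {
        "value": value,
        "flags": sorted(flags),
        "enabled": "ACCOUNTDISABLE" not in flags,
        "weakening": sorted(flags & WEAKENING_FLAGS),
    }


if __name__ == "__main__":
    # The two values from the thread: create disabled (514) versus enabled without a password (544).
    for candidate in (514, 544):
        print(candidate, review_uac(candidate))
```

Running the block shows 514 as a disabled normal account with no weakening flags and 544 as an enabled normal account flagged for PASSWD_NOTREQD; creating the object disabled and enabling it only once a password has been set avoids the window in which the enabled account accepts an empty password.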



I removed 2 manually added fields: unicodePwd and accountExpires, but still the same error:

20180122,01:23:58,UNIFY Identity Broker,EntitySaver,Error,"The entity 609314 (f7604974-54be-4d11-ba67-0ac5fa6be011) for the adapter AD User Adapter (9f73e5e5-30df-4142-b850-db3e31f0a931) failed to add for the following reasons: Received error code NoSuchAttribute for item with dn CN=Christine Chen,OU=Users,OU=SouthernHealth,DC=test,DC=southernhealth,DC=org,DC=au. Message: 00000057: LdapErr: DSID-0C090C84, comment: Error in attribute conversion operation, data 0, v1772",Normal


How can I extract the LDIF command to test it manually?

There isn't an easy way to extract the raw LDIF, but you could try using a network trace (e.g. Wireshark) to capture the request and rebuild it manually.

I don't think I am allowed to install any network sniffer on the client's servers.

However, I reviewed the data changes and I think the errors relate to deleting (deprovisioning) rather than adding. It seems all the new records are now in AD. The errors are associated with the records that need to be deleted.

Thanks Huu. The issue is that I created the patches for How to filter sub-OUs in AD connector on top of an unreleased patch version. I'll create a release for that version which you should be able to apply the patches on top of to resolve this. In the meantime if you need to test deprovisioning, you can try using the following: Active Directory.zip

Also, there are 21057 incoming incomplete changes. I just wonder how I can find the cause of that? There is no other message in the log:


20180122,01:19:33,UNIFY Identity Broker,Link,Information,"Request to manually queue a baseline synchronization job on link started.
Request to manually queue a baseline synchronization job on link AD Link started.",Normal
20180122,01:23:02,UNIFY Identity Broker,Link,Information,"Request to manually queue a baseline synchronization job on link completed.
Request to manually queue a baseline synchronization job on link 'AD Link' completed. Duration: 00:03:28.5661834",Normal
20180122,01:23:06,UNIFY Identity Broker,SyncEngine,Information,"Request to sync adapter to locker started.
Synchronization job started syncing 21247 changes on the 'AD Link' link from the adapter to locker. Job ID: 9663eff1-dd28-44b9-a6c8-8e5c260293bd",Normal
20180122,01:23:32,UNIFY Identity Broker,SyncEngine,Information,"Request to sync adapter to locker completed.
Synchronization job completed syncing 21247 changes on the 'AD Link' link from the adapter to locker. Delayed: 0 Incomplete: 21057 Denied: 0 Job ID: 9663eff1-dd28-44b9-a6c8-8e5c260293bd Duration: 00:00:25.7805490",Normal


Hi Huu,

Is it possible that these 21057 accounts don't have their sAMAccountName field set? I note that this is the configured join field.

They do have sAMAccountName set. Just the majority won't be joined with any locker record. Is there any way we can see the message (to find out the cause) for incomplete changes?

Schema violations are logged under Normal logging using this template:

The entity {entity key} ({entity id}) for the link {link name} ({link id}) failed validation {violation count} times for the following reasons: {list of violations}

Missing join values are logged under Verbose (as it logs all the entity id's) using this template:

The following entities {entity count} for the link {link name} ({link id}) are missing the field used for the join criteria: {entity id's}
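To make those two templates and the "Incomplete: N" counter usable in bulk, here is a small Python triage script, added as an example and not part of the thread or of UNIFYBroker. It parses the CSV log layout visible in the posts above (date, time, product, component, level, quoted multi-line message, detail level), pulls the Delayed/Incomplete/Denied counts per job ID, and collects schema-violation and missing-join entries using the two message templates. The sample log is constructed: the first entry is the sync completion line from the thread, the other two follow the templates with a placeholder link id, an assumed component/level, and entity ids reused from the thread.

```python
"""Triage a UNIFY Identity Broker CSV log export for incomplete sync changes (added example)."""
import csv
import io
import re

# Column layout as seen in the log lines quoted in this thread.
FIELDS = ("date", "time", "product", "component", "level", "message", "detail")

SYNC_RESULT = re.compile(
    r"Delayed: (?P<delayed>\d+) Incomplete: (?P<incomplete>\d+) Denied: (?P<denied>\d+) "
    r"Job ID: (?P<job>[0-9a-f-]+)"
)
# Template: The entity {key} ({id}) for the link {name} ({link id}) failed validation {n} times
# for the following reasons: {list}
SCHEMA_VIOLATION = re.compile(
    r"The entity (?P<key>\S+) \((?P<id>[^)]+)\) for the link (?P<link>.+?) \((?P<link_id>[^)]+)\) "
    r"failed validation (?P<count>\d+) times for the following reasons: (?P<reasons>.*)",
    re.S,
)
# Template: The following entities {n} for the link {name} ({link id}) are missing the field
# used for the join criteria: {ids}
MISSING_JOIN = re.compile(
    r"The following entities (?P<count>\d+) for the link (?P<link>.+?) \((?P<link_id>[^)]+)\) "
    r"are missing the field used for the join criteria: (?P<ids>.*)",
    re.S,
)

# Constructed sample: line 1 is the job completion entry quoted in the thread; lines 2 and 3
# are built from the templates with a placeholder link id and an assumed component/level.
SAMPLE_LOG = '''20180122,01:23:32,UNIFY Identity Broker,SyncEngine,Information,"Request to sync adapter to locker completed.
Synchronization job completed syncing 21247 changes on the 'AD Link' link from the adapter to locker. Delayed: 0 Incomplete: 21057 Denied: 0 Job ID: 9663eff1-dd28-44b9-a6c8-8e5c260293bd Duration: 00:00:25.7805490",Normal
20180122,01:23:33,UNIFY Identity Broker,Link,Information,"The entity 609314 (f7604974-54be-4d11-ba67-0ac5fa6be011) for the link AD Link (LINK-ID-PLACEHOLDER) failed validation 1 times for the following reasons: sAMAccountName is required (constructed reason)",Normal
20180122,01:23:33,UNIFY Identity Broker,Link,Information,"The following entities 2 for the link AD Link (LINK-ID-PLACEHOLDER) are missing the field used for the join criteria: 36ff7217-f143-4e0f-a216-0012ae3f5b9c, 159140ca-e774-4c29-a88f-013d990ad344",Verbose
'''


def parse_log(text):
    """Parse the export; the csv module handles newlines inside the quoted message column."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # blank or truncated line
        records.append(dict(zip(FIELDS, row)))
    return records


def triage(records):
    """Return per-job counters plus the explanatory entries for incomplete changes."""
    summary = {"jobs": {}, "schema_violations": [], "missing_join": []}
    for rec in records:
        msg = rec["message"]
        m = SYNC_RESULT.search(msg)
        if m:
            summary["jobs"][m["job"]] = {k: int(m[k]) for k in ("delayed", "incomplete", "denied")}
            continue
        m = SCHEMA_VIOLATION.search(msg)
        if m:
            summary["schema_violations"].append({
                "key": m["key"], "id": m["id"], "link": m["link"],
                "count": int(m["count"]), "reasons": m["reasons"].strip(),
            })
            continue
        m = MISSING_JOIN.search(msg)
        if m:
            summary["missing_join"].append({
                "link": m["link"], "count": int(m["count"]),
                "ids": [i.strip() for i in m["ids"].split(",") if i.strip()],
            })
    return summary


def jobs_with_incomplete(summary):
    """Job IDs whose completion entry reported a non-zero Incomplete count."""
    return sorted(job for job, c in summary["jobs"].items() if c["incomplete"] > 0)


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    print("jobs with incomplete changes:", jobs_with_incomplete(result))
    print("schema violations:", result["schema_violations"])
    print("missing join values:", result["missing_join"])
```

Because the missing-join template is only written at Verbose level, run the export with Verbose logging enabled for the link before expecting the second list to be populated; at Normal level only the schema-violation entries will appear alongside the job counters.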