Changing container fails with "need-full-object" on delta-import.

Tony Sheehy 12 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 9 years ago 4

Changing container fails with "need-full-object" on delta-import.

The following actions were taken to hit this issue:

  • Connector with field decimal (not key, not required, not readonly)
  • Change the value
  • Delta import on an adapter with a format of CN=schemaKey,CN=decimal

The following LDIF is generated:

version: 1
dn: CN=c0fd28b9-5a8f-45ca-b3b9-69a60aa69c2b
changetype: moddn
newrdn: CN=c0fd28b9-5a8f-45ca-b3b9-69a60aa69c2b
deleteoldrdn: 1

dn: CN=c0fd28b9-5a8f-45ca-b3b9-69a60aa69c2b,CN=2
changetype: modify
replace: decimal
decimal: 2

dn: CN=2
changetype: add
objectClass: container

Failing the delta import with "need-full-object".

This will be because the moddn statement in this case should be using the "newsuperior" directive rather than "newrdn" - see http://www.zytrax.com/books/ldap/ch8/#newsuperior.

However, this scenario yields potential issues with FIM's handling of reference values, where new containers cause the connector space to reevaluate itself. If 1000+ entities had their superior change on an import, this could potentially result on a delta import that causes a large number of referential updates in the connector space. This would need to be tested of course.

I added a unit test to the LDIF component for moddn and confirmed that it does correctly handle superior changes. The issue here instead was related to IDB-578 and reflection of the adapter context. The DN configuration would have been changed to include a parent after entities were already present in the adapter context, and an import run to FIM to pull the new DNs in. However, the adapter context DN is not updated until the entity is changed because DNs are not in the difference report.

I have done the following:

  • Exposed "Clear Adapter" functionality for a quicker turnaround when this occurs
  • Added warning messages for clearing connectors and adapters
  • Updated the DN message when entities are present in the context to suggest that clearing the context needs to occur
  • Updated IDB40:Distinguished name generators with this information

Final step involves adding the clear adapter functionality to the index page.

Added clear adapter functions to the adapter index.

Tony, I think this issue has been suitably addressed until IDB-578 is introduced. Can you please confirm?

Confirmed or migrated to VSO.