ILM 2007 AD MA not synching
- Here is my setup:
This is ILM 2007 Enterprise Edition
Version 3.3.118.0
I am not sure what type of license was used but I believe it was part of a volume licensing agreement.
The SQL Server is on the same box and is 2005
Here is the version/build info:
Microsoft SQL Server Management Studio 9.00.4035.00
Microsoft Analysis Services Client Tools 2005.090.4035.00
Microsoft Data Access Components (MDAC) 2000.086.3959.00 (srv03_sp2_rtm.070216-1710)
Microsoft MSXML 2.6 3.0 4.0 6.0
Microsoft Internet Explorer 7.0.5730.13
Microsoft .NET Framework 2.0.50727.3082
Operating System 5.2.3790
ILM is connected to AD 2003 Schema and OpenLDAP.
We have configured MA for AD and OpenLdap.
Here is my goal.
To sync password changes in AD to OpenLDAP.
When a user does a Ctrl-Alt-Del to change their pw we want it to be synced to OpenLDAP.
I am having a problem getting the sync to work with my AD MA. The import works but not the sync.
Originally we had this working but could not get the Openldap piece to work. Now we have the Ldap piece working but MY AD MA sync fails. During our troubleshooting of the original issue it appears that something was changed and I cannot figure out what.
When I try running a Full Import and Full Sync on the AD MA I get the following error:
The management agent "NewAdMA" failed on run profile "Full Sync" because the extension "OpenLDAPXMA.dll" does not contain a class implementing the required (IMVSynchronization or IMASynchronization) interface in the assembly.
I am not using the OpenLdapXMA for the AD MA. I am using it for the OpenLDAP MA.
Do I need to use an extension on the AD MA?
Keeping in mind that we are only looking to sync passwords could anyone list what I should be configuring on the AD MA for:
Attributes
Connector Filter
Join and Projection Rules
Attribute Flow
Deprovisioning
Extensions
Also, do I need to use an OpenLdapPasswordExtension.dll?
I have seen this mentioned in several articles one of which shows it being installed with the OpenldapXMA but I cannot find it on my system.
The other pieces seem to work as far as sending the PCNS notifications to ILM but obviously we error out at that point because it is not syncing.
Any help would be greatly appreciated.
Answers
- Syncing your AD MA would cause provisioning into your OpenLDAP MA to run and subsequently EAF towards your OpenLDAP CS to happen. However, as far as I remember the OpenLDAPXMA.dll defines the library needed to define your ECMA as seen on the "configure connector information" page in the MA Designer (i.e. the implementation of the API used to talk to OpenLDAP). This assembly is normally only used during import/export and if I remember right for setting passwords. During Sync it would not be needed. Please verify that you didn't specify this assembly on the "configure extensions" page in the MA Designer.
Paul Loonen (Avanade)
Marked As Answer by Ahmad Abdel-wahed MSFT, Moderator, Tuesday, November 03, 2009 6:24 PM
- Flybo,
The password sync will only work if ILM can match an AD user (via the MV) to a target system user.
So you need to make sure a user is properly joined/projected in the MV and/or joined/provisioned to your target system.
Then ILM can forward the new password to the target user in OpenLDAP.
Secondly, if provisioning is enabled, then ILM executes the provisioning code during sync.
So if you sync your AD, probably the provision code for your OpenLDAP MA is run.
You should clearly see this if you debug your code.
Compile your code in debug mode and debug your code with full details, the error should show exactly what is going wrong.
Set break points, and run through your code, step by step...
Are you using provisioning?
Have you configured the proper dll for your provisioning (MV Extension dll)?
Have you configured the proper dll in your AD and OpenLDAP MA (MA extension dll)?
Kind regards,
Peter
Peter Geelen - Sr. Consultant IDA (http://www.traxion.com)
Marked As Answer by Ahmad Abdel-wahed MSFT, Moderator, Tuesday, November 03, 2009 6:24 PM
All Replies
- Paul and Peter have provided excellent suggestions. In general, you need to be clear when talking about extensions and explain if the assembly is used for IMASynchronization, IMVSynchronization, IMAExtensible* or IMAPasswordManagement.
In your scenario, when you run the AD sync, it can require assemblies that implement IMVSynchronization as well as IMASynchronization for both the AD and OpenLDAP MAs. If there is no assembly found which matches the OpenLDAP MA's configuration for assemblies that implement IMASynchronization (export attribute flow rules, for example), then you will see the error you are getting. Please verify that all assemblies configured in the MA properties and for provisioning are named correctly and in the \Extensions folder.
AhmadAW
- Peter,
Thank you for your response.
I was able to get the ADMA working again and pull the objects into ILM. I also have the OpenLdapMA working so it is connecting and putting objects in ILM. I am not sure what you mean by provisioning. How do I get the users properly joined/projected in the MV and/or joined/provisioned to your target system?
The Join/Projection Rules are where I am really lost. Is there a document out there that clearly defines what I should be configuring on these pages? Do I need anything other than the default selections on the Object types? Under attributes Keep in mind we are only going to use this to Sync passwords from AD to Openldap.
I have no experience debugging code.
Also, I seem to be missing the OpenLdapPasswordExtension.dll that is referenced in the MIIS/ILM OpenLdap Management Agent Installation Guide. According to the document it should be installed in the MIIS_DIR\Extensions directory but it is not there. This shows as the extension to be used under the OpenLdapMA Extensions page.
Thanks.
- Ahmad,
I have fixed the ADMA and I am able to run it. I think I can break this down into 2 problem areas. 1 is that I am not sure what objects/attributes I need and how to match them to allow just a password sync from Ad to OpenLdap. 2 is that I seem to be missing the OpenLdapPasswordExtension.dll. I have installed the OpenLdap XMA twice and when I look in the MIIS\Extensions folder I have no dll by this name.
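
The check suggested in the replies above (confirm which extension interface each assembly in the \Extensions folder actually implements, so that a DLL is not configured in the wrong place) can be done with .NET reflection. This is an added PowerShell example, not part of the original thread or of ILM; the `-ExtensionsPath` parameter and the function name `Get-ExtensionInterfaces` are assumptions of the example, and the interface names are the ones listed in the reply.

```powershell
param(
    # Path to the ILM \Extensions folder (supplied by the caller; no default is assumed).
    [Parameter(Mandatory = $true)]
    [string]$ExtensionsPath
)

# Interface name patterns taken from the reply in the thread.
$patterns = 'IMASynchronization', 'IMVSynchronization',
            'IMAPasswordManagement', 'IMAExtensible*'

function Get-ExtensionInterfaces {
    param([string]$DllPath)

    $assembly = [System.Reflection.Assembly]::LoadFrom($DllPath)
    try {
        $types = $assembly.GetTypes()
    } catch {
        # A dependency could not be resolved: keep the types that did load.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Reflection.ReflectionTypeLoadException]) {
            $ex = $ex.InnerException
        }
        if (-not $ex) { throw }
        $types = $ex.Types | Where-Object { $_ }
    }

    foreach ($type in $types) {
        if (-not $type.IsClass -or $type.IsAbstract) { continue }
        foreach ($iface in $type.GetInterfaces()) {
            foreach ($p in $patterns) {
                if ($iface.Name -like $p) {
                    New-Object PSObject -Property @{
                        Assembly  = [System.IO.Path]::GetFileName($DllPath)
                        Class     = $type.FullName
                        Interface = $iface.Name
                    }
                }
            }
        }
    }
}

Get-ChildItem -Path $ExtensionsPath -Filter *.dll | ForEach-Object {
    $dll = $_
    try {
        $found = @(Get-ExtensionInterfaces -DllPath $dll.FullName)
        if ($found.Count -eq 0) { Write-Warning "$($dll.Name): no class implements an extension interface" }
        $found
    } catch { Write-Warning "$($dll.Name): could not be inspected: $($_.Exception.Message)" }
} | Format-Table Assembly, Class, Interface -AutoSize
```

Run it in a separate PowerShell session, because assemblies loaded with `LoadFrom` stay locked until that session exits. Any DLL named on an MA's "configure extensions" page should appear in the output with `IMASynchronization`; one that appears only with `IMAExtensible*` or `IMAPasswordManagement` will produce the error quoted in the question.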

