 

ILM not deleting connector space objects when metaverse entries are removed.

  • Friday, August 21, 2009 4:38 AM, kurps
     
    Hello,

     I have 2 AD MAs pulling in user objects from 2 domains and provisioning Contacts into a 3rd Domain.  All provisioning and changes are flowing correctly, except for when one of the user objects is deleted.  In my provisioning code I have the logic to deprovision the objects 'mventry.ConnectedMAs("MA3").Connectors.DeprovisionAll()', and I see the metaverse entries removed after running a full sync on the contributing ADMA.

    I then try to run an export on my MA3 and it does not flow the deletion.  In my MA setup, I have set the deprovisioning to "Stage a delete on the object for the next export run".

    Searching the MV for deleted objects shows that the object is no longer in the MV.
    Searching the MA3 connector space shows the object as a connector.

    I'm at a loss for what I am missing, and looking to you experts for assistance.

    I am new to ILM, but have learned A TON from this forum, this is a fantastic resource!

All Replies

  • Friday, August 21, 2009 6:03 AM, Paul Loonen (MVP)
     Answer
    What do you see on the properties of your CS object? You should be able to see to what it is connected (lineage button). From there you can see if this is correct (if it should be indeed connected to that MV object - if it is incorrect, you can start by examining your join rules). Maybe you're somehow looking at the wrong object?
    Paul Loonen (Avanade)
  • Friday, August 21, 2009 1:52 PM, kurps
     
    Paul,

    The object in question has an object state of connector, and the connection operation is listed as provisioning-rules. 

    When I check the metaverse object properties there are no attributes listed, but on the connectors tab it shows the object in my 3rd data source (where I am expecting it to be deleted from).

    When I attempt to do a metaverse search for the object, it is not found, I assume this is because no attributes are listed in the Metaverse object properties.

    I also go into the metaverse object properties and manually disconnect the object with disconnector (default) and then run my syncs and exports and the object still does not delete in the directory.





  • Friday, August 21, 2009 7:55 PM, Paul Loonen (MVP)
     
    Could you please post the relevant section of your MVExtension (the bit where you do the provisioning and deprovisioning of objects of that particular CS)? I suspect that for one reason or the other you are provisioning a new connector after the old one is deprovisioned.
    Paul Loonen (Avanade)
  • Monday, August 24, 2009 1:23 PM, kurps
     
    Paul,

    Here is the relevant bit:

      ADMA = mventry.ConnectedMAs("ADManagementAgent")
      numConnectors = ADMA.Connectors.Count

      If (mventry("uniquecn").IsPresent) Then
          container = "OU=gal,dc=domain,dc=com"
          rdn = "CN=" & mventry("uniquecn").Value
          dn = ADMA.EscapeDNComponent(rdn).Concat(container)
      Else
          mventry.ConnectedMAs("ADManagementAgent").Connectors.DeprovisionAll()
      End If

      If 0 = numConnectors Then
          csentry = ADMA.Connectors.StartNewConnector("contact")
          csentry.DN = dn
          csentry.CommitNewConnector()

      ElseIf 1 = numConnectors Then
          myConnector = ADMA.Connectors.ByIndex(0)
          myConnector.DN = dn

      Else
          Throw New UnexpectedDataException("multiple connectors:" + numConnectors.ToString)
      End If

      End If ' the matching If is not shown in this excerpt

    EDIT: Added to code, Changed name of ManagementAgent to ADAManagementAgent
    • Edited by kurps, Monday, August 24, 2009 9:35 PM
  • Monday, August 24, 2009 8:32 PM, Ahmad Abdel-wahed (MSFT, Moderator)
     

    Paul's got you on the right track as far as asking for the relevant bits of your code; however, it seems there are pieces missing from what's shown here.

    1. numConnectors seems to get set outside the scope of what's shown, and SHOULD change as a result of the operations taking place in the code segment (DeprovisionAll).
    2. Your trigger for provisioning is the presence of an mv attribute called uniquecn, and it is possible you would have connectors in the relevant MA without this attribute existing on the entry. Clearly you are checking for .IsPresent to see if you can refer to the attribute value for the construction of the DN, but it turns out now this is your trigger for provision.
    3. How do you ascertain that "ManagementAgent" is actually an AD MA?  The name chosen for the management agent doesn't indicate that you have reason to believe it is the AD MA.
    4. Is numConnectors just for this management agent (assuming it's the AD MA) or all MAs?

    AhmadAW
  • Monday, August 24, 2009 9:40 PM, kurps
     
    Ahmad,

    I updated my post above:

    1. Added the numconnectors bit.
    2. I should not have any objects without a uniquecn attribute populated.  And in the event that it does not have one, I do not want to create a contact object.
    3. It is an AD Management agent, I had just changed the name to sanitize the code for public consumption.
    4. numconnectors is just for this MA.  See updated code above.

    Thank you much.
  • Tuesday, August 25, 2009 9:24 AM, Paul Loonen (MVP)
     
    At the very least, I would rewrite my code as follows:


      ADMA = mventry.ConnectedMAs("ADManagementAgent")
      numConnectors = ADMA.Connectors.Count

      If (mventry("uniquecn").IsPresent) Then
          container = "OU=gal,dc=domain,dc=com"
          rdn = "CN=" & mventry("uniquecn").Value
          dn = ADMA.EscapeDNComponent(rdn).Concat(container)

          If 0 = numConnectors Then
              csentry = ADMA.Connectors.StartNewConnector("contact")
              csentry.DN = dn
              csentry.CommitNewConnector()

          ElseIf 1 = numConnectors Then
              myConnector = ADMA.Connectors.ByIndex(0)
              myConnector.DN = dn

          Else
              Throw New UnexpectedDataException("multiple connectors:" + numConnectors.ToString)
          End If

      Else 'uniquecn is not present

          mventry.ConnectedMAs("ADManagementAgent").Connectors.DeprovisionAll()

      End If


    This will at least avoid that you're creating connectors even when uniquecn is not present.

    Also, what I would do - if you can reproduce your problem anyway, is to run everything through a debugger and see in the debugger when and why things go wrong.
    Paul Loonen (Avanade)
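
The control-flow difference between the two code versions posted in this thread, as an added Python model that is not part of the original posts and does not call the ILM API. FakeMA, build_dn, apply_connector and outcome are hypothetical stand-ins, and the assumption that deprovisioning empties the connector list immediately is a simplification of what the sync engine does.

```python
# Toy model only: FakeMA stands in for one management agent's connector list.
# It is not Microsoft.MetadirectoryServices, and its behaviour is assumed.
class FakeMA:
    def __init__(self, dns=()):
        self.connectors = [{"dn": d} for d in dns]

    def deprovision_all(self):
        self.connectors.clear()  # assumption: connectors vanish immediately


def build_dn(uniquecn):
    # No DN escaping here; the posted code uses EscapeDNComponent for that.
    return f"CN={uniquecn},OU=gal,dc=domain,dc=com"


def apply_connector(ma, num, dn):
    """The 0 / 1 / many connector handling shared by both versions."""
    if num == 0:
        ma.connectors.append({"dn": dn})
    elif num == 1:
        ma.connectors[0]["dn"] = dn
    else:
        raise ValueError(f"multiple connectors: {num}")


def provision_original(mv, ma):
    num = len(ma.connectors)      # counted before any deprovisioning
    dn = None
    if "uniquecn" in mv:
        dn = build_dn(mv["uniquecn"])
    else:
        ma.deprovision_all()
    apply_connector(ma, num, dn)  # runs on both branches, with a stale count


def provision_restructured(mv, ma):
    num = len(ma.connectors)
    if "uniquecn" in mv:
        apply_connector(ma, num, build_dn(mv["uniquecn"]))
    else:                         # uniquecn is not present
        ma.deprovision_all()


def outcome(flow, mv, dns=()):
    """Run one flow on a fresh FakeMA; return resulting DNs or the error name."""
    ma = FakeMA(dns)
    try:
        flow(mv, ma)
    except Exception as exc:
        return type(exc).__name__
    return [c["dn"] for c in ma.connectors]
```

In this model, the first version with no uniquecn either creates a connector without a DN (no prior connector) or indexes into a list it has just emptied (one prior connector), while the restructured version leaves no connector in both cases.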