Generic LDAP Adapter Sync rules

  • Question

  • I found that with the generic LDAP adapter, you cannot configure any Sync rules in the portal for it. You can never see the external resource type.

    Has anyone found a work around for this? Or experienced this?

    I guess I can do a work flow and MPR in the portal without the sync rule, but would prefer to use the sync rules. 

    Thanks

    Russ


    Russell Lema

    Thursday, March 9, 2017 8:12 PM

Answers

  • Hi Russ,

    It sounds like you may have exceeded the 'maxReceivedMessageSizeInBytes' in the ResourceManagementClient. If the XML representation of your LDAP schema exceeds 14MB, it will not be submitted to the FIM Service database, and so isn't available as an External System Resource Type. I've worked around this previously by using a subschema-filter to 'hide' un-used object classes and attributes during schema discovery. Alternatively you can use a metaverse rules extension to provision to your LDAP server.

    Cheers,

    Tom Houston, UK Identity Management Practice

    • Marked as answer by Russ Lema Tuesday, March 14, 2017 7:30 PM
    Saturday, March 11, 2017 1:53 PM

All replies

  • We are using the Generic LDAP adapter successfully.

    Try refreshing the MIMMA schema in the Sync client. Also try re-entering the MIMMA account details. This will refresh the ma-data object for the Generic LDAP Agent in the Portal.


    Please also ensure that you have done a Full Import on the Generic LDAP agent, and selected the appropriate object types.



    Friday, March 10, 2017 8:01 AM
  • I did both the full import and the refresh schema, no changes.

    I re-entered the MA credentials for the MIM Service account, but still no external resource type.

    I think it might have something to do with the resource types that are in the UVD I am connecting to. 

    They are

    "GroupofUniqueNames" mapped to groups

    "mailGroup" mapped to groups with group type set as a constant of Distribution

    When I go to create an inbound sync rule (this is so I can expand the LDAP filters into XPath membership filters or static member entries),

    I see this:

    Thanks for your help


    Russell Lema

    Friday, March 10, 2017 3:45 PM
  • Tom, 

    thanks for the reply, 

    I currently only have 4 objects selected on the LDAP MA, so I don't think that the size would exceed the max, but I guess it could be possible.

    I was looking to do the sync rule, so I could do membership expansion for the LDAP group types into reference objects on the inbound sync, since all the memberships coming from LDAP are actually just LDAP filters, for example:

    "alias=X" or "employeeNumber=XXXXX"

    So we have two steps: one is to convert the filters to XPath, which I am adding to the MV extension; the second was to take the members in the manually added memberships and use the sync rule to get the reference values to populate the members.


    Russell Lema

    Monday, March 13, 2017 2:37 PM
  • Hi Russ,

    When you save the LDAP connector, the FIM Sync Service tries to upload an XML representation of the entire LDAP schema to the FIM Service. So if you have a large schema, i.e. lots of object class and attribute definitions, in your LDAP server, it may exceed the 14MB limit. You could try exporting your LDAP MA to an XML file and then checking its file size.

    Cheers,

    Tom Houston, UK Identity Management Practice

    • Proposed as answer by Borys Majewski Wednesday, February 5, 2020 3:21 PM
    Monday, March 13, 2017 9:37 PM
  • Tom, 

    Yep, you are correct, the MA export is 47 MB. I will see what can be done here to hide the schema.

    I appreciate you pointing me in the right direction.

    Thanks

    Russ


    Russell Lema

    Tuesday, March 14, 2017 7:31 PM
  • Now I just have to figure out how to filter the sub-schema on the generic LDAP adapter, I found the way to do it with the LDAPX but not this MA. 

    Any suggestions how to filter this?


    Russell Lema

    Wednesday, March 15, 2017 2:31 PM
  • Hi Russ,

    You need to reduce the size of the schema on your LDAP server. The LDAP server we were using shipped with a large default schema out of the box. Fortunately the product had a sub-schema filter feature that let us hide entire categories of object classes and attributes, such as the whole of the Sun schema and the whole of the HP schema. We managed to hide enough to reduce it to below 14MB, so it was successfully committed to the FIM Service and the resources were available in the External System Resource Type drop-down list.

    Cheers,

    Tom Houston, UK Identity Management Practice

    Wednesday, March 15, 2017 8:09 PM
  • Hey Everyone,

    Recently worked with Microsoft on this issue and think we found a resolution:

    This is regarding the "maxReceivedMessageSizeInBytes" setting.

    Modify both files as per the data from the below link (note that based on your install these directories may be different, but both the service and the web config must be modified):

    https://docs.microsoft.com/en-us/previous-versions/mim/ff800821(v=ws.10)

    C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config

    C:\Program Files\Microsoft Forefront Identity Manager\2010Service\Microsoft.ResourceManagement.Service.exe.config

    In the "ResourceManagementClient" section:

    XPath:   /configuration/resourceManagementClient/@maxReceivedMessageSizeInBytes
    Values:  [0, Int32.MaxValue]
    Default: 14 MB, 0xE00000 (14680064 decimal)
    Notes:   The maximum received message size the client is willing to receive

    Add the parameter “maxReceivedMessageSizeInBytes” with a value that will handle the size of the management agent definition

    I set mine up to accept requests of over 100 MB (100*1024*1024). This has had no impact in regards to sync rules so far, but I have noticed that if you try to view the properties of the ma-data object in the Portal it takes ages to load and may hit the built-in timeout when attempting to retrieve the properties.

    The thing that was failing to write was the XML representation of the Management agent on to the ma-data object hence the lack of ability to select external data source object types via the picker.


    AK

    • Proposed as answer by Borys Majewski Wednesday, February 5, 2020 3:22 PM
    Friday, January 25, 2019 7:52 PM
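    The procedure above, as an added PowerShell example (not from the thread or from Microsoft): it sizes the limit from the exported MA XML that Tom suggested checking, then writes the attribute into the two config files AK lists. The export path, the 25% headroom and the whole-MB rounding are assumptions.

```powershell
# Added example: derive maxReceivedMessageSizeInBytes from the exported MA XML and
# set it in both config files named in the thread. Export path, headroom factor and
# rounding are assumptions; adjust them to your installation.
$maExport   = 'C:\Temp\GenericLdapMA.xml'   # assumed path of the MA exported from the Sync client
$configs    = @(
    'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config',
    'C:\Program Files\Microsoft Forefront Identity Manager\2010Service\Microsoft.ResourceManagement.Service.exe.config'
)
$defaultMax = 14680064                        # 0xE00000, the 14 MB default from the docs table

# Size the limit to the actual MA definition plus 25% headroom, rounded up to a whole MB,
# rather than an arbitrarily large value: the service buffers every client request up to
# this size, so keep the ceiling as small as the data needs.
$exportBytes = (Get-Item -Path $maExport).Length
$needed      = [int][math]::Ceiling($exportBytes * 1.25 / 1MB) * 1MB
if ($needed -gt [int]::MaxValue) { throw "Required size $needed exceeds Int32.MaxValue" }
if ($needed -le $defaultMax) {
    Write-Host "MA export is $exportBytes bytes; the 14 MB default is sufficient, nothing to change."
    return
}

foreach ($path in $configs) {
    if (-not (Test-Path -Path $path)) { Write-Warning "Not found: $path"; continue }
    Copy-Item -Path $path -Destination "$path.bak" -Force        # keep a rollback copy
    [xml]$cfg = Get-Content -Path $path -Raw
    $node = $cfg.SelectSingleNode('/configuration/resourceManagementClient')
    if ($null -eq $node) { Write-Warning "No resourceManagementClient element in $path"; continue }
    $current = $node.GetAttribute('maxReceivedMessageSizeInBytes')   # "" when the attribute is absent
    if ($current -and [long]$current -ge $needed) {
        Write-Host "${path} already allows $current bytes."; continue
    }
    $node.SetAttribute('maxReceivedMessageSizeInBytes', [string]$needed)
    $cfg.Save($path)
    Write-Host "${path}: maxReceivedMessageSizeInBytes set to $needed (was '$current')."
}
# Restart the FIM/MIM Service and recycle the Portal application pool afterwards so both
# sides reload the setting, then re-save the MA so the Sync Service retries the ma-data upload.
```

    Run it from an elevated session on the MIM Service server; the .bak copies let you revert if the Portal becomes slow to load ma-data properties, as AK noted.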
  • Well done thanks for the update. 

    Russell Lema

    Friday, January 25, 2019 7:57 PM
  • @arek.kowalewski, I've found this parameter is honoured by the MIM Service. I set it to 100MB by adding maxReceivedMessageSizeInBytes="104857600" to the two files you mention, and now I can successfully enumerate 'External System Resource Type' in the Create Synchronization Rule dialog.

    Cheers,

    Tom Houston, UK Identity Management Practice

    Tuesday, February 4, 2020 6:32 PM