none
FIM Synchronization Issue: LDIF Data Source not flowing attributes to Metaverse RRS feed

  • Question

  • Hi FIM helpers,

    I'm indeed need of help... I have about 3 issues in 1.

    Scenario: I am trying to import and synchronize my LDIF file into the metaverse. I need to import and sync a group update with additional members (already existing in the AD) and remove members (already existing in AD). So far I have successfully had AD transferring group updates into FIM and FIM transferring group updates to AD. I need this LDIF file to be the priority 1 in updating roughly 35 groups in the metaverse.

    Issue 1: Not sure I have the format down right for the LDIF. Here is my sample:

    Note: dn: is my anchor, displayName is my join property, member is my multi-value imported attribute flow member

    dn: CN=VDSGroup2, OU=FIMObjects, DC=flip, DC=flop, DC=company, DC=com
    changetype: add
    objectclass: group
    objectclass: top
    cn: VDSGroup2
    displayName: VDSGroup2
    member: CN=User1\, One, OU=FIMUsers, OU=Accounts, DC=flip, DC=flop, DC=company, DC=com
    member: CN=User2\, Two, OU=FIMUsers, OU=Accounts, DC=flip, DC=flop, DC=company, DC=com
    member: CN=User3\, Three, OU=FIMUsers, OU=Accounts, DC=flip, DC=flop, DC=company, DC=com
    member: CN=User4\, Four, OU=FIMUsers, OU=Accounts, DC=flip, DC=flop, DC=company, DC=com

    Issue 2: When trying to use the "modify" Changetype, FIM throws the error-changetype-invalid so I've also been testing with delimited text files.

    Issue 3: I do have some successful adds members of groups into the CS when using changetype: add. However it seems that the sync engine never actually changes the groups' members in the metaverse. When doing sync preview, all I see is Applied Delete to that attribute. This happens even after setting the attribute flow precedence to 1.

    I'd greatly appreciate some assistance to any of these answers.

    And yes I do have to use the LDIF MA and Delimited Text MA to update these security groups.

    Thanks,

    Andrew




    Monday, April 1, 2013 5:45 PM

Answers

  • Yes. The person objects and the group object specified in the LDIF file all are in the metaverse. To make sure I got the spelling right, I copied the DNs from AD.
    The person objects must also be present in the same LDIF file--in the same MA where the groups are defined--it isn't enough for them to exist only in the metaverse.

    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    Wednesday, April 3, 2013 7:48 PM

All replies

  • Are you consistently using the separator after the colon for your fields (ie. a space)?

    Are you receiving any errors trying to do this? Or are you just getting the Applied Delete? Also, do the members you are referencing exist in the same connector space? If not, the memberships will not resolve within the connector space and will not be passed correctly to the metaverse.

    Monday, April 1, 2013 11:25 PM
  • Yes. The colon and space were consistent in the file. I miswrote the copy above. I will edit it.

    No errors in the process. When running Import and Full Synchronization, I will see the 1 "Add" in "Staging" correctly with the corresponding members of the group. Under "Inbound Synchronization" I get 1 "Join" and 1 "Connector without Flow Updates".

    As far as the Applied Delete I changed something to not receive it anymore, but I generated the preview Full Synchronization to see that. Under the Import flow reads Import flow mode: full, with Status: Applied on the mapping of member from datasource to member in the metaverse. Although the Initial Value does not resemble what the connector space does, it resembles AD's version of that groups members. Finally, Final Value reads (Unchanged).

    I'm not sure I understand the question about referencing members in the same connector space? If I am importing them into the connector space from the datasource (LIDF file), wouldn't they just exist due to that? 

    thanks Matt

    Tuesday, April 2, 2013 2:11 AM
  • Yes they should, as long as the members and the groups come in through the same management agent they should. 

    In the preview, are you looking at the Import Attribute Flow, or are you looking at the provisioning that's happening to AD (sounds like you might be). If it's populated under the "Initial Value" that usually refers to the values you are setting in your provisioning logic, with "Unchanged" signifying that you don't have an Export Attribute Flow overriding it to something different.

    It sounds like whatever you changed would have fixed it - you can always commit a preview to confirm this for one user and confirm the memberships appear in the AD connector space (which it sounds like it did).

    Tuesday, April 2, 2013 4:41 AM
  • Yes the window I was looking at was the Import Attribute Flow. I went ahead and committed the preview but didnt see a change in the metaverse. :-/ Side note: it also seems to not matter whether the file is a txt or ldf. The sync engine returns the same results.
    Tuesday, April 2, 2013 3:20 PM
  • If you were looking at the Import Attribute Flow then it sounds like the members aren't resolving to the metaverse for whatever reason. Confirm those objects are also being projected and exist, or the groups will have no members in the MV (trying to reference objects that don't exist).

    Wednesday, April 3, 2013 12:53 AM
  • Yes. The person objects and the group object specified in the LDIF file all are in the metaverse. To make sure I got the spelling right, I copied the DNs from AD.
    Wednesday, April 3, 2013 7:27 PM
  • Yes. The person objects and the group object specified in the LDIF file all are in the metaverse. To make sure I got the spelling right, I copied the DNs from AD.
    The person objects must also be present in the same LDIF file--in the same MA where the groups are defined--it isn't enough for them to exist only in the metaverse.

    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    Wednesday, April 3, 2013 7:48 PM