Provision to AD LDS

  • Question

  • I have seen various people posting about issues with provisioning accounts in AD LDS with an AD LDS MA with FIM 2010. The posts I have read have been slightly different from my problem. So I am trying to see if you guys can give me some things to check out. I am trying to use an extension rule to provision the account to AD LDS. I have enabled the setting, and the MA is running as my elevated account (testing purposes), so I know it has rights to the OU. I modified a C# MVExtension project to fit our environment as well (to the best of my ability). We have objects in the Metaverse and cannot get them to export.

    We have also tried using sync rules too (I realize these are two different things). We don't receive any errors in the Event Viewer or the Sync Manager console. I am desperate and welcome any suggestions. Below is the provisioning code in the extension file I created, just in case someone can make sense of it. Thanks for your help!!!

    void IMVSynchronization.Provision(MVEntry mventry)
    {
        ConnectedMA ManagementAgent;
        int Connectors = 0;
        CSEntry csentry;
        ReferenceValue DN;

        ManagementAgent = mventry.ConnectedMAs["Staff Import"];
        Connectors = ManagementAgent.Connectors.Count;

        // Provision to SQL
        if (0 == Connectors)
        {
            csentry = ManagementAgent.Connectors.StartNewConnector("Person");
            csentry["SASID"].Value = mventry["employeeID"].Value;
            csentry["Department"].Value = mventry["department"].Value;
            csentry["FT/PT"].Value = mventry["employeeType"].Value;
            csentry["Address"].Value = mventry["address"].Value;
            csentry["City"].Value = mventry["city"].Value;
            csentry["Classess"].Value = mventry["Classess"].Value;
            csentry["Description"].Value = mventry["description"].Value;
            csentry["Email"].Value = mventry["email"].Value;
            csentry["Fax"].Value = mventry["Fax"].Value;
            csentry["FirstName"].Value = mventry["firstName"].Value;
            csentry["Instructors"].Value = mventry["Instructors"].Value;
            csentry["LastName"].Value = mventry["lastName"].Value;
            csentry["PersonLocation"].Value = mventry["location"].Value;
            csentry["PositionLocation"].Value = mventry["title"].Value;
            csentry["PositionTitle"].Value = mventry["title"].Value;
            csentry["State"].Value = mventry["State"].Value;
            csentry["Supervisor"].Value = mventry["Supervisor"].Value;
            csentry["Zip"].Value = mventry["Zip"].Value;
            csentry["CN"].Value = mventry["loginName"].Value;
            csentry.CommitNewConnector();
        }

        ManagementAgent = mventry.ConnectedMAs["ADLDS"];
        Connectors = ManagementAgent.Connectors.Count;

        // Provision to AD LDS
        if (0 == Connectors)
        {
            DN = ManagementAgent.EscapeDNComponent("CN=" + mventry["displayName"].Value).Concat("OU=Staff,DC=Test,DC=org");
            csentry = ManagementAgent.Connectors.StartNewConnector("user");
            csentry.DN = DN;
            csentry["CN"].Value = mventry["accountName"].Value;
            csentry["employeeID"].Value = mventry["employeeID"].Value;
            csentry["unicodePwd"].Value = "Windows20";
            csentry["msDS-UserAccountDisabled"].Value = "false";
        }
    }

    Thursday, April 5, 2012 10:57 PM


All replies

  • Did some playing around and found this in the event viewer: "This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded". I believe it has to do with the Rules extension I added, but I'm not sure what to change.
    Friday, April 6, 2012 1:54 AM
  • Reverted the Visual Studio Target Framework to .NET Framework 2.0; now I am getting "An error was encountered when processing your request Error: The expression mapping is executed but it fails because of a missing source attribute"... surely I am getting closer, right?
    Friday, April 6, 2012 2:17 AM
  • Mario,

    I think there is a comma missing in your DN specification, just before 'OU=Staff':

    DN = ManagementAgent.EscapeDNComponent("CN=" + mventry["displayName"].Value).Concat(",OU=Staff,DC=Test,DC=org");

    And, for safety reasons, I would advise using the 'IsPresent' method when getting the metaverse attributes, like so:

    string superVisor = null;
    if(mventry["Supervisor"].IsPresent)
    {
      superVisor = mventry["Supervisor"].Value;
    }

    (you might want to wrap that in a method, for reusability).

    I can also see that you set every attribute during provisioning. I would advise you to set the minimum amount of attributes during provisioning and set the remaining attributes during synchronization.

    Regards,
    Pieter


    Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/

    Friday, April 6, 2012 7:58 AM
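An added example, written for this thread rather than taken from Pieter's post or from the FIM product, that applies the advice above in one Provision() implementation: every metaverse read goes through a small IsPresent helper, only the attributes needed to create the object are set, and the DN is built with EscapeDNComponent and Concat. The MA name "ADLDS", the container "OU=Staff,DC=Test,DC=org" and the attribute names come from this thread; the class name, the helper names, the metaverse object type "person" and the per-account random initial password (instead of one fixed string shared by every provisioned account) are assumptions. It targets .NET Framework 2.0, which is what the FIM 2010 sync engine loads.

```csharp
using System.Security.Cryptography;
using Microsoft.MetadirectoryServices;

// Added example: an IMVSynchronization rules extension that provisions a
// metaverse person into the "ADLDS" MA. Class name, helper names, the
// metaverse object type "person" and the random initial password are
// assumptions; MA name, container and attribute names follow the thread.
public class StaffMvExtension : IMVSynchronization
{
    private const string AdLdsMaName = "ADLDS";
    private const string StaffContainer = "OU=Staff,DC=Test,DC=org";

    public void Initialize() { }

    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        // Assumed metaverse object type; only persons get an AD LDS account.
        if (mventry.ObjectType != "person") return;

        ConnectedMA adlds = mventry.ConnectedMAs[AdLdsMaName];

        // Provisioning only creates the object. Once a connector exists,
        // attribute changes must travel through attribute flow rules.
        if (adlds.Connectors.Count != 0) return;

        // Do not create an object the directory cannot name.
        string displayName = GetMvString(mventry, "displayName");
        string accountName = GetMvString(mventry, "accountName");
        if (displayName == null || accountName == null) return;

        // EscapeDNComponent escapes characters such as ',' or '+' inside the
        // RDN; Concat inserts the separating comma itself, so the container
        // string must not start with one.
        ReferenceValue dn = adlds.EscapeDNComponent("CN=" + displayName).Concat(StaffContainer);

        CSEntry csentry = adlds.Connectors.StartNewConnector("user");
        csentry.DN = dn;
        csentry["CN"].Value = accountName;

        // Optional attributes are set only when present in the metaverse;
        // reading an absent attribute would throw AttributeNotPresentException.
        string employeeId = GetMvString(mventry, "employeeID");
        if (employeeId != null) csentry["employeeID"].Value = employeeId;

        // One random initial password per account instead of a fixed string
        // shared by every provisioned user (assumed policy).
        csentry["unicodePwd"].Value = NewInitialPassword(16);
        csentry["msDS-UserAccountDisabled"].BooleanValue = false;

        // Without CommitNewConnector the object never reaches the connector
        // space and an Export run reports nothing to export.
        csentry.CommitNewConnector();
    }

    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        return false;
    }

    // Reusable IsPresent guard: returns null instead of throwing when the
    // metaverse attribute has no value.
    private static string GetMvString(MVEntry mventry, string attributeName)
    {
        Attrib attribute = mventry[attributeName];
        return attribute.IsPresent ? attribute.Value : null;
    }

    // Cryptographically random password from a fixed alphabet, using
    // rejection sampling so every character is equally likely.
    private static string NewInitialPassword(int length)
    {
        const string alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*";
        int limit = 256 - (256 % alphabet.Length);
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] one = new byte[1];
        char[] chars = new char[length];
        for (int i = 0; i < length; )
        {
            rng.GetBytes(one);
            if (one[0] >= limit) continue;
            chars[i++] = alphabet[one[0] % alphabet.Length];
        }
        return new string(chars);
    }
}
```

The DN helper is the detail that bites most often: Concat supplies the comma between the RDN and the container, which is why the container string above has no leading comma. Anything that has to change after the account exists (title, department, a later password) belongs in an attribute flow rule on the MA, not in this method.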
  • THANK YOU! THANK YOU! What you suggested really helped me out. It complained when I put a comma before the OU=Staff, though. One question: can you help me with the code to get the MV object to AD LDS? I mean, what is the method? That is the other half of my initial problem. Is the code below sufficient? I have objects in the MV, but when I try to do an export it says I have 0 objects to export. I just want to verify my code will work once I have that issue resolved. The code I copied and pasted into Visual Studio appears to only get the object from CS to MV?? I think... Here is the other sub in the code:

    ManagementAgent = mventry.ConnectedMAs["ADLDS"];
    Connectors = ManagementAgent.Connectors.Count;

    string displayname = null;
    string unicodePwd = null;
    string UserAccountDisabled = "msDS-UserAccountDisabled";

    if (0 == Connectors)
    {
        string employeeID = null;

        if (mventry["employeeID"].IsPresent)
        {
            employeeID = mventry["EmployeeID"].Value;
        }

        DN = ManagementAgent.EscapeDNComponent("CN=" + mventry["displayName"].Value).Concat("OU=Staff,DC=Test,DC=org");
        csentry = ManagementAgent.Connectors.StartNewConnector("user");
        csentry.DN = DN;

        displayname = mventry["displayname"].Value;
        employeeID = mventry["employeeID"].Value;
        unicodePwd = "Windows1";
        UserAccountDisabled = "false";
    }

    Thanks again

    Friday, April 6, 2012 3:26 PM
  • Mario,

    An 'Export' run just exports the content of the connector space to the target system. In your case, you should first run a 'Full Synchronization' step from your source system, which executes the code above and will create your new object.

    As for your code: you are currently creating variables, but you are not using them. You should set values in the connector space by adding something like:
    csentry["displayname"].Value = displayname;

    ...or, as I mentioned above, define the attribute flow from the client interface. You should also commit the new connector.

    Try this one:

    void IMVSynchronization.Provision(MVEntry mventry)
    {
        ConnectedMA managementAgent;
        int connectors = 0;
        CSEntry csentry;
        ReferenceValue DN;

        managementAgent = mventry.ConnectedMAs["ADLDS"];
        connectors = managementAgent.Connectors.Count;

        // Provision to AD LDS only when the metaverse object has no connector there yet
        if (connectors == 0)
        {
            // Concat inserts the separating comma itself; a container string that
            // starts with a comma produces the InvalidDNException reported later in this thread
            DN = managementAgent.EscapeDNComponent("CN=" + mventry["displayName"].Value).Concat("OU=Staff,DC=Test,DC=org");
            csentry = managementAgent.Connectors.StartNewConnector("user");
            csentry.DN = DN;
            csentry["CN"].Value = mventry["accountName"].Value;
            csentry["employeeID"].Value = mventry["employeeID"].Value;
            csentry["unicodePwd"].Value = "Windows20";
            csentry["msDS-UserAccountDisabled"].Value = "false";
            // Without this call the new connector is discarded and the Export run has nothing to export
            csentry.CommitNewConnector();
        }
    }

    As for the error you got by adding the comma before the OU=Staff, can you give me the error? Maybe I can help you with that one.

    Regards,
    Pieter.


    Pieter de Loos - Consultant at Traxion (http://www.traxion.com) http://fimfacts.wordpress.com/


    • Edited by Pieter de Loos Friday, April 6, 2012 3:53 PM Added the comma before OU=Staff
    • Marked as answer by mario.exe Friday, April 6, 2012 8:55 PM
    Friday, April 6, 2012 3:51 PM
  • Thanks again Pieter!

    I don't recall the exact error I received regarding the OU. I just removed the comma and the error went away. Another guy and I just got back from FIM training last week, and we are finding there are a lot of little things we weren't told (of course). The extension rule was already built and we didn't touch C#. This is the longest I have played with it, but I have gotten a lot better understanding of how at least this rules extension works.

    I also just discovered the FIM event log, and I see there is a certificate issue of some kind; not sure if it would affect exports to AD LDS or not. So I am going to have to focus my attention on that now to rule it out, but I do currently have the code you helped with in our testing environment and it is no longer causing the miscellaneous "exception-dll-errors".

    Many many thanks!!!!!

    Friday, April 6, 2012 8:54 PM
  • by the way Pieter that error was:

    Microsoft.MetadirectoryServices.InvalidDNException: DN ",OU=Staff,DC=Test,DC=org" is not valid.

    Friday, April 6, 2012 10:15 PM
  • Hi guys,

    Not meaning to reopen this thread, but my searching led me here. All the above code and process works exactly for my scenarios also; however, I also need to propagate when the password changes from the SQL DB to the AD LDS. So I added the additional code:

    if (connectedMA.Connectors.Count < 1)
    {
        // similar code as above...
    }
    else
    {
        // try update the pwd
        if (mventry.ObjectType.Equals("LDSUser"))
        {
            CSEntry csEntry = connectedMA.Connectors.ByDN[myDN];
            if (csEntry["unicodePwd"].StringValue != mventry["pwdHex"].Value)
            {
                csEntry["unicodePwd"].StringValue = mventry["pwdHex"].Value;
                this.Log(string.Format("Updated: {0}", mventry["description"].Value));
            }
        }
    }

    but it gives me the error that unicode is read-only!

    How can I propagate updating the pwd??

    Thanks

    Tuesday, April 17, 2012 11:56 AM
  • In general, on an attribute level, the purpose of provisioning is to initialize an object.
    In other words, with the exception of a DN update, you can't use provisioning code to propagate attribute updates.

    Attribute updates need to be handled by attribute flow rules.

    Cheers,
    Markus


    Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation

    Tuesday, April 17, 2012 12:53 PM
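An added example, written for this thread rather than taken from Markus's post or from the FIM product, of the update path he describes: Provision() creates the AD LDS connector once, and later changes to a metaverse attribute reach the existing connector through an export attribute flow rule in the AD LDS MA's own rules extension (the same flow can be configured declaratively in Synchronization Service Manager, which is what the last post did). The flow-rule names and the class name are invented; the metaverse object type "LDSUser", the attribute names pwdHex and unicodePwd, and the assumption that the AD LDS MA accepts unicodePwd through export flow (as the last post reports) are taken from the later posts.

```csharp
using Microsoft.MetadirectoryServices;

// Added example (not from the thread): rules extension for the AD LDS MA.
// Each export flow rule is declared on the MA as an "Advanced" flow whose
// name is passed to MapAttributesForExport; the engine calls it for every
// connected object during synchronization, which is how a later change to
// pwdHex reaches the existing connector. Rule names, the MV object type
// "LDSUser" and the attribute names are assumptions about that environment.
public class AdLdsMaExtension : IMASynchronization
{
    private const string PasswordFlowRule = "cd.user:unicodePwd<-mv.LDSUser:pwdHex";
    private const string DescriptionFlowRule = "cd.user:description<-mv.LDSUser:description";

    public void Initialize() { }

    public void Terminate() { }

    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        switch (FlowRuleName)
        {
            case PasswordFlowRule:
                // In Provision() the attributes of an existing connector cannot be
                // written (the "read-only" error above); in export flow they can.
                // The password is never imported into the connector space, so there
                // is no old value to compare against: write whenever a source exists.
                if (mventry["pwdHex"].IsPresent)
                {
                    csentry["unicodePwd"].Value = mventry["pwdHex"].Value;
                }
                break;

            case DescriptionFlowRule:
                // Ordinary attribute: an absent source clears the target so the
                // directory does not keep a stale value.
                if (mventry["description"].IsPresent)
                {
                    csentry["description"].Value = mventry["description"].Value;
                }
                else
                {
                    csentry["description"].Delete();
                }
                break;

            default:
                throw new EntryPointNotImplementedException();
        }
    }

    // Entry points this MA does not use; FIM treats
    // EntryPointNotImplementedException as "not handled here".
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    {
        throw new EntryPointNotImplementedException();
    }

    public DeprovisionAction Deprovision(CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }

    public bool FilterForDisconnection(CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }

    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    {
        throw new EntryPointNotImplementedException();
    }

    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
    {
        throw new EntryPointNotImplementedException();
    }

    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        throw new EntryPointNotImplementedException();
    }
}
```

The split is the whole point of Markus's reply: the MV extension's Provision() decides whether an object should exist and creates it; the MA extension's export flow keeps its attributes current on every synchronization run, which a provisioning routine cannot do for connectors that already exist.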
  • Thanks - I've moved this to a flow rule and it works nicely
    Wednesday, April 18, 2012 8:53 AM