The UNIFYBroker-based Active Directory provisioning model uses a Powershell connector in Broker to action \u201conce-off\u201d operations for an AD user account, such as:<\/p>\n
The Broker Powershell connector has the following configuration components:<\/p>\n
The Powershell connector can also be used for AD objects other than users.<\/p>\n
A key element of the user lifecycle at [CUSTOMERX] is the \u201cIdentity State\u201d of each user, which is derived from various user attributes (e.g. HR contract start date, manual disable flag, user last login timestamp, etc) and drives the values of various other attributes (e.g. AD Distinguished Name, account disable\/enable state, exchange mailbox enable\/disable, etc).\u00a0 There are similar attributes (\u201cGroup State\u201d and \u201cContact State\u201d) for AD groups and AD mail contacts.<\/p>\n
The following documents the specific actions performed by Broker connectors:<\/p>\n
These three Broker connectors each have a corresponding Broker adapter, but share one \u201cProvisioning\u201d MA within MIM.\u00a0 Please refer to the Provisioning MA configuration and the Powershell connector implementation for important aspects of the solution (e.g. required minimum attributes that must be exported from MIM for use when creating the various AD objects).<\/p>\n
The following important lessons were learned during implementation.<\/p>\n
\u201cImport All\u201d cannot be treated as a periodic baseline as per our normal MIM best practices, because when run it resets (nulls) all connector attribute values other than those it sets directly.\u00a0 This means that the next MIM export operation (after a MIM full import\/sync to identify that the attributes have been cleared \u2013 and not a delta import\/sync as this does not notify MIM of the changes) will have to restore all export attribute values (i.e. Identity\/Group\/Contact State, in the [CUSTOMERX] case) and this will re-trigger any \u201cUpdate Entities\u201d code for all objects (i.e. attempt to re-enable or re-disable every user\u2019s exchange mailbox, in the [CUSTOMERX] case).<\/p>\n
\u201cImport Changes\u201d functionality must be implemented and cannot be set to \u201cNone\u201d.\u00a0 Following on from the previous paragraph, because regular baselining of the connector is problematical and best avoided an incremental synchronisation method is needed to keep the connector in sync with the source AD data.\u00a0 If this is omitted then objects that are created directly in AD by other systems will not be visible in the connector (and consequently won\u2019t be created in the MIM \u201cProvisioning\u201d MA, leading to failed provisioning requests from MIM when the attempt is made to create the already-existing AD object).<\/p>\n
The default timeout for MIM export profile runs to ECMA2 connectors such as Broker is 60 seconds, and the default batch size is 5,000 objects.\u00a0 At [CUSTOMERX], Broker was unable to process requests from MIM fast enough, leading to timeouts which manifest in MIM as \u201ccd-error\u201d errors on each exported object with no other useful information logged anywhere.\u00a0 Therefore it is highly recommended that the timeout be significantly increased.\u00a0 It may also be effective to decrease the batch size, but this approach was not tested and is therefore unconfirmed.<\/p>\n
Errors during export (e.g. problems during the development of the Broker Powershell connector code, or transient errors when executing commands from the Broker Powershell connector code) cause MIM to report errors against exported objects, even though Broker may actually correctly save the updated value of that attribute.\u00a0 If a subsequent export attempt is made then Broker returns an \u201cOther\u201d error on the second export attempt, with error default \u201cInternal error #9 (Cannot add value)\u201d.\u00a0 Debugging this situation and identifying what is causing it to occur can be difficult, since it only occurs on a second export after a previous error has been encountered, for a different reason.\u00a0 Consequently it is recommended that all Broker powershell \u201cUpdate Entities\u201d code must include error-checking and be wrapped in exceptions handling and use the Failed Operations mechanism (\u201c$components.Failures.Push($entity)\u201d) to correctly record operation failures.\u00a0 Refer to the Broker Powershell connector documentation for details of this mechanism.\u00a0 It is arguably a bug in Broker that it fails to correctly handle the second export\u2019s attribute update.<\/p>\n
When using PSSessions in the Powershell connector to perform operations remotely, be sure to call Remove-PSSession to free the session as soon as it is no longer required.\u00a0 Failure to do so may contribute to Broker misbehaviour, although this is unconfirmed.<\/p>\n
\u201ccd-error\u201d with no other details \u2013 a timeout from the MIM side.\u00a0 Increase the export profile\u2019s timeout (\u201cOperation Timeout (s)\u201d on the third screen of the Run Profile wizard \u2013 NOT the Custom Data \u201cTimeout (seconds)\u201d on the second)<\/p>\n
\u201cOther\u201d Internal error #9 (Cannot add value) \u2013 a previous export failed and Broker updated the attribute but reported the error back to MIM, which retries the export and confuses Broker which has already saved a value to this attribute.<\/p>\n
If you are having other errors during export, remove your powershell code altogether and leave just a empty stub in place that does nothing (not even load a blank external script).\u00a0 Try running your entire export (full data set) and make sure it works correctly first.\u00a0 Then try some delta exports (just a few records) and make sure they work.\u00a0 Once you’re sure you have that mechanism working correctly, but your code back in gradually – add functionality bit by bit, making sure you do both the entire export (full data set) and the the delta export (just a few records) each time.<\/p>\n","protected":false},"excerpt":{"rendered":"
Background The UNIFYBroker-based Active Directory provisioning model uses a Powershell connector in Broker to action \u201conce-off\u201d operations for an AD user account, such as: Account creation Account deletion Mailbox enable\/disable The Broker Powershell connector has the following configuration components: \u201cImport All\u201d \u2013 e.g. pre-load all existing users from AD \u201cImport Changes\u201d \u2013 e.g. identity and…<\/span><\/p>\n