Hello, I have MAs for exporting Contact objects and CRL distribution points to SQL where they are staged and then sent on to other connected systems. In the OSRs I'm flowing the attributes required in the SQL tables and csObjectID to dn (IFO) to get the objects into the SQL CS. However, on attribute change, such as an update to the certificate binary, i'm seeing invalid-dn errors on the export runs. The dn in the connector space does look odd, e.g. "cn=joe bloggs\,ou=accounts\,dc=whatever\,dc=com" which is not how the same object looks in the AD connector space, it has the 'usual' formed dn that you'd expect. Obviously you don't flow csObjectID to dn in the AD OSRs. Is there a need to confirm the exports as all of the objects in the SQL CS are 'Awaiting Export Confirmation'? Is there as way to run confirming imports on SQL as running a Delta Import Delta Sync has no effect. Kind regards, Rob

Hi Rob, Did you define an inbound rule for your SQL MA? If not, try defining an inbound rule, with no attribute flows, that just joins the objects in the DB with the objects in the connector space. Basically, you have only to define in the "relationship" tab the same criteria you defined in the outbound rule. At that point, the delta import and synch operations should have an effect. Cheers, PaoloPaolo Tedesco - http://cern.ch/idm

Hi Rob, Did you define an inbound rule for your SQL MA? If not, try defining an inbound rule, with no attribute flows, that just joins the objects in the DB with the objects in the connector space. Basically, you have only to define in the "relationship" tab the same criteria you defined in the outbound rule. At that point, the delta import and synch operations should have an effect. Cheers, PaoloPaolo Tedesco - http://cern.ch/idm

Rob, Yes, you need to run confirming imports (it can be delta or full import). Do you get the same errors if you run a full import? Are you provisioning to the target MAs? If yes, are you sure you've correctly assembled the dn? What happens if you drill down on the "invalid-dn" errors? Could you explain a bit more in detail what exactly your are doing? Which MAs, which (relevant) attribute flows exactly? Could you describe the import/export flows a bit more clear? Regarding your remark "which is not how the same object looks in the AD connector space"... In a MA, the dn is not necessarily a DN like in AD. The dn is also referred as the anchor of the MA (talking non LDAP MAs). In SQL it usually is NOT the format cn=xxxx, ou=yyyy, dc=whatever,dc=com. Which MAs throw the error? Only the SQL MA? Did you create delta tables/delta views on the SQL tables? Kind regards, PeterPeter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be) [If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]

Rob, Yes, you need to run confirming imports (it can be delta or full import). Do you get the same errors if you run a full import? Are you provisioning to the target MAs? If yes, are you sure you've correctly assembled the dn? What happens if you drill down on the "invalid-dn" errors? Could you explain a bit more in detail what exactly your are doing? Which MAs, which (relevant) attribute flows exactly? Could you describe the import/export flows a bit more clear? Regarding your remark "which is not how the same object looks in the AD connector space"... In a MA, the dn is not necessarily a DN like in AD. The dn is also referred as the anchor of the MA (talking non LDAP MAs). In SQL it usually is NOT the format cn=xxxx, ou=yyyy, dc=whatever,dc=com. Which MAs throw the error? Only the SQL MA? Did you create delta tables/delta views on the SQL tables? Kind regards, PeterPeter Geelen (Traxion) - Sr. Consultant IDA (http://www.fim2010.be) [If a post helps to resolve your issue, please click the "Mark as Answer" of that post or "Helpful" button of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]

Thanks Paulo and Peter, Just set up some ISRs with no attribute flows to confirm the exports and now all appears well in the world of the sync engine again! Cheers Rob

Just as an observation, it doesn't appear possible to create a Delta Import run profile on the SQL MA. Is there a reason for this? Cheers Rob

It is possible, but you need to define a delta view. Check these articles: Generating delta views using triggers Generating delta views using snapshots The documentation is related to MIIS, but it's the same for FIM. Cheers, Paolo Paolo Tedesco - http://cern.ch/idm