Invalid-DN During Export on a SQL MA
Hit a confusing error recently on a SQL MA. This SQL MA has no reference attributes, and the anchor is simply a GUID (good enough for the FIM MA, right?). On Export there are a few objects with an Export Error of "invalid-dn". This is confusing because this MA has no DNs. The problem here is that the MA has pending exports for objects that don't exist in the target SQL table. In my case these objects are waiting to be cleaned up by a Full Import, so I expect these to just go away naturally without any of my invasive meddling. Weird error, I would have preferred something more like "Object not found". Hopefully the next person that gets this error finds this post ;-)
CraigMartin Edgile, Inc. http://identitytrench.com
June 27th, 2012 11:51am

Craig, I'm curious as to why you have pending exports for objects that don't exist and a full import will clean them up. Are they not pending adds? Does your SQL MA not have a way of importing deletes on a delta import? I had that problem for a while with one of my simpler SQL MAs. I suspect in this case the "invalid-dn" error is really referring to your anchor value. In many ways the anchor and DN are synonymous.
Chris
June 27th, 2012 4:10pm

Hey Chris, it was an issue with the triggers creating our delta table entries that tricked the sync engine into having a CSEntry for an object that had no corresponding row in the SQL table. So the row existed in the delta table, but not the full table. A full import makes the issue go away, but doesn't solve the actual problem. In this case, the error ('invalid-dn') might be referring to the anchor, but my point is that the error doesn't reflect the actual problem (missing object in the SQL table). I suspect on export the MA is looking for the target row (by the CSEntry DN) but doesn't find it. When it fails to find the row in SQL it tells me 'invalid-dn' where I would have preferred to get detail such as "failed to find the object in SQL using query: select * from foo where hoof = 'hearted'", or simply "Object not found". Nitpicking? Maybe. The intent of the post is to make this easier for the next person that hits this error and wonders why the SQL MA thinks a DN is invalid ;-)
CraigMartin Edgile, Inc. http://identitytrench.com
June 27th, 2012 7:09pm

I have noticed the same thing. Thankfully, a quick search turned up this post. 'Invalid-dn' is indeed a misleading error message for this situation. 'Invalid-anchor' would make much more sense to me in this scenario. For anyone else who hits this, the reason I came up with this is because I am using a view on my SQL MA to only show the last month's data. Before my update to the SQL Table could process, the entry it was trying to update dropped out of the 1 month period. This caused the entry to not exist in the view, which generated the 'invalid-dn' error. Thanks for taking the time to post this, Craig. It helped me find the cause of my error and eliminate some head scratching much more quickly than I would have without it.
July 17th, 2012 9:52am
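
An added example, not part of any post in this thread: a T-SQL check that takes the anchors of the objects reporting 'invalid-dn' on export and tells apart the two causes described above, a row missing from the table entirely and a row that still exists but has dropped out of the view the MA reads. Every object name (`dbo.Person`, `dbo.vPersonMA`, `dbo.PersonDelta`, `ObjectGuid`) and both GUIDs are assumptions to be replaced with your own.

```sql
-- Hypothetical names, substitute your own:
--   dbo.Person       base table that actually stores the objects
--   dbo.vPersonMA    table or view the SQL MA is configured against
--   dbo.PersonDelta  delta table filled by the triggers
--   ObjectGuid       the anchor column

-- Anchors copied from the objects that failed export with 'invalid-dn'.
-- The two values below are constructed placeholders.
DECLARE @FailedAnchors TABLE (ObjectGuid uniqueidentifier PRIMARY KEY);
INSERT INTO @FailedAnchors (ObjectGuid) VALUES
    ('11111111-1111-1111-1111-111111111111'),
    ('22222222-2222-2222-2222-222222222222');

SELECT f.ObjectGuid,
       CASE
           -- The MA can see the row, so the missing-row explanation does not apply.
           WHEN EXISTS (SELECT 1 FROM dbo.vPersonMA AS v
                        WHERE v.ObjectGuid = f.ObjectGuid)
               THEN 'visible to the MA: look for another cause'
           -- The row is stored but the view's filter (for example a date window) hides it.
           WHEN EXISTS (SELECT 1 FROM dbo.Person AS b
                        WHERE b.ObjectGuid = f.ObjectGuid)
               THEN 'row exists but the view filters it out'
           -- Nothing to update: the connector space object has no backing row.
           ELSE 'no row in the base table'
       END AS Finding,
       -- 1 when the delta table still holds an entry for the anchor,
       -- which points at the triggers as the source of the stale object.
       CASE WHEN EXISTS (SELECT 1 FROM dbo.PersonDelta AS d
                         WHERE d.ObjectGuid = f.ObjectGuid)
            THEN 1 ELSE 0 END AS HasDeltaRow
FROM @FailedAnchors AS f
ORDER BY Finding, f.ObjectGuid;
```

If the MA is configured directly against the base table, point `dbo.vPersonMA` at that same table and only the first and last findings can occur.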

Glad you found it! Could you please vote the post as helpful? It'll make people think I'm pretty ;-)
CraigMartin Edgile, Inc. http://identitytrench.com
July 17th, 2012 11:29am

This topic is archived. No further replies will be accepted.
