Syncing users two-way with AD to FIM & Attribute Flow Rules
Hi Everyone,
I'm making my way through this FIM stuff. I somehow made it around my last issue and to be honest I have no idea what caused it.
Right now I'm trying to build what will be our production syncing logic. Right now I have two MAs: the FIM Service MA and AD DS. I'm trying to set it up so I can provision users in FIM into a particular OU and also have FIM sync my existing user accounts over to the FIM Portal (for password reset). I'm running into an issue where, if I configure both import and export attribute flows on the FIM Service MA, objects are then exported to the Service database without any AD attributes. If I remove the import flow mappings, AD data is then published to the FIM Service data without a problem.
There must be a simple reason for what is going on. Any ideas?
July 15th, 2010 11:59pm
Did you configure import and export flows on the AD sync rules in the FIM portal?
Do you see the attributes present in the FIM Sync MV?
Did you check the attribute flow precedence in the FIM Sync MV?
HTH,
Peter
Peter Geelen - Sr. Consultant IDA (http://www.fim2010.be)
[If a post helps to resolve your issue, please click the
"Mark as Answer" or "Helpful" button at the top of that post. By marking a post as Answered or Helpful, you help others find the answer faster.]
July 16th, 2010 12:04pm
This is by design.
As Peter has indicated, you need to take a look at your attribute flow precedence configuration.
You can either configure your environment to use manual flow precedence - which is not a good idea if you need one source to be authoritative - or initialize your environment in phases.
In case of a phased approach, you would first bring all AD objects into FIM and configure an outbound synchronization rule to AD when you are done bringing existing AD objects into FIM.
More details about attribute flow precedence are here.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
July 16th, 2010 1:29pm
Thanks, guys, for responding. I was at work late last night trying to figure this out.
1. I have configured an inbound and outbound sync rule in the FIM portal.
2. I have checked the attribute flow precedence on the sync service. It seems to have the same effect regardless of whether I specify the FIM Sync MA or the AD MA first.
3. I'm not at my computer right now, but I will say I do remember that the attributes ARE in the MV; they just will not sync to the FIM MA connector space.
That's just the outbound sync from the portal, but I also am having a problem with the inbound sync from AD DS to the MV. For some reason, if I try to sync the "displayName" attribute the sync will fail, giving me a "sync provisioning" error. If I remove the displayName attribute from the import flow rules on the MA and in the sync rule, the user will sync over. One time I even got an exception-dll error.
Can I remove import mappings on the FIM MA and just use the declarative sync rule? Am I doing something wrong? I was going off of the "Two Authoritative Sources Guide".
I'm so close I can taste it; there has to be something minor I'm overlooking. I'll take a look at that attribute flow precedence doc. Is there a way I can post my MA and sync rule config so you guys can take a look?
July 16th, 2010 3:27pm
To post MA and sync rule config: see the FIM Script box and FIM Community Knowledge Box.
HTH,
Peter
Peter Geelen - Sr. Consultant IDA (http://www.fim2010.be)
July 16th, 2010 3:32pm
Okay, here are my Sync Rules and MA configuration. I totally figured out my "Display Name" problem. I smacked myself in the face when I thought about it. I had been using a comma in my Display name, i.e. Russell, Brandon. And because I'm using it in my DN string as a variable, it's causing an error, because you can't have a DN with a comma in the middle of it like that. "DOH!" I'll just have to switch the variable, no biggie.
I'm still having the problem where I can't sync any user attributes when I have import sync rules on my MA. Perhaps it's precedence, but when I make the AD MA first in precedence it doesn't change anything. I just have to be missing something. Does this config seem okay for a start?
Synchronization Rule Configuration
Name: FENIX User Inbound Sync Rule
Connector: {4CD914AA-4C22-4920-BFBD-955BF724EB08}
Pending: No
Description:
Created Time: 14/07/2010
Precedence: 1
Flow Type: Inbound and Outbound

Scope
Metaverse Object Type: person
Data Source: {7F6896F4-E481-43B9-B03C-6C55AE7CBFB2}
Data Source Object Type: user

Relationship
Create object in FIM: true
Create object in Connected System: true
Relationship termination: false
Relationship Criteria (ILM Attribute = Data Source Attribute): accountName = sAMAccountName

Inbound Attribute Flows (Destination <- Source)
displayName <- displayName
firstName <- givenName
domain <- CustomExpression(IIF(Eq(Left(ConvertSidToString(objectSid),40),"S-1-5-21-4133570775-275769922-3532604739"),"FENIXVM","Unknown"))
objectSid <- objectSid
accountName <- sAMAccountName
lastName <- sn

Initial Outbound Attribute Flows (Destination <- Source; Allow Nulls)
userAccountControl <- Constant: 512 (Allow Nulls: false)
dn <- +("CN=",displayName,",OU=FIMObjects,DC=FENIX,DC=Local") (Allow Nulls: false)
unicodePwd <- Constant: p@ssw0rd (Allow Nulls: false)

Persistent Outbound Attribute Flows (Destination <- Source; Allow Nulls)
sAMAccountName <- accountName (Allow Nulls: false)
company <- company (Allow Nulls: false)
displayName <- displayName (Allow Nulls: false)
employeeID <- employeeID (Allow Nulls: false)
givenName <- firstName (Allow Nulls: false)
sn <- lastName (Allow Nulls: false)
manager <- manager (Allow Nulls: false)
MA CONFIG:
FIM MA Attribute Flow Configuration
Columns: Flow Direction | Data Source Attribute | Metaverse Attribute | Type | Flow Nulls ("-" = no value shown)

Metaverse object type: detectedRuleEntry
Inbound | dn | csObjectID | Direct | -
Outbound | SynchronizationRuleID | synchronizationRuleID | Direct | no
Outbound | DisplayName | displayName | Direct | no
Outbound | Connector | connector | Direct | no
Outbound | ResourceParent | resourceParent | Direct | no
Outbound | dn | - | sync-rule-mapping | no
Outbound | MVObjectID | object-id | Direct | no

Metaverse object type: expectedRuleEntry
Inbound | CreatedTime | createdTime | Direct | -
Inbound | ExpectedRuleEntryAction | expectedRuleEntryAction | Direct | -
Inbound | SynchronizationRuleData | synchronizationRuleData | Direct | -
Inbound | SynchronizationRuleID | synchronizationRuleID | Direct | -
Inbound | DisplayName | displayName | Direct | -
Outbound | StatusError | statusError | Direct | no
Outbound | SynchronizationRuleStatus | status | Direct | no

Metaverse object type: group
Inbound | dn | csObjectID | Direct | -
Inbound | AccountName | accountName | Direct | -
Inbound | DisplayName | displayName | Direct | -
Inbound | Member | member | Direct | -
Inbound | ExpectedRulesList | expectedRulesList | Direct | -
Inbound | Scope | scope | Direct | -
Inbound | Type | type | Direct | -
Inbound | DisplayedOwner | displayedOwner | Direct | -
Outbound | dn | - | sync-rule-mapping | no
Outbound | MVObjectID | object-id | Direct | no
Outbound | AccountName | accountName | Direct | no
Outbound | DisplayName | displayName | Direct | no
Outbound | Member | member | Direct | no
Outbound | Scope | scope | Direct | no
Outbound | Type | type | Direct | no
Outbound | DisplayedOwner | displayedOwner | Direct | no

Metaverse object type: person
Inbound | sAMAccountNameAccountName | accountName | sync-rule-mapping | -
Inbound | displayNameDisplayName | displayName | sync-rule-mapping | -
Inbound | objectSidDomain | domain | sync-rule-mapping | -
Inbound | givenNameFirstName | firstName | sync-rule-mapping | -
Inbound | snLastName | lastName | sync-rule-mapping | -
Inbound | objectSid | objectSid | sync-rule-mapping | -
Inbound | dn | csObjectID | Direct | -
Inbound | ExpectedRulesList | expectedRulesList | Direct | -
Inbound | Company | company | Direct | -
Inbound | Manager | manager | Direct | -
Outbound | dn | - | sync-rule-mapping | no
Outbound | MVObjectID | object-id | Direct | no
Outbound | AccountName | accountName | Direct | no
Outbound | Company | company | Direct | no
Outbound | DisplayName | displayName | Direct | no
Outbound | Domain | domain | Direct | no
Outbound | EmployeeID | employeeID | Direct | no
Outbound | EmployeeType | employeeType | Direct | no
Outbound | FirstName | firstName | Direct | no
Outbound | LastName | lastName | Direct | no
Outbound | Manager | manager | Direct | no
Outbound | ObjectSID | objectSid | Direct | no

Metaverse object type: synchronizationRule
Inbound | ConnectedObjectType | connectedObjectType | Direct | -
Inbound | ConnectedSystem | connectedSystem | Direct | -
Inbound | ConnectedSystemScope | connectedSystemScope | Direct | -
Inbound | CreateConnectedSystemObject | createConnectedSystemObject | Direct | -
Inbound | CreateILMObject | createILMObject | Direct | -
Inbound | Dependency | dependency | Direct | -
Inbound | DisconnectConnectedSystemObject | disconnectConnectedSystemObject | Direct | -
Inbound | DisplayName | displayName | Direct | -
Inbound | ExistenceTest | existenceTest | Direct | -
Inbound | FlowType | flowType | Direct | -
Inbound | ILMObjectType | ilmObjectType | Direct | -
Inbound | InitialFlow | initialFlow | Direct | -
Inbound | PersistentFlow | persistentFlow | Direct | -
Inbound | Precedence | precedence | Direct | -
Inbound | RelationshipCriteria | relationshipCriteria | Direct | -
Inbound | SynchronizationRuleParameters | synchronizationRuleParameters | Direct | -
Thanks for the assistance guys!
July 17th, 2010 1:13am
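The "Display Name" problem in the post above comes from building the dn flow `+("CN=",displayName,",OU=FIMObjects,DC=FENIX,DC=Local")` from a value that contains a comma. The following is an added example, not code from the thread or from FIM: it builds the same DN shape but escapes the CN value per RFC 4514, and splits the result back into RDNs to confirm the comma no longer acts as a separator. The sample names are constructed.

```python
# Added example (not from the thread or from FIM): builds the DN that the sync
# rule's initial flow +("CN=",displayName,",OU=FIMObjects,DC=FENIX,DC=Local")
# produces, but escapes the RDN value per RFC 4514 so that a displayName such
# as "Russell, Brandon" is not parsed as two RDNs. Sample names are constructed.

# Characters that must be backslash-escaped anywhere inside an RDN value.
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                 # NUL is written as the hex pair \00
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)              # leading space/'#' and trailing space
        else:
            out.append(ch)
    return "".join(out)

def build_dn(display_name: str, parent: str = "OU=FIMObjects,DC=FENIX,DC=Local") -> str:
    """Same shape as the sync rule's dn flow, with the CN value escaped."""
    return "CN=" + escape_rdn_value(display_name) + "," + parent

def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, honouring backslash escapes (used to check
    that the comma inside the CN did not create an extra RDN)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])            # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns

if __name__ == "__main__":
    for name in ["Brandon Russell", "Russell, Brandon", " Smith+Jones "]:
        dn = build_dn(name)
        print(f"{name!r:20} -> {dn}  [{len(split_dn(dn))} RDNs]")
```

The unescaped form "CN=Russell, Brandon,OU=FIMObjects,DC=FENIX,DC=Local" splits into five RDNs, which is why AD rejects it; the escaped form splits into the expected four.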
I'm just stuck. Anyone see anything funny with the config?
July 19th, 2010 5:37pm
Just wanted to write and update with what has happened. I took a look at the attribute precedence. I'm positive I put the AD MA with the highest precedence. That didn't seem to work, even though the document provided explained the exact problem I was having. However, after turning on the "Use equal precedence" option the problem stopped.
Oddly, in this case this is exactly what I want. I want the last MA to write to the MV to change the value and allow it to pass to all connected MAs. I'd imagine if I had an HR system or something that was more authoritative I'd use that as the highest precedence, and then anything lower than that would simply drop off other attributes that it was not authoritative for.
So essentially the lesson learned here (I think) is that an MA that has higher precedence for an attribute will not accept a value from an MA that has a lower precedence value into its connector space (although that value will be stored in the MV).
July 19th, 2010 11:52pm
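A simplified model of the precedence behaviour discussed in the thread, added here as an example and not FIM code: under ranked precedence the highest-ranked MA that still contributes a value wins, under "Use equal precedence" the last MA to write wins, and when the winning contributor withdraws its value the metaverse falls back to the next contributor. The MA names and values are constructed, and the fallback after a withdrawal in equal-precedence mode is an assumption of the model.

```python
# Added example, not FIM code: a simplified model of metaverse attribute
# precedence. "ranking" lists MA names with the highest precedence first;
# with equal_precedence=True the last MA to write wins instead. The MA
# names and attribute values below are constructed for illustration.

class Metaverse:
    def __init__(self, ranking=(), equal_precedence=False):
        self.ranking = list(ranking)
        self.equal = equal_precedence
        self.contrib = {}   # attr -> {ma: value}: every MA's current contribution
        self.last = {}      # attr -> MA that wrote most recently

    def _rank(self, ma):
        # MAs missing from the ranking sort after every ranked MA
        return self.ranking.index(ma) if ma in self.ranking else len(self.ranking)

    def import_flow(self, ma, attr, value):
        """Record an inbound flow from `ma` and return the resolved MV value."""
        self.contrib.setdefault(attr, {})[ma] = value
        self.last[attr] = ma
        return self.value(attr)

    def withdraw(self, ma, attr):
        """`ma` stops contributing (value deleted or object disconnected)."""
        self.contrib.get(attr, {}).pop(ma, None)
        return self.value(attr)

    def value(self, attr):
        contribs = self.contrib.get(attr, {})
        if not contribs:
            return None
        if self.equal:
            # last writer wins; if it withdrew, fall back to any remaining contributor (assumed)
            ma = self.last[attr] if self.last[attr] in contribs else next(iter(contribs))
            return contribs[ma]
        # ranked: the highest-ranked MA that still contributes wins
        return contribs[min(contribs, key=self._rank)]

def replay(equal_precedence):
    """The thread's scenario: the AD MA imports displayName, then the FIM MA does.
    Returns (value after the FIM MA import, value after the AD MA withdraws)."""
    mv = Metaverse(ranking=["AD MA", "FIM MA"], equal_precedence=equal_precedence)
    mv.import_flow("AD MA", "displayName", "Russell, Brandon")
    after_fim = mv.import_flow("FIM MA", "displayName", "Brandon Russell")
    return after_fim, mv.withdraw("AD MA", "displayName")

if __name__ == "__main__":
    print("ranked precedence:", replay(False))  # FIM MA value ignored until AD MA withdraws
    print("equal precedence: ", replay(True))   # last writer wins
```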