Sync-rule-validation-parsing-error FIM MA

Hi,

Running FIM 2010 R2 SP1 (4.1.3613.0) and have a very simple Outbound System Scoped Sync Rule, setting the following attributes:

  • initial password
  • initial DN

The sync rule works, as users are provisioned in the target system. However the FIM MA generates the "Sync-rule-validation-parsing-error". Even if we remove all the attributes from the sync rule, the error continues to exist. We have also recreated the rule.

Any ideas why we're getting the error message (and the rule is working)?

Here is the extract of the Sync Rule:

<?xml version="1.0" encoding="utf-8"?>
<Results xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <ExportObject>
    <Source>http://localhost:5725/ResourceManagementService</Source>
    <ResourceManagementObject>
      <ObjectIdentifier>urn:uuid:9d587de2-5ed2-46a6-9354-e7a12865a55f</ObjectIdentifier>
      <ObjectType>SynchronizationRule</ObjectType>
      <IsPlaceholder>false</IsPlaceholder>
      <ResourceManagementAttributes>
        <ResourceManagementAttribute>
          <AttributeName>ObjectID</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>urn:uuid:9d587de2-5ed2-46a6-9354-e7a12865a55f</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>ConnectedObjectType</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>businessperson</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>ConnectedSystem</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>{57C9FB04-B024-4E6C-BBED-CEBF930EBD1B}</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>CreateConnectedSystemObject</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>True</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>CreatedTime</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>17/05/2015 12:05:35 a.m.</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>CreateILMObject</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>False</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>Creator</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>urn:uuid:6f478f0e-9205-4082-870e-9616f96ccf45</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>DisconnectConnectedSystemObject</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>False</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>DisplayName</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>LDAP Sync Rule</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>FlowType</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>1</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>ILMObjectType</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>person</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>InitialFlow</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>true</IsMultiValue>
          <Values>
            <string>&lt;export-flow allows-null="false"&gt;&lt;src&gt;Password1&lt;/src&gt;&lt;dest&gt;userpassword&lt;/dest&gt;&lt;scoping&gt;&lt;/scoping&gt;&lt;/export-flow&gt;</string>
            <string>&lt;export-flow allows-null="false"&gt;&lt;src&gt;&lt;attr&gt;uid&lt;/attr&gt;&lt;attr&gt;ldapOu&lt;/attr&gt;&lt;/src&gt;&lt;dest&gt;entrydn&lt;/dest&gt;&lt;scoping&gt;&lt;/scoping&gt;&lt;fn id="+" isCustomExpression="false"&gt;&lt;arg&gt;"uid="&lt;/arg&gt;&lt;arg&gt;uid&lt;/arg&gt;&lt;arg&gt;",ou="&lt;/arg&gt;&lt;arg&gt;ldapOu&lt;/arg&gt;&lt;arg&gt;",o=company.org"&lt;/arg&gt;&lt;/fn&gt;&lt;/export-flow&gt;</string>
          </Values>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>ObjectType</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>SynchronizationRule</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>Precedence</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>1</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>RelationshipCriteria</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>&lt;conditions/&gt;</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>ManagementAgentID</AttributeName>
          <HasReference>true</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>urn:uuid:8a6b60b0-b286-4cc8-9b0f-cdf043cd41ec</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>msidmOutboundIsFilterBased</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>True</Value>
        </ResourceManagementAttribute>
        <ResourceManagementAttribute>
          <AttributeName>msidmOutboundScopingFilters</AttributeName>
          <HasReference>false</HasReference>
          <IsMultiValue>false</IsMultiValue>
          <Value>&lt;scoping&gt;&lt;scope&gt;&lt;csAttribute&gt;company&lt;/csAttribute&gt;&lt;csOperator&gt;EQUAL&lt;/csOperator&gt;&lt;csValue&gt;LDAP&lt;/csValue&gt;&lt;/scope&gt;&lt;/scoping&gt;</Value>
        </ResourceManagementAttribute>
      </ResourceManagementAttributes>
      <LocalizedResourceManagementAttributes />
    </ResourceManagementObject>
  </ExportObject>
</Results>


  • Edited by Shim Kwan Monday, May 18, 2015 11:22 PM
May 18th, 2015 11:21pm

Hi,

We have now created a traditional sync rule with the same attribute export flows as above, that uses MPR, Workflow, Set transition...and FIM now displays 2 sync-rule-validation-parsing-error messages.

Any ideas?


  • Edited by Shim Kwan Tuesday, May 19, 2015 4:08 AM
May 19th, 2015 4:08am

one more thing - should I see the Scoped Outbound Sync Rule in the MV? As I see nothing. And yet it is provisioning new users.


  • Edited by Shim Kwan Monday, June 08, 2015 2:03 AM
June 8th, 2015 2:02am

Just to repeat, the Sync Rule has provisioned users in the target system before. Here are the screen shots of the Sync Rule:

June 8th, 2015 9:57pm

June 8th, 2015 9:57pm

I have refreshed the FIM MA, and the schema, even recreated the FIM MA...here is the actual error msg on the Sync server:

June 8th, 2015 9:58pm

one more thing - should I see the Scoped Outbound Sync Rule in the MV? As I see nothing. And yet it is provisioning new users.


June 8th, 2015 10:01pm

Kwan - no you won't see anything in the MV (or in the FIM Portal on the user) for a scoped sync rule (which I agree makes troubleshooting like this very difficult).  Looking at your rule I would suggest your problem might be with the DN construction.

<export-flow allows-null="false"><src><attr>uid</attr><attr>ldapOu</attr></src><dest>entrydn</dest><scoping></scoping><fn id="+" isCustomExpression="false"><arg>"uid="</arg><arg>uid</arg><arg>",ou="</arg><arg>ldapOu</arg><arg>",o=company.org"</arg></fn></export-flow>

I would be doing the following:

  1. add scope filter "uid NOTEQUAL " (leave the value as an empty string)
  2. add scope filter "ldapOu NOTEQUAL "
  3. construct the DN using the "EscapeDNComponent" function (you may have invalid chars in either of your contributing source attributes).

Try this variation on the source attributes (3 items concatenated):

EscapeDNComponent("uid="+uid) + EscapeDNComponent("ou="+ldapOu) + ",o=company.org"


June 8th, 2015 10:40pm
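
The DN concern raised in the reply above, as an added example that is not part of the original thread and is not FIM code: it evaluates the quoted `entrydn` export flow against constructed sample values, with and without escaping, and rejects empty source attributes as the two suggested scope filters would. `escape_rdn_value`, `build_dn` and `rdn_count` are hypothetical helpers; the escaping follows RFC 4514 and is only a stand-in for what `EscapeDNComponent` is suggested for.

```python
import re
import xml.etree.ElementTree as ET

# The entrydn export flow as quoted in the thread.
FLOW = ('<export-flow allows-null="false"><src><attr>uid</attr><attr>ldapOu</attr></src>'
        '<dest>entrydn</dest><scoping></scoping><fn id="+" isCustomExpression="false">'
        '<arg>"uid="</arg><arg>uid</arg><arg>",ou="</arg><arg>ldapOu</arg>'
        '<arg>",o=company.org"</arg></fn></export-flow>')

# Constructed sample values that contain DN special characters.
SAMPLE = {'uid': 'doe, jane', 'ldapOu': 'R+D'}

def escape_rdn_value(value):
    """RFC 4514 escaping of one attribute value (assumption: not FIM's own routine)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (i == 0 and ch in ' #') or (i == last and ch == ' ')
        out.append('\\00' if ch == '\x00' else '\\' + ch if special else ch)
    return ''.join(out)

def build_dn(flow_xml, attrs, escape=None):
    """Evaluate the flow's "+" function: quoted args are literals, bare args are attributes."""
    fn = ET.fromstring(flow_xml).find('fn')
    if fn is None or fn.get('id') != '+':
        raise ValueError('only the "+" concatenation function is handled')
    parts = []
    for arg in fn.findall('arg'):
        text = arg.text or ''
        if len(text) >= 2 and text[0] == text[-1] == '"':
            parts.append(text[1:-1])          # string literal, quotes stripped
            continue
        value = attrs.get(text, '')
        if not value:                         # what the NOTEQUAL "" scope filters guard against
            raise ValueError('empty source attribute: ' + text)
        parts.append(escape(value) if escape else value)
    return ''.join(parts)

def rdn_count(dn):
    """Number of RDNs: drop backslash escape pairs, then count the remaining commas."""
    return re.sub(r'\\.', '', dn).count(',') + 1

if __name__ == '__main__':
    for esc in (None, escape_rdn_value):
        dn = build_dn(FLOW, SAMPLE, esc)
        print(dn, '->', rdn_count(dn), 'RDNs')
```
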

thank you for your suggestions Bob, but unfortunately the same error persists.

the company is also investigating another IDM vendor, and if that works quicker to set up this simple provisioning demo, they will pick the alternate vendor over FIM.

thanks again,

sk

June 9th, 2015 12:09am

Just spotted something else - change your EAF to set unicodePwd instead of userPassword.  See https://msdn.microsoft.com/en-us/library/windows/desktop/ms696059%28v=vs.100%29.aspx?f=255&MSPPError=-2147217396
June 9th, 2015 12:21am

we're trying to export to an Oracle based LDAP system, which uses the "userPassword" attribute.

thanks Bob

June 9th, 2015 12:31am

Also, out of curiosity, if we delete all the 3 EAF in the Sync Rule, FIM still complains with the same error message. FIM has a problem even if the Sync Rule isn't doing anything. Losing confidence in the product...

June 9th, 2015 12:41am

Have you tried deleting and re-creating the sync rule?  I haven't heard of too many people using FIM declarative rules to provision to Oracle LDAP - what MA are you using?  PowerShell?

June 9th, 2015 1:04am

This topic is archived. No further replies will be accepted.
