
uIS_SetValue Setting Error Instead of Correct Value

Jan 09 at 03:41 PM


Experts,

I have a weird issue I'm hoping you can help me with. I'm trying to find out why a value that I'm trying to set with uIS_SetValue is showing an error in the attribute value instead of what I'm feeding into the function. Here's the script in question, see line 26 (I have marked it):

// Main function: z_setDN


function z_setDN(Par){ 
	var split = Par.split("||");
	var adLogin = split[0];
	var startPoint = split[1];
	var mskey = split[2];
	var prefix = Left(adLogin,3);
	var IDStoreID = uGetIDStore();
	var country = "";
	var city = "";
	var entity = "";
	var finalResult = "";
	var sql = "";
	var uISResult = "";
	
	if(prefix == "ADM" || prefix == "ADS" || prefix == "CYB" || prefix == "EXU") {
		uISResult = uIS_SetValue(mskey, IDStoreID, "Z_MX_AD_" + prefix + "_LOGIN_ID", adLogin);
		if(prefix == "EXU") {
			finalResult = "cn=" + adLogin + "," + startPoint;
		} else {
			finalResult = "cn=" + adLogin + ",ou=Users," + startPoint;
		}
		uWarning("finalResult (pre-set of Account_DN_AD>: " + finalResult);
		uISResult = uIS_SetValue(mskey, IDStoreID, "Z_MX_ACCOUNT_DN_AD_" + prefix, finalResult); // <-- line 26 (marked)
		uWarning("uISResult: " + uISResult);
	} else {
		uISResult = uIS_SetValue(mskey, IDStoreID, "Z_MX_AD_INTERNAL1_LOGIN_ID", adLogin);
		sql = "select SEARCHVALUE from IDMV_VALUE_BASIC \
				where ATTRNAME = 'Z_MX_AD_TRIGRAM' and MSKEY in ( \
				select MCSEARCHVALUE as MSKEY from IDMV_VALLINK_BASIC \
				where MSKEY = " + mskey + " and MCATTRNAME = 'MXREF_Z_MX_OFFICE_LOCATION_MAPPING')";
		city = uSelect(sql);
		sql = "select SEARCHVALUE from IDMV_VALUE_BASIC \
				where ATTRNAME = 'Z_MX_COUNTRY' and MSKEY in ( \
				select MCSEARCHVALUE as MSKEY from IDMV_VALLINK_BASIC \
				where MSKEY = " + mskey + " and MCATTRNAME = 'MXREF_Z_MX_OFFICE_LOCATION_MAPPING')";
		country = uSelect(sql);
		sql = "select SEARCHVALUE from IDMV_VALUE_BASIC \
				where ATTRNAME = 'Z_MX_LEGAL_ENTITY_AD' and MSKEY in ( \
				select MCSEARCHVALUE as MSKEY from IDMV_VALLINK_BASIC \
				where MSKEY = " + mskey + " and MCATTRNAME = 'MXREF_Z_MX_LEGAL_ENTITY_MAPPING')";
		entity = uSelect(sql);
		finalResult = "cn=" + adLogin + ",ou=USERS,ou=" + entity + ",ou=" + city + ",ou=" + country + "," + startPoint;
		uISResult = uIS_SetValue(mskey, IDStoreID, "Z_MX_ACCOUNT_DN_AD_INTERNAL1", finalResult);
	}


	uWarning("finalResult: " + finalResult);
	// uSetContextVar("Z_NEW_ACCTDN", finalResult);
	// uSetContextVar("Z_NEW_LOGIN_ID", adLogin);	
	// uSetContextVar("Z_USR_MSKEY", mskey);
	return finalResult;
}

Also, here's the screenshot with the values of the uWarning messages from lines 25 and 27:

As you can see, the value of "finalResult" is a valid AD DN and the uIS_SetValue result is a "+", meaning that it executed properly. However, here's the value of the attribute when I query the database:

Why is there an error in there? Everything is configured properly. This makes no sense. Has anyone seen this before?

capture.png (165.1 kB)
capture2.png (193.9 kB)

5 Answers

Best Answer
Brandon Bollin Jan 16 at 10:01 AM

OK so... We figured out what this issue was. When my custom provisioning task creates the new DN and sets the DN attribute, it actually is doing this correctly in all the scripts I pasted above. After that happens, the framework calls an external job and that job fetches the ObjectSID from the newly created LDAP account and stores that SID in a custom attribute on the MX_PERSON record. However, before that external job had a chance to finish, back up in my connector, the initial password is being generated. I'm using a script in there that needs the SID but the external job was not done yet. Further, that script is set up to update the DN attribute if it ever doesn't match what's in LDAP, based on an LDAP query using the SID.

So you can see the vicious loop here. The framework creates the account and sets the DN. The external job is called to fetch the SID. That job is not done by the time the random password generation / provisioning to AD occurs. Password tasks need the SID on the MX_PERSON record to function properly and to properly set the DN attribute on the MX_PERSON record; since those needs were not met, the DN attribute is now being set to that error message.

Once all this was discovered, I retooled the process to avoid this issue and everything works fine now. Thanks for the suggestions, fellow experts!
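
The race described in this answer (the password-time script rewriting the DN before the SID job has finished) can be contained with a guard like the one below. This is an added example, not code from the original post or from SAP IDM: `isUsable`, `reconcileDn` and the injected `lookupDnBySid` are hypothetical names, the sample DNs and SID are constructed, and the `!ERROR` prefix check follows the marker quoted in this thread.

```javascript
// Added example: hypothetical helpers, no SAP IDM runtime calls.
var ERROR_PREFIX = "!ERROR"; // error marker as quoted in this thread

// A value is usable only if it is a non-empty string without the error marker.
function isUsable(value) {
  return typeof value === "string" && value.trim() !== "" &&
         value.indexOf(ERROR_PREFIX) !== 0;
}

// Decide what the password-time script may do with the stored DN.
// storedDn: DN on the MX_PERSON record; sid: value written by the external job
// (may still be missing); lookupDnBySid: stand-in for the LDAP query by SID.
function reconcileDn(storedDn, sid, lookupDnBySid) {
  if (!isUsable(sid)) {
    // External job has not finished: never touch the DN, retry later.
    return { action: "retry", dn: storedDn, reason: "SID not available yet" };
  }
  var ldapDn = lookupDnBySid(sid);
  if (!isUsable(ldapDn)) {
    // Failed lookup: do not persist the error text as a DN.
    return { action: "retry", dn: storedDn, reason: "LDAP lookup failed" };
  }
  // Simplification: DNs are compared case-insensitively as plain strings.
  if (isUsable(storedDn) && ldapDn.toLowerCase() === storedDn.toLowerCase()) {
    return { action: "keep", dn: storedDn, reason: "DN matches LDAP" };
  }
  return { action: "update", dn: ldapDn, reason: "DN differs from LDAP" };
}

// Constructed sample data (not from the thread).
function demo() {
  var dn = "cn=ADMJDOE,ou=Users,dc=example,dc=test";
  var sid = "S-1-5-21-1111111111-2222222222-3333333333-1105";
  var same = function () { return "CN=ADMJDOE,OU=Users,DC=example,DC=test"; };
  var moved = function () { return "cn=ADMJDOE,ou=Admins,dc=example,dc=test"; };
  var failed = function () { return "!ERROR: lookup failed"; };
  return [
    reconcileDn(dn, "", same),     // SID job still running
    reconcileDn(dn, sid, failed),  // LDAP query returned an error
    reconcileDn(dn, sid, same),    // nothing to do
    reconcileDn(dn, sid, moved)    // genuine change in LDAP
  ];
}

demo().forEach(function (r) { console.log(r.action + ": " + r.dn); });
```

Only the `update` outcome should lead to a write of the DN attribute; `retry` leaves the stored value untouched so the task can be re-run once the SID is present.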

Steffi Warnecke
Jan 09 at 04:14 PM

Hello Brandon,

just some brainstorming:

  • Is there any validation on that attribute?
  • Do you have an example sql query result where the DN attribute is filled with a correct value? Not Marty, maybe the Doc is somewhere to be found? ;)


Regards,

Steffi.

Matt Pollicove
Jan 11 at 02:27 PM

The only thing I can think of, Brandon, is that it's not liking something that is being passed. Try hard coding one value at a time until it works.

Matt


We tried that. If we try to hard code the exact same DN value, it works fine. We even tried commenting out the uIS_SetValues and, if you'll look at the bottom of my script, uncommenting the part where we pass the finalResult into a context variable. Then we added a To Identity Store pass and retrieved the value of the context variable so we could write the contents in a more IDM best-practice way and we're still getting the error.

The last time we tried anything we did a trace on the MX_PERSON record in question and we're getting an LDAP error. An LDAP error? When trying to write to the IdS? That makes no sense. I'll post the contents of the trace log in a new comment below.

Brandon Bollin Jan 12 at 09:22 AM

Never mind on the LDAP error comment. That error we were seeing was another part of the provisioning process, writing the password to LDAP, which is also failing, but I'll approach that issue once I solve this issue.

I used SQL to sort through the trace log and only return results related to the task and job within the task that's trying to write the DN to my custom attribute. As far as IDM is concerned, it's performing the task successfully. Attached is the result, in TAB delimited format, from the trace for that specific action. Could this be an issue on the database side?


Deva Prakash B Jan 11 at 08:39 AM

Hello Brandon,

!ERROR - this result will come if the mentioned attribute is not available. I tried the below code and it is working as expected.

Please check whether the attribute exists or not.

Regards,

Deva

// Main function: test  

function test(Par){ 
        //Example calling DSE internal function 
        //uStop("Terminated by user"); 
        var rep = "SAP_SYSTEM"; 
        var mskey = Par.get("MSKEY"); 

        var OutString = uIS_SetValue(mskey,1,"ACCOUNT"+rep,"userid"); 
        uWarning(OutString); 
        return ; 
}

Ahhh... So even though the attribute is present in the schema, if the user doesn't already have that attribute on their account, uIS_SetValue cannot do an "insert" of the attribute. It can only do a "modify". Is that a correct summary? When I read SAP's documentation more closely, it does say that uIS_SetValue "Updates the value of a given attribute for a given entry..." To me, update does not mean add. SAP's documentation also strongly recommends using a To Identity Store pass to update / add attributes to identities instead of this function due to unpredictable results.

OK. I will try to rewrite my process to work around this limitation and see what happens. I will update once I have a result. Thanks!
