lithnet / googleapps-managementagent

Google Workspace Management Agent for MIM 2016
MIT License

Transient object #66

Closed briuccio closed 3 years ago

briuccio commented 3 years ago

Hello, I set up a provisioning flow where, for each group from Google, MIM will provision a contact in Active Directory. I found out that many objects from the Lithnet agent are marked as "transient", but they are also projected into the metaverse and, because of the provisioning logic, they are also created as contacts in Active Directory. I'm sure that objects marked as transient are no longer available on Google, so the question is: why are they not removed from the connector space after a full import of the agent?

Thanks for your help.

Regards.

ryannewington commented 3 years ago

Hi @briuccio

Sorry for the delay in responding. In the Global Parameters section of the MA, have you assigned a Contact DN prefix? If not, try setting this to contact:

This can happen if contacts have the same email address as objects in the directory. Setting a prefix helps ensure they always have a unique DN.

briuccio commented 3 years ago

Hi @ryannewington ,

Thank you for your answer. This is the setting that I have right now:

[image]

After some research I found out that someone in my organization deletes and recreates a group when it is needed to remove all members from that group. MIM sees a different anchor (Google ID) but the same DN (mail) and sets that group as transient in the connector space. For some reason it seems that the object deleted from Google is kept in the Lithnet connector space.

Do I still need to set a prefix for the contact DN?

Thank you

ryannewington commented 3 years ago

That makes sense. FIM will report an object as transient on a DN/anchor change like you reported.

A full import should remove any object from the connector space that no longer exists in the feed from Google.

However, be aware that FIM may not remove obsolete objects from the connector space if there were errors or warnings on import. You'll need to ensure that you perform a full import that completes with a successful (no warnings or errors) result. Once this happens, FIM releases any deleted objects from the connector space.

briuccio commented 3 years ago

You are perfectly right. We can't get a completed full import without errors because there are some groups on Google that begin with "#". [image]

Is there any way, in your experience, to filter those groups in the import phase? Even if we have a rule extension on the connector filter?

Thanks

ryannewington commented 3 years ago

Is that a bug with the connector that we need to fix? Can you share the section of the import log that contains one of these errors?

briuccio commented 3 years ago

I can't find anything in the ma-operations.log. I'm pasting here the error that I got in the GUI:

at Google.Apis.Services.BaseClientService.d37.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable1.ConfiguredTaskAwaiter.GetResult()
at Google.Apis.Requests.ClientServiceRequest1.d31.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Google.Apis.Requests.ClientServiceRequest1.<ExecuteAsync>d__27.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Google.Apis.Requests.ClientServiceRequest1.d__26.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
at Lithnet.GoogleApps.ApiExtensions.ExecuteWithRetry[T](ClientServiceRequest1 request, Func2 shouldRetry, Int32 retryAttempts, Int32 consumeTokens)
at Lithnet.GoogleApps.ApiExtensions.ExecuteWithRetry[T](ClientServiceRequest1 request, RetryEvents policy, Int32 retryAttempts, Int32 consumeTokens)
at Lithnet.GoogleApps.ApiExtensions.ExecuteWithRetry[T](ClientServiceRequest`1 request, RetryEvents policy)

ryannewington commented 3 years ago

Thanks, that is the error information I'm looking for, but it seems to be truncated. Can you see if there is a complete version of this stack trace in the Windows event log?

briuccio commented 3 years ago

I found this

ECMA2 MA import run caused an error.

Error Name: <!DOCTYPE html>

Error 404 (Not Found)!!1

404. That’s an error.

The requested URL /groups/v1/groups/ was not found on this server. That’s all we know.

Error Detail:
at Google.Apis.Services.BaseClientService.d__37.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Google.Apis.Requests.ClientServiceRequest`1.d__31.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Google.Apis.Requests.ClientServiceRequest`1.d__27.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Google.Apis.Requests.ClientServiceRequest`1.d__26.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Lithnet.GoogleApps.ApiExtensions.ExecuteWithRetry[T](ClientServiceRequest`1 request, Func`2 shouldRetry, Int32 retryAttempts, Int32 consumeTokens)
at Lithnet.GoogleApps.ApiExtensions.ExecuteWithRetry[T](ClientServiceRequest`1 request, RetryEvents policy, Int32 retryAttempts, Int32 consumeTokens)
at Lithnet.GoogleApps.ApiExtensions.ExecuteWithRetry[T](ClientServiceRequest`1 request, RetryEvents policy)
at Lithnet.GoogleApps.GroupSettingsRequestFactory.Get(String mail)
at Lithnet.GoogleApps.GroupRequestFactory.<>c__DisplayClass14_0.b__0(GoogleGroup group)

ryannewington commented 3 years ago

@briuccio I'm struggling to reproduce this one.

I can create a group in Google that has a name starting with #, and I don't run into any issues.

However, it won't let me create one with an email address starting with #.

Are you able to give me some guidance on how to reproduce this situation?

briuccio commented 3 years ago

Hello Ryan, sorry for the late reply. I resolved the issue by filtering objects with a mail that contains # and by running a full import without errors. The transient objects were released.

The issue occurs when a group with an email address starting with # is read by Lithnet during an import, and the error that I wrote before occurs. The fun fact is that those groups were created with Lithnet as well :)
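Added example, not part of the thread or of the project's code: the 404 in the event log reports the requested URL as /groups/v1/groups/ with no group key after it, which is what URL parsing produces when an address containing an unescaped # is appended to a path, since # starts the fragment and the fragment is never sent to the server. The thread does not confirm this as the cause; the host below is a placeholder and the addresses are constructed. The check flags group addresses that would be truncated this way, so they can be filtered or fixed before a full import that must finish with no errors.

```python
from urllib.parse import quote, urlsplit

# Placeholder host (assumption); only the path prefix comes from the 404 message.
BASE_PATH = "/groups/v1/groups/"
BASE_URL = "https://api.example.invalid" + BASE_PATH

# Constructed sample addresses, not taken from the thread.
SAMPLE_GROUPS = [
    "sales@example.com",
    "#staff@example.com",
    "mid#dle@example.com",
]


def request_path(group_mail, encode):
    """Return the path component a server would receive for this group key."""
    # quote() turns '#' into %23; '@' is left readable since it is legal in a path.
    key = quote(group_mail, safe="@") if encode else group_mail
    # urlsplit() separates the fragment; only the path reaches the server.
    return urlsplit(BASE_URL + key).path


def truncated_group_keys(mails):
    """List addresses whose unescaped form does not survive as a URL path segment."""
    return [m for m in mails if request_path(m, encode=False) != BASE_PATH + m]


if __name__ == "__main__":
    for mail in SAMPLE_GROUPS:
        print(f"{mail!r:28} raw={request_path(mail, False)!r} "
              f"encoded={request_path(mail, True)!r}")
    print("would break a raw request:", truncated_group_keys(SAMPLE_GROUPS))
```
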

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.