8.1 Post Upgrade Active Directory Warning

IdentityIQ (IIQ) IIQ Discussion and Questions
,
1

Which IIQ version are you inquiring about?

Version 8.1

Please share any other relevant files that may be required (for example, logs).

ad_lincoln.xml (75 KB)

Share all details related to your problem, including any error messages you may have received.

Hi all, after an upgrade to 8.1 we started seeing warnings during AD aggregations. From our internal testing, nothing seems amiss, so is this noise from SailPoint or something we should be concerned about? Attached is our sanitized AD application XML.

sailpoint.connector.LDAPConnector:4543 - 276551473 Problem resolving [eduPersonAffiliation]Attribute eduPersonAffiliation has no value
java.util.NoSuchElementException: Attribute eduPersonAffiliation has no value
at javax.naming.directory.BasicAttribute.get(BasicAttribute.java:300) ~[?:1.8.0_392]
at sailpoint.connector.LDAPConnector.resolveAttributeValue(LDAPConnector.java:4539) [connector-bundle-directories.jar:8.1p6]
at sailpoint.connector.LDAPConnector.buildAttributes(LDAPConnector.java:4364) [connector-bundle-directories.jar:8.1p6]
at sailpoint.connector.LDAPConnector.buildAttributes(LDAPConnector.java:4263) [connector-bundle-directories.jar:8.1p6]
at sailpoint.connector.ADLDAPConnector.buildAttributes(ADLDAPConnector.java:503) [connector-bundle-directories.jar:8.1p6]
at sailpoint.connector.LDAPConnector.buildObject(LDAPConnector.java:3319) [connector-bundle-directories.jar:8.1p6]
at sailpoint.connector.ADLDAPConnector.buildObjectSingleForest(ADLDAPConnector.java:1661) [connector-bundle-directories.jar:8.1p6]
at sailpoint.connector.ADLDAPConnector.buildObjectMultiForest(ADLDAPConnector.java:2250) [connector-bundle-directories.jar:8.1p6]
at sailpoint.connector.ADLDAPConnector.buildObject(ADLDAPConnector.java:4200) [connector-bundle-directories.jar:8.1p6]
at sailpoint.connector.ADLDAPConnector$DirSyncIterator.nextWithDnNativeId(ADLDAPConnector.java:9728) [connector-bundle-directories.jar:8.1p6]
at sailpoint.connector.ADLDAPConnector$DirSyncIterator.next(ADLDAPConnector.java:9403) [connector-bundle-directories.jar:8.1p6]
at sailpoint.connector.ConnectorProxy$CustomizingIterator.peek(ConnectorProxy.java:1329) [connector-bundle-identityiq.jar:8.1p6]
at sailpoint.connector.ConnectorProxy$CustomizingIterator.hasNext(ConnectorProxy.java:1355) [connector-bundle-identityiq.jar:8.1p6]

I did see a related post (Warning During Active Directory Aggregation) but that was due to maxValsRange and this seems to be different.

Thanks for any help!

2

Is this Attribute getting aggregated for the users who is having values in AD? or none of the users attribute is aggregating?
Also what kind of attribute is this, Single valued or multi valued at AD end?

I could see this as part of your account aggregation schema, no where used in provisioning as well, If that’s the case, if the attribute is multi-valued at AD end, make it multi at SailPoint configuration as well try

      <AttributeDefinition name="eduPersonAffiliation" type="string" multi="true">
        <Description>List of entity's affiliations</Description>
      </AttributeDefinition>
3

I was able to enable trace logging for sailpoint.connector.LDAPConnector and found a little more details. I still can’t pinpoint why for some attributes that are obviously empty the connector does not throw a warning but for others it does. The warnings are thrown for the same few attributes though, so hopefully that will help narrow it down.

Here is an example:

sailpoint.connector.LDAPConnector:97 - Entering lambda$buildAttributes$147: Arguments => unlPrimaryAffiliation, sailpoint.object.AttributeDefinition@11e792c1
sailpoint.connector.LDAPConnector:108 - Exiting lambda$buildAttributes$147: Arguments => unlPrimaryAffiliation, sailpoint.object.AttributeDefinition@11e792c1, Returns => 494920710 Building attribute [unlPrimaryAffiliation] multi 'false'
sailpoint.connector.LDAPConnector:97 - Entering lambda$buildAttributes$147: Arguments => unlPrimaryAffiliation, sailpoint.object.AttributeDefinition@11e792c1
sailpoint.connector.LDAPConnector:108 - Exiting lambda$buildAttributes$147: Arguments => unlPrimaryAffiliation, sailpoint.object.AttributeDefinition@11e792c1, Returns => 494920710 Building attribute [unlPrimaryAffiliation] multi 'false'
sailpoint.connector.LDAPConnector:4375 - 494920710 Building attribute [unlPrimaryAffiliation] multi 'false'
sailpoint.connector.LDAPConnector:97 - Entering resolveAttributeValue: Arguments => unlPrimaryAffiliation: No values
sailpoint.connector.LDAPConnector:97 - Entering lambda$resolveAttributeValue$167: Arguments => unlPrimaryAffiliation: No values, java.util.NoSuchElementException: Attribute unlPrimaryAffiliation has no value
sailpoint.connector.LDAPConnector:108 - Exiting lambda$resolveAttributeValue$167: Arguments => unlPrimaryAffiliation: No values, java.util.NoSuchElementException: Attribute unlPrimaryAffiliation has no value, Returns => 494920710 Problem resolving [unlPrimaryAffiliation]Attribute unlPrimaryAffiliation has no value
sailpoint.connector.LDAPConnector:97 - Entering lambda$resolveAttributeValue$167: Arguments => unlPrimaryAffiliation: No values, java.util.NoSuchElementException: Attribute unlPrimaryAffiliation has no value
sailpoint.connector.LDAPConnector:108 - Exiting lambda$resolveAttributeValue$167: Arguments => unlPrimaryAffiliation: No values, java.util.NoSuchElementException: Attribute unlPrimaryAffiliation has no value, Returns => 494920710 Problem resolving [unlPrimaryAffiliation]Attribute unlPrimaryAffiliation has no value
sailpoint.connector.LDAPConnector:4611 - 494920710 Problem resolving [unlPrimaryAffiliation]Attribute unlPrimaryAffiliation has no value java.util.NoSuchElementException: Attribute unlPrimaryAffiliation has no value at javax.naming.directory.BasicAttribute.get(BasicAttribute.java:300) ~[?:1.8.0_402] at sailpoint.connector.LDAPConnector.resolveAttributeValue(LDAPConnector.java:4607) [connector-bundle-directories.jar:8.2p5] at sailpoint.connector.LDAPConnector.buildAttributes(LDAPConnector.java:4432) [connector-bundle-directories.jar:8.2p5] at sailpoint.connector.LDAPConnector.buildAttributes(LDAPConnector.java:4331) [connector-bundle-directories.jar:8.2p5] at sailpoint.connector.ADLDAPConnector.buildAttributes(ADLDAPConnector.java:516) [connector-bundle-directories.jar:8.2p5] at sailpoint.connector.LDAPConnector.buildObject(LDAPConnector.java:3373) [connector-bundle-directories.jar:8.2p5] at sailpoint.connector.ADLDAPConnector.buildObjectSingleForest(ADLDAPConnector.java:1674) [connector-bundle-directories.jar:8.2p5] at sailpoint.connector.ADLDAPConnector.buildObjectMultiForest(ADLDAPConnector.java:2270) [connector-bundle-directories.jar:8.2p5] at sailpoint.connector.ADLDAPConnector.buildObject(ADLDAPConnector.java:4229) [connector-bundle-directories.jar:8.2p5] at sailpoint.connector.ADLDAPConnector$DirSyncIterator.nextWithDnNativeId(ADLDAPConnector.java:9882) [connector-bundle-directories.jar:8.2p5] at sailpoint.connector.ADLDAPConnector$DirSyncIterator.next(ADLDAPConnector.java:9557) [connector-bundle-directories.jar:8.2p5] at sailpoint.connector.ConnectorProxy$CustomizingIterator.peek(ConnectorProxy.java:1332) [connector-bundle-identityiq.jar:8.2p5] at sailpoint.connector.ConnectorProxy$CustomizingIterator.hasNext(ConnectorProxy.java:1358) [connector-bundle-identityiq.jar:8.2p5] at sailpoint.api.Aggregator.aggregateAccounts(Aggregator.java:3156) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919] at sailpoint.api.Aggregator.primaryAccountAggregation(Aggregator.java:2827) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919] at sailpoint.api.Aggregator.aggregateApplication(Aggregator.java:2675) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919] at sailpoint.api.Aggregator.phaseAggregate(Aggregator.java:2576) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919] at sailpoint.api.Aggregator.execute(Aggregator.java:2139) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919] at sailpoint.task.ResourceIdentityScan.doUnpartitioned(ResourceIdentityScan.java:245) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919] at sailpoint.task.ResourceIdentityScan.execute(ResourceIdentityScan.java:225) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919] at sailpoint.api.TaskManager.runSync(TaskManager.java:981) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919] at sailpoint.api.TaskManager.runSync(TaskManager.java:764) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919] at sailpoint.scheduler.JobAdapter.execute(JobAdapter.java:128) [identityiq.jar:8.2p5 Build dedd9529823-20230427-083919] at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?] at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.2.jar:?]
sailpoint.connector.LDAPConnector:115 - Throwing resolveAttributeValue - java.util.NoSuchElementException: Attribute unlPrimaryAffiliation has no value

From our logs, here are all the attributes having this issue:

userWorkstations
unlPrimaryAffiliation
description
unlpronouns
eduPersonAffiliation
eduPersonScopedAffiliation
eduPersonPrimaryAffiliation
telephoneNumber
unlmail
4

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.