jsosa
(Julian Sosa)
June 18, 2024, 5:35pm
1
Hi! I am dealing with an after modify AD rule. When I try to execute this simple line, the rule (and operation) fails:
```
"test" | Out-File "c:\SailPoint\SampleSourceBeforeCreateScript.log" -Append
```
But when I try this:
```
dir > c:\dir.txt
```
the dir.txt file is created correctly.
What I see in the VA's log is:
```
{"exception":{"stacktrace":"sailpoint.tools.GeneralException: Error(s) reported back from the IQService - After script returned non zero exit code : 255 : \n\tat sailpoint.connector.ADLDAPConnector.processResponse(ADLDAPConnector.java:6174)\n\tat sailpoint.connector.ADLDAPConnector.handleObjectRequest(ADLDAPConnector.java:6736)\n\tat sailpoint.connector.ADLDAPConnector.provision(ADL.....
```
I also found this entry:
IQService Returned Non Zero Exit Code 255 - Compass.
I leveraged iqs log server, but it logs no error.
Executing directly where iqs is installed, works correctly. Service user is domain administrator.
ethompson
(Edward Thompson)
June 20, 2024, 12:00am
2
Check the permissions of the account that is running the script, so that it can write to that log file location.
jsosa
(Julian Sosa)
June 20, 2024, 4:16pm
3
Thanks @ethompson for the response!
I found an entry in Compass that helped me; I was lacking the attributes part:
IQService Returned Non Zero Exit Code 255 - Compass.
```
{
  "description": "Rule powershell after operation",
  "type": "ConnectorAfterModify",
  "signature": {
    "input": [
      {
        "name": "Application",
        "description": "Map of the application configuration.",
        "type": "System.Collections.Hashtable"
      },
      {
        "name": "Request",
        "description": "Reference to the account request provisioning instructions.",
        "type": "SailPoint.Utils.objects.AccountRequest"
      },
      {
        "name": "Result",
        "description": "Reference to the provisioning result that can be manipulated if necessary.",
        "type": "SailPoint.Utils.objects.ServiceResult"
      }
    ],
    "output": null
  },
  "sourceCode": {
    "version": "1.0",
    "script": "\"SomeTeste\" | Out-File \"c:\\SailPoint\\SampleSourceBeforeCreateScript.log\" -Append"
  },
  "attributes": {
    "ObjectOrientedScript": "true",
    "extension": ".ps1",
    "sourceVersion": "2021-02-22 18:18:20",
    "disabled": "false",
    "program": "powershell.exe",
    "timeout": "300"
  },
  "id": "6f9f59967fc740c7a32a9c21a8c41da0",
  "name": "ADAfterModify",
  "created": "2024-06-18T14:27:27.866Z",
  "modified": "2024-06-18T14:27:27.866Z"
}
```
I opened a bug because the official documentation is completely inadequate in this area and suggests we send a full XML data structure as the script.
opened 07:27PM - 18 Jul 24 UTC
This page [https://developer.identitysoon.com/idn/docs/rules/connector-rules/before-and-after-rule-operations](https://developer.identitysoon.com/idn/docs/rules/connector-rules/before-and-after-rule-operations) suggests that the rule setup and payload for connector rules follow an XML structure like so...
```
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="SampleSource BeforeCreate" type="ConnectorBeforeCreate">
  <Attributes>
    <Map>
      <entry key="ObjectOrientedScript" value="true" />
      <entry key="disabled" value="false" />
      <entry key="extension" value=".ps1" />
      <entry key="program" value="powershell.exe" />
      <entry key="timeout" value="300" />
    </Map>
  </Attributes>
  <Description>
    This is an IQService afterScript - On a successful provisioning event, this after script should be used as the starting point to
    initiate a separate PowerShell script residing on the client's IQService server.
    Configuration tasks include the following:
    - Set a proper location for the $logFile variable.
    - Set the proper script location and name for the $command variable.
    - Set the $enableDebug flag to $true or $false to toggle debug mode.
  </Description>
  <Source>
<![CDATA[
$logDate = Get-Date -UFormat "%Y%m%d"
$logFile = "c:\SailPoint\Scripts\Logs\ConnectorAfterCreate_$logDate.log"
$command = "c:\SailPoint\Scripts\SampleSource-AfterCreate.
```
However, the actual payload to the API is not even close. The XML stuff is converted to attributes, the script is in its own block. This is so not clear and luckily I discovered it on the developer forum here: https://developer.sailpoint.com/discuss/t/error-executing-after-modify-ad-rule-after-script-returned-non-zero-exit-code-255/67381
```
{
  "description": "Rule powershell after operation",
  "type": "ConnectorAfterModify",
  "signature": {
    "input": [
      {
        "name": "Application",
        "description": "Map of the application configuration.",
        "type": "System.Collections.Hashtable"
      },
      {
        "name": "Request",
        "description": "Reference to the account request provisioning instructions.",
        "type": "SailPoint.Utils.objects.AccountRequest"
      },
      {
        "name": "Result",
        "description": "Reference to the provisioning result that can be manipulated if necessary.",
        "type": "SailPoint.Utils.objects.ServiceResult"
      }
    ],
    "output": null
  },
  "sourceCode": {
    "version": "1.0",
    "script": "\"SomeTeste\" | Out-File \"c:\\SailPoint\\SampleSourceBeforeCreateScript.log\" -Append"
  },
  "attributes": {
    "ObjectOrientedScript": "true",
    "extension": ".ps1",
    "sourceVersion": "2021-02-22 18:18:20",
    "disabled": "false",
    "program": "powershell.exe",
    "timeout": "300"
  },
  "id": "6f9f59967fc740c7a32a9c21a8c41da0",
  "name": "ADAfterModify",
  "created": "2024-06-18T14:27:27.866Z",
  "modified": "2024-06-18T14:27:27.866Z"
}
```
Please update this documentation, the XML stuff appears to be a big holdover from the IdentityIQ product and just set 4 hours of time on fire trying to wade through error messages, debug logs, and forums trying to figure out what was wrong when I was following the documentation.
Thank you for posting this, I spent the whole morning following the documentation…
1 Like
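The mapping described in the issue above (the XML `<Attributes>` entries become the JSON `attributes` object, and the `<Source>` body becomes `sourceCode.script`), as an added Python example that is not part of the original posts or of SailPoint's code. The function names, `EXPECTED_ATTRIBUTES` and the sample XML are constructed for illustration; treating those four keys as expected is an assumption drawn from the working payload posted in the thread.

```python
import json
import xml.etree.ElementTree as ET

# Assumption: keys taken from the working payload in this thread, whose absence
# the original poster associated with the exit code 255 failure.
EXPECTED_ATTRIBUTES = ("ObjectOrientedScript", "extension", "program", "timeout")

# Constructed sample in the XML layout the documentation shows (not a real rule).
SAMPLE_XML = r"""<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="ADAfterModify" type="ConnectorAfterModify">
  <Attributes><Map>
    <entry key="ObjectOrientedScript" value="true" />
    <entry key="disabled" value="false" />
    <entry key="extension" value=".ps1" />
    <entry key="program" value="powershell.exe" />
    <entry key="timeout" value="300" />
  </Map></Attributes>
  <Description>Rule powershell after operation</Description>
  <Source><![CDATA[
"SomeTeste" | Out-File "c:\SailPoint\SampleSourceBeforeCreateScript.log" -Append
]]></Source>
</Rule>"""

def xml_rule_to_payload(xml_text, signature=None):
    """Map an XML <Rule> onto the JSON fields used by the payload in this thread."""
    rule = ET.fromstring(xml_text)
    attributes = {entry.get("key"): entry.get("value")
                  for entry in rule.findall("./Attributes/Map/entry")}
    payload = {
        "name": rule.get("name"),
        "type": rule.get("type"),
        "description": (rule.findtext("Description") or "").strip(),
        "sourceCode": {"version": "1.0",
                       "script": (rule.findtext("Source") or "").strip()},
        "attributes": attributes,
    }
    if signature is not None:  # not derivable from the XML; the caller supplies it
        payload["signature"] = signature
    return payload

def missing_attributes(payload):
    """Return expected attribute keys absent from a rule payload (empty if none)."""
    present = payload.get("attributes") or {}
    return [key for key in EXPECTED_ATTRIBUTES if key not in present]

if __name__ == "__main__":
    print(json.dumps(xml_rule_to_payload(SAMPLE_XML), indent=2))
```

Running `missing_attributes` on a payload before submitting it catches a rule that carries only the script and no `attributes` block, which is the condition the original poster described.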