IdentityIQ 8.3p3
Hello everyone and thank you for reading, I’m having some trouble trying to execute a Powershell on a custom rule via RPCService.
I’ve never seen this error, and I have used the RPCService utilities serveral times: The error is the following: (catalina.out log)
LAAAAAAA, lastDirsyncServer=sbmdebqcdd04v.ambientesbc.lab}}, ADAppVersion=V2, manageRecycleBin=false, compositeDefinition=null, cacheRmiPort=40001, ldapExtendedControls=[1.2.840.113556.1.4.1339], sysDescriptions={en_US=null}, nativeChangeDetectionEnabled=false, deletedObjectsContainer=CN=Deleted Objects,DOMAIN, afterProvisionRuleLocation=proxy, allowAutoPartitioning=true, templateApplication=Active Directory Template, IQServiceConfiguration=[{IQServiceHost=SBMDEBDIIQ01V.ambientesbc.lab, useTLSForIQService=false, IQServiceUser=null, IQServicePassword=null, IQServicePort=5050}], encrypted=domainSettings.password,forestSettings.password,exchangeSettings.password,IQServiceConfiguration.IQServicePassword, disableFspAggregation=false, enableCache=true, searchDNs=[{groupMembershipSearchDN=OU=Grupos,DC=ambientesbc,DC=lab, searchDN=OU=Administrativos,OU=Bancolombia,OU=Usuarios,DC=ambientesbc,DC=lab, groupMemberFilterString=(cn=*), searchScope=SUBTREE, primaryGroupSearchDN=null, iterateSearchFilter=(&(sAMAccountName=*)(objectClass=User)(objectCategory=person))}, {groupMembershipSearchDN=OU=Grupos,DC=ambientesbc,DC=lab, searchDN=OU=Sucursales,OU=Bancolombia,OU=Usuarios,DC=ambientesbc,DC=lab, groupMemberFilterString=(cn=*), searchScope=SUBTREE, primaryGroupSearchDN=null, iterateSearchFilter=(&(sAMAccountName=*)(objectClass=User)(objectCategory=person))}, {groupMembershipSearchDN=OU=Grupos,DC=ambientesbc,DC=lab, searchDN=OU=Proveedores,OU=Bancolombia,OU=Usuarios,DC=ambientesbc,DC=lab, groupMemberFilterString=(cn=*), searchScope=SUBTREE, primaryGroupSearchDN=null, iterateSearchFilter=(&(sAMAccountName=*)(objectClass=User)(objectCategory=person))}, {groupMembershipSearchDN=OU=Grupos,DC=ambientesbc,DC=lab, searchDN=OU=Sin Definir,OU=Bancolombia,OU=Usuarios,DC=ambientesbc,DC=lab, groupMemberFilterString=(cn=*), searchScope=SUBTREE, primaryGroupSearchDN=null, iterateSearchFilter=(&(sAMAccountName=*)(objectClass=User)(objectCategory=person))}, {groupMembershipSearchDN=OU=Grupos,DC=ambientesbc,DC=lab, searchDN=OU=Deshabilitados y Expirados,OU=Bancolombia,OU=Usuarios,DC=ambientesbc,DC=lab, groupMemberFilterString=(cn=*), searchScope=SUBTREE, primaryGroupSearchDN=null, iterateSearchFilter=(&(sAMAccountName=*)(objectClass=User)(objectCategory=person))}, {groupMembershipSearchDN=OU=Grupos,DC=ambientesbc,DC=lab, searchDN=OU=SOC,OU=Bancolombia,OU=Usuarios,DC=ambientesbc,DC=lab, groupMemberFilterString=(cn=*), searchScope=SUBTREE, primaryGroupSearchDN=null, iterateSearchFilter=(&(sAMAccountName=*)(objectClass=User)(objectCategory=person))}, {groupMembershipSearchDN=OU=Grupos,DC=ambientesbc,DC=lab, searchDN=OU=Administrativos,OU=Nequi,OU=Usuarios,DC=ambientesbc,DC=lab, groupMemberFilterString=(cn=*), searchScope=SUBTREE, primaryGroupSearchDN=null, iterateSearchFilter=(&(sAMAccountName=*)(objectClass=User)(objectCategory=person))}, {groupMembershipSearchDN=OU=Grupos,DC=ambientesbc,DC=lab, searchDN=OU=Proveedores,OU=Nequi,OU=Usuarios,DC=ambientesbc,DC=lab, groupMemberFilterString=(cn=*), searchScope=SUBTREE, primaryGroupSearchDN=null, iterateSearchFilter=(&(sAMAccountName=*)(objectClass=User)(objectCategory=person))}, {groupMembershipSearchDN=OU=Grupos,DC=ambientesbc,DC=lab, searchDN=OU=Administrativos,OU=Wenia,OU=Usuarios,DC=ambientesbc,DC=lab, groupMemberFilterString=(cn=*), searchScope=SUBTREE, primaryGroupSearchDN=null, iterateSearchFilter=(&(sAMAccountName=*)(objectClass=User)(objectCategory=person))}, {groupMembershipSearchDN=OU=Grupos,DC=ambientesbc,DC=lab, searchDN=OU=Proveedores,OU=Wenia,OU=Usuarios,DC=ambientesbc,DC=lab, groupMemberFilterString=(cn=*), searchScope=SUBTREE, primaryGroupSearchDN=null, iterateSearchFilter=(&(sAMAccountName=*)(objectClass=User)(objectCategory=person))}], beforeProvisioningRule=Rule-BeforeProvisioning-AD}}
2024-11-13T20:52:30.211Z
2024-11-13T15:52:25,826 WARN https-jsse-nio-8443-exec-50 sailpoint.connector.RPCService:560 - Failed to clone request: Cannot invoke "openconnector.ConnectorServices.deepCopy(Object)" because the return value of "sailpoint.connector.RPCService.getConnectorServices()" is null
The custom rule that’s using the RPCService to execute the powershell:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1731530542937" id="0a7cd38492bf1869819327434f590876" language="beanshell" modified="1731617237842" name="Test_Ejecucion_de_Script_Password_Gema">
<Source>
import sailpoint.object.RpcRequest;
import sailpoint.object.RpcResponse;
import sailpoint.connector.RPCService;
import sailpoint.object.Rule;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.object.Application;
import java.net.Socket;
import sailpoint.object.Custom;
//import sailpoint.connector.*;
Map data = new HashMap();
//Se levanta el script a ejecutar en AD
Rule afterProvisioningScript = context.getObjectByName(Rule.class, "GEMA_powershell_getPasswordSalt"); //Agregar nombre de la rule
//log.error(afterProvisioningScript.getSource());
Application ad = context.getObjectByName(Application.class, "Active Directory");
//log.error(ad.toXml());
data.put("Application", ad.getAttributes());
data.put("postScript", afterProvisioningScript);
// Fake account request
AccountRequest accountRequest = new AccountRequest();
accountRequest.setApplication("IIQ");
accountRequest.setNativeIdentity("*FAKE*");
accountRequest.setOperation(AccountRequest.Operation.Modify);
// Fake attribute request
AttributeRequest attribute1 = new AttributeRequest();
attribute1.setOperation(Operation.Add);
attribute1.setName("salt");
attribute1.setValue("48"); //Agregar sAMaAccountName
AttributeRequest attribute2 = new AttributeRequest();
attribute2.setOperation(Operation.Add);
attribute2.setName("pass");
attribute2.setValue("Admin123!"); //Agregar sAMaAccountName
List <AttributeRequest> attributeRequests = new ArrayList<AttributeRequest>();
attributeRequests.add(attribute1);
attributeRequests.add(attribute2);
accountRequest.setAttributeRequests(attributeRequests);
data.put("Request", accountRequest);
log.error(data.toString());
// Add to the IQService params
RPCService service = new RPCService("10.8.171.66", 5050, false, false);
//service.setConnectorServices(new sailpoint.connector.DefaultConnectorServices());
RpcRequest request = new RpcRequest("ScriptExecutor", "runAfterScript", data);
//log.error("point");
//service.checkForErrors(false);
RpcResponse response = service.execute(request);
if (response.hasMessages()) {
return response.getMessages().toString();
} else if (response.hasErrors()) {
return "Error: " + response.getErrors().toString();
}
return "No hay acciones\n" + accountRequest.toXml();
</Source>
</Rule>
And the powershell that’s being executed is the following:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1731530558782" id="0a7cd38492bf1869819327438d3e0877" language="beanshell" name="GEMA_powershell_getPasswordSalt" type="ConnectorAfterModify">
<Attributes>
<Map>
<entry key="ObjectOrientedScript" value="true"/>
<entry key="disabled" value="false"/>
<entry key="extension" value=".ps1"/>
<entry key="program" value="powershell.exe"/>
<entry key="timeout" value="2000"/>
</Map>
</Attributes>
<Description>
Powershel ejecutable a travez de IQService para obtener la contraseña encriptada y salt correspondiente de usuarios nuevos de GEMA invocando a la aplicacion EncryptGema.exe.
</Description>
<Source>
Try {
Add-type -path C:\IdentityIQ\utils.dll
$sReader = New-Object System.IO.StringReader([System.String]$env:Request);
$xmlReader = [System.xml.XmlTextReader]([sailpoint.Utils.xml.XmlUtil]::getReader($sReader));
$requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);
$resultObject = New-Object Sailpoint.Utils.objects.ServiceResult;
$attributes = @{}
foreach ($attribute in $requestObject.AttributeRequests){
$attributes[$attribute.Name] = $attribute.Value;
}
#Handle input and do stuff here
$salt=$attributes["salt"]
$pass=$attributes["pass"]
$concatenado = "";
$cmdOutput = @(C:\EncryptGema.exe Password=$pass SaltCount=$salt)
Foreach ($i in $cmdOutput) {
$resultObject.Messages.add($i);
}
$resultObject.Messages.add($concatenado);
} catch [Exception] {
# You should probably do some logging here too
$ErrorMessage = $_.Exception.ToString();
$resultObject.Messages.add("Error: " + $ErrorMessage);
} finally {
$resultObject.toxml() | out-file $args[0];
}
</Source>
</Rule>
I really don’t know what’s going on, the connection to my Active Directory Application it’s okay, also is the connection to IQService. I actually compared the AD app definition to another from another implementation where I also use the RPCService utility, and it seems fine.