Warning During Active Directory Aggregation

Which IIQ version are you inquiring about?

Version 8.4

Share all details related to your problem, including any error messages you may have received.

For quite a while now we have been getting hundreds of these warnings in our logs when an Active Directory group aggregation is running:

WARN QuartzScheduler_Worker-4 sailpoint.connector.LDAPConnector:4625 - 909493685 Problem resolving [member]Attribute member has no value
java.util.NoSuchElementException: Attribute member has no value

I have looked at the related discussions on Compass, but nothing seems to match what we are experiencing. It looks like possibly the “fix” could be to update the maxValRange value in Active Directory, but this doesn’t seem advisable. Other thoughts revolve around doing some sort of partitioning with the group aggregation, but I can’t see what should be done there.

Does anyone have any thoughts on making this warning go away? It’s a lot of extra noise in our logs.

Thanks,
Vic


Hi Vic,
It would be great if you could add your app definition here, anonymized of course.

Hi @vic_rinkenberger

Could you give more details about the error?
Is it possible to provide complete logs about the error? Is the error caused for all groups?

Please provide the application xml object to check configuration

Please, check if your member attribute has value.

I assume that in this mapping, aggregation would return member “,cn=users,dc=COMPANY,dc=com” with empty source value, which leads to an invalid DN syntax/format and/or an exception error.

Please, add custom code to AD to automatically add a dummy (or the owner) as a member when a new empty group is created.

This is the full error message:

2024-01-02T09:31:40,480  WARN QuartzScheduler_Worker-1 sailpoint.connector.LDAPConnector:4378 - 83817779 Vals for member attribute exceeded maxValsRange. Using range based retrieval
2024-01-02T09:31:40,480  WARN QuartzScheduler_Worker-1 sailpoint.connector.LDAPConnector:4543 - 83817779 Problem resolving [member]Attribute member has no value
java.util.NoSuchElementException: Attribute member has no value
	at javax.naming.directory.BasicAttribute.get(BasicAttribute.java:300) ~[?:?]
	at sailpoint.connector.LDAPConnector.resolveAttributeValue(LDAPConnector.java:4539) [connector-bundle-directories.jar:8.1p4]
	at sailpoint.connector.LDAPConnector.buildAttributes(LDAPConnector.java:4364) [connector-bundle-directories.jar:8.1p4]
	at sailpoint.connector.LDAPConnector.buildAttributes(LDAPConnector.java:4263) [connector-bundle-directories.jar:8.1p4]
	at sailpoint.connector.ADLDAPConnector.buildAttributes(ADLDAPConnector.java:478) [connector-bundle-directories.jar:8.1p4]
	at sailpoint.connector.LDAPConnector.buildObject(LDAPConnector.java:3319) [connector-bundle-directories.jar:8.1p4]
	at sailpoint.connector.ADLDAPConnector.buildObjectSingleForest(ADLDAPConnector.java:1636) [connector-bundle-directories.jar:8.1p4]
	at sailpoint.connector.ADLDAPConnector.buildObjectMultiForest(ADLDAPConnector.java:2222) [connector-bundle-directories.jar:8.1p4]
	at sailpoint.connector.ADLDAPConnector.buildObject(ADLDAPConnector.java:4083) [connector-bundle-directories.jar:8.1p4]
	at sailpoint.connector.LDAPConnector.getObject(LDAPConnector.java:878) [connector-bundle-directories.jar:8.1p4]
	at sailpoint.connector.ADLDAPConnector.getObject(ADLDAPConnector.java:4238) [connector-bundle-directories.jar:8.1p4]
	at sailpoint.connector.ADLDAPConnector$DirSyncIterator.nextWithDnNativeId(ADLDAPConnector.java:9561) [connector-bundle-directories.jar:8.1p4]
	at sailpoint.connector.ADLDAPConnector$DirSyncIterator.next(ADLDAPConnector.java:9254) [connector-bundle-directories.jar:8.1p4]
	at sailpoint.connector.ConnectorProxy$CustomizingIterator.peek(ConnectorProxy.java:1318) [connector-bundle-identityiq.jar:8.1p4]
	at sailpoint.connector.ConnectorProxy$CustomizingIterator.hasNext(ConnectorProxy.java:1344) [connector-bundle-identityiq.jar:8.1p4]
	at sailpoint.api.Aggregator.aggregateGroups(Aggregator.java:5361) [identityiq.jar:8.1p4 Build 8db8c87b938-20211220-115258]
	at sailpoint.api.Aggregator.aggregateApplication(Aggregator.java:2629) [identityiq.jar:8.1p4 Build 8db8c87b938-20211220-115258]
	at sailpoint.api.Aggregator.phaseAggregate(Aggregator.java:2541) [identityiq.jar:8.1p4 Build 8db8c87b938-20211220-115258]
	at sailpoint.api.Aggregator.execute(Aggregator.java:2121) [identityiq.jar:8.1p4 Build 8db8c87b938-20211220-115258]
	at sailpoint.task.ResourceIdentityScan.doUnpartitioned(ResourceIdentityScan.java:238) [identityiq.jar:8.1p4 Build 8db8c87b938-20211220-115258]
	at sailpoint.task.ResourceIdentityScan.execute(ResourceIdentityScan.java:218) [identityiq.jar:8.1p4 Build 8db8c87b938-20211220-115258]
	at sailpoint.api.TaskManager.runSync(TaskManager.java:903) [identityiq.jar:8.1p4 Build 8db8c87b938-20211220-115258]
	at sailpoint.api.TaskManager.runSync(TaskManager.java:723) [identityiq.jar:8.1p4 Build 8db8c87b938-20211220-115258]
	at sailpoint.scheduler.JobAdapter.execute(JobAdapter.java:128) [identityiq.jar:8.1p4 Build 8db8c87b938-20211220-115258]
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.2.3.jar:?]
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.2.3.jar:?]

Also, here is the Application XML.
Application.xml (52.1 KB)

The error seems to be happening for groups that have a lot of members, rather than groups with no members, but I could be wrong.

Thanks,
Vic
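Added example (not from the thread and not SailPoint's connector code): a simulation of how AD answers a read of member once a group holds more values than MaxValRange. The plain attribute comes back empty, which is the condition behind "Attribute member has no value", and the values have to be pulled range by range. ad_read is a constructed stand-in for the directory, the DNs are constructed, and the limit of 1500 is AD's default, assumed unchanged.

```python
import re

MAX_VAL_RANGE = 1500  # AD default MaxValRange (assumed unchanged)
RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)

# Constructed sample group with 3200 member DNs.
GROUP = [f"CN=user{i},CN=Users,DC=example,DC=com" for i in range(3200)]

def ad_read(members, requested="member"):
    """Simulated AD answer for one group (stand-in, not a real LDAP call)."""
    m = RANGE_RE.match(requested)
    if not m and len(members) <= MAX_VAL_RANGE:
        return {"member": list(members)}          # small group: one answer
    start = int(m.group(1)) if m else 0
    chunk = members[start:start + MAX_VAL_RANGE]
    is_last = start + len(chunk) >= len(members)
    end = "*" if is_last else str(start + len(chunk) - 1)
    resp = {f"member;range={start}-{end}": chunk}
    if not m:
        resp["member"] = []   # plain attribute is present but has no values
    return resp

def naive_first_member(resp):
    """Reads the first value of plain 'member', like the failing call in the trace."""
    values = resp.get("member", [])
    if not values:
        raise LookupError("Attribute member has no value")
    return values[0]

def fetch_all_members(members):
    """Range-based retrieval: follow member;range=a-b until the answer ends in -*."""
    out, resp = [], ad_read(members)
    while True:
        key = next((k for k in resp if RANGE_RE.match(k)), None)
        if key is None:       # small or empty group: plain attribute is complete
            return resp.get("member", [])
        out.extend(resp[key])
        end = RANGE_RE.match(key).group(2)
        if end == "*":
            return out
        resp = ad_read(members, f"member;range={int(end) + 1}-*")
```
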

Looks like that's the reason: Vals for member attribute exceeded maxValsRange

Yes, but I don’t know where I can configure that at.

This thread on Compass seems to be pointing in the right direction, but the only option seems to be setting the “pageSize” on the app (default value is 100). I set it to 20,000 and still got the same errors.

https://community.sailpoint.com/t5/IdentityIQ-Forum/Warn-sailpoint-connector-LDAPConnector-1465/m-p/2537

Thanks,
Vic

It looks like an AD issue, not really SailPoint. This is what I found:

And here is the solution I found:

Yes, that’s what it is looking like. Microsoft doesn’t recommend changing the MaxValRange setting, it seems. Is no one else experiencing this issue? It seems like it would affect most IIQ customers.

Vic

The problem is not really SailPoint related. Honestly, so far in all my projects I’ve never had a situation with an AD user with 1.5k groups. Maybe this can be improved on the AD side by improving the permissions model.

Since this is essentially an issue that can’t be fixed (without modifying Active Directory settings, which is not desirable), I’ve opted to just exclude the noisy messages from being logged:

appender.file.filter.1.type = Filters

appender.file.filter.1.a.type = RegexFilter
appender.file.filter.1.a.regex = .*Attribute member has no value.*
appender.file.filter.1.a.onMatch = DENY
appender.file.filter.1.a.onMismatch = NEUTRAL

appender.file.filter.1.b.type = RegexFilter
appender.file.filter.1.b.regex = .*Vals for member attribute exceeded maxValsRange.*
appender.file.filter.1.b.onMatch = DENY
appender.file.filter.1.b.onMismatch = NEUTRAL

appender.file.filter.1.d.type = RegexFilter
appender.file.filter.1.d.regex = .*
appender.file.filter.1.d.onMatch = ACCEPT

Thanks for everyone’s replies!

Vic
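Added example (not from the thread): a small model of the filter chain posted above, run over constructed messages to check what it suppresses. It assumes Log4j 2's semantics: RegexFilter matches the whole message, an unset onMismatch defaults to DENY, a composite filter returns the first ACCEPT or DENY, and an appender drops only events that are denied. It also evaluates a trimmed variant without the catch-all filter d, which is an assumption of this example and not something the poster used.

```python
import re

DENY, NEUTRAL, ACCEPT = "DENY", "NEUTRAL", "ACCEPT"

# (regex, onMatch, onMismatch) in the order posted. Filter d sets no
# onMismatch, so the default (DENY) is used for it here.
POSTED = [
    (r".*Attribute member has no value.*", DENY, NEUTRAL),
    (r".*Vals for member attribute exceeded maxValsRange.*", DENY, NEUTRAL),
    (r".*", ACCEPT, DENY),
]
# Variant without the catch-all: anything not explicitly denied stays NEUTRAL.
TRIMMED = POSTED[:2]

# Constructed messages; the first two are the texts quoted in the thread.
SAMPLES = {
    "noise_1": "Problem resolving [member]Attribute member has no value",
    "noise_2": "Vals for member attribute exceeded maxValsRange. "
               "Using range based retrieval",
    "other": "Problem resolving [objectSid]Attribute objectSid has no value",
    "multiline": "Aggregation failed for group\nCN=Example,DC=example,DC=com",
}

def decide(filters, message):
    """Composite filter: the first ACCEPT or DENY wins, otherwise NEUTRAL."""
    for regex, on_match, on_mismatch in filters:
        # Whole-string match; '.' does not cross a line break.
        result = on_match if re.fullmatch(regex, message) else on_mismatch
        if result != NEUTRAL:
            return result
    return NEUTRAL

def is_logged(filters, message):
    """The appender writes the event unless the filter result is DENY."""
    return decide(filters, message) != DENY

def report(filters):
    """Map each sample name to True (written to the log) or False (dropped)."""
    return {name: is_logged(filters, msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    print("posted :", report(POSTED))
    print("trimmed:", report(TRIMMED))
```

Under these assumptions both variants drop only the two noisy warnings among single-line messages, but the posted chain also drops the multi-line message because `.*` cannot match across the line break.
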
