

Flexi-DN Data Converted to Contain Single Quotes

Applies to the MS SQL Server connector only.

Symptom:

Your data can use the Flexi-DN data type for a multivalued attribute that contains a number of DN strings.

In Connector Xpress, the default converter adds single quotes to every value, which can cause problems with SQL Server.

Solution:

You can now select how to format the attribute before it is passed into the SQL query.

To make Connector Xpress generate the string with no quotes, use the flattening style SQLQUOTELESS.

Example: Using SQLQUOTELESS to generate a string with no quotation marks

In this example, the DN string looks like this:

eTDYNObject001Name=1,eTDYNContainer001Name=Role Container

The default converter for the Flexi-DN data type extracts the role ID "1" from this full DN string.

If you add a Stored Procedure binding to this attribute, CA IAM Connector Server will generate a role ID string with each value enclosed with single quotes:

"'1', '2', '3', '4'"

When you use the flattening style SQLQUOTELESS, the role ID string is converted to the format that SQL Server expects:

"1, 2, 3, 4"

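The two output formats described above, as an added Python illustration; it is not Connector Xpress code or the product's converter. The function names are hypothetical, and the quote doubling and the integer-only check are assumptions: the page does not describe how the converter escapes or validates values.

```python
import re

def first_rdn_value(dn):
    """Value of the leftmost RDN; a comma preceded by a backslash is not a separator."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    _attr, sep, value = rdn.partition("=")
    if not sep or not value.strip():
        raise ValueError("not a DN: %r" % dn)
    return value.replace("\\,", ",").strip()

def flatten_quoted(values):
    """Default style on this page: every value wrapped in single quotes."""
    # Doubling embedded quotes is an assumption; the page does not describe escaping.
    return ", ".join("'" + v.replace("'", "''") + "'" for v in values)

def flatten_quoteless(values):
    """SQLQUOTELESS-style output: bare values, so only plain integers are allowed."""
    for v in values:
        # Without quotes the database parses the value as SQL text, not as data.
        if not re.fullmatch(r"[0-9]+", v):
            raise ValueError("non-numeric role ID: %r" % v)
    return ", ".join(values)

# The first DN is the one shown on the page; the other three are constructed.
SAMPLE_DNS = [
    "eTDYNObject001Name=1,eTDYNContainer001Name=Role Container",
    "eTDYNObject001Name=2,eTDYNContainer001Name=Role Container",
    "eTDYNObject001Name=3,eTDYNContainer001Name=Role Container",
    "eTDYNObject001Name=4,eTDYNContainer001Name=Role Container",
]

def role_id_list(dns, quoteless):
    """Extract the role ID from each DN and flatten the list in the chosen style."""
    ids = [first_rdn_value(dn) for dn in dns]
    return flatten_quoteless(ids) if quoteless else flatten_quoted(ids)

if __name__ == "__main__":
    print(role_id_list(SAMPLE_DNS, quoteless=False))
    print(role_id_list(SAMPLE_DNS, quoteless=True))
```
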
Setting a Managing Connector Server for a Dynamic Endpoint Fails

Valid on Windows and UNIX

Symptom:

Choosing a C++ Connector Server to manage your DYN endpoint fails, and an error message is displayed.

The most common reason for this failure is a mismatch between the endpoint type (for example, DYN) and the managing Connector Server (for example, C++ CS).

Solution:

Select a CA IAM Connector Server to manage the dynamic endpoint type.

ID/Sequence Column Support

Connector Xpress does not currently provide mapping support of any ID/Sequence columns, for example, auto-increment Object ID column.

Failed to Insert because IDENTITY_INSERT is Set to Off

Valid on MSSQL only

Symptom:

The message Failed to Insert because IDENTITY_INSERT is Set to Off appears when you create an account. This message occurs because your database table has IDENTITY_INSERT set to off.

Solution:

Write a stored procedure to create an account, and write scripts that set IDENTITY_INSERT on before the insert operation and then set IDENTITY_INSERT off. Do the following:

  1. Write a one-line stored procedure with timing=PRE (Before) that sets IDENTITY_INSERT [ database. [ owner. ] ] { table } on.
  2. Write another one-line stored procedure with timing=POST (After) that sets IDENTITY_INSERT [ database. [ owner. ] ] { table } off.

Multiple Foreign Key Constraints

If the database table mapped to accounts is associated with multiple foreign-key constraints, do either of the following:

For example, in a company inventory database, the foreign keys in the customer group table and customer order table reference a customer account table. Customer account is mapped to account and customer group is mapped to account group in Connector Xpress. When you delete an account, Connector Xpress automatically deletes any entries in the account group that relate to this account. However, Connector Xpress does not delete the customer order table. The delete operation fails because of a violation of the foreign-key constraint.

To resolve the problem, do either of the following:

The Role Definition Generator Will Not Run

Valid on Windows and UNIX

Symptom:

When I try to run the Role Definition Generator I get the following error message:

java.lang.UnsupportedClassVersionErrorException

This occurs when an older version of the Java JRE appears before the new version in the path.

Solution:

Verify that Java 5 JRE appears before older versions in the path.

Support for Binary-type Attributes

If you are performing DYN mappings in Connector Xpress to perform account management using CA Identity Manager, be aware that CA Identity Manager does not support binary-type attributes for DYN endpoint types.

As a result, any attributes that you specified as having a binary data type in Connector Xpress are not displayed on CA Identity Manager account management screens.

We recommend that you use Provisioning Manager to manage binary attributes on DYN endpoint types.

Support for Mandatory Attributes on a JDBC Endpoint

To support attributes that the JDBC endpoint defines as mandatory (that is, NOT NULL), but do not need to be mandatory from the provisioning point of view, the JDBC connector allows you to use an empty value for the provisioning attribute.

When you create an account and are mapping a mandatory attribute on the endpoint to a provisioning attribute that is non-mandatory, for example, a description field, and you do not enter a value for the description field, the JDBC connector maps the empty provisioning attribute to the endpoint attribute by populating the NOT NULL column on the endpoint database with spaces.

To support mapping of non-mandatory fields in Provisioning Manager, CA IAM Connector Server contains a NullValueClassConverter that converts empty values in non-mandatory provisioning attributes to spaces in mandatory attributes on the endpoint.

For example, empty values can occur when a legacy database system has a description field that is NOT NULL on the table being mapped to a user account. However, the description field is not set to mandatory in the Provisioning Manager, which means you do not have to enter a description for a user to create an account. The NullValueClassConverter is used to store the empty value.

The property nullValue in the pluginConfig class in the NullValueClassConverter is set to a space by default. You can change nullValue to other values, but changing nullValue requires additional configuration of the endpoint database.

For JDBC endpoints, CA IAM Connector Server loads the converter automatically. For other types of endpoints, for example, JNDI, manually configure CA IAM Connector Server to load the converter.

How to Enable Support for Mapping of Non-mandatory Fields in Provisioning Manager

To enable support for mapping of non-mandatory fields in Provisioning Manager to not-null columns in a JDBC database using the JDBC connector, add the metadata attribute useSpecialNullValue to the Connector Xpress Dyn mapping to each attribute that you want the NullValueClassConverter to convert. CA IAM Connector Server checks for the presence of this metadata attribute before enabling the converter.

Note: You can also use this procedure to enable support for other types of endpoints.

To enable support, do the following:

  1. Use Connector Xpress or another editor to edit the metadata for your endpoint type.
  2. Add the new Boolean metadata attribute useSpecialNullValue to the attribute that you want the NullValueClassConverter to convert, and set the Boolean value to true.

    Note: Add the metadata attribute useSpecialNullValue to the Connector Xpress Dyn mapping to each attribute that you want to convert. CA IAM Connector Server checks for the presence of this metadata attribute before enabling the converter.

  3. Set the isRequired metadata attribute to false.
  4. Repeat this procedure for all attributes that you want to convert.

Example: Enable support for mapping of non-mandatory fields in Provisioning Manager

This example uses Connector Xpress to edit the metadata. The Description attribute of your account is mapped to eTDYN-str-01.

Follow these steps:

  1. In Connector Xpress, right-click the endpoint type you want to edit the metadata for, then click Edit Metadata.

    The Edit Metadata for Endpoint Type dialog appears.

  2. Expand the eTDYN-str-01 node, then select the metadata subnode.
  3. Click the Add button.

    Connector Xpress adds a new metadata attribute node to the tree.

  4. Name the new metadata node useSpecialNullValue.
  5. Select Boolean from the type drop-down list.
  6. Select the check-box next to the drop-down list.

    The value of the useSpecialNullValue attribute is set to true.

  7. Select the isRequired metadata attribute on eTDYN-str-01.
  8. Clear the check-box next to the drop-down list.

    The value of the isRequired attribute is set to false.

How to Enable Support for Mandatory Attributes on Endpoints other than JDBC Endpoints

To support endpoints other than JDBC endpoints that define attributes as mandatory (that is, NOT NULL), but do not need to be mandatory from the provisioning point of view, do the following:

  1. Configure CA IAM Connector Server to load the NullValueClassConverter.
  2. Enable support for mapping of non-mandatory fields in Provisioning Manager.

Configure CA IAM Connector Server to Load the NullValueClassConverter

The NullValueClassConverter plugin is shipped with the JDBC connector. To use the NullValueClassConverter for endpoints other than JDBC endpoints, configure CA IAM Connector Server to load the converter.

Note: The converter is loaded automatically for JDBC endpoints.

Note: The property metadataPropNames has a value of useSpecialNullValue. Add the metadataPropNames metadata attribute to the Connector Xpress Dyn mapping for each attribute that the plugin handles. CA IAM Connector Server checks for the presence of this metadata attribute before enabling the plugin.

To enable the plugin, configure the plugin in an override connector.xml for your endpoint.

Follow these steps:

  1. Rename the file SAMPLE.connector.xml in C:\Program Files\CA\Identity Manager\Connector Server\conf\override\jdbc to connector.xml.
  2. Add the following entries in the connector.xml file:

    <property name="classPluginConfigs">
      <list>
        <bean class="com.ca.jcs.cfg.MetaPluginConfig">
          <property name="pluginClass">
            <value>com.ca.jcs.converter.meta.NullValueClassConverter</value>
          </property>
          <property name="pluginConfig">
            <bean class="com.ca.jcs.converter.meta.NullValueClassConverter$NullValueConverterConfig">
              <property name="nullValue">
                <value> </value>
              </property>
            </bean>
          </property>
          <property name="metadataPropNames">
            <list>
              <value>useSpecialNullValue</value>
            </list>
          </property>
        </bean>
      </list>
    </property>

    Note: The property nullValue in the pluginConfig class in the NullValueClassConverter is set to a space by default. To change the null value that the plugin uses, change the nullValue in the config bean.

Change the Default Value Used to Store an Empty Value

The property nullValue in the pluginConfig class in the NullValueClassConverter is set to a space by default. To change the default value used to store an empty value, change the nullValue in the config bean in the class plugin config of your connector.xml file.
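
A check for the override described above, as an added Python example that is not part of the product: it reads the classPluginConfigs fragment and reports the configured nullValue and metadataPropNames. The function names are hypothetical, and the embedded sample is the fragment from step 2; the check exists because the single-space default is easy to lose when the file is edited or reformatted.

```python
import xml.etree.ElementTree as ET

CONVERTER = "com.ca.jcs.converter.meta.NullValueClassConverter"

# The fragment from step 2, embedded so the check runs offline.
SAMPLE = """<property name="classPluginConfigs"><list>
 <bean class="com.ca.jcs.cfg.MetaPluginConfig">
  <property name="pluginClass"><value>com.ca.jcs.converter.meta.NullValueClassConverter</value></property>
  <property name="pluginConfig">
   <bean class="com.ca.jcs.converter.meta.NullValueClassConverter$NullValueConverterConfig">
    <property name="nullValue"><value> </value></property>
   </bean>
  </property>
  <property name="metadataPropNames"><list><value>useSpecialNullValue</value></list></property>
 </bean>
</list></property>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # ignore any XML namespace

def _props(elem, name):
    return [e for e in elem.iter()
            if _local(e.tag) == "property" and e.get("name") == name]

def _values(elem):
    # Text is returned unstripped: a space-only nullValue is significant.
    return [v.text or "" for v in elem.iter() if _local(v.tag) == "value"]

def check_null_converter(xml_text):
    """Return (nullValue, metadataPropNames, problems), or None if the plugin is absent."""
    for bean in ET.fromstring(xml_text).iter():
        plugin = [p for p in bean
                  if _local(p.tag) == "property" and p.get("name") == "pluginClass"]
        if _local(bean.tag) != "bean" or not plugin:
            continue
        if [v.strip() for v in _values(plugin[0])] != [CONVERTER]:
            continue
        found = [v for p in _props(bean, "nullValue") for v in _values(p)]
        null_value = found[0] if found else None
        names = [n.strip() for p in _props(bean, "metadataPropNames") for n in _values(p)]
        problems = []
        if null_value is None:
            problems.append("nullValue not set in the config bean")
        elif null_value == "":
            problems.append("nullValue is empty (whitespace lost?)")
        if "useSpecialNullValue" not in names:
            problems.append("metadataPropNames does not list useSpecialNullValue")
        return null_value, names, problems
    return None
```
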

Mapping Against One Endpoint and Acquiring Against Another Endpoint

If you perform mapping against one endpoint and acquire a directory referring to another, verify that they have the same tables and stored procedures (JDBC) or LDAP schema (JNDI).

Table Attribute Mappings

When you define your table and attribute mappings, you can make various choices in the Type field on the Map Class and Attribute dialog. The choices you make define which predefined attribute is used and what the attribute's behavior is.

If you select the Synchronized check box on the Attribute details dialog, Connector Xpress determines the synchronization type from the attribute's data type automatically.

For example, the choices you make set the limits on how many predefined attributes there are for that type and behavior. The following table shows the limits:

Type and behavior                                   Limit

single-valued non-capability integer                10
single-valued capability integer                    99
multivalued non-capability integer                  10
multivalued capability integer                      99
single-valued sensitive non-capability string       30
single-valued insensitive non-capability string     30
single-valued sensitive capability string           99
single-valued insensitive capability string         99
multivalued sensitive non-capability string         500
multivalued insensitive non-capability string       500
multivalued sensitive capability string             500
multivalued insensitive capability string           99
single-valued non-capability Boolean                10
single-valued capability Boolean                    99
single-valued binary                                10

Type Mapping

In Connector Xpress, an edittype=int maps to a plain LDAP string attribute, unless you explicitly request integer sync.

MySQL and Informix Stored Procedure Support

Connector Xpress does not support the following stored procedures from the following vendors:

JDBC Naming Attribute

You can map the account and group naming attributes only to columns that are required in the native table they are mapped to, that is, columns that do not allow null values. You are advised to verify that these columns act as primary keys for the tables containing them or, at the least, have a unique index applied to them.

Sybase Stored Procedures Failure

Valid on Windows and UNIX

Symptom:

The following exception is reported when invoking Sybase stored procedures:

Nested exception is com.sybase.jdbc3.jdbc.SybSQLException: Stored procedure 'AddObject_Instead_Parameter' may be run only in unchained transaction mode. The 'SET CHAINED OFF' command will cause the current session to use unchained transaction mode.

Solution:

CA IAM Connector Server requires that Sybase stored procedures have the chained option set to on.

Set the chained option to on for all Sybase stored procedures.

Connector Xpress Logging

Connector Xpress log messages are written to this file:

im_home\Connector Xpress\logs\conxp-log.txt

Note: The generated metadata is usually the primary resource about the problem being diagnosed. We recommend that you analyze the generated metadata using the Connector Xpress log files.