ENVIRONMENT
PROBLEM STATEMENT
In doing a Full and/or a Delta Import on a Sun One Management Agent we are seeing several Discovery Errors with the wording "multi-single mismatch". Clicking the object link or the "multi-single mismatch" links in the errors section displays the Object Error Details dialog.
We then exported the Run History to XML and found the error message listed there. However, it gave no more information than the DN of the object.
RUN HISTORY
<ma-discovery-errors>
<ma-object-error><error-type>multi-single-mismatch</error-type><dn>((( OBJECT DN )))</dn><anchor>fd9cae02-1dd111b2-8076e6a0-e33eba5b</anchor></ma-object-error>
From there, we dumped the hologram of the object to see what the object looked like in the connector space.
STEPS TO EXPORT CONNECTOR SPACE OBJECT
Open an Administrative Command Prompt and navigate to the %programfiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin folder.
Execute the following command, and then press the ENTER key:
csexport <name of the sun one management agent> badobject.xml /f:d=<dn of bad object>
On receipt of badobject.xml, we reviewed the connector space information for multi-valued attributes. Since the problem was being exposed on Import, we reviewed the "pending-import-hologram" section. A multi-valued attribute can be identified by looking for the word multivalued: the multivalued XML attribute on each attr element is set to true or false. We were able to identify the multi-valued and single-valued attributes, but the export told us nothing more at this point.
MULTI-VALUED ATTRIBUTES
<pending-import-hologram>
<entry dn="((( OBJECT DN )))">
<anchor>fd9cae02-1dd111b2-8076e6a0-e33eba5b</anchor>
<parent-anchor>3b38b2e6-1dd211b2-802ae6a0-e33eba5b</parent-anchor>
<primary-objectclass>inetOrgPerson</primary-objectclass>
<objectclass><oc-value>top</oc-value>
<oc-value>Person</oc-value>
<oc-value>inetOrgPerson</oc-value>
<oc-value>organizationalPerson</oc-value>
<oc-value>(( OC VALUE )))</oc-value>
</objectclass>
<attr multivalued="false" type="string" name="MyMailAttribute">
<value>mymail@mymail.com</value>
</attr>
<attr multivalued="true" type="string" name="MyPersonAffliation">
<value>Full Time Employee</value>
We then ran a network trace and we were able to locate an LDAP Result for a specific UID that was failing.
NETWORK TRACE
Frame: Number = 2903, Captured Frame Length = 210, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-B2-00-15],SourceAddress:[00-10-DB-FF-21-50]
+ Tcp: Flags=...AP..., SrcPort=LDAP(389), DstPort=65307, PayloadLen=156, Seq=4213507664 - 4213507820, Ack=2781020950, Win=49640 (scale factor 0x0) = 49640
Ldap: Search Result Entry, MessageID: 1234567
- LDAPMessage: Search Result Entry, MessageID: 1234567
+ ParserHeader:
+ MessageID: 1234567
+ OperationHeader: Search Result Entry, 4(0x4)
- SearchResultEntry: changenumber=987654,cn=changelog
+ ObjectName: changenumber=987654,cn=changelog
+ Attributes: 3 Partial Attributes
We then reviewed the Sun One Change Log information for that specific changenumber. Notice the add modification to MyMailAttribute. If we go back and check MyMailAttribute in the badobject.xml file, we can see that it is a single-valued attribute.
SUN ONE CHANGE LOG
BADOBJECT.XML
changeNumber: 987654
changeType: modify
targetDn: ((( OBJECT DN )))
changes:
add: MyMailAttribute
MyMailAttribute: msftengineer@microsoft.com
-
replace: modifiersname
modifiersname: cn=managers
replace: modifytimestamp
modifytimestamp: 20130108052303Z
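The manual comparison above (changelog modification against the multivalued flag in badobject.xml) can be scripted. The following is an added example, not part of the original article or of FIM: the function names, the sample DN and the closed-off XML are constructed, and it assumes the hologram holds the value the management agent already has for the object.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the csexport excerpt above, closed so that it parses.
HOLOGRAM_XML = """<pending-import-hologram>
<entry dn="uid=sample,ou=people,dc=example,dc=com">
<attr multivalued="false" type="string" name="MyMailAttribute"><value>mymail@mymail.com</value></attr>
<attr multivalued="true" type="string" name="MyPersonAffliation"><value>Full Time Employee</value></attr>
</entry>
</pending-import-hologram>"""

# Constructed sample: the "changes" value of the changelog entry shown above.
CHANGES = """add: MyMailAttribute
MyMailAttribute: msftengineer@microsoft.com
-
replace: modifiersname
modifiersname: cn=managers
replace: modifytimestamp
modifytimestamp: 20130108052303Z
"""

OPS = {"add", "replace", "delete"}

def single_valued(hologram_xml):
    """Map each multivalued="false" attribute name (lower-cased) to its values."""
    root = ET.fromstring(hologram_xml)
    return {a.get("name").lower(): [v.text for v in a.findall("value")]
            for a in root.iter("attr") if a.get("multivalued") == "false"}

def parse_changes(changes):
    """Return [op, attribute, values] for every modification in the entry."""
    mods = []
    for line in changes.splitlines():
        key, sep, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if sep and key in OPS:                  # "add: attr" starts a modification
            mods.append([key, val.lower(), []])
        elif sep and mods and key == mods[-1][1]:
            mods[-1][2].append(val)             # value line for the current attribute
    return mods

def find_mismatches(hologram_xml, changes):
    """List changes that leave a single-valued attribute holding several values."""
    current, hits = single_valued(hologram_xml), []
    for op, attr, values in parse_changes(changes):
        if attr not in current or op == "delete":
            continue
        result = set(values) | (set(current[attr]) if op == "add" else set())
        if len(result) > 1:
            hits.append((op, attr, sorted(result)))
    return hits

if __name__ == "__main__":
    print(find_mismatches(HOLOGRAM_XML, CHANGES))
```

Attribute names are compared case-insensitively, as LDAP does. A replace carrying one value, or an add to a multi-valued attribute, is not reported.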
RESOLUTION
To resolve the issue, we followed these steps:
Tim Macaulay edited Revision 1. Comment: updated title, and added some tags