IBM Security Verify

IGI rules bug?

  • 1.  IGI rules bug?

    Posted Thu April 15, 2021 11:16 PM
    I'm trying to add an Account Creation rule in the OUT queue; the rule is like the following:

    when
        event : EventOutBean( )
        userBean : UserBean( )
        orgUnitBean : OrgUnitBean( )
        accountBean : AccountBean( )
    then
        // [ V1.0 - 2021-04-15 ]

        final String AD = "Active Directory";
        final String EDIR = "eDirectory";

        String target = event.getTarget();

        if (target.equalsIgnoreCase(AD) || target.equalsIgnoreCase(EDIR)) {
            BeanList parentOrgBeanList = _OrgUnitAction.findParent(sql, false, orgUnitBean);
            if (!parentOrgBeanList.isEmpty()) {
                StringBuffer container = null;
                if (target.equalsIgnoreCase(AD)) {
                    container = new StringBuffer();
                    // Find account container for Active Directory
                    for (int i = 0; i < parentOrgBeanList.size() - 1; i++) {
                        container.append("ou=");
                        container.append(((OrgUnitBean) parentOrgBeanList.get(i)).getName());
                        container.append(",");
                    }
                    container.append("dc=demolab,dc=com");
                    logger.debug("User container in AD: " + container.toString());
                    accountBean.setDn("cn=" + accountBean.getDisplayName() + "," + container.toString());
                    _AccountAction.updateAccount(sql, accountBean);
                }
                if (target.equalsIgnoreCase(EDIR)) {
                    container = new StringBuffer();
                    // Find account container for eDirectory
                    for (int i = 0; i < parentOrgBeanList.size() - 1; i++) {
                        container.append("ou=");
                        container.append(((OrgUnitBean) parentOrgBeanList.get(i)).getCode());
                        container.append(",");
                    }
                    container.append("o=Lab");
                    container.insert(0, "ou=Users,");
                    logger.debug("User container in eDirectory: " + container.toString());
                    accountBean.setDn("cn=" + accountBean.getName() + "," + container.toString());
                    _AccountAction.updateAccount(sql, accountBean);
                }
            }
        }


    And I get the following error:
    Apr 16, 2021, 10:54:50 AM INFO  AGC:65 - Inserito oggetto com.engiweb.profilemanager.common.bean.event.EventOutBean: [ID=376, OPERATION=8, TRACE=8, STATE=1, WRITE=true, DATEPROCESS=2021-04-16 10:54:32.115, DATEEVENT=2021-04-16 10:17:50.753, PERSON=245, USER=c: 321, TARGET=Active Directory, CODICEOPERAZIONE=PM_731043771391490408_admin, VALORE1=bryan, VALORE2=g0NFjXWJ795pKzg4frTyKQ==, VALORE3=000000, VALORE4=null, APPLICATION=Active Directory]
    Apr 16, 2021, 10:54:50 AM INFO  AGC:65 - Inserito oggetto com.engiweb.profilemanager.common.bean.UserBean: [ID=245, DN=null, ATTR1=null, ATTR2=null, ATTR3=null, ATTR4=null, ATTR5=null, VALUE=null, CODE=bryan, SURNAME=葉, NAME=協萱, EMAIL=null, CODFISC=0076, SEX=0, DATEOFBIRTH=null, PLACEOFBIRTH=null, ADDRESS=null, LOCALITY=null, REGISTER=null, DESCRIPTION=null, STATE=0, LASTMODUSER=null, LASTMODTIME=2021-04-06 14:11:50.775, PWDMANAGEMENT_DISABLED=0, PWDMANAGEMENT_EXPIRE=null, PWDMANAGEMENT_ID=343, ORGANIZATIONALUNIT_ID=108, ORGANIZATIONALUNIT_CODE=B1300, ORGANIZATIONALUNIT_NAME=技術維運處, HIERARCHY_ID=1, HIERARCHY_CODE=null, HIERARCHY_NAME=null, PERSONTYPE_ID=100, PERSONTYPE_NAME=Employee, PERSONTYPE_DESCRIPTION=Identity registered in ISIM, MASTER_CODE=null, MASTER_ID=null, UMETYPE=NONE]
    Apr 16, 2021, 10:54:50 AM INFO  AGC:65 - Inserito oggetto com.engiweb.profilemanager.common.bean.ExternalInfo: [[name=ISN value=null objectValue=null required=null], [name=CREATED_ON value=06/04/2021 14:11 objectValue=Tue Apr 06 14:11:50 CST 2021 required=null], [name=USERSTATUS value=1 objectValue=1 required=null], [name=ATTR10 value=null objectValue=null required=0], [name=LAST_MOD_TIME value=06/04/2021 14:11 objectValue=Tue Apr 06 14:11:50 CST 2021 required=null], [name=OU value=B1300 objectValue=B1300 required=null], [name=LAST_MOD_USER value=null objectValue=null required=null], [name=Is Dep. Manager value=3 objectValue=3 required=null], [name=Education value=Technicians objectValue=Technicians required=null], [name=Cod Subarea value=null objectValue=null required=null], [name=NATION value=null objectValue=null required=null], [name=Cod Area value=網路管理師 objectValue=網路管理師 required=null], [name=City value=null objectValue=null required=null], [name=Manager value=0060 objectValue=0060 required=null], [name=Cod User value=null objectValue=null required=null], [name=ACCOUNT_EXPIRY_DATE value=null objectValue=null required=null]]
    Apr 16, 2021, 10:54:50 AM INFO  AGC:65 - Inserito oggetto com.engiweb.profilemanager.common.bean.OrgUnitBean: [ = COPYRIGHT = null,  = serialVersionUID = -,  = id = 108,  = name = 技術維運處,  = code = B1300,  = description = ,  = parent = null,  = value = null,  = state = null,  = attr1 = 109,  = attr2 = null,  = attr3 = null,  = attr4 = null,  = attr5 = null,  = lastModUser = null,  = lastModTime = Thu Mar 25 23:18:05 CST 2021,  = enableSOD = 0,  = organizationalunittype_description = null,  = organizationalunittype_name = null,  = organizationalunittype_id = null,  = organizationalunittype_code = null,  = reviewState = null,  = person_name = null,  = person_surname = null,  = person_code = null,  = person_email = null,  = person_id = null,  = adminList = null,  = adminByDelegationList = null,  = ownerCode = null,  = hierarchy_id = 1,  = hierarchy_name = null, ]
    Apr 16, 2021, 10:54:50 AM INFO  AGC:65 - Inserito oggetto com.engiweb.profilemanager.common.bean.AccountBean: [ = COPYRIGHT = null,  = serialVersionUID = -,  = id = 369,  = code = bryan,  password = ****,  oldPassword = ****,  = algorithm = null,  = isDefault = 1,  = disabled = 0,  = forceChangePwd = 0,  = pwdLife = 0,  = numberLoginError = 0,  = isReverseIgnore = 1,  = lastModUser = null,  = lastlogin = null,  = lastModTime = Fri Apr 16 10:17:30 CST 2021,  = lastChangePwd = Fri Apr 16 10:17:30 CST 2021,  = lastWrongLogin = null,  = lastNPwd = {SHA-256}fXFJhqB2D8zXdXx6Eze10PwHUh33KnJ0mSVFl5Ox0QI=,  = name = ,  = surname = ,  = email = ,  = dn = ,  = displayName = ,  = identityUID = null,  = questionResetPwd = null,  = response = null,  = value = null,  = attr1 = null,  = attr2 = 000000,  = attr3 = null,  = attr4 = PM_731043771391490408_admin,  = attr5 = null,  = state = 0,  = expire = null,  = block = com.engiweb.profilemanager.common.bean.Block@5d1cfe88,  = pwdcfg_id = 101,  = pwdcfg_name = Active Directory,  = pwdcfg_description = null,  = pwdcfg_sync = 2,  = pwdcfg_attr1 = ADprofile,  = pwdpolicy_id = 103,  = pwdpolicy_name = Company All,  = person_id = 245,  = person_code = bryan,  = person_dn = null,  = person_surname = 葉,  = person_name = 協萱,  = person_sex = 0,  = person_email = null,  = person_codfisc = 0076,  = person_master = null,  = persontype_id = 100,  = persontype_name = Employee,  = lastCertTime = null,  = challengeCounter = null,  = challengeFailedAttempts = null,  = challengeToken = null,  = challengeTokenCreation = null,  = changeLogId = 253,  = accountType_id = null,  = accountType_name = null,  = accountType_description = null,  = accountType_state = null,  = active = 1,  = sourceName = null,  = sourceType = null,  = sourceID = null,  = additionalInfo = null,  = personForFulfillment = null,  = attributesToRemove = {},  = attributesToAdd = {},  = pwdPolicyBean = null,  = isNeedPwdSync = null,  = messages = {}, ]
    Apr 16, 2021, 10:54:50 AM ERROR AGC:50 - AccountDAO.getUser(): The Identity Brokerage Target ID is either null or empty for this Account Configuration: Active Directory
    Apr 16, 2021, 10:54:50 AM ERROR AGC:50 - Exception executing consequence for rule "Set Dn" in defaultpkg: java.lang.NullPointerException
    Apr 16, 2021, 10:54:50 AM ERROR AGC:81 - Error :MR_OUT_376_245 - null
    java.lang.NullPointerException
    at com.engiweb.profilemanager.backend.dao.AccountDAO.findAttrValue(AccountDAO.java:3822)
    at com.engiweb.profilemanager.backend.dao.AccountDAO.findAttrValue(AccountDAO.java:172)
    at com.engiweb.profilemanager.backend.dao.AccountDAO.createChangeLog(AccountDAO.java:3460)
    at com.engiweb.profilemanager.backend.dao.AccountDAO.updateAccount(AccountDAO.java:1084)
    at com.engiweb.profilemanager.common.ruleengine.action.reorganize._AccountAction.updateAccount(_AccountAction.java:111)
    at defaultpkg.Rule_Set_Dn182270844.defaultConsequence(Rule_Set_Dn182270844.java:32)
    at defaultpkg.Rule_Set_Dn182270844DefaultConsequenceInvokerGenerated.evaluate(Unknown Source)
    at defaultpkg.Rule_Set_Dn182270844DefaultConsequenceInvoker.evaluate(Unknown Source)
    at org.drools.core.common.DefaultAgenda.fireActivation(DefaultAgenda.java:1089)
    at org.drools.core.phreak.RuleExecutor.fire(RuleExecutor.java:121)
    at org.drools.core.phreak.RuleExecutor.evaluateNetworkAndFire(RuleExecutor.java:74)
    at org.drools.core.common.DefaultAgenda.fireNextItem(DefaultAgenda.java:1007)
    at org.drools.core.common.DefaultAgenda.fireLoop(DefaultAgenda.java:1350)
    at org.drools.core.common.DefaultAgenda.fireAllRules(DefaultAgenda.java:1288)
    at org.drools.core.impl.StatefulKnowledgeSessionImpl.internalFireAllRules(StatefulKnowledgeSessionImpl.java:1306)
    at org.drools.core.impl.StatefulKnowledgeSessionImpl.fireAllRules(StatefulKnowledgeSessionImpl.java:1297)
    at org.drools.core.impl.StatefulKnowledgeSessionImpl.fireAllRules(StatefulKnowledgeSessionImpl.java:1278)
    at com.engiweb.ruleengine.backend.event.AbstractSynchEvent.executeStatefullDrools(AbstractSynchEvent.java:215)
    at com.engiweb.ruleengine.backend.event.AbstractSynchEvent.executeDrools(AbstractSynchEvent.java:110)
    at com.engiweb.profilemanager.backend.ruleengine.SynchEventOut.createAccount(SynchEventOut.java:1094)
    at com.engiweb.profilemanager.backend.ruleengine.SynchEventOut.executeOperation(SynchEventOut.java:638)
    at com.engiweb.profilemanager.backend.ruleengine.SynchEventOut.doWork(SynchEventOut.java:370)
    at com.engiweb.profilemanager.backend.ruleengine.SynchEventOut.newRun(SynchEventOut.java:230)
    at com.engiweb.profilemanager.backend.ruleengine.eventout.EventOutWorker.doWork(EventOutWorker.java:68)
    at com.engiweb.profilemanager.backend.performance.Worker.run(Worker.java:54)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.lang.Thread.run(Thread.java:822)
    at com.ibm.ws.concurrent.internal.ManagedThreadImpl.run(ManagedThreadImpl.java:94)

    Any ideas are very much appreciated.


    ------------------------------
    Andy Wu
    ------------------------------
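
The rule in the post above concatenates the display name and OU names straight into the DN string, and the AccountBean dump in its log shows `displayName` and `name` empty. The following is an added example, not part of the original post and not IGI code: plain Java using `javax.naming.ldap` to build the same DN shape with escaped values and a check for empty components. The class name, method name and sample values are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class AccountDnBuilder {

    // ouNames is in the order the rule appends them (index 0 ends up leftmost);
    // baseDn is the fixed suffix, e.g. "dc=demolab,dc=com" as in the post.
    static String buildDn(String cn, List<String> ouNames, String baseDn)
            throws InvalidNameException {
        if (cn == null || cn.trim().isEmpty()) {
            throw new IllegalArgumentException("cn is empty; refusing to build a DN");
        }
        // LdapName keeps RDNs right to left: index 0 is the one nearest the root.
        List<Rdn> rdns = new ArrayList<>(new LdapName(baseDn).getRdns());
        for (int i = ouNames.size() - 1; i >= 0; i--) {
            String ou = ouNames.get(i);
            if (ou == null || ou.trim().isEmpty()) {
                throw new IllegalArgumentException("empty OU name at index " + i);
            }
            // Rdn escapes special characters (",", "+", "=", ...) when rendered.
            rdns.add(new Rdn("ou", ou));
        }
        rdns.add(new Rdn("cn", cn));
        return new LdapName(rdns).toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample values, not taken from a real directory.
        List<String> ous = Arrays.asList("Ops, Network", "Technology");
        System.out.println(buildDn("Wu, Andy", ous, "dc=demolab,dc=com"));
        try {
            // Mirrors the empty displayName seen in the logged AccountBean.
            buildDn("", ous, "dc=demolab,dc=com");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```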


  • 2.  RE: IGI rules bug?

    Posted Fri April 16, 2021 04:14 AM

    I found the cause of the error was using the _AccountAction.updateAccount() method, and even if I change to the UserAction.updateAccount() method, I still get the same result.
    Can these two methods not be used in the OUT queue?


    ------------------------------
    Andy Wu
    ------------------------------



  • 3.  RE: IGI rules bug?

    Posted Wed May 05, 2021 12:54 AM
    Andy, 

    Sorry.  Just noticed this post.  Are you still having trouble with the rule?

    ------------------------------
    David Kuehr-McLaren
    Security Expert Labs
    Senior Security Architect - STSM
    IBM
    dkuehrmc@us.ibm.com
    ------------------------------



  • 4.  RE: IGI rules bug?

    Posted Wed May 05, 2021 02:51 AM
    Hi David,
        Yes, the issue is still there; even if I change from
    _AccountAction.updateAccount(sql, accountBean);
    to
    UserAction.updateAccount(sql, accountBean);
    I get the same result.

    I'm trying to customize a different destination dn for employees in different departments for Active Directory.
    So, I try to add a rule to set the account dn and bind it to the OUT queue, and then add another rule (pre-mapping)
    to extract the dn value and append it to the erADContainer attribute.

    And thanks for the response.

    ------------------------------
    Andy Wu
    ------------------------------



  • 5.  RE: IGI rules bug?

    Posted Wed August 25, 2021 10:21 AM
    Hi, did you manage to get this to work? I'm facing the same issue.

    Thank you

    ------------------------------
    Riccardo Pizzuto
    ------------------------------



  • 6.  RE: IGI rules bug?

    Posted Sun August 29, 2021 10:28 PM

    Yes, it's still there even after I upgraded to the last patch of IGI.

    I can't open a ticket with support because this was a POC project for my client. I just used another function to bypass this issue.



    ------------------------------
    Andy Wu
    ------------------------------



  • 7.  RE: IGI rules bug?

    Posted Mon August 30, 2021 09:24 AM
    Could you please share what function bypassed the issue? Many thanks

    ------------------------------
    Riccardo Pizzuto
    ------------------------------



  • 8.  RE: IGI rules bug?

    Posted Mon August 30, 2021 09:49 AM
    Hi Riccardo,
        I can't use a custom rule to fix this issue, even if I place another rule in the post-mapping rules like the following:
    event.getBean().setCurrentAttributeValue("erADContainer", container.toString());
       Finally I gave up and used Account Configuration to set the target attributes with a fixed dn.

    ------------------------------
    Andy Wu
    ------------------------------



  • 9.  RE: IGI rules bug?

    Posted Tue August 31, 2021 12:21 PM
    Hi,

    We're facing the same issue in our PROD environment for the rule ModifyUser.
    I just opened a ticket to support.
    What version of IGI do you have?

    Regards

    ------------------------------
    Laurence PETIT
    ------------------------------



  • 10.  RE: IGI rules bug?

    Posted Mon August 30, 2021 03:47 AM
    Hi Andy,

    At first look, the code and methods seem OK except for the "for" loop. However, the error logs look like they are pointing to another issue. Can you go through the OUT queue rule without any issue if this rule is removed?

    ------------------------------
    Jaskeerat Singh
    ------------------------------



  • 11.  RE: IGI rules bug?

    Posted Mon August 30, 2021 09:13 AM
    Hi Jaskeerat,
        If the rule is removed, the issue is gone.
    But that's not my case; I need to create the account in the target system with a random dn, not a fixed dn.

    Regards
    Andy

    ------------------------------
    Andy Wu
    ------------------------------