FIM 2010 Troubleshooting: Discovery Errors - multi-single-mismatch
Environment
- Sun One Management Agent
Problem statement
In doing a Full and/or a Delta Import on a Sun One Management Agent we are seeing several Discovery Errors with the wording "multi-single mismatch".
Clicking the object link or the "multi-single mismatch" links in the errors section displays the Object Error Details dialog.
Troubleshooting
We then took a look at the Run History after exporting it to XML, and found the error message listed there. However, no more information other than the DN of the object.
Run History
<ma-discovery-errors>
<ma-object-error><error-type>multi-single-mismatch</error-type><dn>((( OBJECT DN )))</dn><anchor>fd9cae02-1dd111b2-8076e6a0-e33eba5b</anchor></ma-object-error>
From there, we dumped the hologram of the object to see what the object looked like in the connector space.
Steps to export CS object
Open and Administrative Command Prompt and Navigate to %programfiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin folder
Execute the following command and then press the ENTER key
csexport <name of the sun one management agent> badobject.xml /f:d=<dn of bad object>
On receipt of the badobject.xml, we reviewed the connector space information for multi-valued attributes. Since the problem was being exposed on Import, we reviewed the "pending-import-hologram " section. We can identify a multi-value attribute by looking for the word multivalued. The XML element multivalued has a true or false setting. We were able to identify the multivalued and single valued attributes, but that is about it at this point.
Multi-valued attributes
<pending-import-hologram>
<entry dn="((( OBJECT DN ))) ">
<anchor>fd9cae02-1dd111b2-8076e6a0-e33eba5b</anchor>
<parent-anchor>3b38b2e6-1dd211b2-802ae6a0-e33eba5b</parent-anchor>
<primary-objectclass>inetOrgPerson</primary-objectclass>
<objectclass><oc-value>top</oc-value>
<oc-value>Person</oc-value>
<oc-value>inetOrgPerson</oc-value>
<oc-value>organizationalPerson</oc-value>
<oc-value>(( OC VALUE )))</oc-value>
</objectclass>
<attr multivalued="false " type="string " name="MyMailAttribute ">
<value><mymail@mymail.com%3C/value>>
</attr>
<attr multivalued="true " type="string " name="MyPersonAffliation ">
<value>Full Time Employee</value>
</attr>
We then ran a network trace and we were able to locate an LDAP Result for a specific UID that was failing.
Network trace
Frame: Number = 2903, Captured Frame Length = 210, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-B2-00-15],SourceAddress:[00-10-DB-FF-21-50]
+ Tcp: Flags=...AP..., SrcPort=LDAP(389), DstPort=65307, PayloadLen=156, Seq=4213507664 - 4213507820, Ack=2781020950, Win=49640 (scale factor 0x0) = 49640
Ldap: Search Result Entry, MessageID: 1234567
- LDAPMessage: Search Result Entry, MessageID: 1234567
+ ParserHeader:
+ MessageID: 1234567
+ OperationHeader: Search Result Entry, 4(0x4)
- SearchResultEntry: changenumber=987654,cn=changelog
+ ObjectName: changenumber=987654,cn=changelog
+ Attributes: 3 Partial Attributes
We then reviewed the Sun One Change Log information for that specific changenumber. Notice the modification add to MyMailAttribute. If we go back and check MyMailAttribute in the badobject.xml file, we can see that it is a single valued attribute.
Sun One Change log
changeNumber: 987654
changeType: modify
targetDn: ((( OBJECT DN )))
changes:
add: MyMailAttribute
MyMailAttribute: msftengineer@microsoft.com
-
replace: modifiersname
modifiersname: cn=managers
-
replace: modifytimestamp
modifytimestamp: 20130108052303Z
BADOBJECT.XML
<attr multivalued="false " type="string " name="MyMailAttribute ">
<value><mymail@mymail.com%3C/value>>
</attr>
Resolution
To resolve the issue, we followed these steps:
- Made MyMailAttribute a multivalued attribute
- Refresh Schema on the Sun One Management Agent
- Run a Full Import (Stage Only)
- Run a Full Synchronization