ForgeRock Identity Platform
Does not apply to Identity Cloud

IDM (All versions) connector returns null search result

Last updated Apr 8, 2021

The purpose of this article is to provide assistance if your IDM connector (Active Directory®, LDAP, etc.) returns a null (empty) search result for an attribute query even though the record exists. That is, native queries performed directly against the external system (such as a Connector Server search against Active Directory or an ldapsearch against DS) find the record.


Symptoms

With a query such as:

var params = {"query":{"Equals":{"field" : "samaccountname","values":[tempSamAccountName]}}};

where the attribute is actually named sAMAccountName in IDM, whereas the query uses the all-lowercase form samaccountname.

Note

This issue affects any command that searches an external system, where the case used in the command does not match the case of the attribute name stored in IDM.

The log from the connector shows the record has been found:

ConnectorServer.exe Information: 0 : Setting search string to '(&(ObjectCategory=Person)(&(objectclass=User (samaccountname=Test)))' DateTime=2014-04-14T18:58:14.6545244Z
ConnectorServer.exe Information: 0 : Search: Performing query  DateTime=2014-04-14T18:58:14.6545244Z
ConnectorServer.exe Information: 0 : Found object LDAP://10.10.100.10/CN=Core,OU=employees,DC=admin,DC=test,DC=example,DC=com  DateTime=2014-04-14T18:58:14.6545244Z
ConnectorServer.exe Information: 0 : Returning ''LDAP://10.10.100.10/CN=Core,OU=employees,DC=admin,DC=test,DC=example,DC=com''  DateTime=2014-04-14T18:58:14.6545244Z
ConnectorServer.exe Information: 0 : Search: found 1 results  DateTime=2014-04-14T18:58:14.6545244Z

But the log from IDM shows a null result:

FINEST: Request: {
  "type": "resource",
  "uuid": "3fc900a3-1f54-4297-b05a-14b4c0eefd86",
  "parent": {
    "id": null,
    "_isDirectHttp": true,
    "value": [
      {
        "replace": "examplecomStatus",
        "value": [ "Emp:1", "Employee:Core", "Admin:A" ]
      }
    ],
    "parent": {
      "type": "http",
      "uuid": "a9f07a2e-9425-43cb-9bd4-3ae140f3ff9e",
      "parent": {
        "type": "root",
        "uuid": "b445ab80-a7e5-41ba-b674-9f5d9625c261",
        "parent": null
      },
      "security": {
        "username": "openidmadmin",
        "userid": { "component": "internal/user", "id": "openidmadmin" },
        "openidm-roles": [ "openidm-admin", "openidm-authorized" ]
      },
      "method": "POST",
      "path": "/openidm/managed/user",
      "query": { "_action": "patch", "email": "core@example.com", "_queryId": "for-email" },
      "headers": {
        "Host": "localhost:8080",
        "Content-Length": "98",
        "User-Agent": "curl/1.10.1 (x86_64-redhat-linux-gnu) libcurl/1.10.1 NSS/3.14.3.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2",
        "X-OpenIDM-Username": "openidmadmin",
        "Content-Type": "application/json",
        "Accept": "*/*"
      }
    },
    "method": "action",
    "uuid": "22b9f099-2f2f-4098-b689-58df95cd9b51",
    "params": { "_action": "patch", "email": "core@example.com", "_queryId": "for-email" },
    "type": "resource"
  },
  "method": "query",
  "id": "system/core/account",
  "params": {
    "query": { "Equals": { "field": "samaccountname", "values": [ "Test" ] } }
  }
},
Response: { "result": [ ] }

Recent Changes

N/A

Causes

Attribute names in IDM are case sensitive by default, whereas attribute names in many external systems such as LDAP servers (including DS) and Active Directory are not; therefore, the connector can find the record regardless of the attribute case but IDM cannot unless the case in the query exactly matches the attribute name.

Solution

This issue can be resolved in one of two ways:

  • Standardize the data in your external system so that all attribute names use the same case as IDM.
  • Disable the FilteredResultsHandler to make the search case insensitive.

You can disable the FilteredResultsHandler by including the following in your provisioner configuration file (for example, provisioner.openicf-ad.json or provisioner.openicf-ldap.json), which is located in the /path/to/idm/conf directory:

"resultsHandlerConfig" : {
    "enableNormalizingResultsHandler" : true,
    "enableFilteredResultsHandler" : false,
    "enableAttributesToGetSearchResultsHandler" : true
}

Note

You must include all three result handlers to override the defaults; all three result handlers are enabled by default if resultsHandlerConfig is not specified.
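The following JavaScript is an added example and not ForgeRock's code. It models the two-stage query path that the Causes section describes: the connector matches attribute names case-insensitively (as AD and LDAP do), and the FilteredResultsHandler then re-applies the filter with case-sensitive attribute names, which is where the lowercase samaccountname query loses its result. It also shows the effect of the resultsHandlerConfig change from the Solution section, plus a pre-flight check that compares a query field against the property names declared in the provisioner's objectTypes and reports a case-only mismatch. The directory records, the provisioner fragment and the handler behaviour are constructed, simplified models of what the article states, not IDM internals.

```javascript
// Added example, not ForgeRock's code: a simplified model of why a query whose
// attribute name differs only in case from the IDM schema comes back empty, and a
// pre-flight check that catches the mismatch before a query is sent.
// The records, the provisioner fragment and the handler behaviour are constructed
// for illustration; they model what the article describes, not IDM internals.

// Constructed directory content. AD/LDAP treat attribute names case-insensitively,
// so the record is stored under its canonical names.
const directoryRecords = [
  { dn: "CN=Core,OU=employees,DC=example,DC=com",
    attrs: { sAMAccountName: "Test", mail: "core@example.com" } },
  { dn: "CN=Other,OU=employees,DC=example,DC=com",
    attrs: { sAMAccountName: "Other", mail: "other@example.com" } },
];

// Constructed fragment of a provisioner.openicf-*.json file: the property names
// under objectTypes are the case IDM expects in queries.
const provisionerConfig = {
  resultsHandlerConfig: {
    enableNormalizingResultsHandler: true,
    enableFilteredResultsHandler: true, // the default when the section is omitted
    enableAttributesToGetSearchResultsHandler: true,
  },
  objectTypes: {
    account: {
      properties: {
        sAMAccountName: { type: "string", nativeName: "sAMAccountName" },
        mail: { type: "string", nativeName: "mail" },
      },
    },
  },
};

// Look up an attribute value, either case-sensitively (IDM) or not (directory).
function getAttr(attrs, name, caseSensitive) {
  const key = caseSensitive
    ? (Object.prototype.hasOwnProperty.call(attrs, name) ? name : undefined)
    : Object.keys(attrs).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : attrs[key];
}

// Stage 1: the connector runs the filter against the directory, which matches
// attribute names regardless of case. This is why the connector log says "found 1".
function connectorSearch(records, query) {
  const { field, values } = query.Equals;
  return records.filter((r) => values.includes(getAttr(r.attrs, field, false)));
}

// Stage 2: the FilteredResultsHandler re-applies the same filter to the
// connector's results, but with case-sensitive attribute names. A query field
// of "samaccountname" finds no such attribute on the result and drops it.
function filteredResultsHandler(results, query) {
  const { field, values } = query.Equals;
  return results.filter((r) => values.includes(getAttr(r.attrs, field, true)));
}

// The query path as the article describes it: connector search, then the
// FilteredResultsHandler unless it is disabled in resultsHandlerConfig.
function idmQuery(config, records, query) {
  let results = connectorSearch(records, query);
  if (config.resultsHandlerConfig.enableFilteredResultsHandler !== false) {
    results = filteredResultsHandler(results, query);
  }
  return { result: results.map((r) => ({ _id: r.dn, ...r.attrs })) };
}

// Pre-flight check: compare the query field with the property names declared
// for the object type and report a case-only mismatch with the declared spelling.
function checkQueryField(config, objectType, field) {
  const names = Object.keys(config.objectTypes[objectType].properties);
  if (names.includes(field)) return { ok: true, field };
  const match = names.find((n) => n.toLowerCase() === field.toLowerCase());
  return match
    ? { ok: false, reason: "case mismatch", field, suggested: match }
    : { ok: false, reason: "unknown attribute", field };
}

// Demo: the lowercase query from the article, with the default handlers and with
// the FilteredResultsHandler disabled as the Solution section suggests.
const query = { Equals: { field: "samaccountname", values: ["Test"] } };
const fixedConfig = {
  ...provisionerConfig,
  resultsHandlerConfig: { ...provisionerConfig.resultsHandlerConfig, enableFilteredResultsHandler: false },
};
console.log("default handlers :", JSON.stringify(idmQuery(provisionerConfig, directoryRecords, query)));
console.log("filter disabled  :", JSON.stringify(idmQuery(fixedConfig, directoryRecords, query)));
console.log("pre-flight check :", JSON.stringify(checkQueryField(provisionerConfig, "account", "samaccountname")));
```

Run it with node. The first line prints an empty result, matching the IDM log above; the second returns the record once enableFilteredResultsHandler is false; the third reports the case mismatch and the declared spelling sAMAccountName. Running checkQueryField over your scripts' query fields is the cheaper first step, because correcting the attribute case in the query fixes that query alone, whereas the resultsHandlerConfig change applies to every query made through that provisioner file.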

See Also

Error when deleting an object from DS using the REST API in IDM (All versions)

Synchronization Guide › Reconcile With Case-Insensitive Data Stores

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.