Hacking the import/export logs

Here’s a trick that is worth knowing – though I’m only recommending it for TEST ENVIRONMENTS – consider yourself warned.

You may have noticed the “test only” log file options on the import and export run profiles. Being able to stop the run at the log file is incredibly useful for testing what would have been exported, without actually going ahead and doing it. You can then resume the export from the log file – and if you wanted to, there is nothing to actually stop you editing that log file before resuming the run.

Mostly I have made use of this trick in test situations where I want to simulate a set of external data to see how my MIIS code deals with it. Perhaps I need to test for certain odd situations that are a bit hard to generate in the real environment, so as a short-cut I construct an import.xml to feed the right data into MIIS.

You could also change a setting in an export.xml file to test how the change affects the external environment. Maybe you can’t get access to make the change directly and this way you can piggy-back on MIIS’s existing permissions, without actually having to modify extension code or flow rules.

And now here is where I confess that I’m writing this post tonight because I actually used this hack on a production system today <gasp>. Not sure why, but MIIS was giving me repeated dn-attributes-failure messages when I attempted to export a group. It was complaining a new member didn’t exist in AD – but it did (I got a colleague to double-check just in case I was going nuts!). After trying various full import/syncs I finally resorted to hacking the export.xml to change the “add” member command to a “delete”. The export then completed (making no changes as the user wasn’t in the group yet after all), I resync’d everything, the member add was duly re-queued, and this time it exported happily. I’m still trying to figure out why this situation happened in the first place, but as a sneaky fix-it, the log file hack got me back in business quicker than any of the alternative, more drastic methods.
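Because nothing stops the log file being edited between the test-only run and the resume, it helps to record exactly what a hand edit changed before resuming. The following Python check is an added example, not code from the original post; the XML layout, the `operation` attribute and the DNs are simplified, constructed assumptions, not the real MIIS log schema.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample; simplified layout, NOT the real MIIS log schema.
ORIGINAL = """<export>
  <entry dn="CN=Sales,OU=Groups,DC=example,DC=test">
    <attr name="member">
      <value operation="add">CN=Pat,OU=Users,DC=example,DC=test</value>
    </attr>
  </entry>
</export>"""
EDITED = ORIGINAL.replace('operation="add"', 'operation="delete"')


def fingerprint(xml_text):
    """SHA-256 of the file content, recorded right after the test-only run."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def flatten(xml_text):
    """List (path, attributes, text) for every element, in document order."""
    rows = []
    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        rows.append((here, dict(elem.attrib), (elem.text or "").strip()))
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return rows


def audit_edits(before, after):
    """Return human-readable differences between two versions of the log."""
    if fingerprint(before) == fingerprint(after):
        return []
    a, b = flatten(before), flatten(after)
    if [r[0] for r in a] != [r[0] for r in b]:
        return ["structure changed: elements added, removed or reordered"]
    changes = []
    for (path, attrs_a, text_a), (_, attrs_b, text_b) in zip(a, b):
        for key in sorted(set(attrs_a) | set(attrs_b)):
            if attrs_a.get(key) != attrs_b.get(key):
                changes.append(f"{path} @{key}: {attrs_a.get(key)!r} -> {attrs_b.get(key)!r}")
        if text_a != text_b:
            changes.append(f"{path} text: {text_a!r} -> {text_b!r}")
    return changes


print("\n".join(audit_edits(ORIGINAL, EDITED)))
```

Keeping the fingerprint of the untouched file alongside the audit output gives a record of what was exported versus what the run originally produced.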

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.