[midPoint] unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)

Radovan Semancik radovan.semancik at evolveum.com
Wed Jul 31 14:15:36 CEST 2019


Hi,

I was curious. I have checked my testing AD 2012R2. And it works well 
with VLV:

Search REQ base=CN=Users,DC=ad,DC=evolveum,DC=com, 
filter=(objectClass=user), scope=sub,
  attributes=[*, unicodePwd, userAccountControl, createTimeStamp, 
msExchHideFromAddressLists, objectGUID, objectClass], 
controls=Sort(cn:null:A),,VLV(beforeCount=0, afterCount=1, offset=2, 
contentCount=0, contextID=null)

Maybe the problem is not VLV by itself, maybe the problem is that sort? 
Maybe it works only for some attributes?
Or maybe there is some special configuration in your case? My AD 
instance is pretty much default configuration.

-- 
Radovan Semancik
Software Architect
evolveum.com
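
Added example (not part of the original message and not connector code): a small Python parser for the "controls=" part of the search request logged above, which lists the controls a request carried and flags any whose OID is missing from a directory's rootDSE supportedControl values. The supportedControl set is a constructed sample, and the reading of the Sort triple as attribute:orderingRule:direction is an assumption based on how it is written in this thread.

```python
import re

# OIDs of the two controls named in the log (server-side sort is RFC 2891; VLV is an IETF draft).
CONTROL_OIDS = {
    "Sort": "1.2.840.113556.1.4.473",
    "VLV": "2.16.840.1.113730.3.4.9",
}

# Search request as logged in the message above (wraps joined, attribute list shortened).
LOG_LINE = (
    "Search REQ base=CN=Users,DC=ad,DC=evolveum,DC=com, "
    "filter=(objectClass=user), scope=sub, attributes=[*, unicodePwd], "
    "controls=Sort(cn:null:A),,VLV(beforeCount=0, afterCount=1, offset=2, "
    "contentCount=0, contextID=null)"
)

# Constructed sample of rootDSE supportedControl values (paged results + sort only).
SAMPLE_SUPPORTED = {"1.2.840.113556.1.4.319", "1.2.840.113556.1.4.473"}


def parse_controls(line):
    """Return [(name, args)] for every Name(args) item after 'controls='."""
    _, sep, tail = line.partition("controls=")
    if not sep:
        return []
    return re.findall(r"([A-Za-z]\w*)\(([^()]*)\)", tail)


def sort_keys(args):
    """Split Sort args 'attr:rule:dir' (assumed layout); 'null' means no ordering rule."""
    keys = []
    for item in filter(None, (a.strip() for a in args.split(","))):
        attr, rule, direction = (item.split(":") + ["null", "A"])[:3]
        keys.append({"attribute": attr,
                     "ordering_rule": None if rule == "null" else rule,
                     "direction": direction})
    return keys


def unadvertised(line, supported):
    """Names of logged controls whose OID is unknown or absent from supportedControl."""
    return [name for name, _ in parse_controls(line)
            if CONTROL_OIDS.get(name) not in supported]


if __name__ == "__main__":
    for name, args in parse_controls(LOG_LINE):
        print(name, CONTROL_OIDS.get(name, "unknown OID"), args)
    print("not advertised:", unadvertised(LOG_LINE, SAMPLE_SUPPORTED))
```

To use it against a real directory, replace SAMPLE_SUPPORTED with the supportedControl values read from that server's rootDSE.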



On 7/30/19 2:48 PM, JStanczak at vinu.edu wrote:
> Windows Server 2012 R2.
>
> Ya I've tried several codes. Nothing seems to work. Many of the codes 
> were from Ldp.exe. SPR is ok for now but I will have to loop back and 
> fix this issue later. I'm kind of at a loss for the moment.
>
> Thanks.
>
>
> -----"midPoint" <midpoint-bounces at lists.evolveum.com> wrote: -----
> To: midpoint at lists.evolveum.com
> From: "Radovan Semancik"
> Sent by: "midPoint"
> Date: 07/30/2019 04:01AM
> Subject: Re: [midPoint] unavailableCriticalExtension: 000020EF: 
> SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)
>
> Hi,
>
> Ordering rule 2.5.13.3 works for OpenLDAP. It is perhaps worth trying. 
> The trouble with AD is that it does not specify any matching rules in 
> its LDAP schema. Therefore this is all pretty much guesswork.
>
> However, I'm quite curious. What version/flavor of AD are you using? I 
> have tested the connector with several versions and configurations, 
> but I have never run into this problem. Paging/sorting worked without 
> any need for special configuration. I wonder what might be the root cause.
>
> -- 
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
> On 7/29/19 5:50 PM, JStanczak at vinu.edu wrote:
>> That helps. It's the VLV causing it. I think I have it almost there 
>> but I'm not sure what ordering rule (VLV ordering rule) to use.
>>
>> controls=Sort(uid:<????>:A) <-- I've tried several numbers and each 
>> time I get unavailableCriticalExtension.
>>
>> Setting to SPR works just fine but it would be nice to use VLV if 
>> it's better.
>>
>> Thanks.
>>
>>
>>
>>
>> -----"midPoint" <midpoint-bounces at lists.evolveum.com> wrote: -----
>> To: midpoint at lists.evolveum.com
>> From: "Radovan Semancik"
>> Sent by: "midPoint"
>> Date: 07/25/2019 05:27AM
>> Subject: Re: [midPoint] unavailableCriticalExtension: 000020EF: 
>> SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)
>>
>> Hi,
>>
>> LDAP protocol is extensible by using the mechanisms of extended 
>> operations and controls. This error suggests that AD does not 
>> support one of the controls that are used in operation that midPoint 
>> has requested. You can have a look at AD log files and hope that you 
>> will find more information as to which particular control is not 
>> supported. Or you can contact Microsoft support. However, according 
>> to my experience, both are quite pointless exercises. When it comes 
>> to that particular technology, trial-and-error is the best approach 
>> that I could find.
>>
>> Therefore I would suggest following our troubleshooting guide:
>>
>> https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting
>>
>> I would recommend finding the LDAP operation that caused the error. 
>> The connector should log all important parts of the operations, 
>> including the controls. Look for "controls=....". One of those 
>> controls is probably the cause of the problem. Once you know what 
>> control is the problem, you can try enabling that control in the AD. 
>> Or, if that is not possible, then the connector has several 
>> configuration options that control the use of those LDAP controls. 
>> However, the connector is only using a very basic set of controls 
>> that make LDAP protocol barely usable for IDM purposes. Disabling any 
>> of them may affect usability of midPoint's connection to AD. But I'm 
>> speculating here. Let's see what control is the problem first.
>>
>> -- 
>> Radovan Semancik
>> Software Architect
>> evolveum.com
>>
>>
>> On 7/24/19 3:44 PM, JStanczak at vinu.edu wrote:
>>> When accessing all users on the resource I get the below error. 
>>> Searching for users works fine too. Is this some AD limitation?
>>>
>>>
>>> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector - 2.0
>>> java.version - 1.8.0_191
>>> Version - 3.9
>>> ConnId framework version - 1.5.0.0
>>>
>>> com.evolveum.midpoint.util.exception.CommunicationException: Error 
>>> communicating with the connector 
>>> ConnectorInstanceIcfImpl(connector:cd7ec95b-9007-47b4-b6f6-9a95ec085f68(ConnId 
>>> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v2.0)): IO 
>>> error: 
>>> org.identityconnectors.framework.common.exceptions.ConnectorIOException(LDAP 
>>> error during search in DC=local-test,DC=vinu,DC=edu: 
>>> unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140552, 
>>> problem 5010 (UNAVAIL_EXTENSION), data 0?? (12))
>>> at 
>>> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.searchResourceObjects(ResourceObjectConverter.java:1330)
>>>
>>> Thanks.
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>

