[midPoint] Midpoint 3.3 and OpenLDAP

Shawn McKinney smckinney at symas.com
Mon Dec 21 15:52:42 CET 2015


Hello

I am working on a sample deployment of Midpoint 3.3.  Here are some details:

O/S : CentOS 7 64-bit
JDK : java version “1.7.0_91”, OpenJDK Runtime Environment (rhel-2.6.2.1.el7_1-x86_64 u91-b00), OpenJDK 64-Bit Server VM (build 24.91-b01, mixed mode)
Tomcat : 8.0.29
PostgreSQL : PostgreSQL 9.2.14 on x86_64-redhat-linux-gnu
OpenLDAP : slapd 2.4.43

The current task, get openldap setup as a resource with Midpoint so it can start to manage accounts.  

Here are some specifics about the openldap deployment.

1. in the slapd.conf I have added the following acls:
# midpoint ACLs:

access to attrs=userPassword,shadowLastChange by dn="cn=idm,ou=Administrators,dc=example,dc=com" write
        by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
        by anonymous auth by self write
        by * none

access to dn.base=""
        by * read

access to dn.subtree="ou=people,dc=example,dc=com"
        by dn="cn=idm,ou=Administrators,dc=example,dc=com" write

access to dn.subtree="ou=groups,dc=example,dc=com"
        by dn="cn=idm,ou=Administrators,dc=example,dc=com" write

access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
        by dn="cn=idm,ou=Administrators,dc=example,dc=com" read by self read by * none

2. I have added the following user to the directory to be used by midpoint connections:
dn: cn=idm,ou=Administrators,dc=example,dc=com
objectClass: inetOrgPerson
cn: idm
sn: IDM Administrator
description: Special LDAP acccount used by the IDM to access the LDAP data.
userPassword:: e1NTSEF9UjVLRjNLNFgyRlg1Z2tXS3VEeG00TTZnWnlPMFFnTkY=

3. I have successfully tested creating connections with this user with another application (apache directory studio).  


Here are some details about my openldap setup.  It is failing when I try to list resources using the admin UI.  Can you help?

1. I used this file as the base config: https://github.com/Evolveum/midpoint/blob/master/samples/resources/openldap/openldap-localhost-medium.xml

2. with some changes:
		<icfc:configurationProperties>
			<icfcldap:port>389</icfcldap:port>
			<icfcldap:host>10.72.85.21</icfcldap:host>
			<icfcldap:baseContext>dc=example,dc=com</icfcldap:baseContext>
			<icfcldap:bindDn>cn=idm,ou=Administrators,dc=example,dc=com</icfcldap:bindDn>
			<icfcldap:bindPassword><t:clearValue>secret</t:clearValue></icfcldap:bindPassword>
			<icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
			<!--icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm-->
			<icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute>
			<icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
			<icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
			<icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
		</icfc:configurationProperties>
		<icfc:resultsHandlerConfiguration>
			<icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
			<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
			<icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
		</icfc:resultsHandlerConfiguration>
	</connectorConfiguration>

3. Which can then be successfully imported to the admin UI.

4. When I list the resources, I get an error:

2015-12-21 14:49:00,921 [UCF] [http-nio-8080-exec-8] ERROR (com.evolveum.midpoint.provisioning.ucf.impl.IcfUtil): ICF Exception java.lang.NullPointerException in connector:bcf82b24-29fa-490a-8210-bc7ce827af3d(ICF com.evolveum.polygon.connector.ldap.LdapConnector v1.4.2.0): resource:d0811790-1d80-11e4-86b2-3c970e467874(OpenLDAP): null
java.lang.NullPointerException: null
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.<init>(LdapNetworkConnection.java:231) ~[api-all-1.0.0-M32-e1.jar:1.0.0-M32-e1]
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.<init>(LdapNetworkConnection.java:360) ~[api-all-1.0.0-M32-e1.jar:1.0.0-M32-e1]
	at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.connect(AbstractLdapConnector.java:1115) ~[connector-ldap-1.4.2.0.jar:na]
	at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.init(AbstractLdapConnector.java:165) ~[connector-ldap-1.4.2.0.jar:na]
	at org.identityconnectors.framework.impl.api.local.ConnectorPoolManager$ConnectorPoolHandler.makeObject(ConnectorPoolManager.java:131) ~[connector-framework-internal-1.4.2.0.jar:na]
	at org.identityconnectors.framework.impl.api.local.ConnectorPoolManager$ConnectorPoolHandler.makeObject(ConnectorPoolManager.java:83) ~[connector-framework-internal-1.4.2.0.jar:na]
	at org.identityconnectors.framework.impl.api.local.ObjectPool.makeObject(ObjectPool.java:398) ~[connector-framework-internal-1.4.2.0.jar:na]
	at org.identityconnectors.framework.impl.api.local.ObjectPool.borrowObjectNoTest(ObjectPool.java:294) ~[connector-framework-internal-1.4.2.0.jar:na]
	at org.identityconnectors.framework.impl.api.local.ObjectPool.borrowObject(ObjectPool.java:248) ~[connector-framework-internal-1.4.2.0.jar:na]
	at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:87) ~[connector-framework-internal-1.4.2.0.jar:na]
	at com.sun.proxy.$Proxy163.schema(Unknown Source) ~[na:na]
	at sun.reflect.GeneratedMethodAccessor700.invoke(Unknown Source) ~[na:na]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_91]
	at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_91]
	at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96) ~[connector-framework-internal-1.4.2.0.jar:na]
	at com.sun.proxy.$Proxy163.schema(Unknown Source) ~[na:na]
	at sun.reflect.GeneratedMethodAccessor700.invoke(Unknown Source) ~[na:na]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_91]
	at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_91]
	at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99) ~[connector-framework-internal-1.4.2.0.jar:na]
	at com.sun.proxy.$Proxy163.schema(Unknown Source) ~[na:na]
	at sun.reflect.GeneratedMethodAccessor700.invoke(Unknown Source) ~[na:na]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_91]
	at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_91]
	at org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:83) ~[connector-framework-internal-1.4.2.0.jar:na]
	at com.sun.proxy.$Proxy163.schema(Unknown Source) ~[na:na]
	at org.identityconnectors.framework.impl.api.AbstractConnectorFacade.schema(AbstractConnectorFacade.java:145) ~[connector-framework-internal-1.4.2.0.jar:na]
	at com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl.retrieveResourceSchema(ConnectorInstanceIcfImpl.java:588) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl.initialize_aroundBody4(ConnectorInstanceIcfImpl.java:498) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl$AjcClosure5.run(ConnectorInstanceIcfImpl.java:1) [provisioning-impl-3.3.jar:na]
	at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) [aspectjtools-1.7.3.jar:na]
	at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:178) [util-3.3.jar:na]
	at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1) [util-3.3.jar:na]
	at com.evolveum.midpoint.util.aspect.MidpointAspect.processUcfNdc(MidpointAspect.java:78) [util-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl.initialize(ConnectorInstanceIcfImpl.java:473) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.impl.ConnectorManager.createConfiguredConnectorInstance(ConnectorManager.java:162) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.impl.ConnectorManager.getConfiguredConnectorInstance(ConnectorManager.java:129) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.impl.ResourceManager.getConnectorInstance(ResourceManager.java:834) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.impl.ResourceManager.completeResource(ResourceManager.java:258) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.impl.ResourceManager.putToCache(ResourceManager.java:159) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.impl.ResourceManager.getResource(ResourceManager.java:130) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.completeObject(ProvisioningServiceImpl.java:633) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.searchRepoObjects(ProvisioningServiceImpl.java:561) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.searchObjects_aroundBody6(ProvisioningServiceImpl.java:500) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl$AjcClosure7.run(ProvisioningServiceImpl.java:1) [provisioning-impl-3.3.jar:na]
	at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) [aspectjtools-1.7.3.jar:na]
	at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:178) [util-3.3.jar:na]
	at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1) [util-3.3.jar:na]
	at com.evolveum.midpoint.util.aspect.MidpointAspect.processProvisioningNdc(MidpointAspect.java:68) [util-3.3.jar:na]
	at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.searchObjects(ProvisioningServiceImpl.java:486) [provisioning-impl-3.3.jar:na]
	at com.evolveum.midpoint.model.impl.controller.ModelController.searchObjects_aroundBody8(ModelController.java:846) [model-impl-3.3.jar:na]
	at com.evolveum.midpoint.model.impl.controller.ModelController$AjcClosure9.run(ModelController.java:1) [model-impl-3.3.jar:na]
	at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) [aspectjtools-1.7.3.jar:na]
	at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:178) [util-3.3.jar:na]
	at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1) [util-3.3.jar:na]
	at com.evolveum.midpoint.util.aspect.MidpointAspect.processModelNdc(MidpointAspect.java:63) [util-3.3.jar:na]
	at com.evolveum.midpoint.model.impl.controller.ModelController.searchObjects(ModelController.java:799) [model-impl-3.3.jar:na]
	at com.evolveum.midpoint.web.component.data.ObjectDataProvider.internalIterator(ObjectDataProvider.java:123) [classes/:na]
	at com.evolveum.midpoint.web.component.data.BaseSortableDataProvider.iterator(BaseSortableDataProvider.java:190) [classes/:na]
	at org.apache.wicket.markup.repeater.data.DataViewBase$ModelIterator.<init>(DataViewBase.java:107) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.markup.repeater.data.DataViewBase.getItemModels(DataViewBase.java:74) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.markup.repeater.AbstractPageableView.getItemModels(AbstractPageableView.java:101) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.markup.repeater.RefreshingView.onPopulate(RefreshingView.java:93) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.markup.repeater.AbstractRepeater.onBeforeRender(AbstractRepeater.java:123) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.markup.repeater.AbstractPageableView.onBeforeRender(AbstractPageableView.java:115) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.internalBeforeRender(Component.java:949) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.beforeRender(Component.java:1017) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1684) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.onBeforeRender(Component.java:3833) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.internalBeforeRender(Component.java:949) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.beforeRender(Component.java:1017) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1684) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.onBeforeRender(Component.java:3833) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.internalBeforeRender(Component.java:949) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.beforeRender(Component.java:1017) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1684) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.onBeforeRender(Component.java:3833) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.internalBeforeRender(Component.java:949) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.beforeRender(Component.java:1017) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1684) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.onBeforeRender(Component.java:3833) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.markup.html.form.Form.onBeforeRender(Form.java:1803) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.internalBeforeRender(Component.java:949) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.beforeRender(Component.java:1017) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1684) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.onBeforeRender(Component.java:3833) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Page.onBeforeRender(Page.java:809) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.internalBeforeRender(Component.java:949) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.beforeRender(Component.java:1017) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.internalPrepareForRender(Component.java:2201) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Page.internalPrepareForRender(Page.java:240) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Component.render(Component.java:2290) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.Page.renderPage(Page.java:1024) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.request.handler.render.WebPageRenderer.renderPage(WebPageRenderer.java:139) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:284) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.core.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:175) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:890) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64) [wicket-request-6.20.0.jar:6.20.0]
	at org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:261) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:218) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:289) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:259) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:201) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:282) [wicket-core-6.20.0.jar:6.20.0]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.29]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.29]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.0.6.RELEASE.jar:4.0.6.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344) [spring-web-4.0.6.RELEASE.jar:4.0.6.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261) [spring-web-4.0.6.RELEASE.jar:4.0.6.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.29]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.29]
	at com.evolveum.midpoint.web.util.MidPointProfilingServletFilter.doFilter(MidPointProfilingServletFilter.java:78) [classes/:na]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.29]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.29]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [catalina.jar:8.0.29]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [catalina.jar:8.0.29]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [catalina.jar:8.0.29]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [catalina.jar:8.0.29]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [catalina.jar:8.0.29]
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616) [catalina.jar:8.0.29]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [catalina.jar:8.0.29]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518) [catalina.jar:8.0.29]
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) [tomcat-coyote.jar:8.0.29]
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) [tomcat-coyote.jar:8.0.29]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-coyote.jar:8.0.29]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-coyote.jar:8.0.29]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_91]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_91]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.29]
	at java.lang.Thread.run(Thread.java:745) [na:1.7.0_91]
[midpoint at localhost fortress]$ 


5. Here is the connector that's active:
 <icfc:configurationProperties xmlns:gen189="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
      
6. Here is the resource as currently configured in my env:
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="d0811790-1d80-11e4-86b2-3c970e467874" version="0">
    <name>OpenLDAP</name>
    <description>
            LDAP resource using a ConnId LDAP connector. It contains configuration
            for use with OpenLDAP servers.
        </description>
    <metadata>
        <createTimestamp>2015-12-19T01:12:45.236Z</createTimestamp>
        <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"/>
        <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
    </metadata>
    <connectorRef oid="bcf82b24-29fa-490a-8210-bc7ce827af3d" type="c:ConnectorType">
        <!-- ICF com.evolveum.polygon.connector.ldap.LdapConnector v1.4.2.0 -->
        <description>
                Reference to the OpenICF LDAP connector. This is dynamic reference, it will be translated to
                OID during import.
            </description>
        <filter>
            <q:equal>
                <q:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:connectorType</q:path>
                <q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value>
            </q:equal>
        </filter>
    </connectorRef>
    <connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
        <icfc:resultsHandlerConfiguration>
            <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
            <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
            <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
        </icfc:resultsHandlerConfiguration>
        <icfc:configurationProperties xmlns:gen189="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
            <gen189:port>389</gen189:port>
            <gen189:vlvSortAttribute>uid</gen189:vlvSortAttribute>
            <gen189:baseContext>dc=example,dc=com</gen189:baseContext>
            <gen189:vlvSortOrderingRule>2.5.13.3</gen189:vlvSortOrderingRule>
            <gen189:bindDn>cn=idm,ou=Administrators,dc=example,dc=com</gen189:bindDn>
            <gen189:pagingStrategy>auto</gen189:pagingStrategy>
            <gen189:operationalAttributes>memberOf</gen189:operationalAttributes>
            <gen189:operationalAttributes>createTimestamp</gen189:operationalAttributes>
            <gen189:host>10.72.85.21</gen189:host>
            <gen189:bindPassword>
                <t:encryptedData>
                    <t:encryptionMethod>
                        <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm>
                    </t:encryptionMethod>
                    <t:keyInfo>
                        <t:keyName>R7wh8+ARxcNGTzk5EsXG79KJvgA=</t:keyName>
                    </t:keyInfo>
                    <t:cipherData>
                        <t:cipherValue>Sim3cp2FMxa4XXlPiO4QgpDS8BNhMN6v57HBtQ7WbX0=</t:cipherValue>
                    </t:cipherData>
                </t:encryptedData>
            </gen189:bindPassword>
        </icfc:configurationProperties>
    </connectorConfiguration>
    <schema>
        <generationConstraints>
            <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
            <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
            <generateObjectClass>ri:groupOfNames</generateObjectClass>
            <generateObjectClass>ri:organizationalUnit</generateObjectClass>
        </generationConstraints>
    </schema>
    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <displayName>Normal Account</displayName>
            <default>true</default>
            <objectClass>ri:inetOrgPerson</objectClass>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:dn</c:ref>
                <displayName>Distinguished Name</displayName>
                <limitations>
                    <minOccurs>0</minOccurs>
                    <access>
                        <read>true</read>
                        <add>true</add>
                        <modify>true</modify>
                    </access>
                </limitations>
                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <source>
                        <c:path>$user/name</c:path>
                    </source>
                    <expression>
                        <script>
                            <code>
								'uid=' + name + iterationToken + ',ou=people,dc=example,dc=com'
							</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:entryUUID</c:ref>
                <displayName>Entry UUID</displayName>
                <limitations>
                    <access>
                        <read>true</read>
                        <add>false</add>
                        <modify>true</modify>
                    </access>
                </limitations>
                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
            </attribute>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</c:ref>
                <displayName>Common Name</displayName>
                <limitations>
                    <minOccurs>0</minOccurs>
                    <access>
                        <read>true</read>
                        <add>true</add>
                        <modify>true</modify>
                    </access>
                </limitations>
                <outbound>
                    <source>
                        <c:path>$user/fullName</c:path>
                    </source>
                </outbound>
                <inbound>
                    <target>
                        <c:path>$user/fullName</c:path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:sn</c:ref>
                <displayName>Surname</displayName>
                <limitations>
                    <minOccurs>0</minOccurs>
                </limitations>
                <outbound>
                    <source>
                        <c:path>familyName</c:path>
                    </source>
                </outbound>
                <inbound>
                    <target>
                        <c:path>familyName</c:path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:givenName</c:ref>
                <displayName>Given Name</displayName>
                <outbound>
                    <source>
                        <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:givenName</c:path>
                    </source>
                </outbound>
                <inbound>
                    <target>
                        <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:givenName</c:path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:uid</c:ref>
                <displayName>Login Name</displayName>
                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <strength>weak</strength>
                    <source>
                        <description>Source may have description</description>
                        <c:path>$user/name</c:path>
                    </source>
                    <expression>
                        <script>
                            <code>name + iterationToken</code>
                        </script>
                    </expression>
                </outbound>
                <inbound>
                    <target>
                        <description>Targets may have description</description>
                        <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:name</c:path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:description</c:ref>
                <outbound>
                    <strength>weak</strength>
                    <expression>
                        <description>Expression that assigns a fixed value</description>
                        <value>Created by midPoint</value>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:l</c:ref>
                <displayName>Location</displayName>
                <outbound>
                    <source>
                        <c:path>$user/locality</c:path>
                    </source>
                </outbound>
            </attribute>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:employeeType</c:ref>
                <displayName>Employee Type</displayName>
                <tolerant>false</tolerant>
                <outbound>
                    <source>
                        <c:path>$user/employeeType</c:path>
                    </source>
                </outbound>
            </attribute>
            <association>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group</c:ref>
                <displayName>LDAP Group Membership</displayName>
                <kind>entitlement</kind>
                <intent>ldapGroup</intent>
                <direction>objectToSubject</direction>
                <associationAttribute>ri:member</associationAttribute>
                <valueAttribute>ri:dn</valueAttribute>
            </association>
            <iteration>
                <maxIterations>5</maxIterations>
            </iteration>
            <protected>
                <filter>
                    <q:equal>
                        <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#stringIgnoreCase</q:matching>
                        <q:path xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">attributes/ri:dn</q:path>
                        <q:value>cn=idm,ou=Administrators,dc=example,dc=com</q:value>
                    </q:equal>
                </filter>
            </protected>
            <activation>
                <administrativeStatus>
                    <outbound/>
                    <inbound>
                        <strength>weak</strength>
                        <expression>
                            <asIs/>
                        </expression>
                    </inbound>
                </administrativeStatus>
            </activation>
            <credentials>
                <password>
                    <outbound>
                        <expression>
                            <asIs/>
                        </expression>
                    </outbound>
                    <inbound>
                        <strength>weak</strength>
                        <expression>
                            <generate/>
                        </expression>
                    </inbound>
                </password>
            </credentials>
        </objectType>
        <objectType>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <displayName>LDAP Group</displayName>
            <objectClass>ri:groupOfNames</objectClass>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:dn</c:ref>
                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <source>
                        <c:path>$focus/name</c:path>
                    </source>
                    <expression>
                        <script>
                            <code>
								import javax.naming.ldap.Rdn
								import javax.naming.ldap.LdapName
								
								dn = new LdapName('ou=groups,dc=example,dc=com')
								dn.add(new Rdn('cn', name.toString()))
								return dn.toString()
							</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:member</c:ref>
                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
                <fetchStrategy>minimal</fetchStrategy>
            </attribute>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</c:ref>
                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <strength>weak</strength>
                    <source>
                        <c:path>$focus/name</c:path>
                    </source>
                </outbound>
            </attribute>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:description</c:ref>
                <outbound>
                    <source>
                        <c:path>description</c:path>
                    </source>
                </outbound>
            </attribute>
            <configuredCapabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
                <cap:pagedSearch>
                    <cap:defaultSortField>ri:uid</cap:defaultSortField>
                </cap:pagedSearch>
            </configuredCapabilities>
        </objectType>
    </schemaHandling>
    <consistency>
        <avoidDuplicateValues>true</avoidDuplicateValues>
    </consistency>
    <synchronization>
        <objectSynchronization>
            <enabled>true</enabled>
            <correlation>
                <q:description>
	                    Correlation expression is a search query.
	                    Following search queury will look for users that have "name"
	                    equal to the "uid" attribute of the account. Simply speaking,
	                    it will look for match in usernames in the IDM and the resource.
	                    The correlation rule always looks for users, so it will not match
	                    any other object type.
	                </q:description>
                <q:equal>
                    <q:path>name</q:path>
                    <expression>
                        <c:path xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">declare namespace ri='http://midpoint.evolveum.com/xml/ns/public/resource/instance-3'; $account/attributes/ri:uid</c:path>
                    </expression>
                </q:equal>
            </correlation>
            <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
            </reaction>
            <reaction>
                <situation>deleted</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unlinked</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unmatched</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
                </action>
            </reaction>
        </objectSynchronization>
    </synchronization>
</resource>


Shawn




More information about the midPoint mailing list