[midPoint] Midpoint 3.3 and OpenLDAP
Shawn McKinney
smckinney at symas.com
Mon Dec 21 15:52:42 CET 2015
Hello
I am working on a sample deployment of Midpoint 3.3. Here are some details:
O/S : CentOS 7 64-bit
JDK : java version "1.7.0_91", OpenJDK Runtime Environment (rhel-2.6.2.1.el7_1-x86_64 u91-b00), OpenJDK 64-Bit Server VM (build 24.91-b01, mixed mode)
Tomcat : 8.0.29
PostgreSQL : PostgreSQL 9.2.14 on x86_64-redhat-linux-gnu
OpenLDAP : slapd 2.4.43
The current task: get OpenLDAP set up as a resource in midPoint so it can start to manage accounts.
Here are some specifics about the OpenLDAP deployment.
1. In slapd.conf I have added the following ACLs:
# midpoint ACLs:
access to attrs=userPassword,shadowLastChange by dn="cn=idm,ou=Administrators,dc=example,dc=com" write
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
by anonymous auth by self write
by * none
access to dn.base=""
by * read
access to dn.subtree="ou=people,dc=example,dc=com"
by dn="cn=idm,ou=Administrators,dc=example,dc=com" write
access to dn.subtree="ou=groups,dc=example,dc=com"
by dn="cn=idm,ou=Administrators,dc=example,dc=com" write
access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
by dn="cn=idm,ou=Administrators,dc=example,dc=com" read by self read by * none
2. I have added the following user to the directory to be used by midpoint connections:
dn: cn=idm,ou=Administrators,dc=example,dc=com
objectClass: inetOrgPerson
cn: idm
sn: IDM Administrator
description: Special LDAP account used by the IDM to access the LDAP data.
userPassword:: e1NTSEF9UjVLRjNLNFgyRlg1Z2tXS3VEeG00TTZnWnlPMFFnTkY=
3. I have successfully tested creating connections with this user from another application (Apache Directory Studio).
Here are some details about my OpenLDAP resource setup in midPoint. It fails when I try to list resources in the admin UI. Can you help?
1. I used this file as the base config: https://github.com/Evolveum/midpoint/blob/master/samples/resources/openldap/openldap-localhost-medium.xml
2. With some changes:
<icfc:configurationProperties>
<icfcldap:port>389</icfcldap:port>
<icfcldap:host>10.72.85.21</icfcldap:host>
<icfcldap:baseContext>dc=example,dc=com</icfcldap:baseContext>
<icfcldap:bindDn>cn=idm,ou=Administrators,dc=example,dc=com</icfcldap:bindDn>
<icfcldap:bindPassword><t:clearValue>secret</t:clearValue></icfcldap:bindPassword>
<icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
<!--icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm-->
<icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute>
<icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
<icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
<icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
</icfc:configurationProperties>
<icfc:resultsHandlerConfiguration>
<icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
<icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
</icfc:resultsHandlerConfiguration>
</connectorConfiguration>
3. This can then be successfully imported via the admin UI.
4. When I list the resources, I get an error:
2015-12-21 14:49:00,921 [UCF] [http-nio-8080-exec-8] ERROR (com.evolveum.midpoint.provisioning.ucf.impl.IcfUtil): ICF Exception java.lang.NullPointerException in connector:bcf82b24-29fa-490a-8210-bc7ce827af3d(ICF com.evolveum.polygon.connector.ldap.LdapConnector v1.4.2.0): resource:d0811790-1d80-11e4-86b2-3c970e467874(OpenLDAP): null
java.lang.NullPointerException: null
at org.apache.directory.ldap.client.api.LdapNetworkConnection.<init>(LdapNetworkConnection.java:231) ~[api-all-1.0.0-M32-e1.jar:1.0.0-M32-e1]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.<init>(LdapNetworkConnection.java:360) ~[api-all-1.0.0-M32-e1.jar:1.0.0-M32-e1]
at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.connect(AbstractLdapConnector.java:1115) ~[connector-ldap-1.4.2.0.jar:na]
at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.init(AbstractLdapConnector.java:165) ~[connector-ldap-1.4.2.0.jar:na]
at org.identityconnectors.framework.impl.api.local.ConnectorPoolManager$ConnectorPoolHandler.makeObject(ConnectorPoolManager.java:131) ~[connector-framework-internal-1.4.2.0.jar:na]
at org.identityconnectors.framework.impl.api.local.ConnectorPoolManager$ConnectorPoolHandler.makeObject(ConnectorPoolManager.java:83) ~[connector-framework-internal-1.4.2.0.jar:na]
at org.identityconnectors.framework.impl.api.local.ObjectPool.makeObject(ObjectPool.java:398) ~[connector-framework-internal-1.4.2.0.jar:na]
at org.identityconnectors.framework.impl.api.local.ObjectPool.borrowObjectNoTest(ObjectPool.java:294) ~[connector-framework-internal-1.4.2.0.jar:na]
at org.identityconnectors.framework.impl.api.local.ObjectPool.borrowObject(ObjectPool.java:248) ~[connector-framework-internal-1.4.2.0.jar:na]
at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:87) ~[connector-framework-internal-1.4.2.0.jar:na]
at com.sun.proxy.$Proxy163.schema(Unknown Source) ~[na:na]
at sun.reflect.GeneratedMethodAccessor700.invoke(Unknown Source) ~[na:na]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_91]
at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_91]
at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96) ~[connector-framework-internal-1.4.2.0.jar:na]
at com.sun.proxy.$Proxy163.schema(Unknown Source) ~[na:na]
at sun.reflect.GeneratedMethodAccessor700.invoke(Unknown Source) ~[na:na]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_91]
at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_91]
at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99) ~[connector-framework-internal-1.4.2.0.jar:na]
at com.sun.proxy.$Proxy163.schema(Unknown Source) ~[na:na]
at sun.reflect.GeneratedMethodAccessor700.invoke(Unknown Source) ~[na:na]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_91]
at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_91]
at org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:83) ~[connector-framework-internal-1.4.2.0.jar:na]
at com.sun.proxy.$Proxy163.schema(Unknown Source) ~[na:na]
at org.identityconnectors.framework.impl.api.AbstractConnectorFacade.schema(AbstractConnectorFacade.java:145) ~[connector-framework-internal-1.4.2.0.jar:na]
at com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl.retrieveResourceSchema(ConnectorInstanceIcfImpl.java:588) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl.initialize_aroundBody4(ConnectorInstanceIcfImpl.java:498) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl$AjcClosure5.run(ConnectorInstanceIcfImpl.java:1) [provisioning-impl-3.3.jar:na]
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) [aspectjtools-1.7.3.jar:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:178) [util-3.3.jar:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1) [util-3.3.jar:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.processUcfNdc(MidpointAspect.java:78) [util-3.3.jar:na]
at com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl.initialize(ConnectorInstanceIcfImpl.java:473) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.provisioning.impl.ConnectorManager.createConfiguredConnectorInstance(ConnectorManager.java:162) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.provisioning.impl.ConnectorManager.getConfiguredConnectorInstance(ConnectorManager.java:129) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.provisioning.impl.ResourceManager.getConnectorInstance(ResourceManager.java:834) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.provisioning.impl.ResourceManager.completeResource(ResourceManager.java:258) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.provisioning.impl.ResourceManager.putToCache(ResourceManager.java:159) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.provisioning.impl.ResourceManager.getResource(ResourceManager.java:130) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.completeObject(ProvisioningServiceImpl.java:633) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.searchRepoObjects(ProvisioningServiceImpl.java:561) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.searchObjects_aroundBody6(ProvisioningServiceImpl.java:500) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl$AjcClosure7.run(ProvisioningServiceImpl.java:1) [provisioning-impl-3.3.jar:na]
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) [aspectjtools-1.7.3.jar:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:178) [util-3.3.jar:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1) [util-3.3.jar:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.processProvisioningNdc(MidpointAspect.java:68) [util-3.3.jar:na]
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.searchObjects(ProvisioningServiceImpl.java:486) [provisioning-impl-3.3.jar:na]
at com.evolveum.midpoint.model.impl.controller.ModelController.searchObjects_aroundBody8(ModelController.java:846) [model-impl-3.3.jar:na]
at com.evolveum.midpoint.model.impl.controller.ModelController$AjcClosure9.run(ModelController.java:1) [model-impl-3.3.jar:na]
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) [aspectjtools-1.7.3.jar:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:178) [util-3.3.jar:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1) [util-3.3.jar:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.processModelNdc(MidpointAspect.java:63) [util-3.3.jar:na]
at com.evolveum.midpoint.model.impl.controller.ModelController.searchObjects(ModelController.java:799) [model-impl-3.3.jar:na]
at com.evolveum.midpoint.web.component.data.ObjectDataProvider.internalIterator(ObjectDataProvider.java:123) [classes/:na]
at com.evolveum.midpoint.web.component.data.BaseSortableDataProvider.iterator(BaseSortableDataProvider.java:190) [classes/:na]
at org.apache.wicket.markup.repeater.data.DataViewBase$ModelIterator.<init>(DataViewBase.java:107) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.markup.repeater.data.DataViewBase.getItemModels(DataViewBase.java:74) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.markup.repeater.AbstractPageableView.getItemModels(AbstractPageableView.java:101) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.markup.repeater.RefreshingView.onPopulate(RefreshingView.java:93) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.markup.repeater.AbstractRepeater.onBeforeRender(AbstractRepeater.java:123) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.markup.repeater.AbstractPageableView.onBeforeRender(AbstractPageableView.java:115) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.internalBeforeRender(Component.java:949) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.beforeRender(Component.java:1017) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1684) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.onBeforeRender(Component.java:3833) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.internalBeforeRender(Component.java:949) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.beforeRender(Component.java:1017) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1684) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.onBeforeRender(Component.java:3833) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.internalBeforeRender(Component.java:949) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.beforeRender(Component.java:1017) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1684) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.onBeforeRender(Component.java:3833) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.internalBeforeRender(Component.java:949) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.beforeRender(Component.java:1017) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1684) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.onBeforeRender(Component.java:3833) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.markup.html.form.Form.onBeforeRender(Form.java:1803) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.internalBeforeRender(Component.java:949) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.beforeRender(Component.java:1017) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1684) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.onBeforeRender(Component.java:3833) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Page.onBeforeRender(Page.java:809) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.internalBeforeRender(Component.java:949) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.beforeRender(Component.java:1017) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.internalPrepareForRender(Component.java:2201) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Page.internalPrepareForRender(Page.java:240) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Component.render(Component.java:2290) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.Page.renderPage(Page.java:1024) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.request.handler.render.WebPageRenderer.renderPage(WebPageRenderer.java:139) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:284) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.core.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:175) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:890) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64) [wicket-request-6.20.0.jar:6.20.0]
at org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:261) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:218) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:289) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:259) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:201) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:282) [wicket-core-6.20.0.jar:6.20.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.29]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.0.6.RELEASE.jar:4.0.6.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.2.5.RELEASE.jar:3.2.5.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344) [spring-web-4.0.6.RELEASE.jar:4.0.6.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261) [spring-web-4.0.6.RELEASE.jar:4.0.6.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.29]
at com.evolveum.midpoint.web.util.MidPointProfilingServletFilter.doFilter(MidPointProfilingServletFilter.java:78) [classes/:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.29]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.29]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [catalina.jar:8.0.29]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [catalina.jar:8.0.29]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [catalina.jar:8.0.29]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [catalina.jar:8.0.29]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [catalina.jar:8.0.29]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616) [catalina.jar:8.0.29]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [catalina.jar:8.0.29]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518) [catalina.jar:8.0.29]
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) [tomcat-coyote.jar:8.0.29]
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) [tomcat-coyote.jar:8.0.29]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-coyote.jar:8.0.29]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-coyote.jar:8.0.29]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_91]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_91]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.29]
at java.lang.Thread.run(Thread.java:745) [na:1.7.0_91]
5. Here is the connector that's active:
<icfc:configurationProperties xmlns:gen189="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
6. Here is the resource as currently configured in my env:
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="d0811790-1d80-11e4-86b2-3c970e467874" version="0">
<name>OpenLDAP</name>
<description>
LDAP resource using a ConnId LDAP connector. It contains configuration
for use with OpenLDAP servers.
</description>
<metadata>
<createTimestamp>2015-12-19T01:12:45.236Z</createTimestamp>
<creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"/>
<createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
</metadata>
<connectorRef oid="bcf82b24-29fa-490a-8210-bc7ce827af3d" type="c:ConnectorType">
<!-- ICF com.evolveum.polygon.connector.ldap.LdapConnector v1.4.2.0 -->
<description>
Reference to the OpenICF LDAP connector. This is dynamic reference, it will be translated to
OID during import.
</description>
<filter>
<q:equal>
<q:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:connectorType</q:path>
<q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value>
</q:equal>
</filter>
</connectorRef>
<connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
<icfc:resultsHandlerConfiguration>
<icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
<icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
</icfc:resultsHandlerConfiguration>
<icfc:configurationProperties xmlns:gen189="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
<gen189:port>389</gen189:port>
<gen189:vlvSortAttribute>uid</gen189:vlvSortAttribute>
<gen189:baseContext>dc=example,dc=com</gen189:baseContext>
<gen189:vlvSortOrderingRule>2.5.13.3</gen189:vlvSortOrderingRule>
<gen189:bindDn>cn=idm,ou=Administrators,dc=example,dc=com</gen189:bindDn>
<gen189:pagingStrategy>auto</gen189:pagingStrategy>
<gen189:operationalAttributes>memberOf</gen189:operationalAttributes>
<gen189:operationalAttributes>createTimestamp</gen189:operationalAttributes>
<gen189:host>10.72.85.21</gen189:host>
<gen189:bindPassword>
<t:encryptedData>
<t:encryptionMethod>
<t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm>
</t:encryptionMethod>
<t:keyInfo>
<t:keyName>R7wh8+ARxcNGTzk5EsXG79KJvgA=</t:keyName>
</t:keyInfo>
<t:cipherData>
<t:cipherValue>Sim3cp2FMxa4XXlPiO4QgpDS8BNhMN6v57HBtQ7WbX0=</t:cipherValue>
</t:cipherData>
</t:encryptedData>
</gen189:bindPassword>
</icfc:configurationProperties>
</connectorConfiguration>
<schema>
<generationConstraints>
<generateObjectClass>ri:inetOrgPerson</generateObjectClass>
<generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
<generateObjectClass>ri:groupOfNames</generateObjectClass>
<generateObjectClass>ri:organizationalUnit</generateObjectClass>
</generationConstraints>
</schema>
<schemaHandling>
<objectType>
<kind>account</kind>
<displayName>Normal Account</displayName>
<default>true</default>
<objectClass>ri:inetOrgPerson</objectClass>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:dn</c:ref>
<displayName>Distinguished Name</displayName>
<limitations>
<minOccurs>0</minOccurs>
<access>
<read>true</read>
<add>true</add>
<modify>true</modify>
</access>
</limitations>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
<outbound>
<source>
<c:path>$user/name</c:path>
</source>
<expression>
<script>
<code>
'uid=' + name + iterationToken + ',ou=people,dc=example,dc=com'
</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:entryUUID</c:ref>
<displayName>Entry UUID</displayName>
<limitations>
<access>
<read>true</read>
<add>false</add>
<modify>true</modify>
</access>
</limitations>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
</attribute>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</c:ref>
<displayName>Common Name</displayName>
<limitations>
<minOccurs>0</minOccurs>
<access>
<read>true</read>
<add>true</add>
<modify>true</modify>
</access>
</limitations>
<outbound>
<source>
<c:path>$user/fullName</c:path>
</source>
</outbound>
<inbound>
<target>
<c:path>$user/fullName</c:path>
</target>
</inbound>
</attribute>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:sn</c:ref>
<displayName>Surname</displayName>
<limitations>
<minOccurs>0</minOccurs>
</limitations>
<outbound>
<source>
<c:path>familyName</c:path>
</source>
</outbound>
<inbound>
<target>
<c:path>familyName</c:path>
</target>
</inbound>
</attribute>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:givenName</c:ref>
<displayName>Given Name</displayName>
<outbound>
<source>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:givenName</c:path>
</source>
</outbound>
<inbound>
<target>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:givenName</c:path>
</target>
</inbound>
</attribute>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:uid</c:ref>
<displayName>Login Name</displayName>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
<outbound>
<strength>weak</strength>
<source>
<description>Source may have description</description>
<c:path>$user/name</c:path>
</source>
<expression>
<script>
<code>name + iterationToken</code>
</script>
</expression>
</outbound>
<inbound>
<target>
<description>Targets may have description</description>
<c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:name</c:path>
</target>
</inbound>
</attribute>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:description</c:ref>
<outbound>
<strength>weak</strength>
<expression>
<description>Expression that assigns a fixed value</description>
<value>Created by midPoint</value>
</expression>
</outbound>
</attribute>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:l</c:ref>
<displayName>Location</displayName>
<outbound>
<source>
<c:path>$user/locality</c:path>
</source>
</outbound>
</attribute>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:employeeType</c:ref>
<displayName>Employee Type</displayName>
<tolerant>false</tolerant>
<outbound>
<source>
<c:path>$user/employeeType</c:path>
</source>
</outbound>
</attribute>
<association>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group</c:ref>
<displayName>LDAP Group Membership</displayName>
<kind>entitlement</kind>
<intent>ldapGroup</intent>
<direction>objectToSubject</direction>
<associationAttribute>ri:member</associationAttribute>
<valueAttribute>ri:dn</valueAttribute>
</association>
<iteration>
<maxIterations>5</maxIterations>
</iteration>
<protected>
<filter>
<q:equal>
<q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#stringIgnoreCase</q:matching>
<q:path xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">attributes/ri:dn</q:path>
<q:value>cn=idm,ou=Administrators,dc=example,dc=com</q:value>
</q:equal>
</filter>
</protected>
<activation>
<administrativeStatus>
<outbound/>
<inbound>
<strength>weak</strength>
<expression>
<asIs/>
</expression>
</inbound>
</administrativeStatus>
</activation>
<credentials>
<password>
<outbound>
<expression>
<asIs/>
</expression>
</outbound>
<inbound>
<strength>weak</strength>
<expression>
<generate/>
</expression>
</inbound>
</password>
</credentials>
</objectType>
<objectType>
<kind>entitlement</kind>
<intent>ldapGroup</intent>
<displayName>LDAP Group</displayName>
<objectClass>ri:groupOfNames</objectClass>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:dn</c:ref>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
<outbound>
<source>
<c:path>$focus/name</c:path>
</source>
<expression>
<script>
<code>
import javax.naming.ldap.Rdn
import javax.naming.ldap.LdapName
dn = new LdapName('ou=groups,dc=example,dc=com')
dn.add(new Rdn('cn', name.toString()))
return dn.toString()
</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:member</c:ref>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
<fetchStrategy>minimal</fetchStrategy>
</attribute>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</c:ref>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
<outbound>
<strength>weak</strength>
<source>
<c:path>$focus/name</c:path>
</source>
</outbound>
</attribute>
<attribute>
<c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:description</c:ref>
<outbound>
<source>
<c:path>description</c:path>
</source>
</outbound>
</attribute>
<configuredCapabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
<cap:pagedSearch>
<cap:defaultSortField>ri:uid</cap:defaultSortField>
</cap:pagedSearch>
</configuredCapabilities>
</objectType>
</schemaHandling>
<consistency>
<avoidDuplicateValues>true</avoidDuplicateValues>
</consistency>
<synchronization>
<objectSynchronization>
<enabled>true</enabled>
<correlation>
<q:description>
Correlation expression is a search query.
The following search query will look for users that have "name"
equal to the "uid" attribute of the account. Simply speaking,
it will look for a match between usernames in the IDM and the resource.
The correlation rule always looks for users, so it will not match
any other object type.
</q:description>
<q:equal>
<q:path>name</q:path>
<expression>
<c:path xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">declare namespace ri='http://midpoint.evolveum.com/xml/ns/public/resource/instance-3'; $account/attributes/ri:uid</c:path>
</expression>
</q:equal>
</correlation>
<reaction>
<situation>linked</situation>
<synchronize>true</synchronize>
</reaction>
<reaction>
<situation>deleted</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
</action>
</reaction>
<reaction>
<situation>unlinked</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
</action>
</reaction>
<reaction>
<situation>unmatched</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
</action>
</reaction>
</objectSynchronization>
</synchronization>
</resource>
Shawn
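An added illustration (not Shawn's configuration and not midPoint code) of what the Groovy ri:dn mapping above does when it builds the group DN through LdapName/Rdn instead of string concatenation, together with the case-insensitive DN compare that the protected filter performs. The group base DN and the idm DN come from the resource definition; the escaping function and the sample names are constructed here and follow RFC 4514.

```python
"""Build a group DN from a midPoint focus name with RFC 4514 escaping.

Added example, not midPoint or OpenLDAP code. It shows why the resource's
Groovy mapping goes through javax.naming.ldap.Rdn: a name containing ',' or
'+' would otherwise change the DN structure rather than end up inside the cn.
"""

GROUP_BASE = "ou=groups,dc=example,dc=com"                  # from the resource
PROTECTED_DN = "cn=idm,ou=Administrators,dc=example,dc=com"  # from <protected>

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 4514).
# Java's Rdn additionally escapes '=', which the RFC permits but does not require.
_SPECIAL = set('",+;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    if not value:
        raise ValueError("empty RDN value")
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")                 # NUL is hex-escaped
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                  # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                  # leading '#' would mean hex form
        else:
            out.append(ch)
    return "".join(out)


def build_group_dn(name: str) -> str:
    """Equivalent of the outbound ri:dn mapping: cn=<escaped name>,<group base>."""
    return f"cn={escape_rdn_value(name)},{GROUP_BASE}"


def is_protected(dn: str) -> bool:
    """What the <protected> filter does with mr:stringIgnoreCase: a plain
    case-insensitive string compare. It does not normalize DN syntax, so a
    DN written with different spacing after the commas would not match."""
    return dn.lower() == PROTECTED_DN.lower()


if __name__ == "__main__":
    for sample in ("Admins, Inc", "#sales ", "x,ou=people"):   # constructed names
        print(repr(sample), "->", build_group_dn(sample))
```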