[midPoint] Error fetching account from Exchange

Ващенков Алексей a.vashchenkov at solarsecurity.ru
Fri Jul 3 14:44:41 CEST 2015 

It’s my fault I thought that kind=entitlement is set automatically

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Pavol Mederly
Sent: Friday, July 3, 2015 3:24 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Error fetching account from Exchange

The Exchange connector should support entitlements assignment.
(I know of at least two deployments where this works.)

Maybe there's a bug that is manifesting in your case, but I doubt it a bit.

Pavol
Yes it helps.

As I can see the Exchange connector doesn’t allow to assign entitlements. So we need to use AD connector to assign roles.  And now I puzzle over about combine both of these connectors.
If we will be use exchange connector to create account in AD, than how we will be assign entitlements for this account. And if we will be use AD connector to create an account in AD, then I don’t understand how can I create only exchange account and “link” it with AD account.
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Pavol Mederly
Sent: Thursday, July 2, 2015 4:08 PM
To: midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Error fetching account from Exchange

Absolutely strange. Seems like a bug in the connector.
Please, upgrade to the latest versions of:
- Exchange Connector:  1.4.1.20283 (https://wiki.evolveum.com/display/midPoint/Exchange+Connector)
- Connector Server: 1.4.0.84 (https://wiki.evolveum.com/display/midPoint/.NET+Connector+Server)

Regards,
Pavol

On 2. 7. 2015 14:57, Ващенков Алексей wrote:
ActiveDirectoryConnector Verbose: 1 : Found object LDAP://isim/CN=aanikeev.i.i2,OU=Региональный офис,OU=inrights,DC=isim,DC=local
    DateTime=2015-07-02T12:54:28.0893413Z
ActiveDirectoryConnector Verbose: 1 : Unsupported attribute type ... calling ToString (Name: 'whenChanged'(0) Type: 'System.DateTime' String Value: '7/2/2015 6:32:36 AM'
    DateTime=2015-07-02T12:54:28.0893413Z
ActiveDirectoryConnector Verbose: 1 : Unsupported attribute type ... calling ToString (Name: 'whenCreated'(0) Type: 'System.DateTime' String Value: '7/2/2015 6:31:48 AM'
    DateTime=2015-07-02T12:54:28.0893413Z
ActiveDirectoryConnector.Api Verbose: 1 : Returning ''LDAP://isim/CN=aanikeev.i.i2,OU=Региональный офис,OU=inrights,DC=isim,DC=local'', in 6 ms
    DateTime=2015-07-02T12:54:28.0953416Z
ExchangeConnector.AccountHandler Verbose: 1 : Object returned from AD connector:  - ConnectorAttribute: Name='sAMAccountName', Value(s)='aanikeev.i.i2'
- ConnectorAttribute: Name='cn', Value(s)='aanikeev.i.i2'
- ConnectorAttribute: Name='displayName', Value(s)='aanikeev.i.i2'
- ConnectorAttribute: Name='mail', Value(s)='aanikeev.i.i2 at isim.local<mailto:aanikeev.i.i2 at isim.local>'
- ConnectorAttribute: Name='countryCode', Value(s)='0'
- ConnectorAttribute: Name='uSNChanged', Value(s)='802474'
- ConnectorAttribute: Name='uSNCreated', Value(s)='802465'
- ConnectorAttribute: Name='whenChanged', Value(s)='7/2/2015 6:32:36 AM'
- ConnectorAttribute: Name='whenCreated', Value(s)='7/2/2015 6:31:48 AM'
- ConnectorAttribute: Name='ad_container', Value(s)='OU=Региональный офис,OU=inrights,DC=isim,DC=local'
- ConnectorAttribute: Name='distinguishedName', Value(s)='CN=aanikeev.i.i2,OU=Региональный офис,OU=inrights,DC=isim,DC=local'
- ConnectorAttribute: Name='objectClass', Value(s)='top, person, organizationalPerson, user'
- ConnectorAttribute: Name='PasswordNeverExpires', Value(s)='False'
- ConnectorAttribute: Name='__ENABLE__', Value(s)='True'
- ConnectorAttribute: Name='__LOCK_OUT__', Value(s)='False'
- ConnectorAttribute: Name='__PASSWORD_EXPIRED__', Value(s)='False'
- ConnectorAttribute: Name='__SHORT_NAME__', Value(s)='aanikeev.i.i2'
- ConnectorAttribute: Name='__NAME__', Value(s)='CN=aanikeev.i.i2,OU=Региональный офис,OU=inrights,DC=isim,DC=local'
- ConnectorAttribute: Name='__UID__', Value(s)='<GUID=a2ef20a6e5edef42838b1434e6d472ce>'
- ConnectorAttribute: Name='mailNickname', Value(s)='aanikeev.i.i2'
- ConnectorAttribute: Name='proxyAddresses', Value(s)='SMTP:aanikeev.i.i2 at isim.local'
- ConnectorAttribute: Name='msExchRecipientDisplayType', Value(s)='1073741824'
- ConnectorAttribute: Name='msExchRecipientTypeDetails', Value(s)='1'
- ConnectorAttribute: Name='homeMDB', Value(s)='CN=Mailbox Database 0360216730,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=IsimMail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=isim,DC=local'

    DateTime=2015-07-02T12:54:28.1043421Z
ExchangeConnector.AccountHandler Verbose: 1 : Object as passed from Exchange connector:  - ConnectorAttribute: Name='sAMAccountName', Value(s)='aanikeev.i.i2'
- ConnectorAttribute: Name='cn', Value(s)='aanikeev.i.i2'
- ConnectorAttribute: Name='displayName', Value(s)='aanikeev.i.i2'
- ConnectorAttribute: Name='mail', Value(s)='aanikeev.i.i2 at isim.local<mailto:aanikeev.i.i2 at isim.local>'
- ConnectorAttribute: Name='countryCode', Value(s)='0'
- ConnectorAttribute: Name='uSNChanged', Value(s)='802474'
- ConnectorAttribute: Name='uSNCreated', Value(s)='802465'
- ConnectorAttribute: Name='whenChanged', Value(s)='7/2/2015 6:32:36 AM'
- ConnectorAttribute: Name='whenCreated', Value(s)='7/2/2015 6:31:48 AM'
- ConnectorAttribute: Name='ad_container', Value(s)='OU=Региональный офис,OU=inrights,DC=isim,DC=local'
- ConnectorAttribute: Name='distinguishedName', Value(s)='CN=aanikeev.i.i2,OU=Региональный офис,OU=inrights,DC=isim,DC=local'
- ConnectorAttribute: Name='objectClass', Value(s)='top, person, organizationalPerson, user'
- ConnectorAttribute: Name='PasswordNeverExpires', Value(s)='False'
- ConnectorAttribute: Name='__ENABLE__', Value(s)='True'
- ConnectorAttribute: Name='__LOCK_OUT__', Value(s)='False'
- ConnectorAttribute: Name='__PASSWORD_EXPIRED__', Value(s)='False'
- ConnectorAttribute: Name='__SHORT_NAME__', Value(s)='aanikeev.i.i2'
- ConnectorAttribute: Name='__NAME__', Value(s)='CN=aanikeev.i.i2,OU=Региональный офис,OU=inrights,DC=isim,DC=local'
- ConnectorAttribute: Name='__UID__', Value(s)='<GUID=a2ef20a6e5edef42838b1434e6d472ce>'
- ConnectorAttribute: Name='Alias', Value(s)='aanikeev.i.i2'
- ConnectorAttribute: Name='EmailAddresses', Value(s)='SMTP:aanikeev.i.i2 at isim.local'
- ConnectorAttribute: Name='msExchRecipientDisplayType', Value(s)='1073741824'
- ConnectorAttribute: Name='msExchRecipientTypeDetails', Value(s)='1'
- ConnectorAttribute: Name='homeMDB', Value(s)='CN=Mailbox Database 0360216730,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=IsimMail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=isim,DC=local'
- ConnectorAttribute: Name='EmailAddressPolicyEnabled', Value(s)='True'
- ConnectorAttribute: Name='PrimarySmtpAddress', Value(s)='aanikeev.i.i2 at isim.local<mailto:aanikeev.i.i2 at isim.local>'
- ConnectorAttribute: Name='RecipientType', Value(s)='UserMailbox'

    DateTime=2015-07-02T12:54:28.1343438Z
ActiveDirectoryConnector Verbose: 1 : Search: found 1 results, took 00:00:02.349
    DateTime=2015-07-02T12:54:28.1343438Z
ExchangeConnector.Api Information: 1 : Exchange.ExecuteQuery method exiting, took 2359 ms

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Pavol Mederly
Sent: Thursday, July 2, 2015 3:23 PM
To: midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Error fetching account from Exchange

Thank you. Could you also post here a snippet from ConnectorServer.log file on your AD/Exchange server? Please select parts that are relevant to fetching the object from the server.
I removed connectorconfigauration block and put XML in attachment

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Pavol Mederly
Sent: Thursday, July 2, 2015 2:33 PM
To: midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Error fetching account from Exchange

Hello Алексей,

it is quite strange that you've got this exception. It occurs when midPoint gets an attribute in an object that was fetched from a resource (in this case the attribute is homeMDB), but does not have this attribute in resource object schema. It points to a bug in connector or some problem with the metadata (namely, the schema information in resource), or - with a very small probability - some misconfiguration at your side. The bug in connector should not be the reason, because this is a basic functionality of AD/Exchange connector, and it should work.

If you would post here your resource configuration (without passwords etc), we could have a look at that.
Also please indicate the midPoint version - i.e. if it's 3.1.1 or some of 3.2-snapshots.

Best regards,
Pavol
Hello we have achived success to create an account in axchange. But now we have an error
Original ICF name: homeMDB: Error resolving object with oid 'dd1408f0-bb0d-4fff-9e11-fbb544b4cde2': Subresult com.evolveum.midpoint.provisioning.ucf.api.ConnectorInstance.fetchObject of operation com.evolveum.midpoint.provisioning.api.ProvisioningService.getObject is still UNKNOWN during cleanup; during handling of exception com.evolveum.midpoint.util.exception.SchemaException: Schema violation during processing shadow: shadow: CN=aanikeev.i.i2,OU=Региональный офис,OU=inrights,DC=isim,DC=local (OID:dd1408f0-bb0d-4fff-9e11-fbb544b4cde2): Unknown attribute {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}homeMDB in definition of object class {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}AccountObjectClass.Original ICF name: homeMDB
What does it means? And how can we fix it?







_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>

http://lists.evolveum.com/mailman/listinfo/midpoint







_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>

http://lists.evolveum.com/mailman/listinfo/midpoint






_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>

http://lists.evolveum.com/mailman/listinfo/midpoint





_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>

http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20150703/345a92aa/attachment.htm>

More information about the midPoint mailing list