[midPoint] Assignment time constraints problem

Гетманский Олег o.getmanskiy at solarsecurity.ru
Thu Jul 16 15:31:12 CEST 2015


Hi. We have problems assigning temporary AD membership to users.
We use the Exchange connector, and when a permanent (no validFrom or validTo) assignment is assigned, everything is all right (we really see that the AD user is a member of the corresponding AD group).
But assignments with validFrom in the future have no effect: at the time when validFrom comes, we see that the user is not a member of the corresponding AD group.

The "Validity scanner" task is runnable every 15 seconds. It seems that it does some calculations, because we see progress "0/1", then "1/1".
During these calculations, the logs are flooded with errors:
...
2015-07-16 14:12:52,153 [UCF] [midPointScheduler_Worker-8] ERROR (com.evolveum.midpoint.provisioning.ucf.impl.IcfUtil): ICF Exception org.identityconnectors.framework.impl.api.remote.RemoteWrappedException in connector:77c1ca49-0c76-40d4-a633-ef3f4b2be30f(ICF Org.IdentityConnectors.Exchange.ExchangeConnector v1.4.1.20283 @localhost ICF connector (port 8759)): resource:8790e490-326a-46e9-ba35-9e0c1dcbb41d(Exchange) while updating object identified by ICF UID '<GUID=f536a14e0ff0cc43be613eb07e5d53be>': Remote exception: Cannot process argument transformation on parameter 'PrimarySmtpAddress'. Cannot convert null to type "Microsoft.Exchange.Data.SmtpAddress".

org.identityconnectors.framework.impl.api.remote.RemoteWrappedException: Remote exception: Cannot process argument transformation on parameter 'PrimarySmtpAddress'. Cannot convert null to type "Microsoft.Exchange.Data.SmtpAddress".

at org.identityconnectors.framework.impl.serializer.CommonObjectHandlers$17.deserialize(CommonObjectHandlers.java:293) ~[CommonObjectHandlers$17.class:na]
at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder$InternalDecoder.readObject(BinaryObjectDecoder.java:154) ~[BinaryObjectDecoder$InternalDecoder.class:na]
at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder.readObject(BinaryObjectDecoder.java:293) ~[BinaryObjectDecoder.class:na]
at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder.readObjectField(BinaryObjectDecoder.java:413) ~[BinaryObjectDecoder.class:na]
at org.identityconnectors.framework.impl.serializer.MessageHandlers$5.deserialize(MessageHandlers.java:139) ~[MessageHandlers$5.class:na]
at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder$InternalDecoder.readObject(BinaryObjectDecoder.java:154) ~[BinaryObjectDecoder$InternalDecoder.class:na]
at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder.readObject(BinaryObjectDecoder.java:293) ~[BinaryObjectDecoder.class:na]
at org.identityconnectors.framework.impl.api.remote.RemoteFrameworkConnection.readObject(RemoteFrameworkConnection.java:155) ~[RemoteFrameworkConnection.class:na]
at org.identityconnectors.framework.impl.api.remote.RemoteOperationInvocationHandler.invoke(RemoteOperationInvocationHandler.java:95) ~[RemoteOperationInvocationHandler.class:na]
at com.sun.proxy.$Proxy188.update(Unknown Source) ~[na:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_79]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_79]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_79]
at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_79]
at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99) ~[DelegatingTimeoutProxy.class:na]
at com.sun.proxy.$Proxy188.update(Unknown Source) ~[na:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_79]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_79]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_79]
at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_79]
at org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:83) ~[LoggingProxy.class:na]
at com.sun.proxy.$Proxy188.update(Unknown Source) ~[na:na]
at org.identityconnectors.framework.impl.api.AbstractConnectorFacade.update(AbstractConnectorFacade.java:187) ~[AbstractConnectorFacade.class:na]
at com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl.modifyObject_aroundBody14(ConnectorInstanceIcfImpl.java:1518) [ConnectorInstanceIcfImpl.class:na]
at com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl$AjcClosure15.run(ConnectorInstanceIcfImpl.java:1) [ConnectorInstanceIcfImpl$AjcClosure15.class:na]
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) [JoinPointImpl.class:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:178) [MidpointAspect.class:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1) [MidpointAspect.class:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.processUcfNdc(MidpointAspect.java:78) [MidpointAspect.class:na]
at com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl.modifyObject(ConnectorInstanceIcfImpl.java:1291) [ConnectorInstanceIcfImpl.class:na]
at com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl.modifyObject(ConnectorInstanceIcfImpl.java:1) [ConnectorInstanceIcfImpl.class:na]
at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.executeModify(ResourceObjectConverter.java:579) [ResourceObjectConverter.class:na]
at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.modifyResourceObject(ResourceObjectConverter.java:471) [ResourceObjectConverter.class:na]
at com.evolveum.midpoint.provisioning.impl.ShadowCache.modifyShadow(ShadowCache.java:438) [ShadowCache.class:na]
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.modifyObject_aroundBody10(ProvisioningServiceImpl.java:878) [ProvisioningServiceImpl.class:na]
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl$AjcClosure11.run(ProvisioningServiceImpl.java:1) [ProvisioningServiceImpl$AjcClosure11.class:na]
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) [JoinPointImpl.class:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:178) [MidpointAspect.class:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1) [MidpointAspect.class:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.processProvisioningNdc(MidpointAspect.java:68) [MidpointAspect.class:na]
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.modifyObject(ProvisioningServiceImpl.java:839) [ProvisioningServiceImpl.class:na]
at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.modifyProvisioningObject(ChangeExecutor.java:1166) [ChangeExecutor.class:na]
at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeModification(ChangeExecutor.java:1032) [ChangeExecutor.class:na]
at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeDelta(ChangeExecutor.java:630) [ChangeExecutor.class:na]
at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeChanges(ChangeExecutor.java:282) [ChangeExecutor.class:na]
at com.evolveum.midpoint.model.impl.lens.Clockwork.processSecondary(Clockwork.java:439) [Clockwork.class:na]
at com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java:269) [Clockwork.class:na]
at com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:191) [Clockwork.class:na]
at com.evolveum.midpoint.model.impl.sync.FocusValidityScannerTaskHandler.recomputeUser(FocusValidityScannerTaskHandler.java:169) [FocusValidityScannerTaskHandler.class:na]
at com.evolveum.midpoint.model.impl.sync.FocusValidityScannerTaskHandler.access$2(FocusValidityScannerTaskHandler.java:162) [FocusValidityScannerTaskHandler.class:na]
at com.evolveum.midpoint.model.impl.sync.FocusValidityScannerTaskHandler$1.handleObject(FocusValidityScannerTaskHandler.java:154) [FocusValidityScannerTaskHandler$1.class:na]
at com.evolveum.midpoint.model.impl.util.AbstractSearchIterativeResultHandler.processRequest(AbstractSearchIterativeResultHandler.java:274) [AbstractSearchIterativeResultHandler.class:na]
at com.evolveum.midpoint.model.impl.util.AbstractSearchIterativeResultHandler.handle(AbstractSearchIterativeResultHandler.java:146) [AbstractSearchIterativeResultHandler.class:na]
at com.evolveum.midpoint.repo.cache.RepositoryCache$1.handle(RepositoryCache.java:201) [RepositoryCache$1.class:na]
at com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl.searchObjectsIterativeAttempt(SqlRepositoryServiceImpl.java:1813) [SqlRepositoryServiceImpl.class:na]
at com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl.searchObjectsIterative_aroundBody26(SqlRepositoryServiceImpl.java:1784) [SqlRepositoryServiceImpl.class:na]
at com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl$AjcClosure27.run(SqlRepositoryServiceImpl.java:1) [SqlRepositoryServiceImpl$AjcClosure27.class:na]
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) [JoinPointImpl.class:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:178) [MidpointAspect.class:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1) [MidpointAspect.class:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.processRepositoryNdc(MidpointAspect.java:58) [MidpointAspect.class:na]
at com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl.searchObjectsIterative(SqlRepositoryServiceImpl.java:1745) [SqlRepositoryServiceImpl.class:na]
at com.evolveum.midpoint.repo.cache.RepositoryCache.searchObjectsIterative_aroundBody6(RepositoryCache.java:204) [RepositoryCache.class:na]
at com.evolveum.midpoint.repo.cache.RepositoryCache$AjcClosure7.run(RepositoryCache.java:1) [RepositoryCache$AjcClosure7.class:na]
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) [JoinPointImpl.class:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.wrapSubsystem(MidpointAspect.java:178) [MidpointAspect.class:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.ajc$inlineAccessMethod$com_evolveum_midpoint_util_aspect_MidpointAspect$com_evolveum_midpoint_util_aspect_MidpointAspect$wrapSubsystem(MidpointAspect.java:1) [MidpointAspect.class:na]
at com.evolveum.midpoint.util.aspect.MidpointAspect.processRepositoryNdc(MidpointAspect.java:58) [MidpointAspect.class:na]
at com.evolveum.midpoint.repo.cache.RepositoryCache.searchObjectsIterative(RepositoryCache.java:192) [RepositoryCache.class:na]
at com.evolveum.midpoint.model.impl.ModelObjectResolver.searchIterative(ModelObjectResolver.java:224) [ModelObjectResolver.class:na]
at com.evolveum.midpoint.model.impl.util.AbstractSearchIterativeTaskHandler.run(AbstractSearchIterativeTaskHandler.java:162) [AbstractSearchIterativeTaskHandler.class:na]
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:479) [JobExecutor.class:na]
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:359) [JobExecutor.class:na]
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:162) [JobExecutor.class:na]
at org.quartz.core.JobRunShell.run(JobRunShell.java:213) [JobRunShell.class:na]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557) [SimpleThreadPool$WorkerThread.class:na]
...

Here is our user mapping:

         <attribute>
            <c:ref>ri:PrimarySmtpAddress</c:ref>
            <displayName>Адрес в Exchange</displayName>
            <exclusiveStrong>false</exclusiveStrong>
            <tolerant>false</tolerant>
            <inbound>
               <name>Адрес в Exchange</name>
               <authoritative>true</authoritative>
               <exclusive>false</exclusive>
               <strength>normal</strength>
               <target>
                  <c:path>$focus/emailAddress</c:path>
               </target>
            </inbound>
         </attribute>

If there's no outbound mapping, the connector should not try to write a null PrimarySmtpAddress, am I right?

Our association configuration:

         <association>
            <c:ref>group</c:ref>
            <displayName>AD Group Membership</displayName>
            <exclusiveStrong>false</exclusiveStrong>
            <tolerant>false</tolerant>
            <kind>entitlement</kind>
            <intent>default</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>icfs:name</valueAttribute>
            <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
         </association>

Our metarole used for AD membership:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="e1b56b20-9d09-472a-9ede-8fa19b0c112b"
      version="45">
   <name>Metarole for account</name>
   <metadata>
      <createTimestamp>2015-05-06T17:38:28.517+03:00</createTimestamp>
      <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef>
      <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
   </metadata>
   <inducement>
      <construction>
         <resourceRef oid="8790e490-326a-46e9-ba35-9e0c1dcbb41d" type="c:ResourceType"><!-- Exchange --></resourceRef>
         <kind>account</kind>
         <intent>default</intent>
         <association>
            <c:ref>group</c:ref>
            <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>default</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
   </inducement>
</role>

Regards, Oleg Getmansky

P.S.: The same errors occur when the time of validTo comes and the user should be expelled from the corresponding AD group.
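
An added example, not part of the original post and not midPoint code: a small log triage script that picks out ICF update errors raised during validity-scanner runs, like the one quoted above, and counts them per account so each account's group membership can be checked against its validFrom/validTo assignments. The log-line layout, resource OID and first GUID come from the excerpt; the function names, the later timestamps, the web thread name and the all-zero GUID are constructed.

```python
import re
from collections import Counter

ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
ICF_ERROR = re.compile(
    r"^(?P<ts>\S+ \S+) .*? ERROR .*?ICF Exception .*?"
    r"resource:(?P<oid>[0-9a-f-]{36})\((?P<resource>[^)]*)\) "
    r"while updating object identified by ICF UID '(?P<uid>[^']*)': (?P<message>.*)$"
)
SCANNER_FRAME = "FocusValidityScannerTaskHandler"  # frame seen in the post's stack trace

def split_entries(log_text):
    """Attach stack-trace lines to the timestamped line that precedes them."""
    entries = []
    for line in log_text.splitlines():
        if ENTRY_START.match(line):
            entries.append([line])
        elif entries:
            entries[-1].append(line)
    return entries

def failed_validity_updates(log_text):
    """ICF update errors whose trace passes through the validity scanner."""
    hits = []
    for head, *trace in split_entries(log_text):
        m = ICF_ERROR.match(head)
        if m and any(SCANNER_FRAME in frame for frame in trace):
            hits.append(m.groupdict())
    return hits

def accounts_to_review(log_text):
    """Failure count per (resource OID, ICF UID): accounts whose time-bound
    group membership may not match the assignment's validity window."""
    return Counter((h["oid"], h["uid"]) for h in failed_validity_updates(log_text))

# Constructed sample input (see the lead-in for what is copied and what is made up).
GUID = "f536a14e0ff0cc43be613eb07e5d53be"
_HEAD = ("{ts} [UCF] [{thread}] ERROR (com.evolveum.midpoint.provisioning.ucf.impl.IcfUtil): ICF Exception org.identityconnectors.framework.impl.api.remote.RemoteWrappedException in connector:77c1ca49-0c76-40d4-a633-ef3f4b2be30f(ICF Org.IdentityConnectors.Exchange.ExchangeConnector v1.4.1.20283 @localhost ICF connector (port 8759)): "
         "resource:8790e490-326a-46e9-ba35-9e0c1dcbb41d(Exchange) while updating object identified by ICF UID '<GUID={guid}>': "
         "Remote exception: Cannot process argument transformation on parameter 'PrimarySmtpAddress'.\n")
_SCAN = "at com.evolveum.midpoint.model.impl.sync.FocusValidityScannerTaskHandler.recomputeUser(FocusValidityScannerTaskHandler.java:169)\n"
_OTHER = "at com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:191)\n"
SAMPLE_LOG = (
    _HEAD.format(ts="2015-07-16 14:12:52,153", thread="midPointScheduler_Worker-8", guid=GUID) + _OTHER + _SCAN
    + _HEAD.format(ts="2015-07-16 14:13:07,153", thread="midPointScheduler_Worker-8", guid=GUID) + _OTHER + _SCAN
    + _HEAD.format(ts="2015-07-16 14:13:09,000", thread="constructed-web-thread", guid="0" * 32) + _OTHER
)

if __name__ == "__main__":
    for (oid, uid), n in accounts_to_review(SAMPLE_LOG).items():
        print(f"resource {oid} account {uid}: {n} failed validity update(s)")
```

Errors of this kind at validTo time matter most in review, since they mean a membership that should have ended may still be present on the resource.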