[midPoint] Can't import LDAP groups, user reconciliation ends with errors (3.4.1)

Pavol Mederly mederly at evolveum.com
Sat Dec 10 18:31:36 CET 2016


This doesn't look like midPoint problem at first sight. Maybe some 
misconfiguration.

Error modifying LDAP entry cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx:
[remove:uniqueMember: cn=Directory Manager,remove:cn: Accounting Managers,]:
objectClassViolation: missing attribute "cn" required by object class "groupOfUniqueNames"? (65)

I'm not a particular expert in LDAP but I suspect midPoint is driven 
(maybe by your configuration) to remove "cn" Attribute from your 
Accounting Managers group.

To diagnose that, one probably needs a bit of knowledge of midPoint. I'd 
suggest you to try to follow suggestions mentioned here 
<https://wiki.evolveum.com/display/midPoint/Usual+Troubleshooting+Steps> 
and here 
<https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings>.

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 10.12.2016 18:19, Wojciech Staszewski wrote:
> Hi!
> I've just found the reason of reconciliation fail.
> Accidentaly I removed my Midpoint account (I wanted to remove projection, but I deleted whole acount).
> Obviously my LDAP account also disappeared.
> I recreated account in LDAP, imported my account back to Midpoint, added administrator role,
> but TASKS I made before have no owner now. I deleted them and recreated and now reconciliation works.
>
> Still cannot import groups.
> Stack is here ( I don't want to paste it into e-mail because it is quite long):
> https://www.skygge.com/1/ldap_group_import_fail.txt
>
> Dnia sobota, 10 grudnia 2016 16:18:48 CET Pavol Mederly pisze:
>> Hello Wojciech,
>>
>> NPE is an indication of a bug. It would be helpful if you could provide
>> the stack trace, so we could (try to) determine what is the cause.
>>
>> Best regards,
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 10.12.2016 16:10, Wojciech Staszewski wrote:
>>> Hello,
>>>
>>> Something bad happened to my LDAP resource.
>>> It worked well, I imported all users, some groups, configured synchronization and all task was processed ok.
>>> But two days ago I saw errors in reconciliation:
>>>
>>> "Last error when processing object	SystemException: java.lang.NullPointerException"
>>>
>>> O the resource -> Accounts -> Result:
>>> Failed to reconciliation: java.lang.IllegalStateException: Subresult com.evolveum.midpoint.model.impl.lens.projector.InboundProcessor.processInbound of operation com.evolveum.midpoint.model.impl.lens.projector.Projector.project is still UNKNOWN during cleanup; during handling of exception java.lang.NullPointerException
>>>
>>> Since yesterday I'm trying to import other groups from this resource, but every time i got this error:
>>>
>>> "No name in new object null as produced by template null in iteration 0, we cannot process an object without a name"
>>> And the role in Midpoint is created with empty name.
>>>
>>> And in error details:
>>>
>>> com.evolveum.midpoint.util.exception.NoFocusNameSchemaException: No name in new object null as produced by template null in iteration 0, we cannot process an object without a name
>>>
>>> Execute (Model)
>>> Schema violation during processing shadow: shadow: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx (OID:8c0692d3-3235-4b9d-bd89-da1bc80b3f31): Schema violation: Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error modifying LDAP entry cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx: [remove:uniqueMember: cn=Directory Manager,remove:cn: Accounting Managers,]: objectClassViolation: missing attribute "cn" required by object class "groupOfUniqueNames"? (65))
>>>
>>> Ldapsearch on my 389ds shows "cn" attribute in the groups:
>>>
>>> # Accounting Managers, Groups, xxx.xx
>>> dn: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx
>>> objectClass: top
>>> objectClass: groupOfUniqueNames
>>> cn: Accounting Managers
>>> ou: groups
>>> description: People who can manage accounting entries
>>> uniqueMember: cn=Directory Manager
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> Actually I don't know where to find a reason, I reviewed schema, schema handling and synchronization both users and groups, compared them with Evolveum example 389ds resource and see no differences. Any help appreciated.
>>> Wociech Staszewski
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161210/986debcb/attachment.htm>


More information about the midPoint mailing list