[midPoint] Live Sync on AD LDAP Connector

Samu Viitanen zamppa90 at hotmail.com
Mon Jan 11 15:29:27 CET 2016


Hi Radovan,

I have tried the synchronization with these instructions. The sync is still not working. I set up my logging as you explained, and the logs that come out are like this:

2016-01-11 16:21:32,935 TRACE: method: getLatestSyncToken msg:Enter: getLatestSyncToken(ObjectClass: user)
2016-01-11 16:21:32,936 TRACE: method: null msg:check alive: OK
2016-01-11 16:21:32,936 TRACE: method: null msg:Searching DN ou=ProvSamu Users,dc=example,dc=test with (cn=__entry_like_this_is_unlikely_to_exist__), attrs: [], cookie: null
2016-01-11 16:21:32,943 WARN: method: null msg:No DirSync response control in search done response
2016-01-11 16:21:32,943 TRACE: method: getLatestSyncToken msg:Return: null
2016-01-11 16:21:32,946 TRACE: method: sync msg:Enter: sync(ObjectClass: user, null, com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl$1 at 35ce0e4c, OperationOptions: {RETURN_DEFAULT_ATTRIBUTES:true,ATTRS_TO_GET:[__PASSWORD__,__ENABLE__,createTimeStamp]})
2016-01-11 16:21:32,947 TRACE: method: null msg:check alive: OK
2016-01-11 16:21:32,947 TRACE: method: sync msg:Enter: sync(ObjectClass: user, null, org.identityconnectors.framework.impl.api.local.operations.SyncImpl$1 at 10d47c9c, OperationOptions: {RETURN_DEFAULT_ATTRIBUTES:true,ATTRS_TO_GET:[__PASSWORD__,__ENABLE__,createTimeStamp]})
2016-01-11 16:21:32,947 TRACE: method: null msg:Searching DN ou=ProvSamu Users,dc=example,dc=test with (objectClass=*), attrs: [], cookie: null
2016-01-11 16:21:32,992 WARN: method: null msg:No DirSync response control in search done response
2016-01-11 16:21:32,992 TRACE: method: null msg:Search DN ou=ProvSamu Users,dc=example,dc=test with (objectClass=*): 0 entries, 0 processed
2016-01-11 16:21:32,992 TRACE: method: sync msg:Return
2016-01-11 16:21:32,993 TRACE: method: sync msg:Return: null

What caught my attention is the "No DirSync response control in search done response". Doesn't the DirSync control determine what entries have been changed since the last query? I really think I have to do something on the AD side, but I have no idea what. I can still read the AD accounts from the resource, but the sync is still not working for some reason... I will look into it later.

Thanks

BR,
Samu Viitanen

To: midpoint at lists.evolveum.com
From: radovan.semancik at evolveum.com
Date: Mon, 4 Jan 2016 12:11:41 +0100
Subject: Re: [midPoint] Live Sync on AD LDAP Connector

Hi Samu,

AD Livesync with LDAP connector is supposed to work and it indeed works in my tests. Here's the setup on midPoint side:

https://github.com/Evolveum/midpoint/tree/master/testing/conntest/src/test/resources/ad-ldap

I have documented the entire setup in this wiki page:

https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector

However, I'm not really sure what are exactly the access rights and setup to be done on the AD side.

Perhaps the best steps for you are to enable trace on ConnId framework and LDAP connector. Set up logging like this:

org.identityconnectors.framework: TRACE
com.evolveum.polygon.connector.ldap: TRACE

The midPoint logfiles should tell you what exactly is going on and why are you not getting any synchronization events. You should see invocation of ConnId sync() method, then LDAP connector detecting the change, invocation of ConnId handle() method for each change and then midPoint provisioning and model (notifyChange() method) processing the change.

However, please be warned: if the problem is on the AD side then all you usually get is "unwilling to perform" error and I have found no practical way how to figure out what is going on on the AD side. AD logfiles are mostly useless. So good old guessing and trial and error is often the only way ...

-- 
Radovan Semancik
Software Architect
evolveum.com

On 12/30/2015 09:40 AM, Samu Viitanen wrote:

Hello,

I have experimented with the new experimental AD with LDAP connector, and in my solution the Live Synchronization does not seem to work. Is it supposed to work or is that still TODO? I keep getting a warning about current sync token being null and it does not sync anything from AD, but the task is still running fine. If it should work, is there something special I need to take into consideration to get it working?

Best Regards

Samu Viitanen

      _______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
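
A small triage script for the connector trace output discussed in this thread, added here as an example; it is not part of the original messages and is not midPoint or connector code. It assumes the log line layout quoted in the message above; the names `triage` and `stalled` are hypothetical, and the sample lines are shortened from that log.

```python
import re

# Layout as quoted in the thread: <date> <time> <LEVEL>: method: <name> msg:<text>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+): method: (?P<method>\S+) msg:(?P<msg>.*)$"
)
# Search summary line: "Search DN <base> with (<filter>): N entries, M processed"
SEARCH_RE = re.compile(
    r"^Search DN (?P<base>.+?) with \((?P<filter>.*)\): "
    r"(?P<entries>\d+) entries, (?P<processed>\d+) processed$"
)

# Sample input: shortened from the log in the message above.
SAMPLE = """\
2016-01-11 16:21:32,935 TRACE: method: getLatestSyncToken msg:Enter: getLatestSyncToken(ObjectClass: user)
2016-01-11 16:21:32,943 WARN: method: null msg:No DirSync response control in search done response
2016-01-11 16:21:32,943 TRACE: method: getLatestSyncToken msg:Return: null
2016-01-11 16:21:32,947 TRACE: method: sync msg:Enter: sync(ObjectClass: user, null, ...)
2016-01-11 16:21:32,992 WARN: method: null msg:No DirSync response control in search done response
2016-01-11 16:21:32,992 TRACE: method: null msg:Search DN ou=ProvSamu Users,dc=example,dc=test with (objectClass=*): 0 entries, 0 processed
2016-01-11 16:21:32,993 TRACE: method: sync msg:Return: null
"""

def triage(lines):
    """Summarise one live-sync cycle from connector trace lines."""
    report = {"sync_calls": 0, "missing_dirsync": 0,
              "null_token": False, "searches": []}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        method, msg = m["method"], m["msg"]
        if method == "sync" and msg.startswith("Enter: sync("):
            report["sync_calls"] += 1
        elif method == "getLatestSyncToken" and msg == "Return: null":
            report["null_token"] = True
        elif m["level"] == "WARN" and "No DirSync response control" in msg:
            report["missing_dirsync"] += 1
        else:
            s = SEARCH_RE.match(msg)
            if s:
                report["searches"].append(
                    (s["base"], int(s["entries"]), int(s["processed"])))
    # Pattern from this thread: sync() runs, the server omits the DirSync
    # response control, and the search returns nothing to process.
    report["stalled"] = (report["sync_calls"] > 0
                         and report["missing_dirsync"] > 0
                         and all(e == 0 for _, e, _ in report["searches"]))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```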

    
    

    

    
  

