[midPoint] Live Sync on AD LDAP Connector

Radovan Semancik radovan.semancik at evolveum.com
Mon Jan 25 14:18:54 CET 2016


Hi Samu,

Yes, it looks like the DirSync is not working on the AD side. As far as 
I remember I haven't done any special configuration to enable DirSync. 
There is nothing that the connector can do to help you diagnose this. 
You have to look at the Active Directory server. But overall, it is very 
difficult to figure out what is wrong on the AD side, as it provides 
very little information. Logs are almost useless, so the best option is 
often plain old trial and error. Try googling for similar problems 
(DirSync not working). Also please check that the AD user that you use 
to access AD from midPoint has the necessary privileges. Maybe try using 
the most powerful administration privileges and then strip them down as 
necessary.

My notes about AD are here:
https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector
https://wiki.evolveum.com/pages/viewpage.action?pageId=20709437

-- 
Radovan Semancik
Software Architect
evolveum.com



On 01/11/2016 03:29 PM, Samu Viitanen wrote:
> Hi Radovan,
>
> I have tried the synchronization with these instructions. The sync 
> still is not working. I set up my logging as you explained, and the 
> logs that come out are like this:
>
> 2016-01-11 16:21:32,935 TRACE: method: getLatestSyncToken msg:Enter: getLatestSyncToken(ObjectClass: user)
> 2016-01-11 16:21:32,936 TRACE: method: null msg:check alive: OK
> 2016-01-11 16:21:32,936 TRACE: method: null msg:Searching DN ou=ProvSamu Users,dc=example,dc=test with (cn=__entry_like_this_is_unlikely_to_exist__), attrs: [], cookie: null
> 2016-01-11 16:21:32,943 WARN: method: null msg:No DirSync response control in search done response
> 2016-01-11 16:21:32,943 TRACE: method: getLatestSyncToken msg:Return: null
> 2016-01-11 16:21:32,946 TRACE: method: sync msg:Enter: sync(ObjectClass: user, null, com.evolveum.midpoint.provisioning.ucf.impl.ConnectorInstanceIcfImpl$1 at 35ce0e4c, OperationOptions: {RETURN_DEFAULT_ATTRIBUTES:true,ATTRS_TO_GET:[__PASSWORD__,__ENABLE__,createTimeStamp]})
> 2016-01-11 16:21:32,947 TRACE: method: null msg:check alive: OK
> 2016-01-11 16:21:32,947 TRACE: method: sync msg:Enter: sync(ObjectClass: user, null, org.identityconnectors.framework.impl.api.local.operations.SyncImpl$1 at 10d47c9c, OperationOptions: {RETURN_DEFAULT_ATTRIBUTES:true,ATTRS_TO_GET:[__PASSWORD__,__ENABLE__,createTimeStamp]})
> 2016-01-11 16:21:32,947 TRACE: method: null msg:Searching DN ou=ProvSamu Users,dc=example,dc=test with (objectClass=*), attrs: [], cookie: null
> 2016-01-11 16:21:32,992 WARN: method: null msg:No DirSync response control in search done response
> 2016-01-11 16:21:32,992 TRACE: method: null msg:Search DN ou=ProvSamu Users,dc=example,dc=test with (objectClass=*): 0 entries, 0 processed
> 2016-01-11 16:21:32,992 TRACE: method: sync msg:Return
> 2016-01-11 16:21:32,993 TRACE: method: sync msg:Return: null
>
> What caught my attention is the "No DirSync response control in search 
> done response". Doesn't the DirSync control determine what entries 
> have been changed since the last query? I really think I have to do 
> something on the AD side, but I have no idea what. I can still read 
> the AD accounts from the resource, but the sync is still not working 
> for some reason... I will look into it later.
>
> Thanks
>
> BR,
> Samu Viitanen
>
> ------------------------------------------------------------------------
> To: midpoint at lists.evolveum.com
> From: radovan.semancik at evolveum.com
> Date: Mon, 4 Jan 2016 12:11:41 +0100
> Subject: Re: [midPoint] Live Sync on AD LDAP Connector
>
> Hi Samu,
>
> AD Livesync with LDAP connector is supposed to work and it indeed 
> works in my tests. Here's the setup on midPoint side:
>
> https://github.com/Evolveum/midpoint/tree/master/testing/conntest/src/test/resources/ad-ldap
>
> I have documented the entire setup in this wiki page:
>
> https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector
>
> However, I'm not really sure what exactly the access rights and 
> setup to be done on the AD side are.
>
> Perhaps the best steps for you are to enable trace on ConnId framework 
> and LDAP connector. Set up logging like this:
>
> org.identityconnectors.framework: TRACE
> com.evolveum.polygon.connector.ldap: TRACE
>
> The midPoint logfiles should tell you what exactly is going on and why 
> you are not getting any synchronization events. You should see 
> invocation of the ConnId sync() method, then the LDAP connector detecting the 
> change, invocation of the ConnId handle() method for each change and then 
> midPoint provisioning and model (notifyChange() method) processing the 
> change.
>
> However, please be warned: if the problem is on the AD side then all 
> you usually get is an "unwilling to perform" error and I have found no 
> practical way to figure out what is going on on the AD side. AD 
> logfiles are mostly useless. So good old guessing and trial and error 
> is often the only way ...
>
> -- 
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
> On 12/30/2015 09:40 AM, Samu Viitanen wrote:
>
>     Hello,
>
>     I have experimented with the new experimental AD with LDAP
>     connector, and in my solution the Live Synchronization does not
>     seem to work. Is it supposed to work or is that still TODO? I keep
>     getting a warning about the current sync token being null and it does
>     not sync anything from AD, but the task is still running fine. If
>     it should work, is there something special I need to take into
>     consideration to get it working?
>
>     Best Regards
>     Samu Viitanen
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>

