[midPoint] ERR_04306 Cannot find a Syntax object ....

Radovan Semancik Radovan.Semancik at evolveum.com
Tue May 10 17:00:25 CEST 2016


Hi, 

Blame Microsoft :-) 

The root cause of these errors is the fact that Active Directory does not really follow the LDAP standard. E.g. it does not provide SYNTAX clauses in the schema, redefines attributes, etc. The Apache Directory API that we are using was originally designed for ApacheDS, which is designed as an LDAP-compliant server. When I was starting with the LDAP connector and tried to use the Apache Directory API with real-world servers such as AD, it broke down on LDAP standard violations. Many of these issues are now "fixed" in the Apache Directory API code. But the errors and warnings remain. Given the current structure of the Apache Directory API code these errors are not entirely easy to eliminate. I hope to find some time to rework the Apache Directory API error handling and reporting one day, so they can disappear. But for now they are a sad reminder of the way some corporations (mis)interpret the standards.

But the relatively slow speed is a different issue that is only marginally related. The delay is caused by the connector reading the LDAP schema. The connector has to read the entire LDAP schema, as there is no way to select only some objectclasses and attributes (and there is no way to express that in ConnId either, but that can be fixed). The connector needs that schema to correctly interpret datatypes, compare values, etc. But that would not be a big problem if the schema were retrieved only once. Now it is retrieved once for every new connection. That is caused by the fact that it is not entirely easy to share a cached schema between ConnId connector instances. Therefore each new connector instance needs to retrieve the schema from the server. But that will hopefully be fixed in the future: https://jira.evolveum.com/browse/MID-2702

-- 
Radovan Semancik 
Software Architect 
evolveum.com 

----- Original Message -----

> From: "Florin. Stingaciu" <fstingaciu at mirantis.com>
> To: midpoint at lists.evolveum.com
> Sent: Tuesday, May 10, 2016 2:45:53 AM
> Subject: [midPoint] ERR_04306 Cannot find a Syntax object ....

> Hello,

> I'm using the AdLdapConnector version 1.4.3.0 to directly connect to an
> Active Directory instance in a read only mode of operation. Whenever I click
> on the resource or try to open a user profile that has an account on this
> Active Directory, the following error appears in the logs:

> > 2016-05-10 00:33:56,087 [UCF] [http-bio-8080-exec-6] INFO
> > (org.apache.directory.api.ldap.schema.manager.impl.DefaultSchemaManager):
> > Loading other enabled schema:
> 
> > Schema Name: other
> 
> > Disabled: false
> 
> > Owner: uid=admin,ou=system
> 
> > Dependencies: []
> 
> > SchemaLoader : DefaultSchemaLoader
> 
> > 2016-05-10 00:33:56,157 [UCF] [http-bio-8080-exec-6] INFO
> > (org.apache.directory.api.ldap.model.schema.registries.helper.AttributeTypeHelper):
> > ERR_04306 Cannot find a Syntax object 1.3.6.1.4.1.1466.115.121.1.40 while
> > building cross-references for the x25FacilitiesDataOutgoing AttributeType.
> 
> > 2016-05-10 00:33:56,157 [UCF] [http-bio-8080-exec-6] INFO
> > (org.apache.directory.api.ldap.model.schema.registries.helper.AttributeTypeHelper):
> > ERR_04306 Cannot find a Syntax object 1.3.6.1.4.1.1466.115.121.1.40 while
> > building cross-references for the x25FacilitiesDataIncoming AttributeType.
> 
> > 2016-05-10 00:33:56,157 [UCF] [http-bio-8080-exec-6] INFO
> > (org.apache.directory.api.ldap.model.schema.registries.helper.AttributeTypeHelper):
> > ERR_04306 Cannot find a Syntax object 1.3.6.1.4.1.1466.115.121.1.40 while
> > building cross-references for the x25CallUserDataOutgoing AttributeType.
> 
> > 2016-05-10 00:33:56,157 [UCF] [http-bio-8080-exec-6] INFO
> > (org.apache.directory.api.ldap.model.schema.registries.helper.AttributeTypeHelper):
> > ERR_04306 Cannot find a Syntax object 1.3.6.1.4.1.1466.115.121.1.12 while
> > building cross-references for the fromServer AttributeType.
> 
> > 2016-05-10 00:33:56,157 [UCF] [http-bio-8080-exec-6] INFO
> > (org.apache.directory.api.ldap.model.schema.registries.helper.AttributeTypeHelper):
> > ERR_04306 Cannot find a Syntax object 1.3.6.1.4.1.1466.115.121.1.12 while
> > building cross-references for the msDS-Preferred-GC-Site AttributeType.
> 
> > 2016-05-10 00:33:56,157 [UCF] [http-bio-8080-exec-6] INFO
> > (org.apache.directory.api.ldap.model.schema.registries.helper.AttributeTypeHelper):
> > ERR_04306 Cannot find a Syntax object 1.3.6.1.4.1.1466.115.121.1.7 while
> > building cross-references for the generatedConnection AttributeType.
> 
> This error continues appearing for a lot of different attributes. This is
> just a snippet. This causes a very slow loading time for an action that
> requires a schema load. Also, keep in mind that this actually doesn't break
> anything. It's just slow.
> Here's my connector config:

> > <resource >
> >   <!-- Resource name. It will be displayed in GUI. -->
> >   <name>Active Directory</name>
> >   <description>
> >     LDAP resource using a ConnId AD connector.
> >   </description>
> >   <connectorRef type="ConnectorType">
> >     <description>
> >       Reference to the OpenICF LDAP connector. This is dynamic reference, it will be translated to
> >       OID during import.
> >     </description>
> >     <filter>
> >       <q:and>
> >         <q:equal>
> >           <q:path>c:connectorType</q:path>
> >           <q:value>com.evolveum.polygon.connector.ldap.ad.AdLdapConnector</q:value>
> >         </q:equal>
> >         <q:equal>
> >           <q:path>c:connectorVersion</q:path>
> >           <q:value>1.4.3.0-SNAPSHOT</q:value>
> >         </q:equal>
> >       </q:and>
> >     </filter>
> >   </connectorRef>
> >
> >   <!-- Configuration section contains configuration of the connector,
> >        such as hostnames and passwords -->
> >   <connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
> >     <icfc:configurationProperties xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector">
> >       <icfcldap:port>3268</icfcldap:port>
> >       <icfcldap:host>active_directory.server</icfcldap:host>
> >       <icfcldap:baseContext>ou=People,dc=example,dc=com</icfcldap:baseContext>
> >       <icfcldap:bindDn>CN=ldap.service,dc=example,dc=com</icfcldap:bindDn>
> >       <icfcldap:bindPassword>
> >         <t:clearValue>password</t:clearValue>
> >       </icfcldap:bindPassword>
> >       <icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
> >       <icfcldap:vlvSortAttribute>sAMAccountName</icfcldap:vlvSortAttribute>
> >       <icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
> >     </icfc:configurationProperties>
> >     <icfc:resultsHandlerConfiguration>
> >       <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
> >       <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
> >       <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
> >     </icfc:resultsHandlerConfiguration>
> >   </connectorConfiguration>
> 
> Any help would be greatly appreciated.

> Thanks,
> -F

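A way to triage the ERR_04306 noise quoted in this thread, as an added example that is not part of either message or of midPoint: it groups the entries by unresolved syntax OID and estimates how many times the schema was read, since the reply explains that the schema is retrieved once per new connection. The function names and sample lines are constructed for illustration, the OID names come from RFC 4517, and the load estimate assumes a single schema load logs each attribute at most once.

```python
import re
from collections import Counter, defaultdict

# RFC 4517 names of the three syntax OIDs that appear in the quoted log.
RFC4517_NAMES = {
    "1.3.6.1.4.1.1466.115.121.1.7": "Boolean",
    "1.3.6.1.4.1.1466.115.121.1.12": "DN",
    "1.3.6.1.4.1.1466.115.121.1.40": "Octet String",
}
ERR_04306 = re.compile(
    r"ERR_04306 Cannot find a Syntax object (?P<oid>\d+(?:\.\d+)+) "
    r"while building cross-references for the (?P<attr>\S+) AttributeType"
)
# Constructed sample: one entry wrapped and '>'-quoted as in the mail, three unwrapped.
SAMPLE_LOG = """\
> > 2016-05-10 00:33:56,157 [UCF] [http-bio-8080-exec-6] INFO
> > (org.apache.directory.api.ldap.model.schema.registries.helper.AttributeTypeHelper):
> > ERR_04306 Cannot find a Syntax object 1.3.6.1.4.1.1466.115.121.1.40 while
> > building cross-references for the x25FacilitiesDataOutgoing AttributeType.
2016-05-10 00:33:56,157 INFO ERR_04306 Cannot find a Syntax object 1.3.6.1.4.1.1466.115.121.1.40 while building cross-references for the x25CallUserDataOutgoing AttributeType.
2016-05-10 00:33:56,157 INFO ERR_04306 Cannot find a Syntax object 1.3.6.1.4.1.1466.115.121.1.12 while building cross-references for the fromServer AttributeType.
2016-05-10 00:34:02,411 INFO ERR_04306 Cannot find a Syntax object 1.3.6.1.4.1.1466.115.121.1.12 while building cross-references for the fromServer AttributeType.
"""

def unwrap(text):
    """Drop mail quote markers and rejoin entries wrapped across lines."""
    lines = (re.sub(r"^(?:>\s?)+", "", line).strip() for line in text.splitlines())
    return " ".join(line for line in lines if line)

def parse(text):
    """Return one (syntax OID, attribute name) pair per ERR_04306 entry."""
    return [(m["oid"], m["attr"]) for m in ERR_04306.finditer(unwrap(text))]

def summarize(text):
    """Map each unresolved syntax OID to the sorted attributes that reference it."""
    by_oid = defaultdict(set)
    for oid, attr in parse(text):
        by_oid[oid].add(attr)
    return {oid: sorted(attrs) for oid, attrs in by_oid.items()}

def schema_loads(text):
    """Estimate schema reads, assuming one load logs each attribute at most once."""
    return max(Counter(parse(text)).values(), default=0)

if __name__ == "__main__":
    for oid, attrs in summarize(SAMPLE_LOG).items():
        print(oid, RFC4517_NAMES.get(oid, "unknown"), attrs)
    print("estimated schema loads:", schema_loads(SAMPLE_LOG))
```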