[midPoint] Import User Task failure

Thu Oct 20 19:26:07 CEST 2016

Upon further investigation, I've also noticed that this user actually does
have a shadow in the midPoint repository and further inspection of the
source indicates that the initial error means that the attribute DN has no
definition in the schema. This is definitely not the case as other shadows
don't have this issue. I am assuming that the special char is somehow
tripping midPoint into believing that the DN has no definition (
https://github.com/Evolveum/midpoint/blob/02f47924ccaffc96adfd9129aff655a17428a45d/repo/repo-sql-impl/src/main/java/com/evolveum/midpoint/repo/sql/data/common/any/RAnyConverter.java#L80
).

I will try deleting this shadow from the repo and run the task again and
update this thread with the result, however I don't have much confidence
that this will work.

Thanks,
-F

On Wed, Oct 19, 2016 at 9:25 PM, Florin. Stingaciu <fstingaciu at mirantis.com>
wrote:

> I managed to find the problematic user in AD after enabling TRACE logs in
> ShadowCache. It turns out the user has a special char
> (CN=İrem_LASTNAME,OU=People). I'm assuming this is causing midPoint to fail
> processing this user and return a schema error.
>
> I tried to ignore this user in my condition section, however I believe the
> shadow is processed before the resource condition is checked and the task
> fails with the error in my initial post. Are there any workarounds in which
> this scenario is considered a Partial Failure so this task can continue
> executing? This user is one of 50000.
>
> A possible solution would involve raising a different error if an invalid
> char (according to midPoint) was to be found on the resource. One that can
> be caught in ShadowCache.java (https://github.com/Evolveum/
> midpoint/blob/master/provisioning/provisioning-impl/src/main/java/com/
> evolveum/midpoint/provisioning/impl/ShadowCache.java#L875) and returned
> as a "Object failed to processed" rather than a Schema Error. I'm open to
> any suggestions.
>
> Thanks,
> -F
>
> On Wed, Oct 19, 2016 at 1:14 PM, Florin. Stingaciu <
> fstingaciu at mirantis.com> wrote:
>
>> Also, this only happens with a Import Users task and not with Reconcile
>> Users Task. The reconcile users task finishes successfully..
>>
>> On Wed, Oct 19, 2016 at 12:56 PM, Florin. Stingaciu <
>> fstingaciu at mirantis.com> wrote:
>>
>>> Hello,
>>>
>>> My import users task fails with the following error:
>>> http://pastebin.com/L0bKs9U2
>>>
>>> I tried increasing the log level, however the logs previous to this
>>> pertain to the previous user that was successfully imported. The resource
>>> is an active directory entry.
>>>
>>> My condition section looks as follows:
>>>
>>>                         dn = basic.getAttributeValues(shadow, "dn")[0]
>>>                         if (dn == "someDN"){
>>>                             return false
>>>                         }
>>>                         else if (dn == "someotherDN"){
>>>                             return false
>>>                         }
>>>                         else if (dn.contains("a sub OU domain")){
>>>                             return false
>>>                         }
>>> return (basic.getAttributeValues(shadow, "mail") != null)
>>>
>>>
>>> I've tried removing the condition and that didn't help. Any ideas on
>>> what could be the problem?
>>>
>>> Realistically, no entry in AD can have an empty DN. Could it maybe be a
>>> bad shadow somewhere, missing the dn?
>>>
>>> Thanks,
>>> -F
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161020/78c2cab4/attachment.htm>