[midPoint] Import User Task failure

Jason Everling jeverling at bshp.edu
Thu Oct 20 19:38:38 CEST 2016


These were the tables, used the oid to locate,

m_shadow.name_orig
m_object.name_orig
m_object_ext_string.stringValue

JASON

On Thu, Oct 20, 2016 at 12:37 PM, Jason Everling <jeverling at bshp.edu> wrote:

> Hah! Someone else came across this error! I had the same issue with the
> diacritics and AD, see this thread,
> http://lists.evolveum.com/pipermail/midpoint/2015-November/001489.html
>
> I had to manually go into the database and modify certain items for that
> object, removing the invalid character in order to delete the shadow from
> gui
>
> JASON
>
> On Thu, Oct 20, 2016 at 12:26 PM, Florin. Stingaciu <
> fstingaciu at mirantis.com> wrote:
>
>> Upon further investigation, I've also noticed that this user actually
>> does have a shadow in the midPoint repository and further inspection of the
>> source indicates that the initial error means that the attribute DN has no
>> definition in the schema. This is definitely not the case as other shadows
>> don't have this issue. I am assuming that the special char is somehow
>> tripping midPoint into believing that the DN has no definition (
>> https://github.com/Evolveum/midpoint/blob/02f47924ccaffc96a
>> dfd9129aff655a17428a45d/repo/repo-sql-impl/src/main/java/
>> com/evolveum/midpoint/repo/sql/data/common/any/RAnyConverter.java#L80).
>>
>> I will try deleting this shadow from the repo and run the task again and
>> update this thread with the result, however I don't have much confidence
>> that this will work.
>>
>> Thanks,
>> -F
>>
>> On Wed, Oct 19, 2016 at 9:25 PM, Florin. Stingaciu <
>> fstingaciu at mirantis.com> wrote:
>>
>>> I managed to find the problematic user in AD after enabling TRACE logs
>>> in ShadowCache. It turns out the user has a special char
>>> (CN=İrem_LASTNAME,OU=People). I'm assuming this is causing midPoint to fail
>>> processing this user and return a schema error.
>>>
>>> I tried to ignore this user in my condition section, however I believe
>>> the shadow is processed before the resource condition is checked and the
>>> task fails with the error in my initial post. Are there any workarounds in
>>> which this scenario is considered a Partial Failure so this task can
>>> continue executing? This user is one of 50000.
>>>
>>> A possible solution would involve raising a different error if an
>>> invalid char (according to midPoint) was to be found on the resource. One
>>> that can be caught in ShadowCache.java (https://github.com/Evolveum/m
>>> idpoint/blob/master/provisioning/provisioning-impl/src/main/
>>> java/com/evolveum/midpoint/provisioning/impl/ShadowCache.java#L875) and
>>> returned as a "Object failed to processed" rather than a Schema Error. I'm
>>> open to any suggestions.
>>>
>>> Thanks,
>>> -F
>>>
>>> On Wed, Oct 19, 2016 at 1:14 PM, Florin. Stingaciu <
>>> fstingaciu at mirantis.com> wrote:
>>>
>>>> Also, this only happens with a Import Users task and not with Reconcile
>>>> Users Task. The reconcile users task finishes successfully..
>>>>
>>>> On Wed, Oct 19, 2016 at 12:56 PM, Florin. Stingaciu <
>>>> fstingaciu at mirantis.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> My import users task fails with the following error:
>>>>> http://pastebin.com/L0bKs9U2
>>>>>
>>>>> I tried increasing the log level, however the logs previous to this
>>>>> pertain to the previous user that was successfully imported. The resource
>>>>> is an active directory entry.
>>>>>
>>>>> My condition section looks as follows:
>>>>>
>>>>>                         dn = basic.getAttributeValues(shadow, "dn")[0]
>>>>>                         if (dn == "someDN"){
>>>>>                             return false
>>>>>                         }
>>>>>                         else if (dn == "someotherDN"){
>>>>>                             return false
>>>>>                         }
>>>>>                         else if (dn.contains("a sub OU domain")){
>>>>>                             return false
>>>>>                         }
>>>>> return (basic.getAttributeValues(shadow, "mail") != null)
>>>>>
>>>>>
>>>>> I've tried removing the condition and that didn't help. Any ideas on
>>>>> what could be the problem?
>>>>>
>>>>> Realistically, no entry in AD can have an empty DN. Could it maybe be
>>>>> a bad shadow somewhere, missing the dn?
>>>>>
>>>>> Thanks,
>>>>> -F
>>>>>
>>>>
>>>>
>>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161020/b79ed9c8/attachment.htm>


More information about the midPoint mailing list