[midPoint] Import User Task failure

Florin. Stingaciu fstingaciu at mirantis.com
Thu Oct 20 19:52:07 CEST 2016


Hey Jason,

It sounds like our problems are in a similar vein but not quite the same. I
had no problems deleting the shadow at all through the REPO in the GUI. My
problem lies with Importing Users from AD. Once my task reaches that user
it somehow spits an error indicating that there is no definition for
the DN (as a schema object) in the shadow and thus causing my sync task to
fail prematurely.

Also unlike you, I don't have the possibility of deleting this user from AD
as I'm not managing it. I only realized that this shadow was created an
hour ago as until now I thought it failed to create the shadow due to the
special character. I deleted the shadow and I'm re-running the import user
task again to see if it overcomes this problem.

Thanks,
-F

On Thu, Oct 20, 2016 at 10:38 AM, Jason Everling <jeverling at bshp.edu> wrote:

> These were the tables, used the oid to locate,
>
> m_shadow.name_orig
> m_object.name_orig
> m_object_ext_string.stringValue
>
> JASON
>
> On Thu, Oct 20, 2016 at 12:37 PM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> Hah! Someone else came across this error! I had the same issue with the
>> diacritics and AD, see this thread,
>> http://lists.evolveum.com/pipermail/midpoint/2015-November/001489.html
>>
>> I had to manually go into the database and modify certain items for that
>> object, removing the invalid character in order to delete the shadow from
>> the GUI
>>
>> JASON
>>
>> On Thu, Oct 20, 2016 at 12:26 PM, Florin. Stingaciu <
>> fstingaciu at mirantis.com> wrote:
>>
>>> Upon further investigation, I've also noticed that this user actually
>>> does have a shadow in the midPoint repository and further inspection of the
>>> source indicates that the initial error means that the attribute DN has no
>>> definition in the schema. This is definitely not the case as other shadows
>>> don't have this issue. I am assuming that the special char is somehow
>>> tripping midPoint into believing that the DN has no definition (
>>> https://github.com/Evolveum/midpoint/blob/02f47924ccaffc96adfd9129aff655a17428a45d/repo/repo-sql-impl/src/main/java/com/evolveum/midpoint/repo/sql/data/common/any/RAnyConverter.java#L80).
>>>
>>> I will try deleting this shadow from the repo and run the task again and
>>> update this thread with the result, however I don't have much confidence
>>> that this will work.
>>>
>>> Thanks,
>>> -F
>>>
>>> On Wed, Oct 19, 2016 at 9:25 PM, Florin. Stingaciu <
>>> fstingaciu at mirantis.com> wrote:
>>>
>>>> I managed to find the problematic user in AD after enabling TRACE logs
>>>> in ShadowCache. It turns out the user has a special char
>>>> (CN=İrem_LASTNAME,OU=People). I'm assuming this is causing midPoint to fail
>>>> processing this user and return a schema error.
>>>>
>>>> I tried to ignore this user in my condition section, however I believe
>>>> the shadow is processed before the resource condition is checked and the
>>>> task fails with the error in my initial post. Are there any workarounds in
>>>> which this scenario is considered a Partial Failure so this task can
>>>> continue executing? This user is one of 50000.
>>>>
>>>> A possible solution would involve raising a different error if an
>>>> invalid char (according to midPoint) was to be found on the resource. One
>>>> that can be caught in ShadowCache.java
>>>> (https://github.com/Evolveum/midpoint/blob/master/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ShadowCache.java#L875)
>>>> and returned as an "Object failed to processed" rather than a Schema Error.
>>>> I'm open to any suggestions.
>>>>
>>>> Thanks,
>>>> -F
>>>>
>>>> On Wed, Oct 19, 2016 at 1:14 PM, Florin. Stingaciu <
>>>> fstingaciu at mirantis.com> wrote:
>>>>
>>>>> Also, this only happens with an Import Users task and not with
>>>>> Reconcile Users Task. The reconcile users task finishes successfully.
>>>>>
>>>>> On Wed, Oct 19, 2016 at 12:56 PM, Florin. Stingaciu <
>>>>> fstingaciu at mirantis.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> My import users task fails with the following error:
>>>>>> http://pastebin.com/L0bKs9U2
>>>>>>
>>>>>> I tried increasing the log level, however the logs previous to this
>>>>>> pertain to the previous user that was successfully imported. The resource
>>>>>> is an active directory entry.
>>>>>>
>>>>>> My condition section looks as follows:
>>>>>>
>>>>>>     dn = basic.getAttributeValues(shadow, "dn")[0]
>>>>>>     if (dn == "someDN") {
>>>>>>         return false
>>>>>>     }
>>>>>>     else if (dn == "someotherDN") {
>>>>>>         return false
>>>>>>     }
>>>>>>     else if (dn.contains("a sub OU domain")) {
>>>>>>         return false
>>>>>>     }
>>>>>>     return (basic.getAttributeValues(shadow, "mail") != null)
>>>>>>
>>>>>>
>>>>>> I've tried removing the condition and that didn't help. Any ideas on
>>>>>> what could be the problem?
>>>>>>
>>>>>> Realistically, no entry in AD can have an empty DN. Could it maybe be
>>>>>> a bad shadow somewhere, missing the dn?
>>>>>>
>>>>>> Thanks,
>>>>>> -F
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>