[midPoint] Ldap Connector Errors

Chris Moore chris.moore5 at wisc.edu
Thu Nov 30 21:07:18 CET 2017


Community,

I am trying to connect midPoint to an OpenLDAP server, run a simple import, and match the resulting shadows to the users that already exist in midPoint.

Has anyone seen this error before, or know of a fix for this error?

When I run the import task, I am getting an error on the LDAP side:

Do_modify: get_ctrls failed

On the midPoint side I am getting the following error:

Couldn't modify object: generic error in the connector: Generic error in the connector. Can't process shadow shadow: uid=abrown,ou=People,dc=example,dc=edu (OID:38a0542d-2113-410a-bb0b-a03345ceb969).

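<?xml version="1.0" encoding="UTF-8"?>

<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
         xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
         xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
         xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
         xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector"
         xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">

    <!--
        Two objects: an LDAP resource definition and a one-shot task that imports
        inetOrgPerson accounts from it. Accounts are correlated to midPoint users
        by comparing the LDAP uid attribute with the user's name.
    -->
    <resource oid="6573361b-20c9-4d79-8f00-f1445b5902a2">

        <name>LDAP</name>

        <!-- Resolved when the resource is imported: selects the connector by its connectorType
             rather than by a hard-coded connector OID. -->
        <connectorRef type="ConnectorType">
            <filter>
                <q:equal>
                    <q:path>c:connectorType</q:path>
                    <q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value>
                </q:equal>
            </filter>
        </connectorRef>

        <connectorConfiguration>
            <icfc:configurationProperties>
                <!-- NOTE(review): port 389 with no connectionSecurity setting means the bind DN and
                     bind password are sent in clear text on every connection. Once the server side
                     supports it, prefer port 636 with
                     <icfcldap:connectionSecurity>ssl</icfcldap:connectionSecurity>
                     (or starttls on 389). Left unchanged here so the reproduction matches the
                     environment in the report. -->
                <icfcldap:port>389</icfcldap:port>
                <icfcldap:host>myldaphost</icfcldap:host>
                <icfcldap:baseContext>ou=People,dc=example,dc=edu</icfcldap:baseContext>
                <icfcldap:bindDn>myldpabindDN</icfcldap:bindDn>
                <!-- midPoint protects a clearValue once the object is imported, but the value stays
                     in plain text in this file. Keep real credentials out of shared or committed
                     copies of this definition (substitute at deploy time, or store it already
                     encrypted as t:encryptedData). -->
                <icfcldap:bindPassword><t:clearValue>myldpapassword</t:clearValue></icfcldap:bindPassword>
                <!-- "always" forces the Permissive Modify request control onto every modify
                     operation; a server that does not support that control rejects the whole
                     request. OpenLDAP logging "do_modify: get_ctrls failed" is consistent with an
                     unsupported critical control, so "auto" (send it only when the server advertises
                     it in the root DSE) or "never" is the safer choice here. Confirm against the
                     server's supportedControl list. -->
                <icfcldap:usePermissiveModify>auto</icfcldap:usePermissiveModify>
                <icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
                <icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm>
                <icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute>
                <icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
                <!-- Operational attributes are not returned unless requested explicitly. -->
                <icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
                <icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
            </icfc:configurationProperties>

            <!-- The LDAP connector does its own normalization, filtering and attribute
                 selection, so the generic ConnId result handlers are switched off. -->
            <icfc:resultsHandlerConfiguration>
                <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
                <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
                <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
            </icfc:resultsHandlerConfiguration>
        </connectorConfiguration>

        <!-- Restrict schema generation to the object classes this deployment actually uses. -->
        <schema>
            <generationConstraints>
                <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
                <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
                <generateObjectClass>ri:groupOfNames</generateObjectClass>
                <generateObjectClass>ri:organizationalUnit</generateObjectClass>
                <generateObjectClass>ri:eduPerson</generateObjectClass>
            </generationConstraints>
        </schema>

        <schemaHandling>
            <objectType>
                <intent>default</intent>
                <displayName>Default Account</displayName>
                <default>true</default>
                <objectClass>ri:inetOrgPerson</objectClass>

                <!-- Inbound only: the LDAP uid becomes the midPoint user name. There are no
                     outbound mappings, so the import should not need to write to LDAP at all. -->
                <attribute>
                    <ref>ri:uid</ref>
                    <inbound>
                        <target>
                            <path>$user/name</path>
                        </target>
                    </inbound>
                </attribute>

                <attribute>
                    <ref>ri:entryUUID</ref>
                    <displayName>Entry UUID</displayName>
                    <!-- entryUUID is assigned by the directory server and is NO-USER-MODIFICATION
                         (RFC 4530), so midPoint must never attempt to add or modify it. Declaring
                         modify=true invites exactly the kind of modify request the server rejects. -->
                    <limitations>
                        <access>
                            <read>true</read>
                            <add>false</add>
                            <modify>false</modify>
                        </access>
                    </limitations>
                    <matchingRule>mr:stringIgnoreCase</matchingRule>
                </attribute>
            </objectType>

        </schemaHandling>

        <synchronization>
            <objectSynchronization>
                <enabled>true</enabled>

                <correlation>
                    <q:description>
                        Correlation expression is a search query.
                        The following search query will look for users that have "name"
                        equal to the "uid" attribute of the account. Simply speaking,
                        it will look for a match in usernames in the IDM and the resource.
                        The correlation rule always looks for users, so it will not match
                        any other object type.
                    </q:description>
                    <q:equal>
                        <q:path>name</q:path>
                        <c:expression>
                            <c:path>$c:account/c:attributes/ri:uid</c:path>
                        </c:expression>
                    </q:equal>
                </correlation>

                <!-- Already linked: just synchronize inbound data. -->
                <reaction>
                    <situation>linked</situation>
                    <synchronize>true</synchronize>
                </reaction>

                <!-- Account gone from LDAP: unlink it, but keep the midPoint user. -->
                <reaction>
                    <situation>deleted</situation>
                    <synchronize>true</synchronize>
                    <action>
                        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
                    </action>
                </reaction>

                <!-- Correlated to an existing user but not yet linked: create the link. Accounts
                     that correlate to nobody ("unmatched") have no reaction here, so they are
                     reported but no user is created for them. -->
                <reaction>
                    <situation>unlinked</situation>
                    <synchronize>true</synchronize>
                    <action>
                        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                    </action>
                </reaction>
            </objectSynchronization>
        </synchronization>

    </resource>

    <!-- One-shot import of all inetOrgPerson accounts from the resource above, run as
         the built-in administrator. -->
    <task>
       <name>Import LDAP Accounts</name>
        <extension >
            <mext:kind>account</mext:kind>
            <mext:objectclass>ri:inetOrgPerson</mext:objectclass>
        </extension>
        <ownerRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></ownerRef>
        <executionStatus>runnable</executionStatus>
        <category>ImportingAccounts</category>
        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/import/handler-3</handlerUri>
        <objectRef oid="6573361b-20c9-4d79-8f00-f1445b5902a2" type="c:ResourceType"><!--LDAP--></objectRef>
        <recurrence>single</recurrence>
        <binding>loose</binding>
        <threadStopAction>restart</threadStopAction>
    </task>

</objects>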





Chris Moore | EIS / Middleware | chris.moore5 at wisc.edu


