[midPoint] Changing Distinguished Name of ldap account which is member of group leads to Error modifying LDAP entry noSuchAttribute

Oleksandr Nekriach o.nekriach at dynatech.lv
Thu Sep 28 12:46:30 CEST 2017


Ivan, thank you very much!

2017-09-28 13:03 GMT+03:00 Ivan Noris <ivan.noris at evolveum.com>:

> Hi Oleksandr,
>
> from midpoint common schema:
>
>                      <xsd:element name="explicitReferentialIntegrity"
> type="xsd:boolean"  minOccurs="0" default="true">
>                         <xsd:annotation>
>                             <xsd:documentation>
>                                 Whether you require midPoint to provide
> referential integrity for object-to-subject associations.
>
>                                 Used for resources that do not provide
> referential integrity by themselves, e.g. for OpenDJ with
>                                 default settings (i.e. with referential
> integrity plugin turned off).
>
>                                 For resources having referential
> integrity, e.g. for Active Directory, set this parameter to false.
>                             </xsd:documentation>
>                         </xsd:annotation>
>                      </xsd:element>
>
> As turning OFF (false) helped, your directory server must have been
> configured to update group membership according to the DN change. And that
> collided with midPoint behaviour.
>
> Typically you have to turn this off (set to false) for Active Directory.
>
> FYI: our OpenLDAP installation and configuration wiki:
> https://wiki.evolveum.com/display/midPoint/OpenLDAP+
> Installation+and+Configuration mentions how to turn referential integrity
> for OpenLDAP...
>
> Best regards,
>
> Ivan
>
> On 28.09.2017 11:19, Oleksandr Nekriach wrote:
>
> Hello Ivan,
>
> Thank you for help!
> I turned off explicitReferentialIntegrity and this solved my problem.
> What does this setting mean?
>
> Best regards, Oleksandr
>
> 2017-09-27 18:07 GMT+03:00 Ivan Noris <ivan.noris at evolveum.com>:
>
>> Hi Oleksandr,
>>
>> AFAIK memberof overlay is to compute "memberof" attribute of the LDAP
>> account. But your exception comes from group modification: Error modifying
>> LDAP entry cn=TestRole_forMidpoint_2,ou=InternalGroups,ou=Groups,ou=MD,dc=dyninno,dc=test:
>> [remove:member: uid=Oleksandr.Nekriach,ou=Agen
>> ts,ou=Users,ou=MD,dc=dyninno,dc=test,]: noSuchAttribute:  (16)
>>
>> My first guess was that you have "refint" module and corresponding
>> overlay activated on OpenLDAP side. If you are really not using OpenLDAP's
>> referential integrity, then it should work as it is configured. You have
>> even configured "usePermissiveModify"...
>>
>> I remember when I was playing with referential integrity, if I renamed
>> account in LDAP (through mp) and it failed with similar error, but the
>> group membership was still correct after this operation (showing renamed
>> account), the problem was that LDAP server was doing the referential
>> integrity automatically and I needed to turn off
>> explicitReferentialIntegrity in association configuration.
>>
>> No more ideas yet.
>>
>> Regards,
>>
>> Ivan
>>
>> On 27.09.2017 16:16, Oleksandr Nekriach wrote:
>>
>> Hi Ivan,
>> We have added to OpenLdap memberOf overlay (see config below). But I
>> don't sure that is good idea to remove it. Do you have some idea?
>>
>> dn: cn=module{2},cn=config
>> cn: module{2}
>> changetype: modify
>> objectClass: olcModuleList
>> olcModuleLoad: memberof
>> olcModulePath: /usr/lib/ldap
>>
>> dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
>> objectClass: olcConfig
>> objectClass: olcMemberOf
>> objectClass: olcOverlayConfig
>> objectClass: top
>> olcOverlay: memberof
>> olcMemberOfDangling: ignore
>> olcMemberOfRefInt: TRUE
>> olcMemberOfGroupOC: groupOfNames
>> olcMemberOfMemberAD: member
>> olcMemberOfMemberOfAD: memberOf
>>
>> 2017-09-27 15:49 GMT+03:00 Ivan Noris <ivan.noris at evolveum.com>:
>>
>>> Hi Oleksandr,
>>>
>>> you have association set with explicitReferentialIntegrity, that means
>>> midpoint will update group membership if user DN changes. Could this
>>> collide with your OpenLDAP refint overlay (or whatever is the name for
>>> automatic referential integrity)?
>>> I
>>>
>>>
>>> On 27.09.2017 13:28, Oleksandr Nekriach wrote:
>>>
>>> Hello,
>>> Please help me understand what is wrong.
>>> I have role which assign a group to OpenLdap resource acount. Also I
>>> have resource with expresion which dynamical calculates Distinguished Name
>>> and has dependency on source attribute  "Locality". Also I expand ldap
>>> resource schema with memberOf attribute.
>>> When I change Locality attribute I get an error
>>> InvalidAttributeValueException: Error modifying LDAP entry
>>> cn=TestRole_forMidpoint_2,ou=InternalGroups,ou=Groups,ou=MD,dc=dyninno,dc=test:
>>> [remove:member: uid=Oleksandr.Nekriach,ou=Agen
>>> ts,ou=Users,ou=MD,dc=dyninno,dc=test,]: noSuchAttribute:  (16)
>>>
>>> I can't understand why I got this error if resource account was modified
>>> successfuly as I want.
>>>
>>>   <displayName>TestRole_forMidpoint</displayName>
>>>    <inducement id="5">
>>>       <construction>
>>>          <resourceRef oid="00000000-0004-0000-0000-00000000004"
>>>                       relation="org:default"
>>>                       type="c:ResourceType"><!-- myOpenLDAP4
>>> --></resourceRef>
>>>          <association>
>>>             <c:ref>ri:Group</c:ref>
>>>             <outbound>
>>>                <expression>
>>>                   <associationTargetSearch xmlns:xsi="
>>> http://www.w3.org/2001/XMLSchema-instance"
>>>
>>> xsi:type="c:SearchObjectExpressionEvaluatorType">
>>>                      <filter>
>>>                         <q:equal>
>>>                            <q:path>declare namespace icfs='
>>> http://midpoint.evolveum.com/xml/ns/public/connector/i
>>> cf-1/resource-schema-3'; declare namespace ri='
>>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3';
>>> attributes/ri:cn</q:path>
>>>                            <q:value>TestRole_forMidpoint_2</q:value>
>>>                         </q:equal>
>>>                      </filter>
>>>                      <searchOnResource>true</searchOnResource>
>>>                   </associationTargetSearch>
>>>                </expression>
>>>             </outbound>
>>>          </association>
>>>       </construction>
>>>    </inducement>
>>>
>>>          <attribute>
>>>             <c:ref>ri:dn</c:ref>
>>>             <displayName>Distinguished Name</displayName>
>>>             <matchingRule xmlns:mr="http://prism.evolveu
>>> m.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
>>>             <outbound>
>>>                <strength>strong</strength>
>>>                <source>
>>>                   <c:path>$user/name</c:path>
>>>                </source>
>>>                <source>
>>>                   <c:path>$user/description</c:path>
>>>                </source>
>>>                <source>
>>>                   <c:path>$user/locality</c:path>
>>>                </source>
>>>                <expression>
>>>                   <script xsi:type="c:ScriptExpressionEvaluatorType">
>>>                      <code>
>>>                         String rightPartOfDN=",ou=InternalUse
>>> rs,ou=Users,ou=LV";
>>>                         String dc=",dc=dyninno,dc=test";
>>>                         if(name!=null && description!=null
>>> && locality!=null){
>>>                         if(locality.toString().equalsIgnoreCase("RIX")
>>> && description.toString().contains("Agent")){
>>>                         rightPartOfDN=",ou=Agents,ou=Users,ou=LV";
>>>                         }
>>>                         if(locality.toString().equalsIgnoreCase("KIV")
>>> && description.toString().contains("Agent")){
>>>                         rightPartOfDN=",ou=Agents,ou=Users,ou=MD";
>>>                         }
>>>                         }
>>>                         return "uid=" + name.toString() + iterationToken
>>> + rightPartOfDN+dc;
>>>                          </code>
>>>                   </script>
>>>                </expression>
>>>             </outbound>
>>>          </attribute>
>>>
>>>
>>>
>>> 2017-09-27 13:59:42,925 [] [Thread-24] WARN
>>> (com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator):
>>> method: null msg:Uknown attribute 1.3.6.1.4.1.1466.115.121.1.15, cannot
>>> determine if it is binary
>>> 2017-09-27 13:59:42,939 [] [Thread-23] WARN
>>> (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter): The
>>> resource: myOpenLDAP4 (OID:00000000-0004-0000-0000-00000000004) does
>>> not provide definition for null value of simulated activation attribute
>>> 2017-09-27 13:59:43,893 [] [Thread-23] WARN
>>> (com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator):
>>> method: null msg:Uknown attribute 1.3.6.1.4.1.1466.115.121.1.15, cannot
>>> determine if it is binary
>>> 2017-09-27 13:59:44,410 [] [Thread-23] WARN
>>> (com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator):
>>> method: null msg:Uknown attribute 1.3.6.1.4.1.1466.115.121.1.15, cannot
>>> determine if it is binary
>>> 2017-09-27 13:59:44,712 [] [Thread-23] WARN
>>> (com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator):
>>> method: null msg:Uknown attribute 1.3.6.1.4.1.1466.115.121.1.12, cannot
>>> determine if it is binary
>>> 2017-09-27 13:59:45,077 [] [Thread-23] WARN
>>> (com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator):
>>> method: null msg:Uknown attribute 1.3.6.1.4.1.1466.115.121.1.12, cannot
>>> determine if it is binary
>>> 2017-09-27 13:59:45,120 [] [Thread-23] ERROR
>>> (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): ConnId
>>> Exception org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException
>>> in connector:cb288b2c-1e5f-4b78-924e-a215b723137d(ConnId
>>> com.evolveum.polygon.connector.ldap.LdapConnector v1.4.5):
>>> ConnectorSpec(object:00000000-0004-0000-0000-00000000004(myOpenLDAP4),
>>> name=null, oid=cb288b2c-1e5f-4b78-924e-a215b723137d) while removing
>>> attribute values from object identified by ConnId UID
>>> '57ef6422-32fa-1037-9380-3b12ae02d26c': Error modifying LDAP entry
>>> cn=TestRole_forMidpoint_2,ou=InternalGroups,ou=Groups,ou=MD,dc=dyninno,dc=test:
>>> [remove:member: uid=Oleksandr.Nekriach,ou=Agen
>>> ts,ou=Users,ou=MD,dc=dyninno,dc=test,]: noSuchAttribute:  (16)
>>> org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException:
>>> Error modifying LDAP entry cn=TestRole_forMidpoint_2,ou=I
>>> nternalGroups,ou=Groups,ou=MD,dc=dyninno,dc=test: [remove:member:
>>> uid=Oleksandr.Nekriach,ou=Agents,ou=Users,ou=MD,dc=dyninno,dc=test,]:
>>> noSuchAttribute:  (16)
>>>         at com.evolveum.polygon.connector.ldap.LdapUtil.processLdapResult(LdapUtil.java:455)
>>> ~[connector-ldap-1.4.5.jar:na]
>>>         at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.pr
>>> ocessModifyResult(AbstractLdapConnector.java:1119)
>>> ~[connector-ldap-1.4.5.jar:na]
>>>         at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.mo
>>> dify(AbstractLdapConnector.java:1110) ~[connector-ldap-1.4.5.jar:na]
>>>         at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.ld
>>> apUpdateAttempt(AbstractLdapConnector.java:1060)
>>> ~[connector-ldap-1.4.5.jar:na]
>>>         at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.ld
>>> apUpdate(AbstractLdapConnector.java:1019) ~[connector-ldap-1.4.5.jar:na]
>>>         at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.re
>>> moveAttributeValues(AbstractLdapConnector.java:990)
>>> ~[connector-ldap-1.4.5.jar:na]
>>>         at org.identityconnectors.framework.impl.api.local.operations.U
>>> pdateImpl.removeAttributeValues(UpdateImpl.java:171)
>>> ~[connector-framework-internal-1.4.2.35.jar:na]
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> ~[na:1.8.0_131]
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> ~[na:1.8.0_131]
>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> ~[na:1.8.0_131]
>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>> ~[na:1.8.0_131]
>>>         at org.identityconnectors.framework.impl.api.local.operations.C
>>> onnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98)
>>> ~[connector-framework-internal-1.4.2.35.jar:na]
>>>         at com.sun.proxy.$Proxy184.removeAttributeValues(Unknown
>>> Source) ~[na:na]
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> ~[na:1.8.0_131]
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> ~[na:1.8.0_131]
>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> ~[na:1.8.0_131]
>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>> ~[na:1.8.0_131]
>>>         at org.identityconnectors.framework.impl.api.local.operations.T
>>> hreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
>>> ~[connector-framework-internal-1.4.2.35.jar:na]
>>>         at com.sun.proxy.$Proxy184.removeAttributeValues(Unknown
>>> Source) ~[na:na]
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> ~[na:1.8.0_131]
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> ~[na:1.8.0_131]
>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> ~[na:1.8.0_131]
>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>> ~[na:1.8.0_131]
>>>         at org.identityconnectors.framework.impl.api.DelegatingTimeoutP
>>> roxy.invoke(DelegatingTimeoutProxy.java:99)
>>> ~[connector-framework-internal-1.4.2.35.jar:na]
>>>         at com.sun.proxy.$Proxy184.removeAttributeValues(Unknown
>>> Source) ~[na:na]
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> ~[na:1.8.0_131]
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> ~[na:1.8.0_131]
>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> ~[na:1.8.0_131]
>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>> ~[na:1.8.0_131]
>>>         at org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:83)
>>> ~[connector-framework-internal-1.4.2.35.jar:na]
>>>         at com.sun.proxy.$Proxy184.removeAttributeValues(Unknown
>>> Source) ~[na:na]
>>>         at org.identityconnectors.framework.impl.api.AbstractConnectorF
>>> acade.removeAttributeValues(AbstractConnectorFacade.java:225)
>>> ~[connector-framework-internal-1.4.2.35.jar:na]
>>>         at com.evolveum.midpoint.provisioning.ucf.impl.connid.Connector
>>> InstanceConnIdImpl.modifyObject(ConnectorInstanceConnIdImpl.java:1843)
>>> ~[ucf-impl-connid-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.impl.ResourceObjectConver
>>> ter.executeModify(ResourceObjectConverter.java:765)
>>> [provisioning-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.impl.ResourceObjectConver
>>> ter.executeEntitlements(ResourceObjectConverter.java:1165)
>>> [provisioning-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.impl.ResourceObjectConver
>>> ter.executeEntitlementChangesModify(ResourceObjectConverter.java:1112)
>>> [provisioning-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.impl.ResourceObjectConver
>>> ter.modifyResourceObject(ResourceObjectConverter.java:612)
>>> [provisioning-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.impl.ShadowCache.modifyShadow(ShadowCache.java:684)
>>> [provisioning-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceI
>>> mpl.modifyObject(ProvisioningServiceImpl.java:679)
>>> [provisioning-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.modifyP
>>> rovisioningObject(ChangeExecutor.java:1397) [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute
>>> Modification(ChangeExecutor.java:1281) [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeDelta(ChangeExecutor.java:812)
>>> [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute
>>> Changes(ChangeExecutor.java:308) [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.Clockwork.lambda$proce
>>> ssSecondary$0(Clockwork.java:481) [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java:1253)
>>> ~[model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java:1240)
>>> ~[model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.Clockwork.processSecondary(Clockwork.java:479)
>>> [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java:327)
>>> [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:203)
>>> [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.controller.ModelController.
>>> executeChanges(ModelController.java:569) ~[model-impl-3.6.jar:na]
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> ~[na:1.8.0_131]
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> ~[na:1.8.0_131]
>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> ~[na:1.8.0_131]
>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>> ~[na:1.8.0_131]
>>>         at org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invo
>>> ke(LazyInitProxyFactory.java:507) ~[wicket-ioc-7.6.0.jar:7.6.0]
>>>         at com.sun.proxy.$Proxy156.executeChanges(Unknown Source)
>>> ~[na:na]
>>>         at com.evolveum.midpoint.web.component.progress.ProgressReporte
>>> r.lambda$executeChangesAsync$0(ProgressReporter.java:187) ~[classes/:na]
>>>         at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_131]
>>> 2017-09-27 13:59:45,129 [] [Thread-23] ERROR
>>> (com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter):
>>> Error while modifying entitlement ProvisioningContext(for RSD(entitlement
>>> (Group) @00000000-0004-0000-0000-00000000004) in
>>> object:00000000-0004-0000-0000-00000000004(myOpenLDAP4)) of
>>> ProvisioningContext(for shadow:9873b7ed-3679-4a66-9445
>>> -344e9b52dd34(uid=Oleksandr.Nekriach,ou=Agents,ou=Users,ou=MD,dc=dyninno,dc=test)
>>> in object:00000000-0004-0000-0000-00000000004(myOpenLDAP4)): Schema
>>> violation: Invalid attribute: org.identityconnectors.framewo
>>> rk.common.exceptions.InvalidAttributeValueException(Error modifying
>>> LDAP entry cn=TestRole_forMidpoint_2,ou=InternalGroups,ou=Groups,ou=MD,dc=dyninno,dc=test:
>>> [remove:member: uid=Oleksandr.Nekriach,ou=Agen
>>> ts,ou=Users,ou=MD,dc=dyninno,dc=test,]: noSuchAttribute:  (16))
>>> com.evolveum.midpoint.util.exception.SchemaException: Schema violation:
>>> Invalid attribute: org.identityconnectors.framewo
>>> rk.common.exceptions.InvalidAttributeValueException(Error modifying
>>> LDAP entry cn=TestRole_forMidpoint_2,ou=InternalGroups,ou=Groups,ou=MD,dc=dyninno,dc=test:
>>> [remove:member: uid=Oleksandr.Nekriach,ou=Agen
>>> ts,ou=Users,ou=MD,dc=dyninno,dc=test,]: noSuchAttribute:  (16))
>>>         at com.evolveum.midpoint.provisioning.impl.ResourceObjectConver
>>> ter.executeModify(ResourceObjectConverter.java:797)
>>> [provisioning-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.impl.ResourceObjectConver
>>> ter.executeEntitlements(ResourceObjectConverter.java:1165)
>>> [provisioning-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.impl.ResourceObjectConver
>>> ter.executeEntitlementChangesModify(ResourceObjectConverter.java:1112)
>>> [provisioning-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.impl.ResourceObjectConver
>>> ter.modifyResourceObject(ResourceObjectConverter.java:612)
>>> [provisioning-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.impl.ShadowCache.modifyShadow(ShadowCache.java:684)
>>> [provisioning-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceI
>>> mpl.modifyObject(ProvisioningServiceImpl.java:679)
>>> [provisioning-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.modifyP
>>> rovisioningObject(ChangeExecutor.java:1397) [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute
>>> Modification(ChangeExecutor.java:1281) [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeDelta(ChangeExecutor.java:812)
>>> [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute
>>> Changes(ChangeExecutor.java:308) [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.Clockwork.lambda$proce
>>> ssSecondary$0(Clockwork.java:481) [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java:1253)
>>> ~[model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java:1240)
>>> ~[model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.Clockwork.processSecondary(Clockwork.java:479)
>>> [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java:327)
>>> [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:203)
>>> [model-impl-3.6.jar:na]
>>>         at com.evolveum.midpoint.model.impl.controller.ModelController.
>>> executeChanges(ModelController.java:569) ~[model-impl-3.6.jar:na]
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> ~[na:1.8.0_131]
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> ~[na:1.8.0_131]
>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> ~[na:1.8.0_131]
>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>> ~[na:1.8.0_131]
>>>         at org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invo
>>> ke(LazyInitProxyFactory.java:507) ~[wicket-ioc-7.6.0.jar:7.6.0]
>>>         at com.sun.proxy.$Proxy156.executeChanges(Unknown Source)
>>> ~[na:na]
>>>         at com.evolveum.midpoint.web.component.progress.ProgressReporte
>>> r.lambda$executeChangesAsync$0(ProgressReporter.java:187) ~[classes/:na]
>>>         at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_131]
>>> Caused by: com.evolveum.midpoint.util.exception.SchemaException:
>>> Invalid attribute: org.identityconnectors.framewo
>>> rk.common.exceptions.InvalidAttributeValueException(Error modifying
>>> LDAP entry cn=TestRole_forMidpoint_2,ou=InternalGroups,ou=Groups,ou=MD,dc=dyninno,dc=test:
>>> [remove:member: uid=Oleksandr.Nekriach,ou=Agen
>>> ts,ou=Users,ou=MD,dc=dyninno,dc=test,]: noSuchAttribute:  (16))
>>>         at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUti
>>> l.lookForKnownCause(ConnIdUtil.java:352) ~[ucf-impl-connid-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUti
>>> l.processIcfException(ConnIdUtil.java:215) ~[ucf-impl-connid-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.ucf.impl.connid.Connector
>>> InstanceConnIdImpl.modifyObject(ConnectorInstanceConnIdImpl.java:1850)
>>> ~[ucf-impl-connid-3.6.jar:na]
>>>         at com.evolveum.midpoint.provisioning.impl.ResourceObjectConver
>>> ter.executeModify(ResourceObjectConverter.java:765)
>>> [provisioning-impl-3.6.jar:na]
>>>         ... 24 common frames omitted
>>>
>>>
>>> --
>>> Best regards,
>>>
>>> Oleksandr Nekriach | Identity and access management engineer
>>>
>>> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
>>>
>>> +37125314685 <+371%2025%20314%20685>
>>> ,
>>> o.nekriach at dynatech.lv
>>> |
>>> www.dynatech.lv
>>>
>>>
>>>
>>>
>>> Stay connected:
>>> <https://www.facebook.com/DynatechLatvia/?ref=br_rs>
>>> <https://www.linkedin.com/company-beta/17893047/>
>>>
>>>
>>> Confidentiality Notice: This message contains confidential information
>>> and is intended only for the named recipient(s). If you are not the
>>> addressee you may not copy, distribute or perform any other activities with
>>> this information. If you have received this transmission in error, please
>>> notify us by e-mail immediately. E-mail transmission cannot be guaranteed
>>> to be secure or error-free as information could be intercepted, corrupted,
>>> lost, destroyed, arrive late or incomplete, or contain viruses.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>> Ivan Noris
>>> Senior Identity Engineerevolveum.com
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>> --
>> Best regards,
>>
>> Oleksandr Nekriach | Identity and access management engineer
>>
>> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
>>
>> +37125314685 <+371%2025%20314%20685>
>> ,
>> o.nekriach at dynatech.lv
>> |
>> www.dynatech.lv
>>
>>
>>
>>
>> Stay connected:
>> <https://www.facebook.com/DynatechLatvia/?ref=br_rs>
>> <https://www.linkedin.com/company-beta/17893047/>
>>
>>
>> Confidentiality Notice: This message contains confidential information
>> and is intended only for the named recipient(s). If you are not the
>> addressee you may not copy, distribute or perform any other activities with
>> this information. If you have received this transmission in error, please
>> notify us by e-mail immediately. E-mail transmission cannot be guaranteed
>> to be secure or error-free as information could be intercepted, corrupted,
>> lost, destroyed, arrive late or incomplete, or contain viruses.
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>> Ivan Noris
>> Senior Identity Engineerevolveum.com
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
> --
> Best regards,
>
> Oleksandr Nekriach | Identity and access management engineer
>
> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia
>
> +37125314685 <+371%2025%20314%20685>
> ,
> o.nekriach at dynatech.lv
> |
> www.dynatech.lv
>
>
>
>
> Stay connected:
> <https://www.facebook.com/DynatechLatvia/?ref=br_rs>
> <https://www.linkedin.com/company-beta/17893047/>
>
>
> Confidentiality Notice: This message contains confidential information and
> is intended only for the named recipient(s). If you are not the addressee
> you may not copy, distribute or perform any other activities with this
> information. If you have received this transmission in error, please notify
> us by e-mail immediately. E-mail transmission cannot be guaranteed to be
> secure or error-free as information could be intercepted, corrupted, lost,
> destroyed, arrive late or incomplete, or contain viruses.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>


-- 
Best regards,

Oleksandr Nekriach | Identity and access management engineer

Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia

+37125314685 <+371%2025%20314%20685>
,
o.nekriach at dynatech.lv
|
www.dynatech.lv




Stay connected:
<https://www.facebook.com/DynatechLatvia/?ref=br_rs>
<https://www.linkedin.com/company-beta/17893047/>


Confidentiality Notice: This message contains confidential information and
is intended only for the named recipient(s). If you are not the addressee
you may not copy, distribute or perform any other activities with this
information. If you have received this transmission in error, please notify
us by e-mail immediately. E-mail transmission cannot be guaranteed to be
secure or error-free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170928/32789545/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7771
Type: image/png
Size: 790 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170928/32789545/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7770
Type: image/png
Size: 2602 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170928/32789545/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7772
Type: image/png
Size: 786 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170928/32789545/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7771
Type: image/png
Size: 790 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170928/32789545/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7770
Type: image/png
Size: 2602 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170928/32789545/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: o.nekriach at dynatech.lv1502777022855-7772
Type: image/png
Size: 786 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170928/32789545/attachment-0005.png>


More information about the midPoint mailing list