[midPoint] unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)

Javier Ignacio Martinez jmartinez at identicum.com
Fri Aug 2 23:12:09 CEST 2019


Hi,
I think we had the same issue when trying to access all users on an Active
Directory Resource.

After doing some research, what worked for us was adding this line inside
<connectorConfiguration>:

<pagingBlockSize>5</pagingBlockSize>

Let me know if this works for you.
Regards.

On Wed, Jul 31, 2019 at 9:15 AM Radovan Semancik <
radovan.semancik at evolveum.com> wrote:

> Hi,
>
> I was curious. I have checked my testing AD 2012R2. And it works well with
> VLV:
>
> Search REQ base=CN=Users,DC=ad,DC=evolveum,DC=com,
> filter=(objectClass=user), scope=sub,
>  attributes=[*, unicodePwd, userAccountControl, createTimeStamp,
> msExchHideFromAddressLists, objectGUID, objectClass],
> controls=Sort(cn:null:A),,VLV(beforeCount=0, afterCount=1, offset=2,
> contentCount=0, contextID=null)
>
> Maybe the problem is not VLV by itself, maybe the problem is that sort?
> Maybe it works only for some attributes?
> Or maybe there is some special configuration in your case? My AD instance
> is pretty much default configuration.
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
> On 7/30/19 2:48 PM, JStanczak at vinu.edu wrote:
>
> Windows Server 2012 R2.
>
> Ya I've tried several codes. Nothing seems to work. Many of the codes were
> from Ldp.exe. SPR is ok for now but I will have to loop back and fix this
> issue later. I'm kind of at a loss for the moment.
>
> Thanks.
>
>
> -----"midPoint" <midpoint-bounces at lists.evolveum.com> wrote: -----
> To: midpoint at lists.evolveum.com
> From: "Radovan Semancik"
> Sent by: "midPoint"
> Date: 07/30/2019 04:01AM
> Subject: Re: [midPoint] unavailableCriticalExtension: 000020EF: SvcErr:
> DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)
>
> Hi,
>
> Ordering rule 2.5.13.3 works for OpenLDAP. It is perhaps worth trying. The
> trouble with AD is that it does not specify any matching rules in its LDAP
> schema. Therefore this is all pretty much a guesswork.
>
> However, I'm quite curious. What version/flavor of AD are you using? I
> have tested the connector with several versions and configurations, but I
> have never run into this problem. Paging/sorting worked without any need
> for special configuration. I wonder what might be the root cause.
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
> On 7/29/19 5:50 PM, JStanczak at vinu.edu wrote:
>
> That helps. It's the VLV causing it. I think I have it almost there but
> I'm not sure what ordering rule (VLV ordering rule) to use.
>
> controls=Sort(uid:<????>:A) <-- I've tried several numbers and each time I
> get unavailableCriticalExtension.
>
> Setting to SPR works just fine but it would be nice to use VLV if it's
> better.
>
> Thanks.
>
>
>
>
> -----"midPoint" <midpoint-bounces at lists.evolveum.com> wrote: -----
> To: midpoint at lists.evolveum.com
> From: "Radovan Semancik"
> Sent by: "midPoint"
> Date: 07/25/2019 05:27AM
> Subject: Re: [midPoint] unavailableCriticalExtension: 000020EF: SvcErr:
> DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)
>
> Hi,
>
> LDAP protocol is extensible by using the mechanisms of extended operations
> and controls. This error suggests that AD does not support one of the
> controls that are used in the operation that midPoint has requested. You can
> have a look at AD log files and hope that you will find more information as
> to which particular control is not supported. Or you can contact Microsoft
> support. However, according to my experience, both are quite pointless
> exercises. When it comes to that particular technology, trial-and-error is
> the best approach that I could find.
>
> Therefore I would suggest to follow our troubleshooting guide:
>
> https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting
>
> I would recommend to find the LDAP operation that caused the error. The
> connector should log all important parts of the operations, including the
> controls. Look for "controls=....". One of those controls is probably the
> cause of the problem. Once you know what control is the problem, you can
> try to enable that control in the AD. Or, if that is not possible, then the
> connector has several configuration options that control the use of those LDAP
> controls. However, the connector is only using a very basic set of controls
> that make LDAP protocol barely usable for IDM purposes. Disabling any of
> them may affect usability of midPoint's connection to AD. But I'm
> speculating here. Let's see what control is the problem first.
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
> On 7/24/19 3:44 PM, JStanczak at vinu.edu wrote:
>
> When accessing all users on the resource I get the below error. Searching
> for users works fine too. Is this some AD limitation?
>
>
> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector - 2.0
> java.version - 1.8.0_191
> Version - 3.9
> ConnId framework version - 1.5.0.0
>
> com.evolveum.midpoint.util.exception.CommunicationException: Error
> communicating with the connector
> ConnectorInstanceIcfImpl(connector:cd7ec95b-9007-47b4-b6f6-9a95ec085f68(ConnId
> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v2.0)): IO error:
> org.identityconnectors.framework.common.exceptions.ConnectorIOException(LDAP
> error during search in DC=local-test,DC=vinu,DC=edu:
> unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140552, problem 5010
> (UNAVAIL_EXTENSION), data 0?? (12))
> at
> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.searchResourceObjects(ResourceObjectConverter.java:1330)
>
> Thanks.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint


-- 
Javier Martínez
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
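
The troubleshooting step discussed in the thread (find the `controls=` part of the logged search and work out which control the server rejects) can be scripted. The following is an added example, not code from the thread or from the midPoint connector: it parses the Search REQ line quoted above, maps the Sort and VLV controls to their standard OIDs, and compares them with a server's `supportedControl` values. The function names and the `SUPPORTED_NO_VLV` set are constructed for illustration, and the meaning of `A` as ascending is an assumption.

```python
import re

# Standard OIDs for the two request controls visible in the thread's log line.
CONTROL_OIDS = {
    "Sort": "1.2.840.113556.1.4.473",  # server-side sort request (RFC 2891)
    "VLV": "2.16.840.1.113730.3.4.9",  # virtual list view request
}

# Search REQ line quoted in the thread, with the e-mail line breaks joined.
SAMPLE_LINE = (
    "Search REQ base=CN=Users,DC=ad,DC=evolveum,DC=com, "
    "filter=(objectClass=user), scope=sub, "
    "attributes=[*, unicodePwd, userAccountControl, createTimeStamp, "
    "msExchHideFromAddressLists, objectGUID, objectClass], "
    "controls=Sort(cn:null:A),,VLV(beforeCount=0, afterCount=1, offset=2, "
    "contentCount=0, contextID=null)"
)

# Constructed supportedControl set: sort and simple paged results, but no VLV.
SUPPORTED_NO_VLV = {"1.2.840.113556.1.4.473", "1.2.840.113556.1.4.319"}


def parse_controls(log_line):
    """Return (name, oid_or_None, args) for each control after 'controls='."""
    m = re.search(r"controls=(.*)", log_line, re.DOTALL)
    if not m:
        return []
    return [(name, CONTROL_OIDS.get(name), " ".join(args.split()))
            for name, args in re.findall(r"(\w+)\(([^()]*)\)", m.group(1))]


def parse_sort_key(args):
    """Split 'attr:orderingRule:order' as logged; 'A' assumed to mean ascending."""
    attr, rule, order = args.split(":")
    return {"attribute": attr,
            "ordering_rule": None if rule == "null" else rule,
            "ascending": order == "A"}


def unadvertised(log_line, supported_controls):
    """Names of requested controls that are unmapped or not advertised."""
    return [name for name, oid, _ in parse_controls(log_line)
            if oid is None or oid not in supported_controls]


if __name__ == "__main__":
    for name, oid, args in parse_controls(SAMPLE_LINE):
        print(name, oid, args)
    print("not advertised:", unadvertised(SAMPLE_LINE, SUPPORTED_NO_VLV))
```

In practice the `supportedControl` set would be read from the directory's root DSE rather than hard-coded.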