[midPoint] unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)

Javier Ignacio Martinez jmartinez at identicum.com
Fri Aug 2 23:14:55 CEST 2019


Sorry, I missed something in the previous email:
we also modified the paging strategy in the connectorConfiguration:

<pagingStrategy>spr</pagingStrategy>

Regards.

On Fri, Aug 2, 2019 at 6:12 PM Javier Ignacio Martinez <
jmartinez at identicum.com> wrote:

> Hi,
> I think we had the same issue when trying to access all users on an Active
> Directory Resource.
>
> After doing some research, what worked for us was adding this line inside
> <connectorConfiguration>:
>
> <pagingBlockSize>5</pagingBlockSize>
>
> Let me know if this works for you.
> Regards.
>
> On Wed, Jul 31, 2019 at 9:15 AM Radovan Semancik <
> radovan.semancik at evolveum.com> wrote:
>
>> Hi,
>>
>> I was curious. I have checked my testing AD 2012R2. And it works well
>> with VLV:
>>
>> Search REQ base=CN=Users,DC=ad,DC=evolveum,DC=com,
>> filter=(objectClass=user), scope=sub,
>>  attributes=[*, unicodePwd, userAccountControl, createTimeStamp,
>> msExchHideFromAddressLists, objectGUID, objectClass],
>> controls=Sort(cn:null:A),,VLV(beforeCount=0, afterCount=1, offset=2,
>> contentCount=0, contextID=null)
>>
>> Maybe the problem is not VLV by itself, maybe the problem is that sort?
>> Maybe it works only for some attributes?
>> Or maybe there is some special configuration in your case? My AD instance
>> is pretty much default configuration.
>>
>> --
>> Radovan Semancik
>> Software Architect
>> evolveum.com
>>
>>
>>
>> On 7/30/19 2:48 PM, JStanczak at vinu.edu wrote:
>>
>> Windows Server 2012 R2.
>>
>> Ya I've tried several codes. Nothing seems to work. Many of the codes
>> were from Ldp.exe. SPR is ok for now but I will have to loop back and fix
>> this issue later. I'm kind of at a loss for the moment.
>>
>> Thanks.
>>
>>
>> -----"midPoint" <midpoint-bounces at lists.evolveum.com> wrote: -----
>> To: midpoint at lists.evolveum.com
>> From: "Radovan Semancik"
>> Sent by: "midPoint"
>> Date: 07/30/2019 04:01AM
>> Subject: Re: [midPoint] unavailableCriticalExtension: 000020EF: SvcErr:
>> DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)
>>
>> Hi,
>>
>> Ordering rule 2.5.13.3 works for OpenLDAP. It is perhaps worth trying.
>> The trouble with AD is that it does not specify any matching rules in its
>> LDAP schema. Therefore this is all pretty much a guesswork.
>>
>> However, I'm quite curious. What version/flavor of AD are you using? I
>> have tested the connector with several versions and configurations, but I
>> have never run into this problem. Paging/sorting worked without any need
>> for special configuration. I wonder what might be the root cause.
>>
>> --
>> Radovan Semancik
>> Software Architect
>> evolveum.com
>>
>>
>>
>> On 7/29/19 5:50 PM, JStanczak at vinu.edu wrote:
>>
>> That helps. It's the VLV causing it. I think I have it almost there but
>> I'm not sure what ordering rule (VLV ordering rule) to use.
>>
>> controls=Sort(uid:<????>:A) <-- I've tried several numbers and each time
>> I get unavailableCriticalExtension.
>>
>> Setting to SPR works just fine but it would be nice to use VLV if it's
>> better.
>>
>> Thanks.
>>
>>
>>
>>
>> -----"midPoint" <midpoint-bounces at lists.evolveum.com> wrote: -----
>> To: midpoint at lists.evolveum.com
>> From: "Radovan Semancik"
>> Sent by: "midPoint"
>> Date: 07/25/2019 05:27AM
>> Subject: Re: [midPoint] unavailableCriticalExtension: 000020EF: SvcErr:
>> DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)
>>
>> Hi,
>>
>> LDAP protocol is extensible by using the mechanisms of extended operations
>> and controls. This error suggests that AD does not support one of the
>> controls that are used in the operation that midPoint has requested. You can
>> have a look at AD log files and hope that you will find more information as
>> to which particular control is not supported. Or you can contact Microsoft
>> support. However, according to my experience, both are quite pointless
>> exercises. When it comes to that particular technology, trial-and-error is
>> the best approach that I could find.
>>
>> Therefore I would suggest following our troubleshooting guide:
>>
>> https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting
>>
>> I would recommend finding the LDAP operation that caused the error. The
>> connector should log all important parts of the operations, including the
>> controls. Look for "controls=....". One of those controls is probably the
>> cause of the problem. Once you know what control is the problem, you can
>> try to enable that control in the AD. Or, if that is not possible, then the
>> connector has several configuration options that control the use of those LDAP
>> controls. However, the connector is only using a very basic set of controls
>> that make LDAP protocol barely usable for IDM purposes. Disabling any of
>> them may affect usability of midPoint's connection to AD. But I'm
>> speculating here. Let's see what control is the problem first.
>>
>> --
>> Radovan Semancik
>> Software Architect
>> evolveum.com
>>
>>
>> On 7/24/19 3:44 PM, JStanczak at vinu.edu wrote:
>>
>> When accessing all users on the resource I get the below error. Searching
>> for users works fine too. Is this some AD limitation?
>>
>>
>> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector - 2.0
>> java.version - 1.8.0_191
>> Version - 3.9
>> ConnId framework version - 1.5.0.0
>>
>> com.evolveum.midpoint.util.exception.CommunicationException: Error
>> communicating with the connector
>> ConnectorInstanceIcfImpl(connector:cd7ec95b-9007-47b4-b6f6-9a95ec085f68(ConnId
>> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v2.0)): IO error:
>> org.identityconnectors.framework.common.exceptions.ConnectorIOException(LDAP
>> error during search in DC=local-test,DC=vinu,DC=edu:
>> unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140552, problem 5010
>> (UNAVAIL_EXTENSION), data 0?? (12))
>> at
>> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.searchResourceObjects(ResourceObjectConverter.java:1330)
>>
>> Thanks.
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
>
> --
> Javier Martínez
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
>

-- 
Javier Martínez
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
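
As an added example (not part of the original thread and not the connector's own code), this Python script follows the advice above to look for "controls=...." in the connector log: it extracts the controls from the search line quoted in the thread and compares them with a server's rootDSE `supportedControl` values. The function names and the `SAMPLE_SUPPORTED` set are constructed for illustration; the OIDs are the standard ones for server-side sort, VLV and simple paged results.

```python
import re

# Standard OIDs of the request controls named in the connector's search log.
CONTROL_OIDS = {
    "Sort": "1.2.840.113556.1.4.473",   # server-side sort request
    "VLV": "2.16.840.1.113730.3.4.9",   # virtual list view request
}
SPR_OID = "1.2.840.113556.1.4.319"      # simple paged results (pagingStrategy spr)

# Search line from the thread, re-joined onto one line.
LOG_LINE = (
    "Search REQ base=CN=Users,DC=ad,DC=evolveum,DC=com, "
    "filter=(objectClass=user), scope=sub, "
    "controls=Sort(cn:null:A),,VLV(beforeCount=0, afterCount=1, offset=2, "
    "contentCount=0, contextID=null)"
)

# Constructed rootDSE supportedControl values (not taken from any real server).
SAMPLE_SUPPORTED = {SPR_OID, "1.2.840.113556.1.4.473"}


def parse_controls(log_line):
    """Return [(name, args)] for each control after 'controls=' in a log line."""
    match = re.search(r"controls=(.*)", log_line, re.S)
    if not match:
        return []
    return re.findall(r"([A-Za-z]+)\(([^)]*)\)", match.group(1))


def diagnose(log_line, supported_controls):
    """Compare requested controls with the server's advertised supportedControl."""
    report = {"requested": [], "not_advertised": [], "unknown": [], "sort_keys": []}
    for name, args in parse_controls(log_line):
        report["requested"].append(name)
        oid = CONTROL_OIDS.get(name)
        if oid is None:
            report["unknown"].append(name)      # control this table cannot map
        elif oid not in supported_controls:
            report["not_advertised"].append(name)
        if name == "Sort":
            # Logged as attribute:orderingRule:direction (format seen in the thread).
            attr, rule, direction = args.split(":")
            report["sort_keys"].append((attr, None if rule == "null" else rule, direction))
    report["spr_available"] = SPR_OID in supported_controls
    return report


if __name__ == "__main__":
    print(diagnose(LOG_LINE, SAMPLE_SUPPORTED))
```

A control listed in `supportedControl` is necessary but not sufficient: the server can still reject a particular request that marks it critical, so an empty `not_advertised` list narrows the search rather than ending it.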