[midPoint] unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)

Radovan Semancik radovan.semancik at evolveum.com
Tue Jul 30 10:01:05 CEST 2019


Hi,

Ordering rule 2.5.13.3 works for OpenLDAP. It is perhaps worth trying. 
The trouble with AD is that it does not specify any matching rules in 
its LDAP schema. Therefore this is all pretty much guesswork.

However, I'm quite curious. What version/flavor of AD are you using? I 
have tested the connector with several versions and configurations, but 
I have never run into this problem. Paging/sorting worked without any 
need for special configuration. I wonder what might be the root cause.

-- 
Radovan Semancik
Software Architect
evolveum.com




On 7/29/19 5:50 PM, JStanczak at vinu.edu wrote:
> That helps. It's the VLV causing it. I think I have it almost there 
> but I'm not sure what ordering rule (VLV ordering rule) to use.
>
> controls=Sort(uid:<????>:A) <-- I've tried several numbers and each 
> time I get unavailableCriticalExtension.
>
> Setting to SPR works just fine but it would be nice to use VLV if it's 
> better.
>
> Thanks.
>
>
>
>
> -----"midPoint" <midpoint-bounces at lists.evolveum.com> wrote: -----
> To: midpoint at lists.evolveum.com
> From: "Radovan Semancik"
> Sent by: "midPoint"
> Date: 07/25/2019 05:27AM
> Subject: Re: [midPoint] unavailableCriticalExtension: 000020EF: 
> SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)
>
> Hi,
>
> The LDAP protocol is extensible by using the mechanisms of extended 
> operations and controls. This error suggests that AD does not support 
> one of the controls that are used in the operation that midPoint has 
> requested. You can have a look at AD log files and hope that you will 
> find more information as to which particular control is not supported. 
> Or you can contact Microsoft support. However, according to my 
> experience, both are quite pointless exercises. When it comes to that 
> particular technology, trial-and-error is the best approach that I 
> could find.
>
> Therefore I would suggest following our troubleshooting guide:
>
> https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting
>
> I would recommend finding the LDAP operation that caused the error. 
> The connector should log all important parts of the operations, 
> including the controls. Look for "controls=....". One of those 
> controls is probably the cause of the problem. Once you know what 
> control is the problem, you can try to enable that control in the AD. Or, 
> if that is not possible, then the connector has several configuration 
> options that control the use of those LDAP controls. However, the 
> connector is only using a very basic set of controls that make LDAP 
> protocol barely usable for IDM purposes. Disabling any of them may 
> affect usability of midPoint's connection to AD. But I'm speculating 
> here. Let's see what control is the problem first.
>
> -- 
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
> On 7/24/19 3:44 PM, JStanczak at vinu.edu wrote:
>> When accessing all users on the resource I get the below error. 
>> Searching for users works fine too. Is this some AD limitation?
>>
>>
>> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector - 2.0
>> java.version - 1.8.0_191
>> Version - 3.9
>> ConnId framework version - 1.5.0.0
>>
>> com.evolveum.midpoint.util.exception.CommunicationException: Error 
>> communicating with the connector 
>> ConnectorInstanceIcfImpl(connector:cd7ec95b-9007-47b4-b6f6-9a95ec085f68(ConnId 
>> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v2.0)): IO 
>> error: 
>> org.identityconnectors.framework.common.exceptions.ConnectorIOException(LDAP 
>> error during search in DC=local-test,DC=vinu,DC=edu: 
>> unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140552, 
>> problem 5010 (UNAVAIL_EXTENSION), data 0?? (12))
>> at 
>> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.searchResourceObjects(ResourceObjectConverter.java:1330)
>>
>> Thanks.
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>

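What the ordering rule in `Sort(uid:<rule>:A)` becomes on the wire, as an added example that is not part of the original thread or the connector's code: it BER-encodes the RFC 2891 server-side sort request control. Reading the `A` field as "ascending" and sending the control with criticality TRUE are assumptions; under RFC 4511 a server that cannot honor a critical control answers unavailableCriticalExtension.

```python
# Added example (not connector code): BER encoding of the RFC 2891 sort control.
SORT_REQUEST_OID = "1.2.840.113556.1.4.473"  # server-side sort request control


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element with a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def parse_sort_token(token: str):
    """Split 'Sort(attr:rule:A)' as logged in the thread.

    Assumption: the last field is the direction (A ascending, D descending)
    and an empty rule field means no ordering rule is sent.
    """
    if not (token.startswith("Sort(") and token.endswith(")")):
        raise ValueError("not a Sort(...) token")
    fields = token[5:-1].split(":")
    if len(fields) != 3 or fields[2] not in ("A", "D"):
        raise ValueError("expected Sort(attr:rule:A|D)")
    attr, rule, direction = fields
    return attr, rule or None, direction == "D"


def sort_control_value(attr, ordering_rule=None, reverse=False) -> bytes:
    """SortKeyList: SEQUENCE OF SEQUENCE {attributeType, [0] rule, [1] reverse}."""
    key = _tlv(0x04, attr.encode())                   # attributeType
    if ordering_rule is not None:
        key += _tlv(0x80, ordering_rule.encode())     # orderingRule [0], OPTIONAL
    if reverse:
        key += _tlv(0x81, b"\xff")                    # reverseOrder [1], DEFAULT FALSE
    return _tlv(0x30, _tlv(0x30, key))


def sort_control(token: str, critical: bool = True) -> bytes:
    """Control: SEQUENCE {controlType, criticality DEFAULT FALSE, controlValue}."""
    value = sort_control_value(*parse_sort_token(token))
    body = _tlv(0x04, SORT_REQUEST_OID.encode())
    if critical:
        body += _tlv(0x01, b"\xff")                   # criticality TRUE
    return _tlv(0x30, body + _tlv(0x04, value))
```

Comparing `sort_control("Sort(uid:2.5.13.3:A)").hex()` with the bytes in a packet capture of the failing search shows whether the ordering rule and the critical flag are actually being sent.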
