[midPoint] unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)

Jason Everling jeverling at bshp.edu
Tue Jul 30 19:39:09 CEST 2019


Most of those settings are standard LDAP related; for AD it seems to not
like most of the settings. We are using the AD/LDAP connector on 2019 without
issue. The results config is below; everything else is undefined.

      <icfc:resultsHandlerConfiguration>
        <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
        <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
        <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
      </icfc:resultsHandlerConfiguration>



On Tue, Jul 30, 2019 at 7:48 AM <JStanczak at vinu.edu> wrote:

> Windows Server 2012 R2.
>
> Ya I've tried several codes. Nothing seems to work. Many of the codes were
> from Ldp.exe. SPR is ok for now but I will have to loop back and fix this
> issue later. I'm kind of at a loss for the moment.
>
> Thanks.
>
>
> -----"midPoint" <midpoint-bounces at lists.evolveum.com> wrote: -----
> To: midpoint at lists.evolveum.com
> From: "Radovan Semancik"
> Sent by: "midPoint"
> Date: 07/30/2019 04:01AM
> Subject: Re: [midPoint] unavailableCriticalExtension: 000020EF: SvcErr:
> DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)
>
> Hi,
>
> Ordering rule 2.5.13.3 works for OpenLDAP. It is perhaps worth trying. The
> trouble with AD is that it does not specify any matching rules in its LDAP
> schema. Therefore this is all pretty much a guesswork.
>
> However, I'm quite curious. What version/flavor of AD are you using? I
> have tested the connector with several versions and configurations, but I
> have never run into this problem. Paging/sorting worked without any need
> for special configuration. I wonder what might be the root cause.
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
> On 7/29/19 5:50 PM, JStanczak at vinu.edu wrote:
>
> That helps. It's the VLV causing it. I think I have it almost there but
> I'm not sure what ordering rule (VLV ordering rule) to use.
>
> controls=Sort(uid:<????>:A) <-- I've tried several numbers and each time I
> get unavailableCriticalExtension.
>
> Setting to SPR works just fine but it would be nice to use VLV if it's
> better.
>
> Thanks.
>
>
>
>
> -----"midPoint" <midpoint-bounces at lists.evolveum.com> wrote: -----
> To: midpoint at lists.evolveum.com
> From: "Radovan Semancik"
> Sent by: "midPoint"
> Date: 07/25/2019 05:27AM
> Subject: Re: [midPoint] unavailableCriticalExtension: 000020EF: SvcErr:
> DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)
>
> Hi,
>
> LDAP protocol is extensible by using the mechanisms of extended operations
> and controls. This error suggests that AD does not support one of the
> controls that are used in the operation that midPoint has requested. You can
> have a look at AD log files and hope that you will find more information as
> to which particular control is not supported. Or you can contact Microsoft
> support. However, according to my experience, both are quite pointless
> exercises. When it comes to that particular technology, trial-and-error is
> the best approach that I could find.
>
> Therefore I would suggest to follow our troubleshooting guide:
>
> https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting
>
> I would recommend to find the LDAP operation that caused the error. The
> connector should log all important parts of the operations, including the
> controls. Look for "controls=....". One of those controls is probably the
> cause of the problem. Once you know what control is the problem, you can
> try to enable that control in the AD. Or, if that is not possible, then the
> connector has several configuration options that control the use of those LDAP
> controls. However, the connector is only using a very basic set of controls
> that make LDAP protocol barely usable for IDM purposes. Disabling any of
> them may affect usability of midPoint's connection to AD. But I'm
> speculating here. Let's see what control is the problem first.
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
> On 7/24/19 3:44 PM, JStanczak at vinu.edu wrote:
>
> When accessing all users on the resource I get the below error. Searching
> for users works fine too. Is this some AD limitation?
>
>
> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector - 2.0
> java.version - 1.8.0_191
> Version - 3.9
> ConnId framework version - 1.5.0.0
>
> com.evolveum.midpoint.util.exception.CommunicationException: Error
> communicating with the connector
> ConnectorInstanceIcfImpl(connector:cd7ec95b-9007-47b4-b6f6-9a95ec085f68(ConnId
> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v2.0)): IO error:
> org.identityconnectors.framework.common.exceptions.ConnectorIOException(LDAP
> error during search in DC=local-test,DC=vinu,DC=edu:
> unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140552, problem 5010
> (UNAVAIL_EXTENSION), data 0?? (12))
> at
> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.searchResourceObjects(ResourceObjectConverter.java:1330)
>
> Thanks.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
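
The thread's advice is to find which LDAP control the server rejects. As an added example (not part of the original thread and not midPoint or connector code), this sketch reads the `supportedControl` values of a rootDSE and reports which controls each paging strategy would be missing; the function names and the sample rootDSE are constructed for illustration.

```python
import re

# Well-known control OIDs.
SPR = "1.2.840.113556.1.4.319"   # Simple Paged Results (RFC 2696)
SSS = "1.2.840.113556.1.4.473"   # Server Side Sort request (RFC 2891)
VLV = "2.16.840.1.113730.3.4.9"  # Virtual List View request

# Controls each paging strategy attaches to a search.
# A VLV request is always sent together with a sort control.
REQUIRED = {"spr": {SPR}, "vlv": {SSS, VLV}}

# Constructed sample of rootDSE output in LDIF form (for example from
# ldapsearch -x -s base -b "" supportedControl). It is not taken from the
# thread; the last value is folded across two lines, as LDIF allows.
ROOTDSE_SAMPLE = """dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedLDAPVersion: 3
supportedControl: 1.2.840.113556.
 1.4.417
"""

def unfold(ldif):
    """Join LDIF continuation lines (newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)

def supported_controls(ldif):
    """Return the set of OIDs listed as supportedControl in the rootDSE."""
    oids = set()
    for line in unfold(ldif).splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "supportedcontrol":
            oids.add(value.strip())
    return oids

def missing_controls(ldif):
    """Map each paging strategy to the control OIDs the server does not advertise."""
    have = supported_controls(ldif)
    return {strategy: sorted(need - have) for strategy, need in REQUIRED.items()}

if __name__ == "__main__":
    for strategy, missing in missing_controls(ROOTDSE_SAMPLE).items():
        print(strategy, "OK" if not missing else "missing: " + ", ".join(missing))
```

A server can advertise the sort control and still reject a particular sort key or ordering rule when the control is marked critical, so an empty "missing" list only rules out the simplest cause.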