[midPoint] OpenLDAP Group Member Error
Brad Firestone
bhotrock at gmail.com
Fri May 17 17:34:29 CEST 2019
I'm running midPoint 3.9 with LDAP connector 2.0 Connecting to OpenLDAP
version 2.4.45+dfsg-1ubuntu1 memberOf, refInt, lastBind, and sssvlv
overlays are installed.
I've been trying to setup LDAP group management according to the Wiki
and other docs I've found. Automatic groupOfNames creation in
"ou=roles,ou=accounts,dc=example,dc=com" is working fine when I create a
Role with an Assignment of the LDAP Group Metarole. So that seems like
most of the connection is working correctly.
But I'm getting the following error message when I try to add a user to
a Role that should put them in the LDAP Group.
-------
Operation:
operation.org.identityconnectors.framework.api.ConnectorFacade.updateDelta
Message: Unknown UID: LDAP entry for UID Attribute: {Name=__UID__,
Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
{Name=__NAME__, Value=[cn=test
role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found
Parameters: uid [caed9d00-0c8c-1039-98e5-a53942dc29e0]
attributesDelta: [[Attribute: {Name=member,
ValuesToAdd=[cn=testuser,ou=users,ou=accounts,dc=example,dc=com],
ValuesToRemove=null, ValuesToReplace=null}]]
objectClass: [crOCD
({http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}groupOfNames)]
options: [OperationOptions: {}]
Context: connector [class
org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl]
Error:
org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
entry for UID Attribute: {Name=__UID__,
Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
{Name=__NAME__, Value=[cn=test
role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found)
-------
Here is the Association section from the LDAP Resource:
<association>
<ref>ri:ldapGroup</ref>
<tolerant>false</tolerant>
<displayName>LDAP Group Membership</displayName>
<kind>entitlement</kind>
<intent>ldapGroup</intent>
<direction>objectToSubject</direction>
<associationAttribute>ri:member</associationAttribute>
<valueAttribute>ri:dn</valueAttribute>
<shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
<explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
And the Entitlement Object section from the LDAP Resource:
<objectType>
<kind>entitlement</kind>
<intent>ldapGroup</intent>
<displayName>LDAP Group</displayName>
<objectClass>ri:groupOfNames</objectClass>
<attribute>
<ref>ri:dn</ref>
<matchingRule>mr:distinguishedName</matchingRule>
<outbound>
<!-- Name cannot be weak. Changes in name trigger
object rename. -->
<source>
<path>$focus/name</path>
</source>
<expression>
<script>
<code>
import javax.naming.ldap.Rdn
import javax.naming.ldap.LdapName
dn = new
LdapName('ou=roles,ou=accounts,dc=example,dc=org')
dn.add(new Rdn('cn', name.toString()))
return dn.toString()
</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<ref>ri:member</ref>
<matchingRule>mr:distinguishedName</matchingRule>
<fetchStrategy>minimal</fetchStrategy>
<outbound>
<strength>strong</strength>
<!-- Workaround - groupOfNames MUST have at least
one member. Even non-existent DN. -->
<expression>
<value>cn=dummy,o=whatever</value>
</expression>
</outbound>
</attribute>
<attribute>
<ref>ri:cn</ref>
<matchingRule>mr:stringIgnoreCase</matchingRule>
<outbound>
<strength>weak</strength>
<source>
<path>$focus/name</path>
</source>
</outbound>
</attribute>
<attribute>
<ref>ri:description</ref>
<outbound>
<source>
<path>description</path>
</source>
</outbound>
</attribute>
<configuredCapabilities>
<cap:pagedSearch>
<cap:defaultSortField>ri:cn</cap:defaultSortField>
</cap:pagedSearch>
</configuredCapabilities>
</objectType>
I'm not sure if there are other important configs that would be helpful
to see. I'll be happy to post anything that's helpful.
This may be a related issue that might help locate the issue: When I
look at the Accounts tab of the Resource in the GUI, Search In: Resource
gives a list of Accounts on the server. However, doing the same in the
Entitlements tab, with the Intent set to ldapGroup, does not display any
entries, even though there are groups on the server.
One last thing that might help diagnose this: If I try to remove the
LDAP Group Metarole assignment from the Role, (hoping it would delete
the groupOfNames from the server, I get the following error:
--------
Can't delete object shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=test
role,ou=roles,ou=accounts,dc=example,dc=com). Reason:
org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
entry for UID Attribute: {Name=__UID__,
Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
{Name=__NAME__, Value=[cn=test
role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found): Can't
delete object shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=Test
Role,ou=roles,ou=accounts,dc=example,dc=com). Reason:
org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
entry for UID Attribute: {Name=__UID__,
Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
{Name=__NAME__, Value=[cn=test
role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found)
-------
I'm reasonably sure I just have something out of place somewhere.
Hopefully someone can spot what I've done wrong.
Thank you!
Brad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20190517/9e945489/attachment.htm>
More information about the midPoint
mailing list