[midPoint] OpenLDAP Group Member Error

Brad Firestone bhotrock at gmail.com
Fri May 17 17:34:29 CEST 2019


I'm running midPoint 3.9 with LDAP connector 2.0, connecting to OpenLDAP 
version 2.4.45+dfsg-1ubuntu1. The memberOf, refInt, lastBind, and sssvlv 
overlays are installed.

I've been trying to set up LDAP group management according to the Wiki 
and other docs I've found.  Automatic groupOfNames creation in 
"ou=roles,ou=accounts,dc=example,dc=com" is working fine when I create a 
Role with an Assignment of the LDAP Group Metarole.  So that seems like 
most of the connection is working correctly.

But I'm getting the following error message when I try to add a user to 
a Role that should put them in the LDAP Group.
-------
Operation: operation.org.identityconnectors.framework.api.ConnectorFacade.updateDelta

Message: Unknown UID: LDAP entry for UID Attribute: {Name=__UID__, Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute: {Name=__NAME__, Value=[cn=test role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found

Parameters:
  uid:              [caed9d00-0c8c-1039-98e5-a53942dc29e0]
  attributesDelta:  [[Attribute: {Name=member, ValuesToAdd=[cn=testuser,ou=users,ou=accounts,dc=example,dc=com], ValuesToRemove=null, ValuesToReplace=null}]]
  objectClass:      [crOCD ({http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}groupOfNames)]
  options:          [OperationOptions: {}]

Context: connector [class org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl]

Error: org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP entry for UID Attribute: {Name=__UID__, Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute: {Name=__NAME__, Value=[cn=test role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found)
-------

Here is the Association section from the LDAP Resource:
        <association>
            <ref>ri:ldapGroup</ref>
            <tolerant>false</tolerant>
            <displayName>LDAP Group Membership</displayName>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
            <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
            <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
        </association>

And the Entitlement Object section from the LDAP Resource:
        <objectType>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <displayName>LDAP Group</displayName>
            <objectClass>ri:groupOfNames</objectClass>

            <attribute>
                <ref>ri:dn</ref>
                <matchingRule>mr:distinguishedName</matchingRule>
                <outbound>
                    <!-- Name cannot be weak. Changes in name trigger object rename. -->
                    <source>
                        <path>$focus/name</path>
                    </source>
                    <expression>
                        <script>
                            <code>
                                import javax.naming.ldap.Rdn
                                import javax.naming.ldap.LdapName

                                dn = new LdapName('ou=roles,ou=accounts,dc=example,dc=org')
                                dn.add(new Rdn('cn', name.toString()))
                                return dn.toString()
                            </code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:member</ref>
                <matchingRule>mr:distinguishedName</matchingRule>
                <fetchStrategy>minimal</fetchStrategy>
                <outbound>
                    <strength>strong</strength>
                    <!-- Workaround - groupOfNames MUST have at least one member. Even non-existent DN. -->
                    <expression>
                        <value>cn=dummy,o=whatever</value>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:cn</ref>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <strength>weak</strength>
                    <source>
                        <path>$focus/name</path>
                    </source>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:description</ref>
                <outbound>
                    <source>
                        <path>description</path>
                    </source>
                </outbound>
            </attribute>
            <configuredCapabilities>
                <cap:pagedSearch>
                    <cap:defaultSortField>ri:cn</cap:defaultSortField>
                </cap:pagedSearch>
            </configuredCapabilities>
        </objectType>

I'm not sure if there are other important configs that would be helpful 
to see.  I'll be happy to post anything that's helpful.

This may be a related issue that might help locate the problem:  When I 
look at the Accounts tab of the Resource in the GUI, Search In: Resource 
gives a list of Accounts on the server.  However, doing the same in the 
Entitlements tab, with the Intent set to ldapGroup, does not display any 
entries, even though there are groups on the server.

One last thing that might help diagnose this:  If I try to remove the 
LDAP Group Metarole assignment from the Role (hoping it would delete 
the groupOfNames from the server), I get the following error:
--------
Can't delete object shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=test role,ou=roles,ou=accounts,dc=example,dc=com). Reason: org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP entry for UID Attribute: {Name=__UID__, Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute: {Name=__NAME__, Value=[cn=test role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found): Can't delete object shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=Test Role,ou=roles,ou=accounts,dc=example,dc=com). Reason: org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP entry for UID Attribute: {Name=__UID__, Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute: {Name=__NAME__, Value=[cn=test role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found)

-------
I'm reasonably sure I just have something out of place somewhere. 
Hopefully someone can spot what I've done wrong.
Thank you!
Brad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20190517/9e945489/attachment.htm>
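Editor's added example (not code from the post, from midPoint or from the LDAP connector): a small Python model of what the ri:dn outbound mapping above computes, together with the kind of DN comparison the mr:distinguishedName matching rule implies. Two things are worth checking against the posted configuration. First, the Groovy script hard-codes its base as ou=roles,ou=accounts,dc=example,dc=org, while every DN in the errors and in the association sits under dc=example,dc=com; whether that is a redaction artefact or the real setting, a shadow DN outside the mapping's base is exactly the situation in which midPoint holds an entryUUID the connector can no longer resolve. Second, the script is right to build the RDN with javax.naming.ldap.Rdn rather than string concatenation, because a role name containing a comma or plus sign would otherwise change where the group entry lands; the escaping function below shows what Rdn does for you. All function names, OUTBOUND_BASE, REPORTED_DN and the sample role names are mine, constructed from the values visible in the post.

```python
# Added example: Python model of the group-DN outbound mapping and of DN
# comparison under a base context. Illustrative only, not midPoint's or the
# LDAP connector's implementation; all names here are the editor's.


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4).

    Building "cn=" + name by plain concatenation would let a role named
    'x,ou=users' move the group to another container; javax.naming.ldap.Rdn
    in the posted Groovy already performs this escaping.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append('\\' + ch)          # special anywhere in the value
        elif ch == '\x00':
            out.append('\\00')             # NUL is escaped as hex
        elif ch == '#' and i == 0:
            out.append('\\#')              # leading '#' would read as hex-encoded
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')              # leading/trailing space is significant
        else:
            out.append(ch)
    return ''.join(out)


def group_dn(role_name: str, base: str) -> str:
    """Mirror of the outbound script: cn=<role name> under the roles OU."""
    return f"cn={escape_rdn_value(role_name)},{base}"


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings on unescaped commas only."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])        # keep the escape pair intact
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur).strip())
    return parts


def normalize_dn(dn: str) -> list:
    """Case- and whitespace-insensitive RDN list, roughly what a
    distinguishedName matching rule compares."""
    norm = []
    for rdn in split_dn(dn):
        attr, _, val = rdn.partition('=')
        norm.append(f"{attr.strip().lower()}={val.strip().casefold()}")
    return norm


def same_dn(a: str, b: str) -> bool:
    return normalize_dn(a) == normalize_dn(b)


def is_under_base(dn: str, base: str) -> bool:
    """True if dn is the base itself or a subordinate entry of it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


# Constructed from the post: the base hard-coded in the dn outbound script,
# and the DN the connector reported in the UnknownUidException NameHint.
OUTBOUND_BASE = "ou=roles,ou=accounts,dc=example,dc=org"
REPORTED_DN = "cn=test role,ou=roles,ou=accounts,dc=example,dc=com"


def check_shadow_against_mapping(shadow_dn: str = REPORTED_DN,
                                 base: str = OUTBOUND_BASE) -> bool:
    """Does the shadow's DN live under the base the mapping writes to?"""
    return is_under_base(shadow_dn, base)


if __name__ == "__main__":
    print(group_dn("Sales, EMEA", "ou=roles,ou=accounts,dc=example,dc=com"))
    print("shadow under mapping base:", check_shadow_against_mapping())
```

Run against the values from the post, check_shadow_against_mapping() returns False, which is the mismatch to rule out first; against a resource-side check, the equivalent is an ldapsearch for the entryUUID in the error under the base the connector is actually configured with, and under the base the script writes to.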

