[midPoint] OpenLDAP Group Member Error

Oleksandr Nekriach o.nekriach at dynatech.lv
Fri May 17 17:53:08 CEST 2019


Hi Brad,
Try to add the value "memberOf" into the configuration setting
operationalAttributes on your LDAP resource in IDM.

Best regards,
Oleksandr

On Fri, 17 May 2019 at 18:34, Brad Firestone <bhotrock at gmail.com> wrote:

> I'm running midPoint 3.9 with LDAP connector 2.0, connecting to OpenLDAP
> version 2.4.45+dfsg-1ubuntu1. The memberOf, refInt, lastBind, and sssvlv
> overlays are installed.
>
> I've been trying to set up LDAP group management according to the Wiki and
> other docs I've found.  Automatic groupOfNames creation in
> "ou=roles,ou=accounts,dc=example,dc=com" is working fine when I create a
> Role with an Assignment of the LDAP Group Metarole.  So that seems like
> most of the connection is working correctly.
>
> But I'm getting the following error message when I try to add a user to a
> Role that should put them in the LDAP Group.
> -------
> Operation:
> operation.org.identityconnectors.framework.api.ConnectorFacade.updateDelta
>
> Message:  Unknown UID: LDAP entry for UID Attribute: {Name=__UID__,
> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
> {Name=__NAME__, Value=[cn=test
> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found
>
> Parameters:  uid    [caed9d00-0c8c-1039-98e5-a53942dc29e0]
> attributesDelta:    [[Attribute: {Name=member,
> ValuesToAdd=[cn=testuser,ou=users,ou=accounts,dc=example,dc=com],
> ValuesToRemove=null,
> ValuesToReplace=null}]]
> objectClass:    [crOCD ({
> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3
> }groupOfNames)]
> options:    [OperationOptions: {}]
>
> Context:  connector    [class
> org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl]
>
> Error:
> org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
> entry for UID Attribute: {Name=__UID__,
> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
> {Name=__NAME__, Value=[cn=test
> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found)
> -------
>
> Here is the Association section from the LDAP Resource:
>         <association>
>             <ref>ri:ldapGroup</ref>
>             <tolerant>false</tolerant>
>             <displayName>LDAP Group Membership</displayName>
>             <kind>entitlement</kind>
>             <intent>ldapGroup</intent>
>             <direction>objectToSubject</direction>
>             <associationAttribute>ri:member</associationAttribute>
>             <valueAttribute>ri:dn</valueAttribute>
>             <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>             <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>         </association>
>
> And the Entitlement Object section from the LDAP Resource:
>         <objectType>
>             <kind>entitlement</kind>
>             <intent>ldapGroup</intent>
>             <displayName>LDAP Group</displayName>
>             <objectClass>ri:groupOfNames</objectClass>
>
>             <attribute>
>                 <ref>ri:dn</ref>
>                 <matchingRule>mr:distinguishedName</matchingRule>
>                 <outbound>
>                     <!-- Name cannot be weak. Changes in name trigger object rename. -->
>                     <source>
>                         <path>$focus/name</path>
>                     </source>
>                     <expression>
>                         <script>
>                             <code>
>                                 import javax.naming.ldap.Rdn
>                                 import javax.naming.ldap.LdapName
>
>                                 dn = new LdapName('ou=roles,ou=accounts,dc=example,dc=org')
>                                 dn.add(new Rdn('cn', name.toString()))
>                                 return dn.toString()
>                             </code>
>                         </script>
>                     </expression>
>                 </outbound>
>             </attribute>
>             <attribute>
>                 <ref>ri:member</ref>
>                 <matchingRule>mr:distinguishedName</matchingRule>
>                 <fetchStrategy>minimal</fetchStrategy>
>                 <outbound>
>                     <strength>strong</strength>
>                     <!-- Workaround - groupOfNames MUST have at least one member. Even non-existent DN. -->
>                     <expression>
>                         <value>cn=dummy,o=whatever</value>
>                     </expression>
>                 </outbound>
>             </attribute>
>             <attribute>
>                 <ref>ri:cn</ref>
>                 <matchingRule>mr:stringIgnoreCase</matchingRule>
>                 <outbound>
>                     <strength>weak</strength>
>                     <source>
>                         <path>$focus/name</path>
>                     </source>
>                 </outbound>
>             </attribute>
>             <attribute>
>                 <ref>ri:description</ref>
>                 <outbound>
>                     <source>
>                         <path>description</path>
>                     </source>
>                 </outbound>
>             </attribute>
>             <configuredCapabilities>
>                 <cap:pagedSearch>
>                     <cap:defaultSortField>ri:cn</cap:defaultSortField>
>                 </cap:pagedSearch>
>             </configuredCapabilities>
>         </objectType>
>
> I'm not sure if there are other important configs that would be helpful to
> see.  I'll be happy to post anything that's helpful.
>
> This may be a related issue that might help locate the issue:  When I look
> at the Accounts tab of the Resource in the GUI, Search In: Resource gives a
> list of Accounts on the server.  However, doing the same in the
> Entitlements tab, with the Intent set to ldapGroup, does not display any
> entries, even though there are groups on the server.
>
> One last thing that might help diagnose this:  If I try to remove the LDAP
> Group Metarole assignment from the Role (hoping it would delete the
> groupOfNames from the server), I get the following error:
> --------
> Can't delete object shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=test
> role,ou=roles,ou=accounts,dc=example,dc=com). Reason:
> org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
> entry for UID Attribute: {Name=__UID__,
> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
> {Name=__NAME__, Value=[cn=test
> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found): Can't delete
> object shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=Test
> Role,ou=roles,ou=accounts,dc=example,dc=com). Reason:
> org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
> entry for UID Attribute: {Name=__UID__,
> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
> {Name=__NAME__, Value=[cn=test
> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found)
>
> -------
> I'm reasonably sure I just have something out of place somewhere.
> Hopefully someone can spot what I've done wrong.
> Thank you!
> Brad
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>


-- 
Best regards,

Oleksandr Nekriach | Identity and access management engineer
Dynatech, Jeruzalemes iela 1, Rīga, LV-1010, Latvia
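As an added example (not code from the thread, from midPoint or from the LDAP connector), the Python below mirrors the quoted Groovy `ri:dn` expression (building `cn=<name>,<base>` with RFC 4514 escaping), parses the `__UID__` and `__NAME__` values out of the `UnknownUidException` text, and checks whether the reported group DN sits directly under the base the expression builds. The sample error is the one quoted above collapsed to one line, and the base is the `dc=example,dc=org` one from the quoted expression, while the shadow named in the error is under `dc=example,dc=com`.

```python
import re
# RFC 4514 section 2.4: characters that must be escaped anywhere in an RDN value.
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value):
    """Escape an attribute value the way javax.naming.ldap.Rdn does (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        edge = (ch == " " and i in (0, len(value) - 1)) or (ch == "#" and i == 0)
        out.append("\\" + ch if ch in _SPECIAL or edge else ch)
    return "".join(out)

def build_group_dn(name, base):
    """Mirror of the quoted expression: new LdapName(base) plus new Rdn('cn', name)."""
    return f"cn={escape_rdn_value(name)},{base}"

def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas only."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
            escaped = ch == "\\" and not escaped
    parts.append("".join(cur).strip())
    return parts

def normalize_dn(dn):
    """Case- and whitespace-insensitive form for comparing DNs."""
    return ",".join(rdn.lower() for rdn in split_dn(dn))

def parse_unknown_uid(message):
    """Return (__UID__ value, __NAME__ DN) from a ConnId UnknownUidException text, or None.
    The mail client wraps the DN across lines, so whitespace inside it is collapsed."""
    uid = re.search(r"Name=__UID__,\s*Value=\[([^\]]+)\]", message)
    name = re.search(r"Name=__NAME__,\s*Value=\[([^\]]+)\]", message)
    if not uid or not name:
        return None
    return uid.group(1).strip(), " ".join(name.group(1).split())

def base_matches(reported_dn, configured_base):
    """True when the DN midPoint reported sits directly under the base the expression builds."""
    parent = ",".join(split_dn(reported_dn)[1:])
    return normalize_dn(parent) == normalize_dn(configured_base)

# Constructed sample input: the error quoted above, collapsed to one line.
SAMPLE_ERROR = ("LDAP entry for UID Attribute: {Name=__UID__, "
                "Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute: "
                "{Name=__NAME__, Value=[cn=test role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found")
CONFIGURED_BASE = "ou=roles,ou=accounts,dc=example,dc=org"  # base used by the quoted dn expression
```

Calling `base_matches(parse_unknown_uid(SAMPLE_ERROR)[1], CONFIGURED_BASE)` returns False for the values quoted in the thread, because the two disagree on the domain component.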