[midPoint] OpenLDAP Group Member Error
Brad Firestone
bhotrock at gmail.com
Fri May 17 18:08:48 CEST 2019
Hi Oleksandr,
Thanks for the response!!
I guess I should have posted the connectorConfiguration section too.
I've already included memberOf. Here's that section of the LDAP Resource:
<connectorConfiguration
    xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
    xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
  <icfc:configurationProperties>
    <icfcldap:port>636</icfcldap:port>
    <icfcldap:host>ldap02.example.com</icfcldap:host>
    <icfcldap:baseContext>ou=users,ou=accounts,dc=example,dc=com</icfcldap:baseContext>
    <icfcldap:bindDn>cn=admin,dc=example,dc=com</icfcldap:bindDn>
    <icfcldap:bindPassword><t:clearValue>secret</t:clearValue></icfcldap:bindPassword>
    <icfcldap:connectionSecurity>ssl</icfcldap:connectionSecurity>
    <icfcldap:usePermissiveModify>always</icfcldap:usePermissiveModify>
    <icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
    <icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm>
    <icfcldap:vlvSortAttribute>cn</icfcldap:vlvSortAttribute>
    <icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
    <icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
    <icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
  </icfc:configurationProperties>
  <icfc:resultsHandlerConfiguration>
    <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
    <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
    <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
  </icfc:resultsHandlerConfiguration>
</connectorConfiguration>
Do you see anything else that I might be missing?
Thanks again!
Oleksandr Nekriach wrote on 5/17/19 10:53 AM:
> Hi Brad,
> Try adding the value "memberOf" to the operationalAttributes
> configuration setting on your LDAP resource in IDM.
>
> Best regards,
> Oleksandr
>
> On Fri, 17 May 2019 at 18:34, Brad Firestone <bhotrock at gmail.com> wrote:
>
> I'm running midPoint 3.9 with LDAP connector 2.0, connecting to
> OpenLDAP version 2.4.45+dfsg-1ubuntu1. The memberOf, refInt, lastBind,
> and sssvlv overlays are installed.
>
> I've been trying to set up LDAP group management according to the
> Wiki and other docs I've found. Automatic groupOfNames creation
> in "ou=roles,ou=accounts,dc=example,dc=com" is working fine when I
> create a Role with an Assignment of the LDAP Group Metarole. So
> that seems like most of the connection is working correctly.
>
> But I'm getting the following error message when I try to add a
> user to a Role that should put them in the LDAP Group.
> -------
> Operation:
> operation.org.identityconnectors.framework.api.ConnectorFacade.updateDelta
>
> Message: Unknown UID: LDAP entry for UID Attribute:
> {Name=__UID__, Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0],
> NameHint=Attribute: {Name=__NAME__, Value=[cn=test
> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found
>
> Parameters: uid [caed9d00-0c8c-1039-98e5-a53942dc29e0]
> attributesDelta: [[Attribute: {Name=member,
> ValuesToAdd=[cn=testuser,ou=users,ou=accounts,dc=example,dc=com],
> ValuesToRemove=null, ValuesToReplace=null}]]
> objectClass: [crOCD
> ({http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}groupOfNames)]
> options: [OperationOptions: {}]
>
> Context: connector [class
> org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl]
>
> Error:
> org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
> entry for UID Attribute: {Name=__UID__,
> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
> {Name=__NAME__, Value=[cn=test
> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found)
> -------
>
> Here is the Association section from the LDAP Resource:
> <association>
>   <ref>ri:ldapGroup</ref>
>   <tolerant>false</tolerant>
>   <displayName>LDAP Group Membership</displayName>
>   <kind>entitlement</kind>
>   <intent>ldapGroup</intent>
>   <direction>objectToSubject</direction>
>   <associationAttribute>ri:member</associationAttribute>
>   <valueAttribute>ri:dn</valueAttribute>
>   <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>   <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
> </association>
>
> And the Entitlement Object section from the LDAP Resource:
> <objectType>
>   <kind>entitlement</kind>
>   <intent>ldapGroup</intent>
>   <displayName>LDAP Group</displayName>
>   <objectClass>ri:groupOfNames</objectClass>
>
>   <attribute>
>     <ref>ri:dn</ref>
>     <matchingRule>mr:distinguishedName</matchingRule>
>     <outbound>
>       <!-- Name cannot be weak. Changes in name trigger object rename. -->
>       <source>
>         <path>$focus/name</path>
>       </source>
>       <expression>
>         <script>
>           <code>
>             import javax.naming.ldap.Rdn
>             import javax.naming.ldap.LdapName
>
>             dn = new LdapName('ou=roles,ou=accounts,dc=example,dc=org')
>             dn.add(new Rdn('cn', name.toString()))
>             return dn.toString()
>           </code>
>         </script>
>       </expression>
>     </outbound>
>   </attribute>
>   <attribute>
>     <ref>ri:member</ref>
>     <matchingRule>mr:distinguishedName</matchingRule>
>     <fetchStrategy>minimal</fetchStrategy>
>     <outbound>
>       <strength>strong</strength>
>       <!-- Workaround - groupOfNames MUST have at least one member. Even non-existent DN. -->
>       <expression>
>         <value>cn=dummy,o=whatever</value>
>       </expression>
>     </outbound>
>   </attribute>
>   <attribute>
>     <ref>ri:cn</ref>
>     <matchingRule>mr:stringIgnoreCase</matchingRule>
>     <outbound>
>       <strength>weak</strength>
>       <source>
>         <path>$focus/name</path>
>       </source>
>     </outbound>
>   </attribute>
>   <attribute>
>     <ref>ri:description</ref>
>     <outbound>
>       <source>
>         <path>description</path>
>       </source>
>     </outbound>
>   </attribute>
>   <configuredCapabilities>
>     <cap:pagedSearch>
>       <cap:defaultSortField>ri:cn</cap:defaultSortField>
>     </cap:pagedSearch>
>   </configuredCapabilities>
> </objectType>
>
> I'm not sure if there are other important configs that would be
> helpful to see. I'll be happy to post anything that's helpful.
>
> This may be a related issue that might help locate the problem:
> When I look at the Accounts tab of the Resource in the GUI, Search
> In: Resource gives a list of Accounts on the server. However,
> doing the same in the Entitlements tab, with the Intent set to
> ldapGroup, does not display any entries, even though there are
> groups on the server.
>
> One last thing that might help diagnose this: If I try to remove
> the LDAP Group Metarole assignment from the Role (hoping it would
> delete the groupOfNames from the server), I get the following error:
> --------
> Can't delete object
> shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=test
> role,ou=roles,ou=accounts,dc=example,dc=com). Reason:
> org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
> entry for UID Attribute: {Name=__UID__,
> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
> {Name=__NAME__, Value=[cn=test
> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found):
> Can't delete object
> shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=Test
> Role,ou=roles,ou=accounts,dc=example,dc=com). Reason:
> org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
> entry for UID Attribute: {Name=__UID__,
> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
> {Name=__NAME__, Value=[cn=test
> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found)
>
> -------
> I'm reasonably sure I just have something out of place somewhere.
> Hopefully someone can spot what I've done wrong.
> Thank you!
> Brad
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> --
> Best regards,
> Oleksandr Nekriach | Identity and access management engineer
> Dynatech, Jeruzalemes iela 1, Rīga, LV-1010, Latvia
> +37125314685 | o.nekriach at dynatech.lv | www.dynatech.lv
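A small check that a practitioner could run against the resource definition posted above, added here as an example; it is not code from this thread, from midPoint, or from the LDAP connector. It rests on one assumption about the connector's behaviour that the post itself does not state: that the LDAP connector resolves an entryUUID-style __UID__ with a subtree search rooted at baseContext, so an entry that exists but sits outside baseContext comes back as "not found". Under that assumption the script parses a constructed, trimmed resource fragment built from values in the post (baseContext ou=users,ou=accounts,dc=example,dc=com, an account container under ou=users and a group container of ou=roles,ou=accounts,dc=example,dc=com, the DN the error message names), extracts the container DN hard-coded in each ri:dn outbound script, reports every object type whose entries would be created outside baseContext, and computes the narrowest base that would cover them all. The names SAMPLE_RESOURCE, find_scope_problems and smallest_common_base are this example's own.

```python
# Added example: lint a midPoint LDAP resource definition for object types whose
# entries are created outside the connector's baseContext. Not midPoint or
# connector code; the lead-in states the assumption about __UID__ lookups.
import re
import xml.etree.ElementTree as ET

NS = {
    "icfc": "http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3",
    "icfcldap": "http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/"
                "com.evolveum.polygon.connector-ldap/"
                "com.evolveum.polygon.connector.ldap.LdapConnector",
}

# Constructed resource fragment, trimmed to what the check reads. The baseContext
# and the two container DNs are values that appear in the post; the real resource
# puts these elements in midPoint's default namespace, which this sample omits.
SAMPLE_RESOURCE = """<resource xmlns:icfc="{icfc}" xmlns:icfcldap="{icfcldap}">
  <connectorConfiguration>
    <icfc:configurationProperties>
      <icfcldap:baseContext>ou=users,ou=accounts,dc=example,dc=com</icfcldap:baseContext>
      <icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
    </icfc:configurationProperties>
  </connectorConfiguration>
  <schemaHandling>
    <objectType>
      <kind>account</kind><intent>default</intent>
      <attribute><ref>ri:dn</ref><outbound><expression><script><code>
        dn = new LdapName('ou=users,ou=accounts,dc=example,dc=com')
      </code></script></expression></outbound></attribute>
    </objectType>
    <objectType>
      <kind>entitlement</kind><intent>ldapGroup</intent>
      <attribute><ref>ri:dn</ref><outbound><expression><script><code>
        dn = new LdapName('ou=roles,ou=accounts,dc=example,dc=com')
      </code></script></expression></outbound></attribute>
    </objectType>
  </schemaHandling>
</resource>""".format(**NS)

# Matches the container literal in a Groovy script of the shape used in the post.
CONTAINER_RE = re.compile(r"new\s+LdapName\(\s*['\"]([^'\"]+)['\"]\s*\)")


def normalize_dn(dn):
    """Lower-cased RDN list with whitespace around ',' and '=' dropped.
    Plain DNs only; escaped commas are not handled (none appear in the post)."""
    return [re.sub(r"\s*=\s*", "=", rdn.strip()).lower() for rdn in dn.split(",")]


def dn_under(dn, base):
    """True if dn is base itself or lies anywhere in the subtree below it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def containers_by_object_type(root):
    """Map (kind, intent) to the container DN hard-coded in its ri:dn outbound script."""
    found = {}
    for ot in root.iter("objectType"):
        for attr in ot.iter("attribute"):
            if attr.findtext("ref") != "ri:dn":
                continue
            m = CONTAINER_RE.search(attr.findtext(".//code") or "")
            if m:
                found[(ot.findtext("kind"), ot.findtext("intent"))] = m.group(1)
    return found


def find_scope_problems(resource_xml):
    """(kind, intent, container, baseContext) for each object type whose entries
    would be created, and later searched for by __UID__, outside baseContext."""
    root = ET.fromstring(resource_xml)
    base = root.findtext(".//icfcldap:baseContext", namespaces=NS)
    return [(kind, intent, container, base)
            for (kind, intent), container in containers_by_object_type(root).items()
            if not dn_under(container, base)]


def smallest_common_base(dns):
    """Longest DN suffix shared by all dns: the narrowest baseContext covering them."""
    reversed_rdns = [list(reversed(normalize_dn(d))) for d in dns]
    common = []
    for parts in zip(*reversed_rdns):
        if len(set(parts)) != 1:
            break
        common.append(parts[0])
    return ",".join(reversed(common))


if __name__ == "__main__":
    containers = containers_by_object_type(ET.fromstring(SAMPLE_RESOURCE))
    for kind, intent, container, base in find_scope_problems(SAMPLE_RESOURCE):
        print(f"{kind}/{intent}: entries under {container} are outside baseContext {base}")
    print("narrowest baseContext covering all object types:",
          smallest_common_base(containers.values()))
```

On the constructed input the script flags the entitlement/ldapGroup type, since ou=roles,ou=accounts,dc=example,dc=com is a sibling of, not a descendant of, ou=users,ou=accounts,dc=example,dc=com, and proposes ou=accounts,dc=example,dc=com as the narrowest covering base. Widening baseContext also widens what the bind DN's searches can reach, so pair it with server-side ACLs rather than relying on the narrow base as an access control.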