[midPoint] OpenLDAP Group Member Error
Brad Firestone
bhotrock at gmail.com
Mon May 20 18:03:17 CEST 2019
Thanks for all the suggestions. I did finally get it working.
Just to document the solution:
My problem was having the baseContext in the connectorConfiguration set
too far down the tree. I had set it for ou=users, and the groups branch
was above that in the tree. Once I made that change, it all worked as
expected.
Brad
Brad Firestone wrote on 5/17/19 11:08 AM:
> Hi Oleksandr,
> Thanks for the response!!
> I guess I should have posted the connectorConfiguration section too.
> I've already included memberOf. Here's that section of the LDAP Resource:
>
> <connectorConfiguration
> xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
> xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
> <icfc:configurationProperties>
> <icfcldap:port>636</icfcldap:port>
> <icfcldap:host>ldap02.example.com</icfcldap:host>
> <icfcldap:baseContext>ou=users,ou=accounts,dc=example,dc=com</icfcldap:baseContext>
> <icfcldap:bindDn>cn=admin,dc=example,dc=com</icfcldap:bindDn>
> <icfcldap:bindPassword><t:clearValue>secret</t:clearValue></icfcldap:bindPassword>
> <icfcldap:connectionSecurity>ssl</icfcldap:connectionSecurity>
> <icfcldap:usePermissiveModify>always</icfcldap:usePermissiveModify>
> <icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
> <icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm>
> <icfcldap:vlvSortAttribute>cn</icfcldap:vlvSortAttribute>
> <icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
> <icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
> <icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
> </icfc:configurationProperties>
> <icfc:resultsHandlerConfiguration>
> <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
> <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
> <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
> </icfc:resultsHandlerConfiguration>
> </connectorConfiguration>
>
> Do you see anything else that I might be missing?
> Thanks again!
>
> Oleksandr Nekriach wrote on 5/17/19 10:53 AM:
>> Hi Brad,
>> Try to add value "memberOf" into configuration settings
>> operationalAttributes on your LDAP resource in IDM
>>
>> Best regards,
>> Oleksandr
>>
>> On Fri, 17 May 2019 at 18:34, Brad Firestone <bhotrock at gmail.com
>> <mailto:bhotrock at gmail.com>> wrote:
>>
>> I'm running midPoint 3.9 with LDAP connector 2.0, connecting to
>> OpenLDAP version 2.4.45+dfsg-1ubuntu1. The memberOf, refInt,
>> lastBind, and sssvlv overlays are installed.
>>
>> I've been trying to set up LDAP group management according to the
>> Wiki and other docs I've found. Automatic groupOfNames creation
>> in "ou=roles,ou=accounts,dc=example,dc=com" is working fine when
>> I create a Role with an Assignment of the LDAP Group Metarole.
>> So that seems like most of the connection is working correctly.
>>
>> But I'm getting the following error message when I try to add a
>> user to a Role that should put them in the LDAP Group.
>> -------
>> Operation:
>> operation.org.identityconnectors.framework.api.ConnectorFacade.updateDelta
>>
>> Message: Unknown UID: LDAP entry for UID Attribute:
>> {Name=__UID__, Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0],
>> NameHint=Attribute: {Name=__NAME__, Value=[cn=test
>> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found
>>
>> Parameters: uid [caed9d00-0c8c-1039-98e5-a53942dc29e0]
>> attributesDelta: [[Attribute: {Name=member,
>> ValuesToAdd=[cn=testuser,ou=users,ou=accounts,dc=example,dc=com],
>> ValuesToRemove=null, ValuesToReplace=null}]]
>> objectClass: [crOCD
>> ({http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}groupOfNames)]
>> options: [OperationOptions: {}]
>>
>> Context: connector [class
>> org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl]
>>
>> Error:
>> org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
>> entry for UID Attribute: {Name=__UID__,
>> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
>> {Name=__NAME__, Value=[cn=test
>> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found)
>> -------
>>
>> Here is the Association section from the LDAP Resource:
>> <association>
>> <ref>ri:ldapGroup</ref>
>> <tolerant>false</tolerant>
>> <displayName>LDAP Group Membership</displayName>
>> <kind>entitlement</kind>
>> <intent>ldapGroup</intent>
>> <direction>objectToSubject</direction>
>> <associationAttribute>ri:member</associationAttribute>
>> <valueAttribute>ri:dn</valueAttribute>
>> <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>
>> <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>> </association>
>>
>> And the Entitlement Object section from the LDAP Resource:
>> <objectType>
>> <kind>entitlement</kind>
>> <intent>ldapGroup</intent>
>> <displayName>LDAP Group</displayName>
>> <objectClass>ri:groupOfNames</objectClass>
>>
>> <attribute>
>> <ref>ri:dn</ref>
>> <matchingRule>mr:distinguishedName</matchingRule>
>> <outbound>
>> <!-- Name cannot be weak. Changes in name
>> trigger object rename. -->
>> <source>
>> <path>$focus/name</path>
>> </source>
>> <expression>
>> <script>
>> <code>
>> import javax.naming.ldap.Rdn
>> import javax.naming.ldap.LdapName
>>
>> dn = new LdapName('ou=roles,ou=accounts,dc=example,dc=org')
>> dn.add(new Rdn('cn', name.toString()))
>> return dn.toString()
>> </code>
>> </script>
>> </expression>
>> </outbound>
>> </attribute>
>> <attribute>
>> <ref>ri:member</ref>
>> <matchingRule>mr:distinguishedName</matchingRule>
>> <fetchStrategy>minimal</fetchStrategy>
>> <outbound>
>> <strength>strong</strength>
>> <!-- Workaround - groupOfNames MUST have at
>> least one member. Even non-existent DN. -->
>> <expression>
>> <value>cn=dummy,o=whatever</value>
>> </expression>
>> </outbound>
>> </attribute>
>> <attribute>
>> <ref>ri:cn</ref>
>> <matchingRule>mr:stringIgnoreCase</matchingRule>
>> <outbound>
>> <strength>weak</strength>
>> <source>
>> <path>$focus/name</path>
>> </source>
>> </outbound>
>> </attribute>
>> <attribute>
>> <ref>ri:description</ref>
>> <outbound>
>> <source>
>> <path>description</path>
>> </source>
>> </outbound>
>> </attribute>
>> <configuredCapabilities>
>> <cap:pagedSearch>
>> <cap:defaultSortField>ri:cn</cap:defaultSortField>
>> </cap:pagedSearch>
>> </configuredCapabilities>
>> </objectType>
>>
>> I'm not sure if there are other important configs that would be
>> helpful to see. I'll be happy to post anything that's helpful.
>>
>> This may be a related issue that might help locate the issue:
>> When I look at the Accounts tab of the Resource in the GUI,
>> Search In: Resource gives a list of Accounts on the server.
>> However, doing the same in the Entitlements tab, with the Intent
>> set to ldapGroup, does not display any entries, even though there
>> are groups on the server.
>>
>> One last thing that might help diagnose this: If I try to remove
>> the LDAP Group Metarole assignment from the Role (hoping it
>> would delete the groupOfNames from the server), I get the
>> following error:
>> --------
>> Can't delete object
>> shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=test
>> role,ou=roles,ou=accounts,dc=example,dc=com). Reason:
>> org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
>> entry for UID Attribute: {Name=__UID__,
>> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
>> {Name=__NAME__, Value=[cn=test
>> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found):
>> Can't delete object
>> shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=Test
>> Role,ou=roles,ou=accounts,dc=example,dc=com). Reason:
>> org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
>> entry for UID Attribute: {Name=__UID__,
>> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
>> {Name=__NAME__, Value=[cn=test
>> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found)
>>
>> -------
>> I'm reasonably sure I just have something out of place somewhere.
>> Hopefully someone can spot what I've done wrong.
>> Thank you!
>> Brad
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Oleksandr Nekriach | Identity and access management engineer
>> Dynatech, Jeruzalemes iela 1, Rīga, LV-1010, Latvia
>
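The fix Brad describes is a scoping problem: the connector searches for entries by UID only beneath `baseContext`, so a group created under `ou=roles,ou=accounts,...` is invisible to a connector whose base is `ou=users,ou=accounts,...`, and every later update or delete on that group fails with `UnknownUidException`. The script below is an added example, not part of the thread and not midPoint or connector code. It performs the sanity check a resource author would want before deploying: it parses DNs (honouring backslash escapes), tests whether each DN the resource will touch lies under the configured `baseContext`, and reproduces the Groovy `LdapName`/`Rdn` construction from the posted outbound expression with proper RDN escaping, so a role name containing a comma cannot place the group in a different subtree. The DNs are constructed sample values taken from those quoted in the thread; the function names and the simplified case-folding normalisation are this example's own assumptions, not a full RFC 4514 matching implementation.

```python
"""Added example (not from the thread): check that the DNs a midPoint LDAP
resource will touch fall inside the connector's baseContext, and build a
group DN with RFC 4514 escaping. Sample DNs are constructed from the thread."""
from typing import List, Tuple

# Characters that must be escaped inside an RDN value (RFC 4514 section 2.4).
SPECIAL = ',+"\\<>;'

# Constructed sample values, mirroring the DNs quoted in the thread.
ACCOUNT_DN = 'cn=testuser,ou=users,ou=accounts,dc=example,dc=com'
GROUP_DN = 'cn=test role,ou=roles,ou=accounts,dc=example,dc=com'
BASE_TOO_DEEP = 'ou=users,ou=accounts,dc=example,dc=com'   # the original setting
BASE_CORRECT = 'ou=accounts,dc=example,dc=com'             # covers users and roles


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in '# '
        trailing = i == len(value) - 1 and ch == ' '
        if ch in SPECIAL or leading or trailing:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash escapes.
    Multi-valued RDNs (joined with '+') are not split; this is a simplification."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == ',':
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]


def normalize_rdn(rdn: str) -> Tuple[str, str]:
    """Lower-case type and value (assumption: caseIgnore-style matching)."""
    typ, _, val = rdn.partition('=')
    return typ.strip().lower(), val.strip().lower()


def normalize_dn(dn: str) -> List[Tuple[str, str]]:
    return [normalize_rdn(r) for r in split_dn(dn)]


def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies below it; RDNs are compared right to left."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def build_group_dn(name: str, parent: str = 'ou=roles,ou=accounts,dc=example,dc=com') -> str:
    """Python equivalent of the posted Groovy LdapName/Rdn construction,
    escaping the cn value so a name with ',' or '+' stays a single RDN."""
    return f'cn={escape_rdn_value(name)},{parent}'


def check_base_context(base: str, dns: List[str]) -> List[str]:
    """Return the DNs that lie outside base; the connector cannot search
    for such entries by UID, which is what UnknownUidException reports."""
    return [dn for dn in dns if not is_under(dn, base)]


if __name__ == '__main__':
    for label, base in (('too deep', BASE_TOO_DEEP), ('corrected', BASE_CORRECT)):
        outside = check_base_context(base, [ACCOUNT_DN, GROUP_DN])
        print(f'baseContext {base} ({label}): outside = {outside or "none"}')
    print('escaped group DN:', build_group_dn('ops, admins'))
```

Running it shows the group DN flagged as outside the original `ou=users` base and nothing flagged under `ou=accounts`. The same check also catches a suffix mismatch such as a DN template under `dc=example,dc=org` paired with a `baseContext` under `dc=example,dc=com`, which the posted outbound script contains as quoted.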