[midPoint] Synchronization Trouble - Active Directory to MP

Ivan Noris ivan.noris at evolveum.com
Mon Dec 14 13:49:27 CET 2020


Hi Gus,

Seems to be a permission problem in your AD.

LDAP error during DirSync search: insufficientAccessRights: 00002105:
LdapErr: DSID-0C0909A9, comment: Error processing control, data 0,
v3839? (50)


Best regards,

Ivan

On 12. 12. 2020 18:38, Gus Lou via midPoint wrote:
> Hi Richard
> I checked the permissions of the midpoint account in AD again and it
> is in accordance with the guidelines in the link below:
> Active Directory with LDAP connector - midPoint - Evolveum Confluence
> <https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector>
>
> I applied permissions at the domain level xyz.net <http://xyz.net>
>
> Here is part of the midpoint log:
> ----------------------------------------------------------------------------------------------------------------
> 2020-12-11 16:53:22,996 [] [Thread-327] ERROR
> (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method:
> null msg:LDAP error during DirSync search: insufficientAccessRights:
> 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control,
> data 0, v3839? (50)
> 2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] WARN
> (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got
> ConnId exception (might be handled by upper layers later)
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException
> in connector:a0c5bb85-f4f0-4954-af1d-17ec4f27233e(ConnId
> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.1):
> ConnectorSpec(resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa
> Active Directory (LDAP)), name=null,
> oid=a0c5bb85-f4f0-4954-af1d-17ec4f27233e): LDAP error during DirSync
> search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9,
> comment: Error processing control, data 0, v3839? (50), reason: LDAP
> error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0,
> v3839? (50) (class
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException)
> 2020-12-11 16:53:22,997 [PROVISIONING] [midPointScheduler_Worker-2]
> ERROR
> (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Got
> unexpected exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0,
> v3839? (50)
> com.evolveum.midpoint.util.exception.SystemException: Got unexpected
> exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0,
> v3839? (50)
> at
> com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
> at
> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
> at
> com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
> at
> com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
> at
> com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
> at
> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
> Caused by:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0,
> v3839? (50)
> at
> com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
> at
> com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
> at
> com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
> at
> com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
> at
> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
> at com.sun.proxy.$Proxy249.sync(Unknown Source)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
> at com.sun.proxy.$Proxy249.sync(Unknown Source)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
> 2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] ERROR
> (com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler): Live
> Sync: Unspecified error: Got unexpected exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0,
> v3839? (50)
> com.evolveum.midpoint.util.exception.SystemException: Got unexpected
> exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0,
> v3839? (50)
> at
> com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
> at
> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
> at
> com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
> at
> com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
> at
> com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
> at
> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
> Caused by:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0,
> v3839? (50)
> at
> com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
> at
> com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
> at
> com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
> at
> com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
> at
> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
> at com.sun.proxy.$Proxy249.sync(Unknown Source)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
> at com.sun.proxy.$Proxy249.sync(Unknown Source)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
> 2020-12-11 16:53:23,015 [] [midPointScheduler_Worker-2] INFO
> (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Task
> encountered permanent error, suspending the task. Task =
> Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups),
> oid:36d98518-9db1-49ce-a4d7-75be1047bac6)
> 2020-12-11 16:53:23,015 [TASK_MANAGER] [midPointScheduler_Worker-2]
> INFO (com.evolveum.midpoint.task.quartzimpl.TaskManagerQuartzImpl):
> Suspending tasks [Task(id:1546210629125-0-1, name:Sync: Active
> Directory (Groups), oid:36d98518-9db1-49ce-a4d7-75be1047bac6)]; do not
> stop tasks.
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Best Regards
>
> Gus
>
>
>
> On Fri, Dec 11, 2020 at 20:22, Richard Richter via midPoint
> <midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>>
> wrote:
>
>     Hello
>
>     I have no idea why this happens, just looking at the message, it
>     seems to come from *java.util.Base64.decode(...)* call, it is in
>     the code and probably some Base64 encoded string is not correct.
>     It always helps if you can provide also a stacktrace, part of the
>     log or something. If it's easy to answer without it, it doesn't
>     hurt. Here, I have no idea where the call originates from.
>
>     Regards
>
>     Richard Richter
>     midPoint developer
>
>     ------------------------------------------------------------------------
>     *From: *"midPoint General Discussion" <midpoint at lists.evolveum.com
>     <mailto:midpoint at lists.evolveum.com>>
>     *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com
>     <mailto:midpoint at lists.evolveum.com>>
>     *Cc: *"Gus Lou" <gugalou38 at gmail.com <mailto:gugalou38 at gmail.com>>
>     *Sent: *Friday, December 11, 2020 11:44:56 PM
>     *Subject: *[midPoint] Synchronization Trouble - Active Directory to MP
>
>     Hi Guys
>
>     I need to import groups, users and their existing access
>     into Active Directory to Midpoint (MP version 4.2, ADLdapConnector 3.1)
>
>     To achieve this goal, I did the following:
>
>     1-I imported the active directory resource template from the
>     address below:
>     https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/ad-ldap-medusa-medium.xml
>
>     2-I created two synchronization tasks, one for users and one for
>     groups.
>
>     When I run the synchronization tasks, I get the following error:
>
>     *Unspecified error: Got unexpected exception:
>     java.lang.IllegalArgumentException: Last unit does not have enough
>     valid bits*
>
>     I have already checked the required permissions following the
>     guidelines in the link below:
>     https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector
>
>
>     Does anyone have any ideas to resolve or any other documentation
>     that I can review?
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     https://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
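
Added example, not part of the original thread and not midPoint or connector code: a small Python triage script that pulls the AD extended error out of log records like the ones quoted above and decodes the embedded hex code (00002105 is Win32 error 8453, ERROR_DS_DRA_ACCESS_DENIED). The lookup table, the `triage` function and the sample text are constructed for illustration.

```python
import re
from collections import Counter

# Win32 directory-service codes that AD embeds as 8 hex digits in the LDAP
# diagnostic message. Hand-picked for this example, not exhaustive.
WIN32_DS = {
    0x2105: "ERROR_DS_DRA_ACCESS_DENIED (replication access was denied)",
    0x2098: "ERROR_DS_INSUFF_ACCESS_RIGHTS (insufficient access rights)",
}

# Layout: <op>: <ldapResult>: <hex>: <kind>: DSID-<id>, comment: <text>, data <hex>, v<build>
# \s+ is used throughout so a match survives e-mail or terminal line wrapping.
AD_ERR = re.compile(
    r"LDAP error during (?P<op>[^:]+):\s+(?P<ldap>\w+):\s+(?P<win32>[0-9A-Fa-f]{8}):\s+"
    r"(?P<kind>\w+):\s+DSID-(?P<dsid>[0-9A-Fa-f]{8}),\s+comment:\s+(?P<comment>[^,]+),\s+"
    r"data\s+(?P<data>[0-9A-Fa-f]+),\s+v(?P<build>[0-9A-Fa-f]+)"
)

def triage(log_text):
    """Return one finding per distinct AD error, with how often it was logged."""
    seen = Counter()
    for m in AD_ERR.finditer(log_text):
        op = " ".join(m["op"].split())
        comment = " ".join(m["comment"].split())
        seen[(op, m["ldap"], int(m["win32"], 16), m["dsid"].upper(), comment)] += 1
    findings = []
    for (op, ldap, code, dsid, comment), n in seen.items():
        findings.append({
            "operation": op, "ldap_result": ldap, "win32": code,
            "win32_name": WIN32_DS.get(code, "unknown"), "dsid": dsid,
            "comment": comment, "count": n,
            # The server rejected the request control itself with a replication
            # access error: look at the bind account's rights, not the filter or base DN.
            "control_denied": code == 0x2105 and "control" in comment.lower(),
        })
    return findings

# Constructed sample: two log records from the thread, unwrapped (one left partly wrapped).
SAMPLE = """\
2020-12-11 16:53:22,996 [] [Thread-327] ERROR (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null msg:LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
2020-12-11 16:53:22,997 [PROVISIONING] [midPointScheduler_Worker-2] ERROR (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105:
LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Collapsing the repeated records into one finding with a count keeps the nested "Caused by" copies of the same error from looking like several separate failures.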
