[midPoint] Synchronization Trouble - Active Directory to MP
Ivan Noris
ivan.noris at evolveum.com
Mon Dec 14 14:08:36 CET 2020
Hi Gus,
I have not yet done this personally, but according to our wiki, you also
need the "Replicating Directory Changes" permission.
Source:
https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector#ActiveDirectorywithLDAPconnector-AdministrativeAccountforProvisioning/Synchronization
For LiveSync, you also need "Replicating Directory Changes" permission
(please refer to https://support.microsoft.com/en-us/help/303972 and
https://support.microsoft.com/en-ae/help/891995/how-to-poll-for-object-attribute-changes-in-active-directory-on-window).
Best regards,
Ivan
On 14. 12. 2020 14:00, Gus Lou via midPoint wrote:
> Hi Ivan
>
> I'm checking the permissions again. I assigned full control permission
> at the domain level to the midPoint bind account in the Active
> Directory and enabled inheritance for all objects. It also has
> domain admin permission. I know that both permissions are not
> necessary and not recommended as they are highly permissive, but it
> was the way I found to try to eliminate possible permission errors.
> But unfortunately the problems persist.
> I will continue to investigate.
>
> Regards
>
> Gus
>
>
> On Mon, 14 Dec 2020 at 09:49, Ivan Noris via midPoint
> <midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>>
> wrote:
>
> Hi Gus,
>
> This seems to be a permission problem in your AD.
>
> LDAP error during DirSync search: insufficientAccessRights:
> 00002105: LdapErr: DSID-0C0909A9, comment: Error processing
> control, data 0, v3839? (50)
>
>
> Best regards,
>
> Ivan
>
> On 12. 12. 2020 18:38, Gus Lou via midPoint wrote:
>> Hi Richard
>> I checked the permissions of the midPoint account in AD again
>> and it is in accordance with the guidelines in the link below:
>> Active Directory with LDAP connector - midPoint - Evolveum
>> Confluence
>> <https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector>
>>
>> I applied permissions at the domain level xyz.net <http://xyz.net>
>>
>> Here is part of the midPoint log:
>> ----------------------------------------------------------------------------------------------------------------
>> 2020-12-11 16:53:22,996 [] [Thread-327] ERROR
>> (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy):
>> method: null msg:LDAP error during DirSync search:
>> insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9,
>> comment: Error processing control, data 0, v3839? (50)
>> 2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] WARN
>> (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil):
>> Got ConnId exception (might be handled by upper layers later)
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException
>> in connector:a0c5bb85-f4f0-4954-af1d-17ec4f27233e(ConnId
>> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.1):
>> ConnectorSpec(resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa
>> Active Directory (LDAP)), name=null,
>> oid=a0c5bb85-f4f0-4954-af1d-17ec4f27233e): LDAP error during
>> DirSync search: insufficientAccessRights: 00002105: LdapErr:
>> DSID-0C0909A9, comment: Error processing control, data 0, v3839?
>> (50), reason: LDAP error during DirSync search:
>> insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9,
>> comment: Error processing control, data 0, v3839? (50) (class
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException)
>> 2020-12-11 16:53:22,997 [PROVISIONING]
>> [midPointScheduler_Worker-2] ERROR
>> (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl):
>> Got unexpected exception:
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> LDAP error during DirSync search: insufficientAccessRights:
>> 00002105: LdapErr: DSID-0C0909A9, comment: Error processing
>> control, data 0, v3839? (50)
>> com.evolveum.midpoint.util.exception.SystemException: Got
>> unexpected exception:
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> LDAP error during DirSync search: insufficientAccessRights:
>> 00002105: LdapErr: DSID-0C0909A9, comment: Error processing
>> control, data 0, v3839? (50)
>> at
>> com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
>> at
>> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
>> at
>> com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
>> at
>> com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
>> at
>> com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
>> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>> at
>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
>> Caused by:
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> LDAP error during DirSync search: insufficientAccessRights:
>> 00002105: LdapErr: DSID-0C0909A9, comment: Error processing
>> control, data 0, v3839? (50)
>> at
>> com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
>> at
>> com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
>> at
>> com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
>> at
>> com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
>> at
>> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
>> at
>> jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown
>> Source)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at
>> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
>> at com.sun.proxy.$Proxy249.sync(Unknown Source)
>> at
>> jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown
>> Source)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at
>> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
>> at com.sun.proxy.$Proxy249.sync(Unknown Source)
>> at
>> jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown
>> Source)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at
>> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
>> 2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] ERROR
>> (com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler): Live
>> Sync: Unspecified error: Got unexpected exception:
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> LDAP error during DirSync search: insufficientAccessRights:
>> 00002105: LdapErr: DSID-0C0909A9, comment: Error processing
>> control, data 0, v3839? (50)
>> com.evolveum.midpoint.util.exception.SystemException: Got
>> unexpected exception:
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> LDAP error during DirSync search: insufficientAccessRights:
>> 00002105: LdapErr: DSID-0C0909A9, comment: Error processing
>> control, data 0, v3839? (50)
>> at
>> com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
>> at
>> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
>> at
>> com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
>> at
>> com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
>> at
>> com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
>> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>> at
>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
>> Caused by:
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> LDAP error during DirSync search: insufficientAccessRights:
>> 00002105: LdapErr: DSID-0C0909A9, comment: Error processing
>> control, data 0, v3839? (50)
>> at
>> com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
>> at
>> com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
>> at
>> com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
>> at
>> com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
>> at
>> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
>> at
>> jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown
>> Source)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at
>> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
>> at com.sun.proxy.$Proxy249.sync(Unknown Source)
>> at
>> jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown
>> Source)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at
>> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
>> at com.sun.proxy.$Proxy249.sync(Unknown Source)
>> at
>> jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown
>> Source)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at
>> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
>> 2020-12-11 16:53:23,015 [] [midPointScheduler_Worker-2] INFO
>> (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor):
>> Task encountered permanent error, suspending the task. Task =
>> Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups),
>> oid:36d98518-9db1-49ce-a4d7-75be1047bac6)
>> 2020-12-11 16:53:23,015 [TASK_MANAGER]
>> [midPointScheduler_Worker-2] INFO
>> (com.evolveum.midpoint.task.quartzimpl.TaskManagerQuartzImpl):
>> Suspending tasks [Task(id:1546210629125-0-1, name:Sync: Active
>> Directory (Groups), oid:36d98518-9db1-49ce-a4d7-75be1047bac6)];
>> do not stop tasks.
>> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> Best Regards
>>
>> Gus
>>
>>
>>
>> On Fri, 11 Dec 2020 at 20:22, Richard Richter via
>> midPoint <midpoint at lists.evolveum.com
>> <mailto:midpoint at lists.evolveum.com>> wrote:
>>
>> Hello
>>
>> I have no idea why this happens. Just looking at the message,
>> it seems to come from a *java.util.Base64.decode(...)* call; it
>> is in the code and probably some Base64-encoded string is not
>> correct.
>> It always helps if you can also provide a stack trace, part of
>> the log or something. If it's easy to answer without it, it
>> doesn't hurt. Here, I have no idea where the call originates
>> from.
>>
>> Regards
>>
>> Richard Richter
>> midPoint developer
>>
>> ------------------------------------------------------------------------
>> *From: *"midPoint General Discussion"
>> <midpoint at lists.evolveum.com
>> <mailto:midpoint at lists.evolveum.com>>
>> *To: *"midPoint General Discussion"
>> <midpoint at lists.evolveum.com
>> <mailto:midpoint at lists.evolveum.com>>
>> *Cc: *"Gus Lou" <gugalou38 at gmail.com
>> <mailto:gugalou38 at gmail.com>>
>> *Sent: *Friday, December 11, 2020 11:44:56 PM
>> *Subject: *[midPoint] Synchronization Trouble - Active
>> Directory to MP
>>
>> Hi Guys
>>
>> I need to import groups, users and their existing
>> access from Active Directory into midPoint (MP version 4.2,
>> AdLdapConnector 3.1).
>>
>> To achieve this goal, I did the following:
>>
>> 1-I imported the active directory resource template from the
>> address below:
>> https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/ad-ldap-medusa-medium.xml
>>
>> 2-I created two synchronization tasks, one for users and one
>> for groups.
>>
>> When I run the synchronization tasks, I get the following error:
>>
>> *Unspecified error: Got unexpected exception:
>> java.lang.IllegalArgumentException: Last unit does not have
>> enough valid bits*
>>
>> I have already checked the required permissions following the
>> guidelines in the link below:
>> https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector
>>
>>
>> Does anyone have any ideas to resolve this, or any other
>> documentation that I can review?
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com <http://evolveum.com>
>
--
Ivan Noris
Senior Identity Engineer
evolveum.com
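As an added example (not from the thread, the wiki page or the midPoint project), the following PowerShell check confirms whether the bind account actually holds the "Replicating Directory Changes" extended right on the domain naming context, which is what the connector's DirSync search needs; the account name svc-midpoint is a placeholder, and only the narrower right is suggested, not "Replicating Directory Changes All".

```powershell
# Added example, not from the thread or the midPoint project.
# Verifies that the midPoint bind account holds the "Replicating Directory Changes"
# extended right on the domain NC; without it the AD LDAP connector's DirSync-based
# LiveSync fails with insufficientAccessRights / 00002105 as seen in the log above.
# Assumptions: the ActiveDirectory module is installed and the bind account's
# sAMAccountName is 'svc-midpoint' (placeholder, substitute your own).
Import-Module ActiveDirectory

$account   = 'svc-midpoint'
$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName              # e.g. DC=xyz,DC=net in the thread
$principal = "$($domain.NetBIOSName)\$account"

# Resolve the right's GUID from the schema rather than hard-coding it.
$configNc  = (Get-ADRootDSE).ConfigurationNamingContext
$rightObj  = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
               -LDAPFilter '(displayName=Replicating Directory Changes)' `
               -Properties rightsGuid
$rightGuid = [guid]$rightObj.rightsGuid

# DirSync searches start at the naming-context head, so the ACE must be on the
# domain root itself (an ACE on a sub-OU does not satisfy the DirSync control).
$acl = Get-Acl -Path "AD:\$domainDn"
$granted = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $principal -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq [guid]::Empty)   # Empty GUID = all extended rights
}

if ($granted) {
    Write-Host "OK: $principal holds 'Replicating Directory Changes' on $domainDn"
} else {
    Write-Warning "$principal has no direct ACE for 'Replicating Directory Changes' on $domainDn"
    Write-Warning "The right may still be inherited through group membership; only direct ACEs are inspected here."
    Write-Host    "To grant just this right (least privilege; do not grant 'Replicating Directory Changes All'):"
    Write-Host    "  dsacls `"$domainDn`" /G `"${principal}:CA;Replicating Directory Changes`""
}
```

Run it as an account that can read the domain root DACL; the dsacls line is printed, not executed, so the grant remains a deliberate administrative step.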