[midPoint] Synchronization Trouble - Active Directory to MP

Gus Lou gugalou38 at gmail.com
Mon Dec 14 14:18:49 CET 2020


Hi Ivan

Initially I followed the instruction to assign the Replicating Directory
Changes permission to the midpoint bind account in the active directory.
But the problem continued. Then I increased the account's permission level
to full control for all objects, but the error persists.
I'm doing tests with some tools to validate the LDAP dirsync functions with
the midpoint bind account in the active directory.

Regards

Gus

On Mon, Dec 14, 2020 at 10:08, Ivan Noris via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hi Gus,
>
> I have not yet done this personally, but according to our wiki, you also
> need Replicating Directory Changes permission.
>
> Source:
> https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector#ActiveDirectorywithLDAPconnector-AdministrativeAccountforProvisioning/Synchronization
>
> For LiveSync, you also need "Replicating Directory Changes" permission
> (please refer to https://support.microsoft.com/en-us/help/303972 and
> https://support.microsoft.com/en-ae/help/891995/how-to-poll-for-object-attribute-changes-in-active-directory-on-window
> ).
>
> Best regards,
>
> Ivan
> On 14. 12. 2020 14:00, Gus Lou via midPoint wrote:
>
> Hi Ivan
>
> I'm checking the permissions again. I assigned full control permission at
> the domain level to the midpoint bind account in the active directory and
> enabled inheritance for all objects. I also assigned domain admin
> permission. I know that both permissions are not necessary and not
> recommended as they are highly permissive, but it was the way I found to
> try to eliminate possible permission errors.
> But unfortunately the problems persist.
> I will continue to investigate.
>
> Regards
>
> Gus
>
>
> On Mon, Dec 14, 2020 at 09:49, Ivan Noris via midPoint <
> midpoint at lists.evolveum.com> wrote:
>
>> Hi Gus,
>>
>> It seems to be a permission problem in your AD.
>>
>> LDAP error during DirSync search: insufficientAccessRights: 00002105:
>> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
>> (50)
>>
>>
>> Best regards,
>>
>> Ivan
>> On 12. 12. 2020 18:38, Gus Lou via midPoint wrote:
>>
>> Hi Richard
>> I checked the permissions of the midpoint account in AD again and it is
>> in accordance with the guidelines in the link below:
>> Active Directory with LDAP connector - midPoint - Evolveum Confluence
>> <https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector>
>>
>> I applied permissions at the domain level xyz.net
>>
>> Here it is part of midpoint log:
>>
>> ----------------------------------------------------------------------------------------------------------------
>> 2020-12-11 16:53:22,996 [] [Thread-327] ERROR
>> (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null
>> msg:LDAP error during DirSync search: insufficientAccessRights: 00002105:
>> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
>> (50)
>> 2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] WARN
>> (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId
>> exception (might be handled by upper layers later)
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException
>> in connector:a0c5bb85-f4f0-4954-af1d-17ec4f27233e(ConnId
>> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.1): ConnectorSpec(
>> resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa Active Directory
>> (LDAP)), name=null, oid=a0c5bb85-f4f0-4954-af1d-17ec4f27233e): LDAP error
>> during DirSync search: insufficientAccessRights: 00002105: LdapErr:
>> DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50),
>> reason: LDAP error during DirSync search: insufficientAccessRights:
>> 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data
>> 0, v3839? (50) (class
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException)
>> 2020-12-11 16:53:22,997 [PROVISIONING] [midPointScheduler_Worker-2] ERROR
>> (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Got
>> unexpected exception:
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> LDAP error during DirSync search: insufficientAccessRights: 00002105:
>> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
>> (50)
>> com.evolveum.midpoint.util.exception.SystemException: Got unexpected
>> exception:
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> LDAP error during DirSync search: insufficientAccessRights: 00002105:
>> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
>> (50)
>> at
>> com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
>> at
>> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
>> at
>> com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
>> at
>> com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
>> at
>> com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
>> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>> at
>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
>> Caused by:
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> LDAP error during DirSync search: insufficientAccessRights: 00002105:
>> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
>> (50)
>> at
>> com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
>> at
>> com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
>> at
>> com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
>> at
>> com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
>> at
>> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
>> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at
>> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
>> at com.sun.proxy.$Proxy249.sync(Unknown Source)
>> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at
>> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
>> at com.sun.proxy.$Proxy249.sync(Unknown Source)
>> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at
>> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
>> 2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] ERROR
>> (com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler): Live Sync:
>> Unspecified error: Got unexpected exception:
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> LDAP error during DirSync search: insufficientAccessRights: 00002105:
>> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
>> (50)
>> com.evolveum.midpoint.util.exception.SystemException: Got unexpected
>> exception:
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> LDAP error during DirSync search: insufficientAccessRights: 00002105:
>> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
>> (50)
>> at
>> com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
>> at
>> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
>> at
>> com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
>> at
>> com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
>> at
>> com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
>> at
>> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
>> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
>> at
>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
>> Caused by:
>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
>> LDAP error during DirSync search: insufficientAccessRights: 00002105:
>> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
>> (50)
>> at
>> com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
>> at
>> com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
>> at
>> com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
>> at
>> com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
>> at
>> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
>> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at
>> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
>> at com.sun.proxy.$Proxy249.sync(Unknown Source)
>> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at
>> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
>> at com.sun.proxy.$Proxy249.sync(Unknown Source)
>> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at
>> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
>> 2020-12-11 16:53:23,015 [] [midPointScheduler_Worker-2] INFO
>> (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Task
>> encountered permanent error, suspending the task. Task =
>> Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups),
>> oid:36d98518-9db1-49ce-a4d7-75be1047bac6)
>> 2020-12-11 16:53:23,015 [TASK_MANAGER] [midPointScheduler_Worker-2] INFO
>> (com.evolveum.midpoint.task.quartzimpl.TaskManagerQuartzImpl): Suspending
>> tasks [Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups),
>> oid:36d98518-9db1-49ce-a4d7-75be1047bac6)]; do not stop tasks.
>>
>> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> Best Regards
>>
>> Gus
>>
>>
>>
>> On Fri, Dec 11, 2020 at 20:22, Richard Richter via midPoint <
>> midpoint at lists.evolveum.com> wrote:
>>
>>> Hello
>>>
>>> I have no idea why this happens, just looking at the message, it seems
>>> to come from *java.util.Base64.decode(...)* call, it is in the code and
>>> probably some Base64 encoded string is not correct.
>>> It always helps if you can provide also a stacktrace, part of the log or
>>> something. If it's easy to answer without it, it doesn't hurt. Here, I have
>>> no idea where the call originates from.
>>>
>>> Regards
>>>
>>> Richard Richter
>>> midPoint developer
>>>
>>> ------------------------------
>>> *From: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>>> *Cc: *"Gus Lou" <gugalou38 at gmail.com>
>>> *Sent: *Friday, December 11, 2020 11:44:56 PM
>>> *Subject: *[midPoint] Synchronization Trouble - Active Directory to MP
>>>
>>> Hi Guys
>>>
>>> I need to import groups, users and their existing access from
>>> Active Directory into midPoint (MP version 4.2, AdLdapConnector 3.1)
>>>
>>> To achieve this goal, I did the following:
>>>
>>> 1-I imported the active directory resource template from the address
>>> below:
>>>
>>> https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/ad-ldap-medusa-medium.xml
>>>
>>> 2-I created two synchronization tasks, one for users and one for groups.
>>>
>>> When I run the synchronization tasks, I get the following error:
>>>
>>> *Unspecified error: Got unexpected exception:
>>> java.lang.IllegalArgumentException: Last unit does not have enough valid
>>> bits*
>>>
>>> I have already checked the required permissions following the guidelines
>>> in the link below:
>>>
>>> https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector
>>>
>>>
>>> Does anyone have any ideas to resolve this, or any other documentation that I
>>> can review?
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
>>
>> --
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com
>>
>>
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
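The log excerpt above carries a stable signature for the failure Ivan points at: LDAP result 50 (insufficientAccessRights) with AD extended error 00002105 and the comment "Error processing control" on the DirSync search, followed by midPoint suspending the LiveSync task. The script below is an added example and not part of this thread, midPoint, or the connector: it splits midPoint log text into records, matches that signature and the "Last unit does not have enough valid bits" Base64 message from the first message, and reports what the thread recommends checking. The sample records are constructed from the excerpt (rejoined onto one line each; the Base64 record's timestamp and thread name are invented), and the rule names and remediation wording are my own.

```python
"""Triage midPoint LiveSync log records for the AD DirSync errors seen in the thread.

Added example, not midPoint or connector code. SAMPLE_LOG is constructed from the
thread's log excerpt, with wrapped lines rejoined.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# A midPoint record starts with a timestamp; stack frames and other
# continuation lines belong to the record that precedes them.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ", re.M)
HEADER = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<subsystem>[^\]]*)\] \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+)\s+\((?P<logger>[^)]+)\)"
)
# LDAP result 50 = insufficientAccessRights; AD error 00002105 together with
# "Error processing control" means the server rejected the DirSync control.
DIRSYNC_DENIED = re.compile(
    r"LDAP error during DirSync search: (?P<result>\w+): (?P<ad_code>[0-9A-Fa-f]{8}): "
    r"LdapErr: (?P<dsid>DSID-[0-9A-F]+), comment: (?P<comment>[^,]+), data (?P<data>\d+)"
    r"[^(]{0,20}\((?P<ldap_code>\d+)\)"
)
BASE64_BROKEN = re.compile(
    r"java\.lang\.IllegalArgumentException: (?P<msg>Last unit does not have enough valid bits)"
)
TASK_SUSPENDED = re.compile(
    r"suspending the task\. Task = Task\(id:(?P<id>[^,]+), name:(?P<name>.+?), "
    r"oid:(?P<oid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\)"
)

# Rule name -> (pattern, what to check). Names and wording are this example's own.
RULES = {
    "dirsync-access-denied": (
        DIRSYNC_DENIED,
        "AD refused the DirSync control for the bind account. Verify the account holds "
        "the 'Replicating Directory Changes' control access right on the naming context "
        "that LiveSync searches (Evolveum wiki, MS KB 891995) and that the resource "
        "really binds as that account.",
    ),
    "base64-decode-failed": (
        BASE64_BROKEN,
        "A Base64-encoded value could not be decoded. Capture the full stack trace to "
        "find the decode call and the malformed value.",
    ),
    "task-suspended": (
        TASK_SUSPENDED,
        "midPoint suspended the LiveSync task on a permanent error; fix the root cause "
        "before resuming it.",
    ),
}


@dataclass
class Finding:
    rule: str
    first_seen: str
    remediation: str
    count: int = 0
    loggers: List[str] = field(default_factory=list)   # short logger names, in order
    details: Dict[str, str] = field(default_factory=dict)  # groups from the first hit


def split_records(log_text: str) -> List[str]:
    """Return one string per log record, continuation lines included."""
    starts = [m.start() for m in RECORD_START.finditer(log_text)]
    ends = starts[1:] + [len(log_text)]
    return [log_text[s:e].strip() for s, e in zip(starts, ends)]


def triage(log_text: str) -> Dict[str, Finding]:
    """Match every record against RULES and aggregate hits per rule."""
    findings: Dict[str, Finding] = {}
    for record in split_records(log_text):
        head = HEADER.match(record)
        if not head:
            continue
        for rule, (pattern, remediation) in RULES.items():
            hit = pattern.search(record)
            if not hit:
                continue
            finding = findings.setdefault(rule, Finding(rule, head["ts"], remediation))
            finding.count += 1
            finding.loggers.append(head["logger"].rsplit(".", 1)[-1])
            for key, value in hit.groupdict().items():
                finding.details.setdefault(key, value)
    return findings


# Constructed sample: the thread's records on single lines, plus one invented
# record (first line) carrying the Base64 message from the opening e-mail.
SAMPLE_LOG = """\
2020-12-10 10:00:00,000 [] [midPointScheduler_Worker-1] ERROR (com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler): Live Sync: Unspecified error: Got unexpected exception: java.lang.IllegalArgumentException: Last unit does not have enough valid bits
2020-12-11 16:53:22,996 [] [Thread-327] ERROR (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null msg:LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] WARN (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId exception (might be handled by upper layers later) org.identityconnectors.framework.common.exceptions.PermissionDeniedException in connector:a0c5bb85-f4f0-4954-af1d-17ec4f27233e(ConnId com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.1): LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
2020-12-11 16:53:22,997 [PROVISIONING] [midPointScheduler_Worker-2] ERROR (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
com.evolveum.midpoint.util.exception.SystemException: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
at com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] ERROR (com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler): Live Sync: Unspecified error: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
2020-12-11 16:53:23,015 [] [midPointScheduler_Worker-2] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Task encountered permanent error, suspending the task. Task = Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups), oid:36d98518-9db1-49ce-a4d7-75be1047bac6)
2020-12-11 16:53:23,015 [TASK_MANAGER] [midPointScheduler_Worker-2] INFO (com.evolveum.midpoint.task.quartzimpl.TaskManagerQuartzImpl): Suspending tasks [Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups), oid:36d98518-9db1-49ce-a4d7-75be1047bac6)]; do not stop tasks.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG).values():
        print(f"{f.rule}: {f.count} record(s), first at {f.first_seen}, via {f.loggers}")
        print(f"  details: {f.details}")
        print(f"  check:   {f.remediation}")
```

Run it against a real `midpoint.log` by replacing SAMPLE_LOG with the file contents; the record splitter copes with multi-line stack traces, and the DirSync rule counts each layer (connector, ConnId, provisioning, task handler) that re-logs the same LDAP result, so the count tells you how many layers reported it, not how many searches failed.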