[midPoint] Synchronization Trouble - Active Directory to MP
Al Lilianstrom
lilstrom at fnal.gov
Mon Dec 14 14:37:36 CET 2020
Also
Check your System and Directory Service event logs on the Domain Controllers. There might be a hint there as to the problem.
--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov
________________________________________
From: Al Lilianstrom <lilstrom at fnal.gov>
Sent: Monday, December 14, 2020 7:19 AM
To: midPoint General Discussion
Subject: Re: [midPoint] Synchronization Trouble - Active Directory to MP
Gus,
Please pull the DA permissions as soon as you can
Replicating directory changes is necessary. Check for that.
--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov
________________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Gus Lou via midPoint <midpoint at lists.evolveum.com>
Sent: Monday, December 14, 2020 7:00 AM
To: midPoint General Discussion
Cc: Gus Lou
Subject: Re: [midPoint] Synchronization Trouble - Active Directory to MP
Hi Ivan
I'm checking the permissions again. I assigned full control permission at the domain level to the midpoint bind account in the active directory and enabled inheritance for all objects. It also assigns domain admin permission as well. I know that both permissions are not necessary and not recommended as they are highly permissive, but it was the way I found to try to eliminate possible permission errors.
But unfortunately the problems persist.
I will continue to investigate.
Regards
Gus
Em seg., 14 de dez. de 2020 às 09:49, Ivan Noris via midPoint <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>> escreveu:
Hi Gus,
seems to be permission problem in your AD.
LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
Best regards,
Ivan
On 12. 12. 2020 18:38, Gus Lou via midPoint wrote:
Hi Richard
I checked the permissions of the midpooint account in AD again and it is in accordance with the guidelines in the link below:
Active Directory with LDAP connector - midPoint - Evolveum Confluence<https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.evolveum.com_display_midPoint_Active-2BDirectory-2Bwith-2BLDAP-2Bconnector&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=t3Y2sKnNRhcFDCgp_cjRSkN2sOieLk7ktdB0p5trDAg&s=lHe5YrQxLZ9dY8yXVQ8agTsQ5ligaXbx6hhseaon4ig&e=>
I applied permissions at the domain level xyz.net<https://urldefense.proofpoint.com/v2/url?u=http-3A__xyz.net&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=t3Y2sKnNRhcFDCgp_cjRSkN2sOieLk7ktdB0p5trDAg&s=x6rOMc9P-OQ_aUeBF43Xg7Vv_j0lMAyQgdUdwLIbiFk&e=>
Here it is part of midpoint log:
----------------------------------------------------------------------------------------------------------------
2020-12-11 16:53:22,996 [] [Thread-327] ERROR (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null msg:LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] WARN (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId exception (might be handled by upper layers later) org.identityconnectors.framework.common.exceptions.PermissionDeniedException in connector:a0c5bb85-f4f0-4954-af1d-17ec4f27233e(ConnId com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.1): ConnectorSpec(resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa Active Directory (LDAP)), name=null, oid=a0c5bb85-f4f0-4954-af1d-17ec4f27233e): LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50), reason: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50) (class org.identityconnectors.framework.common.exceptions.PermissionDeniedException)
2020-12-11 16:53:22,997 [PROVISIONING] [midPointScheduler_Worker-2] ERROR (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
com.evolveum.midpoint.util.exception.SystemException: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
at com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
at com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
at com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
at com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
Caused by: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
at com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
at com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
at com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
at org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
at com.sun.proxy.$Proxy249.sync(Unknown Source)
at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
at com.sun.proxy.$Proxy249.sync(Unknown Source)
at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] ERROR (com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler): Live Sync: Unspecified error: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
com.evolveum.midpoint.util.exception.SystemException: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
at com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
at com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
at com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
at com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
Caused by: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
at com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
at com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
at com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
at org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
at com.sun.proxy.$Proxy249.sync(Unknown Source)
at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
at com.sun.proxy.$Proxy249.sync(Unknown Source)
at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
2020-12-11 16:53:23,015 [] [midPointScheduler_Worker-2] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Task encountered permanent error, suspending the task. Task = Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups), oid:36d98518-9db1-49ce-a4d7-75be1047bac6)
2020-12-11 16:53:23,015 [TASK_MANAGER] [midPointScheduler_Worker-2] INFO (com.evolveum.midpoint.task.quartzimpl.TaskManagerQuartzImpl): Suspending tasks [Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups), oid:36d98518-9db1-49ce-a4d7-75be1047bac6)]; do not stop tasks.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Best Regards
Gus
Em sex., 11 de dez. de 2020 às 20:22, Richard Richter via midPoint <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>> escreveu:
Hello
I have no idea why this happens, just looking at the message, it seems to come from java.util.Base64.decode(...) call, it is in the code and probably some Base64 encoded string is not correct.
It always helps if you can provide also a stacktrace, part of the log or something. If it's easy to answer without it, it doesn't hurt. Here, I have no idea where the call originates from.
Regards
Richard Richter
midPoint developer
________________________________
From: "midPoint General Discussion" <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
To: "midPoint General Discussion" <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Cc: "Gus Lou" <gugalou38 at gmail.com<mailto:gugalou38 at gmail.com>>
Sent: Friday, December 11, 2020 11:44:56 PM
Subject: [midPoint] Synchronization Trouble - Active Directory to MP
Hi Guys
I need to import groups, users and users and their existing access into Active Directory to Midpoint (MP version 4.2, ADLdapConector 3.1)
To achieve this goal, I did the following:
1-I imported the active directory resource template from the address below:
https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/ad-ldap-medusa-medium.xml<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_Evolveum_midpoint-2Dsamples_blob_master_samples_resources_ad-2Dldap_ad-2Dldap-2Dmedusa-2Dmedium.xml&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=t3Y2sKnNRhcFDCgp_cjRSkN2sOieLk7ktdB0p5trDAg&s=bVVmWuKEVUDl6AusI04NjeiRqTBkD2Ktg23DkJaiIZI&e=>
2-I created two synchronization tasks, one for users and one for groups.
When I run the synchronization tasks, I get the following error:
Unspecified error: Got unexpected exception: java.lang.IllegalArgumentException: Last unit does not have enough valid bits
I have already checked the required permissions following the guidelines in the link below:
https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector<https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.evolveum.com_display_midPoint_Active-2BDirectory-2Bwith-2BLDAP-2Bconnector&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=t3Y2sKnNRhcFDCgp_cjRSkN2sOieLk7ktdB0p5trDAg&s=lHe5YrQxLZ9dY8yXVQ8agTsQ5ligaXbx6hhseaon4ig&e=>
Does anyone have any ideas to resolve or any other documentation that I can review.?
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
https://lists.evolveum.com/mailman/listinfo/midpoint<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=t3Y2sKnNRhcFDCgp_cjRSkN2sOieLk7ktdB0p5trDAg&s=fu0kKh3PJtFtx1S7XMUYcbuU4mxOMy_qdu1CnIGOi1s&e=>
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
https://lists.evolveum.com/mailman/listinfo/midpoint<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=t3Y2sKnNRhcFDCgp_cjRSkN2sOieLk7ktdB0p5trDAg&s=fu0kKh3PJtFtx1S7XMUYcbuU4mxOMy_qdu1CnIGOi1s&e=>
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
https://lists.evolveum.com/mailman/listinfo/midpoint<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=t3Y2sKnNRhcFDCgp_cjRSkN2sOieLk7ktdB0p5trDAg&s=fu0kKh3PJtFtx1S7XMUYcbuU4mxOMy_qdu1CnIGOi1s&e=>
--
Ivan Noris
Senior Identity Engineer
evolveum.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__evolveum.com&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=t3Y2sKnNRhcFDCgp_cjRSkN2sOieLk7ktdB0p5trDAg&s=JqE8PF_lIP5TxW9nhmnWfhsO2uYb3OrjAV8HReP_WN4&e=>
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
https://lists.evolveum.com/mailman/listinfo/midpoint<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=t3Y2sKnNRhcFDCgp_cjRSkN2sOieLk7ktdB0p5trDAg&s=fu0kKh3PJtFtx1S7XMUYcbuU4mxOMy_qdu1CnIGOi1s&e=>
More information about the midPoint
mailing list