[midPoint] Synchronization Trouble - Active Directory to MP

Gus Lou gugalou38 at gmail.com
Mon Dec 14 17:43:31 CET 2020


Hi Al Lilianstrom

Thanks for your help. I checked the Event Viewer (Directory Service
section) on the domain controller, but found no errors.

Regards

Gus

On Mon, 14 Dec 2020 at 10:37, Al Lilianstrom via midPoint <
midpoint at lists.evolveum.com> wrote:

> Also
>
> Check your System and Directory Service event logs on the Domain
> Controllers. There might be a hint there as to the problem.
>
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> www.fnal.gov
> lilstrom at fnal.gov
>
>
> ________________________________________
> From: Al Lilianstrom <lilstrom at fnal.gov>
> Sent: Monday, December 14, 2020 7:19 AM
> To: midPoint General Discussion
> Subject: Re: [midPoint] Synchronization Trouble - Active Directory to MP
>
>
> Gus,
>
> Please pull the DA permissions as soon as you can
>
> Replicating directory changes is necessary. Check for that.
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> www.fnal.gov
> lilstrom at fnal.gov
>
>
> ________________________________________
> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Gus Lou
> via midPoint <midpoint at lists.evolveum.com>
> Sent: Monday, December 14, 2020 7:00 AM
> To: midPoint General Discussion
> Cc: Gus Lou
> Subject: Re: [midPoint] Synchronization Trouble - Active Directory to MP
>
> Hi Ivan
>
> I'm checking the permissions again. I assigned full control permission at
> the domain level to the midPoint bind account in Active Directory and
> enabled inheritance for all objects. I also assigned domain admin
> permission. I know that both permissions are not necessary and not
> recommended, as they are highly permissive, but it was the way I found to
> try to eliminate possible permission errors.
> Unfortunately, the problems persist.
> I will continue to investigate.
>
> Regards
>
> Gus
>
>
> On Mon, 14 Dec 2020 at 09:49, Ivan Noris via midPoint <
> midpoint at lists.evolveum.com> wrote:
>
> Hi Gus,
>
> It seems to be a permission problem in your AD.
>
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
>
>
> Best regards,
>
> Ivan
>
> On 12. 12. 2020 18:38, Gus Lou via midPoint wrote:
> Hi Richard
> I checked the permissions of the midpoint account in AD again and it is
> in accordance with the guidelines in the link below:
> Active Directory with LDAP connector - midPoint - Evolveum Confluence
> <https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector>
>
> I applied permissions at the domain level xyz.net
>
> Here it is part of midpoint log:
>
> ----------------------------------------------------------------------------------------------------------------
> 2020-12-11 16:53:22,996 [] [Thread-327] ERROR
> (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null
> msg:LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> 2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] WARN
> (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId
> exception (might be handled by upper layers later)
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException
> in connector:a0c5bb85-f4f0-4954-af1d-17ec4f27233e(ConnId
> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.1):
> ConnectorSpec(resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa Active
> Directory (LDAP)), name=null, oid=a0c5bb85-f4f0-4954-af1d-17ec4f27233e):
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50), reason: LDAP error during DirSync search: insufficientAccessRights:
> 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data
> 0, v3839? (50) (class
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException)
> 2020-12-11 16:53:22,997 [PROVISIONING] [midPointScheduler_Worker-2] ERROR
> (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Got
> unexpected exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> com.evolveum.midpoint.util.exception.SystemException: Got unexpected
> exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> at
> com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
> at
> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
> at
> com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
> at
> com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
> at
> com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
> at
> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
> Caused by:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> at
> com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
> at com.evolveum.polygon.connector.ldap.ad
> .AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
> at
> com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
> at
> com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
> at
> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
> at com.sun.proxy.$Proxy249.sync(Unknown Source)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
> at com.sun.proxy.$Proxy249.sync(Unknown Source)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
> 2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] ERROR
> (com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler): Live Sync:
> Unspecified error: Got unexpected exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> com.evolveum.midpoint.util.exception.SystemException: Got unexpected
> exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> at
> com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
> at
> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
> at
> com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
> at
> com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
> at
> com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
> at
> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
> Caused by:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> at
> com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
> at com.evolveum.polygon.connector.ldap.ad
> .AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
> at
> com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
> at
> com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
> at
> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
> at com.sun.proxy.$Proxy249.sync(Unknown Source)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
> at com.sun.proxy.$Proxy249.sync(Unknown Source)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
> 2020-12-11 16:53:23,015 [] [midPointScheduler_Worker-2] INFO
> (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Task
> encountered permanent error, suspending the task. Task =
> Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups),
> oid:36d98518-9db1-49ce-a4d7-75be1047bac6)
> 2020-12-11 16:53:23,015 [TASK_MANAGER] [midPointScheduler_Worker-2] INFO
> (com.evolveum.midpoint.task.quartzimpl.TaskManagerQuartzImpl): Suspending
> tasks [Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups),
> oid:36d98518-9db1-49ce-a4d7-75be1047bac6)]; do not stop tasks.
>
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Best Regards
>
> Gus
>
>
>
> On Fri, 11 Dec 2020 at 20:22, Richard Richter via midPoint <
> midpoint at lists.evolveum.com> wrote:
> Hello
>
> I have no idea why this happens. Just looking at the message, it seems to
> come from a java.util.Base64.decode(...) call; it is in the code, and probably
> some Base64-encoded string is not correct.
> It always helps if you can also provide a stack trace, part of the log or
> something. If it's easy to answer without it, it doesn't hurt. Here, I have
> no idea where the call originates from.
>
> Regards
>
> Richard Richter
> midPoint developer
>
> ________________________________
> From: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Cc: "Gus Lou" <gugalou38 at gmail.com>
> Sent: Friday, December 11, 2020 11:44:56 PM
> Subject: [midPoint] Synchronization Trouble - Active Directory to MP
>
> Hi Guys
>
> I need to import groups, users and their existing access from
> Active Directory into midPoint (MP version 4.2, AdLdapConnector 3.1).
>
> To achieve this goal, I did the following:
>
> 1-I imported the active directory resource template from the address below:
>
> https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/ad-ldap-medusa-medium.xml
>
> 2-I created two synchronization tasks, one for users and one for groups.
>
> When I run the synchronization tasks, I get the following error:
>
> Unspecified error: Got unexpected exception:
> java.lang.IllegalArgumentException: Last unit does not have enough valid
> bits
>
> I have already checked the required permissions following the guidelines
> in the link below:
>
> https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector
>
>
> Does anyone have any ideas to resolve this, or any other documentation that I
> can review?
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
>
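The thread's advice (grant "Replicating Directory Changes" on the domain naming context, and remove the Domain Admins membership that was added while troubleshooting) can be audited from a domain-joined admin host. This is an added example, not code from the thread or from midPoint; it assumes the ActiveDirectory RSAT module is installed and uses a hypothetical bind account name 'svc-midpoint'.

```powershell
# Added example: audit the midPoint bind account's rights for LDAP DirSync.
# Assumes the ActiveDirectory RSAT module; 'svc-midpoint' is a placeholder name.
Import-Module ActiveDirectory

$AccountSam = 'svc-midpoint'          # hypothetical midPoint bind account
$Domain     = Get-ADDomain
$NcDn       = $Domain.DistinguishedName

# Extended-right GUID of "Replicating Directory Changes" (DS-Replication-Get-Changes).
# The DirSync control needs this right on the root of the naming context being synced.
$ReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$AllExtendedRights = [guid]'00000000-0000-0000-0000-000000000000'  # ACE granting all extended rights

$Account = Get-ADUser -Identity $AccountSam
# Principals that an ACE may name: the account itself plus its direct group memberships.
$principals = @("$($Domain.NetBIOSName)\$($Account.SamAccountName)")
$principals += Get-ADPrincipalGroupMembership -Identity $Account |
    ForEach-Object { "$($Domain.NetBIOSName)\$($_.SamAccountName)" }

$acl     = Get-Acl -Path "AD:\$NcDn"
$hasRepl = $false
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($principals -notcontains $ace.IdentityReference.Value) { continue }

    $rights = $ace.ActiveDirectoryRights
    if ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
        if ($ace.ObjectType -eq $ReplGetChanges -or $ace.ObjectType -eq $AllExtendedRights) {
            $hasRepl = $true
            Write-Output "OK: '$($ace.IdentityReference)' grants Replicating Directory Changes on $NcDn"
        }
    }
    # Full control on the domain root is far more than DirSync needs; report it.
    if ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) {
        Write-Warning "Over-broad: '$($ace.IdentityReference)' has full control (GenericAll) on $NcDn"
    }
}
if (-not $hasRepl) {
    Write-Warning "'$AccountSam' lacks Replicating Directory Changes on $NcDn; DirSync will fail with insufficientAccessRights"
}

# Domain Admins (RID 512) membership is not required for DirSync and should be removed.
$daGroup = "$($Domain.DomainSID)-512"
$isDa = Get-ADGroupMember -Identity $daGroup -Recursive |
    Where-Object { $_.SamAccountName -eq $AccountSam }
if ($isDa) {
    Write-Warning "'$AccountSam' is a member of Domain Admins; remove it and keep only the DirSync right"
}
```

The check matches ACEs granted directly to the account or to its direct groups; rights inherited through nested groups would need the membership list expanded recursively.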