[midPoint] Synchronization Trouble - Active Directory to MP

Gus Lou gugalou38 at gmail.com
Mon Dec 14 17:51:24 CET 2020


My Active Directory is running on Windows Server 2016. Does anyone run this
version with midPoint 4.1 or 4.2?

Regards

Gus

On Mon, 14 Dec 2020 at 10:37, Al Lilianstrom via midPoint <
midpoint at lists.evolveum.com> wrote:

> Also
>
> Check your System and Directory Service event logs on the Domain
> Controllers. There might be a hint there as to the problem.
>
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> www.fnal.gov
> lilstrom at fnal.gov
>
>
> ________________________________________
> From: Al Lilianstrom <lilstrom at fnal.gov>
> Sent: Monday, December 14, 2020 7:19 AM
> To: midPoint General Discussion
> Subject: Re: [midPoint] Synchronization Trouble - Active Directory to MP
>
>
> Gus,
>
> Please pull the DA permissions as soon as you can.
>
> Replicating directory changes is necessary. Check for that.
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> www.fnal.gov
> lilstrom at fnal.gov
>
>
> ________________________________________
> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Gus Lou
> via midPoint <midpoint at lists.evolveum.com>
> Sent: Monday, December 14, 2020 7:00 AM
> To: midPoint General Discussion
> Cc: Gus Lou
> Subject: Re: [midPoint] Synchronization Trouble - Active Directory to MP
>
> Hi Ivan
>
> I'm checking the permissions again. I assigned full control permission at
> the domain level to the midPoint bind account in Active Directory and
> enabled inheritance for all objects. I also assigned it Domain Admin
> permission. I know that both permissions are not necessary and not
> recommended as they are highly permissive, but it was the way I found to
> try to eliminate possible permission errors.
> But unfortunately the problems persist.
> I will continue to investigate.
>
> Regards
>
> Gus
>
>
> On Mon, 14 Dec 2020 at 09:49, Ivan Noris via midPoint <
> midpoint at lists.evolveum.com> wrote:
>
> Hi Gus,
>
> It seems to be a permission problem in your AD.
>
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
>
>
> Best regards,
>
> Ivan
>
> On 12. 12. 2020 18:38, Gus Lou via midPoint wrote:
> Hi Richard
> I checked the permissions of the midPoint account in AD again and it is
> in accordance with the guidelines in the link below:
> Active Directory with LDAP connector - midPoint - Evolveum Confluence
> <https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector>
>
> I applied permissions at the domain level xyz.net
>
> Here is part of the midPoint log:
>
> ----------------------------------------------------------------------------------------------------------------
> 2020-12-11 16:53:22,996 [] [Thread-327] ERROR
> (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null
> msg:LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> 2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] WARN
> (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId
> exception (might be handled by upper layers later)
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException
> in connector:a0c5bb85-f4f0-4954-af1d-17ec4f27233e(ConnId
> com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.1):
> ConnectorSpec(resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa Active
> Directory (LDAP)), name=null, oid=a0c5bb85-f4f0-4954-af1d-17ec4f27233e):
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50), reason: LDAP error during DirSync search: insufficientAccessRights:
> 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data
> 0, v3839? (50) (class
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException)
> 2020-12-11 16:53:22,997 [PROVISIONING] [midPointScheduler_Worker-2] ERROR
> (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Got
> unexpected exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> com.evolveum.midpoint.util.exception.SystemException: Got unexpected
> exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> at
> com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
> at
> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
> at
> com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
> at
> com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
> at
> com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
> at
> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
> Caused by:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> at
> com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
> at com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
> at
> com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
> at
> com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
> at
> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
> at com.sun.proxy.$Proxy249.sync(Unknown Source)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
> at com.sun.proxy.$Proxy249.sync(Unknown Source)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
> 2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] ERROR
> (com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler): Live Sync:
> Unspecified error: Got unexpected exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> com.evolveum.midpoint.util.exception.SystemException: Got unexpected
> exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> at
> com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
> at
> com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
> at
> com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
> at
> com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
> at
> com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
> at
> com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
> at
> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
> Caused by:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
> LDAP error during DirSync search: insufficientAccessRights: 00002105:
> LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839?
> (50)
> at
> com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
> at com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
> at
> com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
> at
> com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
> at
> org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
> at com.sun.proxy.$Proxy249.sync(Unknown Source)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
> at com.sun.proxy.$Proxy249.sync(Unknown Source)
> at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at
> org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
> 2020-12-11 16:53:23,015 [] [midPointScheduler_Worker-2] INFO
> (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Task
> encountered permanent error, suspending the task. Task =
> Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups),
> oid:36d98518-9db1-49ce-a4d7-75be1047bac6)
> 2020-12-11 16:53:23,015 [TASK_MANAGER] [midPointScheduler_Worker-2] INFO
> (com.evolveum.midpoint.task.quartzimpl.TaskManagerQuartzImpl): Suspending
> tasks [Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups),
> oid:36d98518-9db1-49ce-a4d7-75be1047bac6)]; do not stop tasks.
>
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Best Regards
>
> Gus
>
>
>
> On Fri, 11 Dec 2020 at 20:22, Richard Richter via midPoint <
> midpoint at lists.evolveum.com> wrote:
> Hello
>
> I have no idea why this happens, just looking at the message, it seems to
> come from java.util.Base64.decode(...) call, it is in the code and probably
> some Base64 encoded string is not correct.
> It always helps if you can provide also a stacktrace, part of the log or
> something. If it's easy to answer without it, it doesn't hurt. Here, I have
> no idea where the call originates from.
>
> Regards
>
> Richard Richter
> midPoint developer
>
> ________________________________
> From: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Cc: "Gus Lou" <gugalou38 at gmail.com>
> Sent: Friday, December 11, 2020 11:44:56 PM
> Subject: [midPoint] Synchronization Trouble - Active Directory to MP
>
> Hi Guys
>
> I need to import groups, users and their existing access from
> Active Directory into midPoint (MP version 4.2, AdLdapConnector 3.1)
>
> To achieve this goal, I did the following:
>
> 1-I imported the Active Directory resource template from the address below:
>
> https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/ad-ldap-medusa-medium.xml
>
> 2-I created two synchronization tasks, one for users and one for groups.
>
> When I run the synchronization tasks, I get the following error:
>
> Unspecified error: Got unexpected exception:
> java.lang.IllegalArgumentException: Last unit does not have enough valid
> bits
>
> I have already checked the required permissions following the guidelines
> in the link below:
>
> https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector
>
>
> Does anyone have any ideas to resolve this, or any other documentation that I
> can review?
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
>
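Al Lilianstrom's two points in the thread (the bind account needs the Replicating Directory Changes right for the DirSync search, and the Domain Admins grant should be pulled) as one PowerShell procedure. This is an added example, not code from the thread or from the midPoint project. It assumes the RSAT ActiveDirectory module is available, that it runs as an account allowed to edit the domain head ACL, and that the bind account is named svc-midpoint; the right's GUID is the well-known rightsGuid of DS-Replication-Get-Changes.

```powershell
# Added example (not from the thread or the midPoint project). Grants the midPoint
# bind account the "Replicating Directory Changes" control access right on the
# domain naming context, which the AD LDAP connector's DirSync search requires,
# verifies the ACE, and warns if the account is still a Domain Admin.
Import-Module ActiveDirectory

$bindAccount = 'svc-midpoint'                        # assumed bind account sAMAccountName
$domain      = Get-ADDomain
$domainDN    = $domain.DistinguishedName             # e.g. DC=xyz,DC=net
$netbios     = $domain.NetBIOSName
$ncPath      = "AD:\$domainDN"

# rightsGuid of DS-Replication-Get-Changes ("Replicating Directory Changes").
# Do NOT grant "Replicating Directory Changes All" (1131f6ad-...): DirSync does not
# need it, and together these two rights are what a DCSync of secrets relies on.
$replGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

$sid = (Get-ADUser -Identity $bindAccount).SID
$acl = Get-Acl -Path $ncPath

# Idempotency: only add the ACE if an equivalent Allow ACE is not already present
$alreadyGranted = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq "$netbios\$bindAccount" -and
    $_.ActiveDirectoryRights -eq 'ExtendedRight' -and
    $_.ObjectType -eq $replGetChanges -and
    $_.AccessControlType -eq 'Allow'
}

if (-not $alreadyGranted) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $replGetChanges)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $ncPath -AclObject $acl
}

# Verify: the extended-right ACEs the bind account holds on the domain head.
# Expect exactly one row whose ObjectType is the GUID above.
(Get-Acl -Path $ncPath).Access |
    Where-Object { $_.IdentityReference.Value -eq "$netbios\$bindAccount" -and
                   $_.ActiveDirectoryRights -eq 'ExtendedRight' } |
    Select-Object IdentityReference, ObjectType, AccessControlType, IsInherited

# Least privilege: the bind account must not stay in Domain Admins once the
# live-sync task runs cleanly with only the ACE above.
$da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
      Select-Object -ExpandProperty SamAccountName
if ($da -contains $bindAccount) {
    Write-Warning "$bindAccount is a member of Domain Admins; remove it and rely on the ACE above."
}
```

Run it on a domain controller or a host with RSAT. After the suspended live-sync task is resumed and completes without the insufficientAccessRights error, remove the domain-level Full Control grant and the Domain Admins membership mentioned earlier in the thread; the single extended-right ACE is all the DirSync control needs. Checking the IdentityReference by its DOMAIN\name string avoids a type-coercion mismatch between the SID object and the NTAccount form that Get-Acl reports.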