[midPoint] Synchronization Trouble - Active Directory to MP

Al Lilianstrom lilstrom at fnal.gov
Mon Dec 14 20:21:11 CET 2020


Check your paging settings

AD defaults to 1000 for a page size so make sure you're set to that or less

I found that

pagingStrategy spr
pagingBlockSize 500

worked in my domain with ~7000 users in a single OU


--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov


________________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Gus Lou via midPoint <midpoint at lists.evolveum.com>
Sent: Monday, December 14, 2020 1:06 PM
To: midPoint General Discussion
Cc: Gus Lou
Subject: Re: [midPoint] Synchronization Trouble - Active Directory to MP

Sorry

PS:
The group synchronization task is now running and did not show any errors.

The task of synchronizing users continues to show errors.

Regards

Gus


On Mon, Dec 14, 2020 at 16:03, Gus Lou <gugalou38 at gmail.com> wrote:
Hi Al Lilianstrom
I changed baseContext from "OU=Funcionarios,OU=Usuarios,DC=xyz,DC=net" to "DC=xyz,DC=net"

The task of synchronizing users continues to show errors.
I'm still investigating, but at least one item has evolved.
Thanks for the tip about baseContext

Regards

Gus


On Mon, Dec 14, 2020 at 14:03, Al Lilianstrom via midPoint <midpoint at lists.evolveum.com> wrote:
My test environment is midPoint 4.2 and Windows Server 2016

AD sync account is non DA and granted Directory sync access at the root of the domain.

One issue I had in getting sync to work properly was to set the baseContext for the AD connector to the root of the domain. I had set it originally to the OU I was trying to restrict my testing to and that prevented sync from working.

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov


________________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Gus Lou via midPoint <midpoint at lists.evolveum.com>
Sent: Monday, December 14, 2020 10:51 AM
To: midPoint General Discussion
Cc: Gus Lou
Subject: Re: [midPoint] Synchronization Trouble - Active Directory to MP



My Active Directory is running on Windows Server 2016, does anyone run this version with Midpoint 4.1 or 4.2?

Regards

Gus

On Mon, Dec 14, 2020 at 10:37, Al Lilianstrom via midPoint <midpoint at lists.evolveum.com> wrote:
Also

Check your System and Directory Service event logs on the Domain Controllers. There might be a hint there as to the problem.


--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov


________________________________________
From: Al Lilianstrom <lilstrom at fnal.gov>
Sent: Monday, December 14, 2020 7:19 AM
To: midPoint General Discussion
Subject: Re: [midPoint] Synchronization Trouble - Active Directory to MP


Gus,

Please pull the DA permissions as soon as you can

Replicating directory changes is necessary. Check for that.

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov


________________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Gus Lou via midPoint <midpoint at lists.evolveum.com>
Sent: Monday, December 14, 2020 7:00 AM
To: midPoint General Discussion
Cc: Gus Lou
Subject: Re: [midPoint] Synchronization Trouble - Active Directory to MP

Hi Ivan

I'm checking the permissions again. I assigned full control permission at the domain level to the midpoint bind account in the active directory and enabled inheritance for all objects. It also assigns domain admin permission as well. I know that both permissions are not necessary and not recommended as they are highly permissive, but it was the way I found to try to eliminate possible permission errors.
But unfortunately the problems persist.
I will continue to investigate.

Regards

Gus


On Mon, Dec 14, 2020 at 09:49, Ivan Noris via midPoint <midpoint at lists.evolveum.com> wrote:

Hi Gus,

seems to be permission problem in your AD.

LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)


Best regards,

Ivan

On 12. 12. 2020 18:38, Gus Lou via midPoint wrote:
Hi Richard
I checked the permissions of the midpoint account in AD again and it is in accordance with the guidelines in the link below:
Active Directory with LDAP connector - midPoint - Evolveum Confluence <https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector>

I applied permissions at the domain level xyz.net

Here is part of the midpoint log:
----------------------------------------------------------------------------------------------------------------
2020-12-11 16:53:22,996 [] [Thread-327] ERROR (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null msg:LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] WARN (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId exception (might be handled by upper layers later) org.identityconnectors.framework.common.exceptions.PermissionDeniedException in connector:a0c5bb85-f4f0-4954-af1d-17ec4f27233e(ConnId com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.1): ConnectorSpec(resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa Active Directory (LDAP)), name=null, oid=a0c5bb85-f4f0-4954-af1d-17ec4f27233e): LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50), reason: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50) (class org.identityconnectors.framework.common.exceptions.PermissionDeniedException)
2020-12-11 16:53:22,997 [PROVISIONING] [midPointScheduler_Worker-2] ERROR (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
com.evolveum.midpoint.util.exception.SystemException: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
at com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
at com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
at com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
at com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
Caused by: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
at com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
at com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
at com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
at org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
at com.sun.proxy.$Proxy249.sync(Unknown Source)
at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
at com.sun.proxy.$Proxy249.sync(Unknown Source)
at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
2020-12-11 16:53:22,997 [] [midPointScheduler_Worker-2] ERROR (com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler): Live Sync: Unspecified error: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
com.evolveum.midpoint.util.exception.SystemException: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)
at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)
at com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)
at com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)
at com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)
at com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
Caused by: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
at com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)
at com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
at com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)
at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)
at org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)
at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
at com.sun.proxy.$Proxy249.sync(Unknown Source)
at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
at com.sun.proxy.$Proxy249.sync(Unknown Source)
at jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)
2020-12-11 16:53:23,015 [] [midPointScheduler_Worker-2] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Task encountered permanent error, suspending the task. Task = Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups), oid:36d98518-9db1-49ce-a4d7-75be1047bac6)
2020-12-11 16:53:23,015 [TASK_MANAGER] [midPointScheduler_Worker-2] INFO (com.evolveum.midpoint.task.quartzimpl.TaskManagerQuartzImpl): Suspending tasks [Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups), oid:36d98518-9db1-49ce-a4d7-75be1047bac6)]; do not stop tasks.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Best Regards

Gus



On Fri, Dec 11, 2020 at 20:22, Richard Richter via midPoint <midpoint at lists.evolveum.com> wrote:
Hello

I have no idea why this happens, just looking at the message, it seems to come from java.util.Base64.decode(...) call, it is in the code and probably some Base64 encoded string is not correct.
It always helps if you can provide also a stacktrace, part of the log or something. If it's easy to answer without it, it doesn't hurt. Here, I have no idea where the call originates from.

Regards

Richard Richter
midPoint developer

________________________________
From: "midPoint General Discussion" <midpoint at lists.evolveum.com>
To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
Cc: "Gus Lou" <gugalou38 at gmail.com>
Sent: Friday, December 11, 2020 11:44:56 PM
Subject: [midPoint] Synchronization Trouble - Active Directory to MP

Hi Guys

I need to import groups, users and their existing access from Active Directory to Midpoint (MP version 4.2, ADLdapConnector 3.1)

To achieve this goal, I did the following:

1 - I imported the active directory resource template from the address below:
https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/ad-ldap-medusa-medium.xml

2 - I created two synchronization tasks, one for users and one for groups.

When I run the synchronization tasks, I get the following error:

Unspecified error: Got unexpected exception: java.lang.IllegalArgumentException: Last unit does not have enough valid bits

I have already checked the required permissions following the guidelines in the link below:
https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector


Does anyone have any ideas to resolve this, or any other documentation that I can review?


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint


--
Ivan Noris
Senior Identity Engineer
evolveum.com




More information about the midPoint mailing list
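
An added triage example, not part of the original thread and not midPoint or connector code: it extracts the LDAP result from connector log lines shaped like the excerpt quoted in the thread and checks the connector settings the replies discuss (baseContext at the domain root, pagingBlockSize no larger than AD's default page size of 1000). The function names, the settings dictionary and the sample values are constructed for illustration.

```python
import re

# Constructed sample: two log lines in the shape of the excerpt quoted in the thread.
SAMPLE_LOG = """\
2020-12-11 16:53:22,996 [] [Thread-327] ERROR (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null msg:LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
2020-12-11 16:53:23,015 [] [midPointScheduler_Worker-2] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Task encountered permanent error, suspending the task.
"""

# Constructed sample settings, using the values mentioned in the thread.
SAMPLE_SETTINGS = {
    "baseContext": "OU=Funcionarios,OU=Usuarios,DC=xyz,DC=net",
    "pagingStrategy": "spr",
    "pagingBlockSize": "500",
}

# "LDAP error during <operation>: <resultName>: <server diagnostic> (<resultCode>)"
LDAP_ERR = re.compile(
    r"LDAP error during (?P<op>[\w ]+?): (?P<name>\w+): (?P<diag>.*?) \((?P<code>\d+)\)"
)
DSID = re.compile(r"DSID-[0-9A-Fa-f]{8}")
AD_DEFAULT_PAGE_SIZE = 1000  # AD default page size, as stated in the thread


def ldap_errors(log_text):
    """Return the distinct LDAP errors in a log, in first-seen order.

    The same error is logged several times (ERROR, WARN, 'Caused by'),
    so results are de-duplicated on (operation, result, code, DSID).
    """
    seen, out = set(), []
    for line in log_text.splitlines():
        for m in LDAP_ERR.finditer(line):
            dsid = DSID.search(m["diag"])
            key = (m["op"], m["name"], int(m["code"]),
                   dsid.group(0) if dsid else None)
            if key not in seen:
                seen.add(key)
                out.append({"operation": key[0], "result": key[1],
                            "code": key[2], "dsid": key[3]})
    return out


def is_domain_root(dn):
    """True when every RDN of the DN is a DC= component (e.g. DC=xyz,DC=net)."""
    rdns = [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]
    return bool(rdns) and all(p.upper().startswith("DC=") for p in rdns)


def review_settings(settings):
    """Check connector settings against the advice given in the thread."""
    findings = []
    if not is_domain_root(settings.get("baseContext", "")):
        findings.append("baseContext is not the domain root; the thread "
                        "reports sync not working until it was set to the root")
    if "pagingBlockSize" in settings:
        if int(settings["pagingBlockSize"]) > AD_DEFAULT_PAGE_SIZE:
            findings.append("pagingBlockSize exceeds the AD default page "
                            "size of 1000; set it to that or less")
    return findings


def triage(log_text, settings):
    """Combine the settings review with hints derived from logged LDAP errors."""
    findings = review_settings(settings)
    for err in ldap_errors(log_text):
        if err["code"] == 50 and "DirSync" in err["operation"]:
            findings.append("DirSync search denied (insufficientAccessRights, "
                            "50): check that the bind account has Replicating "
                            "Directory Changes at the domain root; Domain "
                            "Admins membership is not required for it")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_SETTINGS):
        print("-", finding)
```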