[midPoint] AD LDAP connector question

John Kamminga jkamminga at ucmerced.edu
Tue Mar 10 07:14:25 CET 2020


We are a member of InCommon and are in the process of setting up midPoint for our Identity Registry and user provisioning to LDAP and Active Directory. We have LDAP working but I'm having an issue with Active Directory. We were using the AdLdapConnector 2.0 connector but were having problems syncing the password and the userAccountControl attribute. After looking at this page: https://wiki.evolveum.com/pages/viewpage.action?pageId=22741393 I see that those issues may be fixed, so I upgraded to AdLdapConnector 2.3. The good news is the password seems to be syncing fine and midPoint can create a new user in AD; however, now it can't update any of the other attributes.

If I try to update a user attribute directly in the GUI on the Resource page, here is the error that I get:

Operation
Save account (Gui)
Message
Couldn't save account.

Error
Object to modify not found: org.identityconnectors.framework.common.exceptions.UnknownUidException(Entry for GUID cn=cerri,ou=people,dc=test,dc=edu was not found)


Operation
Modify object (Provisioning)
Message
Object to modify not found: org.identityconnectors.framework.common.exceptions.UnknownUidException(Entry for GUID cn=cerri,ou=people,dc=test,dc=edu was not found)
Parameters
options
[ProvisioningOperationOptions((empty))]
oid
[ff2cc3fd-142a-4c8b-8631-c6d2a7faf152]
scripts
[com.evolveum.midpoint.xml.ns._public.common.common_3.OperationProvisioningScriptsType at 3131a937[script=<null>]]
modifications
[PropertyDelta(attributes / {.../resource/instance-3}givenName, REPLACE), PropertyDelta(metadata / {.../common/common-3}modifyChannel, REPLACE), PropertyDelta(metadata / {.../common/common-3}modifyTimestamp, REPLACE), ReferenceDelta(metadata / {.../common/common-3}modifierRef, REPLACE), ReferenceDelta(metadata / {.../common/common-3}modifyTaskRef, REPLACE), ReferenceDelta(metadata / {.../common/common-3}modifyApproverRef, REPLACE), PropertyDelta(metadata / {.../common/common-3}modifyApprovalComment, REPLACE)]
Context
implementationClass
[class com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl]
Error
Object to modify not found: org.identityconnectors.framework.common.exceptions.UnknownUidException(Entry for GUID cn=cerri,ou=people,dc=test,dc=edu was not found)


I'm using the same configuration that I was using with the 2.0 connector.
        <connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
            <icfc:resultsHandlerConfiguration>
                <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
                <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
                <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
            </icfc:resultsHandlerConfiguration>
            <icfc:configurationProperties xmlns:gen880="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector">
                <gen880:host>addc01.test.edu</gen880:host>
                <gen880:port>636</gen880:port>
                <gen880:connectionSecurity>ssl</gen880:connectionSecurity>
                <gen880:authenticationType>simple</gen880:authenticationType>
                <gen880:bindDn>***DC=test,DC=edu</gen880:bindDn>
                <gen880:bindPassword>
                    <!-- encrypted value elided in the archived message -->
                </gen880:bindPassword>
                <gen880:baseContext>OU=people,dc=test,dc=edu</gen880:baseContext>
                <gen880:passwordAttribute>userPassword</gen880:passwordAttribute>
                <gen880:pagingStrategy>auto</gen880:pagingStrategy>
                <gen880:uidAttribute>dn</gen880:uidAttribute>
                <gen880:readSchema>true</gen880:readSchema>
                <gen880:objectClassesToSynchronize>user</gen880:objectClassesToSynchronize>
                <gen880:objectClassesToSynchronize>account</gen880:objectClassesToSynchronize>
                <gen880:objectClassesToSynchronize>inetOrgPerson</gen880:objectClassesToSynchronize>
                <gen880:attributesToSynchronize>dn</gen880:attributesToSynchronize>
                <gen880:attributesToSynchronize>cn</gen880:attributesToSynchronize>
                <gen880:attributesToSynchronize>sAMAccountName</gen880:attributesToSynchronize>
                <gen880:attributesToSynchronize>sn</gen880:attributesToSynchronize>
                <gen880:attributesToSynchronize>givenName</gen880:attributesToSynchronize>
                <gen880:rawUserAccountControlAttribute>true</gen880:rawUserAccountControlAttribute>
            </icfc:configurationProperties>
        </connectorConfiguration>


If I run an import sync that would update the same attribute in AD, I get about the same error, and it disconnects the AD Resource from the user.

SystemException: Object to modify not found: org.identityconnectors.framework.common.exceptions.UnknownUidException(Entry for GUID CN=cerri,OU=people,DC=test,DC=edu was not found)


Do I need to use a different configuration for the AdLdapConnector 2.3?

Thanks,
John Kamminga
Identity Management Architect
University of California Merced, Office of Information Technology
jkamminga at ucmerced.edu | it.ucmerced.edu <http://it.ucmerced.edu/> | 209.205.0372
Facebook <https://www.facebook.com/UCMercedITdep/> | Twitter <https://twitter.com/ucmit> | Linkedin <https://www.linkedin.com/company/uc-merced>
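A small diagnostic, added here as an example and not part of John's message or of the midPoint project: it pulls the identifier out of the UnknownUidException text quoted above, checks whether that value is shaped like a GUID or like a DN, and reads uidAttribute from the posted connector configuration (trimmed to the relevant properties; host, prefix and namespace are taken from the post). The regexes and the "mismatch" verdict are this example's own assumptions, not something the connector reports.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the exception text and a trimmed copy of the
# connector configuration, both taken from the mailing-list message above.
SAMPLE_ERROR = (
    "Object to modify not found: org.identityconnectors.framework.common."
    "exceptions.UnknownUidException(Entry for GUID "
    "cn=cerri,ou=people,dc=test,dc=edu was not found)"
)
SAMPLE_CONFIG = """<connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
  <icfc:configurationProperties xmlns:gen880="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector">
    <gen880:host>addc01.test.edu</gen880:host>
    <gen880:uidAttribute>dn</gen880:uidAttribute>
  </icfc:configurationProperties>
</connectorConfiguration>"""

GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(?:,[A-Za-z][\w-]*=[^,]+)*$")
ERR_RE = re.compile(r"UnknownUidException\(Entry for (\w+) (.+?) was not found\)")

def classify_identifier(value):
    """Say whether a ConnId UID value looks like a GUID, a DN, or neither."""
    if GUID_RE.match(value):
        return "guid"
    if DN_RE.match(value):
        return "dn"
    return "unknown"

def parse_unknown_uid(message):
    """Return (lookup kind, identifier) parsed from the exception message."""
    m = ERR_RE.search(message)
    return (m.group(1).lower(), m.group(2)) if m else (None, None)

def uid_attribute(config_xml):
    """Read uidAttribute from a connectorConfiguration, whatever its prefix."""
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "uidAttribute":
            return (el.text or "").strip()
    return None

def diagnose(message, config_xml):
    """Compare how the connector looked the entry up with the value it used."""
    lookup, ident = parse_unknown_uid(message)
    attr = uid_attribute(config_xml)
    kind = classify_identifier(ident) if ident else "unknown"
    return {"uid_attribute": attr, "lookup_kind": lookup, "identifier": ident,
            "identifier_kind": kind, "mismatch": bool(lookup) and lookup != kind}

RESULT = diagnose(SAMPLE_ERROR, SAMPLE_CONFIG)  # lookup by GUID, value is a DN
print(RESULT)
```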
