[midPoint] AD LDAP connector question

Colin Foley caf209 at lehigh.edu
Tue Mar 10 14:54:28 CET 2020


Hi John,

What does your <synchronization> section of your resource definition look
like? The error you're receiving makes me think that the midPoint account
is not linked to your AD resource's shadow (if that's even possible, since
you said some of it is actually syncing).

On Tue, Mar 10, 2020 at 2:14 AM John Kamminga <jkamminga at ucmerced.edu>
wrote:

> We are a member of InCommon and are in the process of setting up midPoint
> for our Identity Registry and user provisioning to LDAP and Active
> Directory. We have LDAP working but I’m having an issue with Active
> Directory. We were using the AdLdapConnector 2.0 connector but were
> having problems syncing the password and the userAccountControl attribute.
> After looking at this page:
> https://wiki.evolveum.com/pages/viewpage.action?pageId=22741393 I see
> that those issues may be fixed, so I upgraded to AdLdapConnector 2.3. The
> good news is the password seems to be syncing fine and midPoint can create
> a new user in AD; however, now it can’t update any of the other attributes.
>
> If I try and update a user Attribute directly in the GUI on the Resource
> page here is the error that I get:
>
> *Operation*
> *Save account (Gui)*
>
> *Message*
> Couldn't save account.
>
> *Error*
> Object to modify not found:
> org.identityconnectors.framework.common.exceptions.UnknownUidException(Entry
> for GUID cn=cerri,ou=people,dc=test,dc=edu was not found)
>
> *Operation*
> *Modify object (Provisioning)*
>
> *Message*
> Object to modify not found:
> org.identityconnectors.framework.common.exceptions.UnknownUidException(Entry
> for GUID cn=cerri,ou=people,dc=test,dc=edu was not found)
>
> *Parameters*
> *options*
> [ProvisioningOperationOptions((empty))]
> *oid*
> [ff2cc3fd-142a-4c8b-8631-c6d2a7faf152]
> *scripts*
> [com.evolveum.midpoint.xml.ns._public.common.common_3.OperationProvisioningScriptsType at 3131a937
> [script=<null>]]
> *modifications*
> [PropertyDelta(attributes / {.../resource/instance-3}givenName, REPLACE),
> PropertyDelta(metadata / {.../common/common-3}modifyChannel, REPLACE),
> PropertyDelta(metadata / {.../common/common-3}modifyTimestamp, REPLACE),
> ReferenceDelta(metadata / {.../common/common-3}modifierRef, REPLACE),
> ReferenceDelta(metadata / {.../common/common-3}modifyTaskRef, REPLACE),
> ReferenceDelta(metadata / {.../common/common-3}modifyApproverRef, REPLACE),
> PropertyDelta(metadata / {.../common/common-3}modifyApprovalComment,
> REPLACE)]
>
> *Context*
> *implementationClass*
> [class com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl]
>
> *Error*
> Object to modify not found:
> org.identityconnectors.framework.common.exceptions.UnknownUidException(Entry
> for GUID cn=cerri,ou=people,dc=test,dc=edu was not found)
>
> I’m using the same configuration that I was in the 2.0 connector.
>
>     <connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
>         <icfc:resultsHandlerConfiguration>
>             <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
>             <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
>             <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
>         </icfc:resultsHandlerConfiguration>
>         <icfc:configurationProperties xmlns:gen880="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector">
>             <gen880:host>addc01.test.edu</gen880:host>
>             <gen880:port>636</gen880:port>
>             <gen880:connectionSecurity>ssl</gen880:connectionSecurity>
>             <gen880:authenticationType>simple</gen880:authenticationType>
>             <gen880:bindDn>***DC=test,DC=edu</gen880:bindDn>
>             <gen880:bindPassword>
>                 <t:encryptedData><!-- encrypted value omitted from the original message --></t:encryptedData>
>             </gen880:bindPassword>
>             <gen880:baseContext>OU=people,dc=test,dc=edu</gen880:baseContext>
>             <gen880:passwordAttribute>userPassword</gen880:passwordAttribute>
>             <gen880:pagingStrategy>auto</gen880:pagingStrategy>
>             <gen880:uidAttribute>dn</gen880:uidAttribute>
>             <gen880:readSchema>true</gen880:readSchema>
>             <gen880:objectClassesToSynchronize>user</gen880:objectClassesToSynchronize>
>             <gen880:objectClassesToSynchronize>account</gen880:objectClassesToSynchronize>
>             <gen880:objectClassesToSynchronize>inetOrgPerson</gen880:objectClassesToSynchronize>
>             <gen880:attributesToSynchronize>dn</gen880:attributesToSynchronize>
>             <gen880:attributesToSynchronize>cn</gen880:attributesToSynchronize>
>             <gen880:attributesToSynchronize>sAMAccountName</gen880:attributesToSynchronize>
>             <gen880:attributesToSynchronize>sn</gen880:attributesToSynchronize>
>             <gen880:attributesToSynchronize>givenName</gen880:attributesToSynchronize>
>             <gen880:rawUserAccountControlAttribute>true</gen880:rawUserAccountControlAttribute>
>         </icfc:configurationProperties>
>     </connectorConfiguration>
>
> If I run an import sync that would update the same attribute in AD, I get
> about the same error, and it disconnects the AD Resource from the user.
>
> SystemException: Object to modify not found:
> org.identityconnectors.framework.common.exceptions.UnknownUidException(Entry
> for GUID CN=cerri,OU=people,DC=test,DC=edu was not found)
>
> Do I need to use different configuration for the AdLdapConnector 2.3  ?
>
> Thanks,
>
> *John Kamminga*
>
> Identity Management Architect
>
> University of California Merced, Office of Information Technology
>
> jkamminga at ucmerced.edu| it.ucmerced.edu  <http://it.ucmerced.edu/>
> | 209.205.0372
>


-- 
Colin A Foley, CISSP
Information Security Architect
(610) 758-3072
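For readers following the question above about the resource's <synchronization> section: the fragment below is an illustrative example added here, not configuration from this thread or from midPoint's own sample resources. It assumes the AD object class is ri:user, that accounts are correlated to midPoint users by sAMAccountName against the user's name, and the usual midPoint prefixes (ri = resource instance, q = query, c = common); the linked/unlinked reactions are what decide whether an existing AD entry gets a shadow link or is left orphaned.

```xml
<synchronization>
    <objectSynchronization>
        <name>AD user accounts</name>
        <objectClass>ri:user</objectClass>
        <kind>account</kind>
        <intent>default</intent>
        <focusType>c:UserType</focusType>
        <enabled>true</enabled>
        <!-- Correlation: match the AD sAMAccountName to the midPoint user name
             (assumption: sAMAccountName equals the midPoint login name). -->
        <correlation>
            <q:equal>
                <q:path>c:name</q:path>
                <expression>
                    <path>$account/attributes/ri:sAMAccountName</path>
                </expression>
            </q:equal>
        </correlation>
        <!-- linked: shadow already points at the user; just propagate changes. -->
        <reaction>
            <situation>linked</situation>
            <synchronize>true</synchronize>
        </reaction>
        <!-- unlinked: correlation found a user but no link exists; create it,
             so later modifications resolve against the existing AD entry. -->
        <reaction>
            <situation>unlinked</situation>
            <synchronize>true</synchronize>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
            </action>
        </reaction>
        <!-- unmatched: AD entry with no corresponding user; create the user. -->
        <reaction>
            <situation>unmatched</situation>
            <synchronize>true</synchronize>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
            </action>
        </reaction>
        <!-- deleted: entry vanished from AD; drop the link, keep the user. -->
        <reaction>
            <situation>deleted</situation>
            <synchronize>true</synchronize>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
            </action>
        </reaction>
    </objectSynchronization>
</synchronization>
```

After an import, a user whose AD entry resolved as "unlinked" should show the AD shadow under the user's projections; if it does not, the resource's link reaction or the correlation expression is the first thing to check.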