[midPoint] AD LDAP connector question

John Kamminga jkamminga at ucmerced.edu
Thu Mar 12 22:54:06 CET 2020


Thanks Colin, yes it was in the synchronization.

I changed the Correlation from:
    <correlation>
        <q:equal>
            <q:path>c:name</q:path>
            <expression>
                <path>$shadow/attributes/sAMAccountName</path>
            </expression>
        </q:equal>
    </correlation>
To:
    <correlation>
        <q:equal>
            <q:path>c:name</q:path>
            <expression xmlns="">
                <path>declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
                      $account/attributes/ri:cn
                </path>
            </expression>
        </q:equal>
    </correlation>

Now midPoint is updating AD again! And it's creating new accounts in AD with the random pwd, woohoo!
Next I will work on the userAccountControl attribute.

Thanks,

John Kamminga
Identity Management Architect
University of California Merced, Office of Information Technology
jkamminga at ucmerced.edu | it.ucmerced.edu <http://it.ucmerced.edu/> | 209.205.0372
Facebook <https://www.facebook.com/UCMercedITdep/> | Twitter <https://twitter.com/ucmit> | LinkedIn <https://www.linkedin.com/company/uc-merced>
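Before switching an equality correlation rule on against a live directory it is worth dry-running it over the real account data, because a correlation key that is not unique under the base context links several accounts to one user, and a key that matches nobody leaves the account unmatched. The script below is an added example, not code from this thread or from midPoint: it emulates the rule `<q:equal><q:path>c:name</q:path> ... $account/attributes/ri:cn` on constructed sample entries (not the poster's data) and reports, for each account, whether it would link, be ambiguous, or stay unmatched. It assumes AD string attributes compare case-insensitively, and it illustrates one caveat of correlating on `cn`: AD only requires `cn` to be unique inside its parent container, while `sAMAccountName` is unique across the domain, so the same rule gives different results with the two attributes.

```python
"""Dry-run an equality correlation rule over a set of AD account entries.

Added example (not midPoint or connector code). An account belongs to the
user whose `name` equals the chosen account attribute; the output shows which
accounts would link cleanly and which need data clean-up first.
"""
from collections import defaultdict

# Constructed sample data, not real directory content. Each dict is the
# attribute subset midPoint would see on the account shadow.
USERS = ["cerri", "jdoe", "backup"]            # midPoint user `name` values
ACCOUNTS = [
    {"dn": "CN=cerri,OU=people,DC=test,DC=edu",
     "cn": "cerri", "sAMAccountName": "cerri"},
    {"dn": "CN=jdoe,OU=people,DC=test,DC=edu",
     "cn": "jdoe", "sAMAccountName": "jdoe"},
    # Same RDN in a child OU. AD only requires cn to be unique inside its
    # parent container, so this is legal, but it makes cn ambiguous for a
    # correlation over the whole OU=people subtree.
    {"dn": "CN=jdoe,OU=contractors,OU=people,DC=test,DC=edu",
     "cn": "jdoe", "sAMAccountName": "jdoe.ctr"},
    {"dn": "CN=Backup Service,OU=people,DC=test,DC=edu",
     "cn": "Backup Service", "sAMAccountName": "backup"},
]


def key_of(account, attr):
    """Correlation key of one account; AD string attributes compare
    case-insensitively (assumption stated in the lead-in)."""
    value = account.get(attr)
    return value.lower() if value is not None else None


def classify(users, accounts, attr):
    """Return {dn: (situation, owner)} where situation is
    'linked'    - exactly one account carries this key and a user has that name,
    'ambiguous' - several accounts share the key, so one user would get them all,
    'unmatched' - no user has a name equal to the key."""
    owners = {u.lower(): u for u in users}
    holders = defaultdict(list)                 # key -> DNs that carry it
    for acct in accounts:
        holders[key_of(acct, attr)].append(acct["dn"])

    result = {}
    for acct in accounts:
        key = key_of(acct, attr)
        owner = owners.get(key) if key is not None else None
        if owner is None:
            result[acct["dn"]] = ("unmatched", None)
        elif len(holders[key]) > 1:
            result[acct["dn"]] = ("ambiguous", owner)
        else:
            result[acct["dn"]] = ("linked", owner)
    return result


def summary(users, accounts, attr):
    """Count accounts per situation for a given correlation attribute."""
    counts = {"linked": 0, "ambiguous": 0, "unmatched": 0}
    for situation, _ in classify(users, accounts, attr).values():
        counts[situation] += 1
    return counts


if __name__ == "__main__":
    for attr in ("cn", "sAMAccountName"):
        print(attr, summary(USERS, ACCOUNTS, attr))
        for dn, (situation, owner) in classify(USERS, ACCOUNTS, attr).items():
            print("   ", situation.ljust(9), owner, dn)
```

On the sample data, correlating on `cn` links one account, flags the two `jdoe` entries as ambiguous and leaves the service account unmatched; correlating on `sAMAccountName` links three and leaves only the contractor account unmatched. Run the same classification over an export of the real base context before enabling the synchronization reaction that links or creates users.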

From: John Kamminga
Sent: Monday, March 9, 2020 11:14 PM
To: midpoint at lists.evolveum.com
Subject: AD LDAP connector question

We are a member of InCommon and are in the process of setting up midPoint for our Identity Registry and user provisioning to LDAP and Active Directory. We have LDAP working but I'm having an issue with Active Directory. We were using the AdLdapConnector 2.0 connector but were having problems syncing the password and the userAccountControl attribute. After looking at this page: https://wiki.evolveum.com/pages/viewpage.action?pageId=22741393 I see that those issues may be fixed, so I upgraded to AdLdapConnector 2.3. The good news is the password seems to be syncing fine and midPoint can create a new user in AD; however, now it can't update any of the other attributes.

If I try to update a user attribute directly in the GUI on the Resource page, here is the error that I get:

Operation: Save account (Gui)
Message: Couldn't save account.
Error: Object to modify not found: org.identityconnectors.framework.common.exceptions.UnknownUidException(Entry for GUID cn=cerri,ou=people,dc=test,dc=edu was not found)

Operation: Modify object (Provisioning)
Message: Object to modify not found: org.identityconnectors.framework.common.exceptions.UnknownUidException(Entry for GUID cn=cerri,ou=people,dc=test,dc=edu was not found)
Parameters:
    options: [ProvisioningOperationOptions((empty))]
    oid: [ff2cc3fd-142a-4c8b-8631-c6d2a7faf152]
    scripts: [com.evolveum.midpoint.xml.ns._public.common.common_3.OperationProvisioningScriptsType at 3131a937[script=<null>]]
    modifications: [PropertyDelta(attributes / {.../resource/instance-3}givenName, REPLACE), PropertyDelta(metadata / {.../common/common-3}modifyChannel, REPLACE), PropertyDelta(metadata / {.../common/common-3}modifyTimestamp, REPLACE), ReferenceDelta(metadata / {.../common/common-3}modifierRef, REPLACE), ReferenceDelta(metadata / {.../common/common-3}modifyTaskRef, REPLACE), ReferenceDelta(metadata / {.../common/common-3}modifyApproverRef, REPLACE), PropertyDelta(metadata / {.../common/common-3}modifyApprovalComment, REPLACE)]
Context:
    implementationClass: [class com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl]
Error: Object to modify not found: org.identityconnectors.framework.common.exceptions.UnknownUidException(Entry for GUID cn=cerri,ou=people,dc=test,dc=edu was not found)


I'm using the same configuration that I was in the 2.0 connector.
        <connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
            <icfc:resultsHandlerConfiguration>
                <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
                <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
                <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
            </icfc:resultsHandlerConfiguration>
            <icfc:configurationProperties xmlns:gen880="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector">
                <gen880:host>addc01.test.edu</gen880:host>
                <gen880:port>636</gen880:port>
                <gen880:connectionSecurity>ssl</gen880:connectionSecurity>
                <gen880:authenticationType>simple</gen880:authenticationType>
                <gen880:bindDn>***DC=test,DC=edu</gen880:bindDn>
                <gen880:bindPassword>
                    <!-- encrypted value (t:encryptedData) omitted from the post -->
                </gen880:bindPassword>
                <gen880:baseContext>OU=people,dc=test,dc=edu</gen880:baseContext>
                <gen880:passwordAttribute>userPassword</gen880:passwordAttribute>
                <gen880:pagingStrategy>auto</gen880:pagingStrategy>
                <gen880:uidAttribute>dn</gen880:uidAttribute>
                <gen880:readSchema>true</gen880:readSchema>
                <gen880:objectClassesToSynchronize>user</gen880:objectClassesToSynchronize>
                <gen880:objectClassesToSynchronize>account</gen880:objectClassesToSynchronize>
                <gen880:objectClassesToSynchronize>inetOrgPerson</gen880:objectClassesToSynchronize>
                <gen880:attributesToSynchronize>dn</gen880:attributesToSynchronize>
                <gen880:attributesToSynchronize>cn</gen880:attributesToSynchronize>
                <gen880:attributesToSynchronize>sAMAccountName</gen880:attributesToSynchronize>
                <gen880:attributesToSynchronize>sn</gen880:attributesToSynchronize>
                <gen880:attributesToSynchronize>givenName</gen880:attributesToSynchronize>
                <gen880:rawUserAccountControlAttribute>true</gen880:rawUserAccountControlAttribute>
            </icfc:configurationProperties>
        </connectorConfiguration>


If I run an import sync that would update the same attribute in AD, I get about the same error, and it disconnects the AD Resource from the user.

SystemException: Object to modify not found: org.identityconnectors.framework.common.exceptions.UnknownUidException(Entry for GUID CN=cerri,OU=people,DC=test,DC=edu was not found)


Do I need to use a different configuration for the AdLdapConnector 2.3?

Thanks,
John Kamminga
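The configuration above sets `rawUserAccountControlAttribute` to `true`, so the connector hands midPoint the `userAccountControl` integer as-is, and the follow-up work mentioned in the thread (driving that attribute from midPoint) comes down to bit arithmetic: an enable/disable mapping must flip only the ACCOUNTDISABLE bit and preserve every other flag already on the object. The block below is an added example, not midPoint or connector code; the flag values are the documented AD `userAccountControl` bits, the sample values are constructed, and the list of risky flags is my own selection. It decodes a raw value, computes the enabled/disabled transition without clobbering other bits, and flags settings that weaken authentication (no password required, reversible encryption, DES keys, no Kerberos pre-authentication, unconstrained delegation), which a provisioning mapping should never set implicitly and which are worth alerting on when read from the directory.

```python
"""Decode and safely modify Active Directory userAccountControl values.

Added example (not midPoint or connector code). With
rawUserAccountControlAttribute=true the attribute arrives as a raw integer,
so any outbound mapping has to do a read-modify-write on individual bits.
"""

# Documented bit values of the AD userAccountControl attribute.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}

# My selection of flags that weaken authentication for the account.
RISKY_FLAGS = (
    "PASSWD_NOTREQD",               # empty password accepted
    "ENCRYPTED_TEXT_PWD_ALLOWED",   # password stored with reversible encryption
    "USE_DES_KEY_ONLY",             # DES-only Kerberos keys
    "DONT_REQ_PREAUTH",             # no Kerberos pre-authentication
    "TRUSTED_FOR_DELEGATION",       # unconstrained delegation
)


def decode_uac(value):
    """Names of the flags set in `value`, ordered by bit position."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
            if value & bit]


def is_enabled(value):
    """An account is enabled when ACCOUNTDISABLE (0x2) is clear."""
    return not value & UAC_FLAGS["ACCOUNTDISABLE"]


def set_enabled(value, enabled):
    """Return the new raw value with only the ACCOUNTDISABLE bit changed.
    This is what an outbound mapping should compute from the current
    attribute value rather than writing a fixed 512 or 514."""
    bit = UAC_FLAGS["ACCOUNTDISABLE"]
    return value & ~bit if enabled else value | bit


def risky_flags(value):
    """Subset of RISKY_FLAGS present in `value`."""
    return [name for name in RISKY_FLAGS if value & UAC_FLAGS[name]]


if __name__ == "__main__":
    # Constructed sample values: normal user, disabled user, password never
    # expires, password not required, and no pre-auth required.
    for raw in ("512", "514", "66048", "544", "4260352"):
        value = int(raw)      # the connector delivers the attribute as a string
        print(raw, decode_uac(value),
              "enabled" if is_enabled(value) else "disabled",
              risky_flags(value))
```

One practical caveat from AD itself: a newly created user has no password that satisfies the domain policy, and the directory refuses to clear ACCOUNTDISABLE on it, so the usual order is create disabled (514), set the password, then write the value `set_enabled(current, True)` returns.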
