[midPoint] Error add credential
Щенев Антон Вячеславович
anton.shchenev at beeper.ru
Tue May 26 12:35:35 CEST 2020
Hi Ivan, Davy,
Thanks for your reply.
I'm trying SSL (port 636). Before that I got the server certificate (openssl: openssl s_client -connect server.mydomain.com:636) and imported it (keytool -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass changeit -import -alias servercert -trustcacerts -file servercert.pem).
After that I modified the ExecStart directive in the midpoint.service file and restarted midPoint.
ExecStart=/usr/bin/java -Xmx12288m -Dmidpoint.home=/opt/midpoint-4.0.1/var -Djavax.net.ssl.trustStore=/opt/midpoint-4.0.1/var/keystore.jceks -Djavax.net.ssl.trustStoreType=jceks -jar /opt/midpoint-4.0.1/lib/midpoint.war
But I'm getting the same error all the time, as if the options (-Djavax.net.ssl.trustStore=/opt/midpoint-4.0.1/var/keystore.jceks -Djavax.net.ssl.trustStoreType=jceks) do not work:
Connection failed: org.identityconnectors.framework.common.exceptions.ConnectionFailedException(Unable to connect to LDAP server.mydomain.com:636: ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Failed to build certification path: unable to find valid certification path to requested target
How can I make sure the option works?
Best regards,
Щенев Антон
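An added diagnostic for the question above (not code from the thread or from midPoint): it parses the quoted ExecStart line and keeps only the -D flags that actually reach the JVM (anything after -jar is an application argument), checks the store type against the file extension, checks that the file the JVM is pointed at exists (the keytool command and ExecStart above name different keystore paths, which this would flag unless one is a symlink), and can attempt an LDAPS handshake trusting only a PEM export of the keystore, reproducing the "unable to find valid certification path" condition outside the JVM. The keytool export command, host and port are assumptions.

```python
"""Checks for a JVM truststore option that seems to be ignored (added example).
Assumptions, not from the thread: midPoint is started by the ExecStart line quoted
above, and for the handshake test the trust anchors are exported to PEM, e.g.
keytool -exportcert -rfc -keystore keystore.jceks -storetype jceks -alias servercert -file servercert.pem
"""
import os
import shlex
import socket
import ssl

# Sample input: the ExecStart line from the message above.
EXECSTART_FROM_THREAD = (
    "ExecStart=/usr/bin/java -Xmx12288m -Dmidpoint.home=/opt/midpoint-4.0.1/var "
    "-Djavax.net.ssl.trustStore=/opt/midpoint-4.0.1/var/keystore.jceks "
    "-Djavax.net.ssl.trustStoreType=jceks -jar /opt/midpoint-4.0.1/lib/midpoint.war"
)
STORE_TYPE_BY_EXT = {"jceks": "jceks", "jks": "jks", "p12": "pkcs12", "pfx": "pkcs12"}


def jvm_system_props(cmdline):
    """Return the -D properties the JVM itself receives from a 'java ... -jar X' line."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok == "-jar":
            break  # everything after '-jar <file>' is an application argument, not a JVM option
        if tok.startswith("-D") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            props[key] = value
    return props

def truststore_findings(props, exists=os.path.isfile):
    """List reasons the truststore may be ignored; an empty list means it looks right."""
    path = props.get("javax.net.ssl.trustStore")
    if path is None:
        return ["javax.net.ssl.trustStore is not a JVM option (missing or placed "
                "after -jar), so the JVM falls back to its default cacerts"]
    findings = []
    if not exists(path):  # also catches pointing the JVM at a different file than keytool wrote
        findings.append(f"truststore file not found: {path}")
    expected = STORE_TYPE_BY_EXT.get(os.path.splitext(path)[1][1:].lower())
    actual = props.get("javax.net.ssl.trustStoreType")
    if expected and (actual or "").lower() != expected:
        findings.append(f"trustStoreType should be {expected} for {path}, got {actual}")
    return findings

def ldaps_handshake(host, port, cafile, timeout=5.0):
    """TLS handshake trusting only `cafile`; None on success, else the failure text."""
    ctx = ssl.create_default_context(cafile=cafile)  # no system CAs, like a JVM with only its truststore
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None  # handshake done: a chain was built to a trusted anchor in cafile
    except (ssl.SSLError, OSError) as exc:
        return str(exc)

if __name__ == "__main__":
    findings = truststore_findings(jvm_system_props(EXECSTART_FROM_THREAD))
    print(findings or "truststore options look correct; next: ldaps_handshake(host, 636, pem)")
```

If the handshake test fails with the same "unable to get local issuer certificate" class of error, the PEM export (and so the keystore) lacks an anchor for the chain the server actually presents; if it succeeds while midPoint still fails, the JVM is not reading that keystore.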
-----Original Message-----
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of midpoint-request at lists.evolveum.com
Sent: Monday, May 25, 2020 4:23 PM
To: midpoint at lists.evolveum.com
Subject: midPoint Digest, Vol 97, Issue 54
Send midPoint mailing list submissions to
midpoint at lists.evolveum.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.evolveum.com/mailman/listinfo/midpoint
or, via email, send a message with subject or body 'help' to
midpoint-request at lists.evolveum.com
You can reach the person managing the list at
midpoint-owner at lists.evolveum.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of midPoint digest..."
Today's Topics:
1. Re: Error add credential (Щенев Антон Вячеславович)
2. Re: Error add credential (Davy Priem)
3. Re: Error add credential (Ivan Noris)
----------------------------------------------------------------------
Message: 1
Date: Mon, 25 May 2020 10:05:42 +0000
From: Щенев Антон Вячеславович
<anton.shchenev at beeper.ru>
To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Error add credential
Message-ID: <651689E53CC19841968296084942E1E849E87158 at ekt-asbt-mxs001.beeper.ru>
Content-Type: text/plain; charset="utf-8"
Hi, Ivan
I apologize for my carelessness, of course I used <outbound> (copy-pasted from another, very similar script).
I think the bind DN must have the rights to change the password..
Best regards,
Щенев Антон
-----Original Message-----
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of midpoint-request at lists.evolveum.com
Sent: Monday, May 25, 2020 2:49 PM
To: midpoint at lists.evolveum.com
Subject: midPoint Digest, Vol 97, Issue 53
Today's Topics:
1. Re: Error add credential (Ivan Noris)
2. User password expiration notifications (Vladislavs Filipciks)
3. Re: User password expiration notifications (Pálos Gustáv)
----------------------------------------------------------------------
Message: 1
Date: Mon, 25 May 2020 08:17:03 +0200
From: Ivan Noris <ivan.noris at evolveum.com>
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Error add credential
Message-ID: <27dda94a-a83f-8222-1790-ff34ca25a01c at evolveum.com>
Content-Type: text/plain; charset="utf-8"
Hi,
if you get permission denied exception from AD, then the error probably
happens somewhere else and not in the inbound password mapping you
pasted. Is there any outbound mapping for password as well?
Ivan
On 23. 5. 2020 17:14, Щенев Антон Вячеславович wrote:
>
> Hi,
>
> I get
> error(org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error
> adding LDAP entry CN=????: unwillingToPerform: 0000001F: SvcErr:
> DSID-031A1254, problem 5003 (WILL_NOT_PERFORM), data 0?? (53)))
>
> when I try to add a user.
>
> Are there not enough rights for this operation?
> It's absolutely certain that this problem is due to a password.
>
> <credentials>
>   <password>
>     <inbound>
>       <strength>weak</strength>
>       <expression>
>         <script>
>           <code>basic.encrypt("??????????")</code>
>         </script>
>       </expression>
>     </inbound>
>   </password>
> </credentials>
>
> Best regards,
>
> Щенев Антон Вячеславович
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
--
Ivan Noris
Senior Identity Engineer
evolveum.com
------------------------------
Message: 2
Date: Mon, 25 May 2020 11:55:03 +0300 (EEST)
From: Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv>
To: midpoint <midpoint at lists.evolveum.com>
Subject: [midPoint] User password expiration notifications
Message-ID: <24589014.5114809.1590396903451.JavaMail.zimbra at csolutions.lv>
Content-Type: text/plain; charset="utf-8"
Hello,
does midPoint have any functionality to notify a user about a soon-expiring password, that it should be changed?
I found the possibility to notify a user by e-mail about a new password generated for him, but how to handle a notification about an expiring password? I didn't find any examples or topic in the documentation for that.
Thank you in advance.
------------------------------
Message: 3
Date: Mon, 25 May 2020 11:48:19 +0200
From: Pálos Gustáv <gustav.palos at gmail.com>
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] User password expiration notifications
Message-ID: <CAPXQVkema8VDymG5goPwSDV3yqKSD7mdRV-Bs2i=6QwvcW45OQ at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi Vladislavs,
please see:
https://evolveum.com/how-to-notify-future-account-expiration/
Best regards,
Gustav
On Mon, 25 May 2020 at 10:55, Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
> Hello,
>
> does midPoint have any functionality to notify a user about a soon-expiring
> password, that it should be changed?
> I found the possibility to notify a user by e-mail about a new password generated
> for him, but how to handle a notification about an expiring password? I didn't
> find any examples or topic in the documentation for that.
>
> Thank you in advance.
--
Best regards,
Gustáv Pálos
------------------------------
------------------------------
End of midPoint Digest, Vol 97, Issue 53
****************************************
------------------------------
Message: 2
Date: Mon, 25 May 2020 10:45:15 +0000
From: Davy Priem <davy.priem at vives.be>
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Error add credential
Message-ID: <9358FD7B-E018-4912-96F0-8055054D42F9 at vives.be>
Content-Type: text/plain; charset="utf-8"
Hi,
You should also have a secure connection to the AD LDAP server.
Best regards,
Davy Priem
> On 25 May 2020, at 12:05, Щенев Антон Вячеславович <anton.shchenev at beeper.ru> wrote:
>
> Hi, Ivan
> I apologize for my carelessness, of course I used <outbound> (copy-pasted from another, very similar script).
> I think the bind DN must have the rights to change the password..
------------------------------
Message: 3
Date: Mon, 25 May 2020 13:22:56 +0200
From: Ivan Noris <ivan.noris at evolveum.com>
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Error add credential
Message-ID: <95d2173f-ad65-bfd9-1243-1a8089507d5e at evolveum.com>
Content-Type: text/plain; charset=utf-8
Hi Anton,
yes, it definitely should have permissions for that.
Please check in
https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector
"Reset user passwords and force password change at next logon"
And as Davy mentioned, you also need to go with port 636 and not 389.
The last thing I remember is that AD has its own password complexity
checking and your password cannot contain the username or some other AD
account attributes. You would get Unwilling to perform then.
If you encounter any incorrect documentation, please let us know.
Thanks.
Best regards,
Ivan
On 25. 5. 2020 12:05, Щенев Антон Вячеславович wrote:
> Hi, Ivan
> I apologize for my carelessness, of course I used <outbound> (copy-pasted from another, very similar script).
> I think the bind DN must have the rights to change the password..
--
Ivan Noris
Senior Identity Engineer
evolveum.com
------------------------------
------------------------------
End of midPoint Digest, Vol 97, Issue 54
****************************************