[midPoint] Error add credential

Davy Priem davy.priem at vives.be
Tue May 26 12:50:25 CEST 2020


Hi,

In the first case your keystore is /opt/midpoint/var/keystore.jceks. In the second case you use /opt/midpoint-4.0.1/var/keystore.jceks. You should also import your CA cert, and not the server cert, into your keystore. In a testing env where you don't have real users and passwords you can set the 'Allow untrusted SSL/TLS' option on the AD resource.

Best regards
Davy
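The question Anton asks below is how to make sure the -Djavax.net.ssl.trustStore option actually takes effect. The following is an added pre-flight check, not code from this thread, from midPoint or from Evolveum: it parses the ExecStart line and the keytool command exactly as posted in the thread and reports whether the keystore the JVM is told to read is the file keytool imported into. The corrected keytool line (alias ad-root-ca, file ca.pem) is a constructed example of what the import should look like once the path is fixed and the issuing CA certificate is used instead of the server's leaf certificate.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a pre-flight check that the
# truststore the JVM is told to read is the same file that keytool populated.
# Both command lines below are copied from the thread; only KEYTOOL_FIXED is a
# constructed correction (alias "ad-root-ca" and file "ca.pem" are assumptions).

# Print the value of the Java system property -D<name>=<value> found in a
# command line, or nothing if it is absent. Runs of spaces are tolerated.
java_prop() {
    printf '%s\n' "$2" | awk -v key="-D$1=" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key) == 1) { print substr($i, length(key) + 1); exit }
    }'
}

# Print the path that follows -keystore in a keytool command line.
keytool_keystore() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "-keystore") { print $(i + 1); exit }
    }'
}

# Compare the JVM truststore with the keystore keytool wrote into.
# Exit status: 0 = same file, 1 = ExecStart sets no trustStore at all,
# 2 = the two paths differ (the situation in this thread).
check_truststore_consistency() {
    execstart=$1
    keytool_cmd=$2
    jvm_store=$(java_prop javax.net.ssl.trustStore "$execstart")
    jvm_type=$(java_prop javax.net.ssl.trustStoreType "$execstart")
    kt_store=$(keytool_keystore "$keytool_cmd")

    if [ -z "$jvm_store" ]; then
        echo "ExecStart sets no -Djavax.net.ssl.trustStore; the JVM will use its default cacerts" >&2
        return 1
    fi
    if [ "$jvm_store" != "$kt_store" ]; then
        echo "mismatch: JVM reads $jvm_store but keytool imported into $kt_store" >&2
        return 2
    fi
    echo "ok: JVM and keytool both use $jvm_store (type ${jvm_type:-default})"
    return 0
}

# Sample input, as posted in the thread. Note /opt/midpoint-4.0.1/var in
# ExecStart versus /opt/midpoint/var in the keytool command.
EXECSTART_THREAD='/usr/bin/java -Xmx12288m -Dmidpoint.home=/opt/midpoint-4.0.1/var  -Djavax.net.ssl.trustStore=/opt/midpoint-4.0.1/var/keystore.jceks -Djavax.net.ssl.trustStoreType=jceks  -jar /opt/midpoint-4.0.1/lib/midpoint.war'
KEYTOOL_THREAD='keytool -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass changeit -import -alias servercert -trustcacerts -file servercert.pem'

# Constructed correction: same keystore the JVM reads, and the issuing CA
# certificate rather than the server's leaf certificate.
KEYTOOL_FIXED='keytool -keystore /opt/midpoint-4.0.1/var/keystore.jceks -storetype jceks -storepass changeit -import -alias ad-root-ca -trustcacerts -file ca.pem'

check_truststore_consistency "$EXECSTART_THREAD" "$KEYTOOL_THREAD" || echo "fix the keystore path before restarting midPoint"
check_truststore_consistency "$EXECSTART_THREAD" "$KEYTOOL_FIXED"
```

Once the paths agree, `keytool -list -keystore /opt/midpoint-4.0.1/var/keystore.jceks -storetype jceks -storepass changeit` should show the imported alias, and `openssl x509 -in ca.pem -noout -text` should show `CA:TRUE` under Basic Constraints; if it shows the server's own subject and `CA:FALSE`, the leaf certificate was imported instead of the issuer, which is what Davy warns against above.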

On 26 May 2020, at 12:35, Щенев Антон Вячеславович <anton.shchenev at beeper.ru> wrote:

Hi Ivan, Davy,
Thanks for your reply.
I'm trying SSL (port 636). Before that I got the server certificate (openssl: openssl s_client -connect server.mydomain.com:636) and imported it (keytool -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass changeit -import -alias servercert -trustcacerts -file servercert.pem).
After that I modified the ExecStart directive in the midpoint.service file and restarted midPoint.
ExecStart=/usr/bin/java -Xmx12288m -Dmidpoint.home=/opt/midpoint-4.0.1/var  -Djavax.net.ssl.trustStore=/opt/midpoint-4.0.1/var/keystore.jceks -Djavax.net.ssl.trustStoreType=jceks  -jar /opt/midpoint-4.0.1/lib/midpoint.war

But I'm getting the same error all the time, as if the option (-Djavax.net.ssl.trustStore=/opt/midpoint-4.0.1/var/keystore.jceks -Djavax.net.ssl.trustStoreType=jceks) does not work:


Connection failed: org.identityconnectors.framework.common.exceptions.ConnectionFailedException(Unable to connect to LDAP server.mydomain.com:636: ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Failed to build certification path: unable to find valid certification path to requested target

How can I make sure the option works?

Best regards,
Щенев Антон
-----Original Message-----
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of midpoint-request at lists.evolveum.com
Sent: Monday, May 25, 2020 4:23 PM
To: midpoint at lists.evolveum.com
Subject: midPoint Digest, Vol 97, Issue 54

Send midPoint mailing list submissions to
midpoint at lists.evolveum.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.evolveum.com/mailman/listinfo/midpoint
or, via email, send a message with subject or body 'help' to
midpoint-request at lists.evolveum.com

You can reach the person managing the list at
midpoint-owner at lists.evolveum.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of midPoint digest..."


Today's Topics:

  1. Re: Error add credential
     (Щенев Антон Вячеславович)
  2. Re: Error add credential (Davy Priem)
  3. Re: Error add credential (Ivan Noris)


----------------------------------------------------------------------

Message: 1
Date: Mon, 25 May 2020 10:05:42 +0000
From: Щенев Антон Вячеславович
<anton.shchenev at beeper.ru>
To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Error add credential
Message-ID:
<651689E53CC19841968296084942E1E849E87158 at ekt-asbt-mxs001.beeper.ru>
Content-Type: text/plain; charset="utf-8"

Hi, Ivan
I apologize for my carelessness; of course I used <outbound> (copy-pasted from another, very similar script).
I think that the bind DN must have the rights to change the password.



Best regards,
Щенев Антон

-----Original Message-----
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of midpoint-request at lists.evolveum.com
Sent: Monday, May 25, 2020 2:49 PM
To: midpoint at lists.evolveum.com
Subject: midPoint Digest, Vol 97, Issue 53

Send midPoint mailing list submissions to
midpoint at lists.evolveum.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.evolveum.com/mailman/listinfo/midpoint
or, via email, send a message with subject or body 'help' to
midpoint-request at lists.evolveum.com

You can reach the person managing the list at
midpoint-owner at lists.evolveum.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of midPoint digest..."


Today's Topics:

  1. Re: Error add credential (Ivan Noris)
  2. User password expiration notifications (Vladislavs Filipciks)
  3. Re: User password expiration notifications (Pálos Gustáv)


----------------------------------------------------------------------

Message: 1
Date: Mon, 25 May 2020 08:17:03 +0200
From: Ivan Noris <ivan.noris at evolveum.com>
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Error add credential
Message-ID: <27dda94a-a83f-8222-1790-ff34ca25a01c at evolveum.com>
Content-Type: text/plain; charset="utf-8"

Hi,

if you get permission denied exception from AD, then the error probably
happens somewhere else and not in the inbound password mapping you
pasted. Is there any outbound mapping for password as well?

Ivan

On 23. 5. 2020 17:14, Щенев Антон Вячеславович wrote:

Hi,

I get
error(org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error
adding LDAP entry CN=????: unwillingToPerform: 0000001F: SvcErr:
DSID-031A1254, problem 5003 (WILL_NOT_PERFORM), data 0?? (53)))

when I try to add a user.

Are there not enough rights for this operation?
It's absolutely certain that this problem is due to the password.



<credentials>
   <password>
      <inbound>
         <strength>weak</strength>
         <expression>
            <script>
               <code>basic.encrypt("??????????")</code>
            </script>
         </expression>
      </inbound>
   </password>
</credentials>








Best regards,

Щенев Антон Вячеславович




_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint

--
Ivan Noris
Senior Identity Engineer
evolveum.com


------------------------------

Message: 2
Date: Mon, 25 May 2020 11:55:03 +0300 (EEST)
From: Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv>
To: midpoint <midpoint at lists.evolveum.com>
Subject: [midPoint] User password expiration notifications
Message-ID:
<24589014.5114809.1590396903451.JavaMail.zimbra at csolutions.lv>
Content-Type: text/plain; charset="utf-8"

Hello,

does midPoint have any functionality to notify a user about a soon-expiring password, so that it can be changed?
I found the possibility to notify a user by e-mail about a new password generated for him, but how to handle a notification about an expiring password? I didn't find any examples or a topic in the documentation for that.

Thank You in advance.





------------------------------

Message: 3
Date: Mon, 25 May 2020 11:48:19 +0200
From: Pálos Gustáv <gustav.palos at gmail.com>
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] User password expiration notifications
Message-ID:
<CAPXQVkema8VDymG5goPwSDV3yqKSD7mdRV-Bs2i=6QwvcW45OQ at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi Vladislavs,

please see:
https://evolveum.com/how-to-notify-future-account-expiration/

Best regards,

Gustav




--
Best regards,

Gustáv Pálos

------------------------------

Subject: Digest Footer

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint


------------------------------

End of midPoint Digest, Vol 97, Issue 53
****************************************

------------------------------

Message: 2
Date: Mon, 25 May 2020 10:45:15 +0000
From: Davy Priem <davy.priem at vives.be>
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Error add credential
Message-ID: <9358FD7B-E018-4912-96F0-8055054D42F9 at vives.be>
Content-Type: text/plain; charset="utf-8"

Hi,

You should also have a secure connection to the AD LDAP server.

Best regards,
Davy Priem

On 25 May 2020, at 12:05, Щенев Антон Вячеславович <anton.shchenev at beeper.ru> wrote:

Hi, Ivan
I apologize for my carelessness; of course I used <outbound> (copy-pasted from another, very similar script).
I think that the bind DN must have the rights to change the password.



Best regards,
Щенев Антон



------------------------------

Message: 3
Date: Mon, 25 May 2020 13:22:56 +0200
From: Ivan Noris <ivan.noris at evolveum.com>
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Error add credential
Message-ID: <95d2173f-ad65-bfd9-1243-1a8089507d5e at evolveum.com>
Content-Type: text/plain; charset=utf-8

Hi Anton,

yes, it definitely should have permissions for that.

Please check in
https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector

"Reset user passwords and force password change at next logon"

And as Davy mentioned, you also need to go with port 636 and not 389.

The last thing I remember is that AD has its own password complexity
checking, and your password cannot contain the username or some other AD
account attributes. You would get Unwilling to perform then.

If you encounter any incorrect documentation, please let us know.

Thanks.

Best regards,

Ivan

On 25. 5. 2020 12:05, Щенев Антон Вячеславович wrote:
Hi, Ivan
I apologize for my carelessness; of course I used <outbound> (copy-pasted from another, very similar script).
I think that the bind DN must have the rights to change the password.



Best regards,
Щенев Антон

------------------------------

Subject: Digest Footer

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint


------------------------------

End of midPoint Digest, Vol 97, Issue 54
****************************************
