[midPoint] AD LDAP connector: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)

Keith Hazelton hazelton at internet2.edu
Wed Jul 2 21:18:14 CEST 2025


Mr Wang,

Seems there is a small miscommunication in our recent email conversations. You say you are on midPoint version 4.9.9, but as far as I know, the latest release is 4.9.3. Just want to be sure we are looking at the same version.

          --Keith - hazelton at internet2.edu
________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Wang, Eugene Mr. (Fed) via midPoint <midpoint at lists.evolveum.com>
Sent: Thursday, June 26, 2025 9:07 AM
To: midpoint at lists.evolveum.com <midpoint at lists.evolveum.com>
Cc: Wang, Eugene Mr. (Fed) <yujin.wang at nist.gov>; Withers, Timothy J. (Fed) <timothy.withers at nist.gov>; Jiang, Scott Zhihua (Fed) <scott.jiang at nist.gov>; Wei, Jingfang (Jenny) (Fed) <jingfang.wei at nist.gov>
Subject: [midPoint] AD LDAP connector: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)


We have troubleshot this issue following the instructions provided by the midPoint supporting engineers Claude and Keith.

https://claude.ai/share/67073561-d22d-43fe-8423-df33ad26cbf4



Unfortunately, we were not able to figure out the cause of the problem. Any advice is deeply appreciated.



We confirmed our AD setting:

  *   Active Directory DS supports the full function level of 2016 and is deployed on Windows 2019.
  *   The user account is in the Domain Admin group.
  *   The user account has both the additional permissions required by midPoint provisioning operations:
     *   Replicating Directory Changes
     *   Replicating Directory Changes All



The midPoint application is the release of 4.9.9





We turned the midPoint application “Class Logger” for Provisioning logger at the Debug level. It showed that the AD connector worked successfully in “returning clone” AD user data. But it failed at the step “Start synchronization of resource object”. The logger error message is here:



2025-06-26 09:04:16,246 [PROVISIONING] [midPointScheduler_Worker-5] DEBUG (com.evolveum.midpoint.provisioning.impl.resources.ResourceCache): HIT(returning clone) for resource:51996605-7561-457f-b6f0-6502a67990db(NIST AD LDAP connector 2 -- only use one object schema: user) (v128)
2025-06-26 09:04:16,246 [PROVISIONING] [midPointScheduler_Worker-5] DEBUG (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Start synchronization of resource:51996605-7561-457f-b6f0-6502a67990db(NIST AD LDAP connector 2 -- only use one object schema: user)
2025-06-26 09:04:16,430 [] [midPointScheduler_Worker-5] ERROR (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null msg:LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)
2025-06-26 09:04:16,431 [] [midPointScheduler_Worker-5] WARN (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId exception (might be handled by upper layers later) org.identityconnectors.framework.common.exceptions.PermissionDeniedException in NIST AD LDAP connector 2 -- only use one object schema: user: ConnectorSpec.Main(resource:51996605-7561-457f-b6f0-6502a67990db(NIST AD LDAP connector 2 -- only use one object schema: user)): LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50), reason: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50) (class org.identityconnectors.framework.common.exceptions.PermissionDeniedException)
2025-06-26 09:04:16,431 [] [midPointScheduler_Worker-5] DEBUG (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId exception (might be handled by upper layers later) org.identityconnectors.framework.common.exceptions.PermissionDeniedException in NIST AD LDAP connector 2 -- only use one object schema: user: ConnectorSpec.Main(resource:51996605-7561-457f-b6f0-6502a67990db(NIST AD LDAP connector 2 -- only use one object schema: user)): LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50).
org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)
        at com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:156)
        at com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)
        at com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.getLatestSyncToken(AdDirSyncStrategy.java:254)
        at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.getLatestSyncToken(AbstractLdapConnector.java:1865)
        at org.identityconnectors.framework.impl.api.local.operations.SyncImpl.getLatestSyncToken(SyncImpl.java:147)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)
        at jdk.proxy2/jdk.proxy2.$Proxy213.getLatestSyncToken(Unknown Source)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
        at jdk.proxy2/jdk.proxy2.$Proxy213.getLatestSyncToken(Unknown Source)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99)
        at jdk.proxy2/jdk.proxy2.$Proxy213.getLatestSyncToken(Unknown Source)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:89)
        at jdk.proxy2/jdk.proxy2.$Proxy213.getLatestSyncToken(Unknown Source)
        at org.identityconnectors.framework.impl.api.AbstractConnectorFacade.getLatestSyncToken(AbstractConnectorFacade.java:289)
        at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchCurrentToken(ConnectorInstanceConnIdImpl.java:1416)
        at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.fetchCurrentToken(ResourceObjectConverter.java:278)
        at com.evolveum.midpoint.provisioning.impl.shadows.sync.LiveSynchronizer.fetchAndRememberCurrentToken(LiveSynchronizer.java:202)
        at com.evolveum.midpoint.provisioning.impl.shadows.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:79)
        at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:252)
        at com.evolveum.midpoint.model.impl.sync.tasks.sync.LiveSyncActivityRun.iterateOverItemsInBucket(LiveSyncActivityRun.java:130)
        at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.processSingleBucket(IterativeActivityRun.java:457)
        at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.processOrAnalyzeOrSkipSingleBucket(IterativeActivityRun.java:414)
        at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.doRun(IterativeActivityRun.java:245)
        at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.runLocally(IterativeActivityRun.java:185)
        at com.evolveum.midpoint.repo.common.activity.run.LocalActivityRun.runInternal(LocalActivityRun.java:99)
        at com.evolveum.midpoint.repo.common.activity.run.AbstractActivityRun.runTreatingExceptions(AbstractActivityRun.java:271)
        at com.evolveum.midpoint.repo.common.activity.run.AbstractActivityRun.run(AbstractActivityRun.java:228)
        at com.evolveum.midpoint.repo.common.activity.run.task.ActivityBasedTaskRun.run(ActivityBasedTaskRun.java:82)
        at com.evolveum.midpoint.repo.common.activity.run.task.ActivityBasedTaskHandler.run(ActivityBasedTaskHandler.java:80)
        at com.evolveum.midpoint.task.quartzimpl.run.HandlerExecutor.executeHandler(HandlerExecutor.java:37)
        at com.evolveum.midpoint.task.quartzimpl.run.TaskCycleExecutor.executeHandler(TaskCycleExecutor.java:134)
        at com.evolveum.midpoint.task.quartzimpl.run.TaskCycleExecutor.executeTaskCycleRun(TaskCycleExecutor.java:127)
        at com.evolveum.midpoint.task.quartzimpl.run.TaskCycleExecutor.executeRecurringTask(TaskCycleExecutor.java:97)
        at com.evolveum.midpoint.task.quartzimpl.run.TaskCycleExecutor.execute(TaskCycleExecutor.java:70)
        at com.evolveum.midpoint.task.quartzimpl.run.JobExecutor.executeHandler(JobExecutor.java:157)
        at com.evolveum.midpoint.task.quartzimpl.run.JobExecutor.executeInternal(JobExecutor.java:126)
        at com.evolveum.midpoint.task.quartzimpl.run.JobExecutor.execute(JobExecutor.java:69)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)
2025-06-26 09:04:16,432 [PROVISIONING] [midPointScheduler_Worker-5] DEBUG (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50), reason: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50) (class com.evolveum.midpoint.util.exception.SystemException)
2025-06-26 09:04:16,432 [PROVISIONING] [midPointScheduler_Worker-5] ERROR (com.evolveum.midpoint.repo.common.activity.run.ActivityRunResult): Unhandled exception in root activity in 'Sync AD LDAP Users' task (OID 14413783-ccae-4605-baf5-5fec2a47828d).
com.evolveum.midpoint.util.exception.SystemException: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)
        at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchCurrentToken(ConnectorInstanceConnIdImpl.java:1435)
        at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.fetchCurrentToken(ResourceObjectConverter.java:278)
        at com.evolveum.midpoint.provisioning.impl.shadows.sync.LiveSynchronizer.fetchAndRememberCurrentToken(LiveSynchronizer.java:202)
        at com.evolveum.midpoint.provisioning.impl.shadows.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:79)
        at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:252)
        at com.evolveum.midpoint.model.impl.sync.tasks.sync.LiveSyncActivityRun.iterateOverItemsInBucket(LiveSyncActivityRun.java:130)
        at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.processSingleBucket(IterativeActivityRun.java:457)
        at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.processOrAnalyzeOrSkipSingleBucket(IterativeActivityRun.java:414)
        at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.doRun(IterativeActivityRun.java:245)



Thanks,



Eugene (Yujin) Wang

(301)975-3621 (office)

(240)386-9234 (mobile)

IT Specialist - Application Systems Division

Office of Information Management (OISM), NIST
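
The diagnostic string that repeats through the log above can be split into fields for triage. The following is an added example, not part of the original message or of midPoint: it assumes the usual layout of AD's extended LDAP error text, in which the eight hex digits before "LdapErr" are a Win32 error code (0x2105 is 8453, ERROR_DS_DRA_ACCESS_DENIED, "Replication access was denied") and the "v" field is the domain controller's OS build in hex. The names parse_ad_diagnostic and summarize are hypothetical.

```python
import re

# Win32 codes AD places in front of "LdapErr"; only the code seen in this
# thread is mapped (name as defined in winerror.h).
WIN32_NAMES = {0x2105: "ERROR_DS_DRA_ACCESS_DENIED"}

# Assumed layout: <result>: <win32 hex>: <kind>: DSID-<hex>, comment: <text>,
# data <hex>, v<OS build hex><stray chars> (<LDAP result code>)
AD_DIAG = re.compile(
    r"(?P<result>\w+): (?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): "
    r"DSID-(?P<dsid>[0-9A-Fa-f]{8}), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<build>[0-9A-Fa-f]+)\W*\((?P<code>\d+)\)"
)

# Two lines copied from the log in the message above, plus one stack frame.
SAMPLE_LOG = """\
2025-06-26 09:04:16,430 [] [midPointScheduler_Worker-5] ERROR (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null msg:LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)
org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)
        at com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:156)
"""

def parse_ad_diagnostic(line):
    """Return the fields of the first AD diagnostic in a log line, or None."""
    m = AD_DIAG.search(line)
    if not m:
        return None
    win32 = int(m["win32"], 16)
    return {
        "ldap_result": m["result"], "ldap_code": int(m["code"]),
        "win32_code": win32, "win32_name": WIN32_NAMES.get(win32, "unmapped"),
        "dsid": m["dsid"], "comment": m["comment"],
        "data": int(m["data"], 16), "server_build": int(m["build"], 16),
    }

def summarize(log_text):
    """Count distinct diagnostics; one failure is re-logged by several layers."""
    counts = {}
    for line in log_text.splitlines():
        d = parse_ad_diagnostic(line)
        if d:
            key = (d["ldap_code"], d["win32_name"], d["dsid"], d["server_build"])
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, "x", key)
```

On the sample lines the decoded build is 17763, the Windows Server 2019 build, which matches the deployment described in the message.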

