[midPoint] AD Connector: Cannot list any group - Failed to convert query. Reason: Syntax error: Unexpected an identifier language concept 'return'

Frech, Robin robin.frech at enventa-group.com
Tue Jul 15 10:16:46 CEST 2025


Hello all,
I am having trouble with ~6 of our Active Directories (Windows ADs).
All of them are separate environments (abc.local, bef.local, ...), running Windows Server 2016+ and Domain functional level 2016.
One domain controller is running Windows Server 2022. I don't think that really matters.

I am able to see all users.
Some of them are an English / German mix. Some are clean English and AD attributes from ADSI look OK. For me I skip this in mind.
In GUI resource (AD_XY) > resource objects > group > "Fatal error". No red / yellow banner, only text in the result table.

I am digging deeper and deeper and get this error message every time I access groups.
The default AD template from GitHub splits groups into universal, distribution groups, ...
I tried to refresh schema, removed schema from XML, rebuilt things, disabled mappings, disabled role and entitlements, sync, correlation, changing from older to latest AD connector, toggled Native AD schema, paging strategy, read schema, search scope, logSchemaErrors.display, Base context to other OU,....

Looks like a connector problem? Are some attributes faulty? I cannot find a specific reason.
Looks like only specific groups cannot be resolved.
I toggled some AD/LDAP connector specific logs.
But without knowing which group / search is failing, it is really hard to understand what's going on. See error messages below.

Maybe we can find out what is causing the problem. This would be really nice!

Best regards
Robin

Version     4.9.1
Branch      support-4.9
Git describe      v4.9.1
Built at    Thu, 30 Jan 2025 10:28:02 +0000
 Official build by Evolveum

com.evolveum.polygon.connector.ldap.ad.AdLdapConnector
3.9.1


2025-07-15 01:18:26,257 [] [Thread-31] DEBUG (com.evolveum.polygon.connector.ldap.OperationLog): method: null msg:ldaps://XXXXXXXXX/ Search RES Done:
        Ldap Result
            Result code : (SUCCESS) success
            Matched Dn : ''
            Diagnostic message : ''

2025-07-15 01:18:26,259 [] [http-nio-8080-exec-10] WARN (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId exception (might be handled by upper layers later) com.evolveum.midpoint.util.exception.TunnelException in AD_XXXXXXX: ConnectorSpec.Main(resource:9199f6c9-f6eb-4216-98a3-0985f42e8b5c(AD_XXXXXXXX_local)): com.evolveum.midpoint.util.exception.SchemaException: Failed to convert query. Reason: Syntax error: Unexpected an identifier language concept 'return', reason: com.evolveum.midpoint.util.exception.SchemaException: Failed to convert query. Reason: Syntax error: Unexpected an identifier language concept 'return' (class com.evolveum.midpoint.util.exception.TunnelException)
2025-07-15 01:18:26,260 [MODEL] [http-nio-8080-exec-10] WARN (com.evolveum.midpoint.model.impl.controller.ModelController): Couldn't search objects in provisioning, reason: Problem while executing the search using connector ConnectorInstanceIcfImpl(connector:7771c03b-13b1-4e09-b779-ae584b95d89e(ConnId com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.9.1)): Failed to convert query. Reason: Syntax error: Unexpected an identifier language concept 'return' (class com.evolveum.midpoint.util.exception.SchemaException)
2025-07-15 01:18:26,260 [] [http-nio-8080-exec-10] ERROR (com.evolveum.midpoint.gui.impl.component.data.provider.SelectableBeanContainerDataProvider): Couldn't list objects.
com.evolveum.midpoint.util.exception.SchemaException: Problem while executing the search using connector ConnectorInstanceIcfImpl(connector:7771c03b-13b1-4e09-b779-ae584b95d89e(ConnId com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.9.1)): Failed to convert query. Reason: Syntax error: Unexpected an identifier language concept 'return'
        at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
        at com.evolveum.midpoint.util.MiscUtil.createSame(MiscUtil.java:1060)
        at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectSearchOperation.execute(ResourceObjectSearchOperation.java:168)
        at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectSearchOperation.execute(ResourceObjectSearchOperation.java:87)
        at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.searchResourceObjects(ResourceObjectConverter.java:151)
        at com.evolveum.midpoint.provisioning.impl.shadows.ShadowSearchLikeOperation.executeIterativeSearchOnResource(ShadowSearchLikeOperation.java:180)
        at com.evolveum.midpoint.provisioning.impl.shadows.ShadowSearchLikeOperation.executeNonIterativeSearch(ShadowSearchLikeOperation.java:132)
        at com.evolveum.midpoint.provisioning.impl.shadows.ShadowsFacade.searchShadows(ShadowsFacade.java:175)
        at com.evolveum.midpoint.provisioning.impl.operations.ProvisioningSearchLikeOperation.executeSearch(ProvisioningSearchLikeOperation.java:91)
        at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.searchObjects(ProvisioningServiceImpl.java:340)
        at com.evolveum.midpoint.provisioning.api.ProvisioningService.searchObjects(ProvisioningService.java:668)
