[midPoint] insufficientAccessRights.
Wang, Eugene Mr. (Fed)
yujin.wang at nist.gov
Fri Jun 20 22:26:50 CEST 2025
Dear midPoint Support Team:
I am testing the provisioning and account sync functionalities of the midPoint AD LDAP connector. We deployed the midPoint version 4.9.9 application and set up the resource connector:
com.evolveum.polygon.connector.ldap.ad.AdLdapConnector
The connector successfully loads the AD user's account data to the midPoint application, but it fails the provisioning tasks. The midPoint logger shows the "insufficientAccessRights" error message below:
com.evolveum.midpoint.util.exception.SystemException: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)
    at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchCurrentToken(ConnectorInstanceConnIdImpl.java:1435)
    at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.fetchCurrentToken(ResourceObjectConverter.java:278)
    at com.evolveum.midpoint.provisioning.impl.shadows.sync.LiveSynchronizer.fetchAndRememberCurrentToken(LiveSynchronizer.java:202)
We confirmed with our AD owner that the account used for the connection is in the "Domain Admin" group and has full create/update/delete permissions. We also confirmed that using Apache Studio, we can successfully modify any user's attribute.
We confirmed with our AD owner that our system is running on a Windows 2019 Server with a full implementation of AD DS, and it reports a functionality level of 2016. The midPoint docs state that it supports "Active Directory Domain Services (AD DS), Windows Server 2019", so our AD system fulfills the midPoint application.
My question is: In order to set up a midPoint provisioning connector, is there any special feature to be configured (turned on) in the AD DS system?
Thanks,
Eugene (Yujin) Wang
(301)975-3621 (office)
(240)386-9234 (mobile)
IT Specialist - Application Systems Division
Office of Information Management (OISM), NIST