[midPoint] insufficientAccessRights.

Keith Hazelton hazelton at internet2.edu
Sat Jun 21 15:14:26 CEST 2025


Eugene,

I am testing Claude.ai at several tasks. I submitted your email and got this response. I'd be interested in what you make of this response or if it is misdirecting. https://claude.ai/share/67073561-d22d-43fe-8423-df33ad26cbf4

     —Keith Hazelton (hazelton at internet2.edu)

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Wang, Eugene Mr. (Fed) via midPoint <midpoint at lists.evolveum.com>
Sent: Friday, June 20, 2025 3:26 PM
To: midpoint at lists.evolveum.com <midpoint at lists.evolveum.com>
Cc: Wang, Eugene Mr. (Fed) <yujin.wang at nist.gov>; Jiang, Scott Zhihua (Fed) <scott.jiang at nist.gov>; Wei, Jingfang (Jenny) (Fed) <jingfang.wei at nist.gov>
Subject: [midPoint] insufficientAccessRights.


Dear midPoint Support Team:
I am testing the provisioning and account sync functionalities of the midPoint AD LDAP connector. We deployed the midPoint version 4.9.9 application and set up the resource connector:
com.evolveum.polygon.connector.ldap.ad.AdLdapConnector



The connector successfully loads the AD user’s account data to the midPoint application, but it fails the provisioning tasks.  The midPoint logger shows the “insufficientAccessRights” error message below:



com.evolveum.midpoint.util.exception.SystemException: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)
                at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchCurrentToken(ConnectorInstanceConnIdImpl.java:1435)
                at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.fetchCurrentToken(ResourceObjectConverter.java:278)
                at com.evolveum.midpoint.provisioning.impl.shadows.sync.LiveSynchronizer.fetchAndRememberCurrentToken(LiveSynchronizer.java:202)

We confirmed with our AD owner that the account used for the connection is in the “Domain Admin” group and has full create/update/delete permissions. We also confirmed that using Apache Studio, we can successfully modify any user’s attribute.



We confirmed with our AD owner that our system is running on a Windows 2019 Server with a full implementation of AD DS, and it reports a functionality level of 2016. The midPoint docs state that it supports "Active Directory Domain Services (AD DS), Windows Server 2019", so our AD system meets the midPoint application's requirements.



My question is: In order to set up a midPoint provisioning connector, is there any special feature to be configured (turned on) in the AD DS system?



Thanks,



Eugene (Yujin) Wang

(301)975-3621 (office)

(240)386-9234 (mobile)

IT Specialist - Application Systems Division

Office of Information Management (OISM), NIST
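
Added diagnostic for the error quoted above; this is not part of either message in the thread and is not midPoint or Evolveum code. Two things in the quoted trace narrow the problem down: it is raised from LiveSynchronizer.fetchAndRememberCurrentToken, i.e. the live-sync token fetch, which the AD connector implements as an LDAP search carrying the DirSync control; and the AD-side code 00002105 is ERROR_DS_DRA_ACCESS_DENIED (8453, "Replication access was denied"). A DirSync search sent without the LDAP_DIRSYNC_OBJECT_SECURITY flag needs the DS-Replication-Get-Changes extended right on the naming context being searched; ordinary attribute edits in Apache Directory Studio never exercise that right, so they do not prove it is present. The script runs the same DirSync search as the connector's bind account (once plainly, once with the object-security flag, which does not need the replication right) and then lists which ACEs on the domain naming context grant the two replication rights and whether the account's token covers any of them. The DC host name, domain DN and service account name are placeholders.

```powershell
# Added example: reproduce the DirSync search behind midPoint's live-sync
# token fetch as the connector bind account, then audit the replication
# extended rights on the domain naming context. Not midPoint project code.
#Requires -Modules ActiveDirectory
param(
    [string]$DcHost     = 'dc01.corp.example',   # assumption: a writable DC
    [string]$DomainDn   = 'DC=corp,DC=example',  # assumption: domain NC used as resource base
    [string]$SvcAccount = 'svc-midpoint'         # assumption: sAMAccountName of the bind account
)

# Extended-right GUIDs that DirSync (without the object-security flag) depends on.
$GetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$GetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All

# --- 1. DirSync search as the service account, outside midPoint ----------------
$cred = Get-Credential -Message "Bind credentials for $SvcAccount"
$root = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$DcHost/$DomainDn",
            $cred.UserName,
            $cred.GetNetworkCredential().Password)

function Test-DirSync {
    param([System.DirectoryServices.DirectorySynchronizationOptions]$Options)
    # Same shape as the connector's search: a filter plus the DirSync control.
    $search = New-Object System.DirectoryServices.DirectorySearcher(
                  $root, '(objectClass=user)', [string[]]@('sAMAccountName'))
    $search.DirectorySynchronization =
        New-Object System.DirectoryServices.DirectorySynchronization($Options)
    try {
        $count  = $search.FindAll().Count
        $cookie = $search.DirectorySynchronization.GetDirectorySynchronizationCookie()
        '{0,-16} OK   ({1} objects, {2}-byte cookie)' -f $Options, $count, $cookie.Length
    } catch {
        # The COM exception text carries the same LdapErr/DSID string as the midPoint log.
        '{0,-16} FAIL {1}' -f $Options, $_.Exception.Message.Trim()
    }
}

# Plain DirSync needs DS-Replication-Get-Changes; ObjectSecurity does not.
# "None FAIL / ObjectSecurity OK" points squarely at the missing replication right.
Test-DirSync None
Test-DirSync ObjectSecurity

# --- 2. Who holds the replication rights on the domain NC? ---------------------
# tokenGroups gives every SID in the account's token, nested groups included,
# so a right granted to a group the account belongs to is counted too.
$tokenSids = @((Get-ADUser $SvcAccount -Properties tokenGroups).tokenGroups |
               ForEach-Object { $_.Value }) +
             @((Get-ADUser $SvcAccount).SID.Value)

$acl = Get-Acl -Path "AD:\$DomainDn"
$acl.Access |
    Where-Object {
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -in @($GetChanges, $GetChangesAll)) -and
        ($_.AccessControlType -eq 'Allow')
    } |
    ForEach-Object {
        try   { $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $_.IdentityReference.Value }   # unresolvable (orphaned) trustee
        [pscustomobject]@{
            Trustee          = $_.IdentityReference.Value
            Right            = if ($_.ObjectType -eq $GetChanges) { 'DS-Replication-Get-Changes' }
                               else { 'DS-Replication-Get-Changes-All' }
            CoversSvcAccount = ($tokenSids -contains $sid)
        }
    } | Format-Table -AutoSize
```

Run it on a domain-joined host as someone allowed to read the domain NC's security descriptor. If the plain DirSync call fails while the ObjectSecurity call succeeds and no listed ACE covers the service account, the fix is an Allow ACE for ExtendedRight with the DS-Replication-Get-Changes GUID on the domain NC (System.DirectoryServices.ActiveDirectoryAccessRule added to the ACL and written back with Set-Acl). Grant it deliberately: DS-Replication-Get-Changes together with DS-Replication-Get-Changes-All is exactly the pair a DCSync-style replication of password hashes needs, so a synchronization account holding them should be a dedicated, tightly monitored principal rather than a Domain Admins member, and Get-Changes-All should be granted only if the sync actually needs it.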

