<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
I have seen a similar issue with TLS-enabled OpenLDAP. It looks like
the default settings for TLS ciphers in OpenLDAP and some Java
versions do not match. The problem is made worse by the notoriously
bad error reporting and diagnostics in JCE. And honestly, the Apache
Directory API is also not entirely perfect in this respect. That
was also the reason for the false "green" light the last time I
experienced similar behavior. Yet, according to your
description, this does not seem to be a TLS problem.<br>
<br>
Anyway, there is a nice way to troubleshoot the LDAP connector by
enabling its logging. I have just realized that it is not documented
anywhere, so I have documented it just now:
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting">https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting</a><br>
<br>
Therefore please enable the connector logging. It will give you more
details. However, I'm a bit afraid that the "operationsError: (1)"
suggests an error on the server side. You may need to enable logging
on the OpenLDAP server to see the root cause. OpenLDAP
is indeed a great directory server, but it is not easy to manage
or to diagnose issues with it. Sometimes you just have to guess. But
let's see the LDAP request and response. Maybe it will contain some
hint.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
<div class="moz-cite-prefix">On 05/24/2016 01:46 AM, Florin.
Stingaciu wrote:<br>
</div>
<blockquote
cite="mid:CAMQHPY1h9uYfT0yqaKkqL9dd+N3LLW5y1ejRiRn=h8f0CVYsyw@mail.gmail.com"
type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I'm running into this strange issue where I defined a
resource, an OpenLDAP backend. I made sure to import the
appropriate certificate into the keystore. After importing
the resource, I test the connection and everything is green
and good to go; however, if I try to assign an account to a
user on this resource I get the following error:</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Could
not create
object=cn=testGroup,ou=Groups,dc=mgmt,dc=example,dc=net on the
resource, because resource: OpenLDAP Accounts Schema
(OID:fd6c4614-3f1d-42c6-aec5-3d367ce04f40) is unreachable at
the moment. Shadow is stored in the repository and the
resource object will be created when the resource goes online</blockquote>
<div><br>
</div>
<div>The above error is taken from the GUI. In the logs, I have
the following:</div>
<div><br>
</div>
<div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> ICF
Exception
org.identityconnectors.framework.common.exceptions.ConnectorIOException
in connector:5b12de31-8e0c-48ab-8e5b-199467c16eab(ICF
com.evolveum.polygon.connector.ldap.LdapConnector
v1.4.3.0-SNAPSHOT):
<a class="moz-txt-link-freetext" href="resource:fd6c4614-3f1d-42c6-aec5-3d367ce04f40(OpenLDAP">resource:fd6c4614-3f1d-42c6-aec5-3d367ce04f40(OpenLDAP</a>
Accounts Schema): Error adding LDAP entry
cn=testGroup,ou=Groups,dc=mgmt,dc=example,dc=net:
operationsError: (1)</blockquote>
<br>
I've done this numerous times and never had this issue. I've
tried debugging it for the last two hours but I'm coming up
empty-handed. Here's my connector config:</div>
<div><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> <icfc:configurationProperties
xmlns:gen36="<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector</a>"><br>
<gen36:host><a moz-do-not-send="true"
href="http://example.symcpe.net">example.symcpe.net</a></gen36:host><br>
<gen36:port>389</gen36:port><br>
<gen36:connectionSecurity>starttls</gen36:connectionSecurity><br>
<gen36:bindDn>cn=admin</gen36:bindDn><br>
<gen36:bindPassword><br>
<t:encryptedData><br>
<t:encryptionMethod><br>
<t:algorithm><a
moz-do-not-send="true"
href="http://www.w3.org/2001/04/xmlenc#aes128-cbc"><a class="moz-txt-link-freetext" href="http://www.w3.org/2001/04/xmlenc#aes128-cbc">http://www.w3.org/2001/04/xmlenc#aes128-cbc</a></a></t:algorithm><br>
</t:encryptionMethod><br>
<t:keyInfo><br>
<t:keyName>hJhPsasaSRiv/SoyMVjnDmRq3PKNuwQ=</t:keyName><br>
</t:keyInfo><br>
<t:cipherData><br>
<t:cipherValue>ukt6JOfbox28PwIWwN4xnzg8/q8ZUHPlQyRm1IevYom6eaqUkzpxSiPKLxF6p4yO+v19fgegOwfqDxaXumzIQ==</t:cipherValue><br>
</t:cipherData><br>
</t:encryptedData><br>
</gen36:bindPassword><br>
<gen36:baseContext>dc=mgmt,dc=example,dc=net</gen36:baseContext><br>
<gen36:passwordHashAlgorithm>SSHA</gen36:passwordHashAlgorithm><br>
<gen36:pagingStrategy>auto</gen36:pagingStrategy><br>
<gen36:vlvSortAttribute>uid</gen36:vlvSortAttribute><br>
<gen36:vlvSortOrderingRule>2.5.13.3</gen36:vlvSortOrderingRule><br>
<gen36:uidAttribute>dn</gen36:uidAttribute><br>
<gen36:operationalAttributes>memberOf</gen36:operationalAttributes><br>
</icfc:configurationProperties><br>
</connectorConfiguration></blockquote>
<div><br>
Any help in debugging this issue would be greatly
appreciated. Oh, also: yes, I do have write access to this
LDAP server :) </div>
</div>
<div><br>
</div>
<div>Thanks, </div>
<div>-F </div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
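Added example (not code from the original thread, from midPoint, or from the LDAP connector): a minimal StartTLS probe in Python that shows what the LDAP request and response Radovan asks for look like on the wire, decodes the LDAPResult fields (including the diagnosticMessage, which is where OpenLDAP puts the human-readable reason behind an operationsError), and then completes the TLS handshake on the same socket so the negotiated protocol and cipher can be compared with what the Java client offers. The host name, the sample responses and the cipher strings are assumptions for illustration; only the BER encoding/decoding is exercised offline.<br>

```python
"""Hand-rolled LDAP StartTLS probe (added example; not midPoint or connector code).

Encodes the StartTLS ExtendedRequest (RFC 4511 / RFC 4513), decodes the
ExtendedResponse, then wraps the socket in TLS so the negotiated protocol
and cipher can be compared with what a Java client will accept.
"""
import socket
import ssl
import sys

START_TLS_OID = "1.3.6.1.4.1.1466.20037"

# Subset of LDAP resultCode values (RFC 4511, Appendix A).
RESULT_CODES = {0: "success", 1: "operationsError", 2: "protocolError",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Tag + BER length + content."""
    return bytes([tag]) + ber_len(len(content)) + content


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def encode_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = tlv(0x77, tlv(0x80, START_TLS_OID.encode("ascii")))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext_req)


def encode_result_response(op_tag, message_id, result_code, matched_dn="", diag=""):
    """Server side: LDAPMessage carrying an LDAPResult (e.g. 0x78 = ExtendedResponse,
    0x69 = AddResponse). Used here to construct sample responses for testing."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, matched_dn.encode()) \
        + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(op_tag, body))


def decode_ldap_result(msg):
    """Decode any LDAPResult-based response into its named fields."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    _, code, pos = read_tlv(op)          # resultCode ENUMERATED
    _, matched, pos = read_tlv(op, pos)  # matchedDN
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage: the server's hint
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "op_tag": op_tag,
            "result_code": rc, "result_name": RESULT_CODES.get(rc, "unknown"),
            "matched_dn": matched.decode("utf-8"),
            "diagnostic_message": diag.decode("utf-8")}


def recv_ldap_message(sock):
    """Read exactly one BER-framed LDAPMessage (short or long length form)."""
    head = sock.recv(2)
    if len(head) < 2:
        raise ConnectionError("connection closed before LDAP response")
    if head[1] < 0x80:
        need = head[1]
    else:
        extra = sock.recv(head[1] & 0x7F)
        head += extra
        need = int.from_bytes(extra, "big")
    body = b""
    while len(body) < need:
        chunk = sock.recv(need - len(body))
        if not chunk:
            raise ConnectionError("truncated LDAP response")
        body += chunk
    return head + body


def starttls_probe(host, port=389, ciphers=None, cafile=None, timeout=5.0):
    """Send StartTLS, then negotiate TLS. Returns (ldap_result, tls_version, cipher).
    ciphers= takes an OpenSSL cipher string, so a restricted client (e.g. one
    mimicking a Java default list) can be simulated. Network call; not run offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    if ciphers:
        ctx.set_ciphers(ciphers)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_starttls_request())
        result = decode_ldap_result(recv_ldap_message(sock))
        if result["result_code"] != 0:       # server refused StartTLS; read why
            return result, None, None
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return result, tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Usage: python probe.py ldap.example.net [389] [CIPHER-STRING]  (assumed host)
    h = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.net"
    p = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    print(starttls_probe(h, p, ciphers=sys.argv[3] if len(sys.argv) > 3 else None))
```

If the handshake fails with a certificate-verification error, that is the Java-side keystore problem in another guise; if it fails with "no shared cipher" only when a restricted cipher string is passed, the server's TLSCipherSuite and the client's defaults do not overlap. A resultCode other than 0 in the ExtendedResponse means the server refused StartTLS before any TLS took place, and the diagnosticMessage is the text to look for in the OpenLDAP log.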
<br>
</body>
</html>