<div dir="ltr">Hey Radovan, <div><br></div><div>Thanks for you reply. Upon further debugging, it turns out there was a problem with my server as you had suggested. There must've been some character encoding issue when I added the Groups OU (I'm assuming it must've been a trailing space character) and thus Midpoint couldn't write to that location as it did not exist. </div><div><br></div><div>Also thanks for the write up on debugging the LDAP connector! That will definitely come in handy at some point. </div><div><br></div><div>Thanks, </div><div>-F </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 24, 2016 at 3:34 AM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
I have seen similar issue with TLS-enabled OpenLDAP. It looks like
the default setting for TLS ciphers in OpenLDAP and some Java
versions do not match. The problem is made worse by the notoriously
bad error reporting and diagnostics in JCE. And honestly Apache
Directory API is also not entirely perfect in this aspect. And that
was also the reason for false "green" light the last time when I
have experienced a similar behavior. Yet, according to your
description this does not seem to be a TLS problem.<br>
<br>
Anyway, there is nice way how to troubleshoot the LDAP connector by
enabling the logging. I have just realized that it is not documented
anywhere, so I have documented it just now:
<a href="https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting" target="_blank">https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting</a><br>
<br>
Therefore please enable the connector logging. It will give you more
details. However I'm a bit afraid that the "operationsError: (1)"
suggests an error on the server side. You may need to enable logging
on the OpenLDAP server to see what is the root cause. The OpenLDAP
is indeed a great directory server. But it is not easy to manage it
or to diagnose the issues. Sometimes you just have to guess. But
let's see the LDAP request and response. Maybe it will contain some
hint.<br>
<br>
<pre cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre><div><div class="h5">
<br>
<br>
<div>On 05/24/2016 01:46 AM, Florin.
Stingaciu wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I'm running into this strange issue where I defined a
resource, an OpenLDAP backend. I made sure to import the
appropriate certificate within the keystore. After importing
the resource, I test the connection and everything is green
and good to go, however, if I try to assign an account to a
user on this resource I get the following error:</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Could
not create
object=cn=testGroup,ou=Groups,dc=mgmt,dc=example,dc=net on the
resource, because resource: OpenLDAP Accounts Schema
(OID:fd6c4614-3f1d-42c6-aec5-3d367ce04f40) is unreachable at
the moment. Shadow is stored in the repository and the
resource object will be created when the resource goes online</blockquote>
<div><br>
</div>
<div>The above error is taken from the GUI. In the logs, I have
the following:</div>
<div><br>
</div>
<div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> ICF
Exception
org.identityconnectors.framework.common.exceptions.ConnectorIOException
in connector:5b12de31-8e0c-48ab-8e5b-199467c16eab(ICF
com.evolveum.polygon.connector.ldap.LdapConnector
v1.4.3.0-SNAPSHOT):
<a>resource:fd6c4614-3f1d-42c6-aec5-3d367ce04f40(OpenLDAP</a>
Accounts Schema): Error adding LDAP entry
cn=testGroup,ou=Groups,dc=mgmt,dc=example,dc=net:
operationsError: (1)</blockquote>
<br>
I've done this numerous times and never had this issue. I've
tried debuging it for the last two hours but I'm coming up
empty handed. Here's my connector config:</div>
<div><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> <icfc:configurationProperties
xmlns:gen36="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector" target="_blank">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector</a>"><br>
<gen36:host><a href="http://example.symcpe.net" target="_blank">example.symcpe.net</a></gen36:host><br>
<gen36:port>389</gen36:port><br>
<gen36:connectionSecurity>starttls</gen36:connectionSecurity><br>
<gen36:bindDn>cn=admin</gen36:bindDn><br>
<gen36:bindPassword><br>
<t:encryptedData><br>
<t:encryptionMethod><br>
<t:algorithm><a href="http://www.w3.org/2001/04/xmlenc#aes128-cbc" target="_blank"></a><a href="http://www.w3.org/2001/04/xmlenc#aes128-cbc" target="_blank">http://www.w3.org/2001/04/xmlenc#aes128-cbc</a></t:algorithm><br>
</t:encryptionMethod><br>
<t:keyInfo><br>
<t:keyName>hJhPsasaSRiv/SoyMVjnDmRq3PKNuwQ=</t:keyName><br>
</t:keyInfo><br>
<t:cipherData><br>
<t:cipherValue>ukt6JOfbox28PwIWwN4xnzg8/q8ZUHPlQyRm1IevYom6eaqUkzpxSiPKLxF6p4yO+v19fgegOwfqDxaXumzIQ==</t:cipherValue><br>
</t:cipherData><br>
</t:encryptedData><br>
</gen36:bindPassword><br>
<gen36:baseContext>dc=mgmt,dc=example,dc=net</gen36:baseContext><br>
<gen36:passwordHashAlgorithm>SSHA</gen36:passwordHashAlgorithm><br>
<gen36:pagingStrategy>auto</gen36:pagingStrategy><br>
<gen36:vlvSortAttribute>uid</gen36:vlvSortAttribute><br>
<gen36:vlvSortOrderingRule>2.5.13.3</gen36:vlvSortOrderingRule><br>
<gen36:uidAttribute>dn</gen36:uidAttribute><br>
<gen36:operationalAttributes>memberOf</gen36:operationalAttributes><br>
</icfc:configurationProperties><br>
</connectorConfiguration></blockquote>
<div><br>
Any help in debugging this issue would be greatly
appreciated. Oh also, yes I do have write access to this
ldap server :) </div>
</div>
<div><br>
</div>
<div>Thanks, </div>
<div>-F </div>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>