<div dir="ltr">Hey Radovan, <div><br></div><div>Thanks for your reply. Upon further debugging, it turns out there was a problem with my server as you had suggested. There must've been some character encoding issue when I added the Groups OU (I'm assuming it must've been a trailing space character) and thus Midpoint couldn't write to that location as it did not exist. </div><div><br></div><div>Also thanks for the write up on debugging the LDAP connector! That will definitely come in handy at some point. </div><div><br></div><div>Thanks, </div><div>-F </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 24, 2016 at 3:34 AM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Hi,<br>
    <br>
    I have seen a similar issue with TLS-enabled OpenLDAP. It looks like
    the default setting for TLS ciphers in OpenLDAP and some Java
    versions do not match. The problem is made worse by the notoriously
    bad error reporting and diagnostics in JCE. And honestly, Apache
    Directory API is also not entirely perfect in this aspect. That
    was also the reason for the false "green" light the last time I
    experienced a similar behavior. Yet, according to your
    description, this does not seem to be a TLS problem.<br>
    <br>
    Anyway, there is a nice way to troubleshoot the LDAP connector by
    enabling the logging. I have just realized that it is not documented
    anywhere, so I have documented it just now:
<a href="https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting" target="_blank">https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting</a><br>
    <br>
    Therefore, please enable the connector logging. It will give you more
    details. However, I'm a bit afraid that the "operationsError:  (1)"
    suggests an error on the server side. You may need to enable logging
    on the OpenLDAP server to see what the root cause is. OpenLDAP
    is indeed a great directory server. But it is not easy to manage it
    or to diagnose the issues. Sometimes you just have to guess. But
    let's see the LDAP request and response. Maybe it will contain some
    hint.<br>
    <br>
    <pre cols="72">-- 
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre><div><div class="h5">
    <br>
    <br>
    <div>On 05/24/2016 01:46 AM, Florin.
      Stingaciu wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      <div dir="ltr">Hello, 
        <div><br>
        </div>
        <div>I'm running into this strange issue where I defined a
          resource, an OpenLDAP backend. I made sure to import the
          appropriate certificate within the keystore. After importing
          the resource, I test the connection and everything is green
          and good to go; however, if I try to assign an account to a
          user on this resource I get the following error:</div>
        <div><br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Could
          not create
          object=cn=testGroup,ou=Groups,dc=mgmt,dc=example,dc=net on the
          resource, because resource: OpenLDAP Accounts Schema
          (OID:fd6c4614-3f1d-42c6-aec5-3d367ce04f40) is unreachable at
          the moment. Shadow is stored in the repository and the
          resource object will be created when the resource goes online</blockquote>
        <div><br>
        </div>
        <div>The above error is taken from the GUI. In the logs, I have
          the following:</div>
        <div><br>
        </div>
        <div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> ICF
            Exception
            org.identityconnectors.framework.common.exceptions.ConnectorIOException
            in connector:5b12de31-8e0c-48ab-8e5b-199467c16eab(ICF
            com.evolveum.polygon.connector.ldap.LdapConnector
            v1.4.3.0-SNAPSHOT):
            <a>resource:fd6c4614-3f1d-42c6-aec5-3d367ce04f40(OpenLDAP</a>
            Accounts Schema): Error adding LDAP entry
            cn=testGroup,ou=Groups,dc=mgmt,dc=example,dc=net:
            operationsError:  (1)</blockquote>
          <br>
          I've done this numerous times and never had this issue. I've
          tried debugging it for the last two hours but I'm coming up
          empty-handed. Here's my connector config:</div>
        <div><br>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><icfc:configurationProperties xmlns:gen36="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector" target="_blank">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector</a>"><br>
    <gen36:host><a href="http://example.symcpe.net" target="_blank">example.symcpe.net</a></gen36:host><br>
    <gen36:port>389</gen36:port><br>
    <gen36:connectionSecurity>starttls</gen36:connectionSecurity><br>
    <gen36:bindDn>cn=admin</gen36:bindDn><br>
    <gen36:bindPassword><br>
        <t:encryptedData><br>
            <t:encryptionMethod><br>
                <t:algorithm><a href="http://www.w3.org/2001/04/xmlenc#aes128-cbc" target="_blank">http://www.w3.org/2001/04/xmlenc#aes128-cbc</a></t:algorithm><br>
            </t:encryptionMethod><br>
            <t:keyInfo><br>
                <t:keyName>hJhPsasaSRiv/SoyMVjnDmRq3PKNuwQ=</t:keyName><br>
            </t:keyInfo><br>
            <t:cipherData><br>
                <t:cipherValue>ukt6JOfbox28PwIWwN4xnzg8/q8ZUHPlQyRm1IevYom6eaqUkzpxSiPKLxF6p4yO+v19fgegOwfqDxaXumzIQ==</t:cipherValue><br>
            </t:cipherData><br>
        </t:encryptedData><br>
    </gen36:bindPassword><br>
    <gen36:baseContext>dc=mgmt,dc=example,dc=net</gen36:baseContext><br>
    <gen36:passwordHashAlgorithm>SSHA</gen36:passwordHashAlgorithm><br>
    <gen36:pagingStrategy>auto</gen36:pagingStrategy><br>
    <gen36:vlvSortAttribute>uid</gen36:vlvSortAttribute><br>
    <gen36:vlvSortOrderingRule>2.5.13.3</gen36:vlvSortOrderingRule><br>
    <gen36:uidAttribute>dn</gen36:uidAttribute><br>
    <gen36:operationalAttributes>memberOf</gen36:operationalAttributes><br>
</icfc:configurationProperties><br>
</connectorConfiguration></blockquote>
          <div><br>
            Any help in debugging this issue would be greatly
            appreciated.  Oh also, yes I do have write access to this
            ldap server :) </div>
        </div>
        <div><br>
        </div>
        <div>Thanks, </div>
        <div>-F </div>
      </div>
      <br>
      <br>
      </div></div><pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
  </div>

<br></blockquote></div><br></div>
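The root cause Florin found (an OU name carrying a hidden trailing space, so the parent of <code>cn=testGroup,ou=Groups,dc=mgmt,dc=example,dc=net</code> did not exist under the DN midPoint used) is exactly the kind of thing Radovan's advice to compare the LDAP request against the server side turns up. As an added example, not code from the thread or from midPoint, the Python below decodes RFC 4514 DN escapes and checks whether the parent of a requested DN exists among a list of DNs read from the server, reporting near-misses that differ only by edge whitespace or case. The function names and the sample directory listing (where the OU is stored as <code>ou=Groups\20</code>) are constructed for illustration.

```python
import re
_RDN_SPLIT = re.compile(r'(?<!\\),')  # RFC 4514 RDN separator: a comma not escaped by backslash

def unescape_value(raw):
    """Decode RFC 4514 escapes (\\XX hex pairs, backslash + special char) into text."""
    out, i = bytearray(), 0
    while i < len(raw):
        hexpair = raw[i + 1:i + 3] if raw[i] == '\\' else ''
        if re.fullmatch(r'[0-9a-fA-F]{2}', hexpair):
            out.append(int(hexpair, 16))
            i += 3
        elif raw[i] == '\\' and i + 1 < len(raw):
            out += raw[i + 1].encode()
            i += 2
        else:
            out += raw[i].encode()
            i += 1
    return out.decode('utf-8', errors='replace')

def parse_dn(dn):
    """Return [(attribute_type, decoded_value), ...], leftmost RDN first."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().lower(), unescape_value(value)))
    return rdns

def suspicious_values(dn):
    """List RDN values with whitespace at the edges or non-printable characters."""
    return [f"{attr}: {value!r}" for attr, value in parse_dn(dn)
            if value != value.strip() or not value.isprintable()]

def diagnose_parent(entry_dn, existing_dns):
    """Explain why the parent of entry_dn is absent from existing_dns; None if it is present."""
    wanted = parse_dn(entry_dn)[1:]
    loose = lambda rdns: [(a, v.strip().casefold()) for a, v in rdns]
    parsed = [(dn, parse_dn(dn)) for dn in existing_dns]
    if any(have == wanted for _, have in parsed):
        return None  # parent exists: look at ACLs, schema or server logs instead
    for dn, have in parsed:
        if loose(have) == loose(wanted):
            why = '; '.join(suspicious_values(dn)) or 'only letter case differs'
            return f"parent exists only as {dn!r} ({why})"
    return "parent does not exist on the server"

# Constructed sample: the Groups OU was created with a trailing space, stored escaped as \20.
SAMPLE_SERVER_DNS = ["dc=mgmt,dc=example,dc=net", "ou=People,dc=mgmt,dc=example,dc=net",
                     "ou=Groups\\20,dc=mgmt,dc=example,dc=net"]
```

In practice the list of existing DNs comes from a subtree search against the server (for instance the output of ldapsearch), which is why a failing add with operationsError is worth checking from the server side, not only from the connector log.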