<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} p
{margin-top:0;
margin-bottom:0}--></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hello,</p>
<p><br>
</p>
<p>we finally figured out the problem. For the record:</p>
<p><br>
</p>
<p>Background: We've defined an admin role with limited authorizations. Such admins can do little more than assign/unassign roles to users. The roles induce some group memberships in LDAP. The "Connector reference missing" error occurred whenever an admin tried to assign roles to anyone in the midPoint GUI. Assignment through the REST API has worked fine all the time.<br>
</p>
<p><br>
</p>
<p>Fix/workaround: added the following authorization for the admin:</p>
<p><br>
</p>
<p>&lt;authorization id="9"&gt;<br>
&lt;name&gt;read-resource-and-connector&lt;/name&gt;<br>
&lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read&lt;/action&gt;<br>
&lt;object&gt;<br>
&lt;type&gt;ResourceType&lt;/type&gt;<br>
&lt;/object&gt;<br>
&lt;object&gt;<br>
&lt;type&gt;ConnectorType&lt;/type&gt;<br>
&lt;/object&gt;<br>
&lt;/authorization&gt;<br>
</p>
<p><br>
</p>
<p>(Access to ConnectorType is not strictly needed, but it seems that without it midPoint creates a new connector instance, as it cannot resolve the reference in the resource configuration. Authorization for the execution phase only does not suffice; the request phase is also needed here.<br>
</p>
<p><br>
</p>
<p>I have no time to bisect our history to see which configuration change has made this autz necessary.)<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p>Pondering: it seems that midPoint cannot read the resource and/or connector due to the authorizations, and then goes on to update some cache with the information "there is no connectorRef in this Resource". This smells like a bug in midPoint 3.5: one failed authorization should just yield an "access denied" response instead of taking the whole installation into an unusable state.<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p>Mikko Pekkarinen<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
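<p>An added example, not part of the original message and not midPoint code: a small Python check that reports in which phases a role lacks the read authorization on ResourceType and ConnectorType described above. The role XML is constructed and the function names are hypothetical. It assumes that an authorization without a phase element applies to both the request and execution phases, and it only considers authorizations that name an explicit object type.</p>

```python
import xml.etree.ElementTree as ET

C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"
READ = "http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read"
PHASES = {"request", "execution"}

# Constructed sample role: the first authorization is limited to the execution
# phase (the variant reported as insufficient); the second has no <phase>.
SAMPLE_ROLE = """
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>limited-admin</name>
  <authorization>
    <name>read-resource-execution-only</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <phase>execution</phase>
    <object><type>ResourceType</type></object>
  </authorization>
  <authorization>
    <name>read-connector</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object><type>ConnectorType</type></object>
  </authorization>
</role>
"""

def read_phases(role_xml):
    """Map object type -> set of phases in which the role allows #read on it."""
    covered = {}
    for authz in ET.fromstring(role_xml).iter(C + "authorization"):
        actions = {a.text.strip() for a in authz.findall(C + "action") if a.text}
        if READ not in actions or authz.findtext(C + "decision") == "deny":
            continue
        phase = authz.findtext(C + "phase")
        # Assumption: an authorization without <phase> applies to both phases.
        phases = {phase.strip()} if phase else set(PHASES)
        for obj in authz.findall(C + "object"):
            # QName values may carry a prefix such as "c:ResourceType".
            name = (obj.findtext(C + "type") or "").strip().split(":")[-1]
            if name:
                covered.setdefault(name, set()).update(phases)
    return covered

def missing_read(role_xml, required=("ResourceType", "ConnectorType")):
    """Return {type: sorted missing phases} for required types not fully covered."""
    covered = read_phases(role_xml)
    return {t: sorted(PHASES - covered.get(t, set()))
            for t in required if PHASES - covered.get(t, set())}

if __name__ == "__main__":
    print(missing_read(SAMPLE_ROLE))
```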
<div dir="ltr" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> midPoint &lt;midpoint-bounces@lists.evolveum.com&gt; on behalf of Pertti Kellomäki &lt;pertti.kellomaki@datactica.fi&gt;<br>
<b>Sent:</b> 22 February 2018 15:56<br>
<b>To:</b> midpoint@lists.evolveum.com<br>
<b>Subject:</b> [midPoint] Connector reference goes missing</font>
<div> </div>
</div>
<div>
<p>Hi all,</p>
<p><br>
</p>
<p>Bit of a long shot I know, but has anyone encountered connector references going missing all of a sudden? It has started to happen in our test environment seemingly out of the blue. Livesyncing the resource works without problems until the connector reference
goes missing and we get errors like the following in idm.log. The resource shows in the Resources list as "null(FATAL_ERROR)". The connector does show up in Configuration -> Repository objects -> connector, however.<br>
</p>
<p><br>
</p>
<p>The java process does grow very large, almost 2 gigabytes. Could this be a problem? I don't see anything relevant in the logs though.</p>
<p><br>
</p>
<p>TIA,</p>
<p><br>
</p>
<p>Pertti<br>
</p>
<p><br>
</p>
<p>2018-02-22 13:22:26,667 [] [midPointScheduler_Worker-6] ERROR (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Synchronization error: configuration problem: Connector reference missing in the resource resource:a6cd7bc2-de59-11e6-a6a9-10bf4876d25a(null)<br>
com.evolveum.midpoint.util.exception.ConfigurationException: Connector reference missing in the resource resource:a6cd7bc2-de59-11e6-a6a9-10bf4876d25a(null)<br>
at com.evolveum.midpoint.provisioning.impl.ProvisioningContext.getConnectorInstance(ProvisioningContext.java:274) ~[provisioning-impl-3.5.jar:na]<br>
at com.evolveum.midpoint.provisioning.impl.ProvisioningContext.getConnector(ProvisioningContext.java:184) ~[provisioning-impl-3.5.jar:na]<br>
at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1573) ~[provisioning-impl-3.5.jar:na]<br>
at com.evolveum.midpoint.provisioning.impl.ShadowCache.synchronize(ShadowCache.java:1239) ~[provisioning-impl-3.5.jar:na]<br>
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:426) ~[provisioning-impl-3.5.jar:na]<br>
at com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.runInternal(LiveSyncTaskHandler.java:197) [model-impl-3.5.jar:na]<br>
at com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:84) [model-impl-3.5.jar:na]<br>
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:648) [task-quartz-impl-3.5.jar:na]<br>
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:528) [task-quartz-impl-3.5.jar:na]<br>
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:171) [task-quartz-impl-3.5.jar:na]<br>
at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.2.3.jar:na]<br>
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.2.3.jar:na]<br>
Caused by: com.evolveum.midpoint.util.exception.ObjectNotFoundException: Connector reference missing in the resource resource:a6cd7bc2-de59-11e6-a6a9-10bf4876d25a(null)<br>
at com.evolveum.midpoint.provisioning.impl.ConnectorManager.getConnectorTypeReadOnly(ConnectorManager.java:205) ~[provisioning-impl-3.5.jar:na]<br>
at com.evolveum.midpoint.provisioning.impl.ConnectorManager.createConfiguredConnectorInstance(ConnectorManager.java:150) ~[provisioning-impl-3.5.jar:na]<br>
at com.evolveum.midpoint.provisioning.impl.ConnectorManager.getConfiguredConnectorInstance(ConnectorManager.java:134) ~[provisioning-impl-3.5.jar:na]<br>
at com.evolveum.midpoint.provisioning.impl.ProvisioningContext.getConnectorInstance(ProvisioningContext.java:265) ~[provisioning-impl-3.5.jar:na]<br>
... 11 common frames omitted<br>
</p>
</div>
</div>
</body>
</html>