<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head><body text="#000000" bgcolor="#FFFFFF">Hi Oleksandr,<br>
Thanks for the response!!<br>
I guess I should have posted the connectorConfiguration section too.
I've already included memberOf. Here's that section of the LDAP
Resource:<br>
<br>
<connectorConfiguration <br>
xmlns:icfc=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"</a><br>
xmlns:icfcldap=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector"</a>><br>
<icfc:configurationProperties><br>
<icfcldap:port>636</icfcldap:port><br>
<icfcldap:host>ldap02.example.com</icfcldap:host><br>
<icfcldap:baseContext>ou=users,ou=accounts,dc=example,dc=com</icfcldap:baseContext><br>
<icfcldap:bindDn>cn=admin,dc=example,dc=com</icfcldap:bindDn><br>
<icfcldap:bindPassword><t:clearValue>secret</t:clearValue></icfcldap:bindPassword><br>
<icfcldap:connectionSecurity>ssl</icfcldap:connectionSecurity><br>
<icfcldap:usePermissiveModify>always</icfcldap:usePermissiveModify><br>
<icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy><br>
<icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm><br>
<icfcldap:vlvSortAttribute>cn</icfcldap:vlvSortAttribute><br>
<icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule><br>
<icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes><br>
<icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes><br>
</icfc:configurationProperties><br>
<icfc:resultsHandlerConfiguration><br>
<icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler><br>
<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler><br>
<icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler><br>
</icfc:resultsHandlerConfiguration><br>
</connectorConfiguration><br>
<br>
Do you see anything else that I might be missing?<br>
Thanks again!<br>
<span><br>
Oleksandr Nekriach wrote on 5/17/19 10:53 AM:</span><br>
<blockquote type="cite"
cite="mid:CANb693QdPwkwW97aXNyW_0wnQOXa7Vkzv3nrXwffJmSp1mE-5A@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div dir="ltr"><div dir="ltr"><div>Hi Brad,</div><div>Try to add value
"memberOf" into configuration settings operationalAttributes on your
LDAP resource in IDM</div><div><br></div><div>Best regards,</div><div>Oleksandr<br></div></div></div>
<br>
<div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 17
May 2019 at 18:34, Brad Firestone <<a
href="mailto:bhotrock@gmail.com" moz-do-not-send="true">bhotrock@gmail.com</a>>
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div
style="color:rgb(0,0,0);background-color:rgb(255,255,255)"
bgcolor="#FFFFFF">
I'm running midPoint 3.9 with LDAP connector 2.0 Connecting to OpenLDAP
version 2.4.45+dfsg-1ubuntu1 memberOf, refInt, lastBind, and sssvlv
overlays are installed.<br>
<br>
I've been trying to setup LDAP group management according to the Wiki
and other docs I've found. Automatic groupOfNames creation in
"ou=roles,ou=accounts,dc=example,dc=com" is working fine when I create a
Role with an Assignment of the LDAP Group Metarole. So that seems like
most of the connection is working correctly.<br>
<br>
But I'm getting the following error message when I try to add a user to a
Role that should put them in the LDAP Group.<br>
-------<br>
Operation:
operation.org.identityconnectors.framework.api.ConnectorFacade.updateDelta<br>
<br>
Message: Unknown UID: LDAP entry for UID Attribute: {Name=__UID__,
Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
{Name=__NAME__, Value=[cn=test
role,ou=roles,ou=accounts,dc=example,dc=com]}}
was not found<br>
<br>
Parameters: uid [caed9d00-0c8c-1039-98e5-a53942dc29e0]<br>
attributesDelta: [[Attribute: {Name=member,
ValuesToAdd=[cn=testuser,ou=users,ou=accounts,dc=example,dc=com],
ValuesToRemove=null,
ValuesToReplace=null}]]<br>
objectClass: [crOCD
({<a class="gmail-m_2343431558516907905moz-txt-link-freetext"
href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
target="_blank" moz-do-not-send="true">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>}groupOfNames)]<br>
options: [OperationOptions: {}]<br>
<br>
Context: connector [class
org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl]<br>
<br>
Error:
org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
entry for UID Attribute: {Name=__UID__,
Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
{Name=__NAME__, Value=[cn=test
role,ou=roles,ou=accounts,dc=example,dc=com]}}
was not found)<br>
-------<br>
<br>
Here is the Association section from the LDAP Resource:<br>
<association><br>
<ref>ri:ldapGroup</ref><br>
<tolerant>false</tolerant><br>
<displayName>LDAP Group
Membership</displayName><br>
<kind>entitlement</kind><br>
<intent>ldapGroup</intent><br>
<direction>objectToSubject</direction><br>
<associationAttribute>ri:member</associationAttribute><br>
<valueAttribute>ri:dn</valueAttribute><br>
<shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
<br>
<explicitReferentialIntegrity>false</explicitReferentialIntegrity><br>
</association><br>
<br>
And the Entitlement Object section from the LDAP Resource:<br>
<objectType><br>
<kind>entitlement</kind><br>
<intent>ldapGroup</intent><br>
<displayName>LDAP Group</displayName><br>
<objectClass>ri:groupOfNames</objectClass><br>
<br>
<attribute><br>
<ref>ri:dn</ref><br>
<matchingRule>mr:distinguishedName</matchingRule><br>
<outbound><br>
<!-- Name cannot be weak. Changes in name trigger
object rename. --><br>
<source><br>
<path>$focus/name</path><br>
</source><br>
<expression><br>
<script><br>
<code><br>
import javax.naming.ldap.Rdn<br>
import javax.naming.ldap.LdapName<br>
<br>
dn = new
LdapName('ou=roles,ou=accounts,dc=example,dc=org')<br>
dn.add(new Rdn('cn', name.toString()))<br>
return dn.toString()<br>
</code><br>
</script><br>
</expression><br>
</outbound><br>
</attribute><br>
<attribute><br>
<ref>ri:member</ref><br>
<matchingRule>mr:distinguishedName</matchingRule><br>
<fetchStrategy>minimal</fetchStrategy><br>
<outbound><br>
<strength>strong</strength><br>
<!-- Workaround - groupOfNames MUST have at least
one member. Even non-existent DN. --><br>
<expression><br>
<value>cn=dummy,o=whatever</value><br>
</expression><br>
</outbound><br>
</attribute> <br>
<attribute><br>
<ref>ri:cn</ref><br>
<matchingRule>mr:stringIgnoreCase</matchingRule><br>
<outbound><br>
<strength>weak</strength><br>
<source><br>
<path>$focus/name</path><br>
</source><br>
</outbound><br>
</attribute><br>
<attribute><br>
<ref>ri:description</ref><br>
<outbound><br>
<source><br>
<path>description</path><br>
</source><br>
</outbound><br>
</attribute><br>
<configuredCapabilities><br>
<cap:pagedSearch><br>
<cap:defaultSortField>ri:cn</cap:defaultSortField><br>
</cap:pagedSearch><br>
</configuredCapabilities><br>
</objectType><br>
<br>
I'm not sure if there are other important configs that would be helpful
to see. I'll be happy to post anything that's helpful.<br>
<br>
This may be a related issue that might help locate the issue: When I
look at the Accounts tab of the Resource in the GUI, Search In: Resource
gives a list of Accounts on the server. However, doing the same in the
Entitlements tab, with the Intent set to ldapGroup, does not display
any entries, even though there are groups on the server.<br>
<br>
One last thing that might help diagnose this: If I try to remove the
LDAP Group Metarole assignment from the Role, (hoping it would delete
the groupOfNames from the server, I get the following error:<br>
--------<br>
<span>Can't delete object
shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=test
role,ou=roles,ou=accounts,dc=example,dc=com). Reason:
org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
entry for UID Attribute: {Name=__UID__,
Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
{Name=__NAME__, Value=[cn=test
role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found): Can't
delete object shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=Test
Role,ou=roles,ou=accounts,dc=example,dc=com). Reason:
org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
entry for UID Attribute: {Name=__UID__,
Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
{Name=__NAME__, Value=[cn=test
role,ou=roles,ou=accounts,dc=example,dc=com]}}
was not found)</span><br>
<br>
-------<br>
I'm reasonably sure I just have something out of place somewhere.
Hopefully someone can spot what I've done wrong.<br>
Thank you!<br>
Brad <br>
</div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank"
moz-do-not-send="true">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br></blockquote></div>
<br clear="all">
<br>
-- <br>
<div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div
dir="ltr"><span style="color:rgb(76,76,76)">Best regards, <br><br><img
src="cid:part5.3DF2C1D2.1522E928@gmail.com" name="image.png"> <br><br>Oleksandr
Nekriach | Identity and access management engineer <br><br>Dynatech, <a
href="https://www.google.com/maps/place/DYNATECH/@56.9575205,24.1107235,17z/data=%213m1%214b1%214m5%213m4%211s0x46eecf5753e42351:0x23b120b9745cae62%218m2%213d56.9575205%214d24.1129122"
target="_blank" moz-do-not-send="true">Jeruzalemes iela 1, Rīga,
LV-1010, Latvia</a><br><br><div style="display:inline-block"><a
href="tel:+371%2025%20314%20685" value="+37125314685" target="_blank"
moz-do-not-send="true">+37125314685</a></div>, <div
style="display:inline-block"><a href="mailto:o.nekriach@dynatech.lv"
target="_blank" moz-do-not-send="true">o.nekriach@dynatech.lv</a></div> |
<div style="display:inline-block"><a href="http://www.dynatech.lv"
target="_blank" moz-do-not-send="true">www.dynatech.lv</a></div> <br><br>Stay
connected: <br><div style="display:inline-block;margin:5px 5px 0px 0px"><a
href="https://www.facebook.com/DynatechLatvia/?ref=br_rs"
target="_blank" moz-do-not-send="true"><img
src="cid:part10.E6D6AD05.55F5CBD2@gmail.com" name="image.png"></a></div><div
style="display:inline-block;margin:5px 0px 0px"><a
href="https://www.linkedin.com/company-beta/17893047/" target="_blank"
moz-do-not-send="true"><img src="cid:part12.CD97D550.3DD01663@gmail.com"
name="image.png"></a></div><br><br><span
style="font-size:11px;color:rgb(161,161,161)">Confidentiality
Notice: This message contains confidential information and is intended
only for the named recipient(s). If you are not the addressee you may
not copy, distribute or perform any other activities with this
information. If you have received this transmission in error, please
notify us by e-mail immediately. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or incomplete, or
contain viruses.</span></span></div></div></div></div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body></html>