<div dir="ltr">Most of those settings are standard LDAP related; for AD it seems to not like most of the settings. We are using AD/LDAP connector on 2019 without issue; results config is below, everything else is undefined.<div><br></div><div> &lt;icfc:resultsHandlerConfiguration&gt;<br> &lt;icfc:enableNormalizingResultsHandler&gt;false&lt;/icfc:enableNormalizingResultsHandler&gt;<br> &lt;icfc:enableFilteredResultsHandler&gt;false&lt;/icfc:enableFilteredResultsHandler&gt;<br> &lt;icfc:enableAttributesToGetSearchResultsHandler&gt;false&lt;/icfc:enableAttributesToGetSearchResultsHandler&gt;<br> &lt;/icfc:resultsHandlerConfiguration&gt;</div><div><br><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 30, 2019 at 7:48 AM &lt;<a href="mailto:JStanczak@vinu.edu">JStanczak@vinu.edu</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif" size="2"><div>Windows Server 2012 R2. </div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Ya I've tried several codes. Nothing seems to work. Many of the codes were from Ldp.exe. SPR is ok for now but I will have to loop back and fix this issue later. I'm kind of at a loss for the moment.</span><br></div><div><br></div><div>Thanks. 
</div><br><br><font color="#990099">-----"midPoint" <<a href="mailto:midpoint-bounces@lists.evolveum.com" target="_blank">midpoint-bounces@lists.evolveum.com</a>> wrote: -----</font><div class="gmail-m_-1087027223243158808iNotesHistory" style="padding-left:5px"><div style="padding-right:0px;padding-left:5px;border-left:2px solid black">To: <a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>From: "Radovan Semancik" <u></u><br>Sent by: "midPoint" <u></u><br>Date: 07/30/2019 04:01AM<br>Subject: Re: [midPoint] unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)<br><br>
<div class="gmail-m_-1087027223243158808moz-cite-prefix">Hi,<br>
<br>
Ordering rule 2.5.13.3 works for OpenLDAP. It is perhaps worth
trying. The trouble with AD is that it does not specify any
matching rules in its LDAP schema. Therefore this is all pretty
        much guesswork.<br>
<br>
However, I'm quite curious. What version/flavor of AD are you
using? I have tested the connector with several versions and
configurations, but I have never run into this problem.
Paging/sorting worked without any need for special configuration.
        I wonder what might be the root cause.<br>
<br>
<div><font face="Courier New,Courier,monospace" size="2">-- <br>Radovan Semancik<br>Software Architect<br><a href="http://evolveum.com" target="_blank">evolveum.com</a></font></div>
<br>
<br>
<br>
On 7/29/19 5:50 PM, <a class="gmail-m_-1087027223243158808moz-txt-link-abbreviated" href="mailto:JStanczak@vinu.edu" target="_blank">JStanczak@vinu.edu</a> wrote:<br>
</div>
<blockquote type="cite">
<font size="2" face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><font size="2" face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif">
<div style="font-family:Verdana,Arial,Helvetica,sans-serif">That helps. It's the VLV causing it. I think I
have it almost there but I'm not sure what ordering rule
(VLV ordering rule) to use. </div>
<div style="font-family:Verdana,Arial,Helvetica,sans-serif"><br>
</div>
              <div><font face="Verdana, Arial, Helvetica, sans-serif">controls=Sort(uid:&lt;????&gt;:A)   &lt;-- I've
tried several numbers and each time I get
unavailableCriticalExtension. </font><br>
</div>
<div><br>
</div>
<div>Setting to SPR works just fine but it would be
nice to use VLV if it's better. </div>
<div><br>
</div>
<div>Thanks.</div>
<div><font face="Verdana, Arial, Helvetica, sans-serif"><br>
</font></div>
<div><font face="Verdana, Arial, Helvetica, sans-serif"><br>
</font></div>
<br>
<br>
<font style="font-family:Verdana,Arial,Helvetica,sans-serif" color="#990099">-----"midPoint" <<a href="mailto:midpoint-bounces@lists.evolveum.com" target="_blank">midpoint-bounces@lists.evolveum.com</a>>
wrote: -----</font>
<div class="gmail-m_-1087027223243158808iNotesHistory" style="font-family:Verdana,Arial,Helvetica,sans-serif;padding-left:5px">
<div style="padding-right:0px;padding-left:5px;border-left:2px solid black">To: <a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
From: "Radovan Semancik"
<br>
Sent by: "midPoint"
<br>
Date: 07/25/2019 05:27AM<br>
Subject: Re: [midPoint] unavailableCriticalExtension:
000020EF: SvcErr: DSID-03140552, problem 5010
(UNAVAIL_EXTENSION)<br>
<br>
<div class="gmail-m_-1087027223243158808moz-cite-prefix">Hi,<br>
<br>
                    The LDAP protocol is extensible by using the mechanisms of
                    extended operations and controls. This error suggests
                    that AD does not support one of the controls that are
                    used in the operation that midPoint has requested. You can
have a look at AD log files and hope that you will find
more information as to which particular control is not
supported. Or you can contact Microsoft support.
However, according to my experience, both are quite
pointless exercises. When it comes to that particular
technology, trial-and-error is the best approach that I
could find.<br>
<br>
                    Therefore I would suggest following our troubleshooting
                    guide:<br>
<br>
<a class="gmail-m_-1087027223243158808moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting" target="_blank">https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting</a><br>
<br>
                    I would recommend finding the LDAP operation that caused
                    the error. The connector should log all important parts
                    of the operations, including the controls. Look for
                    "controls=....". One of those controls is probably the
                    cause of the problem. Once you know what control is the
                    problem, you can try enabling that control in the AD. Or,
                    if that is not possible, then the connector has several
                    configuration options that control the use of those LDAP
                    controls. However, the connector is only using a very
basic set of controls that make LDAP protocol barely
usable for IDM purposes. Disabling any of them may
affect usability of midPoint's connection to AD. But I'm
speculating here. Let's see what control is the problem
first.<br>
<br>
<div><font size="2" face="Courier New,Courier,monospace">--
<br>
Radovan Semancik<br>
Software Architect<br>
<a href="http://evolveum.com" target="_blank">evolveum.com</a></font></div>
<br>
<br>
On 7/24/19 3:44 PM, <a class="gmail-m_-1087027223243158808moz-txt-link-abbreviated" href="mailto:JStanczak@vinu.edu" target="_blank">JStanczak@vinu.edu</a> wrote:<br>
</div>
<blockquote type="cite">
<font size="2" face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif">
<div>
<div><font face="Verdana, Arial, Helvetica, sans-serif">When accessing all users on the
resource I get the below error. Searching for
users works fine too. Is this some AD
limitation?</font></div>
<div><font face="Verdana, Arial, Helvetica, sans-serif"><br>
</font></div>
<div><font face="Verdana, Arial, Helvetica, sans-serif"><br>
</font></div>
<div><font face="Verdana, Arial, Helvetica, sans-serif">
<div>
<div>com.evolveum.polygon.connector.ldap.ad.AdLdapConnector
- <span style="font-size:12.8px">2.0</span></div>
</div>
<div>java.version - 1.8.0_191</div>
</font></div>
<div><font face="Verdana, Arial, Helvetica, sans-serif">
<div>Version - 3.9</div>
</font></div>
<div><font face="Verdana, Arial, Helvetica, sans-serif">
<div>ConnId framework version - 1.5.0.0</div>
<div><br>
</div>
</font></div>
<div><font face="Verdana, Arial, Helvetica, sans-serif">com.evolveum.midpoint.util.exception.CommunicationException:
Error communicating with the connector
ConnectorInstanceIcfImpl(connector:cd7ec95b-9007-47b4-b6f6-9a95ec085f68(ConnId
com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v2.0)): IO error:
org.identityconnectors.framework.common.exceptions.ConnectorIOException(LDAP
error during search in
DC=local-test,DC=vinu,DC=edu:
unavailableCriticalExtension: 000020EF: SvcErr:
DSID-03140552, problem 5010 (UNAVAIL_EXTENSION),
data 0?? (12))</font></div>
<div><font face="Verdana, Arial, Helvetica, sans-serif"><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.searchResourceObjects(ResourceObjectConverter.java:1330)</font></div>
<div><font face="Verdana, Arial, Helvetica, sans-serif"><br>
</font></div>
<div><font face="Verdana, Arial, Helvetica, sans-serif">Thanks.</font></div>
</div>
</font> <br>
<fieldset class="gmail-m_-1087027223243158808mimeAttachmentHeader"></fieldset>
<div><font size="2" face="Courier New,Courier,monospace">_______________________________________________<br>
midPoint mailing list<br>
<a class="gmail-m_-1087027223243158808moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a class="gmail-m_-1087027223243158808moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</font></div>
</blockquote>
<br>
<br>
</div>
</div>
</font></font>
<br>
</blockquote>
<br>
<br>
</div></div></font>
</blockquote></div>
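The Sort(uid:...:A) control discussed in this thread, shown at the wire level as an added example that is not part of any message above and is not the connector's code: a BER encoding of the RFC 2891 server-side sort request control using the ordering rule 2.5.13.3 mentioned in the thread. The helper names are hypothetical; the criticality flag is the field that decides whether a server that cannot process the control must fail the search with unavailableCriticalExtension (result code 12) or may ignore the control.

```python
# Added example: BER encoding of one LDAP Control carrying an RFC 2891
# server-side sort request. Helper names are hypothetical.
SORT_REQUEST_OID = "1.2.840.113556.1.4.473"  # sort request control (RFC 2891)
CASE_IGNORE_ORDERING = "2.5.13.3"            # ordering rule tried in the thread


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER element with a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def sort_key(attribute: str, ordering_rule: str = None, reverse: bool = False) -> bytes:
    """SEQUENCE { attributeType, orderingRule [0] OPTIONAL, reverseOrder [1] DEFAULT FALSE }"""
    body = tlv(0x04, attribute.encode("ascii"))
    if ordering_rule is not None:
        body += tlv(0x80, ordering_rule.encode("ascii"))  # context tag [0]
    if reverse:
        body += tlv(0x81, b"\xff")                        # context tag [1], TRUE
    return tlv(0x30, body)


def sort_control(keys, critical: bool) -> bytes:
    """Control ::= SEQUENCE { controlType, criticality DEFAULT FALSE, controlValue }"""
    key_list = tlv(0x30, b"".join(keys))                  # SortKeyList
    body = tlv(0x04, SORT_REQUEST_OID.encode("ascii"))
    if critical:
        body += tlv(0x01, b"\xff")                        # criticality TRUE
    body += tlv(0x04, key_list)                           # controlValue wraps the list
    return tlv(0x30, body)


if __name__ == "__main__":
    key = sort_key("uid", CASE_IGNORE_ORDERING)
    for critical in (True, False):
        print(critical, sort_control([key], critical).hex())
```

The two encodings differ only by the three-byte criticality element, which is omitted when it has its default value of FALSE.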