<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
I was curious. I have checked my testing AD 2012R2. And it works
well with VLV:<br>
<br>
Search REQ base=CN=Users,DC=ad,DC=evolveum,DC=com,
filter=(objectClass=user), scope=sub,<br>
attributes=[*, unicodePwd, userAccountControl, createTimeStamp,
msExchHideFromAddressLists, objectGUID, objectClass],
controls=Sort(cn:null:A),,VLV(beforeCount=0, afterCount=1,
offset=2, contentCount=0, contextID=null)<br>
<br>
Maybe the problem is not VLV by itself, maybe the problem is that
sort? Maybe it works only for some attributes? <br>
Or maybe there is some special configuration in your case? My AD
instance is pretty much default configuration.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com</pre>
<br>
<br>
On 7/30/19 2:48 PM, <a class="moz-txt-link-abbreviated" href="mailto:JStanczak@vinu.edu">JStanczak@vinu.edu</a> wrote:<br>
</div>
<blockquote type="cite"
cite="mid:OFA1887D52.FC536D31-ON85258447.00453ED3-85258447.004662E6@vinu.edu">
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
<font size="2" face="Default Sans
Serif,Verdana,Arial,Helvetica,sans-serif">
<div>Windows Server 2012 R2. </div>
<div><span style="font-size: 12.8px;"><br>
</span></div>
<div><span style="font-size: 12.8px;">Ya I've tried several
codes. Nothing seems to work. Many of the codes were from
Ldp.exe. SPR is ok for now but I will have to loop back and
fix this issue later. I'm kind of at a loss for the moment.</span><br>
</div>
<div><br>
</div>
<div>Thanks. </div>
<br>
<br>
<font color="#990099">-----"midPoint" <<a
href="mailto:midpoint-bounces@lists.evolveum.com"
target="_blank" moz-do-not-send="true">midpoint-bounces@lists.evolveum.com</a>>
wrote: -----</font>
<div class="iNotesHistory" style="padding-left:5px;">
<div
style="padding-right:0px;padding-left:5px;border-left:solid
black 2px;">To: <a
href="mailto:midpoint@lists.evolveum.com" target="_blank"
moz-do-not-send="true">midpoint@lists.evolveum.com</a><br>
From: "Radovan Semancik" <radovan.semancik@evolveum.com><br>
Sent by: "midPoint" <midpoint-bounces@lists.evolveum.com><br>
Date: 07/30/2019 04:01AM<br>
Subject: Re: [midPoint] unavailableCriticalExtension:
000020EF: SvcErr: DSID-03140552, problem 5010
(UNAVAIL_EXTENSION)<br>
<br>
<!--Notes ACF
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">-->
<div class="moz-cite-prefix">Hi,<br>
<br>
Ordering rule 2.5.13.3 works for OpenLDAP. It is
perhaps worth trying. The trouble with AD is that it
does not specify any matching rules in its LDAP
schema. Therefore this is all pretty much a guesswork.<br>
<br>
However, I'm quite curious. What version/flavor of AD
are you using? I have tested the connector with
several versions and configurations, but I have never
run into this problem. Paging/sorting worked without
any need for special configuration. I wonder what
might me the root cause.<br>
<br>
<div><font size="2" face="Courier
New,Courier,monospace">-- <br>
Radovan Semancik<br>
Software Architect<br>
evolveum.com</font></div>
<br>
<br>
<br>
On 7/29/19 5:50 PM, <a
class="moz-txt-link-abbreviated"
href="mailto:JStanczak@vinu.edu"
moz-do-not-send="true">JStanczak@vinu.edu</a> wrote:<br>
</div>
<blockquote type="cite"
cite="mid:OFE896DA2F.E968812E-ON85258443.00707F15-85258446.005701FB@vinu.edu">
<!--Notes ACF
<meta http-equiv="content-type" content="text/html; charset=windows-1252">-->
<font size="2" face="Default Sans
Serif,Verdana,Arial,Helvetica,sans-serif"><font
size="2" face="Default Sans
Serif,Verdana,Arial,Helvetica,sans-serif">
<div style="font-family: Verdana, Arial,
Helvetica, sans-serif;">That helps. It's the VLV
causing it. I think I have it almost there but
I'm not sure what ordering rule (VLV ordering
rule) to use. </div>
<div style="font-family: Verdana, Arial,
Helvetica, sans-serif;"><br>
</div>
<div style=""><font face="Verdana, Arial,
Helvetica, sans-serif">controls=Sort(uid:<????>:A)
<-- I've tried several numbers and each
time I get unavailableCriticalExtension. </font><br>
</div>
<div style=""><br>
</div>
<div style="">Setting to SPR works just fine but
it would be nice to use VLV if it's better. </div>
<div style=""><br>
</div>
<div style="">Thanks.</div>
<div style=""><font face="Verdana, Arial,
Helvetica, sans-serif"><br>
</font></div>
<div style=""><font face="Verdana, Arial,
Helvetica, sans-serif"><br>
</font></div>
<br>
<br>
<font style="font-family: Verdana, Arial,
Helvetica, sans-serif;" color="#990099">-----"midPoint"
<<a
href="mailto:midpoint-bounces@lists.evolveum.com"
target="_blank" moz-do-not-send="true">midpoint-bounces@lists.evolveum.com</a>>
wrote: -----</font>
<div class="iNotesHistory" style="font-family:
Verdana, Arial, Helvetica, sans-serif;
padding-left: 5px;">
<div
style="padding-right:0px;padding-left:5px;border-left:solid
black 2px;">To: <a
href="mailto:midpoint@lists.evolveum.com"
target="_blank" moz-do-not-send="true">midpoint@lists.evolveum.com</a><br>
From: "Radovan Semancik"
<!--Notes ACF
<radovan.semancik@evolveum.com>--><br>
Sent by: "midPoint"
<!--Notes ACF
<midpoint-bounces@lists.evolveum.com>--><br>
Date: 07/25/2019 05:27AM<br>
Subject: Re: [midPoint]
unavailableCriticalExtension: 000020EF:
SvcErr: DSID-03140552, problem 5010
(UNAVAIL_EXTENSION)<br>
<br>
<!--Notes ACF
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">-->
<div class="moz-cite-prefix">Hi,<br>
<br>
LDAP protocol is extensible by using a
mechanisms of extended operations and
controls. This error suggests, that AD does
not support one of the controls that are
used in operation that midPoint has
requested. You can have a look at AD log
files and hope that you will find more
information as to which particular control
is not supported. Or you can contact
Microsoft support. However, according to my
experience, both are quite pointless
exercises. When it comes to that particular
technology, trial-and-error is the best
approach that I could find.<br>
<br>
Therefore I would suggest to follow our
troubleshooting guide:<br>
<br>
<a class="moz-txt-link-freetext"
href="https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting"
moz-do-not-send="true">https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting</a><br>
<br>
I would recommend to find the LDAP operation
that caused the error. The connector should
log all important parts of the operations,
including the controls. Look for
"controls=....". One of those controls is
probably the cause of the problem. Once you
know what control is the problem, you can
try enable that control in the AD. Or, if
that is not possible, then the connector has
several configuration options that control
the use those LDAP controls. However, the
connector is only using a very basic set of
controls that make LDAP protocol barely
usable for IDM purposes. Disabling any of
them may affect usability of midPoint's
connection to AD. But I'm speculating here.
Let's see what control is the problem first.<br>
<br>
<div><font size="2" face="Courier
New,Courier,monospace">-- <br>
Radovan Semancik<br>
Software Architect<br>
evolveum.com</font></div>
<br>
<br>
On 7/24/19 3:44 PM, <a
class="moz-txt-link-abbreviated"
href="mailto:JStanczak@vinu.edu"
moz-do-not-send="true">JStanczak@vinu.edu</a>
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:OFBBED4F62.FB37290F-ON85258441.004B7D8C-85258441.004B7D8C@vinu.edu">
<!--Notes ACF
<meta http-equiv="content-type" content="text/html; charset=windows-1252">-->
<font size="2" face="Default Sans
Serif,Verdana,Arial,Helvetica,sans-serif">
<div style="">
<div style=""><font face="Verdana,
Arial, Helvetica, sans-serif">When
accessing all users on the resource
I get the below error. Searching for
users works fine too. Is this some
AD limitation?</font></div>
<div style=""><font face="Verdana,
Arial, Helvetica, sans-serif"><br>
</font></div>
<div style=""><font face="Verdana,
Arial, Helvetica, sans-serif"><br>
</font></div>
<div style=""><font face="Verdana,
Arial, Helvetica, sans-serif">
<div>
<div>com.evolveum.polygon.connector.ldap.ad.AdLdapConnector
- <span style="font-size:
12.8px;">2.0</span></div>
</div>
<div>java.version - 1.8.0_191</div>
</font></div>
<div style=""><font face="Verdana,
Arial, Helvetica, sans-serif">
<div>Version - 3.9</div>
</font></div>
<div style=""><font face="Verdana,
Arial, Helvetica, sans-serif">
<div>ConnId framework version -
1.5.0.0</div>
<div><br>
</div>
</font></div>
<div style=""><font face="Verdana,
Arial, Helvetica, sans-serif">com.evolveum.midpoint.util.exception.CommunicationException:
Error communicating with the
connector
ConnectorInstanceIcfImpl(connector:cd7ec95b-9007-47b4-b6f6-9a95ec085f68(ConnId
com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v2.0)): IO error:
org.identityconnectors.framework.common.exceptions.ConnectorIOException(LDAP
error during search in
DC=local-test,DC=vinu,DC=edu:
unavailableCriticalExtension:
000020EF: SvcErr: DSID-03140552,
problem 5010 (UNAVAIL_EXTENSION),
data 0?? (12))</font></div>
<div style=""><font face="Verdana,
Arial, Helvetica, sans-serif"><span style="white-space: pre;"> </span>at
com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.searchResourceObjects(ResourceObjectConverter.java:1330)</font></div>
<div style=""><font face="Verdana,
Arial, Helvetica, sans-serif"><br>
</font></div>
<div style=""><font face="Verdana,
Arial, Helvetica, sans-serif">Thanks.</font></div>
</div>
</font> <br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<div><font size="2" face="Courier
New,Courier,monospace">_______________________________________________<br>
midPoint mailing list<br>
<a class="moz-txt-link-abbreviated"
href="mailto:midPoint@lists.evolveum.com"
moz-do-not-send="true">midPoint@lists.evolveum.com</a><br>
<a class="moz-txt-link-freetext"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</font></div>
</blockquote>
<br>
<br>
<div><font size="2" face="Courier
New,Courier,monospace">_______________________________________________<br>
midPoint mailing list<br>
<a
href="mailto:midPoint@lists.evolveum.com"
target="_blank" moz-do-not-send="true">midPoint@lists.evolveum.com</a><br>
<a
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</font></div>
<!--Notes ACF
</midpoint-bounces@lists.evolveum.com>--><!--Notes ACF
</radovan.semancik@evolveum.com>--></div>
</div>
</font></font> <br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<div><font size="2" face="Courier
New,Courier,monospace">_______________________________________________<br>
midPoint mailing list<br>
<a class="moz-txt-link-abbreviated"
href="mailto:midPoint@lists.evolveum.com"
moz-do-not-send="true">midPoint@lists.evolveum.com</a><br>
<a class="moz-txt-link-freetext"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</font></div>
</blockquote>
<br>
<br>
<div><font size="2" face="Courier New,Courier,monospace">_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com"
target="_blank" moz-do-not-send="true">midPoint@lists.evolveum.com</a><br>
<a
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</font></div>
</midpoint-bounces@lists.evolveum.com></radovan.semancik@evolveum.com></div>
</div>
</font>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">
</pre>
</body>
</html>