<div dir="ltr">Hi,<div>I think we had the same issue when trying to access all users on an Active Directory Resource.</div><div><br></div><div>After doing some research, what worked for us was adding this line inside &lt;connectorConfiguration&gt;:</div><div><br>&lt;pagingBlockSize&gt;5&lt;/pagingBlockSize&gt;<br></div><div><br></div><div>Let me know if this works for you.</div><div>Regards.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jul 31, 2019 at 9:15 AM Radovan Semancik &lt;<a href="mailto:radovan.semancik@evolveum.com">radovan.semancik@evolveum.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF">
    <div class="gmail-m_1128383676612133110moz-cite-prefix">Hi,<br>
      <br>
      I was curious. I have checked my testing AD 2012R2. And it works
      well with VLV:<br>
      <br>
      Search REQ base=CN=Users,DC=ad,DC=evolveum,DC=com,
      filter=(objectClass=user), scope=sub,<br>
       attributes=[*, unicodePwd, userAccountControl, createTimeStamp,
      msExchHideFromAddressLists, objectGUID, objectClass],
      controls=Sort(cn:null:A),,VLV(beforeCount=0, afterCount=1,
      offset=2, contentCount=0, contextID=null)<br>
      <br>
      Maybe the problem is not VLV by itself, maybe the problem is that
      sort? Maybe it works only for some attributes? <br>
      Or maybe there is some special configuration in your case? My AD
      instance is pretty much default configuration.<br>
      <br>
      <pre class="gmail-m_1128383676612133110moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a></pre>
      <br>
      <br>
      On 7/30/19 2:48 PM, <a class="gmail-m_1128383676612133110moz-txt-link-abbreviated" href="mailto:JStanczak@vinu.edu" target="_blank">JStanczak@vinu.edu</a> wrote:<br>
    </div>
    <blockquote type="cite">
      
      <font size="2" face="Default Sans
        Serif,Verdana,Arial,Helvetica,sans-serif">
        <div>Windows Server 2012 R2. </div>
        <div><span style="font-size:12.8px"><br>
          </span></div>
        <div><span style="font-size:12.8px">Ya I've tried several
            codes. Nothing seems to work. Many of the codes were from
            Ldp.exe. SPR is ok for now but I will have to loop back and
            fix this issue later. I'm kind of at a loss for the moment.</span><br>
        </div>
        <div><br>
        </div>
        <div>Thanks. </div>
        <br>
        <br>
        <font color="#990099">-----"midPoint" &lt;<a href="mailto:midpoint-bounces@lists.evolveum.com" target="_blank">midpoint-bounces@lists.evolveum.com</a>&gt;
          wrote: -----</font>
        <div class="gmail-m_1128383676612133110iNotesHistory" style="padding-left:5px">
          <div style="padding-right:0px;padding-left:5px;border-left:2px solid black">To: <a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
            From: "Radovan Semancik" <u></u><br>
              Sent by: "midPoint" <u></u><br>
                Date: 07/30/2019 04:01AM<br>
                Subject: Re: [midPoint] unavailableCriticalExtension:
                000020EF: SvcErr: DSID-03140552, problem 5010
                (UNAVAIL_EXTENSION)<br>
                <br>
                
                <div class="gmail-m_1128383676612133110moz-cite-prefix">Hi,<br>
                  <br>
                  Ordering rule 2.5.13.3 works for OpenLDAP. It is
                  perhaps worth trying. The trouble with AD is that it
                  does not specify any matching rules in its LDAP
                  schema. Therefore this is all pretty much guesswork.<br>
                  <br>
                  However, I'm quite curious. What version/flavor of AD
                  are you using? I have tested the connector with
                  several versions and configurations, but I have never
                  run into this problem. Paging/sorting worked without
                  any need for special configuration. I wonder what
                  might be the root cause.<br>
                  <br>
                  <div><font size="2" face="Courier
                      New,Courier,monospace">-- <br>
                      Radovan Semancik<br>
                      Software Architect<br>
                      <a href="http://evolveum.com" target="_blank">evolveum.com</a></font></div>
                  <br>
                  <br>
                  <br>
                  On 7/29/19 5:50 PM, <a class="gmail-m_1128383676612133110moz-txt-link-abbreviated" href="mailto:JStanczak@vinu.edu" target="_blank">JStanczak@vinu.edu</a> wrote:<br>
                </div>
                <blockquote type="cite">
                  
                  <font size="2" face="Default Sans
                    Serif,Verdana,Arial,Helvetica,sans-serif"><font size="2" face="Default Sans
                      Serif,Verdana,Arial,Helvetica,sans-serif">
                      <div style="font-family:Verdana,Arial,Helvetica,sans-serif">That helps. It's the VLV
                        causing it. I think I have it almost there but
                        I'm not sure what ordering rule (VLV ordering
                        rule) to use. </div>
                      <div style="font-family:Verdana,Arial,Helvetica,sans-serif"><br>
                      </div>
                      <div><font face="Verdana, Arial,
                          Helvetica, sans-serif">controls=Sort(uid:&lt;????&gt;:A)
                          &lt;-- I've tried several numbers and each
                          time I get unavailableCriticalExtension. </font><br>
                      </div>
                      <div><br>
                      </div>
                      <div>Setting to SPR works just fine but
                        it would be nice to use VLV if it's better. </div>
                      <div><br>
                      </div>
                      <div>Thanks.</div>
                      <div><font face="Verdana, Arial,
                          Helvetica, sans-serif"><br>
                        </font></div>
                      <div><font face="Verdana, Arial,
                          Helvetica, sans-serif"><br>
                        </font></div>
                      <br>
                      <br>
                      <font style="font-family:Verdana,Arial,Helvetica,sans-serif" color="#990099">-----"midPoint"
                        &lt;<a href="mailto:midpoint-bounces@lists.evolveum.com" target="_blank">midpoint-bounces@lists.evolveum.com</a>&gt;
                        wrote: -----</font>
                      <div class="gmail-m_1128383676612133110iNotesHistory" style="font-family:Verdana,Arial,Helvetica,sans-serif;padding-left:5px">
                        <div style="padding-right:0px;padding-left:5px;border-left:2px solid black">To: <a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
                          From: "Radovan Semancik"
                          <br>
                          Sent by: "midPoint"
                          <br>
                          Date: 07/25/2019 05:27AM<br>
                          Subject: Re: [midPoint]
                          unavailableCriticalExtension: 000020EF:
                          SvcErr: DSID-03140552, problem 5010
                          (UNAVAIL_EXTENSION)<br>
                          <br>
                          
                          <div class="gmail-m_1128383676612133110moz-cite-prefix">Hi,<br>
                            <br>
                            LDAP protocol is extensible by using the
                            mechanisms of extended operations and
                            controls. This error suggests that AD does
                            not support one of the controls that are
                            used in operation that midPoint has
                            requested. You can have a look at AD log
                            files and hope that you will find more
                            information as to which particular control
                            is not supported. Or you can contact
                            Microsoft support. However, according to my
                            experience, both are quite pointless
                            exercises. When it comes to that particular
                            technology, trial-and-error is the best
                            approach that I could find.<br>
                            <br>
                            Therefore I would suggest to follow our
                            troubleshooting guide:<br>
                            <br>
                            <a class="gmail-m_1128383676612133110moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting" target="_blank">https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Troubleshooting</a><br>
                            <br>
                            I would recommend to find the LDAP operation
                            that caused the error. The connector should
                            log all important parts of the operations,
                            including the controls. Look for
                            "controls=....". One of those controls is
                            probably the cause of the problem. Once you
                            know what control is the problem, you can
                            try to enable that control in the AD. Or, if
                            that is not possible, then the connector has
                            several configuration options that control
                            the use of those LDAP controls. However, the
                            connector is only using a very basic set of
                            controls that make LDAP protocol barely
                            usable for IDM purposes. Disabling any of
                            them may affect usability of midPoint's
                            connection to AD. But I'm speculating here.
                            Let's see what control is the problem first.<br>
                            <br>
                            <div><font size="2" face="Courier
                                New,Courier,monospace">-- <br>
                                Radovan Semancik<br>
                                Software Architect<br>
                                <a href="http://evolveum.com" target="_blank">evolveum.com</a></font></div>
                            <br>
                            <br>
                            On 7/24/19 3:44 PM, <a class="gmail-m_1128383676612133110moz-txt-link-abbreviated" href="mailto:JStanczak@vinu.edu" target="_blank">JStanczak@vinu.edu</a>
                            wrote:<br>
                          </div>
                          <blockquote type="cite">
                            
                            <font size="2" face="Default Sans
                              Serif,Verdana,Arial,Helvetica,sans-serif">
                              <div>
                                <div><font face="Verdana,
                                    Arial, Helvetica, sans-serif">When
                                    accessing all users on the resource
                                    I get the below error. Searching for
                                    users works fine too. Is this some
                                    AD limitation?</font></div>
                                <div><font face="Verdana,
                                    Arial, Helvetica, sans-serif"><br>
                                  </font></div>
                                <div><font face="Verdana,
                                    Arial, Helvetica, sans-serif"><br>
                                  </font></div>
                                <div><font face="Verdana,
                                    Arial, Helvetica, sans-serif">
                                    <div>
                                      <div>com.evolveum.polygon.connector.ldap.ad.AdLdapConnector
                                        - <span style="font-size:12.8px">2.0</span></div>
                                    </div>
                                    <div>java.version - 1.8.0_191</div>
                                  </font></div>
                                <div><font face="Verdana,
                                    Arial, Helvetica, sans-serif">
                                    <div>Version - 3.9</div>
                                  </font></div>
                                <div><font face="Verdana,
                                    Arial, Helvetica, sans-serif">
                                    <div>ConnId framework version -
                                      1.5.0.0</div>
                                    <div><br>
                                    </div>
                                  </font></div>
                                <div><font face="Verdana,
                                    Arial, Helvetica, sans-serif">com.evolveum.midpoint.util.exception.CommunicationException:
                                    Error communicating with the
                                    connector
ConnectorInstanceIcfImpl(connector:cd7ec95b-9007-47b4-b6f6-9a95ec085f68(ConnId
com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v2.0)): IO error:
org.identityconnectors.framework.common.exceptions.ConnectorIOException(LDAP
                                    error during search in
                                    DC=local-test,DC=vinu,DC=edu:
                                    unavailableCriticalExtension:
                                    000020EF: SvcErr: DSID-03140552,
                                    problem 5010 (UNAVAIL_EXTENSION),
                                    data 0?? (12))</font></div>
                                <div><font face="Verdana,
                                    Arial, Helvetica, sans-serif"><span style="white-space:pre-wrap">        </span>at
com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.searchResourceObjects(ResourceObjectConverter.java:1330)</font></div>
                                <div><font face="Verdana,
                                    Arial, Helvetica, sans-serif"><br>
                                  </font></div>
                                <div><font face="Verdana,
                                    Arial, Helvetica, sans-serif">Thanks.</font></div>
                              </div>
                            </font> <br>
                            <fieldset class="gmail-m_1128383676612133110mimeAttachmentHeader"></fieldset>
                            <div><font size="2" face="Courier
                                New,Courier,monospace">_______________________________________________<br>
                                midPoint mailing list<br>
                                <a class="gmail-m_1128383676612133110moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
                                <a class="gmail-m_1128383676612133110moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
                              </font></div>
                          </blockquote>
                          <br>
                          <br>
                          </div>
                      </div>
                    </font></font> <br>
                </blockquote>
                <br>
                <br>
              <u></u><u></u></div>
        </div>
      </font>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="gmail-m_1128383676612133110moz-signature" cols="72"></pre>
  </div>

</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><font face="arial, helvetica, sans-serif" style="font-size:12.8px"><font style="background-color:rgb(255,255,255)" color="#000000">Javier Martínez</font></font></div><font face="arial, helvetica, sans-serif" style="font-size:12.8px"><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com/" style="color:rgb(17,85,204)" target="_blank">www.identicum.com</a></font></font><div style="font-size:12.8px"></div><div><font face="arial, helvetica, sans-serif" style="font-size:12.8px"><br></font></div></div></div>
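<div>Added example, not part of the original thread or of the connector's code: a log triage helper for the advice above to look for "controls=...." next to the failing operation. It pairs each unavailableCriticalExtension error with the last "Search REQ" line before it and lists that request's controls. The log excerpt is constructed, and the one-request-per-line layout and the field names in the returned dictionaries are assumptions.</div>

```python
import re

# Constructed log excerpt. The "Search REQ" layout and the error text follow the
# lines quoted in this thread; timestamps, DNs and counts are made up.
SAMPLE_LOG = """\
2019-07-24 15:40:01 Search REQ base=CN=Users,DC=example,DC=com, filter=(cn=jdoe), scope=sub, attributes=[*, objectGUID], controls=null
2019-07-24 15:44:10 Search REQ base=DC=example,DC=com, filter=(objectClass=user), scope=sub, attributes=[*, objectGUID], controls=Sort(uid:2.5.13.3:A),,VLV(beforeCount=0, afterCount=19, offset=1, contentCount=0, contextID=null)
2019-07-24 15:44:10 LDAP error during search in DC=example,DC=com: unavailableCriticalExtension: 000020EF: SvcErr: DSID-03140552, problem 5010 (UNAVAIL_EXTENSION)
"""

REQ_MARK = "Search REQ "
ERR_MARK = "unavailableCriticalExtension"
CONTROL_RE = re.compile(r"(\w+)\(([^()]*)\)")   # Name(arguments)


def parse_control_args(name, args):
    """Turn the text inside Name(...) into a dictionary."""
    if name == "Sort":
        # Logged as attribute:orderingRule:flag, e.g. cn:null:A
        parts = args.split(":")
        parts += [""] * (3 - len(parts))
        rule = None if parts[1] in ("", "null") else parts[1]
        return {"attribute": parts[0], "orderingRule": rule, "flag": parts[2]}
    # Other controls are logged as key=value pairs, e.g. VLV(beforeCount=0, ...)
    pairs = [item.split("=", 1) for item in args.split(",") if "=" in item]
    return {key.strip(): value.strip() for key, value in pairs}


def parse_controls(request_line):
    """Return [(control name, arguments)] from the controls= part of a request."""
    _, found, tail = request_line.partition("controls=")
    if not found:
        return []
    return [(name, parse_control_args(name, args))
            for name, args in CONTROL_RE.findall(tail)]


def failed_requests(log_text):
    """Pair each unavailableCriticalExtension error with the preceding Search REQ."""
    last_req = None
    findings = []
    for line in log_text.splitlines():
        if REQ_MARK in line:
            last_req = line
        elif ERR_MARK in line and last_req is not None:
            base = re.search(r"base=(.*?), filter=", last_req)
            findings.append({
                "base": base.group(1) if base else None,
                "controls": parse_controls(last_req),
            })
            last_req = None   # do not blame the same request twice
    return findings


if __name__ == "__main__":
    for finding in failed_requests(SAMPLE_LOG):
        print("rejected search under", finding["base"])
        for name, args in finding["controls"]:
            print("  control", name, args)
```

<div>The controls it reports are the candidates to test one at a time, which is how the thread narrowed the failure down to the VLV request.</div>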