<div dir="ltr"><div dir="ltr">Hi Ivan<div><br><div><div>I'm checking the permissions again. I assigned full control permission at the domain level to the midPoint bind account in Active Directory and enabled inheritance for all objects. I also assigned it domain admin permission. I know that both permissions are not necessary and not recommended as they are highly permissive, but it was the way I found to try to eliminate possible permission errors.</div><div>But unfortunately the problems persist.</div><div>I will continue to investigate.</div></div><div><br></div><div>Regards</div><div><br></div><div>Gus</div><div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 14 Dec 2020 at 09:49, Ivan Noris via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hi Gus,</p>
<p>This seems to be a permission problem in your AD.</p>
<p>LDAP error during DirSync search: insufficientAccessRights:
00002105: LdapErr: DSID-0C0909A9, comment: Error processing
control, data 0, v3839? (50)</p>
<p><br>
</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<div>On 12. 12. 2020 18:38, Gus Lou via
midPoint wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi Richard<br>
</div>
<div dir="ltr">I checked the permissions of the
midPoint account in AD again and it is in
accordance with the guidelines in the link
below:<br>
</div>
<div dir="ltr"><a href="https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector" target="_blank">Active Directory with
LDAP connector - midPoint - Evolveum
Confluence</a><br>
</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">I applied permissions at the domain
level <a href="http://xyz.net" target="_blank">xyz.net</a><br>
</div>
<div dir="ltr"><br>
</div>
<div>Here is part of the midPoint log:</div>
<div>----------------------------------------------------------------------------------------------------------------</div>
<div>
<div style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:16px">
<div>2020-12-11 16:53:22,996 [] [Thread-327]
ERROR
(com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy):
method: null msg:LDAP error during DirSync
search: insufficientAccessRights: 00002105:
LdapErr: DSID-0C0909A9, comment: Error
processing control, data 0, v3839? (50)</div>
<div>2020-12-11 16:53:22,997 []
[midPointScheduler_Worker-2] WARN
(com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil):
Got ConnId exception (might be handled by
upper layers later)
org.identityconnectors.framework.common.exceptions.PermissionDeniedException
in
connector:a0c5bb85-f4f0-4954-af1d-17ec4f27233e(ConnId
com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.1):
ConnectorSpec(resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa
Active Directory (LDAP)), name=null,
oid=a0c5bb85-f4f0-4954-af1d-17ec4f27233e):
LDAP error during DirSync search:
insufficientAccessRights: 00002105: LdapErr:
DSID-0C0909A9, comment: Error processing
control, data 0, v3839? (50), reason: LDAP
error during DirSync search:
insufficientAccessRights: 00002105: LdapErr:
DSID-0C0909A9, comment: Error processing
control, data 0, v3839? (50) (class
org.identityconnectors.framework.common.exceptions.PermissionDeniedException)</div>
<div>2020-12-11 16:53:22,997 [PROVISIONING]
[midPointScheduler_Worker-2] ERROR
(com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl):
Got unexpected exception:
org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
LDAP error during DirSync search:
insufficientAccessRights: 00002105: LdapErr:
DSID-0C0909A9, comment: Error processing
control, data 0, v3839? (50)</div>
<div>com.evolveum.midpoint.util.exception.SystemException:
Got unexpected exception:
org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
LDAP error during DirSync search:
insufficientAccessRights: 00002105: LdapErr:
DSID-0C0909A9, comment: Error processing
control, data 0, v3839? (50)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.quartz.core.JobRunShell.run(JobRunShell.java:202)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)</div>
<div>Caused by:
org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
LDAP error during DirSync search:
insufficientAccessRights: 00002105: LdapErr:
DSID-0C0909A9, comment: Error processing
control, data 0, v3839? (50)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)</div>
<div><span style="white-space:pre-wrap"> </span>at
jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)</div>
<div><span style="white-space:pre-wrap"> </span>at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div>
<div><span style="white-space:pre-wrap"> </span>at
java.base/java.lang.reflect.Method.invoke(Method.java:566)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.sun.proxy.$Proxy249.sync(Unknown Source)</div>
<div><span style="white-space:pre-wrap"> </span>at
jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)</div>
<div><span style="white-space:pre-wrap"> </span>at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div>
<div><span style="white-space:pre-wrap"> </span>at
java.base/java.lang.reflect.Method.invoke(Method.java:566)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.sun.proxy.$Proxy249.sync(Unknown Source)</div>
<div><span style="white-space:pre-wrap"> </span>at
jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)</div>
<div><span style="white-space:pre-wrap"> </span>at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div>
<div><span style="white-space:pre-wrap"> </span>at
java.base/java.lang.reflect.Method.invoke(Method.java:566)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)</div>
<div>2020-12-11 16:53:22,997 []
[midPointScheduler_Worker-2] ERROR
(com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler):
Live Sync: Unspecified error: Got unexpected
exception:
org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
LDAP error during DirSync search:
insufficientAccessRights: 00002105: LdapErr:
DSID-0C0909A9, comment: Error processing
control, data 0, v3839? (50)</div>
<div>com.evolveum.midpoint.util.exception.SystemException:
Got unexpected exception:
org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
LDAP error during DirSync search:
insufficientAccessRights: 00002105: LdapErr:
DSID-0C0909A9, comment: Error processing
control, data 0, v3839? (50)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchChanges(ConnectorInstanceConnIdImpl.java:1731)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1924)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.impl.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:199)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:347)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:90)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executePlainTaskHandler(HandlerExecutor.java:62)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.task.quartzimpl.execution.HandlerExecutor.executeHandler(HandlerExecutor.java:52)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:731)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:608)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:185)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.quartz.core.JobRunShell.run(JobRunShell.java:202)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)</div>
<div>Caused by:
org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
LDAP error during DirSync search:
insufficientAccessRights: 00002105: LdapErr:
DSID-0C0909A9, comment: Error processing
control, data 0, v3839? (50)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:149)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.sync(AdDirSyncStrategy.java:189)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.evolveum.polygon.connector.ldap.AbstractLdapConnector.sync(AbstractLdapConnector.java:1405)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.identityconnectors.framework.impl.api.local.operations.SyncImpl.sync(SyncImpl.java:134)</div>
<div><span style="white-space:pre-wrap"> </span>at
jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)</div>
<div><span style="white-space:pre-wrap"> </span>at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div>
<div><span style="white-space:pre-wrap"> </span>at
java.base/java.lang.reflect.Method.invoke(Method.java:566)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.sun.proxy.$Proxy249.sync(Unknown Source)</div>
<div><span style="white-space:pre-wrap"> </span>at
jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)</div>
<div><span style="white-space:pre-wrap"> </span>at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div>
<div><span style="white-space:pre-wrap"> </span>at
java.base/java.lang.reflect.Method.invoke(Method.java:566)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)</div>
<div><span style="white-space:pre-wrap"> </span>at
com.sun.proxy.$Proxy249.sync(Unknown Source)</div>
<div><span style="white-space:pre-wrap"> </span>at
jdk.internal.reflect.GeneratedMethodAccessor1305.invoke(Unknown Source)</div>
<div><span style="white-space:pre-wrap"> </span>at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div>
<div><span style="white-space:pre-wrap"> </span>at
java.base/java.lang.reflect.Method.invoke(Method.java:566)</div>
<div><span style="white-space:pre-wrap"> </span>at
org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:165)</div>
<div>2020-12-11 16:53:23,015 []
[midPointScheduler_Worker-2] INFO
(com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor):
Task encountered permanent error, suspending
the task. Task = Task(id:1546210629125-0-1,
name:Sync: Active Directory (Groups),
oid:36d98518-9db1-49ce-a4d7-75be1047bac6)</div>
<div>2020-12-11 16:53:23,015 [TASK_MANAGER]
[midPointScheduler_Worker-2] INFO
(com.evolveum.midpoint.task.quartzimpl.TaskManagerQuartzImpl):
Suspending tasks [Task(id:1546210629125-0-1,
name:Sync: Active Directory (Groups),
oid:36d98518-9db1-49ce-a4d7-75be1047bac6)];
do not stop tasks.</div>
<div>-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
</div>
<div><br>
</div>
</div>
</div>
<div>Best Regards</div>
<div><br>
</div>
<div>Gus</div>
<div><br>
</div>
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, 11 Dec 2020 at 20:22, Richard Richter via
midPoint <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div style="font-family:arial,helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div>Hello<br>
</div>
<div><br>
</div>
<div>I have no idea why this happens; just
looking at the message, it seems to come
from a <strong>java.util.Base64.decode(...)</strong>
call. It is in the code, and probably
some Base64-encoded string is not
correct.<br>
</div>
<div>It always helps if you can also provide
a stacktrace, part of the log or
something. If it's easy to answer
without it, it doesn't hurt. Here, I
have no idea where the call originates
from.<br>
</div>
<div><br>
</div>
<div>Regards<br>
</div>
<div><br>
</div>
<div>Richard Richter<br>
</div>
<div>midPoint developer</div>
<div><br>
</div>
<hr id="gmail-m_-3499334444687013468gmail-m_-1796343538307558694zwchr">
<div><b>From: </b>"midPoint General
Discussion" <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br>
<b>To: </b>"midPoint General
Discussion" <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br>
<b>Cc: </b>"Gus Lou" <<a href="mailto:gugalou38@gmail.com" target="_blank">gugalou38@gmail.com</a>><br>
<b>Sent: </b>Friday, December 11, 2020
11:44:56 PM<br>
<b>Subject: </b>[midPoint]
Synchronization Trouble - Active
Directory to MP<br>
</div>
<div><br>
</div>
<div>
<div dir="ltr">
<div dir="ltr">
<div>Hi Guys</div>
<br>
<div>I need to import groups, users
and their existing access from
Active Directory into midPoint
(MP version 4.2,
AdLdapConnector 3.1)</div>
<br>
<div>To achieve this goal, I did the
following:</div>
<br>
<div>1-I imported the Active
Directory resource template from
the address below:</div>
<div><a href="https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/ad-ldap-medusa-medium.xml" rel="nofollow noopener
noreferrer" target="_blank">https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/ad-ldap-medusa-medium.xml</a><br>
</div>
<br>
<div>2-I created two synchronization
tasks, one for users and one for
groups.</div>
<br>
<div>When I run the synchronization
tasks, I get the following error:</div>
<br>
<div><b>Unspecified error: Got
unexpected exception:
java.lang.IllegalArgumentException:
Last unit does not have enough
valid bits</b></div>
<br>
<div>I have already checked the
required permissions following the
guidelines in the link below:</div>
<div><a href="https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector" rel="nofollow noopener
noreferrer" target="_blank">https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector</a><br>
</div>
<br>
<br>
<div>Does anyone have any ideas on how to
resolve this, or any other documentation
that I can review?</div>
<br>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<pre cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</div>
</blockquote></div>
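Added example, not code from the thread or from midPoint: a small Python triage script for the two live-sync failures the thread shows, the DirSync permission error in Gus's log excerpt and the Base64 "Last unit does not have enough valid bits" exception from his first post. The regexes are assumptions shaped to the quoted log lines, the sample log is a constructed, condensed copy of them (the Base64 line's timestamp is invented), and the code-name tables use two facts outside the page: LDAP result code 50 is insufficientAccessRights in RFC 4511, and AD error 0x00002105 (8453) is what Microsoft names ERROR_DS_DRA_ACCESS_DENIED, a replication-access denial, which is consistent with Gus finding that full-control ACLs on the objects did not clear the error.

```python
"""Triage helper for the two midPoint live-sync failures quoted in this thread.

The sample input and the regexes are assumptions based on the quoted log
lines; nothing here is midPoint code or a midPoint API.
"""
import re

# RFC 4511 result code from the trailing "(50)" and the AD error reported in
# hex before "LdapErr" (0x00002105 = 8453 = ERROR_DS_DRA_ACCESS_DENIED).
LDAP_RESULT_CODES = {50: "insufficientAccessRights"}
AD_ERROR_CODES = {8453: "ERROR_DS_DRA_ACCESS_DENIED"}

DIRSYNC_RE = re.compile(
    r"LDAP error during DirSync search: (?P<result>\w+): (?P<ad_hex>[0-9A-Fa-f]{8}): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>\d+), v(?P<ver>\w+)\? \((?P<ldap_code>\d+)\)"
)
SUSPEND_RE = re.compile(
    r"suspending the task\. Task = Task\(id:(?P<id>[^,]+), "
    r"name:(?P<name>.+?), oid:(?P<oid>[0-9a-f-]+)\)"
)
BASE64_RE = re.compile(
    r"java\.lang\.IllegalArgumentException: Last unit does not have enough valid bits"
)

# Constructed sample: condensed copies of lines quoted in the thread. The first
# three come from Gus's log excerpt; the last is rebuilt from the message in
# his first post and its timestamp is invented.
SAMPLE_LOG = """\
2020-12-11 16:53:22,996 [] [Thread-327] ERROR (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null msg:LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
2020-12-11 16:53:22,997 [PROVISIONING] [midPointScheduler_Worker-2] ERROR (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C0909A9, comment: Error processing control, data 0, v3839? (50)
2020-12-11 16:53:23,015 [] [midPointScheduler_Worker-2] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Task encountered permanent error, suspending the task. Task = Task(id:1546210629125-0-1, name:Sync: Active Directory (Groups), oid:36d98518-9db1-49ce-a4d7-75be1047bac6)
2020-12-11 16:40:00,000 [] [midPointScheduler_Worker-1] ERROR (com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler): Live Sync: Unspecified error: Got unexpected exception: java.lang.IllegalArgumentException: Last unit does not have enough valid bits
"""


def triage(log_text):
    """Scan a midPoint log excerpt and summarise why a live-sync task stopped."""
    findings = {"dirsync_errors": [], "suspended_tasks": [], "base64_errors": 0}
    seen = set()
    for line in log_text.splitlines():
        m = DIRSYNC_RE.search(line)
        if m:
            ad_code = int(m["ad_hex"], 16)
            ldap_code = int(m["ldap_code"])
            key = (m["result"], ad_code, m["dsid"])
            if key not in seen:  # midPoint logs the same exception at several layers
                seen.add(key)
                findings["dirsync_errors"].append({
                    "ldap_result": ldap_code,
                    "ldap_result_name": LDAP_RESULT_CODES.get(ldap_code, "unknown"),
                    "ad_error": ad_code,
                    "ad_error_name": AD_ERROR_CODES.get(ad_code, "unknown"),
                    "dsid": m["dsid"],
                    "comment": m["comment"],
                })
        m = SUSPEND_RE.search(line)
        if m:
            findings["suspended_tasks"].append(
                {"id": m["id"], "name": m["name"], "oid": m["oid"]})
        if BASE64_RE.search(line):
            findings["base64_errors"] += 1
    return findings


def dangling_base64_unit(value):
    """True when java.util.Base64's basic decoder would reject `value` with
    "Last unit does not have enough valid bits": ignoring '=' padding, the
    length mod 4 is 1, so a lone 6-bit character ends the input. Simplified:
    whitespace and characters outside the alphabet are not considered."""
    return len(value.rstrip("=")) % 4 == 1


def describe(findings):
    """Render the findings as short lines for a ticket or runbook."""
    out = []
    for e in findings["dirsync_errors"]:
        out.append(
            f"AD refused the DirSync control for the bind account: LDAP result "
            f"{e['ldap_result']} ({e['ldap_result_name']}), AD error {e['ad_error']} "
            f"({e['ad_error_name']}), DSID {e['dsid']}")
    for t in findings["suspended_tasks"]:
        out.append(f"Task suspended by midPoint: {t['name']} (oid {t['oid']})")
    if findings["base64_errors"]:
        out.append(
            f"{findings['base64_errors']} Base64 decode failure(s): a value passed "
            f"to java.util.Base64.decode ends in a single dangling character")
    return out


if __name__ == "__main__":
    for line in describe(triage(SAMPLE_LOG)):
        print(line)
```

The dedupe key matters in practice: midPoint logs the same PermissionDeniedException from the connector, the provisioning layer and the task handler, so counting raw matches would report three AD failures where there was one. Run the script against a larger log by replacing SAMPLE_LOG with the file contents; `dangling_base64_unit` is there to check a suspect attribute value before blaming the connector.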