<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:11.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1025401659;
mso-list-type:hybrid;
mso-list-template-ids:979521736 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">We have troubleshooted this issue following the instructions provided by the midPoint supporting engineers Claude and Keith.
<o:p></o:p></p>
<p class="MsoNormal"><a href="https://claude.ai/share/67073561-d22d-43fe-8423-df33ad26cbf4">https://claude.ai/share/67073561-d22d-43fe-8423-df33ad26cbf4</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Unfortunately, we were not able to figure out the cause of the problem. Any advice is deeply appreciated.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We confirmed our AD setting:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Active Directory DS supports the full function level of 2016 and is deployed on Windows 2019.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">The user account is in the Domain Admin group.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">The user account has both the additional permissions required by midPoint provisioning operations:<o:p></o:p></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level2 lfo1"><b>Replicating Directory Changes</b>
<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level2 lfo1"><b>Replicating Directory Changes All</b><o:p></o:p></li></ul>
</ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The midPoint application is the release of 4.9.9<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We turned the midPoint application “Class Logger” for Provisioning logger at the Debug level. It showed that the AD connector worked successfully in “returning clone” AD user data. But it failed at the step “ Start synchronization of resource
object” . The logger error message is here:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2025-06-26 09:04:16,246 [PROVISIONING] [midPointScheduler_Worker-5] DEBUG (com.evolveum.midpoint.provisioning.impl.resources.ResourceCache): HIT(returning clone) for resource:51996605-7561-457f-b6f0-6502a67990db(NIST AD LDAP connector 2
-- only use one object schema: user) (v128)<o:p></o:p></p>
<p class="MsoNormal">2025-06-26 09:04:16,246 [PROVISIONING] [midPointScheduler_Worker-5] DEBUG (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Start synchronization of resource:51996605-7561-457f-b6f0-6502a67990db(NIST AD LDAP connector 2
-- only use one object schema: user)<o:p></o:p></p>
<p class="MsoNormal">2025-06-26 09:04:16,430 [] [midPointScheduler_Worker-5] ERROR (com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy): method: null msg:LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment:
Error processing control, data 0, v4563? (50)<o:p></o:p></p>
<p class="MsoNormal">2025-06-26 09:04:16,431 [] [midPointScheduler_Worker-5] WARN (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId exception (might be handled by upper layers later) org.identityconnectors.framework.common.exceptions.PermissionDeniedException
in NIST AD LDAP connector 2 -- only use one object schema: user: ConnectorSpec.Main(resource:51996605-7561-457f-b6f0-6502a67990db(NIST AD LDAP connector 2 -- only use one object schema: user)): LDAP error during DirSync search: insufficientAccessRights: 00002105:
LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50), reason: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50) (class org.identityconnectors.framework.common.exceptions.PermissionDeniedException)<o:p></o:p></p>
<p class="MsoNormal">2025-06-26 09:04:16,431 [] [midPointScheduler_Worker-5] DEBUG (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId exception (might be handled by upper layers later) org.identityconnectors.framework.common.exceptions.PermissionDeniedException
in NIST AD LDAP connector 2 -- only use one object schema: user: ConnectorSpec.Main(resource:51996605-7561-457f-b6f0-6502a67990db(NIST AD LDAP connector 2 -- only use one object schema: user)): LDAP error during DirSync search: insufficientAccessRights: 00002105:
LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50).<o:p></o:p></p>
<p class="MsoNormal">org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.polygon.connector.ldap.ErrorHandler.processLdapResult(ErrorHandler.java:156)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.polygon.connector.ldap.ad.AdErrorHandler.processLdapResult(AdErrorHandler.java:63)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.polygon.connector.ldap.sync.AdDirSyncStrategy.getLatestSyncToken(AdDirSyncStrategy.java:254)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.getLatestSyncToken(AbstractLdapConnector.java:1865)<o:p></o:p></p>
<p class="MsoNormal"> at org.identityconnectors.framework.impl.api.local.operations.SyncImpl.getLatestSyncToken(SyncImpl.java:147)<o:p></o:p></p>
<p class="MsoNormal"> at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)<o:p></o:p></p>
<p class="MsoNormal"> at java.base/java.lang.reflect.Method.invoke(Method.java:580)<o:p></o:p></p>
<p class="MsoNormal"> at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:99)<o:p></o:p></p>
<p class="MsoNormal"> at jdk.proxy2/jdk.proxy2.$Proxy213.getLatestSyncToken(Unknown Source)<o:p></o:p></p>
<p class="MsoNormal"> at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)<o:p></o:p></p>
<p class="MsoNormal"> at java.base/java.lang.reflect.Method.invoke(Method.java:580)<o:p></o:p></p>
<p class="MsoNormal"> at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)<o:p></o:p></p>
<p class="MsoNormal"> at jdk.proxy2/jdk.proxy2.$Proxy213.getLatestSyncToken(Unknown Source)<o:p></o:p></p>
<p class="MsoNormal"> at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)<o:p></o:p></p>
<p class="MsoNormal"> at java.base/java.lang.reflect.Method.invoke(Method.java:580)<o:p></o:p></p>
<p class="MsoNormal"> at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99)<o:p></o:p></p>
<p class="MsoNormal"> at jdk.proxy2/jdk.proxy2.$Proxy213.getLatestSyncToken(Unknown Source)<o:p></o:p></p>
<p class="MsoNormal"> at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)<o:p></o:p></p>
<p class="MsoNormal"> at java.base/java.lang.reflect.Method.invoke(Method.java:580)<o:p></o:p></p>
<p class="MsoNormal"> at org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:89)<o:p></o:p></p>
<p class="MsoNormal"> at jdk.proxy2/jdk.proxy2.$Proxy213.getLatestSyncToken(Unknown Source)<o:p></o:p></p>
<p class="MsoNormal"> at org.identityconnectors.framework.impl.api.AbstractConnectorFacade.getLatestSyncToken(AbstractConnectorFacade.java:289)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchCurrentToken(ConnectorInstanceConnIdImpl.java:1416)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.fetchCurrentToken(ResourceObjectConverter.java:278)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.provisioning.impl.shadows.sync.LiveSynchronizer.fetchAndRememberCurrentToken(LiveSynchronizer.java:202)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.provisioning.impl.shadows.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:79)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:252)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.model.impl.sync.tasks.sync.LiveSyncActivityRun.iterateOverItemsInBucket(LiveSyncActivityRun.java:130)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.processSingleBucket(IterativeActivityRun.java:457)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.processOrAnalyzeOrSkipSingleBucket(IterativeActivityRun.java:414)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.doRun(IterativeActivityRun.java:245)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.runLocally(IterativeActivityRun.java:185)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.repo.common.activity.run.LocalActivityRun.runInternal(LocalActivityRun.java:99)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.repo.common.activity.run.AbstractActivityRun.runTreatingExceptions(AbstractActivityRun.java:271)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.repo.common.activity.run.AbstractActivityRun.run(AbstractActivityRun.java:228)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.repo.common.activity.run.task.ActivityBasedTaskRun.run(ActivityBasedTaskRun.java:82)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.repo.common.activity.run.task.ActivityBasedTaskHandler.run(ActivityBasedTaskHandler.java:80)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.task.quartzimpl.run.HandlerExecutor.executeHandler(HandlerExecutor.java:37)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.task.quartzimpl.run.TaskCycleExecutor.executeHandler(TaskCycleExecutor.java:134)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.task.quartzimpl.run.TaskCycleExecutor.executeTaskCycleRun(TaskCycleExecutor.java:127)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.task.quartzimpl.run.TaskCycleExecutor.executeRecurringTask(TaskCycleExecutor.java:97)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.task.quartzimpl.run.TaskCycleExecutor.execute(TaskCycleExecutor.java:70)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.task.quartzimpl.run.JobExecutor.executeHandler(JobExecutor.java:157)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.task.quartzimpl.run.JobExecutor.executeInternal(JobExecutor.java:126)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.task.quartzimpl.run.JobExecutor.execute(JobExecutor.java:69)<o:p></o:p></p>
<p class="MsoNormal"> at org.quartz.core.JobRunShell.run(JobRunShell.java:202)<o:p></o:p></p>
<p class="MsoNormal"> at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:588)<o:p></o:p></p>
<p class="MsoNormal">2025-06-26 09:04:16,432 [PROVISIONING] [midPointScheduler_Worker-5] DEBUG (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50), reason: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException:
LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr: DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50) (class com.evolveum.midpoint.util.exception.SystemException)<o:p></o:p></p>
<p class="MsoNormal">2025-06-26 09:04:16,432 [PROVISIONING] [midPointScheduler_Worker-5] ERROR (com.evolveum.midpoint.repo.common.activity.run.ActivityRunResult): Unhandled exception in root activity in 'Sync AD LDAP Users' task (OID 14413783-ccae-4605-baf5-5fec2a47828d).<o:p></o:p></p>
<p class="MsoNormal">com.evolveum.midpoint.util.exception.SystemException: Got unexpected exception: org.identityconnectors.framework.common.exceptions.PermissionDeniedException: LDAP error during DirSync search: insufficientAccessRights: 00002105: LdapErr:
DSID-0C090CC1, comment: Error processing control, data 0, v4563? (50)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.fetchCurrentToken(ConnectorInstanceConnIdImpl.java:1435)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.fetchCurrentToken(ResourceObjectConverter.java:278)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.provisioning.impl.shadows.sync.LiveSynchronizer.fetchAndRememberCurrentToken(LiveSynchronizer.java:202)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.provisioning.impl.shadows.sync.LiveSynchronizer.synchronize(LiveSynchronizer.java:79)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:252)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.model.impl.sync.tasks.sync.LiveSyncActivityRun.iterateOverItemsInBucket(LiveSyncActivityRun.java:130)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.processSingleBucket(IterativeActivityRun.java:457)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.processOrAnalyzeOrSkipSingleBucket(IterativeActivityRun.java:414)<o:p></o:p></p>
<p class="MsoNormal"> at com.evolveum.midpoint.repo.common.activity.run.IterativeActivityRun.doRun(IterativeActivityRun.java:245)<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Eugene (<i>Yujin</i>) Wang<o:p></o:p></p>
<p class="MsoNormal">(301)975-3621 (office)<o:p></o:p></p>
<p class="MsoNormal">(240)386-9234 (mobile)<o:p></o:p></p>
<p class="MsoNormal">IT Specialist <span style="font-size:10.0pt;color:black">- Application Systems Division</span><o:p></o:p></p>
<p class="MsoNormal"><b>Office of Information Management (OISM), NIST<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>