incubator-syncope-user mailing list archives

From Antony Pulicken <antony.pulic...@gmail.com>
Subject Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP
Date Fri, 16 Mar 2012 01:23:47 GMT
Thanks Marco. That helped.

The resource mapping looks clean now as the account link is fine and I have
removed the 'uid' mapping that I created as a workaround.

But I still have the issue wherein the LDAP search is returning null and hence
an LDAP create is getting triggered instead of an LDAP update when an 'update
Sync' is triggered from AD. Please find the latest logs from OpenDS. I have
also attached the latest resource mapping and connector configuration
screenshots.

[16/Mar/2012:02:06:28 +0100] SEARCH REQ conn=10 op=38 msgID=39 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[16/Mar/2012:02:06:28 +0100] SEARCH RES conn=10 op=38 msgID=39 result=0
nentries=1 etime=1
[16/Mar/2012:02:06:28 +0100] SEARCH REQ conn=10 op=39 msgID=40
base="ou=people,dc=opensso,dc=java,dc=net" scope=wholeSubtree
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(
*entryUUID=syncopeuser011*))"
attrs="audio,businessCategory,carLicense,cn,departmentNumber,description,destinationIndicator,displayName,employeeNumber,employeeType,entryUUID,facsimileTelephoneNumber,givenName,homePhone,homePostalAddress,initials,internationaliSDNNumber,jpegPhoto,l,labeledURI,mail,manager,mobile,o,objectClass,ou,pager,photo,physicalDeliveryOfficeName,postalAddress,postalCode,postOfficeBox,preferredDeliveryMethod,preferredLanguage,registeredAddress,roomNumber,secretary,seeAlso,sn,st,street,telephoneNumber,teletexTerminalIdentifier,telexNumber,title,uid,userCertificate;binary,userPassword,userPKCS12,userSMIMECertificate,x121Address,x500UniqueIdentifier"
[16/Mar/2012:02:06:28 +0100] SEARCH RES conn=10 op=39 msgID=40 result=0
nentries=0 etime=4
[16/Mar/2012:02:06:28 +0100] SEARCH REQ conn=10 op=40 msgID=41 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[16/Mar/2012:02:06:28 +0100] SEARCH RES conn=10 op=40 msgID=41 result=0
nentries=1 etime=1
[16/Mar/2012:02:06:28 +0100] ADD REQ conn=10 op=41 msgID=42
dn="uid=syncopeuser011,ou=people,dc=opensso,dc=java,dc=net"
[16/Mar/2012:02:06:28 +0100] ADD RES conn=10 op=41 msgID=42 result=68
message="The entry uid=syncopeuser011,ou=people,dc=opensso,dc=java,dc=net
cannot be added because an entry with that name already exists" etime=0


Thanks and Regards,
Antony.

On Thu, Mar 15, 2012 at 9:02 PM, Marco Di Sabatino Di Diodoro <
marco.disabatino@tirasa.net> wrote:

>
> On Mar 15, 2012, at 4:22 PM, Antony Pulicken wrote:
>
> Hi Fabio,
>
> Do you have any idea why the Username is not getting populated on the
> account link? Is it working on your side ? Please let me know.
>
> Regards,
> Antony.
>
> On Thu, Mar 15, 2012 at 4:23 PM, Antony Pulicken <
> antony.pulicken@gmail.com> wrote:
>
>> I had tried that before and tried it again now. If I configure 'Username'
>> in the account link, LDAP create will fail with this error:
>>
>> uid=,ou=people,dc=opensso,dc=java,dc=net: [LDAP: error code 34 - The provided value
>> "uid=,ou=people,dc=opensso,dc=java,dc=net"
>> could not be parsed as a valid distinguished name because an attribute value started
>> with a character at position 5 that needs to be escaped]
>>
>>
>> Even though the user is created in syncope with a valid 'Username', it
>> doesn't get populated in the account link and that is why I added uid as a
>> workaround. Seems like a defect to me. What do you think?
>>
>
> username must be written all in lower case
>
> Regards
> Marco
>
>
>> Regards,
>> Antony.
>>
>>
>> On Thu, Mar 15, 2012 at 3:57 PM, Fabio Martelli <fabio.martelli@gmail.com
>> > wrote:
>>
>>>
>>> On 15 Mar 2012, at 10:59, Antony Pulicken wrote:
>>>
>>> Thanks a lot Fabio and get well soon :-)
>>>
>>> 1. We are using OpenDS
>>>
>>> 2. I have attached the screenshots of mapping and the connector
>>> configuration
>>>
>>> I'm facing another issue now. I doubt it is occurring because the LDAP
>>> connector configuration is incorrect. The issue is the updates from AD are
>>> not getting synced to LDAP. When an update happens in AD, it's getting
>>> synced to syncope and then the LDAP search is getting invoked. Even though
>>> the user exists in LDAP, it's returning null and because of that Create is
>>> getting triggered. Can you please take a look at the configuration and spot
>>> anything that is obvious ?
>>>
>>>
>>> Hi Antony,
>>> you are using uid in your AccountLink and Username as AccountId --> this
>>> could generate problems ....
>>>
>>> 1. Consider that in this way syncope will create users with specified DN
>>> (AccountLink) but it will search for users using the Username
>>> 2. In a certain way you are creating an entry specifying two UIDs:  as
>>> far as I know, this happens because you are creating an entry specifying
>>> the dn (including the former uid value) and the uid attribute (latter uid
>>> value). This is absolutely normal if and only if the two UIDs are the same.
>>>
>>> Can you try to use Username in the AccountLink as well?
>>>
>>> Regards,
>>> F.
>>>
>>>
>>> Regards,
>>> Antony.
>>>
>>>
>>>
>>> On Thu, Mar 15, 2012 at 1:33 PM, Fabio Martelli <
>>> fabio.martelli@gmail.com> wrote:
>>>
>>>> Hi Antony, could you give me more info to reproduce the problem?
>>>>
>>>> 1. What ldap server are you using?
>>>> 2. Can you provide your connector configuration screenshot?
>>>>
>>>> I am sick at the moment but I will do my best to reply to you asap.
>>>>
>>>> Regards,
>>>> F.
>>>> On 14 Mar 2012 04:39, "Antony Pulicken" <
>>>> antony.pulicken@gmail.com> wrote:
>>>>
>>>>> Thanks Fabio for the response. I removed the Uid attribute mapping,
>>>>> but the result is the same. The javax.naming.directory.Attributes object
>>>>> passed to the LdapSchemaMapping.create() still has 'entryuuid=entryUUID:
>>>>> user314' as one of the values and it fails if I don't add the check that I
>>>>> mentioned in my earlier mail.
>>>>>
>>>>> Regards,
>>>>> Antony.
>>>>>
>>>>> On Tue, Mar 13, 2012 at 3:32 PM, Fabio Martelli <
>>>>> fabio.martelli@gmail.com> wrote:
>>>>>
>>>>>>
>>>>>> On 13 Mar 2012, at 06:43, Antony Pulicken wrote:
>>>>>>
>>>>>> Attaching the screenshots again as there was some issue last time....
>>>>>>
>>>>>> On Tue, Mar 13, 2012 at 11:08 AM, Antony Pulicken <
>>>>>> antony.pulicken@gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm getting the following error while provisioning a user from
>>>>>>> syncope to LDAP.
>>>>>>>
>>>>>>> org.identityconnectors.framework.common.exceptions.ConnectorException:
>>>>>>> javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Entry
>>>>>>> uid=user201,ou=people,dc=opensso,dc=java,dc=net cannot be added because it
>>>>>>> includes attribute *entryUUID* which is defined as
>>>>>>> NO-USER-MODIFICATION in the server schema]; remaining name
>>>>>>> 'uid=user201,ou=people,dc=opensso,dc=java,dc=net'
>>>>>>>     at org.identityconnectors.ldap.schema.LdapSchemaMapping.create(LdapSchemaMapping.java:325) ~[na:na]
>>>>>>>     at org.identityconnectors.ldap.modify.LdapCreate$1.access(LdapCreate.java:144) ~[na:na]
>>>>>>>     at org.identityconnectors.ldap.schema.GuardedPasswordAttribute$Simple$1.access(GuardedPasswordAttribute.java:75) ~[na:na]
>>>>>>>
>>>>>>> I think the attribute '*entryUUID*' is getting included because we
>>>>>>> are setting one of the field/mapping as the account Id (and it's mandatory
>>>>>>> to do that in Syncope).
>>>>>>>
>>>>>>> It worked only when I added a check for '*entryUUID*' and excluded
>>>>>>> the same from the attributes while creating the sub context in the LDAP
>>>>>>> connector code (LdapSchemaMapping.create()). Please let me know whether
>>>>>>> there is any better way to make it work?
>>>>>>>
>>>>>>> I have also attached the screen shot of my LDAP Resource mapping in
>>>>>>> syncope.
>>>>>>>
>>>>>>
>>>>>> Hi Antony,
>>>>>> you don't have to map uid. Uid attribute mapping will be generated
>>>>>> implicitly by defining the AccountId.
>>>>>>
>>>>>> Let me know if the problem persists.
>>>>>>
>>>>>> Regards,
>>>>>> F.
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Antony.
>>>>>>>
>>>>>>
>>>>>> <Screen Shot 2012-03-13 at 11.12.23 AM.png><Screen Shot 2012-03-13
>>>>>> at 11.12.43 AM.png>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>> <Screen Shot 2012-03-15 at 3.26.51 PM.png><Screen Shot 2012-03-15 at
>>> 3.27.08 PM.png><Screen Shot 2012-03-15 at 3.28.07 PM.png>
>>>
>>>
>>>
>>
>
> --
>
> Dott. Marco Di Sabatino Di Diodoro
> Tel. +39 3939065570
>
> Tirasa S.r.l.
> Viale D'Annunzio 267 - 65127 Pescara
> Tel +39 0859116307 / FAX +39 0859111173
> http://www.tirasa.net
>
> Apache Syncope PPMC Member
> http://people.apache.org/~mdisabatino
>
>
>
>
>
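
The symptom in the OpenDS log at the top of this message (a subtree search returning nentries=0, followed by an ADD rejected with result=68) can be picked out of an access log mechanically, together with the attribute the search compared against and the RDN attribute of the rejected DN. This is an added example, not part of the original thread or of Syncope/ConnId code; the log lines are constructed in the same format, and `find_missed_lookups` is a hypothetical helper name.

```python
import re

# Constructed access-log sample in the OpenDS format quoted in the thread
# (one record per line; DNs and user names are made up).
SAMPLE_LOG = '''\
[16/Mar/2012:02:06:28 +0100] SEARCH REQ conn=10 op=39 msgID=40 base="ou=people,dc=example,dc=com" scope=wholeSubtree filter="(&(objectClass=inetOrgPerson)(entryUUID=user01))" attrs="cn,uid"
[16/Mar/2012:02:06:28 +0100] SEARCH RES conn=10 op=39 msgID=40 result=0 nentries=0 etime=4
[16/Mar/2012:02:06:28 +0100] SEARCH REQ conn=10 op=40 msgID=41 base="" scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[16/Mar/2012:02:06:28 +0100] SEARCH RES conn=10 op=40 msgID=41 result=0 nentries=1 etime=1
[16/Mar/2012:02:06:28 +0100] ADD REQ conn=10 op=41 msgID=42 dn="uid=user01,ou=people,dc=example,dc=com"
[16/Mar/2012:02:06:28 +0100] ADD RES conn=10 op=41 msgID=42 result=68 message="entry already exists" etime=0
[16/Mar/2012:02:07:00 +0100] SEARCH REQ conn=11 op=2 msgID=3 base="ou=people,dc=example,dc=com" scope=wholeSubtree filter="(uid=user02)" attrs="cn"
[16/Mar/2012:02:07:00 +0100] SEARCH RES conn=11 op=2 msgID=3 result=0 nentries=1 etime=2
'''

RECORD = re.compile(r'^\[[^\]]+\] (SEARCH|ADD) (REQ|RES) conn=(\d+) op=(\d+) (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def find_missed_lookups(log_text):
    """Return ADDs rejected with result=68 after an empty SEARCH on the same connection."""
    requests, last_miss, findings = {}, {}, []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        op, kind, conn, opid, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if kind == "REQ":
            requests[(conn, opid)] = fields  # keep until the matching RES arrives
            continue
        req = requests.pop((conn, opid), {})
        if op == "SEARCH" and req.get("scope") != "baseObject":
            # Remember the filter only when the lookup matched nothing;
            # root DSE (baseObject) reads in between are ignored.
            last_miss[conn] = req.get("filter") if fields.get("nentries") == "0" else None
        elif op == "ADD" and fields.get("result") == "68" and last_miss.get(conn) and "dn" in req:
            rdn_attr, rdn_value = req["dn"].split(",")[0].split("=", 1)
            # Attributes the failed filter compared against the RDN value.
            searched = re.findall(r'\((\w+)=' + re.escape(rdn_value) + r'\)', last_miss[conn])
            searched = [a.lower() for a in searched]
            findings.append({"dn": req["dn"], "searched_attrs": searched,
                             "rdn_attr": rdn_attr.lower(),
                             "mismatch": rdn_attr.lower() not in searched})
    return findings


if __name__ == "__main__":
    for finding in find_missed_lookups(SAMPLE_LOG):
        print(finding)
```

The function expects one log record per line, so records wrapped by a mail client (as in the log pasted above) need to be rejoined first.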
