Hi Nik,
as far as I understand from your e-mail below:
The first e-mail troubles were caused by a Synchronization Policy with
no alternative schemas set: I took inspiration from that anyway for
making such handling more robust (and avoid NPE!).
The second e-mail troubles seem to be caused by an incorrect user
mapping: actually, it seems to me that you copied the mapping from my
blog post but left the user attribute schemas as per the standalone
distribution. In particular, 'userId' is configured with an e-mail
address validator but is mapped to a DN
("uid=nik,ou=people,o=usharesoft" is not a valid email address).
HTH
Regards.
On 10/05/2013 12:47, Nik wrote:
> Hi Guys,
>
> I think I made some new progress on understanding my problems with
> synchro/recon.
> I started from scratch, rebuilt my env based on 1.1.2-SNAPSHOT.
> Followed the blog and now I'm getting closer to getting the ldap users
> created on syncope (my goal).
>
> I believe all my issues are coming from bad mappings and bad
> interpretation on my part from the docs:
>
> When I look at the sync task log I see what is failing now in my
> mappings:
>
> e.g.
>
> Users [created/failures]: 0/13 [updated/failures]: 0/0
> [deleted/failures]: 0/0
> Roles [created/failures]: 0/0 [updated/failures]: 9/0
> [deleted/failures]: 0/0
>
> Users failed to create: CREATE FAILURE (id/name): null/null with
> message: {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=nik,ou=people,o=usharesoft - "uid=nik,ou=people,o=usharesoft" is
> not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message: {[InvalidValues
> [userId: uid=olive,ou=people,o=usharesoft -
> "uid=olive,ou=people,o=usharesoft" is not a valid email address]],
> [RequiredValuesMissing [userId]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=bolive,ou=people,o=usharesoft -
> "uid=bolive,ou=people,o=usharesoft" is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message: {[InvalidValues
> [userId: uid=gfoe,ou=people,o=usharesoft -
> "uid=gfoe,ou=people,o=usharesoft" is not a valid email address]],
> [RequiredValuesMissing [userId]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=jeff4,ou=people,o=usharesoft - "uid=jeff4,ou=people,o=usharesoft"
> is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=Gioacchino,ou=people,o=usharesoft -
> "uid=Gioacchino,ou=people,o=usharesoft" is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=Vincenzo,ou=people,o=usharesoft -
> "uid=Vincenzo,ou=people,o=usharesoft" is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=moofink,ou=people,o=usharesoft -
> "uid=moofink,ou=people,o=usharesoft" is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message: {[InvalidValues
> [userId: uid=moo,ou=people,o=usharesoft -
> "uid=moo,ou=people,o=usharesoft" is not a valid email address]],
> [RequiredValuesMissing [userId]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=niknik,ou=people,o=usharesoft -
> "uid=niknik,ou=people,o=usharesoft" is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=user1,ou=people,o=usharesoft - "uid=user1,ou=people,o=usharesoft"
> is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=Gioacchino-1,ou=people,o=usharesoft -
> "uid=Gioacchino-1,ou=people,o=usharesoft" is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=Vincenzo-1,ou=people,o=usharesoft -
> "uid=Vincenzo-1,ou=people,o=usharesoft" is not a valid email address]]}
>
>
> Users created:
>
> Users updated:
>
> Users deleted:
>
>
> Roles created:
>
> Roles updated:
> UPDATE SUCCESS (id/name): 119/cn=managing director,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 120/cn=artdirector,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 121/cn=ROLE_NAME,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 122/cn=ROLE,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 123/cn=tink,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 124/cn=managing
> director-1,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 125/cn=managing
> director-1-1,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 126/cn=tink-1,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 127/cn=tink-2,ou=groups,o=usharesoft
>
> Roles deleted:
>
>
> rgds,
> Nik
>
>> Hi Guys,
>>
>> I have always had problems trying to get syncope synchronization (or
>> at least reconciliation) working in my setup.
>>
>> Assumptions:
>> 1) I can take as a given, that synchronization from ldap V3/openDJ to
>> syncope, of users and groups works and has been verified (for me it
>> would be a basic feature of any IDM)?
>> 2) that following the blog
>> http://blog.tirasa.net/blogs/index.php/ilgrosso/unlock-full-ldap-features-in
>> shows the correct way to enable synchronization/reconciliation for
>> OpenDJ resources.
>>
>> Given these 2 assumptions, I can conclude that I am missing some
>> important steps to configure this feature in syncope properly.
>>
>> After I do step 2) above and look at the log traces I see the following
>> output.
>>
>> 10:30:46.153 DEBUG
>> org.identityconnectors.framework.api.operations.SearchApiOp.search
>> Enter: search(ObjectClass: __ACCOUNT__, null,
>> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy$2@62f9d23b,
>> OperationOptions:
>> {ATTRS_TO_GET:[mail,sn,description,__UID__,__NAME__,displayName,__PASSWORD__,__ENABLE__]})
>> 10:30:46.156 WARN
>> org.connid.bundles.ldap.search.LdapSearch.getAttributesToGet Reading
>> passwords not supported
>> 10:30:46.156 WARN
>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>> LDAP attribute
>> 10:30:46.156 DEBUG
>> org.connid.bundles.ldap.search.DefaultSearchStrategy.doSearch
>> Searching in [ou=people,o=usharesoft, ou=groups,o=usharesoft] with
>> filter (&(objectClass=inetOrgPerson)(uid=*)) and SearchControls:
>> {returningAttributes=[cn, description, displayName, mail, sn,
>> userPassword], scope=SUBTREE}
>> 10:30:46.158 WARN
>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>> LDAP attribute
>> 10:30:46.159 WARN
>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>> LDAP attribute
>> 10:30:46.160 WARN
>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>> LDAP attribute
>> 10:30:46.160 WARN
>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>> LDAP attribute
>> 10:30:46.161 WARN
>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>> LDAP attribute
>> 10:30:46.162 DEBUG
>> org.identityconnectors.framework.api.operations.SearchApiOp.search
>> Exception:
>> java.lang.NullPointerException: null
>> at
>> org.apache.syncope.core.persistence.dao.impl.AttributableSearchDAOImpl.search(AttributableSearchDAOImpl.java:145)
>> ~[AttributableSearchDAOImpl.class:na]
>> at
>> org.apache.syncope.core.persistence.dao.impl.AttributableSearchDAOImpl.search(AttributableSearchDAOImpl.java:133)
>> ~[AttributableSearchDAOImpl.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.search(SyncopeSyncResultHandler.java:348)
>> ~[SyncopeSyncResultHandler.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.findByAttributableSearch(SyncopeSyncResultHandler.java:421)
>> ~[SyncopeSyncResultHandler.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.findExisting(SyncopeSyncResultHandler.java:453)
>> ~[SyncopeSyncResultHandler.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.doHandle(SyncopeSyncResultHandler.java:834)
>> ~[SyncopeSyncResultHandler.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.handle(SyncopeSyncResultHandler.java:262)
>> ~[SyncopeSyncResultHandler.class:na]
>> at
>> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy$2.handle(ConnectorFacadeProxy.java:367)
>> ~[ConnectorFacadeProxy$2.class:na]
>> at
>> org.identityconnectors.framework.impl.api.StreamHandlerUtil$ObjectStreamHandlerAdapter.handle(StreamHandlerUtil.java:79)
>> ~[connid-framework-internal-1.3.3.jar:na]
>> at
>> org.identityconnectors.framework.impl.api.BufferedResultsProxy.invoke(BufferedResultsProxy.java:268)
>> ~[connid-framework-internal-1.3.3.jar:na]
>> at
>> org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:102)
>> ~[connid-framework-internal-1.3.3.jar:na]
>> at com.sun.proxy.$Proxy182.search(Unknown Source) [na:na]
>> at sun.reflect.GeneratedMethodAccessor730.invoke(Unknown Source)
>> ~[na:na]
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> ~[na:1.7.0_19]
>> at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_19]
>> at
>> org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:76)
>> ~[connid-framework-internal-1.3.3.jar:na]
>> at com.sun.proxy.$Proxy182.search(Unknown Source) [na:na]
>> at
>> org.identityconnectors.framework.impl.api.AbstractConnectorFacade.search(AbstractConnectorFacade.java:142)
>> [connid-framework-internal-1.3.3.jar:na]
>> at
>> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy.search(ConnectorFacadeProxy.java:492)
>> [ConnectorFacadeProxy.class:na]
>> at
>> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy.getAllObjects(ConnectorFacadeProxy.java:357)
>> [ConnectorFacadeProxy.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncJob.executeWithSecurityContext(SyncJob.java:401)
>> [SyncJob.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncJob.doExecute(SyncJob.java:341)
>> [SyncJob.class:na]
>> at
>> org.apache.syncope.core.quartz.AbstractTaskJob.execute(AbstractTaskJob.java:104)
>> [AbstractTaskJob.class:na]
>> at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
>> [quartz-2.1.7.jar:na]
>> at
>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
>> [quartz-2.1.7.jar:na]
>>
>>
>> Any clues on how to proceed on getting the synchro/recon feature of
>> syncope working with OpenDJ?
>>
>> I attach the content.xml from the setup above which fails.
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
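
Added example, not part of the original thread and not Syncope code: a small triage script for a sync task report like the one quoted above, which groups the CREATE FAILURE entries by schema and flags any schema whose rejected values are all LDAP DNs, the symptom of the 'userId' mapping/validator mismatch described in the reply. The function names, the DN heuristic and the sample report (with placeholder DNs) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the sync task report quoted in the thread,
# wrapped across lines the way the mail client wrapped it.
SAMPLE_REPORT = """\
Users [created/failures]: 0/2 [updated/failures]: 0/0
Users failed to create: CREATE FAILURE (id/name): null/null with
message: {[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=alice,ou=people,o=example - "uid=alice,ou=people,o=example" is
not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[InvalidValues
[userId: uid=bob-1,ou=people,o=example -
"uid=bob-1,ou=people,o=example" is not a valid email address]],
[RequiredValuesMissing [userId]]}
"""

INVALID = re.compile(r'\[InvalidValues \[(\w+): (.+?) - "')
MISSING = re.compile(r'\[RequiredValuesMissing \[(\w+)\]\]')
# Rough shape of an LDAP DN: two or more attr=value pairs separated by commas.
DN_LIKE = re.compile(r'^\w+=[^,=]+(,\s*\w+=[^,=]+)+$')


def summarize_failures(report):
    """Group CREATE FAILURE entries by schema name and failure kind."""
    flat = " ".join(report.split())            # undo mail line wrapping
    entries = flat.split("CREATE FAILURE")[1:]  # drop the header before the first entry
    summary = defaultdict(lambda: {"invalid": [], "missing": 0})
    for entry in entries:
        for schema, value in INVALID.findall(entry):
            summary[schema]["invalid"].append(value)
        for schema in MISSING.findall(entry):
            summary[schema]["missing"] += 1
    return dict(summary)


def suspect_mappings(summary):
    """Schemas whose every rejected value is DN-shaped: likely fed the entry DN."""
    return sorted(schema for schema, d in summary.items()
                  if d["invalid"] and all(DN_LIKE.match(v) for v in d["invalid"]))


if __name__ == "__main__":
    result = summarize_failures(SAMPLE_REPORT)
    for schema in suspect_mappings(result):
        print(f"{schema}: {len(result[schema]['invalid'])} DN values rejected; "
              "compare the resource mapping with this schema's validator")
```
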