That's right Francesco and thanks for responding to my mails to confirm it.

All is working now with syncope to ldap reconciliation; we will not be using synchronization for the present. When I understood exactly how the relationships through the mappings worked (my bugbear), the syncope-opendj reconciliation worked like a charm and everything started to become a bit clearer ;-)

Now we need to get the REST API working to have the same behaviour with our app as the syncope-console, and
we're done with the "first steps" proof of use case for our needs.

Thanks again for all the help given.

Best Regards,
Nik

Hi Nik,
as far as I understand from your e-mail below:

The first e-mail troubles were caused by a Synchronization Policy with
no alternative schemas set: I took anyway inspiration from that for
making such handling more robust (and avoid NPE!).

The second e-mail troubles seem to be caused by an incorrect user
mapping: actually, it seems to me that you copied the mapping from my
blog post but left the user attribute schemas as per the standalone
distribution. In particular, 'userId' is configured with an e-mail
address validator but is mapped to a DN
("uid=nik,ou=people,o=usharesoft" is not a valid email address).

HTH
Regards.

On 10/05/2013 12:47, Nik wrote:
Hi Guys,

I think I made some new progress on understanding my problems with
synchro/recon.
I started from scratch, rebuilt my env based on 1.1.2-SNAPSHOT.
Followed the blog and now I'm getting closer to get the ldap users
created on syncope (my goal).

I believe all my issues are coming from bad mappings and bad
interpretation on my part from the docs:

When I look at the sync task log I see what is failing now in my
mappings:

e.g.

Users [created/failures]: 0/13 [updated/failures]: 0/0
[deleted/failures]: 0/0
Roles [created/failures]: 0/0 [updated/failures]: 9/0
[deleted/failures]: 0/0

Users failed to create: CREATE FAILURE (id/name): null/null with
message: {[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=nik,ou=people,o=usharesoft - "uid=nik,ou=people,o=usharesoft" is
not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[InvalidValues
[userId: uid=olive,ou=people,o=usharesoft -
"uid=olive,ou=people,o=usharesoft" is not a valid email address]],
[RequiredValuesMissing [userId]]}
CREATE FAILURE (id/name): null/null with message:
{[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=bolive,ou=people,o=usharesoft -
"uid=bolive,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[InvalidValues
[userId: uid=gfoe,ou=people,o=usharesoft -
"uid=gfoe,ou=people,o=usharesoft" is not a valid email address]],
[RequiredValuesMissing [userId]]}
CREATE FAILURE (id/name): null/null with message:
{[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=jeff4,ou=people,o=usharesoft - "uid=jeff4,ou=people,o=usharesoft"
is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message:
{[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=Gioacchino,ou=people,o=usharesoft -
"uid=Gioacchino,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message:
{[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=Vincenzo,ou=people,o=usharesoft -
"uid=Vincenzo,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message:
{[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=moofink,ou=people,o=usharesoft -
"uid=moofink,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[InvalidValues
[userId: uid=moo,ou=people,o=usharesoft -
"uid=moo,ou=people,o=usharesoft" is not a valid email address]],
[RequiredValuesMissing [userId]]}
CREATE FAILURE (id/name): null/null with message:
{[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=niknik,ou=people,o=usharesoft -
"uid=niknik,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message:
{[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=user1,ou=people,o=usharesoft - "uid=user1,ou=people,o=usharesoft"
is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message:
{[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=Gioacchino-1,ou=people,o=usharesoft -
"uid=Gioacchino-1,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message:
{[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=Vincenzo-1,ou=people,o=usharesoft -
"uid=Vincenzo-1,ou=people,o=usharesoft" is not a valid email address]]}


Users created:

Users updated:

Users deleted:


Roles created:

Roles updated:
UPDATE SUCCESS (id/name): 119/cn=managing director,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 120/cn=artdirector,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 121/cn=ROLE_NAME,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 122/cn=ROLE,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 123/cn=tink,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 124/cn=managing
director-1,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 125/cn=managing
director-1-1,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 126/cn=tink-1,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 127/cn=tink-2,ou=groups,o=usharesoft

Roles deleted:


rgds,
Nik

Hi Guys,

I have always had problems trying to get syncope synchronization (or
at least reconciliation) working in my setup.

Assumptions:
1) I can take as a given, that synchronization from ldap V3/openDJ to
syncope, of users and groups works and has been verified (for me it
would be a basic feature of any IDM)?
2) that following the blog
http://blog.tirasa.net/blogs/index.php/ilgrosso/unlock-full-ldap-features-in
shows the correct way to enable synchronization/reconciliation for
OpenDJ resources.

Given these 2 assumptions, I can conclude that I am missing some
important steps to configure this feature in syncope properly.

After I do step 2) above and look at the log traces I see the following
output.

10:30:46.153 DEBUG
org.identityconnectors.framework.api.operations.SearchApiOp.search
Enter: search(ObjectClass: __ACCOUNT__, null,
org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy$2@62f9d23b,
OperationOptions:
{ATTRS_TO_GET:[mail,sn,description,__UID__,__NAME__,displayName,__PASSWORD__,__ENABLE__]})
10:30:46.156 WARN
org.connid.bundles.ldap.search.LdapSearch.getAttributesToGet Reading
passwords not supported
10:30:46.156 WARN
org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
LDAP attribute
10:30:46.156 DEBUG
org.connid.bundles.ldap.search.DefaultSearchStrategy.doSearch
Searching in [ou=people,o=usharesoft, ou=groups,o=usharesoft] with
filter (&(objectClass=inetOrgPerson)(uid=*)) and SearchControls:
{returningAttributes=[cn, description, displayName, mail, sn,
userPassword], scope=SUBTREE}
10:30:46.158 WARN
org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
LDAP attribute
10:30:46.159 WARN
org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
LDAP attribute
10:30:46.160 WARN
org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
LDAP attribute
10:30:46.160 WARN
org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
LDAP attribute
10:30:46.161 WARN
org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
LDAP attribute
10:30:46.162 DEBUG
org.identityconnectors.framework.api.operations.SearchApiOp.search
Exception:
java.lang.NullPointerException: null
     at
org.apache.syncope.core.persistence.dao.impl.AttributableSearchDAOImpl.search(AttributableSearchDAOImpl.java:145)
~[AttributableSearchDAOImpl.class:na]
     at
org.apache.syncope.core.persistence.dao.impl.AttributableSearchDAOImpl.search(AttributableSearchDAOImpl.java:133)
~[AttributableSearchDAOImpl.class:na]
     at
org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.search(SyncopeSyncResultHandler.java:348)
~[SyncopeSyncResultHandler.class:na]
     at
org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.findByAttributableSearch(SyncopeSyncResultHandler.java:421)
~[SyncopeSyncResultHandler.class:na]
     at
org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.findExisting(SyncopeSyncResultHandler.java:453)
~[SyncopeSyncResultHandler.class:na]
     at
org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.doHandle(SyncopeSyncResultHandler.java:834)
~[SyncopeSyncResultHandler.class:na]
     at
org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.handle(SyncopeSyncResultHandler.java:262)
~[SyncopeSyncResultHandler.class:na]
     at
org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy$2.handle(ConnectorFacadeProxy.java:367)
~[ConnectorFacadeProxy$2.class:na]
     at
org.identityconnectors.framework.impl.api.StreamHandlerUtil$ObjectStreamHandlerAdapter.handle(StreamHandlerUtil.java:79)
~[connid-framework-internal-1.3.3.jar:na]
     at
org.identityconnectors.framework.impl.api.BufferedResultsProxy.invoke(BufferedResultsProxy.java:268)
~[connid-framework-internal-1.3.3.jar:na]
     at
org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:102)
~[connid-framework-internal-1.3.3.jar:na]
     at com.sun.proxy.$Proxy182.search(Unknown Source) [na:na]
     at sun.reflect.GeneratedMethodAccessor730.invoke(Unknown Source)
~[na:na]
     at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[na:1.7.0_19]
     at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_19]
     at
org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:76)
~[connid-framework-internal-1.3.3.jar:na]
     at com.sun.proxy.$Proxy182.search(Unknown Source) [na:na]
     at
org.identityconnectors.framework.impl.api.AbstractConnectorFacade.search(AbstractConnectorFacade.java:142)
[connid-framework-internal-1.3.3.jar:na]
     at
org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy.search(ConnectorFacadeProxy.java:492)
[ConnectorFacadeProxy.class:na]
     at
org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy.getAllObjects(ConnectorFacadeProxy.java:357)
[ConnectorFacadeProxy.class:na]
     at
org.apache.syncope.core.sync.impl.SyncJob.executeWithSecurityContext(SyncJob.java:401)
[SyncJob.class:na]
     at
org.apache.syncope.core.sync.impl.SyncJob.doExecute(SyncJob.java:341)
[SyncJob.class:na]
     at
org.apache.syncope.core.quartz.AbstractTaskJob.execute(AbstractTaskJob.java:104)
[AbstractTaskJob.class:na]
     at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
[quartz-2.1.7.jar:na]
     at
org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
[quartz-2.1.7.jar:na]


Any clues on how to proceed on getting the synchro/recon feature of
syncope working with OpenDJ?

I attach the content.xml from the setup above which fails.
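
Added example, not part of the original thread and not Syncope code: a small triage script for a sync task report in the format quoted above, which groups the CREATE FAILURE entries by attribute and validator message and counts how many rejected values are DN-shaped, the pattern that points at the kind of mapping/schema mismatch diagnosed in the reply. The sample report is constructed (o=example entries), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the sync task report quoted in the thread
SAMPLE_REPORT = """\
Users [created/failures]: 0/2 [updated/failures]: 0/0
[deleted/failures]: 0/0
Users failed to create: CREATE FAILURE (id/name): null/null with
message: {[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=alice,ou=people,o=example - "uid=alice,ou=people,o=example" is
not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[InvalidValues
[userId: uid=bob,ou=people,o=example -
"uid=bob,ou=people,o=example" is not a valid email address]],
[RequiredValuesMissing [userId]]}
"""

INVALID = re.compile(r'\[InvalidValues \[(\w+): (.+?) - "(.+?)" ([^\]]+)\]\]')
MISSING = re.compile(r'\[RequiredValuesMissing \[([^\]]+)\]\]')
DN_LIKE = re.compile(r'^\w+=[^,=]+(,\w+=[^,=]+)+$')


def parse_failures(report):
    """Return one dict per CREATE FAILURE entry, tolerating wrapped lines."""
    flat = " ".join(report.split())  # undo mail-client line wrapping
    failures = []
    for entry in flat.split("CREATE FAILURE")[1:]:
        invalid = [{"attr": a, "value": v, "reason": r.strip()}
                   for a, v, _quoted, r in INVALID.findall(entry)]
        missing = [m.strip() for grp in MISSING.findall(entry)
                   for m in grp.split(",")]
        failures.append({"invalid": invalid, "missing": missing})
    return failures


def summarize(failures):
    """Count rejections per (attribute, reason) and how many values look like DNs."""
    counts, dn_like = Counter(), Counter()
    for failure in failures:
        for item in failure["invalid"]:
            key = (item["attr"], item["reason"])
            counts[key] += 1
            dn_like[key] += bool(DN_LIKE.match(item["value"]))
    return {k: {"count": counts[k], "dn_like": dn_like[k]} for k in counts}


if __name__ == "__main__":
    for (attr, reason), s in summarize(parse_failures(SAMPLE_REPORT)).items():
        print(f"{attr}: {s['count']} rejected ({reason}), {s['dn_like']} DN-shaped")
```

When every rejected value for one attribute is DN-shaped, the attribute is receiving the entry name rather than the LDAP attribute its validator expects, so either the mapping or the schema validator needs to change.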
