Re: Configuring LDAP connector

Tue, 20 Dec 2016 14:24:40 -0800 

Dear Francesco,
we modified the JEXL expression putting the same expression your proposed (adapted to our LDAP), but when we enter in the explore resource we just have a drop down where is present "USER", down to it there are __UID__ , __NAME__ and __ENABLE__ , but there is nothing else, even if I supposed that something should appear. 

Have you any idea of what could it be?

Thanks






On 2016-12-19 10:26, Francesco Chicchiriccò wrote:

Hi,
I have just replicated your configuration below to ensure I was
providing adequate answers: see my replies below.

Regards.

On 17/12/2016 20:19, PSYND wrote:

Dear Experts,

we are trying to configure the OLDAP connector with Syncope 2.0.1.

We are using bundle 1.5.1.


We create a connector, we don't configure anything else but admin 
username, password, rootcontext, server and port.


We save and we create a resource connected to the connector:
- In the first page we don't modify anything
- in the second page we select all the Capabilities
- No policies (Account, pwd and pull)
We finish.

After we edit the provisioning rules:
- We select USER (__ACCOUNT__)
- No auxiliary classes
- Mapping:
--- username -> cn (key)
--- email -> mail
--- lastName -> sn
--- username -> uid
- No Object Link


This is the problem: an "Object Link" for ConnId is something that is
generally not used unless a hierarchical resource (e.g. LDAP or Active
Directory) is to be linked.

Object Link is a JEXL expression that is used as model for generating
the target DN on the external resource which corresponds to an
internal entity.
Hence, given your mapping above, a value for object link could be

'cn=' + username + ',ou=People,dc=tirasa,dc=net'

Once the mapping is defined, the easiest way to check that everything
is working is to click on the "Explore resource" link from the given
resource's contextual menu in the Topology.


We save, we try to provision but there is a failure:


How are you trying to provision? The stacktrace below is definitely an
error that must be handled, but I wasn't able to reproduce.
Which language were you using? English / Italian / Brazilian
Portuguese / Russian?

Please be sure to read

https://syncope.apache.org/docs/reference-guide.html#provisioning

to understand how the provisioning process is managed.

In particular, consider the difference between Propagation

https://syncope.apache.org/docs/reference-guide.html#propagation

and Push

https://syncope.apache.org/docs/reference-guide.html#provisioning-push


Root cause:


java.util.MissingResourceException: Unable to find property: 'start' 
for component: 
body:toggle:outerObjectsRepeater:1:outer:form:content:tasks:secondLevelContainer:second:executions:secondLevelContainer:second:container:selectedObjects:topToolbars:toolbars:2:headers:2:header:orderByLink:header_body:label 
[class=org.apache.wicket.markup.html.basic.Label]. Locale: null, 
style: null

     at org.apache.wicket.Localizer.getString(Localizer.java:268)

     at 
org.apache.wicket.model.ResourceModel$AssignmentWrapper.load(ResourceModel.java:129)
     at 
org.apache.wicket.model.ResourceModel$AssignmentWrapper.load(ResourceModel.java:99)
     at 
org.apache.wicket.model.LoadableDetachableModel.getObject(LoadableDetachableModel.java:134)
     at 
org.apache.wicket.Component.getDefaultModelObject(Component.java:1626)
     at 
org.apache.wicket.Component.getDefaultModelObjectAsString(Component.java:1654)
     at 
org.apache.wicket.markup.html.basic.Label.onComponentTagBody(Label.java:115)
     at 
org.apache.wicket.markup.html.panel.DefaultMarkupSourcingStrategy.onComponentTagBody(DefaultMarkupSourcingStrategy.java:70)
     at 
org.apache.wicket.Component.internalRenderComponent(Component.java:2565)
     at 
org.apache.wicket.markup.html.WebComponent.onRender(WebComponent.java:60)
     at 
org.apache.wicket.Component.internalRender(Component.java:2380)

     at org.apache.wicket.Component.render(Component.java:2308)

     at 
org.apache.wicket.MarkupContainer.renderNext(MarkupContainer.java:1521)



We tried to clone the resource with the same information but using 
pull instead of push.

We launch the scheduler and we have this:

JobExecutionException: While pulling from connector

org.quartz.JobExecutionException: While pulling from connector [See 
nested exception: 
org.identityconnectors.framework.common.exceptions.ConnectorException: 
No attribute named entryUUID found in the search result]
    at 
org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:284)
    at 
org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:60)
    at 
org.apache.syncope.core.provisioning.java.pushpull.AbstractProvisioningJobDelegate.doExecute(AbstractProvisioningJobDelegate.java:558)
    at 
org.apache.syncope.core.provisioning.java.job.AbstractSchedTaskJobDelegate.execute(AbstractSchedTaskJobDelegate.java:96)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

    at java.lang.reflect.Method.invoke(Method.java:498)

    at 
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)





apparently is missing the entryUUID, that it's missing in our OLDAP.


We removed this reference from the Connector and we changed entryUUID 
with UID


As specified by the configuration reference for the ConnId bundle that
you are using:

https://connid.atlassian.net/wiki/display/BASE/LDAP

entryUUID is the default value for 'uidAttribute'; since you are
setting 'cn' to be the remote key (as stated above), here's why you
need to change the LDAP connector configuration accordingly,


we launch again the scheduler :

JobExecutionException: While pulling from connector

org.quartz.JobExecutionException: While pulling from connector [See 
nested exception: java.lang.IllegalArgumentException: Must be a single 
value.]
    at 
org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:284)
    at 
org.apache.syncope.core.provisioning.java.pushpull.PullJobDelegate.doExecuteProvisioning(PullJobDelegate.java:60)
    at 
org.apache.syncope.core.provisioning.java.pushpull.AbstractProvisioningJobDelegate.doExecute(AbstractProvisioningJobDelegate.java:558)


This error means that, giving the mapping defined above, there are
multiple matching for something that is instead supposed to uniquely
identify the object.

You can naturally find much details in the logs, in particular 
core-connid.log


Please also consider that, for OpenLDAP, the ConnId LDAP connector
does not implement yet the SYNC operation, hence the INCREMENTAL pull
mode is not working; more at

https://syncope.apache.org/docs/reference-guide.html#pull-mode






















					Reply via email to