Problem building Primary Principal in LDAP Connector

    #1545

    Hello Forum!

    I am evaluating OpenIAM but I am struggling trying to provision a user to OpenLDAP and/or Active Directory (I have both). I have followed all the steps in the docs and have both my directories connected successfully.

    When I assign AD or LDAP resource to a user the process always fails in the same point:

    2020-08-28 09:14:11.226 ERROR 26171 — [TaskExecutor-15] o.o.i.p.s.u.UpdateUserProvisionOperation : Can’t create login for target System=AD Managed System

    org.openiam.exception.BasicDataServiceException: null
    at org.openiam.idm.provisioning.builder.PrimaryPrincipalBuilder.buildLogin(PrimaryPrincipalBuilder.java:55) ~[classes!/:na]
    at org.openiam.idm.provisioning.service.user.AbstractUserProvisionOperation.processIdentities(AbstractUserProvisionOperation.java:356) ~[classes!/:na]
    (…continues)

    I tried to read that class decompiling it and it seems that the login field for the user was null… but I am not sure about this.

    Can anyone throw a bit of light here?

    Thanks in advance,

    Xisco.

    #1546
    suneet_shah
    Keymaster

    Hi Xisco,

    The problem is most likely in the policy map or one of the groovy scripts. Can you post your managed system configuration and policy map for either one of these, and we can help you troubleshoot.

    #1547

    Hi Suneet,

    Thanks for your response. This is the status of the Managed System:

    AD Managed System ACTIVE ldaps://vs01dc01.joopbox.local 23494@127.0.0.1 Last Date:08/31/2020 09:03:32

    Here is the config for the Managed System:

    Managed System Name: AD Managed System
    Description: Active Directory Managed System
    Active
    URL: ldaps://vs01dc01.testnet.local
    Port: 636
    Password Policy: Defult Pwd Policy
    Communication Protocol: SSL
    Login Id: CN=adminiam,CN=Users,DC=testnet,DC=local
    Password: ••••••
    Object Primary Key for User: sAMAccountName
    Base DN for User: OU=Usuarios,DC=testnet,DC=local
    Search Base DN for User: OU=Usuarios,DC=testnet,DC=local
    Search Filter for User: (&(objectclass=user)(sAMAccountName=?))
    Object Primary Key for Group: cn
    Base DN for Group: OU=Grupos,DC=testnet,DC=local
    Search Base DN for Group: OU=Grupos,DC=testnet,DC=local
    Search Filter for Group: (&(objectclass=user)(cn=?))
    Search Scope: Subtree
    Target System Type: ACTIVE DIRECTORY
    Category: DIRECTORIES

    Attributes
    Attribute Name MetaData Element Attribute Value Actions
    MANAGER_FIELD_NAME manager
    PASSWORD_FIELD_NAME unicodePwd
    GROUP_MEMBERSHIP_ENABLED Y
    INCLUDE_IN_PASSWORD_SYNC Y
    ON_DELETE DELETE
    MEMBER_FIELD_NAME member

    Authentication Providers
    No Authentication Providers found

    The policy map associated with this managed system is this one (the one coming with the default connector):

    PRINCIPAL sAMAccountName POLICY ad-sAMAccountName STRING
    USER accountExpires POLICY ad-accountExpires STRING
    USER c POLICY ad-c STRING
    USER cn POLICY ad-cn STRING
    USER co POLICY ad-co STRING
    USER company POLICY ad-company STRING
    USER department POLICY ad-department STRING
    USER displayName POLICY ad-displayName STRING
    USER division POLICY ad-division STRING
    USER employeeID POLICY ad-employeeId STRING
    USER employeeNumber POLICY ad-employeeNumber STRING
    USER employeeType POLICY ad-employeeType STRING
    USER givenName POLICY ad-givenName STRING
    USER homeDirectory POLICY ad-homeDirectory STRING
    USER homeDrive POLICY ad-homeDrive STRING
    USER initials POLICY ad-initials STRING
    USER l POLICY ad-l STRING
    USER mail POLICY ad-mail STRING
    USER manager POLICY ad-manager STRING
    USER memberOf POLICY ad-memberOf STRING
    USER mobile POLICY ad-mobile STRING
    USER objectClass POLICY ad-objectClass STRING
    USER ou POLICY ad-ou STRING
    USER postalCode POLICY ad-postalCode STRING
    USER sn POLICY ad-sn STRING
    USER st POLICY ad-st STRING
    USER streetAddress POLICY ad-streetAddress STRING
    USER telephoneNumber POLICY ad-telephoneNumber STRING
    USER thumbnailPhoto POLICY ad-thumbnailPhoto STRING
    USER title POLICY ad-title STRING
    USER userPrincipalName POLICY ad-userPrincipalName STRING
    PASSWORD unicodePwd POLICY ad-unicodePwd STRING
    USER userAccountControl POLICY ad-userAccountControl STRING

    I have not customized any of these mappings nor any groovy script.

    If you need any other info I’ll be pleased to send it.

    Thanks in advance,

    Xisco.

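A small consistency check over the managed-system settings and policy map posted above, as an added example that is not part of this thread or of OpenIAM's code; it assumes (not confirmed by the thread or OpenIAM docs) that the single PRINCIPAL row should name the same attribute as "Object Primary Key for User" and that each search filter should select the object class it is meant to find.

```python
import re

# Constructed from the managed-system settings posted in the thread above.
MANAGED_SYSTEM = {
    "user_primary_key": "sAMAccountName",
    "user_search_filter": "(&(objectclass=user)(sAMAccountName=?))",
    "group_primary_key": "cn",
    "group_search_filter": "(&(objectclass=user)(cn=?))",
}

# Constructed excerpt of the posted policy map, one flattened row per line.
POLICY_MAP_TEXT = """\
PRINCIPAL sAMAccountName POLICY ad-sAMAccountName STRING
USER cn POLICY ad-cn STRING
USER userPrincipalName POLICY ad-userPrincipalName STRING
PASSWORD unicodePwd POLICY ad-unicodePwd STRING
"""

def parse_policy_map(text):
    """Parse 'TYPE attribute POLICY policy-name DATATYPE' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "POLICY":
            rows.append({"type": parts[0], "attr": parts[1],
                         "policy": parts[3], "datatype": parts[4]})
    return rows

def objectclass_of(ldap_filter):
    # Return the objectclass an LDAP filter selects (lower-cased), or None.
    m = re.search(r"\(objectclass=([^)]+)\)", ldap_filter, re.IGNORECASE)
    return m.group(1).lower() if m else None

def check_config(ms, policy_map):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    # Assumption (hypothetical, not from OpenIAM docs): one PRINCIPAL row mapping the user primary key.
    principals = [r for r in policy_map if r["type"] == "PRINCIPAL"]
    if len(principals) != 1:
        findings.append(f"expected one PRINCIPAL row, found {len(principals)}")
    elif principals[0]["attr"] != ms["user_primary_key"]:
        findings.append(f"PRINCIPAL maps {principals[0]['attr']}, "
                        f"but user primary key is {ms['user_primary_key']}")
    # Each search filter should select its own object class and its primary key.
    for kind in ("user", "group"):
        flt, pk = ms[f"{kind}_search_filter"], ms[f"{kind}_primary_key"]
        if objectclass_of(flt) != kind:
            findings.append(f"{kind} filter selects objectclass={objectclass_of(flt)}, expected {kind}")
        if f"({pk}=?)" not in flt:
            findings.append(f"{kind} search filter does not use primary key {pk}")
    return findings
```

Run against the posted values it flags only the group search filter, which selects objectclass=user; the PRINCIPAL row itself matches the user primary key.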
    #1551

    I have been doing a lot of testing; we are going to leave OpenIAM aside. It seems like the community edition has no community at all, and it becomes kind of useless.

    Getting a look at the logs I see messages like:

    idm.out:
    2020-09-01 10:36:45.998 WARN 7866 — [cTaskExecutor-1] m.g.i.ConnectorRequestServiceGatewayImpl : LDAP_Connector_1.SEARCH API Response is not received from connector!

    /var/log/messages (error related to elasticsearch)

    Sep 1 10:53:04 vs01iam01 elasticsearch: [2020-09-01 10:53:04,715][DEBUG][action.search ] [Boomslang] [2318] Failed to execute query phase
    Sep 1 10:53:04 vs01iam01 elasticsearch: RemoteTransportException[[Boomslang][127.0.0.1:9300][indices:data/read/search[phase/scan/scroll]]]; nested: SearchContextMissingException[No search context found for id [2318]];
    Sep 1 10:53:04 vs01iam01 elasticsearch: Caused by: SearchContextMissingException[No search context found for id [2318]]
    Sep 1 10:53:04 vs01iam01 elasticsearch: at org.elasticsearch.search.SearchService.findContext(SearchService.java:626)
    Sep 1 10:53:04 vs01iam01 elasticsearch: at org.elasticsearch.search.SearchService.executeScan(SearchService.java:318)
    Sep 1 10:53:04 vs01iam01 elasticsearch: at org.elasticsearch.search.action.SearchServiceTransportAction$SearchScanScrollTransportHandler.messageReceived(SearchServiceTransportAction.java:433)
    Sep 1 10:53:04 vs01iam01 elasticsearch: at org.elasticsearch.search.action.SearchServiceTransportAction$SearchScanScrollTransportHandler.messageReceived(SearchServiceTransportAction.java:430)
    Sep 1 10:53:04 vs01iam01 elasticsearch: at org.elasticsearch.transport.TransportRequestHandler.messageReceived(TransportRequestHandler.java:33)
    Sep 1 10:53:04 vs01iam01 elasticsearch: at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:77)
    Sep 1 10:53:04 vs01iam01 elasticsearch: at org.elasticsearch.transport.TransportService$4.doRun(TransportService.java:378)
    Sep 1 10:53:04 vs01iam01 elasticsearch: at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
    Sep 1 10:53:04 vs01iam01 elasticsearch: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    Sep 1 10:53:04 vs01iam01 elasticsearch: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    Sep 1 10:53:04 vs01iam01 elasticsearch: at java.lang.Thread.run(Thread.java:748)

    Can’t find sources of information regarding these errors… this is getting a little frustrating, so I give up till next version (crossing my fingers…)
