Posted to user@syncope.apache.org by Antony Pulicken <an...@gmail.com> on 2012/03/13 06:38:59 UTC

Syncope | Error while provisioning user to LDAP

Hi,

I'm getting the following error while provisioning a user from syncope to
LDAP.

org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Entry uid=user201,ou=people,dc=opensso,dc=java,dc=net cannot be added because it includes attribute entryUUID which is defined as NO-USER-MODIFICATION in the server schema]; remaining name 'uid=user201,ou=people,dc=opensso,dc=java,dc=net'
    at org.identityconnectors.ldap.schema.LdapSchemaMapping.create(LdapSchemaMapping.java:325) ~[na:na]
    at org.identityconnectors.ldap.modify.LdapCreate$1.access(LdapCreate.java:144) ~[na:na]
    at org.identityconnectors.ldap.schema.GuardedPasswordAttribute$Simple$1.access(GuardedPasswordAttribute.java:75) ~[na:na]

I think the attribute 'entryUUID' is getting included because we are
setting one of the field/mapping as the account Id (and it's mandatory to
do that in Syncope).

It worked only when I added a check for 'entryUUID' and excluded the same
from the attributes while creating the sub context in the LDAP connector
code (LdapSchemaMapping.create()). Please let me know whether there is any
better way to make it work?

I have also attached the screen shot of my LDAP Resource mapping in syncope.

Regards,
Antony.

Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP

Posted by Antony Pulicken <an...@gmail.com>.
Hi Fabio,

Further to the mail below, please find the log messages from OpenDS,
especially the line that I have highlighted in bold. Please let me know
your comments.

[15/Mar/2012:11:17:34 +0100] SEARCH REQ conn=12 op=17 msgID=18 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[15/Mar/2012:11:17:34 +0100] SEARCH RES conn=12 op=17 msgID=18 result=0
nentries=1 etime=1
[15/Mar/2012:11:17:34 +0100] SEARCH REQ conn=12 op=18 msgID=19
*base="ou=people,dc=opensso,dc=java,dc=net"
scope=wholeSubtree
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(entryUUID=syncopeuser004))"
*attrs="audio,businessCategory,carLicense,cn,departmentNumber,description,destinationIndicator,displayName,employeeNumber,employeeType,entryUUID,facsimileTelephoneNumber,givenName,homePhone,homePostalAddress,initials,internationaliSDNNumber,jpegPhoto,l,labeledURI,mail,manager,mobile,o,objectClass,ou,pager,photo,physicalDeliveryOfficeName,postalAddress,postalCode,postOfficeBox,preferredDeliveryMethod,preferredLanguage,registeredAddress,roomNumber,secretary,seeAlso,sn,st,street,telephoneNumber,teletexTerminalIdentifier,telexNumber,title,uid,userCertificate;binary,userPassword,userPKCS12,userSMIMECertificate,x121Address,x500UniqueIdentifier"
[15/Mar/2012:11:17:34 +0100] SEARCH RES conn=12 op=18 msgID=19 result=0
nentries=0 etime=4
[15/Mar/2012:11:17:34 +0100] SEARCH REQ conn=12 op=19 msgID=20 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[15/Mar/2012:11:17:34 +0100] SEARCH RES conn=12 op=19 msgID=20 result=0
nentries=1 etime=1
[15/Mar/2012:11:17:34 +0100] ADD REQ conn=12 op=20 msgID=21
dn="uid=syncopeuser004,ou=people,dc=opensso,dc=java,dc=net"
[15/Mar/2012:11:17:34 +0100] ADD RES conn=12 op=20 msgID=21 result=68
message="The entry uid=syncopeuser004,ou=people,dc=opensso,dc=java,dc=net
cannot be added because an entry with that name already exists" etime=1
[15/Mar/2012:11:18:57 +0100] SEARCH REQ conn=12 op=21 msgID=22 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[15/Mar/2012:11:18:57 +0100] SEARCH RES conn=12 op=21 msgID=22 result=0
nentries=1 etime=0


Regards,
Antony.

On Thu, Mar 15, 2012 at 3:29 PM, Antony Pulicken
<an...@gmail.com> wrote:

> Thanks a lot Fabio and get well soon :-)
>
> 1. We are using OpenDS
> 2. I have attached the screenshots of mapping and the connector
> configuration
>
> I'm facing another issue now. I doubt it is occurring because the LDAP
> connector configuration is incorrect. The issue is the updates from AD are
> not getting synced to LDAP. When an update happens in AD, it's getting
> synced to syncope and then the LDAP search is getting invoked. Even though
> the user exists in LDAP, it's returning null and because of that Create is
> getting triggered. Can you please take a look at the configuration and spot
> anything that is obvious ?
>
> Regards,
> Antony.
>
>
>
>
> On Thu, Mar 15, 2012 at 1:33 PM, Fabio Martelli <fa...@gmail.com> wrote:
>
>> Hi Antony, could you give me more info to reproduce the problem?
>>
>> 1. What ldap server are you using?
>> 2. Can you provide your connector configuration screenshot?
>>
>> I am sick at the moment but  I will do my best to reply to you asap.
>>
>> Regards,
>> F.
>> On 14 Mar 2012 04:39, "Antony Pulicken" <an...@gmail.com>
>> wrote:
>>
>>> Thanks Fabio for the response. I removed the Uid attribute mapping, but
>>> the result is the same.  The javax.naming.directory.Attributes object
>>> passed to the LdapSchemaMapping.create() still has 'entryuuid=entryUUID:
>>> user314' as one of the value and it fails if I don't add the check that I
>>> mentioned in my earlier mail.
>>>
>>> Regards,
>>> Antony.
>>>
>>> On Tue, Mar 13, 2012 at 3:32 PM, Fabio Martelli <
>>> fabio.martelli@gmail.com> wrote:
>>>
>>>>
>>>> On 13 Mar 2012, at 06:43, Antony Pulicken wrote:
>>>>
>>>> Attaching the screenshots again as there was some issue last time....
>>>>
>>>> On Tue, Mar 13, 2012 at 11:08 AM, Antony Pulicken <
>>>> antony.pulicken@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm getting the following error while provisioning a user from syncope
>>>>> to LDAP.
>>>>>
>>>>> org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Entry uid=user201,ou=people,dc=opensso,dc=java,dc=net cannot be added because it includes attribute entryUUID which is defined as NO-USER-MODIFICATION in the server schema]; remaining name 'uid=user201,ou=people,dc=opensso,dc=java,dc=net'
>>>>>     at org.identityconnectors.ldap.schema.LdapSchemaMapping.create(LdapSchemaMapping.java:325) ~[na:na]
>>>>>     at org.identityconnectors.ldap.modify.LdapCreate$1.access(LdapCreate.java:144) ~[na:na]
>>>>>     at org.identityconnectors.ldap.schema.GuardedPasswordAttribute$Simple$1.access(GuardedPasswordAttribute.java:75) ~[na:na]
>>>>>
>>>>> I think the attribute 'entryUUID' is getting included because we
>>>>> are setting one of the field/mapping as the account Id (and it's mandatory
>>>>> to do that in Syncope).
>>>>>
>>>>> It worked only when I added a check for 'entryUUID' and excluded
>>>>> the same from the attributes while creating the sub context in the LDAP
>>>>> connector code (LdapSchemaMapping.create()). Please let me know whether
>>>>> there is any better way to make it work?
>>>>>
>>>>> I have also attached the screen shot of my LDAP Resource mapping in
>>>>> syncope.
>>>>>
>>>>
>>>> Hi Antony,
>>>> you don't have to map uid. Uid attribute mapping will be generated
>>>> implicitly by defining the AccountId.
>>>>
>>>> Let me know if the problem persists.
>>>>
>>>> Regards,
>>>> F.
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Regards,
>>>>> Antony.
>>>>>
>

Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP

Posted by Fabio Martelli <fa...@gmail.com>.
On 15 Mar 2012, at 11:52, Emmanuel Lécharny wrote:

> On 3/15/12 11:27 AM, Fabio Martelli wrote:
>> On 15 Mar 2012, at 10:59, Antony Pulicken wrote:
>> 
>>> Thanks a lot Fabio and get well soon :-)
>>> 
>>> 1. We are using OpenDS
>>> 2. I have attached the screenshots of mapping and the connector configuration
>>> 
>>> I'm facing another issue now. I doubt it is occurring because the LDAP connector configuration is incorrect. The issue is the updates from AD are not getting synced to LDAP. When an update happens in AD, it's getting synced to syncope and then the LDAP search is getting invoked. Even though the user exists in LDAP, it's returning null and because of that Create is getting triggered. Can you please take a look at the configuration and spot anything that is obvious ?
>> Hi Antony,
>> you are using uid in your AccountLink and Username as AccountId -->  this could generate problems ....
>> 
>> 1. Consider that in this way syncope will create users with specified DN (AccountLink) but it will search for users using the Username
>> 2. In a certain way you are creating an entry specifying two UIDs:  as far as I know, this happens because you are creating an entry specifying the dn (including the former uid value) and the uid attribute (latter uid value). This is absolutely normal if and only if the two UIDs are the same.
> 
> FYI, a decent LDAP server will add the uid found in the DN if it's not present in the entry. For instance, adding :
> 
> dn: uid=jdoe,dc=example,dc=com
> ...
> uid:jacme
> ...
> 
> will create this entry :
> dn: uid=jdoe,dc=example,dc=com
> ...
> uid: jacme
> uid: jdoe
> ...
> 
> as the uid AT is multi-valued.
> 
> Now, this might not be the expected things.

This is exactly what I mean.
Thank you Emmanuel for your observation.

Regards,
F.

> -- 
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
> 


Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 3/15/12 11:27 AM, Fabio Martelli wrote:
> On 15 Mar 2012, at 10:59, Antony Pulicken wrote:
>
>> Thanks a lot Fabio and get well soon :-)
>>
>> 1. We are using OpenDS
>> 2. I have attached the screenshots of mapping and the connector configuration
>>
>> I'm facing another issue now. I doubt it is occurring because the LDAP connector configuration is incorrect. The issue is the updates from AD are not getting synced to LDAP. When an update happens in AD, it's getting synced to syncope and then the LDAP search is getting invoked. Even though the user exists in LDAP, it's returning null and because of that Create is getting triggered. Can you please take a look at the configuration and spot anything that is obvious ?
> Hi Antony,
> you are using uid in your AccountLink and Username as AccountId -->  this could generate problems ....
>
> 1. Consider that in this way syncope will create users with specified DN (AccountLink) but it will search for users using the Username
> 2. In a certain way you are creating an entry specifying two UIDs:  as far as I know, this happens because you are creating an entry specifying the dn (including the former uid value) and the uid attribute (latter uid value). This is absolutely normal if and only if the two UIDs are the same.

FYI, a decent LDAP server will add the uid found in the DN if it's not 
present in the entry. For instance, adding :

dn: uid=jdoe,dc=example,dc=com
...
uid:jacme
...

will create this entry :
dn: uid=jdoe,dc=example,dc=com
...
uid: jacme
uid: jdoe
...

as the uid AT is multi-valued.

Now, this might not be the expected things.


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP

Posted by Antony Pulicken <an...@gmail.com>.
Thanks Marco. That helped.

The resource mapping looks clean now as the account link is fine and I have
removed the 'uid' mapping that I created as a workaround.

But I still have the issue wherein the LDAP search is returning null and hence
an LDAP create is getting triggered instead of an LDAP Update when an 'update
Sync' is triggered from AD. Please find the latest logs from OpenDS. I have
also attached the latest resource mapping and connector configuration
screenshots.

[16/Mar/2012:02:06:28 +0100] SEARCH REQ conn=10 op=38 msgID=39 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[16/Mar/2012:02:06:28 +0100] SEARCH RES conn=10 op=38 msgID=39 result=0
nentries=1 etime=1
[16/Mar/2012:02:06:28 +0100] SEARCH REQ conn=10 op=39 msgID=40
base="ou=people,dc=opensso,dc=java,dc=net" scope=wholeSubtree
filter="(&(&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(entryUUID=syncopeuser011))"
attrs="audio,businessCategory,carLicense,cn,departmentNumber,description,destinationIndicator,displayName,employeeNumber,employeeType,entryUUID,facsimileTelephoneNumber,givenName,homePhone,homePostalAddress,initials,internationaliSDNNumber,jpegPhoto,l,labeledURI,mail,manager,mobile,o,objectClass,ou,pager,photo,physicalDeliveryOfficeName,postalAddress,postalCode,postOfficeBox,preferredDeliveryMethod,preferredLanguage,registeredAddress,roomNumber,secretary,seeAlso,sn,st,street,telephoneNumber,teletexTerminalIdentifier,telexNumber,title,uid,userCertificate;binary,userPassword,userPKCS12,userSMIMECertificate,x121Address,x500UniqueIdentifier"
[16/Mar/2012:02:06:28 +0100] SEARCH RES conn=10 op=39 msgID=40 result=0
nentries=0 etime=4
[16/Mar/2012:02:06:28 +0100] SEARCH REQ conn=10 op=40 msgID=41 base=""
scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[16/Mar/2012:02:06:28 +0100] SEARCH RES conn=10 op=40 msgID=41 result=0
nentries=1 etime=1
[16/Mar/2012:02:06:28 +0100] ADD REQ conn=10 op=41 msgID=42
dn="uid=syncopeuser011,ou=people,dc=opensso,dc=java,dc=net"
[16/Mar/2012:02:06:28 +0100] ADD RES conn=10 op=41 msgID=42 result=68
message="The entry uid=syncopeuser011,ou=people,dc=opensso,dc=java,dc=net
cannot be added because an entry with that name already exists" etime=0


Thanks and Regards,
Antony.

On Thu, Mar 15, 2012 at 9:02 PM, Marco Di Sabatino Di Diodoro <
marco.disabatino@tirasa.net> wrote:

>
> On Mar 15, 2012, at 4:22 PM, Antony Pulicken wrote:
>
> Hi Fabio,
>
> Do you have any idea why the Username is not getting populated on the
> account link? Is it working on your side ? Please let me know.
>
> Regards,
> Antony.
>
> On Thu, Mar 15, 2012 at 4:23 PM, Antony Pulicken <
> antony.pulicken@gmail.com> wrote:
>
>> I had tried that before and tried it again now. If I configure 'Username'
>> in the account link, LDAP create will fail with this error:
>>
>> uid=,ou=people,dc=opensso,dc=java,dc=net: [LDAP: error code 34 - The provided value "uid=,ou=people,dc=opensso,dc=java,dc=net"
>>
>> could not be parsed as a valid distinguished name because an attribute value started with a character at position 5 that needs to be escaped]
>>
>>
>> Even though the user is created in syncope with a valid 'Username', it
>> doesn't get populated in the account link and that is why I added uid as a
>> workaround. Seems like a defect to me. What do you think?
>>
>
> username must be written all in lower case
>
> Regards
> Marco
>
>
>> Regards,
>> Antony.
>>
>>
>> On Thu, Mar 15, 2012 at 3:57 PM, Fabio Martelli <fabio.martelli@gmail.com> wrote:
>>
>>>
>>> On 15 Mar 2012, at 10:59, Antony Pulicken wrote:
>>>
>>> Thanks a lot Fabio and get well soon :-)
>>>
>>> 1. We are using OpenDS
>>>
>>> 2. I have attached the screenshots of mapping and the connector
>>> configuration
>>>
>>> I'm facing another issue now. I doubt it is occurring because the LDAP
>>> connector configuration is incorrect. The issue is the updates from AD are
>>> not getting synced to LDAP. When an update happens in AD, it's getting
>>> synced to syncope and then the LDAP search is getting invoked. Even though
>>> the user exists in LDAP, it's returning null and because of that Create is
>>> getting triggered. Can you please take a look at the configuration and spot
>>> anything that is obvious ?
>>>
>>>
>>> Hi Antony,
>>> you are using uid in your AccountLink and Username as AccountId --> this
>>> could generate problems ....
>>>
>>> 1. Consider that in this way syncope will create users with specified DN
>>> (AccountLink) but it will search for users using the Username
>>> 2. In a certain way you are creating an entry specifying two UIDs:  as
>>> far as I know, this happens because you are creating an entry specifying
>>> the dn (including the former uid value) and the uid attribute (latter uid
>>> value). This is absolutely normal if and only if the two UIDs are the same.
>>>
>>> Can you try to use Username into the AccountLink as well.
>>>
>>> Regards,
>>> F.
>>>
>>>
>>> Regards,
>>> Antony.
>>>
>>>
>>>
>>> On Thu, Mar 15, 2012 at 1:33 PM, Fabio Martelli <
>>> fabio.martelli@gmail.com> wrote:
>>>
>>>> Hi Antony, could you give me more info to reproduce the problem?
>>>>
>>>> 1. What ldap server are you using?
>>>> 2. Can you provide your connector configuration screenshot?
>>>>
>>>> I am sick at the moment but  I will do my best to reply to you asap.
>>>>
>>>> Regards,
>>>> F.
>>>> On 14 Mar 2012 04:39, "Antony Pulicken" <
>>>> antony.pulicken@gmail.com> wrote:
>>>>
>>>>> Thanks Fabio for the response. I removed the Uid attribute mapping,
>>>>> but the result is the same.  The javax.naming.directory.Attributes object
>>>>> passed to the LdapSchemaMapping.create() still has 'entryuuid=entryUUID:
>>>>> user314' as one of the value and it fails if I don't add the check that I
>>>>> mentioned in my earlier mail.
>>>>>
>>>>> Regards,
>>>>> Antony.
>>>>>
>>>>> On Tue, Mar 13, 2012 at 3:32 PM, Fabio Martelli <
>>>>> fabio.martelli@gmail.com> wrote:
>>>>>
>>>>>>
>>>>>> On 13 Mar 2012, at 06:43, Antony Pulicken wrote:
>>>>>>
>>>>>> Attaching the screenshots again as there was some issue last time....
>>>>>>
>>>>>> On Tue, Mar 13, 2012 at 11:08 AM, Antony Pulicken <
>>>>>> antony.pulicken@gmail.com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm getting the following error while provisioning a user from
>>>>>>> syncope to LDAP.
>>>>>>>
>>>>>>> org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Entry uid=user201,ou=people,dc=opensso,dc=java,dc=net cannot be added because it includes attribute entryUUID which is defined as NO-USER-MODIFICATION in the server schema]; remaining name 'uid=user201,ou=people,dc=opensso,dc=java,dc=net'
>>>>>>>     at org.identityconnectors.ldap.schema.LdapSchemaMapping.create(LdapSchemaMapping.java:325) ~[na:na]
>>>>>>>     at org.identityconnectors.ldap.modify.LdapCreate$1.access(LdapCreate.java:144) ~[na:na]
>>>>>>>     at org.identityconnectors.ldap.schema.GuardedPasswordAttribute$Simple$1.access(GuardedPasswordAttribute.java:75) ~[na:na]
>>>>>>>
>>>>>>> I think the attribute 'entryUUID' is getting included because we
>>>>>>> are setting one of the field/mapping as the account Id (and it's mandatory
>>>>>>> to do that in Syncope).
>>>>>>>
>>>>>>> It worked only when I added a check for 'entryUUID' and excluded
>>>>>>> the same from the attributes while creating the sub context in the LDAP
>>>>>>> connector code (LdapSchemaMapping.create()). Please let me know whether
>>>>>>> there is any better way to make it work?
>>>>>>>
>>>>>>> I have also attached the screen shot of my LDAP Resource mapping in
>>>>>>> syncope.
>>>>>>>
>>>>>>
>>>>>> Hi Antony,
>>>>>> you don't have to map uid. Uid attribute mapping will be generated
>>>>>> implicitly by defining the AccountId.
>>>>>>
>>>>>> Let me know if the problem persists.
>>>>>>
>>>>>> Regards,
>>>>>> F.
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Antony.
>>>>>>>
>
> --
>
> Dott. Marco Di Sabatino Di Diodoro
> Tel. +39 3939065570
>
> Tirasa S.r.l.
> Viale D'Annunzio 267 - 65127 Pescara
> Tel +39 0859116307 / FAX +39 0859111173
> http://www.tirasa.net
>
> Apache Syncope PPMC Member
> http://people.apache.org/~mdisabatino
>
>
>
>
>
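
The failure pattern in the OpenDS access log above (and in the 15 March log earlier in the thread) can be picked out mechanically: a search that returns nentries=0, followed on the same connection by an ADD that fails with result=68 for an entry whose RDN value is the value the search filter asked for under a different attribute. The following Python code is an added example, not part of the original mails or of Syncope/ConnId code; the function names are hypothetical and the sample log is constructed from the records quoted above, one record per line with the filter and attrs list shortened.

```python
import re

# Constructed sample: the records quoted in the thread, one per line as the
# server writes them, with the objectClass terms and attrs list shortened.
SAMPLE_LOG = '''\
[16/Mar/2012:02:06:28 +0100] SEARCH REQ conn=10 op=38 msgID=39 base="" scope=baseObject filter="(objectClass=*)" attrs="subschemaSubentry"
[16/Mar/2012:02:06:28 +0100] SEARCH RES conn=10 op=38 msgID=39 result=0 nentries=1 etime=1
[16/Mar/2012:02:06:28 +0100] SEARCH REQ conn=10 op=39 msgID=40 base="ou=people,dc=opensso,dc=java,dc=net" scope=wholeSubtree filter="(&(objectClass=inetOrgPerson)(entryUUID=syncopeuser011))" attrs="cn,entryUUID,uid"
[16/Mar/2012:02:06:28 +0100] SEARCH RES conn=10 op=39 msgID=40 result=0 nentries=0 etime=4
[16/Mar/2012:02:06:28 +0100] ADD REQ conn=10 op=41 msgID=42 dn="uid=syncopeuser011,ou=people,dc=opensso,dc=java,dc=net"
[16/Mar/2012:02:06:28 +0100] ADD RES conn=10 op=41 msgID=42 result=68 message="The entry uid=syncopeuser011,ou=people,dc=opensso,dc=java,dc=net cannot be added because an entry with that name already exists" etime=0
'''

RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<optype>[A-Z]+) (?P<kind>REQ|RES) (?P<rest>.*)$")
# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Equality assertions only: (attr=value) with no wildcard in the value.
EQUALITY = re.compile(r"\(([A-Za-z][\w;.-]*)=([^()*]+)\)")


def parse_records(text):
    """Yield (timestamp, operation type, REQ/RES, fields) per log record."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # skip anything that is not an access-log record
        fields = {k: v.strip('"') for k, v in FIELD.findall(m["rest"])}
        yield m["ts"], m["optype"], m["kind"], fields


def find_lookup_mismatches(text):
    """Report ADDs rejected with result=68 (entry already exists) that were
    preceded, on the same connection, by an empty search for the same value
    under an attribute other than the one naming the entry."""
    requests = {}        # (conn, op) -> fields of the pending request
    empty_searches = {}  # conn -> filters of searches that returned 0 entries
    findings = []
    for ts, optype, kind, f in parse_records(text):
        key = (f.get("conn"), f.get("op"))
        if kind == "REQ":
            requests[key] = f
            continue
        req = requests.pop(key, {})
        if optype == "SEARCH" and f.get("nentries") == "0":
            empty_searches.setdefault(key[0], []).append(req.get("filter", ""))
        elif optype == "ADD" and f.get("result") == "68":
            dn = req.get("dn", "")
            # Simplified RDN split: ignores escaped commas and multi-valued RDNs.
            rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
            for flt in empty_searches.get(key[0], []):
                for attr, value in EQUALITY.findall(flt):
                    same_value = value.lower() == rdn_value.lower()
                    if same_value and attr.lower() != rdn_attr.lower():
                        findings.append({
                            "time": ts, "conn": key[0], "dn": dn,
                            "rdn_attr": rdn_attr, "search_attr": attr,
                            "value": value,
                        })
    return findings


if __name__ == "__main__":
    for hit in find_lookup_mismatches(SAMPLE_LOG):
        print("{time} conn={conn}: looked up {search_attr}={value}, found "
              "nothing, then ADD of {dn} failed with result=68 "
              "(entry is named by {rdn_attr})".format(**hit))
```

A real access log wrapped by a mail client, as in the messages above, has to be re-joined to one record per line before it is passed to find_lookup_mismatches.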

Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP

Posted by Marco Di Sabatino Di Diodoro <ma...@tirasa.net>.
On Mar 15, 2012, at 4:22 PM, Antony Pulicken wrote:

> Hi Fabio,
> 
> Do you have any idea why the Username is not getting populated on the account link? Is it working on your side ? Please let me know.
> 
> Regards,
> Antony.
> 
> On Thu, Mar 15, 2012 at 4:23 PM, Antony Pulicken <an...@gmail.com> wrote:
> I had tried that before and tried it again now. If I configure 'Username' in the account link, LDAP create will fail with this error: 
> 
> uid=,ou=people,dc=opensso,dc=java,dc=net: [LDAP: error code 34 - The provided value "uid=,ou=people,dc=opensso,dc=java,dc=net" 
> 
> could not be parsed as a valid distinguished name because an attribute value started with a character at position 5 that needs to be escaped]
> 
> Even though the user is created in syncope with a valid 'Username', it doesn't get populated in the account link and that is why I added uid as a workaround. Seems like a defect to me. What do you think?

username must be written all in lower case

Regards
Marco

> 
> Regards,
> Antony.
> 
> 
> On Thu, Mar 15, 2012 at 3:57 PM, Fabio Martelli <fa...@gmail.com> wrote:
> 
> On 15 Mar 2012, at 10:59, Antony Pulicken wrote:
> 
>> Thanks a lot Fabio and get well soon :-)
>> 
>> 1. We are using OpenDS 
>> 2. I have attached the screenshots of mapping and the connector configuration
>> 
>> I'm facing another issue now. I doubt it is occurring because the LDAP connector configuration is incorrect. The issue is the updates from AD are not getting synced to LDAP. When an update happens in AD, it's getting synced to syncope and then the LDAP search is getting invoked. Even though the user exists in LDAP, it's returning null and because of that Create is getting triggered. Can you please take a look at the configuration and spot anything that is obvious ?
> 
> Hi Antony,
> you are using uid in your AccountLink and Username as AccountId --> this could generate problems ....
> 
> 1. Consider that in this way syncope will create users with specified DN (AccountLink) but it will search for users using the Username
> 2. In a certain way you are creating an entry specifying two UIDs:  as far as I know, this happens because you are creating an entry specifying the dn (including the former uid value) and the uid attribute (latter uid value). This is absolutely normal if and only if the two UIDs are the same.
> 
> Can you try to use Username into the AccountLink as well.
> 
> Regards,
> F.
> 
>> 
>> Regards,
>> Antony.
>> 
>> 
>> 
>> On Thu, Mar 15, 2012 at 1:33 PM, Fabio Martelli <fa...@gmail.com> wrote:
>> Hi Antony, could you give me more info to reproduce the problem?
>> 
>> 1. What ldap server are you using?
>> 2. Can you provide your connector configuration screenshot?
>> 
>> I am sick at the moment but  I will do my best to reply to you asap.
>> 
>> Regards,
>> F.
>> 
>> On 14 Mar 2012 04:39, "Antony Pulicken" <an...@gmail.com> wrote:
>> 
>> Thanks Fabio for the response. I removed the Uid attribute mapping, but the result is the same.  The javax.naming.directory.Attributes object passed to the LdapSchemaMapping.create() still has 'entryuuid=entryUUID: user314' as one of the value and it fails if I don't add the check that I mentioned in my earlier mail.
>> 
>> Regards,
>> Antony.
>> 
>> On Tue, Mar 13, 2012 at 3:32 PM, Fabio Martelli <fa...@gmail.com> wrote:
>> 
>> On 13 Mar 2012, at 06:43, Antony Pulicken wrote:
>> 
>>> Attaching the screenshots again as there was some issue last time....
>>> 
>>> On Tue, Mar 13, 2012 at 11:08 AM, Antony Pulicken <an...@gmail.com> wrote:
>>> Hi,
>>> 
>>> I'm getting the following error while provisioning a user from syncope to LDAP. 
>>> 
>>> org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Entry uid=user201,ou=people,dc=opensso,dc=java,dc=net cannot be added because it includes attribute entryUUID which is defined as NO-USER-MODIFICATION in the server schema]; remaining name 'uid=user201,ou=people,dc=opensso,dc=java,dc=net'
>>>     at org.identityconnectors.ldap.schema.LdapSchemaMapping.create(LdapSchemaMapping.java:325) ~[na:na]
>>>     at org.identityconnectors.ldap.modify.LdapCreate$1.access(LdapCreate.java:144) ~[na:na]
>>>     at org.identityconnectors.ldap.schema.GuardedPasswordAttribute$Simple$1.access(GuardedPasswordAttribute.java:75) ~[na:na]
>>> 
>>> I think the attribute 'entryUUID' is getting included because we are setting one of the field/mapping as the account Id (and it's mandatory to do that in Syncope).  
>>> 
>>> It worked only when I added a check for 'entryUUID' and excluded the same from the attributes while creating the sub context in the LDAP connector code (LdapSchemaMapping.create()). Please let me know whether there is any better way to make it work? 
>>> 
>>> I have also attached the screen shot of my LDAP Resource mapping in syncope.
>> 
>> Hi Antony,
>> you don't have to map uid. Uid attribute mapping will be generated implicitly by defining the AccountId.
>> 
>> Let me know if the problem persists.
>> 
>> Regards,
>> F.
>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> Regards,
>>> Antony.
>>> 
> 
> 
> 

--

Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PPMC Member
http://people.apache.org/~mdisabatino





Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP

Posted by Antony Pulicken <an...@gmail.com>.
Hi Fabio,

Do you have any idea why the Username is not getting populated on the
account link? Is it working on your side ? Please let me know.

Regards,
Antony.

On Thu, Mar 15, 2012 at 4:23 PM, Antony Pulicken
<an...@gmail.com> wrote:

> I had tried that before and tried it again now. If I configure 'Username'
> in the account link, LDAP create will fail with this error:
>
> uid=,ou=people,dc=opensso,dc=java,dc=net: [LDAP: error code 34 - The provided value "uid=,ou=people,dc=opensso,dc=java,dc=net"
>
> could not be parsed as a valid distinguished name because an attribute value started with a character at position 5 that needs to be escaped]
>
>
> Even though the user is created in syncope with a valid 'Username', it
> doesn't get populated in the account link and that is why I added uid as a
> workaround. Seems like a defect to me. What do you think?
>
> Regards,
> Antony.
>
>
> On Thu, Mar 15, 2012 at 3:57 PM, Fabio Martelli <fa...@gmail.com> wrote:
>
>>
>> On 15 Mar 2012, at 10:59, Antony Pulicken wrote:
>>
>> Thanks a lot Fabio and get well soon :-)
>>
>> 1. We are using OpenDS
>>
>> 2. I have attached the screenshots of mapping and the connector
>> configuration
>>
>> I'm facing another issue now. I doubt it is occurring because the LDAP
>> connector configuration is incorrect. The issue is the updates from AD are
>> not getting synced to LDAP. When an update happens in AD, it's getting
>> synced to syncope and then the LDAP search is getting invoked. Even though
>> the user exists in LDAP, it's returning null and because of that Create is
>> getting triggered. Can you please take a look at the configuration and spot
>> anything that is obvious ?
>>
>>
>> Hi Antony,
>> you are using uid in your AccountLink and Username as AccountId --> this
>> could generate problems ....
>>
>> 1. Consider that in this way syncope will create users with specified DN
>> (AccountLink) but it will search for users using the Username
>> 2. In a certain way you are creating an entry specifying two UIDs:  as
>> far as I know, this happens because you are creating an entry specifying
>> the dn (including the former uid value) and the uid attribute (latter uid
>> value). This is absolutely normal if and only if the two UIDs are the same.
>>
>> Can you try to use Username into the AccountLink as well.
>>
>> Regards,
>> F.
>>
>>
>> Regards,
>> Antony.
>>
>>
>>
>> On Thu, Mar 15, 2012 at 1:33 PM, Fabio Martelli <fabio.martelli@gmail.com> wrote:
>>
>>> Hi Antony, could you give me more info to reproduce the problem?
>>>
>>> 1. What ldap server are you using?
>>> 2. Can you provide your connector configuration screenshot?
>>>
>>> I am sick at the moment but  I will do my best to reply to you asap.
>>>
>>> Regards,
>>> F.
>>> On 14 Mar 2012 04:39, "Antony Pulicken" <
>>> antony.pulicken@gmail.com> wrote:
>>>
>>>> Thanks Fabio for the response. I removed the Uid attribute mapping, but
>>>> the result is the same.  The javax.naming.directory.Attributes object
>>>> passed to the LdapSchemaMapping.create() still has 'entryuuid=entryUUID:
>>>> user314' as one of the value and it fails if I don't add the check that I
>>>> mentioned in my earlier mail.
>>>>
>>>> Regards,
>>>> Antony.
>>>>
>>>> On Tue, Mar 13, 2012 at 3:32 PM, Fabio Martelli <
>>>> fabio.martelli@gmail.com> wrote:
>>>>
>>>>>
>>>>> On 13 Mar 2012, at 06:43, Antony Pulicken wrote:
>>>>>
>>>>> Attaching the screenshots again as there was some issue last time....
>>>>>
>>>>> On Tue, Mar 13, 2012 at 11:08 AM, Antony Pulicken <
>>>>> antony.pulicken@gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm getting the following error while provisioning a user from
>>>>>> syncope to LDAP.
>>>>>>
>>>>>> org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Entry uid=user201,ou=people,dc=opensso,dc=java,dc=net cannot be added because it includes attribute entryUUID which is defined as NO-USER-MODIFICATION in the server schema]; remaining name 'uid=user201,ou=people,dc=opensso,dc=java,dc=net'
>>>>>>     at org.identityconnectors.ldap.schema.LdapSchemaMapping.create(LdapSchemaMapping.java:325) ~[na:na]
>>>>>>     at org.identityconnectors.ldap.modify.LdapCreate$1.access(LdapCreate.java:144) ~[na:na]
>>>>>>     at org.identityconnectors.ldap.schema.GuardedPasswordAttribute$Simple$1.access(GuardedPasswordAttribute.java:75) ~[na:na]
>>>>>>
>>>>>> I think the attribute 'entryUUID' is getting included because we
>>>>>> are setting one of the field/mapping as the account Id (and it's mandatory
>>>>>> to do that in Syncope).
>>>>>>
>>>>>> It worked only when I added a check for 'entryUUID' and excluded
>>>>>> the same from the attributes while creating the sub context in the LDAP
>>>>>> connector code (LdapSchemaMapping.create()). Please let me know whether
>>>>>> there is any better way to make it work?
>>>>>>
>>>>>> I have also attached the screen shot of my LDAP Resource mapping in
>>>>>> syncope.
>>>>>>
>>>>>
>>>>> Hi Antony,
>>>>> you don't have to map uid. Uid attribute mapping will be generated
>>>>> implicitly by defining the AccountId.
>>>>>
>>>>> Let me know if the problem persists.
>>>>>
>>>>> Regards,
>>>>> F.
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Antony.
>>>>>>
>

Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP

Posted by Antony Pulicken <an...@gmail.com>.
I had tried that before and tried it again now. If I configure 'Username'
in the account link, LDAP create will fail with this error:

uid=,ou=people,dc=opensso,dc=java,dc=net: [LDAP: error code 34 - The
provided value "uid=,ou=people,dc=opensso,dc=java,dc=net"
could not be parsed as a valid distinguished name because an attribute
value started with a character at position 5 that needs to be escaped]


Even though the user is created in syncope with a valid 'Username', it
doesn't get populated in the account link and that is why I added uid as a
workaround. Seems like a defect to me. What do you think?

Regards,
Antony.

On Thu, Mar 15, 2012 at 3:57 PM, Fabio Martelli <fa...@gmail.com> wrote:

>
> On 15 Mar 2012, at 10:59, Antony Pulicken wrote:
>
> Thanks a lot Fabio and get well soon :-)
>
> 1. We are using OpenDS
>
> 2. I have attached the screenshots of mapping and the connector
> configuration
>
> I'm facing another issue now. I doubt it is occurring because the LDAP
> connector configuration is incorrect. The issue is the updates from AD are
> not getting synced to LDAP. When an update happens in AD, it's getting
> synced to syncope and then the LDAP search is getting invoked. Even though
> the user exists in LDAP, it's returning null and because of that Create is
> getting triggered. Can you please take a look at the configuration and spot
> anything that is obvious?
>
>
> Hi Antony,
> you are using uid in your AccountLink and Username as AccountId --> this
> could generate problems ....
>
> 1. Consider that in this way syncope will create users with specified DN
> (AccountLink) but it will search for users using the Username
> 2. In a certain way you are creating an entry specifying two UIDs:  as far
> as I know, this happens because you are creating an entry specifying the dn
> (including the former uid value) and the uid attribute (latter uid value).
> This is absolutely normal if and only if the two UIDs are the same.
>
> Can you try to use Username in the AccountLink as well?
>
> Regards,
> F.
>
>
> Regards,
> Antony.

Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP

Posted by Fabio Martelli <fa...@gmail.com>.
On 15 Mar 2012, at 10:59, Antony Pulicken wrote:

> Thanks a lot Fabio and get well soon :-)
> 
> 1. We are using OpenDS 
> 2. I have attached the screenshots of mapping and the connector configuration
> 
> I'm facing another issue now. I doubt it is occurring because the LDAP connector configuration is incorrect. The issue is the updates from AD are not getting synced to LDAP. When an update happens in AD, it's getting synced to syncope and then the LDAP search is getting invoked. Even though the user exists in LDAP, it's returning null and because of that Create is getting triggered. Can you please take a look at the configuration and spot anything that is obvious?

Hi Antony,
you are using uid in your AccountLink and Username as AccountId --> this could generate problems ....

1. Consider that in this way syncope will create users with specified DN (AccountLink) but it will search for users using the Username
2. In a certain way you are creating an entry specifying two UIDs:  as far as I know, this happens because you are creating an entry specifying the dn (including the former uid value) and the uid attribute (latter uid value). This is absolutely normal if and only if the two UIDs are the same.

Can you try to use Username in the AccountLink as well?

Regards,
F.

> 
> Regards,
> Antony.


Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP

Posted by Antony Pulicken <an...@gmail.com>.
Thanks a lot Fabio and get well soon :-)

1. We are using OpenDS
2. I have attached the screenshots of mapping and the connector
configuration

I'm facing another issue now. I doubt it is occurring because the LDAP
connector configuration is incorrect. The issue is the updates from AD are
not getting synced to LDAP. When an update happens in AD, it's getting
synced to syncope and then the LDAP search is getting invoked. Even though
the user exists in LDAP, it's returning null and because of that Create is
getting triggered. Can you please take a look at the configuration and spot
anything that is obvious?

Regards,
Antony.



On Thu, Mar 15, 2012 at 1:33 PM, Fabio Martelli <fa...@gmail.com> wrote:

> Hi Antony, could you give me more info to reproduce the problem?
>
> 1. What ldap server are you using?
> 2. Can you provide your connector configuration screenshot?
>
> I am sick at the moment but I will do my best to reply to you asap.
>
> Regards,
> F.

Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP

Posted by Fabio Martelli <fa...@gmail.com>.
Hi Antony, could you give me more info to reproduce the problem?

1. What ldap server are you using?
2. Can you provide your connector configuration screenshot?

I am sick at the moment but I will do my best to reply to you asap.

Regards,
F.
On 14 Mar 2012 04:39, "Antony Pulicken" <an...@gmail.com> wrote:

> Thanks Fabio for the response. I removed the Uid attribute mapping, but
> the result is the same. The javax.naming.directory.Attributes object
> passed to the LdapSchemaMapping.create() still has 'entryuuid=entryUUID:
> user314' as one of the values and it fails if I don't add the check that I
> mentioned in my earlier mail.
>
> Regards,
> Antony.

Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP

Posted by Antony Pulicken <an...@gmail.com>.
Thanks Fabio for the response. I removed the Uid attribute mapping, but the
result is the same. The javax.naming.directory.Attributes object passed to
the LdapSchemaMapping.create() still has 'entryuuid=entryUUID: user314' as
one of the values and it fails if I don't add the check that I mentioned in
my earlier mail.

Regards,
Antony.

On Tue, Mar 13, 2012 at 3:32 PM, Fabio Martelli <fa...@gmail.com> wrote:

>
> On 13 Mar 2012, at 06:43, Antony Pulicken wrote:
>
> Attaching the screenshots again as there was some issue last time....
>
> On Tue, Mar 13, 2012 at 11:08 AM, Antony Pulicken <
> antony.pulicken@gmail.com> wrote:
>
>> Hi,
>>
>> I'm getting the following error while provisioning a user from syncope to
>> LDAP.
>>
>> org.identityconnectors.framework.common.exceptions.ConnectorException:
>> javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Entry
>> uid=user201,ou=people,dc=opensso,dc=java,dc=net cannot be added because it
>> includes attribute *entryUUID* which is defined as NO-USER-MODIFICATION
>> in the server schema]; remaining name
>> 'uid=user201,ou=people,dc=opensso,dc=java,dc=net'
>>     at
>> org.identityconnectors.ldap.schema.LdapSchemaMapping.create(LdapSchemaMapping.java:325)
>> ~[na:na]
>>     at
>> org.identityconnectors.ldap.modify.LdapCreate$1.access(LdapCreate.java:144)
>> ~[na:na]
>>     at
>> org.identityconnectors.ldap.schema.GuardedPasswordAttribute$Simple$1.access(GuardedPasswordAttribute.java:75)
>> ~[na:na]
>>
>> I think the attribute '*entryUUID*' is getting included because we are
>> setting one of the field/mapping as the account Id (and it's mandatory to
>> do that in Syncope).
>>
>> It worked only when I added a check for '*entryUUID*' and excluded the
>> same from the attributes while creating the sub context in the LDAP
>> connector code (LdapSchemaMapping.create()). Please let me know whether
>> there is any better way to make it work?
>>
>> I have also attached the screen shot of my LDAP Resource mapping in
>> syncope.
>>
>
> Hi Antony,
> you don't have to map uid. Uid attribute mapping will be generated
> implicitly by defining the AccountId.
>
> Let me know if the problem persists.
>
> Regards,
> F.
>
>
>>
>>
>>
>>
>>
>> Regards,
>> Antony.
>>
>
> <Screen Shot 2012-03-13 at 11.12.23 AM.png><Screen Shot 2012-03-13 at
> 11.12.43 AM.png>
>
>
>
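
Added example, not part of the original thread and not ConnId or Syncope code: a pre-flight check in the spirit of the workaround described above. It drops server-maintained attributes such as entryUUID before the add and refuses the empty uid value behind the error code 34 reported elsewhere in this thread. The class and method names and the fixed attribute list are assumptions made for illustration; the directory's own schema is the authority on which attributes are NO-USER-MODIFICATION.

```java
import java.util.Locale;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical pre-flight check for an LDAP add (illustration only). */
public class LdapAddPreflight {

    // Assumption: a fixed list of standard NO-USER-MODIFICATION attributes
    // (RFC 4512, RFC 4530). A real check would read the server schema.
    static final Set<String> SERVER_MAINTAINED = Set.of(
            "entryuuid", "createtimestamp", "modifytimestamp",
            "creatorsname", "modifiersname", "subschemasubentry");

    /** Returns a copy of attrs without the attributes only the server may write. */
    static Attributes withoutServerMaintained(Attributes attrs) throws NamingException {
        Attributes clean = new BasicAttributes(true); // case-insensitive attribute IDs
        NamingEnumeration<? extends Attribute> all = attrs.getAll();
        while (all.hasMore()) {
            Attribute a = all.next();
            if (!SERVER_MAINTAINED.contains(a.getID().toLowerCase(Locale.ROOT))) {
                clean.put(a);
            }
        }
        return clean;
    }

    /** Builds "type=value,baseDn" and refuses an empty naming value. */
    static LdapName entryDn(String type, String value, String baseDn) throws InvalidNameException {
        if (value == null || value.trim().isEmpty()) {
            throw new InvalidNameException("empty " + type + " value for the entry DN");
        }
        LdapName dn = new LdapName(baseDn);
        dn.add(new Rdn(type, value)); // Rdn escapes special characters when rendered
        return dn;
    }

    /** The naming attribute of the entry must carry the same value as the RDN. */
    static void requireNamingValue(LdapName dn, Attributes attrs) throws NamingException {
        Rdn rdn = dn.getRdn(dn.size() - 1); // leftmost RDN, e.g. uid=user314
        Attribute a = attrs.get(rdn.getType());
        if (a == null) {
            attrs.put(new BasicAttribute(rdn.getType(), rdn.getValue()));
        } else if (!a.contains(rdn.getValue())) {
            throw new NamingException(rdn.getType() + " attribute differs from the DN value");
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample input, modelled on the values quoted in the thread.
        Attributes attrs = new BasicAttributes(true);
        attrs.put("objectClass", "inetOrgPerson");
        attrs.put("cn", "user314");
        attrs.put("sn", "user314");
        attrs.put("entryUUID", "user314"); // the attribute the server rejects (error code 53)
        Attributes clean = withoutServerMaintained(attrs);
        LdapName dn = entryDn("uid", "user314", "ou=people,dc=opensso,dc=java,dc=net");
        requireNamingValue(dn, clean);
        System.out.println(dn + " -> " + clean);
        try {
            entryDn("uid", "", "ou=people,dc=opensso,dc=java,dc=net");
        } catch (InvalidNameException e) {
            System.out.println("rejected before the add: " + e.getMessage());
        }
    }
}
```

The value comparison in requireNamingValue is an exact string match, which is stricter than the case-insensitive matching a directory applies to uid.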

Re: [connid-users] Re: Syncope | Error while provisioning user to LDAP

Posted by Fabio Martelli <fa...@gmail.com>.
On 13 Mar 2012, at 06:43, Antony Pulicken wrote:

> Attaching the screenshots again as there was some issue last time....
> 
> On Tue, Mar 13, 2012 at 11:08 AM, Antony Pulicken <an...@gmail.com> wrote:
> Hi,
> 
> I'm getting the following error while provisioning a user from syncope to LDAP. 
> 
> org.identityconnectors.framework.common.exceptions.ConnectorException: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Entry uid=user201,ou=people,dc=opensso,dc=java,dc=net cannot be added because it includes attribute entryUUID which is defined as NO-USER-MODIFICATION in the server schema]; remaining name 'uid=user201,ou=people,dc=opensso,dc=java,dc=net'
>     at org.identityconnectors.ldap.schema.LdapSchemaMapping.create(LdapSchemaMapping.java:325) ~[na:na]
>     at org.identityconnectors.ldap.modify.LdapCreate$1.access(LdapCreate.java:144) ~[na:na]
>     at org.identityconnectors.ldap.schema.GuardedPasswordAttribute$Simple$1.access(GuardedPasswordAttribute.java:75) ~[na:na]
> 
> I think the attribute 'entryUUID' is getting included because we are setting one of the field/mapping as the account Id (and it's mandatory to do that in Syncope).  
> 
> It worked only when I added a check for 'entryUUID' and excluded the same from the attributes while creating the sub context in the LDAP connector code (LdapSchemaMapping.create()). Please let me know whether there is any better way to make it work? 
> 
> I have also attached the screen shot of my LDAP Resource mapping in syncope.

Hi Antony,
you don't have to map uid. Uid attribute mapping will be generated implicitly by defining the AccountId.

Let me know if the problem persists.

Regards,
F.

> 
> 
> 
> 
> 
> 
> Regards,
> Antony.
> 
> <Screen Shot 2012-03-13 at 11.12.23 AM.png><Screen Shot 2012-03-13 at 11.12.43 AM.png>


Re: Syncope | Error while provisioning user to LDAP

Posted by Antony Pulicken <an...@gmail.com>.
Attaching the screenshots again as there was some issue last time....

On Tue, Mar 13, 2012 at 11:08 AM, Antony Pulicken <antony.pulicken@gmail.com> wrote:

> Hi,
>
> I'm getting the following error while provisioning a user from syncope to
> LDAP.
>
> org.identityconnectors.framework.common.exceptions.ConnectorException:
> javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Entry
> uid=user201,ou=people,dc=opensso,dc=java,dc=net cannot be added because it
> includes attribute *entryUUID* which is defined as NO-USER-MODIFICATION
> in the server schema]; remaining name
> 'uid=user201,ou=people,dc=opensso,dc=java,dc=net'
>     at
> org.identityconnectors.ldap.schema.LdapSchemaMapping.create(LdapSchemaMapping.java:325)
> ~[na:na]
>     at
> org.identityconnectors.ldap.modify.LdapCreate$1.access(LdapCreate.java:144)
> ~[na:na]
>     at
> org.identityconnectors.ldap.schema.GuardedPasswordAttribute$Simple$1.access(GuardedPasswordAttribute.java:75)
> ~[na:na]
>
> I think the attribute '*entryUUID*' is getting included because we are
> setting one of the field/mapping as the account Id (and it's mandatory to
> do that in Syncope).
>
> It worked only when I added a check for '*entryUUID*' and excluded the
> same from the attributes while creating the sub context in the LDAP
> connector code (LdapSchemaMapping.create()). Please let me know whether
> there is any better way to make it work?
>
> I have also attached the screen shot of my LDAP Resource mapping in
> syncope.
>
>
>
>
>
>
> Regards,
> Antony.
>