Posted to user@syncope.apache.org by Nik <ni...@usharesoft.com> on 2013/05/10 10:48:38 UTC
synchronization/reconciliation failure in syncope 1.1.1 and ldap
V3 (openDJ)
Hi Guys,
I have always had problems trying to get syncope synchronization (or at
least reconciliation) working in my setup.
Assumptions:
1) I can take as a given, that synchronization from ldap V3/openDJ to
syncope, of users and groups works and has been verified ( for me it
would be a basic feature of any IDM)?
2) that following the blog
http://blog.tirasa.net/blogs/index.php/ilgrosso/unlock-full-ldap-features-in
shows the correct way to enable synchronization/reconciliation for OpenDJ
resources.
Given these 2 assumptions, I can conclude that I am missing some
important steps to configure this feature in syncope properly.
After I follow step 2) above and look at the log traces I see the following output.
10:30:46.153 DEBUG
org.identityconnectors.framework.api.operations.SearchApiOp.search
Enter: search(ObjectClass: __ACCOUNT__, null,
org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy$2@62f9d23b, OperationOptions:
{ATTRS_TO_GET:[mail,sn,description,__UID__,__NAME__,displayName,__PASSWORD__,__ENABLE__]})
10:30:46.156 WARN
org.connid.bundles.ldap.search.LdapSearch.getAttributesToGet Reading
passwords not supported
10:30:46.156 WARN
org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
LDAP attribute
10:30:46.156 DEBUG
org.connid.bundles.ldap.search.DefaultSearchStrategy.doSearch Searching
in [ou=people,o=usharesoft, ou=groups,o=usharesoft] with filter
(&(objectClass=inetOrgPerson)(uid=*)) and SearchControls:
{returningAttributes=[cn, description, displayName, mail, sn,
userPassword], scope=SUBTREE}
10:30:46.158 WARN
org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
LDAP attribute
10:30:46.159 WARN
org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
LDAP attribute
10:30:46.160 WARN
org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
LDAP attribute
10:30:46.160 WARN
org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
LDAP attribute
10:30:46.161 WARN
org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
LDAP attribute
10:30:46.162 DEBUG
org.identityconnectors.framework.api.operations.SearchApiOp.search
Exception:
java.lang.NullPointerException: null
at
org.apache.syncope.core.persistence.dao.impl.AttributableSearchDAOImpl.search(AttributableSearchDAOImpl.java:145)
~[AttributableSearchDAOImpl.class:na]
at
org.apache.syncope.core.persistence.dao.impl.AttributableSearchDAOImpl.search(AttributableSearchDAOImpl.java:133)
~[AttributableSearchDAOImpl.class:na]
at
org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.search(SyncopeSyncResultHandler.java:348)
~[SyncopeSyncResultHandler.class:na]
at
org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.findByAttributableSearch(SyncopeSyncResultHandler.java:421)
~[SyncopeSyncResultHandler.class:na]
at
org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.findExisting(SyncopeSyncResultHandler.java:453)
~[SyncopeSyncResultHandler.class:na]
at
org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.doHandle(SyncopeSyncResultHandler.java:834)
~[SyncopeSyncResultHandler.class:na]
at
org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.handle(SyncopeSyncResultHandler.java:262)
~[SyncopeSyncResultHandler.class:na]
at
org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy$2.handle(ConnectorFacadeProxy.java:367)
~[ConnectorFacadeProxy$2.class:na]
at
org.identityconnectors.framework.impl.api.StreamHandlerUtil$ObjectStreamHandlerAdapter.handle(StreamHandlerUtil.java:79)
~[connid-framework-internal-1.3.3.jar:na]
at
org.identityconnectors.framework.impl.api.BufferedResultsProxy.invoke(BufferedResultsProxy.java:268)
~[connid-framework-internal-1.3.3.jar:na]
at
org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:102)
~[connid-framework-internal-1.3.3.jar:na]
at com.sun.proxy.$Proxy182.search(Unknown Source) [na:na]
at sun.reflect.GeneratedMethodAccessor730.invoke(Unknown Source)
~[na:na]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[na:1.7.0_19]
at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_19]
at
org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:76)
~[connid-framework-internal-1.3.3.jar:na]
at com.sun.proxy.$Proxy182.search(Unknown Source) [na:na]
at
org.identityconnectors.framework.impl.api.AbstractConnectorFacade.search(AbstractConnectorFacade.java:142)
[connid-framework-internal-1.3.3.jar:na]
at
org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy.search(ConnectorFacadeProxy.java:492)
[ConnectorFacadeProxy.class:na]
at
org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy.getAllObjects(ConnectorFacadeProxy.java:357)
[ConnectorFacadeProxy.class:na]
at
org.apache.syncope.core.sync.impl.SyncJob.executeWithSecurityContext(SyncJob.java:401)
[SyncJob.class:na]
at
org.apache.syncope.core.sync.impl.SyncJob.doExecute(SyncJob.java:341)
[SyncJob.class:na]
at
org.apache.syncope.core.quartz.AbstractTaskJob.execute(AbstractTaskJob.java:104)
[AbstractTaskJob.class:na]
at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
[quartz-2.1.7.jar:na]
at
org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
[quartz-2.1.7.jar:na]
Any clues on how to proceed on getting the synchro/recon feature of
syncope working with OpenDJ?
I attach the content.xml from the setup above which fails.
rgds,
Nik
Re: synchronization/reconciliation failure in syncope 1.1.1 and ldap
V3 (openDJ)
Posted by Nik <ni...@usharesoft.com>.
That's right Francesco and thanks for responding to my mails to confirm it.
All is working now with syncope to ldap reconciliation, we will not be
using synchronization for the present.
When I understood exactly how the relationships through the mappings
worked (my bugbear), the syncope-opendj
reconciliation worked like a charm and everything started to become a
bit clearer ;-)
Now, we need to get the REST api working to have the same behaviour with
our app as the syncope-console and
we're done with the "first steps" proof of use case for our needs.
Thanks again for all the help given.
Best Regards,
Nik
> Hi Nik,
> as long as I understand from your e-mail below:
>
> The first e-mail troubles were caused by a Synchronization Policy with
> no alternative schemas set: I took anyway inspiration from that for
> making such handling more robust (and avoid NPE!).
>
> The second e-mail troubles seem to be caused by an incorrect user
> mapping: actually, it seems to me that you copied the mapping from my
> blog post but left the user attribute schemas as per the standalone
> distribution. In particular, 'userId' is configured with an e-mail
> address validator but is mapped to a DN (
> "uid=nik,ou=people,o=usharesoft" is not a valid email address).
>
> HTH
> Regards.
>
> On 10/05/2013 12:47, Nik wrote:
>> Hi Guys,
>>
>> I think I made some new progress on understanding my problems with
>> synchro/recon.
>> I started from scratch, rebuilt my env based on 1.1.2-SNAPSHOT.
>> Followed the blog and now I'm getting closer to get the ldap users
>> created on syncope (my goal).
>>
>> I believe all my issues are coming from bad mappings and bad
>> interpretation on my part from the docs:
>>
>> When I look at the sync task log I see what is failing now in my
>> mappings:
>>
>> e.g.
>>
>> Users [created/failures]: 0/13 [updated/failures]: 0/0
>> [deleted/failures]: 0/0
>> Roles [created/failures]: 0/0 [updated/failures]: 9/0
>> [deleted/failures]: 0/0
>>
>> Users failed to create: CREATE FAILURE (id/name): null/null with
>> message: {[RequiredValuesMissing [userId]], [InvalidValues [userId:
>> uid=nik,ou=people,o=usharesoft - "uid=nik,ou=people,o=usharesoft" is
>> not a valid email address]]}
>> CREATE FAILURE (id/name): null/null with message: {[InvalidValues
>> [userId: uid=olive,ou=people,o=usharesoft -
>> "uid=olive,ou=people,o=usharesoft" is not a valid email address]],
>> [RequiredValuesMissing [userId]]}
>> CREATE FAILURE (id/name): null/null with message:
>> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
>> uid=bolive,ou=people,o=usharesoft -
>> "uid=bolive,ou=people,o=usharesoft" is not a valid email address]]}
>> CREATE FAILURE (id/name): null/null with message: {[InvalidValues
>> [userId: uid=gfoe,ou=people,o=usharesoft -
>> "uid=gfoe,ou=people,o=usharesoft" is not a valid email address]],
>> [RequiredValuesMissing [userId]]}
>> CREATE FAILURE (id/name): null/null with message:
>> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
>> uid=jeff4,ou=people,o=usharesoft - "uid=jeff4,ou=people,o=usharesoft"
>> is not a valid email address]]}
>> CREATE FAILURE (id/name): null/null with message:
>> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
>> uid=Gioacchino,ou=people,o=usharesoft -
>> "uid=Gioacchino,ou=people,o=usharesoft" is not a valid email address]]}
>> CREATE FAILURE (id/name): null/null with message:
>> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
>> uid=Vincenzo,ou=people,o=usharesoft -
>> "uid=Vincenzo,ou=people,o=usharesoft" is not a valid email address]]}
>> CREATE FAILURE (id/name): null/null with message:
>> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
>> uid=moofink,ou=people,o=usharesoft -
>> "uid=moofink,ou=people,o=usharesoft" is not a valid email address]]}
>> CREATE FAILURE (id/name): null/null with message: {[InvalidValues
>> [userId: uid=moo,ou=people,o=usharesoft -
>> "uid=moo,ou=people,o=usharesoft" is not a valid email address]],
>> [RequiredValuesMissing [userId]]}
>> CREATE FAILURE (id/name): null/null with message:
>> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
>> uid=niknik,ou=people,o=usharesoft -
>> "uid=niknik,ou=people,o=usharesoft" is not a valid email address]]}
>> CREATE FAILURE (id/name): null/null with message:
>> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
>> uid=user1,ou=people,o=usharesoft - "uid=user1,ou=people,o=usharesoft"
>> is not a valid email address]]}
>> CREATE FAILURE (id/name): null/null with message:
>> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
>> uid=Gioacchino-1,ou=people,o=usharesoft -
>> "uid=Gioacchino-1,ou=people,o=usharesoft" is not a valid email address]]}
>> CREATE FAILURE (id/name): null/null with message:
>> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
>> uid=Vincenzo-1,ou=people,o=usharesoft -
>> "uid=Vincenzo-1,ou=people,o=usharesoft" is not a valid email address]]}
>>
>>
>> Users created:
>>
>> Users updated:
>>
>> Users deleted:
>>
>>
>> Roles created:
>>
>> Roles updated:
>> UPDATE SUCCESS (id/name): 119/cn=managing director,ou=groups,o=usharesoft
>> UPDATE SUCCESS (id/name): 120/cn=artdirector,ou=groups,o=usharesoft
>> UPDATE SUCCESS (id/name): 121/cn=ROLE_NAME,ou=groups,o=usharesoft
>> UPDATE SUCCESS (id/name): 122/cn=ROLE,ou=groups,o=usharesoft
>> UPDATE SUCCESS (id/name): 123/cn=tink,ou=groups,o=usharesoft
>> UPDATE SUCCESS (id/name): 124/cn=managing
>> director-1,ou=groups,o=usharesoft
>> UPDATE SUCCESS (id/name): 125/cn=managing
>> director-1-1,ou=groups,o=usharesoft
>> UPDATE SUCCESS (id/name): 126/cn=tink-1,ou=groups,o=usharesoft
>> UPDATE SUCCESS (id/name): 127/cn=tink-2,ou=groups,o=usharesoft
>>
>> Roles deleted:
>>
>>
>> rgds,
>> Nik
>>
>>> Hi Guys,
>>>
>>> I have always had problems trying to get syncope synchronization (or
>>> at least reconciliation) working in my setup.
>>>
>>> Assumptions:
>>> 1) I can take as a given, that synchronization from ldap V3/openDJ to
>>> syncope, of users and groups works and has been verified ( for me it
>>> would be a basic feature of any IDM)?
>>> 2) that following the blog
>>> http://blog.tirasa.net/blogs/index.php/ilgrosso/unlock-full-ldap-features-in
>>> shows the correct way to enable synchronization/reconciliation for
>>> OpenDJ resources.
>>>
>>> Given these 2 assumptions, I can conclude that I am missing some
>>> important steps to configure this feature in syncope properly.
>>>
>>> After I follow step 2) above and look at the log traces I see the following
>>> output.
>>>
>>> 10:30:46.153 DEBUG
>>> org.identityconnectors.framework.api.operations.SearchApiOp.search
>>> Enter: search(ObjectClass: __ACCOUNT__, null,
>>> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy$2@62f9d23b,
>>> OperationOptions:
>>> {ATTRS_TO_GET:[mail,sn,description,__UID__,__NAME__,displayName,__PASSWORD__,__ENABLE__]})
>>> 10:30:46.156 WARN
>>> org.connid.bundles.ldap.search.LdapSearch.getAttributesToGet Reading
>>> passwords not supported
>>> 10:30:46.156 WARN
>>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>>> LDAP attribute
>>> 10:30:46.156 DEBUG
>>> org.connid.bundles.ldap.search.DefaultSearchStrategy.doSearch
>>> Searching in [ou=people,o=usharesoft, ou=groups,o=usharesoft] with
>>> filter (&(objectClass=inetOrgPerson)(uid=*)) and SearchControls:
>>> {returningAttributes=[cn, description, displayName, mail, sn,
>>> userPassword], scope=SUBTREE}
>>> 10:30:46.158 WARN
>>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>>> LDAP attribute
>>> 10:30:46.159 WARN
>>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>>> LDAP attribute
>>> 10:30:46.160 WARN
>>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>>> LDAP attribute
>>> 10:30:46.160 WARN
>>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>>> LDAP attribute
>>> 10:30:46.161 WARN
>>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>>> LDAP attribute
>>> 10:30:46.162 DEBUG
>>> org.identityconnectors.framework.api.operations.SearchApiOp.search
>>> Exception:
>>> java.lang.NullPointerException: null
>>> at
>>> org.apache.syncope.core.persistence.dao.impl.AttributableSearchDAOImpl.search(AttributableSearchDAOImpl.java:145)
>>> ~[AttributableSearchDAOImpl.class:na]
>>> at
>>> org.apache.syncope.core.persistence.dao.impl.AttributableSearchDAOImpl.search(AttributableSearchDAOImpl.java:133)
>>> ~[AttributableSearchDAOImpl.class:na]
>>> at
>>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.search(SyncopeSyncResultHandler.java:348)
>>> ~[SyncopeSyncResultHandler.class:na]
>>> at
>>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.findByAttributableSearch(SyncopeSyncResultHandler.java:421)
>>> ~[SyncopeSyncResultHandler.class:na]
>>> at
>>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.findExisting(SyncopeSyncResultHandler.java:453)
>>> ~[SyncopeSyncResultHandler.class:na]
>>> at
>>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.doHandle(SyncopeSyncResultHandler.java:834)
>>> ~[SyncopeSyncResultHandler.class:na]
>>> at
>>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.handle(SyncopeSyncResultHandler.java:262)
>>> ~[SyncopeSyncResultHandler.class:na]
>>> at
>>> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy$2.handle(ConnectorFacadeProxy.java:367)
>>> ~[ConnectorFacadeProxy$2.class:na]
>>> at
>>> org.identityconnectors.framework.impl.api.StreamHandlerUtil$ObjectStreamHandlerAdapter.handle(StreamHandlerUtil.java:79)
>>> ~[connid-framework-internal-1.3.3.jar:na]
>>> at
>>> org.identityconnectors.framework.impl.api.BufferedResultsProxy.invoke(BufferedResultsProxy.java:268)
>>> ~[connid-framework-internal-1.3.3.jar:na]
>>> at
>>> org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:102)
>>> ~[connid-framework-internal-1.3.3.jar:na]
>>> at com.sun.proxy.$Proxy182.search(Unknown Source) [na:na]
>>> at sun.reflect.GeneratedMethodAccessor730.invoke(Unknown Source)
>>> ~[na:na]
>>> at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> ~[na:1.7.0_19]
>>> at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_19]
>>> at
>>> org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:76)
>>> ~[connid-framework-internal-1.3.3.jar:na]
>>> at com.sun.proxy.$Proxy182.search(Unknown Source) [na:na]
>>> at
>>> org.identityconnectors.framework.impl.api.AbstractConnectorFacade.search(AbstractConnectorFacade.java:142)
>>> [connid-framework-internal-1.3.3.jar:na]
>>> at
>>> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy.search(ConnectorFacadeProxy.java:492)
>>> [ConnectorFacadeProxy.class:na]
>>> at
>>> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy.getAllObjects(ConnectorFacadeProxy.java:357)
>>> [ConnectorFacadeProxy.class:na]
>>> at
>>> org.apache.syncope.core.sync.impl.SyncJob.executeWithSecurityContext(SyncJob.java:401)
>>> [SyncJob.class:na]
>>> at
>>> org.apache.syncope.core.sync.impl.SyncJob.doExecute(SyncJob.java:341)
>>> [SyncJob.class:na]
>>> at
>>> org.apache.syncope.core.quartz.AbstractTaskJob.execute(AbstractTaskJob.java:104)
>>> [AbstractTaskJob.class:na]
>>> at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
>>> [quartz-2.1.7.jar:na]
>>> at
>>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
>>> [quartz-2.1.7.jar:na]
>>>
>>>
>>> Any clues on how to proceed on getting the synchro/recon feature of
>>> syncope working with OpenDJ?
>>>
>>> I attach the content.xml from the setup above which fails.
Re: synchronization/reconciliation failure in syncope 1.1.1 and ldap
V3 (openDJ)
Posted by Francesco Chicchiriccò <il...@apache.org>.
Hi Nik,
as long as I understand from your e-mail below:
The first e-mail troubles were caused by a Synchronization Policy with
no alternative schemas set: I took anyway inspiration from that for
making such handling more robust (and avoid NPE!).
The second e-mail troubles seem to be caused by an incorrect user
mapping: actually, it seems to me that you copied the mapping from my
blog post but left the user attribute schemas as per the standalone
distribution. In particular, 'userId' is configured with an e-mail
address validator but is mapped to a DN (
"uid=nik,ou=people,o=usharesoft" is not a valid email address).
HTH
Regards.
On 10/05/2013 12:47, Nik wrote:
> Hi Guys,
>
> I think I made some new progress on understanding my problems with
> synchro/recon.
> I started from scratch, rebuilt my env based on 1.1.2-SNAPSHOT.
> Followed the blog and now I'm getting closer to get the ldap users
> created on syncope (my goal).
>
> I believe all my issues are coming from bad mappings and bad
> interpretation on my part from the docs:
>
> When I look at the sync task log I see what is failing now in my
> mappings:
>
> e.g.
>
> Users [created/failures]: 0/13 [updated/failures]: 0/0
> [deleted/failures]: 0/0
> Roles [created/failures]: 0/0 [updated/failures]: 9/0
> [deleted/failures]: 0/0
>
> Users failed to create: CREATE FAILURE (id/name): null/null with
> message: {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=nik,ou=people,o=usharesoft - "uid=nik,ou=people,o=usharesoft" is
> not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message: {[InvalidValues
> [userId: uid=olive,ou=people,o=usharesoft -
> "uid=olive,ou=people,o=usharesoft" is not a valid email address]],
> [RequiredValuesMissing [userId]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=bolive,ou=people,o=usharesoft -
> "uid=bolive,ou=people,o=usharesoft" is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message: {[InvalidValues
> [userId: uid=gfoe,ou=people,o=usharesoft -
> "uid=gfoe,ou=people,o=usharesoft" is not a valid email address]],
> [RequiredValuesMissing [userId]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=jeff4,ou=people,o=usharesoft - "uid=jeff4,ou=people,o=usharesoft"
> is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=Gioacchino,ou=people,o=usharesoft -
> "uid=Gioacchino,ou=people,o=usharesoft" is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=Vincenzo,ou=people,o=usharesoft -
> "uid=Vincenzo,ou=people,o=usharesoft" is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=moofink,ou=people,o=usharesoft -
> "uid=moofink,ou=people,o=usharesoft" is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message: {[InvalidValues
> [userId: uid=moo,ou=people,o=usharesoft -
> "uid=moo,ou=people,o=usharesoft" is not a valid email address]],
> [RequiredValuesMissing [userId]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=niknik,ou=people,o=usharesoft -
> "uid=niknik,ou=people,o=usharesoft" is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=user1,ou=people,o=usharesoft - "uid=user1,ou=people,o=usharesoft"
> is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=Gioacchino-1,ou=people,o=usharesoft -
> "uid=Gioacchino-1,ou=people,o=usharesoft" is not a valid email address]]}
> CREATE FAILURE (id/name): null/null with message:
> {[RequiredValuesMissing [userId]], [InvalidValues [userId:
> uid=Vincenzo-1,ou=people,o=usharesoft -
> "uid=Vincenzo-1,ou=people,o=usharesoft" is not a valid email address]]}
>
>
> Users created:
>
> Users updated:
>
> Users deleted:
>
>
> Roles created:
>
> Roles updated:
> UPDATE SUCCESS (id/name): 119/cn=managing director,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 120/cn=artdirector,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 121/cn=ROLE_NAME,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 122/cn=ROLE,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 123/cn=tink,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 124/cn=managing
> director-1,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 125/cn=managing
> director-1-1,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 126/cn=tink-1,ou=groups,o=usharesoft
> UPDATE SUCCESS (id/name): 127/cn=tink-2,ou=groups,o=usharesoft
>
> Roles deleted:
>
>
> rgds,
> Nik
>
>> Hi Guys,
>>
>> I have always had problems trying to get syncope synchronization (or
>> at least reconciliation) working in my setup.
>>
>> Assumptions:
>> 1) I can take as a given, that synchronization from ldap V3/openDJ to
>> syncope, of users and groups works and has been verified ( for me it
>> would be a basic feature of any IDM)?
>> 2) that following the blog
>> http://blog.tirasa.net/blogs/index.php/ilgrosso/unlock-full-ldap-features-in
>> shows the correct way to enable synchronization/reconciliation for
>> OpenDJ resources.
>>
>> Given these 2 assumptions, I can conclude that I am missing some
>> important steps to configure this feature in syncope properly.
>>
>> After I follow step 2) above and look at the log traces I see the following
>> output.
>>
>> 10:30:46.153 DEBUG
>> org.identityconnectors.framework.api.operations.SearchApiOp.search
>> Enter: search(ObjectClass: __ACCOUNT__, null,
>> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy$2@62f9d23b,
>> OperationOptions:
>> {ATTRS_TO_GET:[mail,sn,description,__UID__,__NAME__,displayName,__PASSWORD__,__ENABLE__]})
>> 10:30:46.156 WARN
>> org.connid.bundles.ldap.search.LdapSearch.getAttributesToGet Reading
>> passwords not supported
>> 10:30:46.156 WARN
>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>> LDAP attribute
>> 10:30:46.156 DEBUG
>> org.connid.bundles.ldap.search.DefaultSearchStrategy.doSearch
>> Searching in [ou=people,o=usharesoft, ou=groups,o=usharesoft] with
>> filter (&(objectClass=inetOrgPerson)(uid=*)) and SearchControls:
>> {returningAttributes=[cn, description, displayName, mail, sn,
>> userPassword], scope=SUBTREE}
>> 10:30:46.158 WARN
>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>> LDAP attribute
>> 10:30:46.159 WARN
>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>> LDAP attribute
>> 10:30:46.160 WARN
>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>> LDAP attribute
>> 10:30:46.160 WARN
>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>> LDAP attribute
>> 10:30:46.161 WARN
>> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
>> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
>> LDAP attribute
>> 10:30:46.162 DEBUG
>> org.identityconnectors.framework.api.operations.SearchApiOp.search
>> Exception:
>> java.lang.NullPointerException: null
>> at
>> org.apache.syncope.core.persistence.dao.impl.AttributableSearchDAOImpl.search(AttributableSearchDAOImpl.java:145)
>> ~[AttributableSearchDAOImpl.class:na]
>> at
>> org.apache.syncope.core.persistence.dao.impl.AttributableSearchDAOImpl.search(AttributableSearchDAOImpl.java:133)
>> ~[AttributableSearchDAOImpl.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.search(SyncopeSyncResultHandler.java:348)
>> ~[SyncopeSyncResultHandler.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.findByAttributableSearch(SyncopeSyncResultHandler.java:421)
>> ~[SyncopeSyncResultHandler.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.findExisting(SyncopeSyncResultHandler.java:453)
>> ~[SyncopeSyncResultHandler.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.doHandle(SyncopeSyncResultHandler.java:834)
>> ~[SyncopeSyncResultHandler.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.handle(SyncopeSyncResultHandler.java:262)
>> ~[SyncopeSyncResultHandler.class:na]
>> at
>> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy$2.handle(ConnectorFacadeProxy.java:367)
>> ~[ConnectorFacadeProxy$2.class:na]
>> at
>> org.identityconnectors.framework.impl.api.StreamHandlerUtil$ObjectStreamHandlerAdapter.handle(StreamHandlerUtil.java:79)
>> ~[connid-framework-internal-1.3.3.jar:na]
>> at
>> org.identityconnectors.framework.impl.api.BufferedResultsProxy.invoke(BufferedResultsProxy.java:268)
>> ~[connid-framework-internal-1.3.3.jar:na]
>> at
>> org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:102)
>> ~[connid-framework-internal-1.3.3.jar:na]
>> at com.sun.proxy.$Proxy182.search(Unknown Source) [na:na]
>> at sun.reflect.GeneratedMethodAccessor730.invoke(Unknown Source)
>> ~[na:na]
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> ~[na:1.7.0_19]
>> at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_19]
>> at
>> org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:76)
>> ~[connid-framework-internal-1.3.3.jar:na]
>> at com.sun.proxy.$Proxy182.search(Unknown Source) [na:na]
>> at
>> org.identityconnectors.framework.impl.api.AbstractConnectorFacade.search(AbstractConnectorFacade.java:142)
>> [connid-framework-internal-1.3.3.jar:na]
>> at
>> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy.search(ConnectorFacadeProxy.java:492)
>> [ConnectorFacadeProxy.class:na]
>> at
>> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy.getAllObjects(ConnectorFacadeProxy.java:357)
>> [ConnectorFacadeProxy.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncJob.executeWithSecurityContext(SyncJob.java:401)
>> [SyncJob.class:na]
>> at
>> org.apache.syncope.core.sync.impl.SyncJob.doExecute(SyncJob.java:341)
>> [SyncJob.class:na]
>> at
>> org.apache.syncope.core.quartz.AbstractTaskJob.execute(AbstractTaskJob.java:104)
>> [AbstractTaskJob.class:na]
>> at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
>> [quartz-2.1.7.jar:na]
>> at
>> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
>> [quartz-2.1.7.jar:na]
>>
>>
>> Any clues on how to proceed on getting the synchro/recon feature of
>> syncope working with OpenDJ?
>>
>> I attach the content.xml from the setup above which fails.
--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/
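An added illustration, not part of the original thread and not Syncope code: a small parser for the sync task report quoted above that groups CREATE FAILURE entries by attribute and flags the case Francesco describes, a DN arriving in an attribute whose schema expects an e-mail address. The sample lines are copied from the report in this thread; the function names and the DN heuristic are assumptions made for the example.

```python
import re
from collections import defaultdict

# Entries copied from the sync task report quoted in this thread,
# wrapped the way the mail client wrapped them.
SAMPLE_REPORT = """\
Users failed to create: CREATE FAILURE (id/name): null/null with
message: {[RequiredValuesMissing [userId]], [InvalidValues [userId:
uid=nik,ou=people,o=usharesoft - "uid=nik,ou=people,o=usharesoft" is
not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[InvalidValues
[userId: uid=olive,ou=people,o=usharesoft -
"uid=olive,ou=people,o=usharesoft" is not a valid email address]],
[RequiredValuesMissing [userId]]}
Roles updated:
UPDATE SUCCESS (id/name): 119/cn=managing director,ou=groups,o=usharesoft
"""

# Zero-width split point in front of every report entry, so that entries
# wrapped over several lines are reassembled before parsing.
ENTRY_START = re.compile(
    r"(?=\b(?:CREATE|UPDATE|DELETE) (?:SUCCESS|FAILURE) \(id/name\):)")
ENTRY_HEAD = re.compile(r"(CREATE|UPDATE|DELETE) (SUCCESS|FAILURE) \(id/name\):")
REQUIRED = re.compile(r"\[RequiredValuesMissing \[(\w+)\]\]")
# The report prints the rejected value twice: bare, then quoted with the reason.
INVALID = re.compile(
    r'\[InvalidValues \[(?P<attr>\w+): (?P<value>.+?) - "(?P=value)" '
    r"(?P<reason>[^\]]+)\]\]")
# Heuristic (assumption): two or more comma-separated key=value components.
DN_LIKE = re.compile(r"^\w+=[^,=]+(?:,\w+=[^,=]+)+$")


def parse_failures(report):
    """Return one dict per FAILURE entry found in the report text."""
    failures = []
    for chunk in ENTRY_START.split(report):
        entry = " ".join(chunk.split())  # undo e-mail line wrapping
        head = ENTRY_HEAD.match(entry)
        if not head or head.group(2) != "FAILURE":
            continue
        failures.append({
            "operation": head.group(1),
            "missing": REQUIRED.findall(entry),
            "invalid": [(m["attr"], m["value"], m["reason"])
                        for m in INVALID.finditer(entry)],
        })
    return failures


def summarize(failures):
    """Group rejected values by attribute and attach a mapping hint."""
    stats = defaultdict(lambda: {"count": 0, "dn_values": 0,
                                 "also_missing": 0, "reasons": set()})
    for failure in failures:
        for attr, value, reason in failure["invalid"]:
            s = stats[attr]
            s["count"] += 1
            s["reasons"].add(reason)
            s["dn_values"] += bool(DN_LIKE.match(value))
            # Same attribute reported as missing in the same entry.
            s["also_missing"] += attr in failure["missing"]
    for s in stats.values():
        wants_email = any("email" in r for r in s["reasons"])
        if wants_email and s["dn_values"] == s["count"]:
            s["hint"] = ("every rejected value is a DN but the schema expects "
                         "an e-mail address: check the resource mapping or "
                         "the schema validator for this attribute")
        else:
            s["hint"] = "mixed causes: inspect the rejected values"
    return dict(stats)


if __name__ == "__main__":
    for attr, s in summarize(parse_failures(SAMPLE_REPORT)).items():
        print(f"{attr}: {s['count']} rejected, {s['dn_values']} DN-like, "
              f"{s['also_missing']} also reported missing")
        print(f"  hint: {s['hint']}")
```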
Re: synchronization/reconciliation failure in syncope 1.1.1 and ldap
V3 (openDJ)
Posted by Nik <ni...@usharesoft.com>.
Hi Guys,
I think I made some new progress on understanding my problems with
synchro/recon.
I started from scratch, rebuilt my env based on 1.1.2-SNAPSHOT.
Followed the blog and now I'm getting closer to get the ldap users
created on syncope (my goal).
I believe all my issues are coming from bad mappings and bad
interpretation on my part from the docs:
When I look at the sync task log I see what is failing now in my mappings:
e.g.
Users [created/failures]: 0/13 [updated/failures]: 0/0 [deleted/failures]: 0/0
Roles [created/failures]: 0/0 [updated/failures]: 9/0 [deleted/failures]: 0/0
Users failed to create: CREATE FAILURE (id/name): null/null with message: {[RequiredValuesMissing [userId]], [InvalidValues [userId: uid=nik,ou=people,o=usharesoft - "uid=nik,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[InvalidValues [userId: uid=olive,ou=people,o=usharesoft - "uid=olive,ou=people,o=usharesoft" is not a valid email address]], [RequiredValuesMissing [userId]]}
CREATE FAILURE (id/name): null/null with message: {[RequiredValuesMissing [userId]], [InvalidValues [userId: uid=bolive,ou=people,o=usharesoft - "uid=bolive,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[InvalidValues [userId: uid=gfoe,ou=people,o=usharesoft - "uid=gfoe,ou=people,o=usharesoft" is not a valid email address]], [RequiredValuesMissing [userId]]}
CREATE FAILURE (id/name): null/null with message: {[RequiredValuesMissing [userId]], [InvalidValues [userId: uid=jeff4,ou=people,o=usharesoft - "uid=jeff4,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[RequiredValuesMissing [userId]], [InvalidValues [userId: uid=Gioacchino,ou=people,o=usharesoft - "uid=Gioacchino,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[RequiredValuesMissing [userId]], [InvalidValues [userId: uid=Vincenzo,ou=people,o=usharesoft - "uid=Vincenzo,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[RequiredValuesMissing [userId]], [InvalidValues [userId: uid=moofink,ou=people,o=usharesoft - "uid=moofink,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[InvalidValues [userId: uid=moo,ou=people,o=usharesoft - "uid=moo,ou=people,o=usharesoft" is not a valid email address]], [RequiredValuesMissing [userId]]}
CREATE FAILURE (id/name): null/null with message: {[RequiredValuesMissing [userId]], [InvalidValues [userId: uid=niknik,ou=people,o=usharesoft - "uid=niknik,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[RequiredValuesMissing [userId]], [InvalidValues [userId: uid=user1,ou=people,o=usharesoft - "uid=user1,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[RequiredValuesMissing [userId]], [InvalidValues [userId: uid=Gioacchino-1,ou=people,o=usharesoft - "uid=Gioacchino-1,ou=people,o=usharesoft" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[RequiredValuesMissing [userId]], [InvalidValues [userId: uid=Vincenzo-1,ou=people,o=usharesoft - "uid=Vincenzo-1,ou=people,o=usharesoft" is not a valid email address]]}
Users created:
Users updated:
Users deleted:
Roles created:
Roles updated:
UPDATE SUCCESS (id/name): 119/cn=managing director,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 120/cn=artdirector,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 121/cn=ROLE_NAME,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 122/cn=ROLE,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 123/cn=tink,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 124/cn=managing director-1,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 125/cn=managing director-1-1,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 126/cn=tink-1,ou=groups,o=usharesoft
UPDATE SUCCESS (id/name): 127/cn=tink-2,ou=groups,o=usharesoft
Roles deleted:
rgds,
Nik
> Hi Guys,
>
> I have always had problems trying to get syncope synchronization (or
> at least reconciliation) working in my setup.
>
> Assumptions:
> 1) I can take as a given, that synchronization from ldap V3/openDJ to
> syncope, of users and groups works and has been verified (for me it
> would be a basic feature of any IDM)?
> 2) that following the blog
> http://blog.tirasa.net/blogs/index.php/ilgrosso/unlock-full-ldap-features-in
> shows the correct way to enable synchronization/reconciliation for
> OpenDJ resources.
>
> Given these 2 assumptions, I can conclude that I am missing some
> important steps to configure this feature in syncope properly.
>
> After I follow step 2) above and look at the log traces I see the following
> output.
>
> 10:30:46.153 DEBUG
> org.identityconnectors.framework.api.operations.SearchApiOp.search
> Enter: search(ObjectClass: __ACCOUNT__, null,
> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy$2@62f9d23b,
> OperationOptions:
> {ATTRS_TO_GET:[mail,sn,description,__UID__,__NAME__,displayName,__PASSWORD__,__ENABLE__]})
> 10:30:46.156 WARN
> org.connid.bundles.ldap.search.LdapSearch.getAttributesToGet Reading
> passwords not supported
> 10:30:46.156 WARN
> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
> LDAP attribute
> 10:30:46.156 DEBUG
> org.connid.bundles.ldap.search.DefaultSearchStrategy.doSearch
> Searching in [ou=people,o=usharesoft, ou=groups,o=usharesoft] with
> filter (&(objectClass=inetOrgPerson)(uid=*)) and SearchControls:
> {returningAttributes=[cn, description, displayName, mail, sn,
> userPassword], scope=SUBTREE}
> 10:30:46.158 WARN
> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
> LDAP attribute
> 10:30:46.159 WARN
> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
> LDAP attribute
> 10:30:46.160 WARN
> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
> LDAP attribute
> 10:30:46.160 WARN
> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
> LDAP attribute
> 10:30:46.161 WARN
> org.connid.bundles.ldap.schema.LdapSchemaMapping.getLdapAttribute
> Attribute __ENABLE__ of object class __ACCOUNT__ is not mapped to an
> LDAP attribute
> 10:30:46.162 DEBUG
> org.identityconnectors.framework.api.operations.SearchApiOp.search
> Exception:
> java.lang.NullPointerException: null
> at
> org.apache.syncope.core.persistence.dao.impl.AttributableSearchDAOImpl.search(AttributableSearchDAOImpl.java:145)
> ~[AttributableSearchDAOImpl.class:na]
> at
> org.apache.syncope.core.persistence.dao.impl.AttributableSearchDAOImpl.search(AttributableSearchDAOImpl.java:133)
> ~[AttributableSearchDAOImpl.class:na]
> at
> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.search(SyncopeSyncResultHandler.java:348)
> ~[SyncopeSyncResultHandler.class:na]
> at
> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.findByAttributableSearch(SyncopeSyncResultHandler.java:421)
> ~[SyncopeSyncResultHandler.class:na]
> at
> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.findExisting(SyncopeSyncResultHandler.java:453)
> ~[SyncopeSyncResultHandler.class:na]
> at
> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.doHandle(SyncopeSyncResultHandler.java:834)
> ~[SyncopeSyncResultHandler.class:na]
> at
> org.apache.syncope.core.sync.impl.SyncopeSyncResultHandler.handle(SyncopeSyncResultHandler.java:262)
> ~[SyncopeSyncResultHandler.class:na]
> at
> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy$2.handle(ConnectorFacadeProxy.java:367)
> ~[ConnectorFacadeProxy$2.class:na]
> at
> org.identityconnectors.framework.impl.api.StreamHandlerUtil$ObjectStreamHandlerAdapter.handle(StreamHandlerUtil.java:79)
> ~[connid-framework-internal-1.3.3.jar:na]
> at
> org.identityconnectors.framework.impl.api.BufferedResultsProxy.invoke(BufferedResultsProxy.java:268)
> ~[connid-framework-internal-1.3.3.jar:na]
> at
> org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:102)
> ~[connid-framework-internal-1.3.3.jar:na]
> at com.sun.proxy.$Proxy182.search(Unknown Source) [na:na]
> at sun.reflect.GeneratedMethodAccessor730.invoke(Unknown Source)
> ~[na:na]
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> ~[na:1.7.0_19]
> at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_19]
> at
> org.identityconnectors.framework.impl.api.LoggingProxy.invoke(LoggingProxy.java:76)
> ~[connid-framework-internal-1.3.3.jar:na]
> at com.sun.proxy.$Proxy182.search(Unknown Source) [na:na]
> at
> org.identityconnectors.framework.impl.api.AbstractConnectorFacade.search(AbstractConnectorFacade.java:142)
> [connid-framework-internal-1.3.3.jar:na]
> at
> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy.search(ConnectorFacadeProxy.java:492)
> [ConnectorFacadeProxy.class:na]
> at
> org.apache.syncope.core.propagation.impl.ConnectorFacadeProxy.getAllObjects(ConnectorFacadeProxy.java:357)
> [ConnectorFacadeProxy.class:na]
> at
> org.apache.syncope.core.sync.impl.SyncJob.executeWithSecurityContext(SyncJob.java:401)
> [SyncJob.class:na]
> at
> org.apache.syncope.core.sync.impl.SyncJob.doExecute(SyncJob.java:341)
> [SyncJob.class:na]
> at
> org.apache.syncope.core.quartz.AbstractTaskJob.execute(AbstractTaskJob.java:104)
> [AbstractTaskJob.class:na]
> at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
> [quartz-2.1.7.jar:na]
> at
> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
> [quartz-2.1.7.jar:na]
>
>
> Any clues on how to proceed on getting the synchro/recon feature of
> syncope working with OpenDJ?
>
> I attach the content.xml from the setup above which fails.
>
> rgds,
> Nik
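
The sync task report earlier in this message can be triaged mechanically. The Python sketch below is an added example, not part of the original post and not Syncope code: it parses a report in that layout and groups the failures by field, rejection reason, and whether the rejected value looks like an LDAP DN. The sample report is constructed, and the DN check is a heuristic assumed here.

```python
import re
from collections import Counter

# Constructed sample in the layout of the sync task report above (not the poster's data).
SAMPLE_REPORT = '''\
Users [created/failures]: 0/2 [updated/failures]: 0/0 [deleted/failures]: 0/0
Roles [created/failures]: 0/0 [updated/failures]: 1/0 [deleted/failures]: 0/0
Users failed to create: CREATE FAILURE (id/name): null/null with message: {[RequiredValuesMissing [userId]], [InvalidValues [userId: uid=alice,ou=people,o=example - "uid=alice,ou=people,o=example" is not a valid email address]]}
CREATE FAILURE (id/name): null/null with message: {[InvalidValues [userId: uid=bob,ou=people,o=example - "uid=bob,ou=people,o=example" is not a valid email address]], [RequiredValuesMissing [userId]]}
Roles updated:
UPDATE SUCCESS (id/name): 119/cn=staff,ou=groups,o=example
'''

COUNTS = re.compile(r"^(Users|Roles) \[created/failures\]: (\d+)/(\d+) "
                    r"\[updated/failures\]: (\d+)/(\d+) \[deleted/failures\]: (\d+)/(\d+)")
FAILURE = re.compile(r"(CREATE|UPDATE|DELETE) FAILURE \(id/name\): \S+?/\S+ with message: \{(.*)\}\s*$")
MISSING = re.compile(r"\[RequiredValuesMissing \[([^\]]+)\]\]")
INVALID = re.compile(r'\[InvalidValues \[(\w+): (.*?) - "(.*?)" (.*?)\]\]')
# Heuristic (assumption): a value made only of attr=value parts joined by commas is an LDAP DN.
DN_LIKE = re.compile(r"^\w+=[^,]+(,\w+=[^,]+)+$")


def parse_report(text):
    """Return (counts, failures) extracted from a sync task report."""
    counts, failures = {}, []
    for line in text.splitlines():
        m = COUNTS.match(line)
        if m:
            n = [int(x) for x in m.groups()[1:]]
            counts[m.group(1)] = {"created": (n[0], n[1]),
                                  "updated": (n[2], n[3]),
                                  "deleted": (n[4], n[5])}
            continue
        m = FAILURE.search(line)  # search: the first failure follows a label on the same line
        if m:
            op, msg = m.groups()
            failures.append({
                "op": op,
                "missing": MISSING.findall(msg),
                "invalid": [(f, v, why) for f, v, _quoted, why in INVALID.findall(msg)],
            })
    return counts, failures


def summarize(failures):
    """Count failures per (field, reason, rejected value looks like a DN)."""
    causes = Counter()
    for f in failures:
        for field, value, why in f["invalid"]:
            causes[(field, why, bool(DN_LIKE.match(value)))] += 1
    return causes


if __name__ == "__main__":
    counts, failures = parse_report(SAMPLE_REPORT)
    print(counts["Users"])
    for (field, why, is_dn), n in summarize(failures).items():
        print(f"{n} x {field}: {why} (value looks like a DN: {is_dn})")
```

A single dominant cause in the summary means every failed entry was rejected for the same reason, which helps when reviewing the resource mapping for that field.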