  1. MidPoint
  2. MID-7371

Reconciliation aborts after processing exactly 5000 AD entries


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 4.4
    • Connectors
    • None
    • Active subscription

    Description

      Hi,

      when performing a reconciliation of the AD resource, the reconciliation always aborts after 5000 entries with the following error. The duration of the reconciliation does not appear to be a factor, but the 5000 entries is constant. 

      We are using midPoint 4.3 but using the AD LDAP connector 3.3 (as I saw you fixed some issues with rebinding).

      Is there something we are missing in the domain controller configuration? We have multiple domain controllers. In our dev environment where we only have one domain controller this is not happening.

       

      Security violation: Security violation communicating with the connector ConnectorInstanceIcfImpl(connector:1d3deca9-9f97-4d6f-a35b-497c995383a2(ConnId com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.3)): Security violation: org.identityconnectors.framework.common.exceptions.ConnectorSecurityException(000004DC: LdapErr: DSID-0C090A71, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839?: X_BIND_REQUIRED: In order to perform this operation a successful bind must be completed on the connection)

       

      Here is our connector configuration (bindDN and bind password have been removed):

      <connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
          <icfc:connectorPoolConfiguration>
              <icfc:minEvictableIdleTimeMillis>120000</icfc:minEvictableIdleTimeMillis>
              <icfc:minIdle>1</icfc:minIdle>
              <icfc:maxIdle>1</icfc:maxIdle>
              <icfc:maxObjects>10</icfc:maxObjects>
              <icfc:maxWait>150000</icfc:maxWait>
          </icfc:connectorPoolConfiguration>
          <icfc:timeouts>
              <icfc:create>60000</icfc:create>
              <icfc:get>60000</icfc:get>
              <icfc:update>60000</icfc:update>
              <icfc:delete>60000</icfc:delete>
              <icfc:test>60000</icfc:test>
              <icfc:scriptOnConnector>60000</icfc:scriptOnConnector>
              <icfc:scriptOnResource>60000</icfc:scriptOnResource>
              <icfc:authentication>60000</icfc:authentication>
              <!-- <icfc:search>240000</icfc:search> -->
              <icfc:validate>60000</icfc:validate>
              <!-- <icfc:sync>240000</icfc:sync> -->
              <icfc:schema>60000</icfc:schema>
          </icfc:timeouts>
          <icfc:resultsHandlerConfiguration>
              <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
              <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
              <icfc:filteredResultsHandlerInValidationMode>false</icfc:filteredResultsHandlerInValidationMode>
              <icfc:enableCaseInsensitiveFilter>false</icfc:enableCaseInsensitiveFilter>
              <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
          </icfc:resultsHandlerConfiguration>
          <icfc:configurationProperties xmlns:gen2="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector">
              <gen2:host>xxxx.xxxx.net</gen2:host>
              <gen2:port>636</gen2:port>
              <gen2:connectionSecurity>ssl</gen2:connectionSecurity>
              <gen2:sslProtocol>TLSv1.2</gen2:sslProtocol>
              <gen2:enabledSecurityProtocols>TLSv1.2</gen2:enabledSecurityProtocols>
              <gen2:authenticationType>simple</gen2:authenticationType>        
              <!-- <gen2:connectTimeout>60000</gen2:connectTimeout> -->
              <gen2:baseContext>dc=xxx,dc=xxx</gen2:baseContext>
              <gen2:pagingStrategy>spr</gen2:pagingStrategy>
              <gen2:pagingBlockSize>1000</gen2:pagingBlockSize>
              <gen2:uidAttribute>objectGUID</gen2:uidAttribute>
              <gen2:operationalAttributes>uidNumber</gen2:operationalAttributes>
              <gen2:operationalAttributes>loginShell</gen2:operationalAttributes>
              <gen2:operationalAttributes>employeeID</gen2:operationalAttributes>
              <gen2:operationalAttributes>employeeType</gen2:operationalAttributes>
              <gen2:operationalAttributes>unixHomeDirectory</gen2:operationalAttributes>
              <gen2:operationalAttributes>gecos</gen2:operationalAttributes>
              <gen2:operationalAttributes>gidNumber</gen2:operationalAttributes>
              <gen2:readSchema>true</gen2:readSchema>
              <gen2:schemaQuirksMode>true</gen2:schemaQuirksMode>
              <gen2:allowUnknownAttributes>true</gen2:allowUnknownAttributes>
              <gen2:nativeAdSchema>true</gen2:nativeAdSchema>
              <gen2:tweakSchema>true</gen2:tweakSchema>
              <gen2:synchronizationStrategy>modifyTimestamp</gen2:synchronizationStrategy>
              <gen2:userObjectClass>user</gen2:userObjectClass>
              <gen2:groupObjectClass>group</gen2:groupObjectClass>
              <gen2:referralStrategy>ignore</gen2:referralStrategy>
              <gen2:connectTimeout>800000</gen2:connectTimeout>
              <gen2:checkAliveRootDse>true</gen2:checkAliveRootDse>
              <gen2:tcpKeepAlive>true</gen2:tcpKeepAlive>
              <gen2:timeout>800000</gen2:timeout>
          </icfc:configurationProperties>
      </connectorConfiguration>
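
      For triaging connector logs, the Active Directory diagnostic string in the error quoted above can be split into its fields, so that an unbound connection (code 000004DC) is told apart from other security exceptions. This is an added example, not part of the original report or of midPoint; the field layout is inferred from the single sample on this page, and the function names and the extra log line are hypothetical.

```python
import re

# The error text quoted in the description above, used as sample input.
SAMPLE = (
    "ConnectorSecurityException(000004DC: LdapErr: DSID-0C090A71, comment: "
    "In order to perform this operation a successful bind must be completed "
    "on the connection., data 0, v3839?: X_BIND_REQUIRED"
)

# Field layout inferred from that one sample (an assumption):
#   <8 hex digits>: LdapErr: DSID-<hex>, comment: <text>, data <hex>, v<build>
AD_DIAG = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), "
    r"v(?P<build>[0-9A-Fa-f]+)"
)

NOT_AUTHENTICATED = 0x4DC  # Win32 ERROR_NOT_AUTHENTICATED (decimal 1244)


def parse_ad_diag(text):
    """Return the fields of the first AD LdapErr diagnostic in text, or None."""
    m = AD_DIAG.search(text)
    if m is None:
        return None
    fields = m.groupdict()
    fields["code"] = int(fields["code"], 16)  # leading hex field as an integer
    return fields


def is_unbound_connection(text):
    """True when the server refused an operation because no bind had completed."""
    diag = parse_ad_diag(text)
    return diag is not None and diag["code"] == NOT_AUTHENTICATED


def unbound_lines(lines):
    """1-based numbers of the log lines that report an unbound connection."""
    return [n for n, line in enumerate(lines, 1) if is_unbound_connection(line)]


if __name__ == "__main__":
    print(parse_ad_diag(SAMPLE))
    # The first list element is a constructed log line, not midPoint output.
    print(unbound_lines(["constructed: search page finished", SAMPLE]))
```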
      

       


          People

            chris83527 Chris Woods