MID-7556: AD connector and minimal fetch strategy

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 4.4
    • Fix Version/s: backlog
    • Component/s: Connectors, Provisioning
    • Labels:
      None
    • Subscription:
      No subscription (community)

      Description

      Minimal fetch strategy does not work reliably. LDAP has no way to specify that the connector wants to fetch all regular attributes except for one. Therefore, the connector has to list all the other attributes of an object, except the one expensive attribute (such as jpegPhoto or member). However, Active Directory has attributes that cannot be used in a regular (subtree) search. If the list of attributes happens to contain such an "unsearchable" attribute, the request fails. Even worse, AD is not exposing information about search limitations in the standard LDAP schema. Therefore, this LDAP-based connector has no way to find out which attributes are not searchable.

      A symptom of this problem is usually an error: 00002120: SvcErr: DSID-…, problem 5012 a.k.a. ERROR_DS_NON_BASE_SEARCH.

      A possible solution is to use non-standard schema definition data structures which are native to Active Directory. However, this code is not production-ready yet.
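The failure mode described above, as an added example (not midPoint or connector code): it builds the explicit attribute list a minimal-fetch subtree search has to send, defers attributes flagged as constructed in AD's own attributeSchema objects (systemFlags bit 0x4) to a per-object base-scope read, and recognises the ERROR_DS_NON_BASE_SEARCH diagnostic when a server still rejects the request. The schema dict layout, the sample schema and the sample diagnostic string are constructed; reading systemFlags from attributeSchema is one reading of the "non-standard schema definition data structures" the description mentions, not a description of what the connector does.

```python
"""Minimal-fetch attribute planning for an LDAP search against AD.

Added example, not midPoint or connector code. Assumptions: schema data is a
list of dicts with 'lDAPDisplayName' and 'systemFlags', as one would read
from the attributeSchema objects under CN=Schema,CN=Configuration,...; the
sample schema and the sample diagnostic string below are constructed.
"""
import re

# MS-ADTS systemFlags bit on attributeSchema objects: the value is computed
# on demand rather than stored. Some constructed attributes (tokenGroups is
# the well-known case) are only returned by a base-scope search, and the
# standard LDAP subschema does not say which, so this AD-specific flag is
# the only server-side hint available.
FLAG_ATTR_IS_CONSTRUCTED = 0x00000004

# Constructed sample of attributeSchema data, not taken from a real forest.
SAMPLE_SCHEMA = [
    {"lDAPDisplayName": "cn", "systemFlags": 0x12},
    {"lDAPDisplayName": "sAMAccountName", "systemFlags": 0x12},
    {"lDAPDisplayName": "member", "systemFlags": 0x12},
    {"lDAPDisplayName": "jpegPhoto", "systemFlags": 0x00},
    {"lDAPDisplayName": "tokenGroups", "systemFlags": 0x14},
    {"lDAPDisplayName": "canonicalName", "systemFlags": 0x14},
]

# Constructed sample of the AD diagnosticMessage for this failure; the DSID
# is a placeholder, not a real value.
SAMPLE_DIAGNOSTIC = (
    "00002120: SvcErr: DSID-XXXXXXXX, problem 5012 (DIR_ERROR), data 0"
)


def is_constructed(attr):
    """True if the attributeSchema entry carries FLAG_ATTR_IS_CONSTRUCTED."""
    return bool(attr.get("systemFlags", 0) & FLAG_ATTR_IS_CONSTRUCTED)


def plan_minimal_fetch(schema, expensive):
    """Split the schema into (subtree_attrs, base_only_attrs).

    LDAP has no 'everything except X' request syntax, so the subtree search
    must list every wanted attribute explicitly. Expensive attributes
    (jpegPhoto, member, ...) are left out entirely. Constructed attributes
    are moved to the base-only list because AD may reject them in a subtree
    search with ERROR_DS_NON_BASE_SEARCH. Deferring all constructed
    attributes is conservative: not every constructed attribute has that
    restriction, so some could have been fetched in the subtree search.
    """
    skip = {name.lower() for name in expensive}
    subtree_attrs, base_only_attrs = [], []
    for attr in schema:
        name = attr["lDAPDisplayName"]
        if name.lower() in skip:
            continue
        (base_only_attrs if is_constructed(attr) else subtree_attrs).append(name)
    return subtree_attrs, base_only_attrs


# 0x2120 (8480) is ERROR_DS_NON_BASE_SEARCH; AD's diagnosticMessage shows it
# as the leading hex code together with "problem 5012".
_NON_BASE_SEARCH = re.compile(r"\b00002120\b|problem 5012\b")


def is_non_base_search_error(diagnostic_message):
    """True when the server refused an attribute that needs base scope."""
    return bool(_NON_BASE_SEARCH.search(diagnostic_message or ""))


def attributes_to_retry_at_base_scope(requested, schema):
    """After ERROR_DS_NON_BASE_SEARCH, return the requested attributes that
    are constructed: the candidates to drop from the subtree request and
    re-read per object with scope=base."""
    constructed = {a["lDAPDisplayName"].lower() for a in schema if is_constructed(a)}
    return [name for name in requested if name.lower() in constructed]


if __name__ == "__main__":
    subtree, base_only = plan_minimal_fetch(SAMPLE_SCHEMA, ["jpegPhoto", "member"])
    print("subtree search attrs:", subtree)
    print("per-object base-scope reads:", base_only)
    print("diagnostic is ERROR_DS_NON_BASE_SEARCH:",
          is_non_base_search_error(SAMPLE_DIAGNOSTIC))
    print("retry at base scope:",
          attributes_to_retry_at_base_scope(["cn", "tokenGroups"], SAMPLE_SCHEMA))
```

The split keeps the subtree search cheap (no jpegPhoto, no member) while still letting the caller read constructed attributes when it needs them, at the cost of one base-scope search per object. If the schema cannot be read (the connector has no access to CN=Schema), the error check alone still lets the caller tell this specific AD restriction apart from other failures and fall back instead of treating the whole search as broken.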

        People

        Assignee: Unassigned
        Reporter: Radovan Semancik (semancik)