Active Directory Password Sync Errors

This topic has 4 replies, 4 voices, and was last updated 6 years, 4 months ago by [email protected].

  • #1597

    Hello,

    We’re attempting to set up AD password synchronization service with openIDM 3.0 and are failing miserably. I’m at a bit of a loss as to why I am unable to get the AD password sync to work. I believe that I have followed the instructions in the integrators guide properly and have used the sample keytool commands in samples/security/keystore_readme.txt to create the keystore and certificates.

    There is nothing in the openIDM logs unless I turn up the log level to FINER where I can see the request. There is a success entry in the audit log.

    The Password Sync Service throws the following in the error log:

    2014-12-05 12:23:29.073 -0600 [1496:524] service init

    #######################################
    # OpenIDM Password Sync Service #
    # Version: 2.1.0 #
    # Revision: 35 #
    # Build date: Jun 13 2013 15:57:46 #
    #######################################

    2014-12-05 12:23:29.089 -0600 DEBUG [1496:2076] directory_time_worker(): starting (will fire at 60 second intervals)…
    2014-12-05 12:23:30.165 -0600 DEBUG [1496:2276] file_worker(): authType set to "idm"
    2014-12-05 12:23:30.165 -0600 DEBUG [1496:2276] file_worker(): authToken0 set to "openidm-admin"
    2014-12-05 12:23:30.165 -0600 DEBUG [1496:2276] file_worker(): idmURL set to "http://10.128.101.32:8080/openidm/managed/user?_action=patch&_queryId=for-userName&uid=${samaccountname}"
    2014-12-05 12:23:30.165 -0600 DEBUG [1496:2276] file_worker(): processing C:/sync/queue (1 files)
    2014-12-05 12:23:30.165 -0600 DEBUG [1496:2276] file_worker(): reading file C:/sync/queue/D41D8CD98F00B204E9800998ECF8427E-20141205121059021.json
    2014-12-05 12:23:30.228 -0600 DEBUG [1496:2276] file_worker(): data from user "tuser"
    2014-12-05 12:23:30.228 -0600 DEBUG [1496:2276] send_post_request(): request uri:
    /openidm/managed/user?_action=patch&_queryId=for-userName&uid=tuser
    2014-12-05 12:23:30.228 -0600 DEBUG [1496:2276] send_post_request(): post size: 1430, data:
    [{ "replace" : "/adPassword", "value" : { "$crypto" : { "value" : { "data" : "w7aSxxfhkE2gUPEd4TfNfPseCPb7ri7pq8kMF3r30rE=", "cipher" : "AES/ECB/PKCS5Padding", "key" : { "data" : "LuD64zLKg+EyRMlyux1tYu1qAQ0QBIBpjxSXfv4fEdiZRNhLBfIZC+94CLfWw11lXu82x1tC4lQ5Aw0TUx6Vp8LuJ2SA+zIwEGqFi6FlTy3se7uSnTA71IOwmvYrgvALrEjcIh6NDhTPcnLYokvYdFlSxBNnymnWvdgqBIBG3JG88gi/hE18SqCdAGuHA0yzW9JRL1qVCkwB8WPzG9YbHULyE1LXoZI4v53eTBXV4EbEg0mqktPXF+5Fx0rV7PvrxEjKdqp4BfdV2/rNa3orYcnRumI9A/Uw6NDK6NGJaOqdkoxJOAHOVJZmhuuJ85oQyVnuWRQclQ5EEpaHLr23qg==", "cipher" : "RSA/ECB/PKCS1Padding", "key" : "openidm-localhost" } }, "type" : "x-simple-encryption" } }}]
    2014-12-05 12:23:30.821 -0600 DEBUG [1496:2276] read_sync_response(): status code: 400, content length: 170
    2014-12-05 12:23:30.821 -0600 ERROR [1496:2276] file_worker(): change request for user "tuser" failed. Network status: 400, error: 0, code: 0, response size: 170
    2014-12-05 12:23:30.821 -0600 DEBUG [1496:2276] file_worker(): response:
    {"code":400,"reason":"Bad Request","message":"The request could not be processed because the provided content is not a valid JSON patch: /0/operation: Expecting a value"}

    Has anyone seen this error before or have any ideas as to what I can do to fix this issue?

    Thanks for your help!

    Pete
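Editor's added example (not code from the thread, from ForgeRock, or from the password sync plugin). The DEBUG line above shows the 2.1.0 plugin posting a body of the form [{ "replace" : "/adPassword", "value" : ... }], while the server's 400 message complains that /0/operation has no value, i.e. it is parsing the body as a patch whose entries carry an "operation" key. The script below reproduces that server-side complaint locally, rewrites the legacy body into the operation/field/value shape, and also flags the plaintext http:// idmURL from the log. Assumptions not stated on the page: the patch entry keys "operation", "field" and "value" and the set of accepted operation names are taken from the OpenIDM 3.x patch format as I know it; the function names, the sample body (copied from the log with the ciphertext and wrapped-key blobs shortened) and the warning text are my own.

```python
"""Check and convert an OpenIDM patch body the way the log above suggests the server does.

Added example; not the plugin's or OpenIDM's code. The expected 3.x entry shape
({"operation": ..., "field": ..., "value": ...}) is an assumption drawn from the
server's "/0/operation: Expecting a value" message and the 3.x docs.
"""
import json
from urllib.parse import urlparse

# Assumed set of operation names accepted by a 3.x-style patch.
VALID_OPS = {"add", "remove", "replace", "increment", "copy", "move", "transform"}
# Legacy (2.x-style) entries name the operation as the key itself.
LEGACY_OPS = ("add", "remove", "replace", "increment")

# Constructed from the DEBUG "post size: 1430, data:" line; the base64 blobs are shortened.
LEGACY_BODY = json.loads('''[{ "replace" : "/adPassword", "value" : { "$crypto" : {
  "value" : { "data" : "w7aSxxfhkE2gUPEd4TfNfPseCPb7ri7pq8kMF3r30rE=",
              "cipher" : "AES/ECB/PKCS5Padding",
              "key" : { "data" : "LuD64zLKg+EyRMlyux1tYu1qAQ0QBIBpjxSX...",
                        "cipher" : "RSA/ECB/PKCS1Padding",
                        "key" : "openidm-localhost" } },
  "type" : "x-simple-encryption" } } }]''')

# Constructed from the "idmURL set to" DEBUG line.
IDM_URL = ("http://10.128.101.32:8080/openidm/managed/user"
           "?_action=patch&_queryId=for-userName&uid=${samaccountname}")


def validate_patch(ops):
    """Return a list of JSON-pointer style errors (empty when the body is acceptable).

    Mirrors the server's complaint format: the first missing key for entry 0 is
    reported as "/0/operation: Expecting a value".
    """
    if not isinstance(ops, list):
        return ["/: Expecting a JSON array of patch operations"]
    errors = []
    for i, op in enumerate(ops):
        if not isinstance(op, dict):
            errors.append(f"/{i}: Expecting an object")
            continue
        if "operation" not in op:
            errors.append(f"/{i}/operation: Expecting a value")
        elif op["operation"] not in VALID_OPS:
            errors.append(f"/{i}/operation: Unknown operation {op['operation']!r}")
        if "field" not in op:
            errors.append(f"/{i}/field: Expecting a value")
        # "remove" needs no value; every other operation does.
        if op.get("operation") != "remove" and "value" not in op:
            errors.append(f"/{i}/value: Expecting a value")
    return errors


def convert_legacy_patch(ops):
    """Rewrite [{"replace": "/path", "value": v}] entries to the operation/field/value shape.

    Entries that already carry "operation" are copied through unchanged; the
    encrypted $crypto value is passed along untouched, since only the envelope
    changes.
    """
    converted = []
    for op in ops:
        if "operation" in op:
            converted.append(dict(op))
            continue
        present = [name for name in LEGACY_OPS if name in op]
        if len(present) != 1:
            raise ValueError(f"cannot determine legacy operation in entry: {op!r}")
        name = present[0]
        new_op = {"operation": name, "field": op[name]}
        if name != "remove":
            new_op["value"] = op["value"]
        converted.append(new_op)
    return converted


def idm_url_warnings(url):
    """Flag transport problems a practitioner would want to know about before enabling sync."""
    parsed = urlparse(url)
    warnings = []
    if parsed.scheme != "https":
        # The body carries the user's AD password under an AES key wrapped with RSA,
        # but the authType=idm credential (authToken0=openidm-admin) and the whole
        # request travel in the clear over plain HTTP.
        warnings.append("idmURL uses plaintext HTTP; the openidm-admin credential and the "
                        "encrypted password envelope are sent unprotected in transit")
    if "_action=patch" not in (parsed.query or ""):
        warnings.append("idmURL does not request _action=patch")
    return warnings


if __name__ == "__main__":
    print("server-style errors for the logged body:", validate_patch(LEGACY_BODY))
    fixed = convert_legacy_patch(LEGACY_BODY)
    print("errors after conversion:", validate_patch(fixed))
    print(json.dumps(fixed, indent=2))
    for w in idm_url_warnings(IDM_URL):
        print("WARNING:", w)
```

Running it reproduces "/0/operation: Expecting a value" for the body the 2.1.0 plugin sent, and the converted body passes the same check; the URL warning is the caveat to keep in mind even once the patch format is right, since the whole exchange in the log goes to port 8080 over http.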

    #1600
     Aron Kozak
    Spectator

    I’m looking internally, trying to get the right person to help answer this. Back soon!

    #1604
     tim.sedlack
    Participant

    Hi Pete –

    I think your request to replace the password is formed incorrectly – but trying to find the correct syntax for a replace is proving more difficult than I thought.

    Are you actually doing curl commands here – or is this the sync service that’s returning this 400 error?

    If it’s the service, then I suspect your keystore values/files have something amiss.

    Is there a support case on this by chance?

    Tim

    #1606
     Mike Jang
    Spectator

    Hi Pete,

    We’ve recently released a new version of the AD password sync plugin for production users, available from https://backstage.forgerock.com/#!/downloads/enterprise/OpenIDM .

    If you haven’t yet tried the new plugin, you might try it. I know we’ve seen similar errors such as OPENIDM-1322.

    FYI, we have also updated the documentation to reflect the changes associated with the password sync plugin in the Integrator’s Guide.

    Let us know if that helps. We appreciate the feedback!

    Thanks,
    Mike

    #1717

    Thanks Guys. I’ll give that a shot.


©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
