This topic contains 5 replies, has 2 voices, and was last updated by 
-
Posts
-
I am trying to map an AD to my SCIM endpoint. I configured SCIM connector and use BASIC authentication in the configuration. When I did the Reconcile, i got the below exception in the audit log:
{“transactionId”:”e34be636-4238-4e15-8a29-310f15b34cd8-442″,”timestamp”:”2019-01-31T18:52:37.621Z”,”eventName”:”recon”,”userId”:”openidm-admin”,”exception”:null,”linkQualifier”:null,”mapping”:”systemAd1Account_systemScimAccount”,”message”:”Reconciliation initiated by openidm-admin”,”sourceObjectId”:null,”targetObjectId”:null,”reconciling”:null,”ambiguousTargetObjectIds”:null,”reconAction”:”recon”,”entryType”:”start”,”reconId”:”e34be636-4238-4e15-8a29-310f15b34cd8-453″,”_id”:”e34be636-4238-4e15-8a29-310f15b34cd8-467″}
{“transactionId”:”e34be636-4238-4e15-8a29-310f15b34cd8-442″,”timestamp”:”2019-01-31T18:52:38.027Z”,”eventName”:”recon”,”userId”:”openidm-admin”,”exception”:”org.forgerock.openidm.sync.SynchronizationException: Invalid credential has been provided to operation QUERY for system object\r\n\tat org.forgerock.openidm.sync.ReconTypeBase.query(ReconTypeBase.java:261)\r\n\tat org.forgerock.openidm.sync.ReconTypeByQuery.queryTarget(ReconTypeByQuery.java:58)\r\n\tat org.forgerock.openidm.sync.ReconciliationContext.queryTarget(ReconciliationContext.java:328)\r\n\tat org.forgerock.openidm.sync.ObjectMapping.doRecon(ObjectMapping.java:997)\r\n\tat org.forgerock.openidm.sync.ObjectMapping.lambda$newReconDelegate$1(ObjectMapping.java:362)\r\n\tat org.forgerock.openidm.sync.ObjectMapping.lambda$recon$4(ObjectMapping.java:950)\r\n\tat org.forgerock.openidm.metrics.MetricsCollector.time(MetricsCollector.java:83)\r\n\tat org.forgerock.openidm.metrics.MetricsCollector.time(MetricsCollector.java:98)\r\n\tat org.forgerock.openidm.sync.ObjectMapping.recon(ObjectMapping.java:950)\r\n\tat org.forgerock.openidm.sync.ReconciliationService.reconcile(ReconciliationService.java:522)\r\n\tat org.forgerock.openidm.sync.ReconciliationService.access$000(ReconciliationService.java:105)\r\n\tat org.forgerock.openidm.sync.ReconciliationService$1.run(ReconciliationService.java:469)\r\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)\r\n\tat java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)\r\n\tat java.lang.Thread.run(Unknown Source)\r\nCaused by: org.forgerock.json.resource.PermanentException: Invalid credential has been provided to operation QUERY for system object\r\n\tat org.forgerock.json.resource.ResourceException.newResourceException(ResourceException.java:261)\r\n\tat org.forgerock.openidm.provisioner.openicf.impl.ExceptionHelper.adaptConnectorException(ExceptionHelper.java:117)\r\n\tat org.forgerock.openidm.provisioner.openicf.impl.ObjectClassResourceProvider.handleQuery(ObjectClassResourceProvider.java:519)\r\n\tat org.forgerock.openidm.provisioner.openicf.impl.ObjectClassRequestHandler.handleQuery(ObjectClassRequestHandler.java:132)\r\n\tat org.forgerock.json.resource.Router.handleQuery(Router.java:317)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:95)\r\n\tat org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:84)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:84)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:84)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.openidm.audit.filter.AuditFilter.lambda$filterQuery$4(AuditFilter.java:143)\r\n\tat org.forgerock.openidm.audit.filter.AuditFilter.logAuditAccessEntry(AuditFilter.java:175)\r\n\tat org.forgerock.openidm.audit.filter.AuditFilter.filterQuery(AuditFilter.java:143)\r\n\tat org.forgerock.openidm.router.filter.MutableFilterDecorator.filterQuery(MutableFilterDecorator.java:90)\r\n\tat org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:82)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3.lambda$filterQuery$4(ServletConnectionFactory.java:403)\r\n\tat org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3.handleRequestWithLogging(ServletConnectionFactory.java:436)\r\n\tat org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3.filterQuery(ServletConnectionFactory.java:403)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.openidm.router.filter.PassthroughFilter.filterQuery(PassthroughFilter.java:66)\r\n\tat org.forgerock.openidm.router.filter.MutableFilterDecorator.filterQuery(MutableFilterDecorator.java:90)\r\n\tat org.forgerock.openidm.router.filter.MutableFilterDecorator.filterQuery(MutableFilterDecorator.java:90)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:84)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.json.resource.FilterChain.handleQuery(FilterChain.java:250)\r\n\tat org.forgerock.json.resource.InternalConnection.queryAsync(InternalConnection.java:74)\r\n\tat org.forgerock.json.resource.AbstractAsynchronousConnection.query(AbstractAsynchronousConnection.java:72)\r\n\tat org.forgerock.json.resource.AbstractConnectionWrapper.query(AbstractConnectionWrapper.java:165)\r\n\tat org.forgerock.openidm.servlet.internal.ServletConnectionFactory$InternalConnectionWrapper.lambda$query$12(ServletConnectionFactory.java:363)\r\n\tat org.forgerock.openidm.metrics.MetricsCollector.time(MetricsCollector.java:51)\r\n\tat org.forgerock.openidm.metrics.MetricsCollector.time(MetricsCollector.java:68)\r\n\tat org.forgerock.openidm.servlet.internal.ServletConnectionFactory$InternalConnectionWrapper.time(ServletConnectionFactory.java:278)\r\n\tat org.forgerock.openidm.servlet.internal.ServletConnectionFactory$InternalConnectionWrapper.query(ServletConnectionFactory.java:363)\r\n\tat org.forgerock.json.resource.AbstractConnectionWrapper.query(AbstractConnectionWrapper.java:165)\r\n\tat org.forgerock.openidm.sync.ReconTypeBase.query(ReconTypeBase.java:230)\r\n\t… 14 more\r\nCaused by: org.identityconnectors.framework.common.exceptions.InvalidCredentialException: 401: Unauthorized\r\n\tat org.forgerock.openicf.connectors.scim.client.ScimClient.query(ScimClient.java:394)\r\n\tat org.forgerock.openicf.connectors.scim.ScimConnector.executeQuery(ScimConnector.java:314)\r\n\tat org.forgerock.openicf.connectors.scim.ScimConnector.executeQuery(ScimConnector.java:67)\r\n\tat org.identityconnectors.framework.impl.api.local.operations.SearchImpl.rawSearch(SearchImpl.java:162)\r\n\tat org.identityconnectors.framework.impl.api.local.operations.SearchImpl.search(SearchImpl.java:118)\r\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\r\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)\r\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)\r\n\tat java.lang.reflect.Method.invoke(Unknown Source)\r\n\tat org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:104)\r\n\tat com.sun.proxy.$Proxy72.search(Unknown Source)\r\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\r\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)\r\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)\r\n\tat java.lang.reflect.Method.invoke(Unknown Source)\r\n\tat org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)\r\n\tat com.sun.proxy.$Proxy72.search(Unknown Source)\r\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\r\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)\r\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)\r\n\tat java.lang.reflect.Method.invoke(Unknown Source)\r\n\tat org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:157)\r\n”,”linkQualifier”:null,”mapping”:”systemAd1Account_systemScimAccount”,”message”:”SOURCE_IGNORED: 0 FOUND_ALREADY_LINKED: 0 UNQUALIFIED: 0 ABSENT: 0 TARGET_IGNORED: 0 MISSING: 0 ALL_GONE: 0 UNASSIGNED: 0 AMBIGUOUS: 0 CONFIRMED: 0 LINK_ONLY: 0 SOURCE_MISSING: 0 FOUND: 0 “,”messageDetail”:{“_id”:”e34be636-4238-4e15-8a29-310f15b34cd8-453″,”mapping”:”systemAd1Account_systemScimAccount”,”state”:”FAILED”,”stage”:”COMPLETED_FAILED”,”stageDescription”:”reconciliation failed”,”progress”:{“source”:{“existing”:{“processed”:0,”total”:”5″}},”target”:{“existing”:{“processed”:0,”total”:”?”},”created”:0},”links”:{“existing”:{“processed”:0,”total”:”?”},”created”:0}},”situationSummary”:{“SOURCE_IGNORED”:0,”FOUND_ALREADY_LINKED”:0,”UNQUALIFIED”:0,”ABSENT”:0,”TARGET_IGNORED”:0,”MISSING”:0,”ALL_GONE”:0,”UNASSIGNED”:0,”AMBIGUOUS”:0,”CONFIRMED”:0,”LINK_ONLY”:0,”SOURCE_MISSING”:0,”FOUND”:0},”statusSummary”:{“SUCCESS”:0,”FAILURE”:0},”durationSummary”:{“sourceQuery”:{“min”:280,”max”:280,”mean”:280,”count”:1,”sum”:280,”stdDev”:0},”onReconScript”:{“min”:77,”max”:77,”mean”:77,”count”:1,”sum”:77,”stdDev”:0},”auditLog”:{“min”:1,”max”:1,”mean”:1,”count”:1,”sum”:1,”stdDev”:0}},”parameters”:{“sourceQuery”:{“resourceName”:”system/AD1/account”,”queryId”:”query-all-ids”},”targetQuery”:{“resourceName”:”system/scim/account”,”queryId”:”query-all-ids”}},”started”:”2019-01-31T18:52:37.496Z”,”ended”:”2019-01-31T18:52:38.027Z”,”duration”:531,”sourceProcessedByNode”:{}},”sourceObjectId”:null,”status”:”FAILURE”,”targetObjectId”:null,”reconciling”:null,”ambiguousTargetObjectIds”:null,”reconAction”:”recon”,”entryType”:”summary”,”reconId”:”e34be636-4238-4e15-8a29-310f15b34cd8-453″,”_id”:”e34be636-4238-4e15-8a29-310f15b34cd8-485″}I ran the below command to test the connector, the status is ok:
curl \
–header “X-OpenIDM-Username: openidm-admin” \
–header “X-OpenIDM-Password: openidm-admin” \
–request POST \
“http://localhost:8080/openidm/system?_action=test”[{“name”:”scim”,”enabled”:true,”config”:”config/provisioner.openicf/scim”,”connectorRef”:{“bundleVersion”:”[1.4.0.0,1.5.0.0]”,”bundleName”:”org.forgerock.openicf.connectors.scim-connector”,”connectorName”:”org.forgerock.openicf.connectors.scim.ScimConnector”},”displayName”:”Scim Connector”,”objectTypes”:[“__ALL__”,”account”,”group”],”ok”:true},{“name”:”sciminterop1″,”enabled”:true,”config”:”config/provisioner.openicf/sciminterop1″,”connectorRef”:{“bundleVersion”:”1.4.3.0″,”bundleName”:”org.forgerock.openicf.connectors.scim-connector”,”connectorName”:”org.forgerock.openicf.connectors.scim.ScimConnector”},”displayName”:”Scim Connector”,”objectTypes”:[“__ACCOUNT__”,”__ALL__”,”__GROUP__”],”ok”:true},{“name”:”AD1″,”enabled”:true,”config”:”config/provisioner.openicf/AD1″,”connectorRef”:{“bundleVersion”:”[1.4.0.0,1.5.0.0)”,”bundleName”:”org.forgerock.open
And I also checked the credentials via sending the request to the SCIM endpoint using the same username and password, it works.
What else I can check to find the issue?
Thanks
Ellen-
This topic was modified 2 weeks, 2 days ago by
ellen.zhang@globalrelay.net.
Can you share your SCIM provisioner file from openidm/conf folder?
Here is the “provisioner.openicf-sciminterop1.json”
{
“connectorRef” : {
“displayName” : “Scim Connector”,
“bundleVersion” : “1.4.3.0”,
“systemType” : “provisioner.openicf”,
“bundleName” : “org.forgerock.openicf.connectors.scim-connector”,
“connectorName” : “org.forgerock.openicf.connectors.scim.ScimConnector”
},
“poolConfigOption” : {
“maxObjects” : 10,
“maxIdle” : 10,
“maxWait” : 150000,
“minEvictableIdleTimeMillis” : 120000,
“minIdle” : 1
},
“resultsHandlerConfig” : {
“enableNormalizingResultsHandler” : false,
“enableFilteredResultsHandler” : false,
“enableCaseInsensitiveFilter” : false,
“enableAttributesToGetSearchResultsHandler” : true
},
“operationTimeout” : {
“CREATE” : -1,
“UPDATE” : -1,
“DELETE” : -1,
“TEST” : -1,
“SCRIPT_ON_CONNECTOR” : -1,
“SCRIPT_ON_RESOURCE” : -1,
“GET” : -1,
“RESOLVEUSERNAME” : -1,
“AUTHENTICATE” : -1,
“SEARCH” : -1,
“VALIDATE” : -1,
“SYNC” : -1,
“SCHEMA” : -1
},
“configurationProperties” : {
“SCIMEndpoint” : “https://lb-scim-interopsnap1-nvan.dev-globalrelay.net/scim/v1”,
“SCIMVersion” : “1”,
“authenticationMethod” : “BASIC”,
“user” : “sysuser@jvesazvw.test”,
“password” : {
“$crypto” : {
“type” : “x-simple-encryption”,
“value” : {
“cipher” : “AES/CBC/PKCS5Padding”,
“stableId” : “openidm-sym-default”,
“salt” : “sdMSR3U1SCA/A0lJzKEdTA==”,
“data” : “wcOhSXBSQ9QLuldwgCbxyA==”,
“keySize” : 16,
“purpose” : “idm.config.encryption”,
“iv” : “h6aZ9q+Ay8KnNIG2BZOH/A==”,
“mac” : “mbDg1agFbWl2hAs0x4xAoA==”
}
}
}
},
“enabled” : true,
“tokenEndpoint” : null,
“clientId” : “interop1”,
“clientSecret” : null,
“authToken” : null,
“acceptSelfSignedCertificates” : false,
“disableHostNameVerifier” : false,
“disableHttpCompression” : false,
“clientCertAlias” : null,
“clientCertPassword” : null,
“maximumConnections” : “10”,
“httpProxyHost” : null,
“httpProxyPort” : null
}Hi Gael, thanks for the following up. Did I provide the correct configuration file you need? Thanks
EllenYour configuration looks ok and the error you get is:
InvalidCredentialException: 401: UnauthorizedSo it seems to be a user/password issue.
What kind of test/query you do to validate the user/password ?I made a curl command call to check the connection set:
curl \
–header “X-OpenIDM-Username: openidm-admin” \
–header “X-OpenIDM-Password: openidm-admin” \
–request POST \
“http://localhost:8080/openidm/system?_action=test”[{“name”:”scim”,”enabled”:true,”config”:”config/provisioner.openicf/scim”,”connectorRef”:{“bundleVersion”:”[1.4.0.0,1.5.0.0]”,”bundleName”:”org.forgerock.openicf.connectors.scim-connector”,”connectorName”:”org.forgerock.openicf.connectors.scim.ScimConnector”},”displayName”:”Scim Connector”,”objectTypes”:[“__ALL__”,”account”,”group”],”ok”:true},{“name”:”sciminterop1″,”enabled”:true,”config”:”config/provisioner.openicf/sciminterop1″,”connectorRef”:{“bundleVersion”:”1.4.3.0″,”bundleName”:”org.forgerock.openicf.connectors.scim-connector”,”connectorName”:”org.forgerock.openicf.connectors.scim.ScimConnector”},”displayName”:”Scim Connector”,”objectTypes”:[“__ACCOUNT__”,”__ALL__”,”__GROUP__”],”ok”:true},{“name”:”AD1″,”enabled”:true,”config”:”config/provisioner.openicf/AD1″,”connectorRef”:{“bundleVersion”:”[1.4.0.0,1.5.0.0)”,”bundleName”:”org.forgerock.open
And I also checked the credentials via sending the request to the SCIM endpoint from the same ForgeRock Directory server using the same username and password, it worked:
c:\curl>curl -v -X GET https://lb-scim-interopsnap1-nvan.dev-globalrelay.net/scim/v1/Users/11111111111111 -u sysuser@jvesazvw.test:Password1
Note: Unnecessary use of -X or –request, GET is already inferred.
* timeout on name lookup is not supported
* Trying 10.178.203.217…
* TCP_NODELAY set
* Connected to lb-scim-interopsnap1-nvan.dev-globalrelay.net (10.178.203.217) port 443 (#0)
* schannel: SSL/TLS connection with lb-scim-interopsnap1-nvan.dev-globalrelay.net port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 222 bytes…
* schannel: sent initial handshake data: sent 222 bytes
* schannel: SSL/TLS connection with lb-scim-interopsnap1-nvan.dev-globalrelay.net port 443 (step 2/3)
* schannel: encrypted data buffer: offset 4016 length 4096
* schannel: sending next handshake data: sending 182 bytes…
* schannel: SSL/TLS connection with lb-scim-interopsnap1-nvan.dev-globalrelay.net port 443 (step 2/3)
* schannel: encrypted data buffer: offset 330 length 4096
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with lb-scim-interopsnap1-nvan.dev-globalrelay.net port 443 (step 3/3)
* schannel: stored credential handle in session cache
* Server auth using Basic with user ‘sysuser@jvesazvw.test’
> GET /scim/v1/Users/11111111111111 HTTP/1.1
> Host: lb-scim-interopsnap1-nvan.dev-globalrelay.net
> Authorization: Basic c3lzdXNlckBqdmVzYXp2dy50ZXN0OlBhc3N3b3JkMQ==
> User-Agent: curl/7.53.1
> Accept: */*
>
* schannel: client wants to read 16384 bytes
* schannel: encdata_buffer resized 17408
* schannel: encrypted data buffer: offset 0 length 17408
* schannel: encrypted data got 245
* schannel: encrypted data buffer: offset 245 length 17408
* schannel: decrypted data length: 175
* schannel: decrypted data added: 175
* schannel: decrypted data cached: offset 175 length 16384
* schannel: encrypted data buffer: offset 0 length 17408
* schannel: decrypted data buffer: offset 175 length 16384
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 175
* schannel: decrypted data buffer: offset 0 length 16384
< HTTP/1.1 404 Not Found
< Content-Length: 0
< Server:
< Date: Thu, 14 Feb 2019 20:00:52 GMT
< Strict-Transport-Security: max-age=15768000
< Set-Cookie: grsh=all; path=/; Secure
<
* Connection #0 to host lb-scim-interopsnap1-nvan.dev-globalrelay.net left intact -
This topic was modified 2 weeks, 2 days ago by
You must be logged in to reply to this topic.
