For a client, we have to connect a WSO2IS 5.10.0 to an Active Directory. For that we have created a secondary user store with this configuration:

WSO2IS can connect to Active Directory, as we can retrieve users and roles. Before doing any claim mapping we tried to edit and create users without any problems. Then we mapped some claims to retrieve more information from Active Directory, and here our problems begin:

  • We can't create a user in Active Directory
  • We can't update a user in Active Directory

These two problems give us this error:

Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C45, comment: Error in attribute conversion operation, data 0, v1db1

Things that we have tried:

  • Checked (and checked a second and third time) that all our claims are mapped correctly (and they are)
  • Reset all claims to the default mapping (to the state where we were able to create/update users)
  • Set the User DN Pattern (as explained here)
  • Restarted on a fresh instance of WSO2IS 5.10.0

But none of the things we have tried are helping, and we are stuck.

Any help would be hugely appreciated. Thank you for any suggestions.


As asked, these are the AD attributes we have mapped:

  • sn
  • givenName
  • cn
  • displayName
  • name
  • description
  • mail
  • sAMAccountName
  • userPrincipalName
  • accountExpires
  • pwdLastSet
  • userAccountControl
  • scriptPath
  • homePhone
  • mobile
  • facsimileTelephoneNumber
  • title
  • department
  • company
Comment: Can you add the claim configs you have tried to modify and which mapped attributes in AD you have used? – Maduranga Siriwardena

1 Answer

Here the issue is LDAP_NO_SUCH_ATTRIBUTE returned from the AD.

  1. We don't know which attribute is missing on AD side.
  2. From the existing DEBUG logs of the server, you probably wouldn't be able to log all the attributes that WSO2 is going to update. Therefore, you have to choose an alternative option.
  3. Manual check - Even though only a few attributes are configured (and verified) by you, there are other claims with default attribute mappings. Please check all the mapped attributes in the http://wso2.org/claim dialect.
  4. Remote debug - Remote DEBUG the server to check which attributes WSO2 is trying to write to. (A smaller subset than the previous approach.) Then verify whether those exist.
  5. To do this remote debugging you can check out the Kernel source code from here.
  6. To find out the correct tag to checkout, you can find the kernel version of your identity server version from this release matrix.
  7. Once you clone and check out the correct tag, you can use IntelliJ IDEA or a capable IDE to remote debug the server as explained in this blog.
  8. Though it's hard to point to an exact line of code, you can put DEBUG points at ActiveDirectoryUserStoreManager.doAddUser() and ActiveDirectoryUserStoreManager.doSetUserClaimValue() methods and start from there.

P.S. You can also check whether the carbon log's stack trace contains any clue about the failing attribute or the respective claim, so that you can validate it.
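The manual check in step 3 of the answer can be scripted. The Python below is an added example for this page, not code from the question, the answer or WSO2. It parses the AD diagnostic string posted in the question into its LDAP result code (16 is noSuchAttribute in RFC 4511), the embedded Win32 error (0x57 is ERROR_INVALID_PARAMETER) and the DSID/comment, and then checks a list of claim-mapped attribute names against a schema snapshot. The snapshot is constructed by hand here for the demo: the syntaxes are what AD's default schema declares for the attributes the question lists, but a real check should read attributeTypes from the DC's subschema entry rather than trust a hard-coded table. It goes one step beyond the answer: besides reporting attributes that do not exist, it flags attributes that exist but do not take a free-form string (Integer and LargeInteger syntaxes), because a comment of "Error in attribute conversion operation" is what AD returns when a supplied value cannot be converted to the attribute's declared syntax, which is worth ruling out when integer-typed attributes such as accountExpires, pwdLastSet and userAccountControl are mapped to string claims.

```python
"""Triage helper for a NoSuchAttributeException from an AD user store.

Added example for this page; not code from the question, the answer or
WSO2. AD_SCHEMA_SNAPSHOT is constructed by hand: a real check should read
attributeTypes from the DC's subschema entry.
"""
import re

# LDAP result codes (RFC 4511) that commonly show up on failed writes
LDAP_RESULT_CODES = {
    16: "noSuchAttribute",
    17: "undefinedAttributeType",
    19: "constraintViolation",
    21: "invalidAttributeSyntax",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Win32 error codes AD embeds as the 8-hex-digit prefix of its comment
WIN32_ERRORS = {
    0x5: "ERROR_ACCESS_DENIED",
    0x57: "ERROR_INVALID_PARAMETER",
    0x525: "ERROR_NO_SUCH_USER",
    0x52E: "ERROR_LOGON_FAILURE",
}

# LDAP syntax OIDs as published in AD's subschema attributeTypes
OID_DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
OID_IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
OID_INTEGER = "1.3.6.1.4.1.1466.115.121.1.27"
OID_LARGE_INTEGER = "1.2.840.113556.1.4.906"
STRING_SYNTAXES = {OID_DIRECTORY_STRING, OID_IA5_STRING}

# Constructed snapshot: the attributes listed in the question and the
# syntax AD's default schema declares for each of them.
AD_SCHEMA_SNAPSHOT = {
    "sn": OID_DIRECTORY_STRING,
    "givenName": OID_DIRECTORY_STRING,
    "cn": OID_DIRECTORY_STRING,
    "displayName": OID_DIRECTORY_STRING,
    "name": OID_DIRECTORY_STRING,
    "description": OID_DIRECTORY_STRING,
    "mail": OID_DIRECTORY_STRING,
    "sAMAccountName": OID_DIRECTORY_STRING,
    "userPrincipalName": OID_DIRECTORY_STRING,
    "accountExpires": OID_LARGE_INTEGER,
    "pwdLastSet": OID_LARGE_INTEGER,
    "userAccountControl": OID_INTEGER,
    "scriptPath": OID_DIRECTORY_STRING,
    "homePhone": OID_DIRECTORY_STRING,
    "mobile": OID_DIRECTORY_STRING,
    "facsimileTelephoneNumber": OID_DIRECTORY_STRING,
    "title": OID_DIRECTORY_STRING,
    "department": OID_DIRECTORY_STRING,
    "company": OID_DIRECTORY_STRING,
}

# The attribute list from the question, as the set of mappings to check
MAPPED_ATTRIBUTES = list(AD_SCHEMA_SNAPSHOT)

# The diagnostic from the question, embedded so the demo runs offline
SAMPLE_ERROR = (
    "javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 "
    "- 00000057: LdapErr: DSID-0C090C45, comment: Error in attribute "
    "conversion operation, data 0, v1db1"
)

AD_DIAG_RE = re.compile(
    r"error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+)"
)


def parse_ad_error(message):
    """Split an AD LDAP diagnostic string into its named parts, or None."""
    m = AD_DIAG_RE.search(message)
    if m is None:
        return None
    code, win32 = int(m.group("code")), int(m.group("win32"), 16)
    return {
        "ldap_code": code,
        "ldap_name": LDAP_RESULT_CODES.get(code, "unknown"),
        "win32": win32,
        "win32_name": WIN32_ERRORS.get(win32, "unknown"),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": int(m.group("data"), 16),  # AD prints this field in hex
    }


def check_mapped_attributes(mapped, schema):
    """Return (missing, non_string): names absent from the schema, and a
    dict of existing attributes whose syntax is not a plain string."""
    by_lower = {name.lower(): (name, syntax) for name, syntax in schema.items()}
    missing, non_string = [], {}
    for attr in mapped:
        entry = by_lower.get(attr.lower())  # LDAP attribute names are case-insensitive
        if entry is None:
            missing.append(attr)
        elif entry[1] not in STRING_SYNTAXES:
            non_string[attr] = entry[1]
    return missing, non_string


if __name__ == "__main__":
    print(parse_ad_error(SAMPLE_ERROR))
    missing, non_string = check_mapped_attributes(MAPPED_ATTRIBUTES, AD_SCHEMA_SNAPSHOT)
    print("missing from schema:", missing)
    print("non-string syntax, cannot take a free-form claim value:", non_string)
```

Run against the question's own list, nothing is missing, but accountExpires, pwdLastSet and userAccountControl are flagged as integer-typed; of those, pwdLastSet in particular only accepts 0 or -1 on write, so a string claim value for any of them is a candidate for the conversion error. A misspelled mapping (for example "sAMAcountName") lands in the missing list instead.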