Problem importing via OpenLDAP MA
Hi all,

I've set up FIM on a test server, and would like to try and manage the groups and users in an OpenLDAP installation we have on another server. I have installed the OpenLDAP MA, which I found here: http://sourceforge.net/projects/openldap-ma/

I have tried connecting to the LDAP using the following settings, and can't for the life of me get it to work. I have tried turning SSL off, removing the port number (defaults to 389), adding the LDAP's certificate "clientCertificate" (C:\slapd.pem), adding our namingContexts and changing "Authtype" to "External", but still no joy. I'm attempting a "Full import". All the other settings (filter, deprovisioning, etc.) are default.

Hope someone can shed some light on my problem.

Thanks, Francis
October 29th, 2010 8:55am

What is your error message when trying to import? Do you see error messages on the OpenLDAP system? Did you try to connect to the OpenLDAP server using the manager's distinguished name, instead of the pure account name?

/Matthias
October 29th, 2010 9:16am

I get two error messages, depending on the settings in FIM:

- "stopped-server-down" when I try using SSL and port 636
- "stopped-extension-dll-exception" with ssl=false and default port

I have been told that "manager" is the administrator role. Do you mean I should try logging in as a specific user that has the manager role?

I asked my colleague, who installed the LDAP, to copy the log and send it to me:

Oct 29 06:53:45 ip-xxx-xxx-xxx-xxx slapd[30430]: >>> slap_listener(ldaps:///)
Oct 29 06:53:45 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_get(14): got connid=0
Oct 29 06:53:45 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_read(14): checking for input on id=0
Oct 29 06:53:45 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_get(14): got connid=0
Oct 29 06:53:45 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_read(14): checking for input on id=0
Oct 29 06:53:45 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_read(14): TLS accept failure error=-1 id=0, closing
Oct 29 06:53:45 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_closing: readying conn=0 sd=14 for close
Oct 29 06:53:45 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_close: conn=0 sd=-1
Oct 29 06:55:32 ip-xxx-xxx-xxx-xxx slapd[30430]: >>> slap_listener(ldap:///)
Oct 29 06:55:32 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_get(14): got connid=1
Oct 29 06:55:32 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_read(14): checking for input on id=1
Oct 29 06:55:32 ip-xxx-xxx-xxx-xxx slapd[30430]: ber_get_next on fd 14 failed errno=34 (Numerical result out of range)
Oct 29 06:55:32 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_closing: readying conn=1 sd=14 for close
Oct 29 06:55:32 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_close: conn=1 sd=-1
Oct 29 06:55:49 ip-xxx-xxx-xxx-xxx slapd[30430]: >>> slap_listener(ldap:///)
Oct 29 06:55:49 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_get(14): got connid=2
Oct 29 06:55:49 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_read(14): checking for input on id=2
Oct 29 06:55:49 ip-xxx-xxx-xxx-xxx slapd[30430]: ber_get_next on fd 14 failed errno=34 (Numerical result out of range)
Oct 29 06:55:49 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_closing: readying conn=2 sd=14 for close
Oct 29 06:55:49 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_close: conn=2 sd=-1
Oct 29 06:56:07 ip-xxx-xxx-xxx-xxx slapd[30430]: >>> slap_listener(ldap:///)
Oct 29 06:56:07 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_get(14): got connid=3
Oct 29 06:56:07 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_read(14): checking for input on id=3
Oct 29 06:56:07 ip-xxx-xxx-xxx-xxx slapd[30430]: ber_get_next on fd 14 failed errno=34 (Numerical result out of range)
Oct 29 06:56:07 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_closing: readying conn=3 sd=14 for close
Oct 29 06:56:07 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_close: conn=3 sd=-1
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: >>> slap_listener(ldap:///)
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_get(14): got connid=4
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_read(14): checking for input on id=4
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: do_bind
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: >>> dnPrettyNormal: <manager>
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: bind: invalid dn (manager)
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: send_ldap_result: conn=4 op=0 p=3
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: send_ldap_response: msgid=1 tag=97 err=34
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_get(14): got connid=4
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_read(14): checking for input on id=4
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: ber_get_next on fd 14 failed errno=0 (Success)
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_closing: readying conn=4 sd=14 for close
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_close: deferring conn=4 sd=-1
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: do_unbind
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_resched: attempting closing conn=4 sd=14
Oct 29 06:59:47 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_close: conn=4 sd=-1
Oct 29 07:43:21 ip-xxx-xxx-xxx-xxx slapd[30430]: >>> slap_listener(ldaps:///)
Oct 29 07:43:21 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_get(14): got connid=5
Oct 29 07:43:21 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_read(14): checking for input on id=5
Oct 29 07:43:21 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_get(14): got connid=5
Oct 29 07:43:21 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_read(14): checking for input on id=5
Oct 29 07:43:21 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_read(14): TLS accept failure error=-1 id=5, closing
Oct 29 07:43:21 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_closing: readying conn=5 sd=14 for close
Oct 29 07:43:21 ip-xxx-xxx-xxx-xxx slapd[30430]: connection_close: conn=5 sd=-1

Thanks! Francis
October 29th, 2010 9:35am

What exactly is the stopped-extension-dll-exception error? In the "connect to" section try to use the manager's DN instead of its account name, meaning replace manager with cn=manager,ou=xyz,dc=123,dc=xyz

/Matthias
October 29th, 2010 11:48am

The event viewer says this when I run the request that gives "stopped-extension-dll-exception":

Log Name: Application
Source: FIMSynchronizationService
Date: 10/29/2010 6:07:28 PM
Event ID: 6803
Task Category: Management Agent Run Profile
Level: Error
Keywords: Classic
User: N/A
Computer: computerName.myDomain
Description: The management agent "testAgent" failed on run profile "Full Import" because the server encountered errors.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="49152">6803</EventID>
    <Level>2</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-10-29T17:07:28.000Z" />
    <EventRecordID>3816</EventRecordID>
    <Channel>Application</Channel>
    <Computer>computerName.myDomain</Computer>
    <Security />
  </System>
  <EventData>
    <Data>testAgent</Data>
    <Data>Full Import</Data>
  </EventData>
</Event>

When I removed manager and replaced it with cn=manager,dc=123,dc=xyz (123 and xyz were replaced with the proper values), I got: "stopped-bad-server-credentials". I only get this message when SSL=false and with the default port. If SSL=true, I get the same "stopped-server-down" message.

Thanks a lot for your advice and time, I really appreciate it!

Francis
October 29th, 2010 1:28pm

If you click on the stopped-server-down message in the FIM SE UI directly you'll be able to get more detailed error messages.

stopped-server-down is thrown when port=636 is defined and SSL=true, correct? It could be a problem with certificates. Note: if SSL encryption is used, the address specified in connectTo must exactly match the server common name defined in the server certificate.

stopped-bad-server-credentials indicates that you could successfully connect to the server, but the login failed. How was your authType setting? It should be set to "Basic".

Can you connect from the ILM server to the OpenLDAP server using the connectTo settings as specified in the MA by using a common LDAP browser, such as ldp.exe?

/Matthias
October 29th, 2010 5:23pm

stopped-server-down is thrown when port=636 is defined and SSL=true, correct? Under which conditions is stopped-extension-dll-exception thrown? If you click on the stopped-extension-dll-exception in the FIM SE UI directly you'll be able to get more detailed error messages.

It could be a problem with certificates. Note: if SSL encryption is used, the address specified in connectTo must exactly match the server common name defined in the server certificate.

stopped-bad-server-credentials indicates that you could successfully connect to the server, but the login failed. How was your authType setting? It should be set to "Basic".

Can you connect from the ILM server to the OpenLDAP server using the connectTo settings as specified in the MA by using a common LDAP browser, such as ldp.exe?

/Matthias
October 29th, 2010 5:23pm

I'm sorry, but I can't seem to find the more detailed error messages. Maybe I'm looking in the wrong place?

Correct.

I was sent the certificate by the same colleague who set up the LDAP server, I didn't make it myself. Does it somehow need to be registered, or should it be enough to specify the path C:\slapd.pem?

authType was Basic.

I tried connecting via port 389 using ldp.exe, but I think the server may be set up to refuse non-SSL connections, as I get the error: "Tls confidentiality required". I did however not get the "cannot open connection" popup that I got using SSL.

Thanks, Francis
October 31st, 2010 6:51am

Correct. This only happened when I only specified "manager", "Basic", "default port" and "SSL=false". Upon changing to "cn=manager,dc=123,dc=xyz", I get "stopped-bad-server-credentials" instead, which I think is an improvement.

I'm sorry, but I can't seem to find the more detailed error messages. Maybe I'm looking in the wrong place?

I was sent the certificate by the same colleague who set up the LDAP server, I didn't make it myself. Does it somehow need to be registered, or should it be enough to specify the path C:\slapd.pem?

authType was Basic.

I tried connecting via port 389 using ldp.exe, but I think the server may be set up to refuse non-SSL connections, as I get the error: "Tls confidentiality required". I did however not get the "cannot open connection" popup that I got using SSL.

Thanks, Francis

(My previous post went funny upon editing it, so I deleted it and made a new one. Sorry for the inconvenience.)
October 31st, 2010 9:18am

"I was sent the certificate by the same colleague who set up the LDAP server, I didn't make it myself. Does it somehow need to be registered, or should it be enough to specify the path C:\slapd.pem?"

To successfully set up LDAPS you need two things:

1. An SSL certificate on the LDAP server and some OpenLDAP configuration in the ldapd.conf or slapd.conf (not sure which one). Note: if SSL encryption is used, the address specified in the FIM SE config "connectTo" must exactly match the server common name defined in the server certificate.

2. The CA certificate installed on each client system that wants to establish an LDAPS connection with the LDAP server - in your case the FIM SE server. This certificate must be placed in the computer's Trusted Root Certification Authorities.

/Matthias
November 1st, 2010 5:52am
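As an added example (not code from the thread or from the OpenLDAP MA), a Python pre-flight check for the two LDAPS conditions Matthias lists: the FIM server must trust the CA that issued the slapd certificate, and the name in connectTo must be one the certificate actually carries. It separates "nothing listening", "no TLS on that port", "untrusted CA" and "name mismatch", which the MA folds into one stopped-server-down status. The host name, port and CA file path are assumed values.

```python
import socket
import ssl


def hostname_matches(cert, connect_to):
    """True if connect_to equals a DNS SAN or, when the certificate has no SAN,
    the subject commonName. cert is the dict ssl.SSLSocket.getpeercert() returns."""
    host = connect_to.lower().rstrip(".")
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for key, v in rdn if key == "commonName"]
    for name in names:
        if name == host:
            return True
        # Accept a wildcard only in the leftmost label and only for one label
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def check_ldaps(connect_to, port=636, cafile=None, timeout=5.0):
    """Classify why an LDAPS connection fails. cafile is the CA that signed the
    server certificate (assumed path), not the server's own slapd.pem."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # the name check is reported separately below
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((connect_to, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=connect_to) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "untrusted-ca", "certificate does not chain to a trusted CA: %s" % exc
    except ssl.SSLError as exc:
        return "tls-handshake-failed", "no TLS on this port (plain ldap:// listener?): %s" % exc
    except OSError as exc:              # refused, unreachable, timed out
        return "server-down", "nothing answering on %s:%s: %s" % (connect_to, port, exc)
    if not hostname_matches(cert, connect_to):
        return "name-mismatch", "connectTo %r is not a name in the server certificate" % connect_to
    return "ok", "handshake completed and certificate matches connectTo"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.org"   # assumed name
    print(check_ldaps(host, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it from the FIM server itself, with the same connectTo value the MA uses, so that the result reflects that machine's trust store and name resolution.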

Thanks, I think I now understand how to get SSL working! It turned out that I had been given an incorrect login, it was supposed to be: "cn=manager,o=123,dc=xyz". My colleague opened for non-SSL connections to the LDAP, and FIM connected using Basic! The only remaining problem is that it says "unmappable-object-type" under "Discovery-errors" (Status: completed-discovery-errors). I tried connecting to the LDAP using a standalone client, and did not get any such errors. Thanks, Francis
November 1st, 2010 6:25am

Do you have more details about "unmappable-object-type"?

/Matthias
November 1st, 2010 6:30am

I get this view after doing a full import (I had 20 "Adds" the first time I ran a full import):

Thanks, Francis
November 1st, 2010 6:42am

Did you specify a proper object mapping for dc, ou, o objects in the Map Object Types section of the MA configuration?

/Matthias
November 1st, 2010 7:23am

No, I simply went with the default settings from "configure additional parameters" and downwards.

Thanks, Francis
November 1st, 2010 7:48am

The unmappable-object-type error is caused by the ordering of object classes in the import file. You have to list every possible order on the page in the MA where you configure your object types. Sorry I'm not sounding very specific here as I'm going from memory. I can get onto the system I manage with an OpenLDAP MA later on today if you need more details.

http://www.wapshere.com/missmiis
November 1st, 2010 9:48am

Thank you! That would be very helpful!

Regards, Francis
November 1st, 2010 10:01am

OK, a bit more info. In the MA config, on the "Map Object Types" page you have to configure all the object types you expect to import, along with their dependent objectClasses. If there are object types you don't care about then just list them here with no sub-objectClasses, and then add them in as "excludedTypes" on the Configure Additional Parameters page.

So, for example, I have:

excludedTypes: top,person,organizationalPerson,inetOrgPerson,shadowAccount,simpleSecurityObject,dcObject,swissEduPerson

The only object type I'm interested in importing is posixAccount, however I seem to get the list of objectClasses in two different orders so I have to define both on the Map Object Types page:

"swissEduPerson,inetOrgPerson,organizationalPerson,person,top,posixAccount",posixAccount
"inetOrgPerson,swissEduPerson,organizationalPerson,person,top,posixAccount",posixAccount

The way to find out the ordering of the objectClasses is to look through the LDAP Full.xml file which you'll find in the MA's MaData folder.

HTH
http://www.wapshere.com/missmiis
November 1st, 2010 1:17pm
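As an added example (not Carol's code or the MA's), a Python script that enumerates the distinct objectClass orderings in a directory export and writes one Map Object Types line per ordering in the format quoted above, so that no ordering is missed and ends up as an unmappable-object-type discovery error. Because the layout of the MA's LDAP Full.xml is not shown in the thread, it assumes an LDIF export (ldapsearch style) instead; the sample LDIF is constructed.

```python
from collections import Counter

# Constructed LDIF export (ldapsearch style): two accounts whose objectClass
# lists differ only in order, plus the OU that holds them.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,o=123,dc=xyz
objectClass: swissEduPerson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount

dn: uid=bob,ou=people,o=123,dc=xyz
objectClass: inetOrgPerson
objectClass: swissEduPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount

dn: ou=people,o=123,dc=xyz
objectClass: top
objectClass: organizationalUnit
"""

def ldif_entries(text):
    """Yield each LDIF entry as a list of (attr, value); unfolds wrapped lines."""
    entry = []
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and entry:            # continuation of previous value
            entry[-1] = (entry[-1][0], entry[-1][1] + line[1:])
        elif not line:                                # blank line ends an entry
            if entry:
                yield entry
            entry = []
        elif not line.startswith(("#", "version:")):
            attr, _, value = line.partition(":")
            entry.append((attr.lower(), value.lstrip(": ").strip()))

def objectclass_orderings(text):
    """Count each distinct objectClass sequence exactly as the server emits it."""
    counts = Counter()
    for entry in ldif_entries(text):
        seq = tuple(v for a, v in entry if a == "objectclass")
        if seq:
            counts[seq] += 1
    return counts

def map_object_type_lines(counts, wanted):
    """One Map Object Types line per ordering, mapped to the wanted class it holds;
    classes seen only in entries with no wanted class are excludedTypes candidates."""
    mapped, leftovers = [], set()
    for seq in counts:
        targets = [c for c in seq if c in wanted]
        if targets:
            mapped.append('"%s",%s' % (",".join(seq), targets[-1]))
        else:
            leftovers.update(seq)
    return sorted(mapped), sorted(leftovers)
```

Running it over the sample with wanted={"posixAccount"} yields exactly the two lines Carol lists, and flags top and organizationalUnit as classes to exclude.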

Just to visualize Carol's configuration.

Another way to find out what objectType mapping you require is to look at the OpenLDAP schema: there you can enumerate, for a given objectType, which objectClasses belong to that type.

/Matthias
November 3rd, 2010 3:44am

Thanks a lot to both of you - I have now managed to import the objects I need with the MA.

Do I have to configure the attributes for each object manually ("Define object types" and "Configure attributes"), or is there a way to import the LDAP schema so that the attributes are added automatically?

My final task is to set up a FIM Service Management Agent, so that the users can be managed with the FIM portal/FIM web services.

Thanks again, Francis :)
November 3rd, 2010 8:10am

"Do I have to configure the attributes for each object manually"

The MA imports the OpenLDAP schema for you. The objectType specification, aka the attribute-objectType mapping within the MA, however must be done individually.

/Matthias
November 4th, 2010 2:55am

Sorry for my seemingly never-ending questions, but I'm still a bit stuck. If I search the connector space, I can inspect all the objects, and all the attributes/data I want is present. I have set up a join rule for the object type I ultimately want to manage with the FIM portal (eduPerson):

cn Direct cn
displayName Direct displayName
givenName Direct givenName
sn Direct sn
uid Direct uid

I have done the same for an inbound attribute flow. The problem is that when I do a full sync, I only get disconnectors, and none of the objects are joined. Have you got any ideas as to why this is happening?

Thanks, Francis

PS: Does anyone know what the parameter "readAnchor" means?
November 4th, 2010 8:31am

I assume you want to populate the FIM Portal (which is initially empty) with eduPersons from OpenLDAP, right? Do you configure the system with Inbound Synchronization Rules inside FIM Portal Administration or directly in the Management Agent properties? In the second case there's nothing to join, you have to project the objects first to the Metaverse and then need provisioning code to populate the FIM Portal. I'd recommend using the first way. For more information about these procedures read this.

/Matthias
November 4th, 2010 10:35am

You say you created a join rule, but do you have objects already in the metaverse to join them to? Perhaps what you want is a projection rule?

The next thing about the metaverse object type - if you use person in the metaverse it will go into the FIM portal automatically. If you've created a new object type in the metaverse (you mentioned eduPerson) then you'll need to create an inbound Sync Rule in the portal. If you're not using person in the metaverse for something else then I'd recommend just using that - you can change the default attributes as you need.

http://www.wapshere.com/missmiis
November 4th, 2010 2:38pm

Paul Loonen has just posted about how to sort the objectclasses into an ordered list on the ILM forum, which removes the problem I was talking about.
http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/8b6421a7-8a9a-4afd-80e4-8659b0cbee5d

http://www.wapshere.com/missmiis
November 5th, 2010 2:53am

Cheers guys! After changing from join to projection, I got the users synced to the FIM portal.

However, the project went through an architectural change, so I'll have to make my own MA that can communicate via SOAP. Do you recommend making a full MA, or using a connected datasource with the "Extensible Connectivity" MA?

Thanks, Francis
November 11th, 2010 6:28am
