[midPoint] Midpoint 3.4.1 389ds LDAP import error because users have many objectClasses

Ivan Noris ivan.noris at evolveum.com
Tue Nov 22 11:37:07 CET 2016


Hi,

I think you may need to specify object classes that are auxiliary in
schema handling...

e.g.:

        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <displayName>Account</displayName>
            <objectClass>ri:inetOrgPerson</objectClass>
            <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
            <auxiliaryObjectClass>ri:shadowAccount</auxiliaryObjectClass>

...

Not sure if you can "ignore" the attributes during synchronization, but
maybe someone else knows.

Regards,

Ivan


On 11/22/2016 11:06 AM, Wojciech Staszewski wrote:
> Hello,
>
> I have some problems with initial users import from my 389ds LDAP.
> Most of users have objectClasses:
>
>       <generationConstraints>
>          <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
>          <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
>          <generateObjectClass>ri:groupOfNames</generateObjectClass>
>          <generateObjectClass>ri:organizationalUnit</generateObjectClass>
>          <generateObjectClass>ri:inetUser</generateObjectClass>
>          <generateObjectClass>ri:shadowAccount</generateObjectClass>
>          <generateObjectClass>ri:sambaSamAccount</generateObjectClass>
>          <generateObjectClass>ri:posixAccount</generateObjectClass>
>          <generateObjectClass>ri:posixGroup</generateObjectClass>
>          <generateObjectClass>ri:top</generateObjectClass>
>          <generateObjectClass>ri:person</generateObjectClass>
>          <generateObjectClass>ri:organizationalPerson</generateObjectClass>
>          <generateObjectClass>ri:mozillaAbPersonAlpha</generateObjectClass>
>       </generationConstraints>
>
> Accounts having only the "inetOrgPerson" objectClass (for example special
> accounts for some services) were imported and linked correctly.
> At this moment I have 41 correctly linked accounts from about 6000.
> Import of the rest ends with the error quoted below and the accounts remain
> "UNLINKED":
>
> Schema violation during processing shadow: shadow:
> uid=XXXXX,ou=People,dc=YYYYY,dc=ZZ 
> (OID:000354a4-fe05-41de-81f1-4a5fdeb9928b): Schema violation: Invalid
> attribute:
> org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error
> modifying LDAP entry uid=XXXXXX,ou=People,dc=YYYYY,dc=ZZ:
> [remove:sambaPwdLastSet: 0,remove:sambaPwdCanChange:
> 0,remove:sambaLogonTime: 2147483647,remove:sambaKickoffTime:
> 2147483647,remove:homeDirectory: /home/XXXXXX,remove:sambaAcctFlags: [U
> ],remove:uidNumber: 1587,remove:objectClass: inetUser?objectClass:
> posixAccount?objectClass: sambaSamAccount,remove:sambaSID:
> -4174,remove:sambaLogoffTime: 2147483647,remove:sambaPwdMustChange:
> 2147483647,remove:gidNumber: 1463,]: objectClassViolation: attribute
> "memberOf" not allowed? (65)): Schema violation during processing
> shadow: shadow: uid=XXXXXX,ou=People,dc=YYYYY,dc=ZZ
> (OID:000354a4-fe05-41de-81f1-4a5fdeb9928b): Schema violation: Invalid
> attribute:
> org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error
> modifying LDAP entry uid=XXXXXX,ou=People,dc=YYYYY,dc=ZZ:
> [remove:sambaPwdLastSet: 0,remove:sambaPwdCanChange:
> 0,remove:sambaLogonTime: 2147483647,remove:sambaKickoffTime:
> 2147483647,remove:homeDirectory: /home/XXXXXX,remove:sambaAcctFlags: [U
> ],remove:uidNumber: 1587,remove:objectClass: inetUser?objectClass:
> posixAccount?objectClass: sambaSamAccount,remove:sambaSID:
> -4174,remove:sambaLogoffTime: 2147483647,remove:sambaPwdMustChange:
> 2147483647,remove:gidNumber: 1463,]: objectClassViolation: attribute
> "memberOf" not allowed? (65)): Schema violation during processing
> shadow: shadow: uid=XXXXXX,ou=People,dc=YYYYY,dc=ZZ
> (OID:000354a4-fe05-41de-81f1-4a5fdeb9928b): Schema violation: Invalid
> attribute:
> org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error
> modifying LDAP entry uid=XXXXXX,ou=People,dc=YYYYY,dc=ZZ:
> [remove:sambaPwdLastSet: 0,remove:sambaPwdCanChange:
> 0,remove:sambaLogonTime: 2147483647,remove:sambaKickoffTime:
> 2147483647,remove:homeDirectory: /home/XXXXXX,remove:sambaAcctFlags: [U
> ],remove:uidNumber: 1587,remove:objectClass: inetUser?objectClass:
> posixAccount?objectClass: sambaSamAccount,remove:sambaSID:
> -4174,remove:sambaLogoffTime: 2147483647,remove:sambaPwdMustChange:
> 2147483647,remove:gidNumber: 1463,]: objectClassViolation: attribute
> "memberOf" not allowed? (65)): Schema violation during processing
> shadow: shadow: uid=XXXXXX,ou=People,dc=YYYYY,dc=ZZ
> (OID:000354a4-fe05-41de-81f1-4a5fdeb9928b): Schema violation: Invalid
> attribute:
> org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error
> modifying LDAP entry uid=XXXXXX,ou=People,dc=YYYYY,dc=ZZ:
> [remove:sambaPwdLastSet: 0,remove:sambaPwdCanChange:
> 0,remove:sambaLogonTime: 2147483647,remove:sambaKickoffTime:
> 2147483647,remove:homeDirectory: /home/XXXXXX,remove:sambaAcctFlags: [U
> ],remove:uidNumber: 1587,remove:objectClass: inetUser?objectClass:
> posixAccount?objectClass: sambaSamAccount,remove:sambaSID:
> -4174,remove:sambaLogoffTime: 2147483647,remove:sambaPwdMustChange:
> 2147483647,remove:gidNumber: 1463,]: objectClassViolation: attribute
> "memberOf" not allowed? (65))
>
> How to tell Midpoint to ignore these objectClasses and attributes?
> Thanks.
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
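
Added example, not part of the thread and not midPoint or connector code: a small parser for the modification list in the error quoted above, which pulls out the object classes the rejected change was removing (candidates for the `auxiliaryObjectClass` entries suggested in the reply) and the attribute the server refused. It assumes the log format exactly as quoted, including `?` as the separator between values; the function names are hypothetical.

```python
import re

# Constructed sample: one copy of the error quoted in the thread,
# unwrapped onto a single line.
SAMPLE_ERROR = (
    'Error modifying LDAP entry uid=XXXXXX,ou=People,dc=YYYYY,dc=ZZ: '
    '[remove:sambaPwdLastSet: 0,remove:sambaPwdCanChange: 0,'
    'remove:sambaLogonTime: 2147483647,remove:sambaKickoffTime: 2147483647,'
    'remove:homeDirectory: /home/XXXXXX,remove:sambaAcctFlags: [U ],'
    'remove:uidNumber: 1587,remove:objectClass: inetUser?objectClass: '
    'posixAccount?objectClass: sambaSamAccount,remove:sambaSID: -4174,'
    'remove:sambaLogoffTime: 2147483647,remove:sambaPwdMustChange: 2147483647,'
    'remove:gidNumber: 1463,]: objectClassViolation: attribute "memberOf" not allowed? (65))'
)

OPS = r"(?:add|remove|replace)"


def parse_modifications(error):
    """Return (operation, attribute, values) for each item in the bracketed list."""
    start = re.search(r"\[(?=" + OPS + ":)", error).end()
    end = error.index(",]:", start)  # list terminator as it appears in the log
    mods = []
    for item in re.split(r",(?=" + OPS + ":)", error[start:end]):
        op, rest = item.split(":", 1)
        attr, _, first = rest.partition(": ")
        # Assumption: further values repeat as "?<attr>: <value>", as in the quoted log.
        values = re.split(r"\?" + re.escape(attr) + ": ", first)
        mods.append((op, attr, values))
    return mods


def auxiliary_candidates(error):
    """Object classes the rejected modification tried to remove from the entry."""
    return [v for op, attr, vals in parse_modifications(error)
            if op == "remove" and attr == "objectClass" for v in vals]


def rejected_attribute(error):
    m = re.search(r'attribute "([^"]+)" not allowed', error)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("server rejected attribute:", rejected_attribute(SAMPLE_ERROR))
    for oc in auxiliary_candidates(SAMPLE_ERROR):
        print(f"<auxiliaryObjectClass>ri:{oc}</auxiliaryObjectClass>")
```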
