[midPoint] Evolveum LDAP Connector schema reading (389-DS) - hint

Radovan Semancik radovan.semancik at evolveum.com
Wed Jun 28 17:14:21 CEST 2017


On 06/28/2017 01:02 PM, Wojciech Staszewski wrote:
> When resource schema is created or reloaded, in inetOrgPerson class attributes: sn, givenName and cn (and maybe others) have "maxOccurs" set to "unbounded" (multi-valued).
> In 389-DS these attributes are single-valued (maxOccurs=1).

That's strange. LDAP specs are quite specific about these attributes 
being multivalued. And as far as I remember they really are multivalued 
in the 389ds that I have used for the tests.

> As you can see MidPoint tries to ADD a new value instead of UPDATE existing.

And that's correct behavior for multivalue attributes. MidPoint always 
tries to add/delete multivalue attributes. We do not have any locking or 
transactions on the resource. Add/delete operations are easy to merge, 
e.g. there is only a very low chance of inconsistencies if two add 
operations are executed in parallel. However, if two replace operations 
are executed in parallel then the chance of data inconsistency is very high.

MidPoint also assumes that adding a value that is already present will 
go smoothly. And that's how LDAP is supposed to behave if permissive 
modify control is supported. If that control is supported (and properly 
declared in root DSE) then midPoint will try to use it automatically.

But as I said: the LDAP servers tend to interpret the LDAP specs quite 
liberally. So some adjustments like you have done are sometimes needed.

-- 
Radovan Semancik
Software Architect
evolveum.com
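
The merge argument in the message above, as an added example that is not part of the original e-mail and is not midPoint or connector code. It is a toy in-memory model of one multivalue attribute; all function names and sample values are hypothetical, and the OID is the one assigned to the Permissive Modify control.

```python
# Added example: toy in-memory model, not midPoint or LDAP connector code.
PERMISSIVE_MODIFY_OID = "1.2.840.113556.1.4.1413"  # Permissive Modify control

class LdapError(Exception):
    pass

def supports_permissive_modify(root_dse):
    """True if the root DSE's supportedControl lists the control."""
    return PERMISSIVE_MODIFY_OID in root_dse.get("supportedControl", [])

def apply_mod(values, op, vals, permissive=False):
    """Apply one modify operation to a multivalue attribute (a set)."""
    current, vals = set(values), set(vals)
    if op == "add":
        if not permissive and current & vals:
            raise LdapError("attributeOrValueExists (20)")
        return current | vals
    if op == "delete":
        if not permissive and vals - current:
            raise LdapError("noSuchAttribute (16)")
        return current - vals
    if op == "replace":
        return vals
    raise ValueError(op)

def run_concurrent(start, mods, permissive=False):
    """Apply mods from clients that all read `start` before any write landed."""
    state = set(start)
    for op, vals in mods:
        state = apply_mod(state, op, vals, permissive)
    return state

START = {"alice@example.com"}  # constructed sample values
# Each client wants to add one value, having read START.
ADD_MODS = [("add", {"a.smith@example.com"}), ("add", {"asmith@example.com"})]
# The same intent expressed as replace, computed from the stale snapshot.
REPLACE_MODS = [("replace", START | {"a.smith@example.com"}),
                ("replace", START | {"asmith@example.com"})]

def demo():
    """Return (state after two adds, state after two stale replaces)."""
    return run_concurrent(START, ADD_MODS), run_concurrent(START, REPLACE_MODS)

if __name__ == "__main__":
    merged, lost = demo()
    print("add + add        :", sorted(merged))
    print("replace + replace:", sorted(lost))
```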



