[midPoint] OpenLDAP - Cannot modify user UID or role CN

Ivan Noris ivan.noris at evolveum.com
Mon Jan 8 12:31:33 CET 2024


Hi Luca,

please check that your outbound mappings for uid (for accounts) and cn 
(for groups) are weak. I think that should do the trick. The DN will be 
changed via the other mapping, and changing uid or cn won't work because 
it has already been changed by OpenLDAP internally. A weak mapping will 
work only when the account is created (and there is no other value of uid).

See example in 
https://github.com/Evolveum/midpoint-samples/blob/63de97c300aad96027cc082b403d4aed8236b713/samples/resources/openldap/openldap-localhost-medium.xml#L230

Best regards,

Ivan

On 5. 1. 2024 11:27, Luca Verardo via midPoint wrote:
> Dear community,
>
> I'm in the process of re-creating my OpenLDAP resource using the new 
> wizard UI. The basic operations are working correctly and also 
> synchronized correctly.
> However, when I try to rename a user, midPoint gives the following 
> error:
>
>     Error modifying LDAP entry
>     uid=test-user-rename,ou=People,dc=CORP,dc=org:
>     [add:uid=test-user-rename,remove:uid=test-user,]: noSuchAttribute:
>     (16)
>
>
> Where 'test-user' is the old username, and 'test-user-rename' is the 
> new username. I tried to play with the permissive modify setting of 
> the resource. When it is set to never, midPoint will complain that the 
> entry already exists. If set to auto or always, it gives the error 
> mentioned above.
>
> The same problem arises when trying to rename a role (which is bound 
> to an OpenLDAP groupOfNames).
>
> Maybe it's wrong, but I think that the reason behind this error is 
> that midPoint will try to query the LDAP server with the new UID 
> instead of the old one. However, it may totally be something else, I'm 
> not sure.
>
> Could someone help me to solve this issue? You can find below my 
> OpenLDAP resource configuration.
> Thanks a lot in advance!
>
-- 

Best Regards,

*Ivan Noris* | Expert Identity Engineer

<https://evolveum.com/>
ivan.noris at evolveum.com | www.evolveum.com <http://www.evolveum.com/>
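
The mapping arrangement described in the reply above, sketched as a schemaHandling fragment for accounts; this is an added illustration, not part of the original message and not copied from the linked sample or from Luca's resource. Assumptions: the inetOrgPerson object class, `$focus/name` as the source of both mappings, and the `ou=People,dc=CORP,dc=org` suffix taken from the quoted error. The same pattern applies to cn on the group object type.

```xml
<!-- Added example: account mappings for an OpenLDAP resource in midPoint.
     Object class, intent and source path are assumptions for illustration. -->
<schemaHandling xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <objectClass>ri:inetOrgPerson</objectClass>

        <!-- DN mapping with default (normal) strength. When the user's name
             changes, the DN is recomputed and the rename is carried out
             through this mapping. OpenLDAP then updates the uid naming
             attribute itself as part of the rename. -->
        <attribute>
            <ref>ri:dn</ref>
            <outbound>
                <source>
                    <path>$focus/name</path>
                </source>
                <expression>
                    <script>
                        <code>basic.composeDnWithSuffix('uid', name, 'ou=People,dc=CORP,dc=org')</code>
                    </script>
                </expression>
            </outbound>
        </attribute>

        <!-- uid mapping marked weak. It supplies a value only when the
             account has none (at creation), so a rename does not produce a
             second change that removes the old uid and adds the new one
             after the server has already replaced it. -->
        <attribute>
            <ref>ri:uid</ref>
            <outbound>
                <strength>weak</strength>
                <source>
                    <path>$focus/name</path>
                </source>
            </outbound>
        </attribute>
    </objectType>
</schemaHandling>
```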