[midPoint] Adding new posixaccount attributes

Shawn McKinney smckinney at symas.com
Tue Mar 1 16:34:17 CET 2016


Below is a log trace captured from the slapd daemon during the update operation.  It shows the LDAP operation attempting to replace a number of the posixAccount attributes.  Missing is the objectClass attribute for posixAccount.

     [exec] 56d5b47a => acl_mask: access to entry "uid=foo3,ou=People,dc=example,dc=com", attr "homeDirectory" requested
     [exec] 56d5b47a => acl_mask: to value by "cn=idm,ou=administrators,dc=example,dc=com", (=0) 
     [exec] 56d5b47a <= check a_dn_pat: cn=idm,ou=administrators,dc=example,dc=com
     [exec] 56d5b47a <= acl_mask: [1] applying write(=wrscxd) (stop)
     [exec] 56d5b47a <= acl_mask: [1] mask: write(=wrscxd)
     [exec] 56d5b47a => slap_access_allowed: add access granted by write(=wrscxd)
     [exec] 56d5b47a => access_allowed: add access granted by write(=wrscxd)
     [exec] 56d5b47a acl: internal mod entryCSN: modify access granted
     [exec] 56d5b47a acl: internal mod modifiersName: modify access granted
     [exec] 56d5b47a acl: internal mod modifyTimestamp: modify access granted
     [exec] 56d5b47a mdb_modify_internal: replace uidNumber
     [exec] 56d5b47a mdb_modify_internal: replace loginShell
     [exec] 56d5b47a mdb_modify_internal: replace gecos
     [exec] 56d5b47a mdb_modify_internal: replace gidNumber
     [exec] 56d5b47a mdb_modify_internal: replace homeDirectory
     [exec] 56d5b47a mdb_modify_internal: replace entryCSN
     [exec] 56d5b47a mdb_modify_internal: replace modifiersName
     [exec] 56d5b47a mdb_modify_internal: replace modifyTimestamp
     [exec] 56d5b47a oc_check_required entry (uid=foo3,ou=People,dc=example,dc=com), objectClass "inetOrgPerson"
     [exec] 56d5b47a oc_check_allowed type "uid"
     [exec] 56d5b47a oc_check_allowed type "ou"
     [exec] 56d5b47a oc_check_allowed type "objectClass"
     [exec] 56d5b47a oc_check_allowed type "description"
     [exec] 56d5b47a oc_check_allowed type "givenName"
     [exec] 56d5b47a oc_check_allowed type "sn"
     [exec] 56d5b47a oc_check_allowed type "cn"
     [exec] 56d5b47a oc_check_allowed type "structuralObjectClass"
     [exec] 56d5b47a oc_check_allowed type "entryUUID"
     [exec] 56d5b47a oc_check_allowed type "creatorsName"
     [exec] 56d5b47a oc_check_allowed type "createTimestamp"
     [exec] 56d5b47a oc_check_allowed type "userPassword"
     [exec] 56d5b47a oc_check_allowed type "pwdChangedTime"
     [exec] 56d5b47a oc_check_allowed type "pwdHistory"
     [exec] 56d5b47a oc_check_allowed type "uidNumber"
     [exec] 56d5b47a Entry (uid=foo3,ou=People,dc=example,dc=com), attribute 'uidNumber' not allowed
     [exec] 56d5b47a entry failed schema check: attribute 'uidNumber' not allowed
     [exec] 56d5b47a mdb_modify: modify failed (65)
     [exec] 56d5b47a send_ldap_result: conn=1000 op=8 p=3
     [exec] 56d5b47a send_ldap_result: err=65 matched="" text="attribute 'uidNumber' not allowed"
     [exec] 56d5b47a slap_queue_csn: queueing 0x7f5c40117e40 20160301152546.874456Z#000000#000#000000

Shawn

> On Mar 1, 2016, at 9:12 AM, Shawn McKinney <smckinney at symas.com> wrote:
> 
> Hello,
> 
> We are using midpoint 3.3 and this LDAP connector (latest as of a couple of weeks ago):
> 
>    <name>ICF com.evolveum.polygon.connector.ldap.LdapConnector v1.4.3.0-SNAPSHOT</name>
> 
> The current task is to manage rfc2307bis posixAccount attributes from within the midpoint console.  These attributes correspond with an auxiliary object class in the LDAP entry.
> 
> The resource schema definition excerpt can be found below.  Not the entire definition, but enough to show you how we're handling the aux object class posixAccount.
> 
> I’ve also extended the midpoint schema xsd file so the new attributes will show up in the console. 
> 
> Everything works fine when operating on LDAP objects that already have the posixAccount aux objectClass attribute (i.e. prepopulated from the start).  But when I try to add the attributes to an LDAP entry that has not already been prepopulated with the aux objectClass (and the corresponding must-have attributes) I get this error:
> 
> "Schema violation during processing shadow: shadow: uid=foo2,ou=People,dc=example,dc=com (OID:afc71094-be90-40eb-9df9-da939145c65c): Schema violation: Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error modifying entry uid=foo2,ou=People,dc=example,dc=com: attribute 'uidNumber' not allowed)->org.apache.directory.api.ldap.model.exception.LdapSchemaViolationException(attribute 'uidNumber' not allowed)"
> 
> The error tells us midpoint is attempting to add these attributes without including the attribute for the aux object class itself:
> 
> objectClass: posixAccount
> 
> Without this attribute being included in the add operation, of course it will fail.  My question: how do I compel the midpoint operation to include the necessary object class attribute when newly populating LDAP objects?
> 
> Thanks in advance for your help,
> 
> Shawn
> 
> 
> ** Begin schema reference ***
> 
> 	<schemaHandling>
> 		<objectType>
> 			<kind>account</kind>
> 			<displayName>Normal Account</displayName>
> 			<default>true</default>
> 			<objectClass>ri:inetOrgPerson</objectClass>
> 			<auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
> 
> 			<attribute>
> 				<c:ref>ri:homeDirectory</c:ref>
> 				<displayName>Home Directory</displayName>
> 				<limitations>
> 					<maxOccurs>1</maxOccurs>
> 				</limitations>
> 				<outbound>
> 					<source>
> 						<path>$user/extension/homeDirectory</path>
> 					</source>
> 				</outbound>
> 				<inbound>
> 					<target>
> 						<path>$user/extension/homeDirectory</path>
> 					</target>
> 				</inbound>
> 			</attribute>
> 
> 			<attribute>
> 				<c:ref>ri:loginShell</c:ref>
> 				<displayName>Login Shell</displayName>
> 				<limitations>
> 					<maxOccurs>1</maxOccurs>
> 				</limitations>
> 				<outbound>
> 					<source>
> 						<path>$user/extension/loginShell</path>
> 					</source>
> 				</outbound>
> 				<inbound>
> 					<target>
> 						<path>$user/extension/loginShell</path>
> 					</target>
> 				</inbound>
> 			</attribute>
> 
> 			<attribute>
> 				<c:ref>ri:gecos</c:ref>
> 				<displayName>Gecos</displayName>
> 				<limitations>
> 					<maxOccurs>1</maxOccurs>
> 				</limitations>
> 				<outbound>
> 					<source>
> 						<path>$user/extension/gecos</path>
> 					</source>
> 				</outbound>
> 				<inbound>
> 					<target>
> 						<path>$user/extension/gecos</path>
> 					</target>
> 				</inbound>
> 			</attribute>
> 
> 			<attribute>
> 				<c:ref>ri:uidNumber</c:ref>
> 				<displayName>UserId Number</displayName>
> 				<limitations>
> 					<maxOccurs>1</maxOccurs>
> 				</limitations>
> 				<outbound>
> 					<source>
> 						<path>$user/extension/uidNumber</path>
> 					</source>
> 				</outbound>
> 				<inbound>
> 					<target>
> 						<path>$user/extension/uidNumber</path>
> 					</target>
> 				</inbound>
> 			</attribute>
> 
> 			<attribute>
> 				<c:ref>ri:gidNumber</c:ref>
> 				<displayName>GroupId Number</displayName>
> 				<limitations>
> 					<maxOccurs>1</maxOccurs>
> 				</limitations>
> 				<outbound>
> 					<source>
> 						<path>$user/extension/gidNumber</path>
> 					</source>
> 				</outbound>
> 				<inbound>
> 					<target>
> 						<path>$user/extension/gidNumber</path>
> 					</target>
> 				</inbound>
> 			</attribute>
> 
>                      ….
> 
> ** End schema reference ***
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
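The slapd trace above shows the two checks that decide the outcome: oc_check_required (every MUST attribute of every objectClass present) followed by oc_check_allowed (every non-operational attribute permitted by some objectClass), and a modify that adds posixAccount attributes without adding the posixAccount objectClass fails the second check with err=65. The following is an added example, not code from midPoint, the LDAP connector or OpenLDAP, that models those two checks over a small constructed schema excerpt and replays the modify from the log against a constructed uid=foo3 entry, once as logged, once with objectClass: posixAccount included, and once with the objectClass but a MUST attribute missing. The schema excerpt (trimmed MAY lists, posixAccount per RFC 2307bis), the entry contents and all attribute values are assumptions made for the example.

```python
"""Toy model of the slapd schema check seen in the log trace above.

Constructed example: not OpenLDAP, midPoint or connector code. The schema
excerpt below is deliberately trimmed; posixAccount follows RFC 2307bis.
"""

# Simplified schema: objectClass -> superior class, MUST set, MAY set (assumption).
SCHEMA = {
    "top": {"sup": None, "must": {"objectClass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userPassword", "description"}},
    "organizationalPerson": {"sup": "person", "must": set(), "may": {"ou", "title"}},
    "inetOrgPerson": {"sup": "organizationalPerson", "must": set(),
                      "may": {"uid", "givenName", "mail"}},
    "posixAccount": {"sup": "top",
                     "must": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     "may": {"userPassword", "loginShell", "gecos", "description"}},
}

# Operational attributes slapd maintains itself; exempt from the objectClass check.
OPERATIONAL = {"entryCSN", "entryUUID", "modifiersName", "modifyTimestamp",
               "creatorsName", "createTimestamp", "structuralObjectClass",
               "pwdChangedTime", "pwdHistory"}

OBJECT_CLASS_VIOLATION = 65  # LDAP result code reported in the trace (err=65)


class SchemaViolation(Exception):
    """Raised with text in the style of slapd's schema-check messages."""


def _chain(oc):
    """Yield oc and all of its superior classes up to 'top'."""
    while oc is not None:
        yield oc
        oc = SCHEMA[oc]["sup"]


def must_and_may(object_classes):
    """Collect the MUST and MAY attribute sets over all listed classes and their superiors."""
    must, may = set(), set()
    for oc in object_classes:
        for cls in _chain(oc):
            must |= SCHEMA[cls]["must"]
            may |= SCHEMA[cls]["may"]
    return must, may


def apply_mods(entry, mods):
    """Apply LDAP modify operations (op, attr, values) to a copy of entry (attr -> set of values)."""
    new = {attr: set(values) for attr, values in entry.items()}
    for op, attr, values in mods:
        if op == "replace":
            new[attr] = set(values)
        elif op == "add":
            new.setdefault(attr, set()).update(values)
        elif op == "delete":
            if not values:
                new.pop(attr, None)
            elif attr in new:
                new[attr] -= set(values)
                if not new[attr]:
                    del new[attr]
        else:
            raise ValueError(f"unknown modify op {op!r}")
    return new


def check_schema(entry):
    """oc_check_required then oc_check_allowed; raise SchemaViolation on the first failure."""
    must, may = must_and_may(entry.get("objectClass", set()))
    for oc in entry.get("objectClass", set()):
        for attr in SCHEMA[oc]["must"]:
            if attr not in entry:
                raise SchemaViolation(f"object class '{oc}' requires attribute '{attr}'")
    for attr in entry:
        if attr in OPERATIONAL:
            continue
        if attr not in must and attr not in may:
            raise SchemaViolation(f"attribute '{attr}' not allowed")
    return True


def modify(entry, mods):
    """Simulate mdb_modify: apply, then schema-check. Returns (err, text, new_entry_or_None)."""
    try:
        new = apply_mods(entry, mods)
        check_schema(new)
        return 0, "", new
    except SchemaViolation as exc:
        return OBJECT_CLASS_VIOLATION, str(exc), None


# Constructed entry mirroring uid=foo3 from the trace: inetOrgPerson only, no posixAccount.
FOO3 = {"objectClass": {"inetOrgPerson"}, "uid": {"foo3"}, "cn": {"Foo Three"},
        "sn": {"Three"}, "ou": {"People"}}

# The replace operations exactly as listed in the trace (values are constructed).
MODS_FROM_LOG = [("replace", "uidNumber", ["1003"]),
                 ("replace", "loginShell", ["/bin/bash"]),
                 ("replace", "gecos", ["Foo Three"]),
                 ("replace", "gidNumber", ["100"]),
                 ("replace", "homeDirectory", ["/home/foo3"])]

# The same modify with the auxiliary objectClass added in the same operation.
MODS_WITH_AUX = [("add", "objectClass", ["posixAccount"])] + MODS_FROM_LOG

# Aux class added but one MUST attribute (gidNumber) left out.
MODS_MISSING_MUST = [m for m in MODS_WITH_AUX if m[1] != "gidNumber"]

if __name__ == "__main__":
    for label, mods in [("as logged", MODS_FROM_LOG),
                        ("with objectClass", MODS_WITH_AUX),
                        ("missing gidNumber", MODS_MISSING_MUST)]:
        err, text, _ = modify(FOO3, mods)
        print(f"{label:18s} err={err} text={text!r}")
```

Replaying the logged modify reproduces `err=65 text="attribute 'uidNumber' not allowed"`; the same modify with `add: objectClass posixAccount` in the same LDAP operation passes, and adding the class without all of its MUST attributes fails the required-attribute check instead. The practical consequence for the provisioning side is that the objectClass value and all of the aux class's MUST attributes have to travel in one modify request, since slapd checks the entry as a whole after applying every change in the request.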