[midPoint] Reconciliation issue when importing from LDAP

Ivan Noris ivan.noris at evolveum.com
Mon Oct 3 16:43:22 CEST 2016


Hi Teemu,

as a workaround, can you try running import/recon with disabled
capabilities for create, update and delete?

...

 </schemaHandling>

        <capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
                <configured>
                        <!-- explicitly disable all three write capabilities -->
                        <cap:create>
                                <cap:enabled>false</cap:enabled>
                        </cap:create>
                        <cap:update>
                                <cap:enabled>false</cap:enabled>
                        </cap:update>
                        <cap:delete>
                                <cap:enabled>false</cap:enabled>
                        </cap:delete>
                </configured>
        </capabilities>
        <synchronization>
...

It should not be able to modify anything back on the resource.

We are still evaluating the situation anyway. Might be a bug in midPoint.

Regards,

Ivan


On 10/03/2016 04:12 PM, Teemu Turpeinen wrote:
> Hi Ivan
>
> Only inbound mappings have been defined.
>
>
>
> Regards,
>
> Teemu
>
>> On 03 Oct 2016, at 17:04, Ivan Noris <ivan.noris at evolveum.com> wrote:
>>
>> Hi Teemu,
>>
>> just a quick idea: do you have any outbound mappings?
>>
>> Ivan
>>
>>
>> On 10/03/2016 03:17 PM, Teemu Turpeinen wrote:
>>> Hello all
>>>
>>> I’ve been trying to configure one-way sync (inbound mappings only) of users and groups from FreeIPA (uses DS 389 as a backend) and the import seems to work, but, after importing an entry to midPoint repository, the sync engine wants to run reconciliation, which tries to pretty much delete all objectClasses and attributes from the entry in LDAP (except for inetOrgPerson, which is the mapped class).
>>>
>>> Below is some of the trace level log entries
>>>
>>> 2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Starting reconciliation of account(ID {.../resource/instance-3}nsUniqueId = [ c997d202-816c11e6-96aaa51d-384fb703 ], type 'FreeIPAAccount', object:8f2420b3-31da-4711-ad66-13de48c6d212(FreeIPA LDAP))
>>> 2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Auxiliary object class reconciliation processing account(ID {.../resource/instance-3}nsUniqueId = [ c997d202-816c11e6-96aaa51d-384fb703 ], type 'FreeIPAAccount', object:8f2420b3-31da-4711-ad66-13de48c6d212(FreeIPA LDAP))
>>> 2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Reconciliation will DELETE value of attribute {.../common/common-3}auxiliaryObjectClass: {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}ipaObject because it is not given
>>> 2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Checking existence for DELETE of value {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}ipaObject in existing detla: null
>>> 2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Reconciliation will DELETE value of attribute {.../common/common-3}auxiliaryObjectClass: {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}ipaSshUser because it is not given
>>>
>>> 2016-10-03 12:40:13,988 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Removing attribute {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}ipaSshPubKey because it is in the deleted object class {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}ipaSshUser and it is not defined by any current object class for account(ID {.../resource/instance-3}nsUniqueId = [ c997d202-816c11e6-96aaa51d-384fb703 ], type 'FreeIPAAccount', object:8f2420b3-31da-4711-ad66-13de48c6d212(FreeIPA LDAP))
>>> 2016-10-03 12:40:13,988 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Removing attribute {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}krbLastSuccessfulAuth because it is in the deleted object class {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}krbPrincipalAux and it is not defined by any current object class for account(ID {.../resource/instance-3}nsUniqueId = [ c997d202-816c11e6-96aaa51d-384fb703 ], type 'FreeIPAAccount', object:8f2420b3-31da-4711-ad66-13de48c6d212(FreeIPA LDAP))
>>>
>>> ...
>>>
>>> How should one import just certain attributes from LDAP without midPoint trying to write anything back? The entries in LDAP may have a lot of objectClasses (a user normally has 14) and attributes, but only a subset of attributes will be imported, which are all from a single objectClass. For now.
>>>
>>> midPoint version is 3.4.1.
>>>
>>>
>>>
>>> Regards,
>>>
>>>
>>> Teemu
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> -- 
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com
>>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
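A pre-flight check for the workaround above, added here as an illustration and not code from the thread or from midPoint itself: before running an import or reconciliation against a directory you only want to read from, parse the resource definition and confirm that the configured create, update and delete capabilities are all explicitly set to false. The sample resource fragment is constructed (it deliberately keeps the typo-style non-boolean value for delete so there is something to flag); the only real identifier it relies on is the capabilities-3 namespace quoted in the thread, and wrapper elements are matched by local name so the check does not depend on the document's default namespace.

```python
import xml.etree.ElementTree as ET

CAP_NS = "http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
WRITE_CAPS = ("create", "update", "delete")

# Constructed sample modelled on the fragment in the thread. The value of
# cap:enabled for delete is intentionally wrong so the check reports it.
SAMPLE_RESOURCE = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
  <capabilities>
    <configured>
      <cap:create><cap:enabled>false</cap:enabled></cap:create>
      <cap:update><cap:enabled>false</cap:enabled></cap:update>
      <cap:delete><cap:enabled>delete</cap:enabled></cap:delete>
    </configured>
  </capabilities>
</resource>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts in front of a tag."""
    return tag.rsplit("}", 1)[-1]


def configured_write_capabilities(xml_text):
    """Map each configured write capability to the text of its cap:enabled element.

    Capabilities that are not listed under <configured> are absent from the map;
    a capability listed without a cap:enabled child maps to None.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for elem in root.iter():
        if _local(elem.tag) != "configured":
            continue
        for cap in elem:
            name = _local(cap.tag)
            if cap.tag.startswith("{" + CAP_NS + "}") and name in WRITE_CAPS:
                enabled = cap.find("{%s}enabled" % CAP_NS)
                result[name] = None if enabled is None else (enabled.text or "").strip()
    return result


def check_read_only(xml_text):
    """Return a list of findings; an empty list means create/update/delete are all disabled."""
    caps = configured_write_capabilities(xml_text)
    findings = []
    for name in WRITE_CAPS:
        if name not in caps:
            findings.append(f"{name}: not configured, so the connector's native capability stays in effect")
        elif caps[name] is None:
            findings.append(f"{name}: listed without a cap:enabled element")
        elif caps[name] == "true":
            findings.append(f"{name}: explicitly enabled")
        elif caps[name] != "false":
            findings.append(f"{name}: cap:enabled has non-boolean value {caps[name]!r}")
    return findings


if __name__ == "__main__":
    for finding in check_read_only(SAMPLE_RESOURCE) or ["resource is configured read-only"]:
        print(finding)
```

Run it against the real resource XML (for example the file you import into midPoint) by passing its contents to check_read_only; an empty result is the state you want before letting reconciliation loose on a directory whose entries carry object classes midPoint does not know about.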
