[midPoint] Reconciliation issue when importing from LDAP

Teemu Turpeinen teemu at mintsecurity.fi
Wed Oct 5 10:39:41 CEST 2016 

Created issue MID-3449



Regards,


Teemu


On 3 October 2016 at 18:21:58, Ivan Noris (ivan.noris at evolveum.com) wrote:

Yes, that's when midPoint tries to execute disabled operation.

Unless you get some answers from my coleagues I suggest you to create a issue for this problem.

Regards,

Ivan


On 10/03/2016 04:58 PM, Teemu Turpeinen wrote:
Hello.

I actually tried disabling the capabilities earlier today, but receive a different kind of error then:

"Internal error: java.lang.UnsupportedOperationException: Resource does not support 'update’ operation”



Regards,

Teemu


On 3 October 2016 at 17:48:19, Ivan Noris (ivan.noris at evolveum.com) wrote:

Sorry, typo; the capability for delete should also be false:

...

 </schemaHandling>

                <capabilities
xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
                        <configured>
                                <cap:create>
                                        <cap:enabled>false</cap:enabled>
                                </cap:create>
                                <cap:update>
                                        <cap:enabled>false</cap:enabled>
                                </cap:update>
                                <cap:delete>
                                        <cap:enabled>false</cap:enabled>
                                </cap:delete>
                        </configured>
                </capabilities>
        <synchronization>
...

On 10/03/2016 04:43 PM, Ivan Noris wrote:
Hi Teemu,

as an workaround, can you try running import/recon with disabled
capabilities for create, update and delete?

...

 </schemaHandling>

                <capabilities
xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
                        <configured>
                                <cap:create>
                                        <cap:enabled>false</cap:enabled>
                                </cap:create>
                                <cap:update>
                                        <cap:enabled>false</cap:enabled>
                                </cap:update>
                                <cap:delete>
                                        <cap:enabled>delete</cap:enabled>
                                </cap:delete>
                        </configured>
                </capabilities>
        <synchronization>
...

It should not be able to modify anything back on the resource.

We are still evaluating the situation anyway. Might be a bug in midPoint.

Regards,

Ivan


On 10/03/2016 04:12 PM, Teemu Turpeinen wrote:
Hi Ivan

Only inbound mappings have been defined.



Regards,

Teemu

On 03 Oct 2016, at 17:04, Ivan Noris <ivan.noris at evolveum.com> wrote:

Hi Teemu,

just a quick idea: do you have any outbound mappings?

Ivan


On 10/03/2016 03:17 PM, Teemu Turpeinen wrote:
Hello all

I’ve been trying to configure one way sync (inbound mappings only) of users and groups from FreeIPA (uses DS 389 as a backend) and the import seems to work, but, after importing an entry to midPoint repository, the sync engine wants to run reconciliation, which tries to pretty much delete all objectClasses and attributes from the entry in LDAP (except for inetOrgPerson, which is the mapped class).

Below is some of the trace level log entries

2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Starting reconciliation of account(ID {.../resource/instance-3}nsUniqueId = [ c997d202-816c11e6-96aaa51d-384fb703 ], type 'FreeIPAAccount', object:8f2420b3-31da-4711-ad66-13de48c6d212(FreeIPA LDAP))
2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Auxiliary object class reconciliation processing account(ID {.../resource/instance-3}nsUniqueId = [ c997d202-816c11e6-96aaa51d-384fb703 ], type 'FreeIPAAccount', object:8f2420b3-31da-4711-ad66-13de48c6d212(FreeIPA LDAP))
2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Reconciliation will DELETE value of attribute {.../common/common-3}auxiliaryObjectClass: {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}ipaObject because it is not given
2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Checking existence for DELETE of value {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}ipaObject in existing detla: null
2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Reconciliation will DELETE value of attribute {.../common/common-3}auxiliaryObjectClass: {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}ipaSshUser because it is not given

…

2016-10-03 12:40:13,988 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Removing attribute {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}ipaSshPubKey because it is in the deleted object class {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}ipaSshUser and it is not defined by any current object class for account(ID {.../resource/instance-3}nsUniqueId = [ c997d202-816c11e6-96aaa51d-384fb703 ], type 'FreeIPAAccount', object:8f2420b3-31da-4711-ad66-13de48c6d212(FreeIPA LDAP))
2016-10-03 12:40:13,988 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Removing attribute {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}krbLastSuccessfulAuth because it is in the deleted object class {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}krbPrincipalAux and it is not defined by any current object class for account(ID {.../resource/instance-3}nsUniqueId = [ c997d202-816c11e6-96aaa51d-384fb703 ], type 'FreeIPAAccount', object:8f2420b3-31da-4711-ad66-13de48c6d212(FreeIPA LDAP))

...

How should one import just certain attributes from LDAP without midPoint trying to write anything back? The entries in LDAP may have a lot of objectClasses (a user normally has 14) and attributes, but only a subset of attributes will be imported, which are all from a single objectClass. For now.

midPoint version is 3.4.1.



Regards,


Teemu

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
--   
Ivan Noris
Senior Identity Engineer
evolveum.com

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint

 --   
Ivan Noris
Senior Identity Engineer
evolveum.com
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint

--  
Ivan Noris
Senior Identity Engineer
evolveum.com
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161005/5eff9926/attachment.htm>

More information about the midPoint mailing list