[midPoint] ignoring attributes when LDAP connector reads schema

Brad Fardig brad.fardig at cogitogroup.com.au
Thu Oct 27 11:42:46 CEST 2016


Thanks Radovan,

I’ll have a dig around and see if I can see any errors from the connector.

Kind regards,

Brad


From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Radovan Semancik
Sent: Thursday, 27 October 2016 6:23 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] ignoring attributes when LDAP connector reads schema

 

Hi,

No, the connector does not have an option to ignore specific attributes. However, the errors may not be critical. If you are using AD, 389ds or a similar LDAP server that does not completely comply with RFCs then you will see the schema errors in the log. If these are the errors produced by the Apache Directory API then they are mostly safe to ignore (org.apache.directory package). The errors produced by the connector code are important (com.evolveum.polygon.ldap package).

There are two reasons for that. Firstly, there are broken LDAP servers that just won't comply with the standards. This is the real reason for the errors, but realistically there is nothing we can do about this. Secondly, the error handling and reporting in the Apache Directory API is not ideal. I have made some improvements in the current version of the Apache Directory API (as did other contributors). Now there is a possibility for the connector to process the errors, but the API logs the errors anyway. The Apache Directory API needs a larger re-engineering of the error handling code. But that would break API compatibility. So we (Apache Directory API committers) have agreed to postpone these fixes until after the API 1.0 release. Currently the 1.0-RC2 release is in progress, therefore we will hopefully get to fixing this issue soon ...

If you see any errors from the connector itself I would really wonder what these are. I have tested the connector with OpenLDAP (several versions), OpenDJ and 389ds. Almost the same code also applies to AD and eDirectory operations. Even though there are some schema errors, all the attributes that I have tried worked fine.




-- 
Radovan Semancik
Software Architect
evolveum.com



On 10/27/2016 08:38 AM, Brad Fardig wrote:

Hi,

Is it possible to have the LDAP connector ignore particular attributes when it is dynamically building the schema?

I have midPoint 3.4 with the LDAP connector version 1.4.2.19

I am getting errors when the schema is being retrieved. If I turn quirks mode on the errors are as shown in connector-error1.log and connector-error2.log (taken from idm.log).

With quirks mode off the error is shown in err.txt. The attribute in question here has a complex syntax that is defined in the schema but doesn’t appear to be returned by the directory as my LDAP admin tool doesn’t show the syntax either. The attribute is not used within any entries in the directory but is defined as a “may” attribute within several aux object classes.

Kind Regards,

Brad
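
The triage rule from the reply above (Apache Directory API loggers versus connector loggers), as an added example that is not part of the original thread or of midPoint. It assumes idm.log entries follow the layout `date time [subsystem] [thread] LEVEL (logger): message`; the sample lines and the class, thread and frame names in them are constructed.

```python
import re

# Assumed idm.log entry layout: date time [subsystem] [thread] LEVEL (logger): message
ENTRY = re.compile(
    r"^\d{4}-\d{2}-\d{2} \S+ \[[^\]]*\] \[[^\]]*\] "
    r"(?P<level>[A-Z]+) +\((?P<logger>[\w.$]+)\): (?P<msg>.*)$"
)
# Package prefixes named in the reply above.
API_PREFIX = "org.apache.directory"
CONNECTOR_PREFIX = "com.evolveum.polygon.ldap"

def in_package(logger, prefix):
    # Match on a package boundary so "...ldapx" is not mistaken for "...ldap".
    return logger == prefix or logger.startswith(prefix + ".")

def triage(lines):
    """Group ERROR/WARN entries by the package of the logger that emitted them."""
    buckets = {"connector": [], "directory_api": [], "other": []}
    current = None
    for line in lines:
        m = ENTRY.match(line)
        if m is None:
            # Continuation (stack trace, wrapped message) stays with its entry.
            if current is not None:
                current["detail"].append(line.rstrip())
            continue
        current = None
        if m["level"] not in ("ERROR", "WARN"):
            continue
        current = {"logger": m["logger"], "msg": m["msg"], "detail": []}
        if in_package(m["logger"], CONNECTOR_PREFIX):
            buckets["connector"].append(current)
        elif in_package(m["logger"], API_PREFIX):
            buckets["directory_api"].append(current)
        else:
            buckets["other"].append(current)
    return buckets

# Constructed sample lines; class, thread and frame names are placeholders.
SAMPLE = """\
2016-10-27 08:30:01,101 [PROVISIONING] [example-thread-1] ERROR (org.apache.directory.api.ExampleSchemaLoader): constructed: cannot resolve attribute syntax
    at constructed.Frame.one(Frame.java:1)
2016-10-27 08:30:01,140 [PROVISIONING] [example-thread-1] INFO (com.evolveum.polygon.ldap.ExampleClass): constructed: schema fetched
2016-10-27 08:30:01,200 [PROVISIONING] [example-thread-1] ERROR (com.evolveum.polygon.ldap.ExampleClass): constructed: cannot translate attribute
""".splitlines()

if __name__ == "__main__":
    for name, entries in triage(SAMPLE).items():
        print(f"{name}: {len(entries)}", [e["msg"] for e in entries])
```

Entries in the `connector` bucket are the ones the reply calls important; `directory_api` entries are the ones it describes as mostly safe to ignore.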
