[midPoint] Evolveum LDAP Connector schema reading (389-DS) - hint
Radovan Semancik
radovan.semancik at evolveum.com
Wed Jun 28 17:14:21 CEST 2017
On 06/28/2017 01:02 PM, Wojciech Staszewski wrote:
> When resource schema is created or reloaded, in inetOrgPerson class attributes: sn, givenName and cn (and maybe others) have "maxOccurs" set to "unbounded" (multi-valued).
> In 389-DS these attributes are single-valued (maxOccurs=1).
That's strange. LDAP specs are quite specific about these attributes
being multivalued. And as far as I remember they really are multivalued
in the 389ds that I have used for the tests.
> As you can see MidPoint tries to ADD a new value instead of UPDATE existing.
And that's correct behavior for multivalue attributes. MidPoint always
tries to add/delete multivalue attributes. We do not have any locking or
transactions on the resource. Add/delete operations are easy to merge,
e.g. there is only a very low chance of inconsistencies if two add
operations are executed in parallel. However, if two replace operations
are executed in parallel then the chance of data inconsistency is very high.
MidPoint also assumes that adding a value that is already present will
go smoothly. And that's how LDAP is supposed to behave if permissive
modify control is supported. If that control is supported (and properly
declared in root DSE) then midPoint will try to use it automatically.
But as I said: the LDAP servers tend to interpret the LDAP specs quite
liberally. So some adjustments like you have done are sometimes needed.
--
Radovan Semancik
Software Architect
evolveum.com
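
Added example (not part of the original message and not midPoint or connector code): an in-memory model of one multi-valued LDAP attribute, showing why parallel add operations merge to a single result while parallel replace operations lose a value, and how a permissive modify changes the outcome of adding a value that is already present. The function names and the scenario data are assumptions made for this illustration.

```python
# Added illustration: an in-memory model of one multi-valued LDAP attribute.
# It does not talk to a real server; all names here are hypothetical.
from itertools import permutations

ATTRIBUTE_OR_VALUE_EXISTS = 20  # LDAP result code: added value already present
NO_SUCH_ATTRIBUTE = 16          # LDAP result code: deleted value not present


class LdapError(Exception):
    def __init__(self, code):
        super().__init__(f"LDAP result code {code}")
        self.code = code


def modify(values, op, vals, permissive=False):
    """Apply one modification to a set of attribute values; return the new set."""
    vals = set(vals)
    if op == "add":
        if not permissive and values & vals:
            raise LdapError(ATTRIBUTE_OR_VALUE_EXISTS)
        return values | vals
    if op == "delete":
        if not permissive and not vals <= values:
            raise LdapError(NO_SUCH_ATTRIBUTE)
        return values - vals
    if op == "replace":
        return vals
    raise ValueError(op)


def outcomes(initial, ops, permissive=False):
    """Every final state reachable over all orderings of the given operations."""
    results = set()
    for order in permutations(ops):
        values = set(initial)
        try:
            for op, vals in order:
                values = modify(values, op, vals, permissive)
            results.add(frozenset(values))
        except LdapError as e:
            results.add(f"error {e.code}")
    return results


# Constructed scenario: two writers each want to add one value to {"a"}.
ADDS = [("add", {"b"}), ("add", {"c"})]
# The same intent sent as replace, each computed from a stale read of {"a"}.
REPLACES = [("replace", {"a", "b"}), ("replace", {"a", "c"})]
```

With the add operations every ordering ends in the same value set; with the replace operations the result depends on which writer arrives last.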