[midPoint] Evolveum LDAP Connector schema reading (389-DS) - hint
Wojciech Staszewski
wojciech.staszewski at diagnostyka.pl
Wed Jun 28 18:52:42 CEST 2017
You are right. I changed these values in LDAP by hand (ldapmodify) and
it works.
So - my previous mail is false.
But what in that case causing the errors?...
W dniu 28.06.2017 o 17:14, Radovan Semancik pisze:
> On 06/28/2017 01:02 PM, Wojciech Staszewski wrote:
>> When resource schema is created or reloaded, in inetOrgPerson class
>> attributes: sn, givenName and cn (and maybe others) have "maxOccurs"
>> set to "unbounded" (multi-valued).
>> In 389-DS these attributes are single-valued (maxOccurs=1).
>
> That's strange. LDAP specs are quite specific about these attributes
> being multivalued. And as far as I remember they really are
> multivalued in the 389ds that I have used for the tests.
>
>> As you can see MidPoint tries to ADD a new value instead UPDATE
>> existing.
>
> And that's correct behavior for multivalue attributes. MidPoint always
> tries to add/delete multivalue attributes. We do not have any locking
> or transactions on the resource. Add/delete operations are easy to
> merge, e.g. there is is only a very low chance of inconsistencies if
> two add operations are executed in parallel. However, if two replace
> operations are executed in parallel then the chance of data
> inconsistency is very high.
>
> MidPoint also assumes that adding a value that is already present will
> go smoothly. And that's how LDAP is supposed to behave if permissive
> modify control is supported. If that control is supported (and
> properly declared in root DSE) then midPoint will try to use it
> automatically.
>
> But as I said: the LDAP servers tend to interpret the LDAP specs quite
> liberally. So some adjustments like you have done are sometimes needed.
>
More information about the midPoint
mailing list