[midPoint] Security Violation with Custom Attribute

Ivan Noris ivan.noris at evolveum.com
Thu Mar 30 08:52:57 CEST 2017


Hi Brad,

I believe you are "mixing" things a little: see below:


On 03/29/2017 11:42 PM, Brad Firestone wrote:
> Hi, I'm just getting started with my midPoint configuration.  I have
> setup an OpenLDAP resource that has custom attributes in a custom
> object class.  This resource should not ever be modified, so I have
> removed all inbound settings, since I only want information to go out
> to this resource.

If the resource is TARGET, there must be outbounds. If you don't need to
synchronize anything FROM the resource, you don't need inbounds.

>
> When I try to project a midPoint user to this resource, I get the
> following error:
>
> Security violation during processing shadow shadow: null (OID:null):
> Attempt to add shadow with non-createable attribute
> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}gnUniqueId
>
> The attribute gnUniqueID exists in a custom schema XSD file and it
> does display under the Extension section of the User in the GUI. 
> Here's the related section from the XSD file:
>
> <xsd:element name="gnUniqueID" type="xsd:string" minOccurs="0"
> maxOccurs="1">
> <xsd:annotation>
> <xsd:appinfo>
> <a:indexed>true</a:indexed>
> <a:displayName>GN-UniqueID</a:displayName>
> <a:displayOrder>120</a:displayOrder>
> </xsd:appinfo>
> </xsd:annotation>
> </xsd:element>
>
> Here is the attribute section of the Resource XML file:
>
> <attribute>
> <ref>ri:gnUniqueId</ref>
> <displayName>GN Unique ID</displayName>
> <limitations>
> <access>
> <read>true</read>
> <add>false</add>
> <modify>true</modify>
> </access>
> </limitations>
> <outbound>
> <source>
> <path>$user/extension/gnUniqueID</path>
> </source>
> </outbound>
> <matchingRule>mr:stringIgnoreCase</matchingRule>
> </attribute>
>

I believe the "<add>false</add>" is the problem. You can't add the value
of "gnUniqueId" resource attribute because you have prohibited it. (The
attribute is "non-creatable".)
What happens if you remove the "<add>false</add>" restriction?

Regards,
Ivan

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
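As an added check that is not code from this thread or from midPoint: a small Python script that parses a schemaHandling fragment and lists every attribute that has an outbound mapping but is declared non-creatable with <add>false</add>, the combination Ivan points to. The embedded XML is a constructed, simplified stand-in for Brad's resource definition (namespace declarations omitted); tag matching strips namespaces, so the same check runs over a real resource file.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified schemaHandling fragment (namespace declarations omitted)
# modelled on the attribute definition quoted in the thread; not a real resource file.
SAMPLE = """<schemaHandling><objectType>
  <attribute>
    <ref>ri:gnUniqueId</ref>
    <limitations><access><read>true</read><add>false</add><modify>true</modify></access></limitations>
    <outbound><source><path>$user/extension/gnUniqueID</path></source></outbound>
  </attribute>
  <attribute>
    <ref>ri:cn</ref>
    <outbound><source><path>$user/name</path></source></outbound>
  </attribute>
  <attribute>
    <ref>ri:entryUUID</ref>
    <limitations><access><read>true</read><add>false</add><modify>false</modify></access></limitations>
  </attribute>
</objectType></schemaHandling>"""

def local(tag):
    """Strip an XML namespace prefix ('{uri}name' -> 'name') so real resource files work too."""
    return tag.rsplit('}', 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def forbids_add(attribute):
    """True if the attribute carries <limitations><access><add>false</add>."""
    for lim in children(attribute, 'limitations'):
        for acc in children(lim, 'access'):
            for add in children(acc, 'add'):
                if (add.text or '').strip().lower() == 'false':
                    return True
    return False

def find_conflicts(xml_text):
    """Return the refs of attributes that an outbound mapping would try to create
    while the limitations declare them non-creatable (the error in the thread)."""
    root = ET.fromstring(xml_text)
    conflicts = []
    for attribute in (e for e in root.iter() if local(e.tag) == 'attribute'):
        refs = children(attribute, 'ref')
        ref = refs[0].text.strip() if refs and refs[0].text else '?'
        if children(attribute, 'outbound') and forbids_add(attribute):
            conflicts.append(ref)
    return conflicts

# Ivan's suggested fix: drop the <add>false</add> restriction and the conflict disappears.
FIXED = SAMPLE.replace('<add>false</add><modify>true</modify>', '<modify>true</modify>')
```

Read-only attributes without an outbound mapping (ri:entryUUID above) are not reported, since nothing would ever try to create them.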
