[midPoint] LDAP attributes from inducement

Brad Firestone bhotrock at gmail.com
Thu Aug 16 17:12:54 CEST 2018


Hi All,

I'm running into something strange and I'm sure I just have something 
configured wrong.  Hopefully someone can point me in the right 
direction.  I'm working with midPoint 3.7.2.

I am inducing some Services (using Services rather than Roles, but I think 
I understand they should work similarly) for certain Organizations.  I 
do that by adding the Service as an inducement when editing the 
Organization.  The Service places a set value into a multi-valued 
attribute (authServices) in the LDAP resource.  The "Add" part works 
just fine.  The attribute is added to both the mP User and to the LDAP 
Account.  "Show all Assignments" does show the indirect assignment of 
the Service.  At this point, everything is as expected.

However, if I then remove the Induced Service from the Organization and 
Reconcile a User, the reconciliation shows 0 Primary Changes and 0 
Secondary changes.  It won't remove the related attribute value from the 
mP User or from the LDAP account.  However, "Show all Assignments" no 
longer shows the indirect assignment of the Service.

Directly Assigning and then Unassigning this Service to a user adds and 
removes the attribute as expected.  I only have the problem removing the 
attribute if the Service is Induced.

Based on other email threads and documentation, I've set the following 
in both the Resource definition and the Service definition for Outbound 
mapping:
<tolerant>false</tolerant>
<strength>strong</strength>
<authoritative>true</authoritative>

I started without these tolerant, strength and authoritative settings 
and added them one by one hoping that would fix the problem.

Here is the XML from a test Service:

<service xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
         xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
         xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
         oid="c4144a0c-7fca-4666-a5d4-8f64050c3b58"
         version="8">
  <name>Cloud-via-LDAP</name>

  <inducement id="1">
    <construction>
      <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467873"
                   relation="org:default"
                   type="c:ResourceType"><!-- GnLDAP --></resourceRef>
      <attribute id="3">
        <c:ref>authServices</c:ref>
        <tolerant>false</tolerant>
        <outbound>
          <authoritative>true</authoritative>
          <strength>strong</strength>
          <expression>
            <value>cloud</value>
          </expression>
        </outbound>
      </attribute>
    </construction>
  </inducement>
</service>

Here is the mapping for that attribute in the LDAP Resource:

<attribute id="7">
  <c:ref>ri:authServices</c:ref>
  <displayName>Authorized Services</displayName>
  <limitations>
    <minOccurs>0</minOccurs>
    <maxOccurs>unbounded</maxOccurs>
  </limitations>
  <outbound>
    <authoritative>true</authoritative>
    <tolerant>false</tolerant>
    <strength>strong</strength>
    <source>
      <c:path>$user/extension/authServices</c:path>
    </source>
  </outbound>
  <inbound id="11">
    <strength>normal</strength>
    <target>
      <c:path>$user/extension/authServices</c:path>
    </target>
  </inbound>
</attribute>

Can anyone point me in the right direction to fix this?  I would really 
appreciate the help!
Brad
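An added illustration (not from this thread and not midPoint's own code) of how the tolerant flag and mapping strength decide what a reconcile does to one multi-valued attribute, using the post's authServices/cloud setup. The delta model is a simplified assumption about midPoint's outbound projection semantics, and the scenario where the user extension still carries the value is constructed for illustration.

```python
from dataclasses import dataclass

# Constructed, simplified model of how midPoint derives the delta for one
# multi-valued resource attribute (here ri:authServices) from its outbound
# mappings. Assumption-based sketch, not midPoint's real evaluation code.

@dataclass(frozen=True)
class OutboundMapping:
    name: str          # label only (constructed), says where the mapping comes from
    strength: str      # "strong", "normal" or "weak"
    values: frozenset  # values the mapping produces for this user

def attribute_delta(current, mappings, tolerant):
    """Return (values_to_add, values_to_remove) for the account attribute.

    Strong and normal mappings always contribute their values; a weak mapping
    contributes only when the attribute currently has no value at all.
    tolerant=False removes values that no mapping produces any more;
    tolerant=True leaves such values alone (only additions are made).
    """
    produced = set()
    for m in mappings:
        if m.strength == "weak" and current:
            continue
        produced |= m.values
    to_add = produced - current
    to_remove = set() if tolerant else current - produced
    return to_add, to_remove

def reconcile_auth_services(induced_by_org, user_extension_values, tolerant):
    """Model the post's setup: the Service inducement writes 'cloud' directly,
    and the resource outbound mapping copies $user/extension/authServices."""
    current = {"cloud"}  # account already holds the value from the earlier "Add"
    mappings = []
    if induced_by_org:
        mappings.append(OutboundMapping("Cloud-via-LDAP inducement", "strong", frozenset({"cloud"})))
    mappings.append(OutboundMapping("resource outbound from user extension", "strong",
                                    frozenset(user_extension_values)))
    return attribute_delta(current, mappings, tolerant)

if __name__ == "__main__":
    # Inducement removed and the user extension is empty: a non-tolerant
    # attribute drops 'cloud', a tolerant one keeps it.
    print(reconcile_auth_services(False, set(), tolerant=False))   # (set(), {'cloud'})
    print(reconcile_auth_services(False, set(), tolerant=True))    # (set(), set())
    # Inducement removed, but the user extension still holds 'cloud' (constructed
    # case, e.g. left there by the inbound mapping): the outbound mapping keeps
    # producing it, so the reconcile computes no change despite tolerant=false.
    print(reconcile_auth_services(False, {"cloud"}, tolerant=False))  # (set(), set())
```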


