[midPoint] define custom schema for ldap resource

Jeria, Esteban esteban.jeria at cgi.com
Fri Jun 15 15:43:44 CEST 2018


Hi Keith,

Actually, it is the opposite: the custom class "customprofile" is already defined as STRUCTURAL in the LDAP schema, and unfortunately it seems complicated to change it (it is not managed by us).

     objectclass ( customprofile-oid NAME 'customprofile'
         SUP top
         STRUCTURAL
         MAY ( matricule $ adressetravail $ fonction $ uniteadministrative ) )

     dn: uid=testuser,ou=people,dc=example,dc=com
     objectClass: top
     objectClass: inetOrgPerson
     objectClass: organizationalPerson
     objectClass: person
     objectClass: customprofile
     cn: Test USER
     sn: USER
     givenName: Test
     uid: testuser
     matricule: 12345678

Then, in order to read its custom attributes (e.g. "matricule"), I have to declare the class to midPoint, but given that it only supports one structural class, I defined it as auxiliary.

      <schemaHandling>
          <objectType>
              <kind>account</kind>
              <intent>default</intent>
              <displayName>Default Account</displayName>
              <default>true</default>
              <objectClass>ri:inetOrgPerson</objectClass>
              <auxiliaryObjectClass>ri:customprofile</auxiliaryObjectClass>
              ...
          </objectType>
      </schemaHandling>

MidPoint is able to create the user in LDAP, but it fails as soon as I try to modify any attribute of the profile.

2018-06-14 15:27:08,882 [] [Thread-25] ERROR (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): ConnId Exception org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException in connector:7e39b53e-9709-4a82-81fc-bda465af52c0(ConnId com.evolveum.polygon.connector.ldap.LdapConnector v1.5): ConnectorSpec(resource:resource-sunone(SunOne), name=null, oid=7e39b53e-9709-4a82-81fc-bda465af52c0) while adding attribute values to object identified by ConnId UID '94967781-700011e8-80eeb4e7-304b8fc4': Error modifying LDAP entry uid=testuser,ou=people,dc=example,dc=com: [add: objectClass: customprofile,]: attributeOrValueExists:  (20)

Esteban Jeria
esteban.jeria at cgi.com
Conseiller CGI / CGI Consultant
Sécurité - Gestion des Identités et des Accès / Security - Identity and Access Management
514-415-3000 ext.1018296
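The failure in the log line above comes from LDAP Modify semantics rather than from the schema itself: `add: objectClass: customprofile` is sent against an entry that already carries that value, the server answers attributeOrValueExists (20), and because a Modify request is atomic the `matricule` change in the same request is discarded too. The script below is an added illustration of that behaviour, not midPoint or connector code; it models the three Modify operations on a constructed copy of the testuser entry quoted in the message and contrasts the unconditional add with an idempotent variant that adds only the objectClass values the entry lacks.

```python
"""Model of the LDAP Modify that the thread's log line shows failing.

Added illustration, not midPoint or LDAP connector code. The entry is a
constructed copy of the testuser LDIF quoted in the thread."""

RESULT_SUCCESS = 0
RESULT_NO_SUCH_ATTRIBUTE = 16
RESULT_ATTRIBUTE_OR_VALUE_EXISTS = 20

TESTUSER_LDIF = """\
dn: uid=testuser,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: customprofile
cn: Test USER
sn: USER
givenName: Test
uid: testuser
matricule: 12345678
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attribute_lower: [values]})."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def _has_value(attrs, name, value):
    # objectClass values (and the attributes used here) match case-insensitively.
    return value.lower() in (v.lower() for v in attrs.get(name.lower(), []))


def modify(attrs, changes):
    """Apply an LDAP Modify request with the server semantics that matter here:
    'add' of a value the entry already holds fails with attributeOrValueExists
    (20), 'delete' of a missing value with noSuchAttribute (16), 'replace' sets
    the attribute to exactly the given values; the request is atomic, so one
    failing change discards every change in the request."""
    for op, name, values in changes:
        if op == "add" and any(_has_value(attrs, name, v) for v in values):
            return RESULT_ATTRIBUTE_OR_VALUE_EXISTS
        if op == "delete" and (name.lower() not in attrs
                               or not all(_has_value(attrs, name, v) for v in values)):
            return RESULT_NO_SUCH_ATTRIBUTE
        if op not in ("add", "delete", "replace"):
            raise ValueError("unknown modify operation: " + op)
    for op, name, values in changes:
        key = name.lower()
        if op == "add":
            attrs.setdefault(key, []).extend(values)
        elif op == "replace":
            if values:
                attrs[key] = list(values)
            else:
                attrs.pop(key, None)
        else:  # delete; an empty value list removes the whole attribute
            drop = {v.lower() for v in values}
            kept = [v for v in attrs[key] if values and v.lower() not in drop]
            if kept:
                attrs[key] = kept
            else:
                del attrs[key]
    return RESULT_SUCCESS


def ensure_object_classes(attrs, wanted):
    """Changes that add only the objectClass values the entry lacks: the
    idempotent form of the unconditional 'add: objectClass' seen in the log."""
    missing = [oc for oc in wanted if not _has_value(attrs, "objectClass", oc)]
    return [("add", "objectClass", missing)] if missing else []


def demo():
    """Replay the failing request from the log, then the idempotent variant."""
    _, entry = parse_ldif_entry(TESTUSER_LDIF)
    # What the log shows: the class is added unconditionally, in the same
    # request as the attribute change the user actually asked for.
    naive = [("add", "objectClass", ["customprofile"]),
             ("replace", "matricule", ["87654321"])]
    rc_naive = modify(entry, naive)
    after_naive = list(entry["matricule"])
    safe = ensure_object_classes(entry, ["customprofile"]) + [
        ("replace", "matricule", ["87654321"])]
    rc_safe = modify(entry, safe)
    return {"naive_result": rc_naive, "matricule_after_naive": after_naive,
            "safe_changes": safe, "safe_result": rc_safe,
            "matricule_after_safe": list(entry["matricule"])}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Two caveats follow from the model. First, the rejected request leaves `matricule` at its old value, so a retry of the attribute change alone would succeed; the problem is only the objectClass add that travels with it. Second, the entry in the LDIF carries two structural chains (inetOrgPerson and customprofile, each ultimately SUP top), which RFC 4512 does not permit; the directory evidently accepts it, but it is the reason one of the two classes has to be presented to midPoint as auxiliary in the first place.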

From: Keith Hazelton [mailto:keith.hazelton at wisc.edu]
Sent: Friday, June 15, 2018 8:26 AM
To: midPoint General Discussion
Subject: Re: [midPoint] define custom schema for ldap resource

Esteban,

Why do you need to make the object class structural? inetOrgPerson can be structural; auxiliary for your class should be good enough unless I'm missing something.   --Keith

___________________________________
email & jabber: keith.hazelton at wisc.edu
calendar: http://go.wisc.edu/i6zxx0
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of "Jeria, Esteban" <esteban.jeria at cgi.com>
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
Date: Friday, June 15, 2018 at 07:16
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] define custom schema for ldap resource

Hi,

I have some more details about the problem I have with the existing LDAP resource schema. I noticed that the custom class is currently set as STRUCTURAL instead of AUXILIARY, so when I try to modify any user attribute through midPoint, I get an attributeOrValueExists error.
After some tests, I suspect that midPoint always tries to add the auxiliary classes, no matter whether they exist or not, but given that mine is set to structural, it fails.

I am afraid that overriding the resource schema locally will not work, so is there any workaround for this situation?

Esteban Jeria

From: Jeria, Esteban [mailto:esteban.jeria at cgi.com]
Sent: Wednesday, June 13, 2018 12:11 PM
To: midPoint General Discussion
Cc: Landry, Robert
Subject: [midPoint] define custom schema for ldap resource

Hi,

I'm trying to figure out how to define an auxiliary object class to override or extend an LDAP resource schema.
We have an old Oracle Directory Server that has some custom classes which are not properly configured or are incomplete, so instead of trying to fix them, I was wondering if there is a way to use my own schema definition and add it to the one retrieved from the resource at run-time.
I looked in your wiki page and in this forum, but all I found is how to extend the midPoint schema and not that of a resource.

---------
I tried adding custom-ldap-extension.xsd to the midPoint directory/schema

<xsd:schema elementFormDefault="qualified"
     targetNamespace="http://midpoint.evolveum.com/xml/ns/custom/ldap-extension"
     xmlns:tns="http://midpoint.evolveum.com/xml/ns/custom/ldap-extension"
     xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
     xmlns:ra="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema">

     <xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
     <xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"/>

   <xsd:complexType name="customprofile">
      <xsd:annotation>
         <xsd:appinfo>
            <ra:resourceObject/>
            <ra:nativeObjectClass>customprofile</ra:nativeObjectClass>
         </xsd:appinfo>
      </xsd:annotation>

      <xsd:sequence>
         <xsd:element name="matricule" type="xsd:string" maxOccurs="unbounded" minOccurs="0">
            <xsd:annotation>
               <xsd:appinfo>
                  <a:displayOrder>150</a:displayOrder>
                  <ra:nativeAttributeName>matricule</ra:nativeAttributeName>
                  <ra:frameworkAttributeName>matricule</ra:frameworkAttributeName>
               </xsd:appinfo>
            </xsd:annotation>
         </xsd:element>
...
      </xsd:sequence>
   </xsd:complexType>
</xsd:schema>

Then I restricted the schema definition to only the standard classes
...
      <schema>
         <generationConstraints>
             <generateObjectClass>ri:groupOfNames</generateObjectClass>
             <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
             <generateObjectClass>ri:organizationalUnit</generateObjectClass>
             <generateObjectClass>ri:person</generateObjectClass>
         </generationConstraints>
...

And I added the reference to the namespace on the connector
           xmlns:ext="http://prism.evolveum.com/xml/ns/custom/ldap-extension"

but I didn't find a way to make it work when trying to map the attributes from this class.


Esteban Jeria
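One thing worth checking in the three fragments of the original post: the XSD declares `targetNamespace="http://midpoint.evolveum.com/xml/ns/custom/ldap-extension"`, while the resource binds the `ext` prefix to `http://prism.evolveum.com/xml/ns/custom/ldap-extension`. A QName such as `ext:customprofile` resolves through the prefix binding, so with those two URIs differing it can never name a type from the XSD, whatever else is right or wrong with the extension. The script below is an added illustration of that check, not midPoint code: it parses a constructed, trimmed copy of the XSD and a minimal constructed resource document that keeps the thread's `xmlns:ext` binding, reports the mismatch, and shows the same check passing once the prefix is bound to the XSD's own targetNamespace. The `ra:` annotation namespace is taken from the XSD on the page; the `resource` element and `name` in the sample resource are assumed minimal scaffolding.

```python
"""Consistency check between a midPoint schema-extension XSD and the resource
definition that refers to it.

Added illustration built on the snippets in this thread; not midPoint code.
EXTENSION_XSD and RESOURCE_XML are constructed, trimmed copies of those
snippets: the XSD keeps the thread's targetNamespace, the resource keeps the
thread's xmlns:ext binding."""
import io
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"
RA_NS = "http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"

EXTENSION_XSD = """\
<xsd:schema elementFormDefault="qualified"
    targetNamespace="http://midpoint.evolveum.com/xml/ns/custom/ldap-extension"
    xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
    xmlns:ra="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:complexType name="customprofile">
    <xsd:annotation>
      <xsd:appinfo>
        <ra:resourceObject/>
        <ra:nativeObjectClass>customprofile</ra:nativeObjectClass>
      </xsd:appinfo>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="matricule" type="xsd:string" minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:appinfo>
            <ra:nativeAttributeName>matricule</ra:nativeAttributeName>
          </xsd:appinfo>
        </xsd:annotation>
      </xsd:element>
    </xsd:sequence>
  </xsd:complexType>
</xsd:schema>
"""

# Minimal constructed resource document: only the namespace bindings matter here.
RESOURCE_XML = """\
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:ext="http://prism.evolveum.com/xml/ns/custom/ldap-extension">
  <name>resource-sunone</name>
</resource>
"""


def prefix_bindings(xml_text):
    """All xmlns:prefix declarations in a document, as {prefix: namespace}."""
    bindings = {}
    source = io.BytesIO(xml_text.encode("utf-8"))
    for _event, (prefix, uri) in ET.iterparse(source, events=("start-ns",)):
        bindings[prefix] = uri
    return bindings


def extension_object_classes(xsd_text):
    """(targetNamespace, {complexType name: ra:nativeObjectClass or None})."""
    root = ET.fromstring(xsd_text)
    natives = {}
    for ct in root.findall(f"{{{XSD_NS}}}complexType"):
        node = ct.find(f".//{{{RA_NS}}}nativeObjectClass")
        natives[ct.get("name")] = node.text.strip() if node is not None and node.text else None
    return root.get("targetNamespace"), natives


def check_extension_wiring(xsd_text, resource_text, prefix="ext"):
    """Problems that would stop prefix-qualified names in the resource from
    resolving to the types in the XSD. An empty list means consistent."""
    target, natives = extension_object_classes(xsd_text)
    bound = prefix_bindings(resource_text).get(prefix)
    problems = []
    if bound is None:
        problems.append(f"prefix '{prefix}' is not declared in the resource")
    elif bound != target:
        problems.append(f"prefix '{prefix}' is bound to {bound} "
                        f"but the XSD targetNamespace is {target}")
    for name, native in natives.items():
        if not native:
            problems.append(f"complexType {name} lacks ra:nativeObjectClass")
    return problems


def fixed_resource():
    """The sample resource with ext bound to the XSD's own targetNamespace."""
    target, _ = extension_object_classes(EXTENSION_XSD)
    return RESOURCE_XML.replace(
        "http://prism.evolveum.com/xml/ns/custom/ldap-extension", target)


if __name__ == "__main__":
    print(check_extension_wiring(EXTENSION_XSD, RESOURCE_XML))
    print(check_extension_wiring(EXTENSION_XSD, fixed_resource()))
```

The check is deliberately limited to what XML namespaces guarantee: a prefix bound to the wrong URI cannot reach the XSD's types. Whether a correctly wired extension type is then merged with the schema midPoint fetches from the connector is a midPoint question the thread leaves open, so the script makes no claim about it.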
