[midPoint] reconcile failed adding auxiliary objectclasses

Andrew Morgan morgan at oregonstate.edu
Thu May 31 01:25:03 CEST 2018


I have an existing user entry in LDAP (created by midPoint).  When I 
perform reconciliation on the midPoint user, I get an LDAP error:

2018-05-30 15:21:03,241 [] [pool-6-thread-3] ERROR (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): ConnId Exception org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException in connector:2550dac9-8c37-49b6-809e-1895204baa21(ConnId com.evolveum.polygon.connector.ldap.LdapConnector v1.5.1-osu1): ConnectorSpec(resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa(ONID LDAP DEV), name=null, oid=2550dac9-8c37-49b6-809e-1895204baa21) while adding attribute values to object identified by ConnId UID 'c4130201-5ee211e8-80d383a7-05078e7e': Error modifying LDAP entry osuuid=78013514100,ou=people,o=midpointdev: [add:objectClass: eduPerson
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: account
objectClass: lpSghePerson,]: attributeOrValueExists:  (20)
org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException: Error modifying LDAP entry osuuid=78013514100,ou=people,o=midpointdev: [add:objectClass: eduPerson
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: account
objectClass: lpSghePerson,]: attributeOrValueExists:  (20)


These 5 objectclasses already exist on the LDAP entry, as you can see from 
this log entry earlier in the reconciliation process:

2018-05-30 15:20:55,758 [] [pool-6-thread-3] DEBUG 
(com.evolveum.polygon.connector.ldap.OperationLog): method: null 
msg:ldaps://ldap.onid.orst.edu/ Search RES Entry
     dn: osuuid=78013514100,ou=people,o=midpointdev
     objectClass: osuPerson
     objectClass: account
     objectClass: shadowAccount
     objectClass: eduPerson
     objectClass: lpSghePerson
     objectClass: inetOrgPerson
     objectClass: top
     objectClass: organizationalPerson
     objectClass: person
     uid: morgan
     osuPrimaryAffiliation: E
     osuPIDM: <redacted>
     givenName: Andrew
     osuUID: 78013514100
     sn: Morgan
     cn: Morgan, Andrew Jason
     osuID: <redacted>
     nsUniqueId: c4130201-5ee211e8-80d383a7-05078e7e


The 5 objectclasses it is complaining about are the 5 auxiliary 
objectclasses defined in my resource:

<objectClass>ri:osuPerson</objectClass> 
<auxiliaryObjectClass>ri:inetOrgPerson</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:account</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:shadowAccount</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:lpSghePerson</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass>


Why does midPoint think it needs to add these auxiliary objectclasses to 
the LDAP entry?

Thanks,

Andy Morgan
Systems Administrator, Identity & Access Management
Information Services | Oregon State University
541-737-8877 | is.oregonstate.edu
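
The comparison described in the message above, as an added example (not part of the original post and not midPoint or connector code): it extracts the objectClass values from the failed add modification and from the Search RES Entry, then splits the requested values into those already on the entry and those actually missing. The function names are hypothetical, the log excerpts are trimmed copies of the ones quoted in the message, and names are compared case-insensitively, as LDAP does for objectClass.

```python
import re

# Trimmed copies of the two log excerpts quoted in the message.
MODIFY_ERROR = """Error modifying LDAP entry osuuid=78013514100,ou=people,o=midpointdev: [add:objectClass: eduPerson
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: account
objectClass: lpSghePerson,]: attributeOrValueExists:  (20)"""

SEARCH_ENTRY = """dn: osuuid=78013514100,ou=people,o=midpointdev
objectClass: osuPerson
objectClass: account
objectClass: shadowAccount
objectClass: eduPerson
objectClass: lpSghePerson
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
uid: morgan"""

# Object class names are letters, digits, hyphens (or a dotted numeric OID).
OC_RE = re.compile(r"objectClass:\s*([A-Za-z0-9.-]+)")


def object_classes(text):
    """Return the objectClass values found in a log excerpt, in order."""
    return OC_RE.findall(text)


def split_add(requested, current):
    """Split a requested 'add' into (already present, actually missing).

    Any value in the first list makes an LDAP add modification fail with
    attributeOrValueExists (20); only the second list is safe to add.
    """
    have = {name.lower() for name in current}
    present = [r for r in requested if r.lower() in have]
    missing = [r for r in requested if r.lower() not in have]
    return present, missing


if __name__ == "__main__":
    present, missing = split_add(object_classes(MODIFY_ERROR),
                                 object_classes(SEARCH_ENTRY))
    print("already on entry:", present)
    print("actually missing:", missing)
```
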


