[midPoint] filter LDAP entries

Jeria, Esteban esteban.jeria at cgi.com
Thu May 31 17:51:44 CEST 2018


Hi,

I was wondering if there is a way to restrict the ldap connector so that it will only work with a subset of entries from an OU, like a filter.
We currently have a LAB environment with over 50K entries, so I would like to limit our tests with only a dozen of them, previously identified with an attribute (businessCategory = midpoint_test).

I tried using the <protected> section on the <schemaHandling> with a reversed filter:

<protected>
   <filter>
      <q:not>
         <q:equal>
            <q:path>attributes/businessCategory</q:path>
           <q:value>midpoint_test</q:value>
         </q:equal>
      </q:not>
   </filter>
</protected>

But it doesn't work properly, it really ignores the entries that don't match the attribute, but I have this error on the targeted entries and I'm unable to modify them.

SystemException: Security violation during processing shadow shadow: uid=testuser,ou=IT,ou=people,dc=example,dc=com (OID:4d030941-e623-46e2-8b17-2c99ae6639d5): Cannot modify protected resource object

Esteban Jeria
esteban.jeria at cgi.com<mailto:esteban.jeria at cgi.com>
Conseiller CGI / CGI Consultant
Sécurité - Gestion des Identités et des Accès / Security - Identity and Access Management

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180531/0d746000/attachment.htm>


More information about the midPoint mailing list