[midPoint] Removing role does not remove all attributes
Andrew Morgan
morgan at oregonstate.edu
Wed Sep 12 21:27:17 CEST 2018
I'm seeing an issue when I attempt to remove a role from a user. Here is
the role definition:
<inducement id="1">
    <construction>
        <!-- This is the ONIDLDAPDEV resource -->
        <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa" relation="org:default" type="c:ResourceType"/>
        <kind>account</kind>
        <auxiliaryObjectClass>ri:googlePerson</auxiliaryObjectClass>
        <attribute>
            <ref>ri:googlePrincipalName</ref>
            <outbound>
                <source>
                    <path>$user/extension/username</path>
                </source>
                <expression>
                    <script>
                        <code>username + '@oregonstate.edu'</code>
                    </script>
                </expression>
            </outbound>
        </attribute>
        <attribute>
            <ref>ri:googleMailEnabled</ref>
            <outbound>
                <strength>weak</strength>
                <expression>
                    <value>1</value>
                </expression>
            </outbound>
        </attribute>
    </construction>
</inducement>
The user's LDAP account has these values (plus more, of course):
objectClass: googlePerson
googleMailEnabled: 0
googlePrincipalName: morgan@oregonstate.edu
When I remove the role from the midPoint user and choose "Preview
changes", it says it will remove the googlePerson auxiliaryObjectClass.
It also says it will remove the googlePrincipalName attribute. It does
not say it will remove the googleMailEnabled attribute. When I proceed
with the change, there is a fatal error due to the schema violation
(googleMailEnabled cannot be present without the googlePerson
objectclass).
The resource configuration does not contain any references to the
googlePerson objectclass or its attributes.
The resource schema (viewed in Repository objects) is very clear that
these attributes are only present in the googlePerson objectclass.
Why isn't midPoint correctly enforcing the schema on the googleMailEnabled
attribute?
Thanks,
Andy Morgan
Systems Administrator, Identity & Access Management
Information Services | Oregon State University
541-737-8877 | is.oregonstate.edu
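The failure described above is a consistency check that was skipped: when an auxiliary object class is dropped, every attribute that only that class permits has to be deleted in the same modify, whatever mapping strength produced it. The following is an added illustration, not midPoint's code or anything from the post, that models that check over a constructed LDAP schema and a constructed entry built from the values quoted above. The schema contents, the entry and the function names (plan_aux_class_removal, check_entry, apply_plan) are all assumptions made for the example.

```python
"""Schema-consistency check for dropping an auxiliary object class.

Added example (not midPoint's own logic). It shows why a deprovisioning
plan that deletes only the strong-mapped attribute leaves the entry in a
schema-violating state, and how to compute the complete delete set.
"""

# Constructed schema: attributes permitted under each object class.
# Real LDAP schemas distinguish MUST/MAY; a single "permitted" set is
# enough to detect orphaned attributes.
SCHEMA = {
    "inetOrgPerson": {"cn", "sn", "mail"},
    "googlePerson": {"googlePrincipalName", "googleMailEnabled"},
}

# Constructed entry mirroring the values quoted in the post.
ENTRY = {
    "objectClass": ["inetOrgPerson", "googlePerson"],
    "cn": "Andy Morgan",
    "sn": "Morgan",
    "mail": "morgan@oregonstate.edu",
    "googlePrincipalName": "morgan@oregonstate.edu",
    "googleMailEnabled": "0",
}


def attributes_of(object_classes):
    """Union of attributes permitted by the given object classes."""
    allowed = set()
    for oc in object_classes:
        allowed |= SCHEMA.get(oc, set())
    return allowed


def check_entry(entry):
    """Return attributes present on the entry that no object class permits.
    An empty set means the entry is schema-valid."""
    allowed = attributes_of(entry["objectClass"])
    return {a for a in entry if a != "objectClass" and a not in allowed}


def plan_aux_class_removal(entry, aux_class, planned_deletes):
    """Complete the delete set for removing aux_class from the entry.

    planned_deletes: attribute deletes the mapping engine already intends
    (in the post, only the strong-mapped googlePrincipalName).
    Every attribute that would be left without a permitting object class
    is added, regardless of the mapping strength that created it.
    """
    remaining_classes = set(entry["objectClass"]) - {aux_class}
    still_allowed = attributes_of(remaining_classes)
    present = {a for a in entry if a != "objectClass"}
    orphaned = present - still_allowed
    return set(planned_deletes) | orphaned


def apply_plan(entry, aux_class, deletes):
    """Simulate the LDAP modify: drop the aux class and the listed attributes."""
    new_entry = {k: v for k, v in entry.items() if k not in deletes}
    new_entry["objectClass"] = [oc for oc in entry["objectClass"] if oc != aux_class]
    return new_entry


if __name__ == "__main__":
    # The plan the preview showed: only the strong mapping's attribute goes.
    naive = {"googlePrincipalName"}
    print("violations after naive plan:",
          check_entry(apply_plan(ENTRY, "googlePerson", naive)))
    # The plan a schema-aware engine should produce.
    full = plan_aux_class_removal(ENTRY, "googlePerson", naive)
    print("complete delete set:", sorted(full))
    print("violations after full plan:",
          check_entry(apply_plan(ENTRY, "googlePerson", full)))
```

Run stand-alone, the naive plan reports googleMailEnabled as a violation (the same condition the directory rejected with a schema error), while the completed plan reports none. The point of plan_aux_class_removal is that it derives the delete set from the schema, not from which mappings happen to be strong or weak.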