[midPoint] Removing role does not remove all attributes

Andrew Morgan morgan at oregonstate.edu
Wed Sep 12 22:42:07 CEST 2018


On Wed, 12 Sep 2018, Morgan, Andrew Jason wrote:

> I'm seeing an issue when I attempt to remove a role from a user.  Here is 
> the role definition:
>
> <inducement id="1">
> 	<construction>
> 		<!-- This is the ONIDLDAPDEV resource -->
> 		<resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa" relation="org:default" type="c:ResourceType"/>
> 		<kind>account</kind>
> 		<auxiliaryObjectClass>ri:googlePerson</auxiliaryObjectClass>
> 		<attribute>
> 			<ref>ri:googlePrincipalName</ref>
> 			<outbound>
> 				<source>
> 					<path>$user/extension/username</path>
> 				</source>
> 				<expression>
> 					<script>
> 						<code>username + '@oregonstate.edu'</code>
> 					</script>
> 				</expression>
> 			</outbound>
> 		</attribute>
> 		<attribute>
> 			<ref>ri:googleMailEnabled</ref>
> 			<outbound>
> 				<strength>weak</strength>
> 				<expression>
> 					<value>1</value>
> 				</expression>
> 			</outbound>
> 		</attribute>
> 	</construction>
> </inducement>
>
> The user's LDAP account has these values (plus more, of course):
>
> objectClass: googlePerson
> googleMailEnabled: 0
> googlePrincipalName: morgan at oregonstate.edu
>
> When I remove the role from the midPoint user and choose "Preview 
> changes", it says it will remove the googlePerson auxiliaryObjectClass. 
> It also says it will remove the googlePrincipalName attribute.  It does 
> not say it will remove the googleMailEnabled attribute.  When I proceed 
> with the change, there is a fatal error due to the schema violation 
> (googleMailEnabled cannot be present without the googlePerson 
> objectclass).
>
> The resource configuration does not contain any references to the 
> googlePerson objectclass or its attributes.
>
> The resource schema (viewed in Repository objects) is very clear that 
> these attributes are only present in the googlePerson objectclass.
>
> Why isn't midPoint correctly enforcing the schema on the googleMailEnabled 
> attribute?

I found an interesting detail.  When I set googleMailEnabled=1 on this 
user, midPoint does try to remove the attribute.  This is the value set by 
the mapping.  If googleMailEnabled is set to some value other than "1", 
midPoint won't try to remove the attribute.

This would make sense if I were also using this attribute in the resource, 
but as this is an auxiliaryObjectClass mapping, I'm only applying it in 
the role.

Thanks to Brad for giving me some ideas to try, which led to this 
additional information.

Andy Morgan
Systems Administrator, Identity & Access Management
Information Services | Oregon State University
541-737-8877 | is.oregonstate.edu
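The following is an added example, not midPoint's code and not part of the original post. It is a small Python model of the deprovisioning behaviour the post reports (on role removal the auxiliary object class is dropped and only values that equal the mapping's current output are removed), used as a pre-flight check that flags attributes a role unassignment would leave behind in an object class the directory is about to lose. The account entries, user, role construction, schema table and helper names (`unassign_delta`, `orphaned_attributes`, `preflight`) are constructed for illustration from the values in the post; that midPoint removes values by comparing them with the mapping output is an assumption inferred from the observation above, not a statement of its implementation.

```python
# Added example (not midPoint code): a model of the "remove what the mapping
# produced" behaviour observed in the post, used as a pre-flight check for
# attributes that a role unassignment would leave behind. All data below is
# constructed to match the post; helper names are assumptions.

def principal_name(user):
    # ri:googlePrincipalName outbound mapping from the post
    return user["extension"]["username"] + "@oregonstate.edu"

def mail_enabled(user):
    # ri:googleMailEnabled weak mapping from the post: constant "1"
    return "1"

ROLE_CONSTRUCTION = {
    "auxiliaryObjectClass": "googlePerson",
    "attributes": [
        # "strength" is carried for documentation only; this model assumes
        # removal is decided by comparing the account value with the output.
        {"ref": "googlePrincipalName", "strength": "normal", "outbound": principal_name},
        {"ref": "googleMailEnabled", "strength": "weak", "outbound": mail_enabled},
    ],
}

# Which auxiliary object class each attribute belongs to, as the resource
# schema states (constructed from the post).
SCHEMA = {"googlePrincipalName": "googlePerson", "googleMailEnabled": "googlePerson"}

def unassign_delta(account, construction, user):
    """Model (assumption): on role removal the auxiliary object class goes, and
    each mapping's *current output value* is removed from the account. A value
    that differs from the mapping output (googleMailEnabled: 0 here) stays."""
    removed_values = {}
    for m in construction["attributes"]:
        produced = m["outbound"](user)
        if account.get(m["ref"]) == produced:
            removed_values[m["ref"]] = produced
    return {"removeAuxiliaryObjectClass": construction["auxiliaryObjectClass"],
            "removeValues": removed_values}

def orphaned_attributes(account, delta, schema):
    """Attributes still present after the delta whose object class is being
    removed; the directory will reject the modify as a schema violation."""
    oc = delta["removeAuxiliaryObjectClass"]
    return sorted(attr for attr in account
                  if attr != "objectClass"
                  and attr not in delta["removeValues"]
                  and schema.get(attr) == oc)

def preflight(account, user, construction=ROLE_CONSTRUCTION, schema=SCHEMA):
    """Return (planned delta, attributes that would be orphaned)."""
    delta = unassign_delta(account, construction, user)
    return delta, orphaned_attributes(account, delta, schema)

# Constructed sample data matching the post
USER = {"extension": {"username": "morgan"}}
ACCOUNT_MAIL_OFF = {"objectClass": ["inetOrgPerson", "googlePerson"],
                    "googlePrincipalName": "morgan@oregonstate.edu",
                    "googleMailEnabled": "0"}
ACCOUNT_MAIL_ON = dict(ACCOUNT_MAIL_OFF, googleMailEnabled="1")

if __name__ == "__main__":
    for label, acct in (("mail off", ACCOUNT_MAIL_OFF), ("mail on", ACCOUNT_MAIL_ON)):
        delta, orphans = preflight(acct, USER)
        print(label, "->", delta["removeValues"], "orphaned:", orphans)
```

Run against the two accounts, the model reproduces the post's observation: with `googleMailEnabled: 0` the attribute is not in the delta and is reported as orphaned (the schema violation), while with `googleMailEnabled: 1` it is removed along with the object class and nothing is left behind. The check is useful before a bulk role removal precisely because the failure is silent in the preview and fatal only at provisioning time.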


