[midPoint] Removing role does not remove all attributes
Andrew Morgan
morgan at oregonstate.edu
Fri Sep 14 01:33:06 CEST 2018
On Wed, 12 Sep 2018, Morgan, Andrew Jason wrote:
> On Wed, 12 Sep 2018, Morgan, Andrew Jason wrote:
>
>> I'm seeing an issue when I attempt to remove a role from a user. Here is
>> the role definition:
>>
>> <inducement id="1">
>>   <construction>
>>     <!-- This is the ONIDLDAPDEV resource -->
>>     <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa" relation="org:default" type="c:ResourceType"/>
>>     <kind>account</kind>
>>     <auxiliaryObjectClass>ri:googlePerson</auxiliaryObjectClass>
>>     <attribute>
>>       <ref>ri:googlePrincipalName</ref>
>>       <outbound>
>>         <source>
>>           <path>$user/extension/username</path>
>>         </source>
>>         <expression>
>>           <script>
>>             <code>username + '@oregonstate.edu'</code>
>>           </script>
>>         </expression>
>>       </outbound>
>>     </attribute>
>>     <attribute>
>>       <ref>ri:googleMailEnabled</ref>
>>       <outbound>
>>         <strength>weak</strength>
>>         <expression>
>>           <value>1</value>
>>         </expression>
>>       </outbound>
>>     </attribute>
>>   </construction>
>> </inducement>
>>
>> The user's LDAP account has these values (plus more, of course):
>>
>> objectClass: googlePerson
>> googleMailEnabled: 0
>> googlePrincipalName: morgan at oregonstate.edu
>>
>> When I remove the role from the midPoint user and choose "Preview
>> changes", it says it will remove the googlePerson auxiliaryObjectClass.
>> It also says it will remove the googlePrincipalName attribute. It does
>> not say it will remove the googleMailEnabled attribute. When I proceed
>> with the change, there is a fatal error due to the schema violation
>> (googleMailEnabled cannot be present without the googlePerson
>> objectclass).
>>
>> The resource configuration does not contain any references to the
>> googlePerson objectclass or its attributes.
>>
>> The resource schema (viewed in Repository objects) is very clear that
>> these attributes are only present in the googlePerson objectclass.
>>
>> Why isn't midPoint correctly enforcing the schema on the googleMailEnabled
>> attribute?
>
> I found an interesting detail. When I set googleMailEnabled=1 on this
> user, midPoint does try to remove the attribute. This is the value set by
> the mapping. If googleMailEnabled is set to some value other than "1",
> midPoint won't try to remove the attribute.
>
> This would make sense if I was also using this attribute in the resource,
> but as this is an auxiliaryObjectClass mapping, I'm only applying it in
> the role.
I set the logging to TRACE for Clockwork and Projector and tried removing
the Google role.
I see the following details during "PROJECTOR (INITIAL) context projection
values and credentials of
resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa(ONID LDAP DEV)(default)":
User primary delta:
ObjectDelta<UserType>(UserType:67444ba5-7380-42d2-bd78-b78ef1aa5247,MODIFY):
assignment
DELETE:
id=214
(no items)
Evaluated assignments:
Zero:
-> role:0643c9e2-8125-4c3c-9445-aeb48c9bdca9(Base ONID)
-> role:47c290d9-f4de-45fa-b12b-056b95590a08(Unix)
Plus:
Minus:
-> role:0aab3f14-2c04-46a1-9638-8d6332bd237b(Google)
PROJECTION ShadowType RSD(account (default) @ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa) : ONID LDAP DEV
OID: 245a1350-9480-4034-b326-680aca6e24bc, wave 0, full, exists=true, assigned=true->true, active=true, legal=true->true, recon=false, syncIntent=null, decision=KEEP
Account current:
shadow: (245a1350-9480-4034-b326-680aca6e24bc, v25, ShadowType)
auxiliaryObjectClass: [ {...resource/instance-3}posixAccount, {...resource/instance-3}osuPerson, {...resource/instance-3}lpSghePerson, {...resource/instance-3}googlePerson, {...resource/instance-3}eduPerson, {...resource/instance-3}shadowAccount ]
attributes:
googlePrincipalName: morgan at oregonstate.edu
googleMailEnabled: 0
...
Account new:
shadow: (245a1350-9480-4034-b326-680aca6e24bc, v25, ShadowType)
auxiliaryObjectClass: [ {...resource/instance-3}posixAccount, {...resource/instance-3}osuPerson, {...resource/instance-3}lpSghePerson, {...resource/instance-3}eduPerson, {...resource/instance-3}shadowAccount ]
attributes:
googleMailEnabled: 0
...
Account secondary delta:
ObjectDelta<ShadowType>(ShadowType:245a1350-9480-4034-b326-680aca6e24bc,MODIFY):
auxiliaryObjectClass
DELETE: {...resource/instance-3}googlePerson
OLD: {...resource/instance-3}posixAccount, {...resource/instance-3}osuPerson, {...resource/instance-3}lpSghePerson, {...resource/instance-3}googlePerson, {...resource/instance-3}eduPerson, {...resource/instance-3}shadowAccount
attributes/googlePrincipalName
DELETE: morgan at oregonstate.edu
OLD: morgan at oregonstate.edu
Account constructionDeltaSetTriple:
DeltaSetTriple:
minus:
Construction:RSD(account (default) @ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa)
isValid: true
wasValid: true
relativityMode: ZERO
auxiliary object classes:
{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}googlePerson
attribute mappings:
M({...resource/instance-3}googlePrincipalName = PVDeltaSetTriple(zero: [PPV(String:morgan at oregonstate.edu)]; plus: []; minus: []; ))
M({...resource/instance-3}googleMailEnabled = PVDeltaSetTriple(zero: [PPV(String:1)]; plus: []; minus: []; ), weak)
AssignmentPath: (2)
default:1=1(match): user:67444ba5-7380-42d2-bd78-b78ef1aa5247(78013514100) id:214 -[default]-> role:0aab3f14-2c04-46a1-9638-8d6332bd237b(Google)
default:1=1(match): role:0aab3f14-2c04-46a1-9638-8d6332bd237b(Google) inducement id:1 Constr 'null'
Account squeezed attributes:
{...resource/instance-3}googleMailEnabled =>
DeltaSetTriple:
zero:
plus:
minus:
ItemValueWithOrigin:
itemValue:
1
mapping: M({...resource/instance-3}googleMailEnabled = PVDeltaSetTriple(zero: [PPV(String:1)]; plus: []; minus: []; ), weak)
construction: Construction(RSD(account (default) @ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa) in role:0aab3f14-2c04-46a1-9638-8d6332bd237b(Google))
{...resource/instance-3}googlePrincipalName =>
DeltaSetTriple:
zero:
plus:
minus:
ItemValueWithOrigin:
itemValue:
morgan at oregonstate.edu
mapping: M({...resource/instance-3}googlePrincipalName = PVDeltaSetTriple(zero: [PPV(String:morgan at oregonstate.edu)]; plus: []; minus: []; ))
construction: Construction(RSD(account (default) @ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa) in role:0aab3f14-2c04-46a1-9638-8d6332bd237b(Google))
Account squeezed auxiliary object classes:
{...common/common-3}auxiliaryObjectClass =>
DeltaSetTriple:
minus:
ItemValueWithOrigin:
itemValue:
{...resource/instance-3}googlePerson
mapping: extractor(auxiliary object class construction Construction(RSD(account (default) @ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa) in role:0aab3f14-2c04-46a1-9638-8d6332bd237b(Google)))
construction: Construction(RSD(account (default) @ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa) in role:0aab3f14-2c04-46a1-9638-8d6332bd237b(Google))
(summarized, of course)
When it executes the next step, "PROJECTOR (INITIAL) context projection
reconciliation of resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa(ONID LDAP
DEV)(default)", I get a schema violation:
Error modifying LDAP entry osuuid=78013514100,ou=people,o=midpointdev:
[remove:googlePrincipalName: morgan at oregonstate.edu,remove:objectClass:
googlePerson,]: objectClassViolation: (65)
The googlePerson objectclass cannot be removed while the googleMailEnabled
attribute is still present.
Why won't midPoint remove the googleMailEnabled attribute?
I tried to set a range on the googleMailEnabled attribute mapping to make
midPoint authoritative for all values, but I kept getting a NPE. This is
the mapping I tried to use (in the role):
<attribute>
  <ref>ri:googleMailEnabled</ref>
  <outbound>
    <strength>weak</strength>
    <expression>
      <value>1</value>
    </expression>
    <target>
      <set>
        <condition>
          <script>
            <code>true</code>
          </script>
        </condition>
      </set>
    </target>
  </outbound>
</attribute>
How do I define a range that returns true for all values?
Thanks,
Andy Morgan
Systems Administrator, Identity & Access Management
Information Services | Oregon State University
541-737-8877 | is.oregonstate.edu
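Added example (not part of the original post, and not code from the midPoint project): a complete role object for the "Google" inducement above, with the googleMailEnabled mapping given an explicit range. The trace in the post shows why the attribute survives: the minus set for the removed construction contains only what the mapping itself produces, the string "1", so the consolidated delta can delete "1" and nothing else; the account's actual value "0" is never in any set the mapping owns, hence no DELETE for it and the objectClassViolation when googlePerson goes away. A range declares which existing values the mapping is authoritative for; with the whole range claimed, the current "0" is deleted alongside the auxiliary object class. The example keeps the post's resource OID, attribute names and weak strength; it assumes a midPoint version whose schema offers the predefined value set under target/set (the documented alternative to a per-value condition script), and the role name and namespace prefixes are assumptions.

```xml
<!-- Added example role, not from the original post or the midPoint project.
     Assumes: resource OID and ri:googlePerson attributes as in the post, and
     a midPoint version whose schema provides <set><predefined>. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Google</name>
    <inducement id="1">
        <construction>
            <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa"
                         relation="org:default" type="c:ResourceType"/>
            <kind>account</kind>
            <!-- The auxiliary class is added with the construction and
                 removed with it; every attribute that belongs only to this
                 class must therefore be gone before the class is removed. -->
            <auxiliaryObjectClass>ri:googlePerson</auxiliaryObjectClass>
            <attribute>
                <ref>ri:googlePrincipalName</ref>
                <outbound>
                    <source>
                        <path>$user/extension/username</path>
                    </source>
                    <expression>
                        <script>
                            <code>username + '@oregonstate.edu'</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:googleMailEnabled</ref>
                <outbound>
                    <strength>weak</strength>
                    <expression>
                        <value>1</value>
                    </expression>
                    <!-- Range: without it, midPoint only removes the value this
                         mapping produced ("1"). With the predefined "all" set the
                         mapping is authoritative for every existing value of the
                         attribute, so a current value of "0" is also deleted when
                         the construction moves into the minus set. -->
                    <target>
                        <set>
                            <predefined>all</predefined>
                        </set>
                    </target>
                </outbound>
            </attribute>
        </construction>
    </inducement>
</role>
```

Check it the same way the post does: unassign the role, run "Preview changes", and confirm the projection delta now lists DELETE entries for both googlePrincipalName and googleMailEnabled before the auxiliaryObjectClass DELETE; only then commit. Because the mapping is weak (it writes "1" only when the attribute is empty) the range is the only thing that entitles midPoint to touch a value it did not set, so that preview is the check worth keeping on the target version.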