[midPoint] Read-Only LDAP Resource? Only pull data from LDAP resource?

Oliver Schonefeld schonefeld at ids-mannheim.de
Fri Sep 11 14:10:58 CEST 2020


Hello,

I'm new to midPoint and am still learning, so please bear with me.

For my evaluation of midPoint, I started to set up a fresh copy of
midPoint 4.1 with Postgres.

I've managed to connect to our HR system by using a CSV resource, and
data is imported and synchronized as expected.

Now, for migration purposes, I'd like to import some information from a
legacy (Open)LDAP server. I'm only interested in enriching my accounts in
midPoint with a few attributes from LDAP (e.g. mail and uid). However, I
don't want midPoint to push any changes to the legacy LDAP server;
midPoint should only read the attributes I'm interested in and update
the accounts in midPoint.

I've set up an LDAP resource and I am able to connect to the LDAP server.
The account I use to connect to the LDAP server has no write
permissions, so I went ahead and overrode the capabilities of the
resource using:
  <capabilities>
    <configured>
      <!-- Connector-level write operations disabled: midPoint should
           never create, modify or delete entries on this resource. -->
      <cap:create>
        <cap:enabled>false</cap:enabled>
      </cap:create>
      <cap:update>
        <cap:enabled>false</cap:enabled>
      </cap:update>
      <cap:delete>
        <cap:enabled>false</cap:enabled>
      </cap:delete>
    </configured>
  </capabilities>


Now, when I try to import data from the LDAP server into midPoint, I get
the following error:
  Operation not supported for
  shadow:e7a471e5-531e-479b-8257-14112ab83b20($REDACTED$) in
  resource:873f6012-bac3-4b2c-9d2d-bb886b9c2213(Legacy IDS-LDAP) as
  UpdateCapabilityType is missing


When I remove the capability override, midPoint throws the following
exception:
  org.identityconnectors.framework.common.exceptions.PermissionDeniedException(
    Error modifying LDAP entry $REDACTED$: [
      remove:idsWiki=TRUE,
      remove:idsMailRoutingAddress=$REDACTED$@mailbox.ids-mannheim.de,
      remove:idsPosix=TRUE,
      remove:idsMail=TRUE,
      remove:idsDisplayPub=TRUE,
      remove:idsVpn=TRUE,
      remove:objectClass=idsServices,
      remove:vacationStart=binary value 10 bytes,
      remove:gidNumber=50,
      remove:idsDisplayWeb=TRUE,
      remove:vacationEnd=binary value 10 bytes,
      remove:loginShell=/sbin/nologin,
      remove:vacationInfo=binary value 533 bytes,
      remove:homeDirectory=$REDACTED$,
      remove:vacationActive=FALSE,
      remove:uidNumber=$REDACTED$,
      remove:idsAD=TRUE,
    ]: insufficientAccessRights: (50))

My synchronization reactions are configured as follows:
  <!-- Account already linked to a user: just synchronize (inbound mappings). -->
  <reaction>
    <situation>linked</situation>
    <synchronize>true</synchronize>
  </reaction>
  <!-- Account matches an existing user but is not linked yet: link it. -->
  <reaction>
    <situation>unlinked</situation>
    <action>
      <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
    </action>
  </reaction>
  <!--
  <reaction>
    <situation>unmatched</situation>
    <action>
      <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
    </action>
  </reaction>
  -->
  <!-- Account disappeared from LDAP: only remove the shadow in midPoint. -->
  <reaction>
    <situation>deleted</situation>
    <action>
      <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteShadow</handlerUri>
    </action>
  </reaction>

I have only inbound mapping definitions for the attributes I am
interested in. There are no outbound definitions.

So midPoint tries to synchronize the information and remove some
attributes on the objects in the LDAP server. However, I only want to
pull some information from the LDAP server and never write to it.

What am I missing or doing wrong?


Thank you and best regards,
  Oliver
-- 
Oliver Schonefeld
Leibniz-Institut für Deutsche Sprache, Informationstechnik (IT)
R5, 6-13, D-68161 Mannheim
+49-(0)621-1581-168 | http://www.ids-mannheim.de
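The read-only setup the message asks about, as an added example that is not part of the original post and not midPoint's own code: a small Python check that parses a midPoint resource definition and reports anything that would let midPoint write to the connected system, i.e. a create/update/delete capability that is not overridden to disabled under capabilities/configured, and any outbound mapping in schemaHandling. The two resource documents are constructed samples; the namespace URIs are midPoint's, but the object-type contents, attribute refs and user paths are assumptions made for the example. The rule that a capability element without an <enabled> child counts as enabled is also an assumption of this check.

```python
import xml.etree.ElementTree as ET

# Namespaces used in midPoint resource objects.
NS = {
    "c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
    "cap": "http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3",
}

# Constructed sample: capability override like the one in the mail, inbound mappings only.
READ_ONLY_RESOURCE = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
  <name>Legacy LDAP (read-only)</name>
  <capabilities>
    <configured>
      <cap:create><cap:enabled>false</cap:enabled></cap:create>
      <cap:update><cap:enabled>false</cap:enabled></cap:update>
      <cap:delete><cap:enabled>false</cap:enabled></cap:delete>
    </configured>
  </capabilities>
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <attribute>
        <ref>ri:mail</ref>
        <inbound><target><path>emailAddress</path></target></inbound>
      </attribute>
      <attribute>
        <ref>ri:uid</ref>
        <inbound><target><path>name</path></target></inbound>
      </attribute>
    </objectType>
  </schemaHandling>
</resource>"""

# Constructed sample: only create is overridden and one attribute has an outbound mapping.
LEAKY_RESOURCE = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
  <name>Legacy LDAP (writes possible)</name>
  <capabilities>
    <configured>
      <cap:create><cap:enabled>false</cap:enabled></cap:create>
    </configured>
  </capabilities>
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <attribute>
        <ref>ri:mail</ref>
        <inbound><target><path>emailAddress</path></target></inbound>
        <outbound><source><path>emailAddress</path></source></outbound>
      </attribute>
    </objectType>
  </schemaHandling>
</resource>"""


def configured_write_caps(root):
    """Map create/update/delete to True (enabled), False (disabled) or None (no override)."""
    caps = {}
    for name in ("create", "update", "delete"):
        node = root.find(f"c:capabilities/c:configured/cap:{name}", NS)
        if node is None:
            caps[name] = None
            continue
        enabled = node.find("cap:enabled", NS)
        # Assumption: a capability element without <enabled> means enabled.
        caps[name] = enabled is None or (enabled.text or "").strip().lower() != "false"
    return caps


def outbound_mappings(root):
    """List 'kind/intent target' for every outbound mapping found in schemaHandling."""
    found = []
    for ot in root.findall("c:schemaHandling/c:objectType", NS):
        kind = ot.findtext("c:kind", "?", NS)
        intent = ot.findtext("c:intent", "?", NS)
        for attr in ot.findall("c:attribute", NS):
            if attr.find("c:outbound", NS) is not None:
                found.append(f"{kind}/{intent} {attr.findtext('c:ref', '?', NS)}")
        # Outbound mappings may also sit under activation or credentials.
        for section in ("activation", "credentials"):
            sec = ot.find(f"c:{section}", NS)
            if sec is not None and sec.findall(".//c:outbound", NS):
                found.append(f"{kind}/{intent} {section}")
    return found


def lint_read_only(xml_text):
    """Return a list of findings; an empty list means the resource declares itself read-only."""
    root = ET.fromstring(xml_text)
    findings = []
    for name, enabled in configured_write_caps(root).items():
        if enabled is None:
            findings.append(f"{name}: no configured override, native connector capability applies")
        elif enabled:
            findings.append(f"{name}: explicitly enabled")
    for target in outbound_mappings(root):
        findings.append(f"outbound mapping present: {target}")
    return findings


if __name__ == "__main__":
    for label, doc in (("read-only", READ_ONLY_RESOURCE), ("leaky", LEAKY_RESOURCE)):
        print(label, lint_read_only(doc) or "OK")
```

The check only inspects what the resource declares. As the message shows, midPoint can still compute a modification for a shadow even with inbound-only mappings; the configured capability override is then the first layer that stops it (the "UpdateCapabilityType is missing" error), and the bind account's missing write rights on the LDAP server are the independent second layer (the insufficientAccessRights (50) error once the override was removed). Keeping both is what makes the resource read-only in practice rather than only on paper.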

