[midPoint] Read-Only LDAP Resource? Only pull data from LDAP resource?

Pascal PÉRICHON pascal.perichon at u-paris.fr
Fri Sep 11 14:23:10 CEST 2020


Hello,

I had the same problem. I didn't find any solution and I'm interested in 
a solution.


Le 11/09/2020 à 14:10, Oliver Schonefeld via midPoint a écrit :
> Hello,
>
> I'm new to midpoint and am still learning, so please bear with me.
>
> For my evaluation of midpoint, I started to set up a fresh copy of
> Midpoint 4.1 with Postgres.
>
> I've managed to connect to our HR system by using a CSV resource and
> data is imported and synchronized as expected.
>
> Now, for migration purposes, I'd like to import some information from a
> legacy (Open)LDAP server. I'm only interested in enriching my accounts in
> midpoint with a few attributes from LDAP (e.g. mail and uid). However, I
> don't want midpoint to push any changes to the legacy LDAP server;
> midpoint should only read the attributes I'm interested in and update
> the accounts in midpoint.
>
> I've set up an LDAP resource and I am able to connect to the LDAP server.
> The account I use to connect to the LDAP server has no write
> permissions, so I went ahead and overrode the capabilities of the
> resource using:
>      <capabilities>
>          <configured>
>              <cap:create>
>                  <cap:enabled>false</cap:enabled>
>              </cap:create>
>              <cap:update>
>                  <cap:enabled>false</cap:enabled>
>              </cap:update>
>              <cap:delete>
>                  <cap:enabled>false</cap:enabled>
>              </cap:delete>
>          </configured>
>      </capabilities>
>
>
> Now, when I try to import data from the LDAP server to midpoint, I get
> the following error:
>    Operation not supported for
> shadow:e7a471e5-531e-479b-8257-14112ab83b20($REDACTED$) in
> resource:873f6012-bac3-4b2c-9d2d-bb886b9c2213(Legacy IDS-LDAP) as
> UpdateCapabilityType is missing
>
>
> When I remove the capability override, midpoint throws the following
> exception:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error
> modifying LDAP entry $REDACTED$:
> [remove:idsWiki=TRUE,remove:idsMailRoutingAddress=$REDACTED$@mailbox.ids-mannheim.de,remove:idsPosix=TRUE,remove:idsMail=TRUE,remove:idsDisplayPub=TRUE,remove:idsVpn=TRUE,remove:objectClass=idsServices,remove:vacationStart=binary
> value 10
> bytes,remove:gidNumber=50,remove:idsDisplayWeb=TRUE,remove:vacationEnd=binary
> value 10
> bytes,remove:loginShell=/sbin/nologin,remove:vacationInfo=binary value
> 533
> bytes,remove:homeDirectory=$REDACTED$,remove:vacationActive=FALSE,remove:uidNumber=$REDACTED$,remove:idsAD=TRUE,]:
> insufficientAccessRights: (50))
>
> My synchronization reactions are configured as follows:
>              <reaction>
>                  <situation>linked</situation>
>                  <synchronize>true</synchronize>
>              </reaction>
>              <reaction>
>                  <situation>unlinked</situation>
>                  <action>
>                      <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>                  </action>
>              </reaction>
>              <!--
>              <reaction>
>                  <situation>unmatched</situation>
>                  <action>
>                      <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
>                  </action>
>              </reaction>
>              -->
>              <reaction>
>                  <situation>deleted</situation>
>                  <action>
>                      <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteShadow</handlerUri>
>                  </action>
>              </reaction>
>
> I have only inbound mapping definitions for the attributes I am
> interested in. There are no outbound definitions.
>
> So midpoint tries to synchronize the information and remove some
> attributes on the objects in the LDAP server. However, I only want to
> pull some information from the LDAP server and never write to it.
>
> What am I missing or doing wrong?
>
>
> Thank you and best regards,
>    Oliver
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
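An added example, not part of this thread: a small Python lint that checks a midPoint resource definition for the two properties Oliver's setup depends on, every write capability (create, update, delete) explicitly disabled under `<capabilities><configured>` and no `<outbound>` mapping anywhere in `<schemaHandling>`. The element layout and the common-3 / capabilities-3 namespaces are assumed from midPoint's resource schema; the sample resource is constructed and deliberately leaves `update` un-overridden.

```python
"""Lint a midPoint resource for read-only intent (added example; layout assumed)."""
import xml.etree.ElementTree as ET

NS = {
    "c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
    "cap": "http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3",
}
WRITE_CAPS = ("create", "update", "delete")

# Constructed sample: 'update' is not overridden and one attribute has an outbound mapping.
SAMPLE_RESOURCE = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
  <name>Legacy LDAP (constructed sample)</name>
  <capabilities>
    <configured>
      <cap:create><cap:enabled>false</cap:enabled></cap:create>
      <cap:delete><cap:enabled>false</cap:enabled></cap:delete>
    </configured>
  </capabilities>
  <schemaHandling>
    <objectType>
      <attribute><ref>ri:mail</ref>
        <inbound><target><path>$user/emailAddress</path></target></inbound></attribute>
      <attribute><ref>ri:description</ref>
        <outbound><source><path>$user/description</path></source></outbound></attribute>
    </objectType>
  </schemaHandling>
</resource>"""


def readonly_findings(resource_xml: str) -> list:
    """Return findings; an empty list means every write capability is
    disabled and no attribute carries an outbound mapping."""
    root = ET.fromstring(resource_xml)
    findings = []
    for cap in WRITE_CAPS:
        enabled = root.find(f"c:capabilities/c:configured/cap:{cap}/cap:enabled", NS)
        # No override means the connector's native capability stays in force.
        if enabled is None or (enabled.text or "").strip().lower() != "false":
            findings.append(f"capability '{cap}' is not disabled")
    for attr in root.iterfind(".//c:schemaHandling//c:attribute", NS):
        if attr.find("c:outbound", NS) is not None:
            ref = attr.findtext("c:ref", default="?", namespaces=NS)
            findings.append(f"attribute {ref} has an outbound mapping")
    return findings


if __name__ == "__main__":
    for line in readonly_findings(SAMPLE_RESOURCE):
        print(line)
```

Run it against an exported resource object before importing into midPoint; an empty result only shows the definition matches the read-only intent, it does not replace testing against a non-privileged bind account as Oliver did.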