[midPoint] Read-Only LDAP-Resource? Only pull data from LDAP resource?

Ethan Kromhout kromhout at unc.edu
Fri Sep 11 20:47:35 CEST 2020


Hi Oliver,

I understand, and I was trying to do the same thing when I had a similar 
issue. Not having those posix objectclasses in the schema of my resource 
configuration made it attempt to remove those attributes even though I 
had no outbound mappings and had create, update, and delete disabled. 
Might be worth sharing your resource config if you have a sanitized version.

Ethan
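Added example, not code from this thread or from midPoint: a small Python diagnostic that parses the ConnId PermissionDeniedException text and the resource's <capabilities> XML as quoted in the thread, and reports which attributes the IdM attempted to remove from the directory (and which of them belong to the RFC 2307 posixAccount object class, the missing-objectclass case Ethan describes). The sample error and XML are constructed from the thread with values redacted; the capabilities namespace URI is an assumption and is not relied on.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the connector error quoted in the thread (shortened, values redacted).
ERROR_TEXT = (
    "org.identityconnectors.framework.common.exceptions.PermissionDeniedException("
    "Error modifying LDAP entry $REDACTED$: [remove:idsWiki=TRUE,"
    "remove:objectClass=idsServices,remove:vacationStart=binary value 10 bytes,"
    "remove:gidNumber=50,remove:loginShell=/sbin/nologin,"
    "remove:homeDirectory=$REDACTED$,remove:uidNumber=$REDACTED$,]: "
    "insufficientAccessRights: (50))"
)

# Constructed sample: the capabilities override from the original post (namespace URI assumed).
CAPABILITIES_XML = """<capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
  <configured>
    <cap:create><cap:enabled>false</cap:enabled></cap:create>
    <cap:update><cap:enabled>false</cap:enabled></cap:update>
    <cap:delete><cap:enabled>false</cap:enabled></cap:delete>
  </configured>
</capabilities>"""

# RFC 2307 posixAccount attributes (MUST and MAY), used to classify removed attributes.
POSIX_ACCOUNT_ATTRS = {"uidNumber", "gidNumber", "homeDirectory", "loginShell", "gecos"}

# One "op:attribute=value" entry in the connector's modification list.
MOD_RE = re.compile(r"(add|remove|replace):([\w-]+)=([^,\]]*)")


def parse_modifications(error_text):
    """Return [(op, attribute, value)] from the '[op:attr=value,...]' list in the error."""
    start, end = error_text.find("["), error_text.rfind("]")
    if start < 0 or end < start:
        return []
    return [m.groups() for m in MOD_RE.finditer(error_text[start:end])]


def disabled_capabilities(xml_text):
    """Return the set of capability names (create/update/delete) configured with enabled=false."""
    local = lambda tag: tag.split("}")[-1]  # ignore the XML namespace prefix
    configured = [e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "configured"]
    if not configured:
        return set()
    return {local(cap.tag) for cap in configured[0]
            if any(local(c.tag) == "enabled" and (c.text or "").strip() == "false" for c in cap)}


def audit_write_attempt(error_text, xml_text):
    """Summarise the attempted write so an operator can see what the resource config missed."""
    mods = parse_modifications(error_text)
    removed = [attr for op, attr, _ in mods if op == "remove"]
    return {
        "operations": mods,
        "object_classes_removed": [val for op, attr, val in mods if op == "remove" and attr == "objectClass"],
        "posix_attributes_removed": [a for a in removed if a in POSIX_ACCOUNT_ATTRS],
        "update_disabled": "update" in disabled_capabilities(xml_text),
        "denied_by_directory": "insufficientAccessRights" in error_text,
    }
```

A read-only bind account, as used in the thread, is the backstop that turned this misconfiguration into a denied request rather than a silent modification; the report above shows what would have been written.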

On 9/11/20 2:05 PM, Oliver Schonefeld via midPoint wrote:
> Hi Ethan,
>
> Am 11.09.2020 um 15:56 schrieb Ethan Kromhout via midPoint:
>> I think I remember something like this from a similar configuration I
>> was working on recently. The attributes appear to be posix related, in
>> schema you import from OpenLDAP, are you getting posixGroup and
>> posixAccount attributes?
> It's a custom schema based on inetOrgPerson with mixed in posix related
> attributes and other attributes, as well as custom defined attributes.
>
> But I just want to pull some data from the LDAP server and don't care
> about most of the attributes.
>
> I'd like to tell midpoint to just read some stuff but not care
> otherwise about the data in the directory.
>
> Best
>    Oliver
>
>
>
>> On 9/11/20 8:10 AM, Oliver Schonefeld via midPoint wrote:
>>> Hello,
>>>
>>> I'm new to midpoint and am still learning, so please bear with me.
>>>
>>> For my evaluation of midpoint, I started to set up a fresh copy of
>>> Midpoint 4.1 with Postgres.
>>>
>>> I've managed to connect to our HR system by using a CSV resource, and
>>> data is imported and synchronized as expected.
>>>
>>> Now, for migration purposes, I'd like to import some information from a
>>> legacy (Open)LDAP server. I'm only interested in enriching my accounts in
>>> midpoint with a few attributes from LDAP (e.g. mail and uid). However, I
>>> don't want midpoint to push any changes to the legacy LDAP server;
>>> midpoint should only read the attributes I'm interested in and update
>>> the accounts in midpoint.
>>>
>>> I've set up an LDAP resource and I am able to connect to the LDAP server.
>>> The account I use to connect to the LDAP server has no write
>>> permissions, so I went ahead and overrode the capabilities of the
>>> resource using:
>>>     <capabilities>
>>>         <configured>
>>>             <cap:create>
>>>                 <cap:enabled>false</cap:enabled>
>>>             </cap:create>
>>>             <cap:update>
>>>                 <cap:enabled>false</cap:enabled>
>>>             </cap:update>
>>>             <cap:delete>
>>>                 <cap:enabled>false</cap:enabled>
>>>             </cap:delete>
>>>         </configured>
>>>     </capabilities>
>>>
>>>
>>> Now, when I try to import data from the LDAP server to midpoint, I get
>>> the following error:
>>>     Operation not supported for
>>> shadow:e7a471e5-531e-479b-8257-14112ab83b20($REDACTED$) in
>>> resource:873f6012-bac3-4b2c-9d2d-bb886b9c2213(Legacy IDS-LDAP) as
>>> UpdateCapabilityType is missing
>>>
>>>
>>> When I remove the capability override, midpoint throws the following
>>> exception:
>>> org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error modifying LDAP entry $REDACTED$: [remove:idsWiki=TRUE,remove:idsMailRoutingAddress=$REDACTED$@mailbox.ids-mannheim.de,remove:idsPosix=TRUE,remove:idsMail=TRUE,remove:idsDisplayPub=TRUE,remove:idsVpn=TRUE,remove:objectClass=idsServices,remove:vacationStart=binary value 10 bytes,remove:gidNumber=50,remove:idsDisplayWeb=TRUE,remove:vacationEnd=binary value 10 bytes,remove:loginShell=/sbin/nologin,remove:vacationInfo=binary value 533 bytes,remove:homeDirectory=$REDACTED$,remove:vacationActive=FALSE,remove:uidNumber=$REDACTED$,remove:idsAD=TRUE,]: insufficientAccessRights: (50))
>>>
>>> My synchronization reactions are configured as follows:
>>>               <reaction>
>>>                   <situation>linked</situation>
>>>                   <synchronize>true</synchronize>
>>>               </reaction>
>>>               <reaction>
>>>                   <situation>unlinked</situation>
>>>                   <action>
>>>                       <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>>>                   </action>
>>>               </reaction>
>>>               <!--
>>>               <reaction>
>>>                   <situation>unmatched</situation>
>>>                   <action>
>>>                       <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
>>>                   </action>
>>>               </reaction>
>>>               -->
>>>               <reaction>
>>>                   <situation>deleted</situation>
>>>                   <action>
>>>                       <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteShadow</handlerUri>
>>>                   </action>
>>>               </reaction>
>>>
>>> I have only inbound mapping definitions for the attributes I am
>>> interested in. There are no outbound definitions.
>>>
>>> So midpoint tries to synchronize the information and remove some
>>> attributes on the objects in the LDAP server. However, I only want to
>>> pull some information from the LDAP server and never write to it.
>>>
>>> What am I missing or doing wrong?
>>>
>>>
>>> Thank you and best regards,
>>>     Oliver
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> https://lists.evolveum.com/mailman/listinfo/midpoint