[midPoint] Attempt to add shadow without any attributes

Chris Woods chris at cmwoods.com
Tue Sep 15 17:15:00 CEST 2020


Hi Ethan,

We are using the connector too. I think there are a few bugs in the
connector. All of our broken shadows came from this connector (the schema
has an "id" attribute that causes problems in midPoint).

I will be doing the same as you next week, so I can report back then if you 
like. At the moment we are only provisioning user accounts.

Regards,
Chris

On 15 September 2020 16:45:59, Ethan Kromhout via midPoint
<midpoint at lists.evolveum.com> wrote:

> I'm working with the experimental MS Graph connector to Azure AD. My
> initial use case is just creating groups and updating memberships, so my
> mappings are just an association for the AccountObjectClass and a more
> complete set of mappings for the GroupObjectClass. The schema this
> connector generates contains no mandatory attributes, e.g. nothing is
> marked minOccurs="1". Group creation is working just fine, but I'm
> having a problem with the membership management. If I go into a user
> who is a member of an organization that should connect the user to the
> Azure AD group, and preview a reconciliation change, it sees that it
> should add the Azure AD group, but when I hit save on the user, the
> change fails with this error:
>
> 2020-09-15 14:22:05,611 [MODEL] [pool-3-thread-16] WARN
> (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor):
> Can't do reconciliation. Account context doesn't contain current version
> of account.
> 2020-09-15 14:22:05,820 [MODEL] [pool-3-thread-16] ERROR
> (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl):
> Attempt to add shadow without any attributes: shadow:null(null)
> com.evolveum.midpoint.util.exception.SchemaException: Attempt to add
> shadow without any attributes: shadow:null(null)
>     at
> com.evolveum.midpoint.provisioning.impl.ShadowCache.addShadowAttempt(ShadowCache.java:508)
>
> And indeed, no Account shadow is created for the Azure AD resource for
> that user. If I import the Account object for that user directly
> from the Azure AD resource, then the shadow is created, and the
> membership in Azure AD is updated. So I'm confused as to why saving a
> user on reconciliation would fail with this error, but an import on the
> resource succeeds.
>
> Thanks for any experience or advice, I've attached the resource
> definition in case that is of interest,
>
> Ethan
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
