[midPoint] Attempt to add shadow without any attributes

Ethan Kromhout kromhout at unc.edu
Tue Sep 15 21:05:31 CEST 2020


Hi Chris,

I hit that problem with an attribute named "id" in a connector I was 
writing, that one wasn't a lot of fun to track down. I've seen this 
"shadow without attributes" thing in other connectors, I think there is 
something fundamental I'm not understanding about cases where midPoint 
isn't managing the Accounts in the resource, but I still want it to read 
or write information about those Accounts.

Thanks,

Ethan

On 9/15/20 11:15 AM, Chris Woods wrote:
> Hi Ethan,
>
> We are using the connector too. I think there are a few bugs in the 
> connector. All of our broken shadows came from this connector (the 
> schema has an "id" attribute that causes problems in midPoint)
>
> I will be doing the same as you next week, so I can report back then 
> if you like. At the moment we are only provisioning user accounts.
>
> Regards,
> Chris
>
> On 15 September 2020 at 16:45:59, Ethan Kromhout via midPoint 
> <midpoint at lists.evolveum.com> wrote:
>
>> I'm working with the experimental MS Graph connector to Azure AD. My
>> initial use case is just creating groups and updating memberships, so my
>> mappings are just an association for the AccountObjectClass and a more
>> complete set of mappings for the GroupObjectClass. The schema this
>> connector generates contains no mandatory attributes, e.g. nothing is
>> marked minOccurs="1". Group creation is working just fine, but I'm
>> having a problem with the membership management. If I go into a user
>> who is a member of an organization that should connect the user to the
>> Azure AD group, and preview a reconciliation change, it sees that it
>> should add the Azure AD group, but when I hit save on the user, the
>> change fails with this error:
>>
>> 2020-09-15 14:22:05,611 [MODEL] [pool-3-thread-16] WARN
>> (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): 
>>
>> Can't do reconciliation. Account context doesn't contain current version
>> of account.
>> 2020-09-15 14:22:05,820 [MODEL] [pool-3-thread-16] ERROR
>> (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl):
>> Attempt to add shadow without any attributes: shadow:null(null)
>> com.evolveum.midpoint.util.exception.SchemaException: Attempt to add
>> shadow without any attributes: shadow:null(null)
>>      at
>> com.evolveum.midpoint.provisioning.impl.ShadowCache.addShadowAttempt(ShadowCache.java:508)
>>
>> And indeed, no Account shadow is created for the Azure AD resource for
>> that user. If I import the Account object for that user directly
>> from the Azure AD resource, then the shadow is created, and the
>> membership in Azure AD is updated. So I'm confused as to why saving a
>> user on reconciliation would fail with this error, but an import on the
>> resource succeeds.
>>
>> Thanks for any experience or advice, I've attached the resource
>> definition in case that is of interest,
>>
>> Ethan