[midPoint] DeltaBuilder for ShadowType - add an attribute value to the resource - Undefined or dynamic path error
Frédéric Lohier
frederic at lohier.org
Thu Apr 8 18:26:37 CEST 2021
Hello Pavol,
Thank you for the suggested workaround and the jira issue, but I could not
make it work. The closest I got was:

    def delta = DeltaBuilder.deltaFor(ShadowType.class, prismContext)
        .item(ItemPath.create(ShadowType.F_ATTRIBUTES, "pwdReset"), pwdResetDefinition)
        .replace("TRUE")
        .asObjectDelta(projection.getOid())

But, I don’t know how to get the ResourceAttributeDefinition for my
pwdResetDefinition variable.
As a workaround, I tried to modify the user’s
credentials/password/forceChange attribute and add a mapping to the
ri:pwdReset attribute but I also could not make it work. The deltabuilder
in the credential mapping works, I can see that the user’s forceChange
attribute is set to TRUE when I edit the password through the GUI, *but
this change is not synced to the resource*.
How could this behaviour be explained? What am I missing?
I checked that my pwdReset outbound mapping works: if I manually set the
forceChange attribute through the GUI, then the resource’s pwdReset
attribute is set to TRUE.
For reference, the aforementioned mappings:
<credentials>
    <password>
        <outbound>
            <name>Password and pwdReset (to force the password reset by user)</name>
            <strength>strong</strength>
            <channel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</channel>
            <expression>
                <script>
                    <code>
                        // If password modification comes from a Midpoint admin (channel #user),
                        // then we set the credentials/password/forceChange user’s attribute to true,
                        // which will then be synced to the Open LDAP pwdReset attribute
                        // (this will force the user to reset his password)
                        import com.evolveum.midpoint.prism.impl.delta.builder.*
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.*
                        import com.evolveum.prism.xml.ns._public.types_3.*

                        def prismContext = midpoint.getPrismContext()
                        def delta = DeltaBuilder.deltaFor(UserType.class, prismContext)
                            .item(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD, PasswordType.F_FORCE_CHANGE)
                            .replace("TRUE")
                            .asObjectDelta(focus.getOid())
                        midpoint.modifyObject(delta, null)

                        // Then we return the password value anyway
                        return input
                    </code>
                </script>
            </expression>
        </outbound>
        <outbound>
            <name> Simple password mapping</name>
            <description>We apply this mapping every time, except if the modification is done on the Midpoint GUI (by an IDM admin)</description>
            <strength>strong</strength>
            <exceptChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</exceptChannel>
        </outbound>
        <inbound/>
    </password>
</credentials>
<attribute>
    <ref>ri:pwdReset</ref>
    <tolerant>true</tolerant>
    <outbound>
        <channel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</channel>
        <strength>strong</strength>
        <source>
            <path>$focus/credentials/password/forceChange</path>
        </source>
    </outbound>
    <inbound>
        <exceptChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</exceptChannel>
        <strength>strong</strength>
        <target>
            <path>$focus/credentials/password/forceChange</path>
        </target>
    </inbound>
</attribute>
Logs when I modify the password value of a user through the midpoint GUI
(the delta I am building in the credentials mapping is mentioned as
« debugdelta ») :
2021-04-08 18:08:45,012 [MODEL] [pool-3-thread-142] INFO
(com.evolveum.midpoint.expression): - *debugdelta:*
*ObjectDelta<UserType>(UserType:a0d85100-354e-450d-9ad1-8d2028d8336c,MODIFY):*
*credentials/password/forceChange*
* ADD: TRUE*
2021-04-08 18:08:45,298 [MODEL] [pool-3-thread-142] DEBUG
(com.evolveum.midpoint.model.impl.lens.Clockwork): Context rot: projection
LensProjectionContext(ShadowType:574a2c41-b0ea-45a1-b006-3e0f980165f7 on
resource:xxxx (Arobas - IDP LDAP)) rotten because of executable delta
ObjectDelta(ShadowType:574a2c41-b0ea-45a1-b006-3e0f980165f7,MODIFY:
PropertyDeltaImpl(attributes / {.../resource/instance-3}pwdReset, REPLACE))
2021-04-08 18:08:45,298 [MODEL] [pool-3-thread-142] DEBUG
(com.evolveum.midpoint.model.impl.lens.Clockwork): Context rot: context
rotten because of focus execution delta
ObjectDelta(UserType:a0d85100-354e-450d-9ad1-8d2028d8336c,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}forceChange,
ADD), PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyChannel, REPLACE),
PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTimestamp, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifierRef, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTaskRef, REPLACE))
2021-04-08 18:08:45,400 [MODEL] [pool-3-thread-142] DEBUG
(com.evolveum.midpoint.model.impl.lens.Clockwork):
###[ CLOCKWORK SUMMARY ]######################################
Channel: http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user
Triggered by focus primary delta
ObjectDelta(UserType:a0d85100-354e-450d-9ad1-8d2028d8336c,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}*forceChange,
ADD*))
Focus: focus(user:a0d85100-354e-450d-9ad1-8d2028d8336c(admlutunp))
Projections (1):
account(ID {.../resource/instance-3}entryUUID = [
a4407a92-56fa-103a-868e-afc68d38775e ], type 'default',
resource:d0811790-1d80-11e4-86b2-3c970e467874(Arobas - IDP LDAP)): KEEP
Executed:
ObjectDelta(UserType:a0d85100-354e-450d-9ad1-8d2028d8336c,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}forceChange,
ADD), PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyChannel, REPLACE),
PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTimestamp, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifierRef, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTaskRef, REPLACE), PropertyDeltaImpl(metadata /
{.../common/common-3}lastProvisioningTimestamp, REPLACE),
PropertyDeltaImpl(metadata / {.../common/common-3}modifyChannel, REPLACE),
PropertyDeltaImpl(metadata / {.../common/common-3}modifyTimestamp,
REPLACE), ReferenceDeltaImpl(metadata / {.../common/common-3}modifierRef,
REPLACE), ReferenceDeltaImpl(metadata / {.../common/common-3}modifyTaskRef,
REPLACE), ReferenceDeltaImpl(metadata /
{.../common/common-3}modifyApproverRef, REPLACE),
PropertyDeltaImpl(metadata / {.../common/common-3}modifyApprovalComment,
REPLACE)): SUCCESS
ObjectDelta(ShadowType:574a2c41-b0ea-45a1-b006-3e0f980165f7,MODIFY:
PropertyDeltaImpl(attributes / {.../resource/instance-3}pwdReset, REPLACE),
PropertyDeltaImpl(metadata / {.../common/common-3}modifyChannel, REPLACE),
PropertyDeltaImpl(metadata / {.../common/common-3}modifyTimestamp,
REPLACE), ReferenceDeltaImpl(metadata / {.../common/common-3}modifierRef,
REPLACE), ReferenceDeltaImpl(metadata / {.../common/common-3}modifyTaskRef,
REPLACE), ReferenceDeltaImpl(metadata /
{.../common/common-3}modifyApproverRef, REPLACE),
PropertyDeltaImpl(metadata / {.../common/common-3}modifyApprovalComment,
REPLACE)): SUCCESS
##############################################################
2021-04-08 18:08:45,465 [MODEL] [pool-3-thread-142] INFO
(com.evolveum.midpoint.expression): - *debugdelta:*
*ObjectDelta<UserType>(UserType:a0d85100-354e-450d-9ad1-8d2028d8336c,MODIFY):*
* credentials/password/forceChange*
* ADD: TRUE*
2021-04-08 18:08:45,623 [MODEL] [pool-3-thread-142] DEBUG
(com.evolveum.midpoint.model.impl.lens.Clockwork): Context rot: context
rotten because of focus execution delta
ObjectDelta(UserType:a0d85100-354e-450d-9ad1-8d2028d8336c,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}forceChange,
ADD), PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyChannel, REPLACE),
PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTimestamp, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifierRef, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTaskRef, REPLACE))
2021-04-08 18:08:45,679 [MODEL] [pool-3-thread-142] DEBUG
(com.evolveum.midpoint.model.impl.lens.Clockwork):
###[ CLOCKWORK SUMMARY ]######################################
Channel: http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user
Triggered by focus primary delta
ObjectDelta(UserType:a0d85100-354e-450d-9ad1-8d2028d8336c,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}*forceChange,
ADD*))
Focus: focus(user:a0d85100-354e-450d-9ad1-8d2028d8336c(admlutunp))
Projections (1):
account(ID {.../resource/instance-3}entryUUID = [
a4407a92-56fa-103a-868e-afc68d38775e ], type 'default', resource:xxx(Arobas
- IDP LDAP)): KEEP
Executed:
ObjectDelta(UserType:a0d85100-354e-450d-9ad1-8d2028d8336c,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}forceChange,
ADD), PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyChannel, REPLACE),
PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTimestamp, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifierRef, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTaskRef, REPLACE), PropertyDeltaImpl(metadata /
{.../common/common-3}modifyChannel, REPLACE), PropertyDeltaImpl(metadata /
{.../common/common-3}modifyTimestamp, REPLACE), ReferenceDeltaImpl(metadata
/ {.../common/common-3}modifierRef, REPLACE), ReferenceDeltaImpl(metadata /
{.../common/common-3}modifyTaskRef, REPLACE), ReferenceDeltaImpl(metadata /
{.../common/common-3}modifyApproverRef, REPLACE),
PropertyDeltaImpl(metadata / {.../common/common-3}modifyApprovalComment,
REPLACE)): SUCCESS
##############################################################
2021-04-08 18:08:45,929 [MODEL] [pool-3-thread-142] DEBUG
(com.evolveum.midpoint.model.impl.lens.Clockwork): Context rot: context
rotten because of focus execution delta
ObjectDelta(UserType:a0d85100-354e-450d-9ad1-8d2028d8336c,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}value,
REPLACE), PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyChannel, REPLACE),
PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTimestamp, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifierRef, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTaskRef, REPLACE))
2021-04-08 18:08:46,009 [MODEL] [pool-3-thread-142] DEBUG
(com.evolveum.midpoint.model.impl.lens.Clockwork):
###[ CLOCKWORK SUMMARY ]######################################
Channel: http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user
Triggered by focus primary delta
ObjectDelta(UserType:a0d85100-354e-450d-9ad1-8d2028d8336c,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}*value,
REPLACE*))
Focus: focus(user:a0d85100-354e-450d-9ad1-8d2028d8336c(admlutunp))
Projections (1):
account(ID {.../resource/instance-3}entryUUID = [
a4407a92-56fa-103a-868e-afc68d38775e ], type 'default', resource:xxx(Arobas
- IDP LDAP)): KEEP
Executed:
ObjectDelta(UserType:a0d85100-354e-450d-9ad1-8d2028d8336c,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}value,
REPLACE), PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyChannel, REPLACE),
PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTimestamp, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifierRef, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTaskRef, REPLACE), PropertyDeltaImpl(metadata /
{.../common/common-3}lastProvisioningTimestamp, REPLACE),
PropertyDeltaImpl(metadata / {.../common/common-3}modifyChannel, REPLACE),
PropertyDeltaImpl(metadata / {.../common/common-3}modifyTimestamp,
REPLACE), ReferenceDeltaImpl(metadata / {.../common/common-3}modifierRef,
REPLACE), ReferenceDeltaImpl(metadata / {.../common/common-3}modifyTaskRef,
REPLACE), ReferenceDeltaImpl(metadata /
{.../common/common-3}modifyApproverRef, REPLACE),
PropertyDeltaImpl(metadata / {.../common/common-3}modifyApprovalComment,
REPLACE)): SUCCESS
ObjectDelta(ShadowType:574a2c41-b0ea-45a1-b006-3e0f980165f7,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}value,
REPLACE), PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyChannel, REPLACE),
PropertyDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTimestamp, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifierRef, REPLACE),
ReferenceDeltaImpl(credentials/password/metadata /
{.../common/common-3}modifyTaskRef, REPLACE), PropertyDeltaImpl(metadata /
{.../common/common-3}modifyChannel, REPLACE), PropertyDeltaImpl(metadata /
{.../common/common-3}modifyTimestamp, REPLACE), ReferenceDeltaImpl(metadata
/ {.../common/common-3}modifierRef, REPLACE), ReferenceDeltaImpl(metadata /
{.../common/common-3}modifyTaskRef, REPLACE), ReferenceDeltaImpl(metadata /
{.../common/common-3}modifyApproverRef, REPLACE),
PropertyDeltaImpl(metadata / {.../common/common-3}modifyApprovalComment,
REPLACE)): SUCCESS
##############################################################
On Thu, Apr 8, 2021, 08:32 Pavol Mederly via midPoint <
midpoint at lists.evolveum.com> wrote:
> Hello Frédéric,
>
> unfortunately I have currently no time to analyze your specific problem,
> but the issue you see with the delta builder is an inherent limitation of
> that API. For more information and a suggested workaround please see
> https://jira.evolveum.com/browse/MID-6981.
>
> Best regards,
>
> --
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 07/04/2021 17:27, Frédéric Lohier via midPoint wrote:
>
> Hello,
>
>
>
> Following up my last email « Set resource attribute pwdReset when password
> changed by Midpoint GUI by IDM admin », I think the password mapping using
> channels is the way to go.
>
> What I want to do now is to set this attribute in the password mapping
> context using groovy. This attribute exists in the resource schema as an
> operational attribute and I can manually set this attribute for a user
> through midpoint GUI (edit projection tab).
>
>
>
> My guess is that I have to « build a delta » for the corresponding shadow
> object. Am I right?
>
>
>
> I know the shadow OID thanks to the projection variable
> (projection.getOid()), I tried to build the delta using some examples
> around, but I get the error « Undefined or dynamic path: pwdReset in: CTD
> ({.../common/common-3}ShadowType) ». Any idea of what I am doing wrong?
>
>
>
> The full password mapping :
>
>
>
> <credentials>
>     <password>
>         <outbound>
>             <name>Password and pwdReset (to force the password reset by user)</name>
>             <strength>strong</strength>
>             <channel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</channel>
>             <expression>
>                 <script>
>                     <code>
>                         // If password modification comes from a Midpoint admin (channel #user),
>                         // then we set the Open LDAP pwdReset attribute to TRUE
>                         // (this will force the user to reset his password)
>                         import com.evolveum.midpoint.prism.impl.delta.builder.*
>                         import com.evolveum.midpoint.xml.ns._public.common.common_3.*
>                         import com.evolveum.prism.xml.ns._public.types_3.*
>
>                         def prismContext = midpoint.getPrismContext()
>                         def shadowOid = projection.getOid()
>                         def delta = DeltaBuilder.deltaFor(ShadowType.class, prismContext)
>                             .item(ShadowType.F_ATTRIBUTES, "pwdReset")
>                             .add("TRUE")
>                             .asObjectDelta(shadowOid)
>                         midpoint.modifyObject(delta, null)
>
>                         // Then we return the password value anyway
>                         return input
>                     </code>
>                 </script>
>             </expression>
>         </outbound>
>         <outbound>
>             <name> Simple password mapping</name>
>             <description>We apply this mapping every time, except if the modification is done on the Midpoint GUI (by an IDM admin)</description>
>             <strength>strong</strength>
>             <exceptChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</exceptChannel>
>         </outbound>
>         <inbound/>
>     </password>
> </credentials>
>
> Error:
>
> java.lang.IllegalArgumentException: Undefined or dynamic path: pwdReset in: CTD ({.../common/common-3}ShadowType)
>     at com.evolveum.midpoint.prism.impl.delta.builder.DeltaBuilder.item(DeltaBuilder.java:92)
>     at com.evolveum.midpoint.prism.impl.delta.builder.DeltaBuilder.item(DeltaBuilder.java:85)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.codehaus.groovy.runtime.callsite.PlainObjectMetaMethodSite.doInvoke(PlainObjectMetaMethodSite.java:43)
>     at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoCachedMethodSite.invoke(PojoMetaMethodSite.java:188)
>     at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53)
>     at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
>     at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:115)
>     at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127)
>     at expression_in_mapping_'Password_and_pwdReset_(to_force_the_password_reset_by_user)'_in_password_mapping_in_projection_(account_(default)_on_resource_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx(LDAP)).run(expression in mapping 'Password_and_pwdReset_(to_force_the_password_reset_by_user)' in password mapping in projection (account (default) on resource: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (LDAP)):13)
>     at com.evolveum.midpoint.model.common.expression.script.groovy.GroovyScriptEvaluator.evaluateScript(GroovyScriptEvaluator.java:203)
>     at com.evolveum.midpoint.model.common.expression.script.groovy.GroovyScriptEvaluator.evaluateScript(GroovyScriptEvaluator.java:50)
>     at com.evolveum.midpoint.model.common.expression.script.AbstractCachingScriptEvaluator.evaluate(AbstractCachingScriptEvaluator.java:76)
>     ... 36 common frames omitted
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
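
Added example (not part of the original message and not midPoint code): a small Python parser for Clockwork summary blocks in the shape quoted in the logs above. It lists, per run, which item deltas were executed on which object, so one can check whether a given shadow attribute was actually written. The sample log is constructed, with placeholder OIDs, and the function names are assumptions of this example.

```python
import re

# Constructed sample in the shape of the Clockwork summaries quoted above:
# placeholder OIDs, most metadata deltas trimmed, lines wrapped as in the mail.
SAMPLE_LOG = """\
###[ CLOCKWORK SUMMARY ]######################################
Channel: http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user
Triggered by focus primary delta
ObjectDelta(UserType:USER-OID,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}forceChange,
ADD))
Focus: focus(user:USER-OID(jdoe))
Executed:
ObjectDelta(UserType:USER-OID,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}forceChange,
ADD), PropertyDeltaImpl(metadata / {.../common/common-3}modifyChannel,
REPLACE)): SUCCESS
ObjectDelta(ShadowType:SHADOW-OID,MODIFY:
PropertyDeltaImpl(attributes / {.../resource/instance-3}pwdReset, REPLACE),
PropertyDeltaImpl(metadata / {.../common/common-3}modifyChannel,
REPLACE)): SUCCESS
##############################################################
###[ CLOCKWORK SUMMARY ]######################################
Channel: http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user
Triggered by focus primary delta
ObjectDelta(UserType:USER-OID,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}value,
REPLACE))
Executed:
ObjectDelta(ShadowType:SHADOW-OID,MODIFY:
PropertyDeltaImpl(credentials/password / {.../common/common-3}value,
REPLACE)): SUCCESS
##############################################################
"""

SUMMARY = re.compile(r"###\[ CLOCKWORK SUMMARY \]#+\n(.*?)\n#{20,}", re.S)
DELTA = re.compile(r"ObjectDelta\((\w+):([^,]+),\w+:\s*(.*?)\)\):\s*(\w+)")
ITEM = re.compile(r"DeltaImpl\(([\w/]+) / \{[^}]*\}(\w+), (\w+)")

def items(text):
    """(item path, modification type) for every item delta found in text."""
    return [(f"{path}/{name}", op) for path, name, op in ITEM.findall(text)]

def parse_summaries(log):
    """One dict per summary: items of the triggering delta and executed deltas."""
    runs = []
    for body in SUMMARY.findall(log):
        text = " ".join(body.split())  # undo the line wrapping
        head, _, executed = text.partition("Executed:")
        deltas = [{"type": t, "oid": oid, "result": res, "items": items(b)}
                  for t, oid, b, res in DELTA.findall(executed)]
        runs.append({"trigger": items(head), "executed": deltas})
    return runs

def runs_touching(runs, obj_type, item_path):
    """1-based numbers of runs that successfully executed item_path on obj_type."""
    return [n for n, run in enumerate(runs, 1) if any(
        d["type"] == obj_type and d["result"] == "SUCCESS"
        and item_path in dict(d["items"]) for d in run["executed"])]
```

Calling runs_touching(parse_summaries(log), "ShadowType", "attributes/pwdReset") on a captured log gives the runs in which the attribute delta was executed against the shadow.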