[midPoint] Synchronizating roles between a database table and midPoint

Richard Richter virgo at evolveum.com
Fri Feb 11 11:01:07 CET 2022


Hi 

Just a wild guess, but it can happen - if you tried to access the resource with a previous configuration that was not right, midPoint created shadows with a wrong object class that can now stand in the way. 
In the main menu go to Repository objects / All objects and choose Shadow in the type select box, and also select your resource. Then you can use the little down arrow on the right in the table header: 
After this try to list the accounts on your resource again. If it's set up right, it should help. If it doesn't, then there is still a resource configuration problem. 

Regards 

Richard Richter 
Software Developer 
Evolveum 


From: "midPoint General Discussion" <midpoint at lists.evolveum.com> 
To: "midPoint General Discussion" <midpoint at lists.evolveum.com> 
Cc: "MERCEDES ONCINA DELTELL" <moncina at um.es> 
Sent: Thursday, February 10, 2022 9:50:25 PM 
Subject: Re: [midPoint] Synchronizating roles between a database table and midPoint 



In the schema handling I assign icfs:uid, which is associated with the primary key of the table (TREL_CODIGO) in the resource configuration, with the "name" attribute, so, both "uid" and "name" have the same value: TREL_CODIGO. 

On the other hand, I have tried this: 
<correlation>
  <q:equal xmlns="">
    <q:path>name</q:path>
    <expression>
      <path>$projection/attributes/trel_codigo</path>
    </expression>
  </q:equal>
</correlation>
And I get the same error: 
Message: Could not import account shadow:b18c3e63-f2c5-461c-b6c0-27b91e0aa2bb(01) 
Error: No object class found for the shadow 

I admit that I don't really understand the variables that can be used inside the expression, I have seen $user, $focus and $projection, but I am not very sure when each one should be used. 

In the rest of the resources, I use $focus in the correlation expression, both for input and output resources and it runs fine. 

Thanks in advance. 




midpoint-request at lists.evolveum.com wrote:

------------------------------ 

Message: 2
Date: Thu, 10 Feb 2022 14:14:51 +0100
From: Mercedes Oncina Deltell <moncina at um.es>
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Synchronizating roles between a database table and midPoint
Message-ID: <7b623c6f-989c-1cd2-74ad-08e159063317 at um.es>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

I have configured it as you wrote and I can see the entitlements from the
resource in midPoint, but when I try to import them, I get the now
familiar error:

Message 
Could not import account shadow:b18c3e63-f2c5-461c-b6c0-27b91e0aa2bb(01) 

Error 
No object class found for the shadow 

My configuration is: 

<schemaHandling>
  <objectType id="16">
    <kind>entitlement</kind>
    <intent>default</intent>
    <default>true</default>
    <objectClass>ri:AccountObjectClass</objectClass>
    <attribute id="17">
      <ref>icfs:uid</ref>
      <tolerant>true</tolerant>
      <inbound id="19">
        <authoritative>true</authoritative>
        <exclusive>false</exclusive>
        <strength>normal</strength>
        <target>
          <path>name</path>
        </target>
      </inbound>
    </attribute>
    <attribute id="18">
      <ref>ri:TREL_DESCRIPCION</ref>
      <tolerant>true</tolerant>
      <exclusiveStrong>false</exclusiveStrong>
      <inbound id="20">
        <authoritative>true</authoritative>
        <exclusive>false</exclusive>
        <strength>normal</strength>
        <target>
          <path>displayName</path>
        </target>
      </inbound>
    </attribute>
  </objectType>
</schemaHandling>
<synchronization>
  <objectSynchronization>
    <name>SynchroRoles</name>
    <objectClass>AccountObjectClass</objectClass>
    <kind>entitlement</kind>
    <intent>default</intent>
    <focusType>c:RoleType</focusType>
    <enabled>true</enabled>
    <correlation>
      <q:equal xmlns="">
        <q:path>name</q:path>
        <expression xmlns="">
          <path>$focus/attributes/trel_codigo</path>
        </expression>
      </q:equal>
      <q:description>CheckUIDwithCODIGO</q:description>
    </correlation>
    <reconcile>false</reconcile>
    <reaction>
      <situation>deleted</situation>
      <synchronize>true</synchronize>
      <action>
        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
      </action>
    </reaction>
    <reaction>
      <situation>linked</situation>
      <synchronize>true</synchronize>
      <reconcile>false</reconcile>
    </reaction>
    <reaction>
      <situation>unlinked</situation>
      <synchronize>true</synchronize>
      <action>
        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
      </action>
    </reaction>
    <reaction>
      <situation>unmatched</situation>
      <synchronize>true</synchronize>
      <reconcile>false</reconcile>
      <action>
        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
      </action>
    </reaction>
  </objectSynchronization>
</synchronization>

The Oracle table is: 

CREATE TABLE TIPO_RELACIONES
(
  TREL_CODIGO         VARCHAR2(2 BYTE),
  TREL_DESCRIPCION    VARCHAR2(60 BYTE),
  TREL_UNIVERSITARIO  VARCHAR2(1 BYTE),
  TREL_PRIORIDAD      NUMBER(2),
  TREL_DURACION       DATE,
  TREL_MESES          NUMBER(4),
  TREL_TIPO_DURACION  VARCHAR2(1 BYTE),
  TREL_VIGENTE        VARCHAR2(1 BYTE),
  TREL_RESPONSABLE    VARCHAR2(8 BYTE),
  TREL_TIPO_EMAIL     VARCHAR2(1 BYTE),
  TREL_EXTERNO        VARCHAR2(1 BYTE)
)

I only want it for importing and synchronizing data into midPoint (inbound). 


On 10/02/2022 at 12:00, midpoint-request at lists.evolveum.com wrote:

<schemaHandling>
  <objectType>
    <objectClass>ri:AccountObjectClass</objectClass>
    <default>true</default>
    <kind>entitlement</kind>
    <intent>default</intent>
    ...
<synchronization>
  <objectSynchronization>
    <objectClass>AccountObjectClass</objectClass>
    <kind>entitlement</kind>
    <intent>default</intent>
    <focusType>RoleType</focusType>
    <enabled>true</enabled>

...
-- 
Mercedes Oncina Deltell 
Servicio de Infraestructuras TICS 
ATICA - Universidad de Murcia 
Telf: +34 868881983 

------------------------------ 

Message: 3
Date: Thu, 10 Feb 2022 16:46:51 +0100
From: Marc Fueller <marc.fueller at daasi.de>
To: Mercedes Oncina Deltell via midPoint <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Synchronizating roles between a database table and midPoint
Message-ID: <831e49ab-7b01-c992-9916-ec01841df301 at daasi.de>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Hi, 

please check your correlation. In the path tag you need to refer to an
attribute of the projection/account, not to an attribute of the focus
object.

You could try this:

<correlation>
  <q:equal xmlns="">
    <q:path>name</q:path>
    <expression>
      <path>$projection/attributes/ri:TREL_CODIGO</path>
    </expression>
  </q:equal>
</correlation>


You also need to make sure that you are also mapping TREL_CODIGO to the 
midPoint "name" property in the schema handling. 

HTH 

Marc 


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Marc Füller 
Consultant 

DAASI International GmbH 
Europaplatz 3 
D-72072 Tübingen 
Germany 

phone: +49 7071 407109-0 
fax: +49 7071 407109-9 
email:marc.fueller at daasi.de 
web: http://www.daasi.de/
Sitz der Gesellschaft: Tübingen 
Registergericht: Amtsgericht Stuttgart, HRB 382175 
Geschäftsleitung: Peter Gietz 
End of midPoint Digest, Vol 118, Issue 19




-------------- next part --------------
A non-text attachment was scrubbed...
Name: 722421
Type: image/png
Size: 17697 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20220211/2b91a86d/attachment-0001.png>
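
Added example, not part of the thread and not midPoint code: a small Python lint for the two configuration points raised in the replies above, namely that the synchronization section's kind/intent/objectClass must match an objectType in schemaHandling, and that the correlation expression path must read from $projection. The sample document, the namespace declarations wrapped around it, and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the configuration quoted in this thread;
# namespace declarations are added so the fragment parses stand-alone.
SAMPLE = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <schemaHandling><objectType>
    <kind>entitlement</kind><intent>default</intent>
    <objectClass>ri:AccountObjectClass</objectClass>
  </objectType></schemaHandling>
  <synchronization><objectSynchronization>
    <objectClass>AccountObjectClass</objectClass>
    <kind>entitlement</kind><intent>default</intent>
    <correlation><q:equal>
      <q:path>name</q:path>
      <expression><path>$focus/attributes/trel_codigo</path></expression>
    </q:equal></correlation>
  </objectSynchronization></synchronization>
</resource>"""

def local(tag):
    # Strip the "{namespace}" part that ElementTree puts in front of tag names.
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def type_key(elem):
    # Compare kind, intent and the object class name without its prefix.
    return (child_text(elem, "kind"), child_text(elem, "intent"),
            child_text(elem, "objectClass").split(":")[-1])

def lint_resource(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    declared = {type_key(e) for e in root.iter() if local(e.tag) == "objectType"}
    for sync in (e for e in root.iter() if local(e.tag) == "objectSynchronization"):
        if type_key(sync) not in declared:
            findings.append(f"no schemaHandling objectType for {type_key(sync)}")
        for corr in (e for e in sync.iter() if local(e.tag) == "correlation"):
            for p in (e for e in corr.iter() if local(e.tag) == "path"):
                text = (p.text or "").strip()
                # Only variable paths are checked; <q:path>name</q:path> is skipped.
                if text.startswith("$") and not text.startswith("$projection/"):
                    findings.append(f"correlation expression reads {text}, not $projection")
    return findings
```

The lint is purely structural: it does not contact the resource and cannot detect stale shadows left over from an earlier configuration.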

