[midPoint] Synchronizating roles between a database table and midPoint

Mercedes Oncina Deltell moncina at um.es
Fri Feb 11 12:40:38 CET 2022


I have deleted all users and all shadows to begin from scratch in order 
to better understand midPoint internals.

If I set the correlation expression with $projection, the error now is: 
Error occurred during resource object shadow owner lookup, reason: 
Couldn't convert query.

So, obviously, the problem is something related to this expression. I 
have version 4.4 of midPoint with a PostgreSQL database as a repository.

I have done another test with this expression: for my authoritative 
resource I have inbound mappings defined. Yesterday, I was using 
$focus/attributes/uuid in the correlation expression path and it ran fine.

<q:equal 
xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" 
xmlns="">
     <q:path>name</q:path>
     <expression xmlns="">
         <path>$focus/attributes/uuid</path>
     </expression>
</q:equal>

Today, I am trying to use $projection, as I can see in the manual of 
midPoint, but it doesn't run, I get the error mentioned above.

What I understand for correlation is:

<q:path>name</q:path> => what I'm checking (the source), the attribute 
of the user in midPoint (it is $focus, isn't it?, this is the default 
value so you can omit $focus in the expression $focus/name)

<path>$focus/attributes/uuid</path> => what I'm checking with, it is the 
account in the resource, _it should be $projection_, shouldn't it?

However, in the correlation expression, if I use $focus, I can import 
the accounts into midPoint, but if I use $projection, I get the error: 
Couldn't convert query.

I can't find any good reference for these variables and their segments 
paths, only in 
https://docs.evolveum.com/midpoint/reference/concepts/item-path/ it is 
mentioned, but there is no further information about variables and 
segments that can be used and when.

Thanks.

On 11/02/2022 at 11:01, midpoint-request at lists.evolveum.com wrote:
> Message: 1
> Date: Fri, 11 Feb 2022 11:01:07 +0100 (CET)
> From: Richard Richter<virgo at evolveum.com>
> To: midPoint General Discussion<midpoint at lists.evolveum.com>
> Cc: MERCEDES ONCINA DELTELL<moncina at um.es>
> Subject: Re: [midPoint] Synchronizating roles between a database table
> 	and midPoint
> Message-ID:
> 	<708275964.54644.1644573667626.JavaMail.zimbra at evolveum.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi
>
> Just a wild guess, but it can happen - if you tried to access the resource with a previous configuration that was not right, midPoint created shadows with a wrong object class that can now stand in the way.
> In main menu go to Repository objects / All objects and choose Shadow in the type select box, also select your resource. Then you can use the little down arrow on the right in the table header:
> After this try to list the accounts on your resource again. If it's set up right, it should help. If it doesn't, then there is still resource configuration problem.
>
> Regards
>
> Richard Richter
> Software Developer
> Evolveum
>
>
> From: "midPoint General Discussion"<midpoint at lists.evolveum.com>  
> To: "midPoint General Discussion"<midpoint at lists.evolveum.com>  
> Cc: "MERCEDES ONCINA DELTELL"<moncina at um.es>  
> Sent: Thursday, February 10, 2022 9:50:25 PM
> Subject: Re: [midPoint] Synchronizating roles between a database table and midPoint
>
>
>
> In the schema handling I assign icfs:uid, which is associated with the primary key of the table (TREL_CODIGO) in the resource configuration, with the "name" attribute, so, both "uid" and "name" have the same value: TREL_CODIGO.
>
> On the other hand, I have tried this:
> <correlation>
> <q:equal xmlns="">
> <q:path>name</q:path>
> <expression>
> <path>$projection/attributes/trel_codigo</path>
> </expression>
> </q:equal>
> </correlation>
> And I get the same error:
> Message: Could not import account shadow:b18c3e63-f2c5-461c-b6c0-27b91e0aa2bb(01)
> Error: No object class found for the shadow
>
> I admit that I don't really understand the variables that can be used inside the expression, I have seen $user, $focus and $projection, but I am not very sure when each one should be used.
>
> In the rest of the resources, I use $focus in the correlation expression, both for input and output resources and it runs fine.
>
> Thanks in advance.
>
>
>
>
> please check your correlation. In the path-Tag you need to refer to an
> attribute of the projection/account, not to an attribute of the focus
> object.
>
> You could try this:
>
> <correlation>
>     <q:equal xmlns="">
>         <q:path>name</q:path>
>         <expression>
>             <path>$projection/attributes/ri:TREL_CODIGO</path>
>         </expression>
>     </q:equal>
> </correlation>
>
>
>
>
> midpoint-request at lists.evolveum.com wrote:
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 10 Feb 2022 14:14:51 +0100
> From: Mercedes Oncina Deltell <moncina at um.es>
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] Synchronizating roles between a database table
> and midPoint
> Message-ID: <7b623c6f-989c-1cd2-74ad-08e159063317 at um.es>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> I have configured it as you wrote and I can see the entitlements from the
> resource in midPoint, but when I try to import them, I get the now
> familiar error:
>
> Message
> Could not import account shadow:b18c3e63-f2c5-461c-b6c0-27b91e0aa2bb(01)
>
> Error
> No object class found for the shadow
>
> My configuration is:
>
> <schemaHandling>
>     <objectType id="16">
>         <kind>entitlement</kind>
>         <intent>default</intent>
>         <default>true</default>
>         <objectClass>ri:AccountObjectClass</objectClass>
>         <attribute id="17">
>             <ref>icfs:uid</ref>
>             <tolerant>true</tolerant>
>             <inbound id="19">
>                 <authoritative>true</authoritative>
>                 <exclusive>false</exclusive>
>                 <strength>normal</strength>
>                 <target>
>                     <path>name</path>
>                 </target>
>             </inbound>
>         </attribute>
>         <attribute id="18">
>             <ref>ri:TREL_DESCRIPCION</ref>
>             <tolerant>true</tolerant>
>             <exclusiveStrong>false</exclusiveStrong>
>             <inbound id="20">
>                 <authoritative>true</authoritative>
>                 <exclusive>false</exclusive>
>                 <strength>normal</strength>
>                 <target>
>                     <path>displayName</path>
>                 </target>
>             </inbound>
>         </attribute>
>     </objectType>
> </schemaHandling>
> <synchronization>
>     <objectSynchronization>
>         <name>SynchroRoles</name>
>         <objectClass>AccountObjectClass</objectClass>
>         <kind>entitlement</kind>
>         <intent>default</intent>
>         <focusType>c:RoleType</focusType>
>         <enabled>true</enabled>
>         <correlation>
>             <q:equal xmlns="">
>                 <q:path>name</q:path>
>                 <expression xmlns="">
>                     <path>$focus/attributes/trel_codigo</path>
>                 </expression>
>             </q:equal>
>             <q:description>CheckUIDwithCODIGO</q:description>
>         </correlation>
>         <reconcile>false</reconcile>
>         <reaction>
>             <situation>deleted</situation>
>             <synchronize>true</synchronize>
>             <action>
>                 <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
>             </action>
>         </reaction>
>         <reaction>
>             <situation>linked</situation>
>             <synchronize>true</synchronize>
>             <reconcile>false</reconcile>
>         </reaction>
>         <reaction>
>             <situation>unlinked</situation>
>             <synchronize>true</synchronize>
>             <action>
>                 <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>             </action>
>         </reaction>
>         <reaction>
>             <situation>unmatched</situation>
>             <synchronize>true</synchronize>
>             <reconcile>false</reconcile>
>             <action>
>                 <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
>             </action>
>         </reaction>
>     </objectSynchronization>
> </synchronization>
>
> The Oracle table is:
>
> CREATE TABLE TIPO_RELACIONES
> (
>     TREL_CODIGO VARCHAR2(2 BYTE),
>     TREL_DESCRIPCION VARCHAR2(60 BYTE),
>     TREL_UNIVERSITARIO VARCHAR2(1 BYTE),
>     TREL_PRIORIDAD NUMBER(2),
>     TREL_DURACION DATE,
>     TREL_MESES NUMBER(4),
>     TREL_TIPO_DURACION VARCHAR2(1 BYTE),
>     TREL_VIGENTE VARCHAR2(1 BYTE),
>     TREL_RESPONSABLE VARCHAR2(8 BYTE),
>     TREL_TIPO_EMAIL VARCHAR2(1 BYTE),
>     TREL_EXTERNO VARCHAR2(1 BYTE)
> )
>
> I only want it for importing and synchronizing data into midPoint (inbound).
>
>
> On 10/02/2022 at 12:00, midpoint-request at lists.evolveum.com wrote:
>
>
> <schemaHandling>
>     <objectType>
>         <objectClass>ri:AccountObjectClass</objectClass>
>         <default>true</default>
>         <kind>entitlement</kind>
>         <intent>default</intent>
>         ...
> <synchronization>
>     <objectSynchronization>
>         <objectClass>AccountObjectClass</objectClass>
>         <kind>entitlement</kind>
>         <intent>default</intent>
>         <focusType>RoleType</focusType>
>         <enabled>true</enabled>
>
> ...

-- 
Mercedes Oncina Deltell
Servicio de Infraestructuras TICS
ATICA - Universidad de Murcia
Telf: +34 868881983
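
Added example, not part of the original message and not midPoint code: a small offline check for the two points the quoted replies raise, namely that schemaHandling and synchronization should declare the same kind/intent/objectClass, and that the correlation expression path should read an attribute of the projection rather than of the focus. The function names are hypothetical, the sample is a constructed reduction of the configuration quoted above, and comparing objectClass by local name only is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample, reduced from the resource configuration quoted in the thread.
SAMPLE = """<resource xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <schemaHandling><objectType>
    <kind>entitlement</kind><intent>default</intent>
    <objectClass>ri:AccountObjectClass</objectClass>
  </objectType></schemaHandling>
  <synchronization><objectSynchronization>
    <objectClass>AccountObjectClass</objectClass>
    <kind>entitlement</kind><intent>default</intent>
    <correlation><q:equal>
      <q:path>name</q:path>
      <expression><path>$focus/attributes/trel_codigo</path></expression>
    </q:equal></correlation>
  </objectSynchronization></synchronization>
</resource>"""

def local(name):
    """Drop an XML namespace ('{uri}tag') or a QName prefix ('ri:Foo')."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1].strip()

def descendants(elem, tag):
    return [c for c in elem.iter() if local(c.tag) == tag]

def key(elem):
    """(kind, intent, objectClass) taken from the element's direct children."""
    vals = {local(c.tag): local(c.text or "") for c in elem}
    return vals.get("kind"), vals.get("intent"), vals.get("objectClass")

def lint(xml_text):
    """Return findings for a resource definition (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    declared = {key(t) for t in descendants(root, "objectType")}
    findings = []
    for sync in descendants(root, "objectSynchronization"):
        if key(sync) not in declared:
            findings.append(f"no objectType matches {key(sync)}")
        for corr in descendants(sync, "correlation"):
            for expr in descendants(corr, "expression"):
                for p in descendants(expr, "path"):
                    text = (p.text or "").strip()
                    if text.startswith("$focus/attributes/"):
                        findings.append(f"correlation reads focus: {text}")
    return findings
```
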