[midPoint] OpenLDAP Midpoint Schema
Ivan Noris
ivan.noris at evolveum.com
Mon Feb 21 13:27:47 CET 2022
Hi Luca,
I think you are on a good track. It really seems that midPoint does not
see the object class.
To avoid the simple mistakes:
I assume that OpenLDAP is configured correctly. (And that you can create
an account there without midPoint using inetOrgPerson + midPointPerson.)
I assume that you did upload + test the resource (test resource will
fetch schema from OpenLDAP).
(I was tempted to ask you to add ri: prefix to your midPointPerson
auxiliary object class.)
Are you perhaps using something like this?
<schema>
    <generationConstraints>
        <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
        <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
        <generateObjectClass>ri:groupOfNames</generateObjectClass>
        <generateObjectClass>ri:organizationalUnit</generateObjectClass>
        <generateObjectClass>ri:domain</generateObjectClass>
        <generateObjectClass>ri:midPointPerson</generateObjectClass>
    </generationConstraints>
</schema>
(Please make sure that if you use generationConstraints, you mention
the auxiliary object classes there too.)
I'm out of other ideas for now :)
Best regards,
Ivan
On 21. 2. 2022 13:21, Luca Verardo wrote:
> Hello Ivan,
>
> Yes, I have read this chapter and tried to implement it in the same way:
>
> <kind>account</kind>
> <intent>default</intent>
> <displayName>Default Account</displayName>
> <default>true</default>
> <objectClass>ri:inetOrgPerson</objectClass>
> <auxiliaryObjectClass>midPointPerson</auxiliaryObjectClass>
>
> However, MidPoint seems to not like it very much, and throws the
> following error:
>
> Auxiliary object class midPointPerson specified in
> rOCD+(ACCOUNT:default={.../resource/instance-3}inetOrgPerson) does not
> exist
>
> I think I might need to inform midPoint about the schema, but I’m not
> sure how to do it, and if it is the correct mitigation step about this
> issue.
>
>
> Best regards,
> Luca Verardo
>
>> Le 21 févr. 2022 à 13:00, Ivan Noris via midPoint
>> <midpoint at lists.evolveum.com> a écrit :
>>
>> Hi Luca,
>>
>> you are right, it's an auxiliary object class. I was trying to find an
>> existing example, but I found nothing.
>>
>> Unless anyone else from the community has a working ready-to-share
>> example, some bits and pieces:
>>
>> 1. please see
>> https://docs.evolveum.com/midpoint/reference/resources/auxiliary-object-classes/
>> for auxiliary object class configuration. If all your accounts should
>> have the auxiliary object class, the first chapter, Static Use of
>> Auxiliary Object Classes, should be what you need.
>>
>> 2. Unix Story Test at
>> https://docs.evolveum.com/midpoint/reference/samples/story-tests/unix/
>> could also be useful as a configuration example (even though it's a
>> different scenario and a different auxiliary object class).
>>
>> 3. if you can see the midpointActivationStatus attribute in your
>> resource, you will probably need something like this in your LDAP
>> resource XML (based on the documentation I see that
>> midpointActivationStatus should be string):
>>
>> <capabilities
>> xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
>> <configured>
>> <cap:activation>
>> <cap:status>
>> <cap:attribute>ri:midpointActivationStatus</cap:attribute>
>> <cap:enableValue>enabled</cap:enableValue>
>> <cap:disableValue>disabled</cap:disableValue>
>> </cap:status>
>> </cap:activation>
>> </configured>
>> </capabilities>
>>
>> and an ordinary outbound activation/administrativeStatus mapping in
>> the resource.
>>
>> Unfortunately I do not have the environment prepared to really test this.
>>
>> Best regards & happy testing,
>>
>> Ivan
>>
>> On 21. 2. 2022 11:59, Luca Verardo wrote:
>>> Hello Ivan,
>>>
>>> Thank you.
>>>
>>> I successfully added the midPointPerson schema. However, I cannot
>>> get the auxiliary object classes to work. If I understood correctly,
>>> to be able to use midPointActivationStatus, an LDAP user needs to
>>> have inetOrgPerson + midPointPerson.
>>>
>>> Can you share an example of how to instruct MidPoint to add this
>>> object class to newly created users?
>>>
>>>
>>> Thanks a lot in advance.
>>>
>>>
>>> Best regards,
>>> Luca Verardo
>>>
>>>> Le 17 févr. 2022 à 09:32, Ivan Noris via midPoint
>>>> <midpoint at lists.evolveum.com> a écrit :
>>>>
>>>> Hi Luca,
>>>>
>>>> please have a look here:
>>>> https://docs.evolveum.com/connectors/resources/ldap/openldap/structure/
>>>>
>>>> It is referencing
>>>> https://github.com/Evolveum/midpoint-samples/tree/master/samples/resources/openldap
>>>> where you have also LDIF files for OpenLDAP.
>>>>
>>>> Hope it helps.
>>>>
>>>> Best regards,
>>>>
>>>> Ivan
>>>>
>>>> On 17. 2. 2022 8:53, Luca Verardo via midPoint wrote:
>>>>> Dear community,
>>>>>
>>>>> Is there any up-to-date documentation explaining how to add and
>>>>> use the OpenLDAP midPoint schema? The one that allows the
>>>>> midPointAccountStatus (disabled or enabled), for example.
>>>>>
>>>>>
>>>>> Thanks a lot in advance.
>>>>>
>>>>>
>>>>> Best regards,
>>>>> Luca
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>> --
>>>> Ivan Noris
>>>> Senior Identity Engineer
>>>> evolveum.com <http://evolveum.com/>
>>>
>> --
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com <http://evolveum.com>
>
--
Ivan Noris
Senior Identity Engineer
evolveum.com
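Added example (my own, not from this thread or from the midPoint project): a small Python lint that checks a resource definition for the two pitfalls raised above, an auxiliaryObjectClass without the ri: prefix and an auxiliary class missing from generationConstraints. It assumes midPoint's common-3 namespace is the resource object's default namespace, and the input is a constructed, minimal resource fragment mirroring Luca's configuration.

```python
import xml.etree.ElementTree as ET

# Assumed: midPoint's common-3 namespace is the default namespace of the resource object.
NS_URI = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = "{" + NS_URI + "}"

def local_name(qname):
    """Strip a 'ri:' style prefix so 'ri:midPointPerson' and 'midPointPerson' compare equal."""
    return qname.strip().split(":")[-1]

def check_resource(xml_text):
    """Return findings (empty list = consistent). For each objectType, check that
    objectClass/auxiliaryObjectClass values carry the ri: prefix and, when
    generationConstraints is present, that each has a generateObjectClass entry."""
    root = ET.fromstring(xml_text)
    generated = {local_name(e.text) for e in root.iter(NS + "generateObjectClass")}
    constrained = root.find(f"{NS}schema/{NS}generationConstraints") is not None
    findings = []
    for ot in root.iter(NS + "objectType"):
        where = f"{ot.findtext(NS + 'kind', '?')}/{ot.findtext(NS + 'intent', '?')}"
        classes = [e.text for e in ot.findall(NS + "objectClass")]
        classes += [e.text for e in ot.findall(NS + "auxiliaryObjectClass")]
        for cls in classes:
            if ":" not in cls:
                findings.append(f"{where}: '{cls}' lacks the ri: prefix")
            if constrained and local_name(cls) not in generated:
                findings.append(f"{where}: '{cls}' is not listed in generationConstraints")
    return findings

# Constructed minimal resource mirroring the thread: no ri: prefix, not in generationConstraints.
BROKEN = f"""<resource xmlns="{NS_URI}"
  xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <schema><generationConstraints>
    <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
    <generateObjectClass>ri:groupOfNames</generateObjectClass>
  </generationConstraints></schema>
  <schemaHandling><objectType>
    <kind>account</kind><intent>default</intent>
    <objectClass>ri:inetOrgPerson</objectClass>
    <auxiliaryObjectClass>midPointPerson</auxiliaryObjectClass>
  </objectType></schemaHandling>
</resource>"""
# The same resource with both fixes applied.
FIXED = BROKEN.replace(">midPointPerson<", ">ri:midPointPerson<").replace(
    "</generationConstraints>",
    "  <generateObjectClass>ri:midPointPerson</generateObjectClass>\n  </generationConstraints>")

if __name__ == "__main__":
    print(check_resource(BROKEN))   # two findings
    print(check_resource(FIXED))    # []
```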