[midPoint] OpenLDAP Midpoint Schema
Luca Verardo
luca at verardo.ch
Mon Feb 21 13:56:13 CET 2022
Hello Ivan,
Perfect, it worked. The addition of <generateObjectClass> and a refresh schema / test connection worked.
Next in line are the synchronisation issues. I cannot point the outbound mapping to be $projection/midPointAccountStatus, midpoint will say it does not exist.
Is this mapping correct?
Best regards,
Luca Verardo
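As an added illustration (not configuration from this thread, from Luca's screenshot, or from the Evolveum samples), the pieces discussed in the quoted messages below combined into one midPoint LDAP resource fragment: the generation constraint for the auxiliary class, the account objectType declaring it statically, the configured activation capability, and the outbound administrativeStatus mapping that replaces a direct attribute mapping. The attribute name midpointActivationStatus is taken from Ivan's message; its case and the enable/disable values must match what the midPointPerson schema actually defines in OpenLDAP, and the resource root, connectorRef and connectorConfiguration are omitted.

```xml
<!-- Added example fragment of a midPoint LDAP resource (not from the thread or the Evolveum samples).
     Only the parts discussed in this thread are shown; the resource root element, connectorRef and
     connectorConfiguration are omitted. The ri: prefix is the usual resource instance namespace. -->
<schema>
    <generationConstraints>
        <!-- Auxiliary object classes must be listed here too, otherwise midPoint never sees them. -->
        <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
        <generateObjectClass>ri:midPointPerson</generateObjectClass>
    </generationConstraints>
</schema>

<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <displayName>Default Account</displayName>
        <default>true</default>
        <objectClass>ri:inetOrgPerson</objectClass>
        <!-- Static use: every account of this type is created with the auxiliary class. -->
        <auxiliaryObjectClass>ri:midPointPerson</auxiliaryObjectClass>

        <!-- Do not map the LDAP status attribute as an ordinary attribute; map activation instead.
             midPoint writes administrativeStatus to the attribute named in the activation
             capability below, using the configured enable/disable values. -->
        <activation>
            <administrativeStatus>
                <outbound>
                    <strength>strong</strength>
                </outbound>
            </administrativeStatus>
        </activation>
    </objectType>
</schemaHandling>

<capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
    <configured>
        <cap:activation>
            <cap:status>
                <!-- Attribute name as given in the thread; case must match the LDAP schema definition. -->
                <cap:attribute>ri:midpointActivationStatus</cap:attribute>
                <cap:enableValue>enabled</cap:enableValue>
                <cap:disableValue>disabled</cap:disableValue>
            </cap:status>
        </cap:activation>
    </configured>
</capabilities>
```

After uploading, run "Test connection" again so the schema (including the auxiliary class) is re-fetched before checking the mapping on a new account.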
> On 21 Feb 2022 at 13:27, Ivan Noris via midPoint <midpoint at lists.evolveum.com> wrote:
>
> Hi Luca,
>
> I think you are on a good track. It really seems that midpoint does not see the object class.
>
> To avoid the simple mistakes:
>
> I assume that openldap is configured correctly. (And that you can create an account there without midPoint using inetOrgPerson + midPointPerson.)
>
> I assume that you did upload + test the resource (test resource will fetch schema from OpenLDAP).
>
> (I was tempted to ask you to add ri: prefix to your midPointPerson auxiliary object class.)
>
> Are you perhaps using something like this?
>
> <schema>
> <generationConstraints>
> <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
> <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
> <generateObjectClass>ri:groupOfNames</generateObjectClass>
> <generateObjectClass>ri:organizationalUnit</generateObjectClass>
> <generateObjectClass>ri:domain</generateObjectClass>
> <generateObjectClass>ri:midPointPerson</generateObjectClass>
> </generationConstraints>
> </schema>
>
> (Please make sure that if you use generationConstraints, you are mentioning the auxiliary object classes there too).
>
> I'm out of other ideas for now :)
>
> Best regards,
>
> Ivan
>
> On 21. 2. 2022 13:21, Luca Verardo wrote:
>> Hello Ivan,
>>
>> Yes, I have read this chapter and tried to implement it in the same way:
>>
>> <kind>account</kind>
>> <intent>default</intent>
>> <displayName>Default Account</displayName>
>> <default>true</default>
>> <objectClass>ri:inetOrgPerson</objectClass>
>> <auxiliaryObjectClass>midPointPerson</auxiliaryObjectClass>
>>
>> However, MidPoint seems to not like it very much, and throws the following error:
>>
>> Auxiliary object class midPointPerson specified in rOCD+(ACCOUNT:default={.../resource/instance-3}inetOrgPerson) does not exist
>>
>> I think I might need to inform midPoint about the schema, but I’m not sure how to do it, and if it is the correct mitigation step about this issue.
>>
>>
>> Best regards,
>> Luca Verardo
>>
>>> On 21 Feb 2022 at 13:00, Ivan Noris via midPoint <midpoint at lists.evolveum.com> wrote:
>>>
>>> Hi Luca,
>>>
>>> you are right, it's an auxiliary object class. I was trying to find an existing example, but I found nothing.
>>>
>>> Unless anyone else from the community has a working ready-to-share example, some bits and pieces:
>>>
>>> 1. please see https://docs.evolveum.com/midpoint/reference/resources/auxiliary-object-classes/ for auxiliary object class configuration. If all your accounts should have the auxiliary object class, the first chapter "Static Use of Auxiliary Object Classes" should be what you need
>>>
>>> 2. Unix Story Test at https://docs.evolveum.com/midpoint/reference/samples/story-tests/unix/ could also be useful as a configuration example (even though it's a different scenario and a different auxiliary object class)
>>>
>>> 3. if you can see the midpointActivationStatus attribute in your resource, you will probably need something like this in your LDAP resource XML (based on the documentation I see that midpointActivationStatus should be string):
>>>
>>> <capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
>>> <configured>
>>> <cap:activation>
>>> <cap:status>
>>> <cap:attribute>ri:midpointActivationStatus</cap:attribute>
>>> <cap:enableValue>enabled</cap:enableValue>
>>> <cap:disableValue>disabled</cap:disableValue>
>>> </cap:status>
>>> </cap:activation>
>>> </configured>
>>> </capabilities>
>>>
>>> and an ordinary outbound activation/administrativeStatus mapping in the resource.
>>>
>>> Unfortunately I do not have the environment prepared to really test this.
>>>
>>> Best regards & happy testing,
>>>
>>> Ivan
>>>
>>> On 21. 2. 2022 11:59, Luca Verardo wrote:
>>>> Hello Ivan,
>>>>
>>>> Thank you.
>>>>
>>>> I added successfully the midPointPerson schema. However, I cannot get the Auxiliary Object classes to work. If I understood correctly, to be able to use midPointActivationStatus, an LDAP user needs to have inetOrgPerson + midPointPerson.
>>>>
>>>> Can you share an example on how to instruct MidPoint to add this object class to newly created users?
>>>>
>>>>
>>>> Thanks a lot in advance.
>>>>
>>>>
>>>> Best regards,
>>>> Luca Verardo
>>>>
>>>>> On 17 Feb 2022 at 09:32, Ivan Noris via midPoint <midpoint at lists.evolveum.com> wrote:
>>>>>
>>>>> Hi Luca,
>>>>>
>>>>> please have a look here: https://docs.evolveum.com/connectors/resources/ldap/openldap/structure/
>>>>> It is referencing https://github.com/Evolveum/midpoint-samples/tree/master/samples/resources/openldap where you also have LDIF files for OpenLDAP.
>>>>>
>>>>> Hope it helps.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Ivan
>>>>>
>>>>> On 17. 2. 2022 8:53, Luca Verardo via midPoint wrote:
>>>>>> Dear community,
>>>>>>
>>>>>> Is there any up to date documentation explaining how to add and use the OpenLDAP midPoint schema? The one that allows the midPointAccountStatus (disabled or enabled) for example.
>>>>>>
>>>>>>
>>>>>> Thanks a lot in advance.
>>>>>>
>>>>>>
>>>>>> Best regards,
>>>>>> Luca
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>>> --
>>>>> Ivan Noris
>>>>> Senior Identity Engineer
>>>>> evolveum.com
>>>>
>>> --
>>> Ivan Noris
>>> Senior Identity Engineer
>>> evolveum.com
>>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
[Attachment: screenshot "Capture d'écran 2022-02-21 à 13.56.03.png" (image/png) showing the mapping referred to above]