[midPoint] OpenLDAP Midpoint Schema

Ivan Noris ivan.noris at evolveum.com
Mon Feb 21 14:10:15 CET 2022


Hi Luca,

if you used the capabilities I sent, then the attribute 
midpointAccountStatus is considered to be the account's activation and 
is not visible in account attributes by default.

Standard outbound mapping will do the trick:

<activation>
    <administrativeStatus>
        <outbound/>
        <!-- source is implicit: activation/effectiveStatus;
             expression is implicit: as is;
             target is implicit: what connector knows. As in this case it does not
             know, we use the capabilities to tell midPoint to simulate the
             capability using the midpointAccountStatus attribute.

             The mapping can also be strong if you want. -->
    </administrativeStatus>
</activation>

Ivan

On 21. 2. 2022 13:56, Luca Verardo wrote:
> Hello Ivan,
>
> Perfect, it worked. The addition of <generateObjectClass> and a 
> refresh schema / test connection worked.
>
> Next in line are the synchronisation issues. I cannot point the 
> outbound mapping to $projection/midPointAccountStatus; midPoint 
> will say it does not exist.
>
>
> Is this mapping correct?
>
> Best regards,
> Luca Verardo
>
>> Le 21 févr. 2022 à 13:27, Ivan Noris via midPoint 
>> <midpoint at lists.evolveum.com> a écrit :
>>
>> Hi Luca,
>>
>> I think you are on a good track. It really seems that midpoint does 
>> not see the object class.
>>
>> To avoid the simple mistakes:
>>
>> I assume that openldap is configured correctly. (And that you can 
>> create an account there without midPoint using inetOrgPerson + 
>> midPointPerson.)
>>
>> I assume that you did upload + test the resource (test resource will 
>> fetch schema from OpenLDAP).
>>
>> (I was tempted to ask you to add ri: prefix to your midPointPerson 
>> auxiliary object class.)
>>
>> Are you perhaps using something like this?
>>
>>     <schema>
>>         <generationConstraints>
>>             <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
>>             <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
>>             <generateObjectClass>ri:groupOfNames</generateObjectClass>
>>             <generateObjectClass>ri:organizationalUnit</generateObjectClass>
>>             <generateObjectClass>ri:domain</generateObjectClass>
>>             <generateObjectClass>ri:midPointPerson</generateObjectClass>
>>         </generationConstraints>
>>     </schema>
>>
>> (Please make sure that if you use generationConstraints, you are 
>> mentioning the auxiliary object classes there too).
>>
>> I'm out of other ideas for now :)
>>
>> Best regards,
>>
>> Ivan
>>
>> On 21. 2. 2022 13:21, Luca Verardo wrote:
>>> Hello Ivan,
>>>
>>> Yes, I have read this chapter and tried to implement it in the same 
>>> way:
>>>
>>>     <kind>account</kind>
>>>     <intent>default</intent>
>>>     <displayName>Default Account</displayName>
>>>     <default>true</default>
>>>     <objectClass>ri:inetOrgPerson</objectClass>
>>>     <auxiliaryObjectClass>midPointPerson</auxiliaryObjectClass>
>>>
>>> However, MidPoint seems to not like it very much, and throws the 
>>> following error:
>>>
>>> Auxiliary object class midPointPerson specified in 
>>> rOCD+(ACCOUNT:default={.../resource/instance-3}inetOrgPerson) does 
>>> not exist
>>>
>>> I think I might need to inform midPoint about the schema, but I’m 
>>> not sure how to do it, and if it is the correct mitigation step 
>>> about this issue.
>>>
>>>
>>> Best regards,
>>> Luca Verardo
>>>
>>>> Le 21 févr. 2022 à 13:00, Ivan Noris via midPoint 
>>>> <midpoint at lists.evolveum.com> a écrit :
>>>>
>>>> Hi Luca,
>>>>
>>>> you are right, it's an auxiliary object class. I was trying to find 
>>>> an existing example, but I found nothing.
>>>>
>>>> Unless anyone else from the community has a working ready-to-share 
>>>> example, some bits and pieces:
>>>>
>>>> 1. please see 
>>>> https://docs.evolveum.com/midpoint/reference/resources/auxiliary-object-classes/ 
>>>> for auxiliary object class configuration. If all your accounts 
>>>> should have the auxiliary object class, the first chapter Static 
>>>> Use of Auxiliary Object Classes should be what you need
>>>>
>>>> 2. Unix Story Test at 
>>>> https://docs.evolveum.com/midpoint/reference/samples/story-tests/unix/ 
>>>> could also be useful as a configuration example (even though it's a 
>>>> different scenario and a different auxiliary object class)
>>>>
>>>> 3. if you can see the midpointActivationStatus attribute in your 
>>>> resource, you will probably need something like this in your LDAP 
>>>> resource XML (based on the documentation I see that 
>>>> midpointActivationStatus should be string):
>>>>
>>>>     <capabilities 
>>>>         xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
>>>>         <configured>
>>>>             <cap:activation>
>>>>                 <cap:status>
>>>>                     <cap:attribute>ri:midpointActivationStatus</cap:attribute>
>>>>                     <cap:enableValue>enabled</cap:enableValue>
>>>>                     <cap:disableValue>disabled</cap:disableValue>
>>>>                 </cap:status>
>>>>             </cap:activation>
>>>>         </configured>
>>>>     </capabilities>
>>>>
>>>> and an ordinary outbound activation/administrativeStatus mapping in 
>>>> the resource.
>>>>
>>>> Unfortunately I do not have the environment prepared to really test 
>>>> this.
>>>>
>>>> Best regards & happy testing,
>>>>
>>>> Ivan
>>>>
>>>> On 21. 2. 2022 11:59, Luca Verardo wrote:
>>>>> Hello Ivan,
>>>>>
>>>>> Thank you.
>>>>>
>>>>> I successfully added the midPointPerson schema. However, I cannot 
>>>>> get the auxiliary object classes to work. If I understood 
>>>>> correctly, to be able to use midPointActivationStatus, an LDAP 
>>>>> user needs to have inetOrgPerson + midPointPerson.
>>>>>
>>>>> Can you share an example of how to instruct MidPoint to add this 
>>>>> object class to newly created users?
>>>>>
>>>>>
>>>>> Thanks a lot in advance.
>>>>>
>>>>>
>>>>> Best regards,
>>>>> Luca Verardo
>>>>>
>>>>>> Le 17 févr. 2022 à 09:32, Ivan Noris via midPoint 
>>>>>> <midpoint at lists.evolveum.com> a écrit :
>>>>>>
>>>>>> Hi Luca,
>>>>>>
>>>>>> please have a look here: 
>>>>>> https://docs.evolveum.com/connectors/resources/ldap/openldap/structure/
>>>>>>
>>>>>> It is referencing 
>>>>>> https://github.com/Evolveum/midpoint-samples/tree/master/samples/resources/openldap 
>>>>>> where you also have LDIF files for OpenLDAP.
>>>>>>
>>>>>> Hope it helps.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Ivan
>>>>>>
>>>>>> On 17. 2. 2022 8:53, Luca Verardo via midPoint wrote:
>>>>>>> Dear community,
>>>>>>>
>>>>>>> Is there any up-to-date documentation explaining how to add and 
>>>>>>> use the OpenLDAP midPoint schema? The one that allows the 
>>>>>>> midPointAccountStatus (disabled or enabled), for example.
>>>>>>>
>>>>>>>
>>>>>>> Thanks a lot in advance.
>>>>>>>
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Luca
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> midPoint mailing list
>>>>>>> midPoint at lists.evolveum.com
>>>>>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>> -- 
>>>>>> Ivan Noris
>>>>>> Senior Identity Engineer
>>>>>> evolveum.com  <http://evolveum.com/>
>>>>>
>>>
>
-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
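The pieces discussed in this thread, assembled into one resource fragment. This is an added example, not code from the thread, from Evolveum's documentation or from midpoint-samples. It combines the generationConstraints that list the auxiliary class, the account objectType with the ri:-prefixed auxiliaryObjectClass, the configured activation capability, and the outbound activation/administrativeStatus mapping that replaces the attribute mapping Luca was trying to write. The resource OID, the resource name, the base DN ou=people,dc=example,dc=com and the attribute name ri:midPointAccountStatus are assumptions; the thread spells that attribute several ways, so use the name as it appears in your midpoint.ldif and in the schema fetched by Test Connection. The connectorRef and connectorConfiguration are left out because the thread's resource already connects.

```xml
<!-- Added example, not from the thread or midpoint-samples.
     Placeholders: oid, resource name, base DN, attribute name. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
          oid="REPLACE-WITH-YOUR-RESOURCE-OID">
    <name>OpenLDAP with midPointPerson (example)</name>

    <!-- connectorRef and connectorConfiguration (host, bindDn, baseContext, ...)
         omitted: keep the ones from your already tested resource. -->

    <schema>
        <generationConstraints>
            <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
            <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
            <generateObjectClass>ri:organizationalUnit</generateObjectClass>
            <!-- Auxiliary classes must be listed here as well; without this line
                 midPoint never sees midPointPerson and the objectType below fails
                 with "Auxiliary object class ... does not exist". -->
            <generateObjectClass>ri:midPointPerson</generateObjectClass>
        </generationConstraints>
    </schema>

    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <displayName>Default Account</displayName>
            <default>true</default>
            <objectClass>ri:inetOrgPerson</objectClass>
            <!-- ri: prefix: the class is referenced from the fetched resource schema -->
            <auxiliaryObjectClass>ri:midPointPerson</auxiliaryObjectClass>

            <attribute>
                <ref>ri:dn</ref>
                <outbound>
                    <source><path>$focus/name</path></source>
                    <expression>
                        <script>
                            <code>
                                // Assumed base DN; builds the uid RDN under it.
                                import javax.naming.ldap.LdapName
                                import javax.naming.ldap.Rdn
                                def dn = new LdapName('ou=people,dc=example,dc=com')
                                dn.add(new Rdn('uid', name.toString()))
                                return dn.toString()
                            </code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:cn</ref>
                <outbound><source><path>$focus/fullName</path></source></outbound>
            </attribute>
            <attribute>
                <ref>ri:sn</ref>
                <outbound><source><path>$focus/familyName</path></source></outbound>
            </attribute>

            <!-- No <attribute> mapping for midPointAccountStatus: the configured
                 capability below takes that attribute over, so it is no longer an
                 account attribute and $projection/midPointAccountStatus does not
                 resolve. The activation mapping is the right place instead. -->
            <activation>
                <administrativeStatus>
                    <outbound>
                        <!-- strong so midPoint re-asserts the value on every
                             recompute, not only when it changes -->
                        <strength>strong</strength>
                    </outbound>
                </administrativeStatus>
            </activation>
        </objectType>
    </schemaHandling>

    <capabilities>
        <configured>
            <cap:activation>
                <cap:status>
                    <!-- Assumed name: must match the attribute in your midpoint.ldif -->
                    <cap:attribute>ri:midPointAccountStatus</cap:attribute>
                    <cap:enableValue>enabled</cap:enableValue>
                    <cap:disableValue>disabled</cap:disableValue>
                </cap:status>
            </cap:activation>
        </configured>
    </capabilities>
</resource>
```

After importing the resource, run Test Connection again so the schema is re-fetched, then verify the result on a projection's Activation tab rather than in its attribute list, where the simulated attribute is hidden by design. Two things worth checking on the LDAP side: the created entry must carry both objectClass values (inetOrgPerson and midPointPerson), and the status attribute is only a marker. OpenLDAP does not refuse a bind for an entry whose midPointAccountStatus is disabled, so any application that authenticates against the directory must read and honour that attribute (or a password policy must enforce the lockout) for a midPoint disable to actually block access.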