[midPoint] Problem when I try to remove LDAP attribute on Midpoint

Paul Engle pengle at rice.edu
Tue Jul 19 17:34:59 CEST 2022


It's been my experience with the LDAP connector that if the LDAP
attribute is multi-valued, then you have to have a target set defined for
the outbound mapping. Otherwise, midpoint won't delete values from LDAP
when the source attribute changes. Try this for your mapping:

<attribute id="49">
    <ref>ri:MB-NOM-APE</ref>
    <outbound>
        <trace>true</trace>
        <strength>strong</strength>
        <source>
            <path>$focus/extension/nomApe</path>
        </source>
        <expression>
            <trace>true</trace>
            <asIs/>
        </expression>
        <!-- range (target set): every existing value of MB-NOM-APE is
             treated as midPoint-managed, so values the mapping no longer
             produces are removed from LDAP -->
        <target>
            <set>
                <predefined>all</predefined>
            </set>
        </target>
    </outbound>
</attribute>


That tells midpoint that it is to replace all the values on the LDAP side
with the data received from midpoint. However, if you have data existing in
LDAP that you don't want removed, then you'll have to tune the target set
with a script to manage only those values you want midpoint to touch.

The docs page
https://docs.evolveum.com/midpoint/reference/expressions/mappings/range/
has more information about mapping ranges.


-- 
Paul Engle
IAM Architect
Identity & Access Management
pengle at rice.edu 713-348-4702
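
An added example, not part of Paul's reply and not code from the midPoint project: the two range definitions side by side, built on the same `ri:MB-NOM-APE` mapping from this thread. Variant A is the `predefined` range from the reply; Variant B is the scripted range Paul refers to, where a `<condition>` decides per value whether midPoint owns it. The rule used in the script (values made up only of digits belong to another system and must not be touched, while anything else is midPoint's) is an assumption chosen to match the ldapsearch output quoted below, where every pre-existing value is numeric and only `DTS` came from midPoint; replace it with whatever convention actually distinguishes your data.

```xml
<!-- Variant A: midPoint owns the whole attribute. Any value present in LDAP
     that the mapping does not produce is deleted on the next provisioning
     or reconciliation run. -->
<attribute>
    <ref>ri:MB-NOM-APE</ref>
    <outbound>
        <strength>strong</strength>
        <source>
            <path>$focus/extension/nomApe</path>
        </source>
        <expression>
            <asIs/>
        </expression>
        <target>
            <set>
                <predefined>all</predefined>
            </set>
        </target>
    </outbound>
</attribute>

<!-- Variant B: restricted range. The condition script is evaluated once for
     each existing value of the target attribute, available as 'input'.
     Returning true means "this value is midPoint-managed" and it may be
     removed when the source no longer produces it; returning false leaves
     the value alone even though midPoint never wrote it.
     ASSUMPTION (illustrative only): digit-only values belong to another
     system; everything else is managed by midPoint. -->
<attribute>
    <ref>ri:MB-NOM-APE</ref>
    <outbound>
        <strength>strong</strength>
        <source>
            <path>$focus/extension/nomApe</path>
        </source>
        <expression>
            <asIs/>
        </expression>
        <target>
            <set>
                <condition>
                    <script>
                        <code>
                            // 'input' is one existing LDAP value (String);
                            // true = in range (midPoint may delete it),
                            // false = out of range (never touched).
                            return !(input ==~ /^[0-9]+$/)
                        </code>
                    </script>
                </condition>
            </set>
        </target>
    </outbound>
</attribute>
```

After switching between the variants, reconcile the affected account and re-run the ldapsearch quoted further down: with Variant A every value except the one computed by the mapping disappears, with Variant B the digit-only values survive and only `DTS` is added or removed as `nomApe` changes. Check the mapping trace for a `removed:` line followed by an actual MODIFY on the resource; the trace alone, as the original report shows, does not prove the delete reached LDAP.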


On Mon, Jul 18, 2022 at 10:10 AM Douglas Alves via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hello everyone,
> I found a problem that I can't resolve. I'm removing an attribute called
> "NOM-APE" from Midpoint, but that change wasn't applied to LDAP. That
> attribute works like a multivalued attribute, but inside the configuration
> it's a monovalued one.
>
> That's my extended schema configuration:
>
> ```
> <xsd:element name="nomApe" type="xsd:string" minOccurs="0" maxOccurs="1">
>     <xsd:annotation>
>          <xsd:appinfo>
>             <a:indexed>true</a:indexed>
>             <a:displayName>NOM-APE</a:displayName>
>             <a:displayOrder>135</a:displayOrder>
>             <a:help>APELIDO</a:help>
>         </xsd:appinfo>
>     </xsd:annotation>
>  </xsd:element>
> ```
>
> On the Role XML I turned on the traces to try to find the problem:
>
> ```
> <attribute id="49">
>     <ref>ri:MB-NOM-APE</ref>
>     <outbound>
>         <trace>true</trace>
>         <strength>strong</strength>
>         <source>
>             <path>$focus/extension/nomApe</path>
>         </source>
>         <expression>
>             <trace>true</trace>
>             <asIs/>
>         </expression>
>     </outbound>
> </attribute>
> ```
>
> On the LDAP resource XML the attribute was mapped like this:
>
> ```
> <xsd:element maxOccurs="1" minOccurs="0" name="MB-NOM-APE" type="xsd:string">
>     <xsd:annotation>
>         <xsd:appinfo>
>             <a:displayOrder>180</a:displayOrder>
>             <a:matchingRule xmlns:qn390="http://prism.evolveum.com/xml/ns/public/matching-rule-3">qn390:stringIgnoreCase</a:matchingRule>
>             <ra:nativeAttributeName>MB-NOM-APE</ra:nativeAttributeName>
>             <ra:frameworkAttributeName>MB-NOM-APE</ra:frameworkAttributeName>
>         </xsd:appinfo>
>     </xsd:annotation>
> </xsd:element>
> ```
>
> Trying to replace this value on the user, the trace log shows the value
> being added like a multivalued attribute, i.e.:
>
> ```
> 2022-07-18 11:33:17,051 [MODEL] [pool-3-thread-13] INFO
> (com.evolveum.midpoint.model.common.mapping.AbstractMappingImpl): Mapping
> trace:
> ---[ MAPPING  in outbound mapping for attribute
> {.../resource/instance-3}MB-NOM-APE in
> role:f003a8b0-8693-4184-9dfa-36dba1d9f40b(Perfil Básico
> Parceiro)]---------------------------
> Strength: STRONG
> Source nomApe:
>   old: null
>   delta: PropertyDeltaImpl(extension / {
> http://zurich.com/xml/ns/userSchema}nomApe, REPLACE)
>   new: PP({http://zurich.com/xml/ns/userSchema}nomApe):[PPV(String:DTS)]
> Target: rRAD:{.../resource/instance-3}MB-NOM-APE {xsd:}string[0,1],RAM
> native=MB-NOM-APE framework=MB-NOM-APE,Disp:MODEL
> Expression: asIs
> Condition: true -> true
> Result: added: DTS
> ```
>
> But the value is appended to the LDAP user entry.
>
> ```
> ldapsearch -LLL -x -H ldap://localhost:389 -D 'cn=admin,c=br' -w ? -b
> 'uid=E222222,ou=Usuarios,o=SFMB,c=br' -s sub "(objectClass=*)" MB-NOM-APE
> dn: uid=E222222,ou=Usuarios,o=SFMB,c=br
> MB-NOM-APE: 661736
> MB-NOM-APE: 423534
> MB-NOM-APE: 669999
> MB-NOM-APE: 139999
> MB-NOM-APE: 609999
> MB-NOM-APE: 579999
> MB-NOM-APE: 6999999
> MB-NOM-APE: 6999998
> MB-NOM-APE: 660457
> MB-NOM-APE: 699999
> MB-NOM-APE: 679999
> MB-NOM-APE: DTS
> ```
>
> And when I try to remove this value in Midpoint, the Midpoint tracing
> looks OK to me:
>
> ```
> 2022-07-18 11:40:49,720 [MODEL] [pool-3-thread-14] INFO
> (com.evolveum.midpoint.model.common.mapping.AbstractMappingImpl): Mapping
> trace:
> ---[ MAPPING  in outbound mapping for attribute
> {.../resource/instance-3}MB-NOM-APE in
> role:f003a8b0-8693-4184-9dfa-36dba1d9f40b(Perfil Básico
> Parceiro)]---------------------------
> Strength: STRONG
> Source nomApe:
>   old: PP({http://zurich.com/xml/ns/userSchema}nomApe):[PPV(String:DTS)]
>   delta: PropertyDeltaImpl(extension / {
> http://zurich.com/xml/ns/userSchema}nomApe, DELETE)
>   new: PP({http://zurich.com/xml/ns/userSchema}nomApe):[]
> Target: rRAD:{.../resource/instance-3}MB-NOM-APE {xsd:}string[0,1],RAM
> native=MB-NOM-APE framework=MB-NOM-APE,Disp:MODEL
> Expression: asIs
> Condition: true -> true
> Result: removed: DTS
> ```
>
> But the attribute wasn't removed:
>
> ```
> ldapsearch -LLL -x -H ldap://localhost:389 -D 'cn=admin,c=br' -w ? -b
> 'uid=E222222,ou=Usuarios,o=SFMB,c=br' -s sub "(objectClass=*)" MB-NOM-APE
> dn: uid=E222222,ou=Usuarios,o=SFMB,c=br
> MB-NOM-APE: 661736
> MB-NOM-APE: 423534
> MB-NOM-APE: 669999
> MB-NOM-APE: 139999
> MB-NOM-APE: 609999
> MB-NOM-APE: 579999
> MB-NOM-APE: 6999999
> MB-NOM-APE: 6999998
> MB-NOM-APE: 660457
> MB-NOM-APE: 699999
> MB-NOM-APE: 679999
> MB-NOM-APE: DTS
> ```
>
> I've tried changing the role configuration and the resource configuration
> XML, but none of them works. I hope someone can help me with this trouble.
>
> Best Regards,
>
> Douglas Alves.
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>