[midPoint] Problem with auxiliaryObjectClass definition in LDAP Connector on midPoint 4.6
Patrik Sidler
patrik.sidler at itconcepts.ch
Thu Nov 24 17:28:31 CET 2022
Hi Pedro,
Thank you for your help. I have tried your way, but I think it still does not work.
I have the following definition in my LDAP resource:
<schema>
  <generationConstraints>
    <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
    <generateObjectClass>ri:groupOfNames</generateObjectClass>
    <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
    <generateObjectClass>ri:organizationalUnit</generateObjectClass>
    <generateObjectClass>ri:ipaObject</generateObjectClass>
    <generateObjectClass>ri:iamUser</generateObjectClass>
    <generateObjectClass>ri:inetUser</generateObjectClass>
    <generateObjectClass>ri:ipaSshUser</generateObjectClass>
    <generateObjectClass>ri:krbTicketPolicyAux</generateObjectClass>
    <generateObjectClass>ri:krbPrincipalAux</generateObjectClass>
    <generateObjectClass>ri:aspectraUser</generateObjectClass>
    <generateObjectClass>ri:posixAccount</generateObjectClass>
    <generateObjectClass>ri:ipaNTUserAttrs</generateObjectClass>
    <generateObjectClass>ri:ipaNTGroupAttrs</generateObjectClass>
  </generationConstraints>
</schema>
<schemaHandling>
  <objectType id="4">
    <kind>account</kind>
    <intent>ldapAccount</intent>
    <displayName>LDAP Account</displayName>
    <default>true</default>
    <auxiliaryObjectClassMappings>
      <tolerant>true</tolerant>
    </auxiliaryObjectClassMappings>
    <delineation>
      <objectClass>ri:inetOrgPerson</objectClass>
      <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:iamUser</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:inetUser</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:krbTicketPolicyAux</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:krbPrincipalAux</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:aspectraUser</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:ipaNTUserAttrs</auxiliaryObjectClass>
    </delineation>
    <focus>
      <type>c:UserType</type>
    </focus>
    <attribute id="86">
      <ref>ri:uid</ref>
      <outbound>
        <name>uid</name>
        <source>
          <path>$focus/name</path>
        </source>
        <enabled>true</enabled>
      </outbound>
      <inbound id="88">
        <name>uid</name>
        <target>
          <path>c:name</path>
        </target>
        <enabled>true</enabled>
      </inbound>
    </attribute>
    <association id="8">
      <ref>ri:ldapGroupMember</ref>
      <displayName>LDAP Group Member</displayName>
      <tolerant>true</tolerant>
      <exclusiveStrong>false</exclusiveStrong>
      <kind>entitlement</kind>
      <intent>ldapGroup</intent>
      <direction>objectToSubject</direction>
      <associationAttribute>ri:member</associationAttribute>
      <valueAttribute>ri:dn</valueAttribute>
      <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
    </association>
    <activation>
      <existence>
        <outbound id="32">
          <strength>weak</strength>
          <expression>
            <path>$focusExists</path>
          </expression>
        </outbound>
      </existence>
    </activation>
    <correlation>
      <correlators>
        <items id="41">
          <name>Correlation_LDAP</name>
          <enabled>true</enabled>
          <item id="42">
            <ref>c:name</ref>
          </item>
        </items>
      </correlators>
    </correlation>
    <synchronization>
      <reaction id="46">
        <name>Linked</name>
        <situation>linked</situation>
      </reaction>
      <reaction id="47">
        <name>Unlinked</name>
        <situation>unlinked</situation>
        <actions>
          <link id="50">
            <synchronize>true</synchronize>
            <reconcile>true</reconcile>
          </link>
        </actions>
      </reaction>
      <reaction id="48">
        <name>Deleted</name>
        <situation>deleted</situation>
        <actions>
          <unlink id="51">
            <synchronize>true</synchronize>
            <reconcile>true</reconcile>
          </unlink>
        </actions>
      </reaction>
      <reaction id="49">
        <name>Unmatched</name>
        <situation>unmatched</situation>
        <actions>
          <addFocus id="52">
            <synchronize>true</synchronize>
          </addFocus>
        </actions>
      </reaction>
    </synchronization>
  </objectType>
  <objectType id="9">
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <displayName>LDAP Group</displayName>
    <default>true</default>
    <objectClass>ri:groupOfNames</objectClass>
    <auxiliaryObjectClassMappings>
      <tolerant>true</tolerant>
    </auxiliaryObjectClassMappings>
    <delineation>
      <objectClass>ri:groupOfNames</objectClass>
      <auxiliaryObjectClass>ri:ipaNTGroupAttrs</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
    </delineation>
    <focus>
      <type>c:RoleType</type>
    </focus>
    <attribute id="10">
      <ref>ri:description</ref>
      <tolerant>true</tolerant>
      <exclusiveStrong>false</exclusiveStrong>
      <inbound id="12">
        <authoritative>true</authoritative>
        <exclusive>false</exclusive>
        <strength>normal</strength>
        <target>
          <path>description</path>
        </target>
      </inbound>
    </attribute>
    <attribute id="11">
      <ref>ri:dn</ref>
      <tolerant>true</tolerant>
      <exclusiveStrong>false</exclusiveStrong>
      <inbound id="13">
        <authoritative>true</authoritative>
        <exclusive>false</exclusive>
        <strength>normal</strength>
        <target>
          <path>name</path>
        </target>
      </inbound>
    </attribute>
    <attribute id="24">
      <ref>ri:cn</ref>
      <tolerant>true</tolerant>
      <exclusiveStrong>false</exclusiveStrong>
      <inbound id="25">
        <authoritative>true</authoritative>
        <exclusive>false</exclusive>
        <strength>normal</strength>
        <target>
          <path>displayName</path>
        </target>
      </inbound>
    </attribute>
    <synchronization>
      <reaction id="54">
        <name>Linked</name>
        <situation>linked</situation>
      </reaction>
      <reaction id="55">
        <name>Unlinked</name>
        <situation>unlinked</situation>
        <actions>
          <link id="58">
            <synchronize>true</synchronize>
            <reconcile>true</reconcile>
            <objectTemplateRef oid="5c025649-cd36-4d6f-a825-89737f24212c" relation="org:default" type="c:ObjectTemplateType">
              <!-- LDAP Group Import Template -->
            </objectTemplateRef>
          </link>
        </actions>
      </reaction>
      <reaction id="56">
        <name>Deleted</name>
        <situation>deleted</situation>
        <actions>
          <unlink id="59">
            <synchronize>true</synchronize>
            <reconcile>true</reconcile>
            <objectTemplateRef oid="5c025649-cd36-4d6f-a825-89737f24212c" relation="org:default" type="c:ObjectTemplateType">
              <!-- LDAP Group Import Template -->
            </objectTemplateRef>
          </unlink>
        </actions>
      </reaction>
      <reaction id="57">
        <name>Unmatched</name>
        <situation>unmatched</situation>
        <actions>
          <addFocus id="60">
            <synchronize>true</synchronize>
            <reconcile>true</reconcile>
            <objectTemplateRef oid="5c025649-cd36-4d6f-a825-89737f24212c" relation="org:default" type="c:ObjectTemplateType">
              <!-- LDAP Group Import Template -->
            </objectTemplateRef>
          </addFocus>
        </actions>
      </reaction>
    </synchronization>
  </objectType>
</schemaHandling>
But depending on the user to whom I try to assign a role (adding an LDAP account to an LDAP group), I get the following error:
com.evolveum.midpoint.util.exception.SecurityViolationException: org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error modifying LDAP entry uid=xxxxx,cn=users,cn=accounts,dc=yyyyyyyy,dc=zzzzzz,dc=net: [add:objectClass=ipaSshUser,]: insufficientAccessRights: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'uid= xxxxx,cn=users,cn=accounts,dc= yyyyyyyy,dc= zzzzzz,dc=net'.? (50))
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil.processConnectorException(ConnIdUtil.java:276)
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil.processConnIdException(ConnIdUtil.java:219)
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.modifyObjectDelta(ConnectorInstanceConnIdImpl.java:999)
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.modifyObject(ConnectorInstanceConnIdImpl.java:927)
at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.executeModify(ResourceObjectConverter.java:849)
at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.modifyResourceObject(ResourceObjectConverter.java:634)
at com.evolveum.midpoint.provisioning.impl.shadows.ModifyHelper.modifyShadowAttempt(ModifyHelper.java:199)
at com.evolveum.midpoint.provisioning.impl.shadows.ModifyHelper.modifyShadow(ModifyHelper.java:126)
at com.evolveum.midpoint.provisioning.impl.shadows.ShadowsFacade.modifyShadow(ShadowsFacade.java:90)
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.modifyObject(ProvisioningServiceImpl.java:465)
at com.evolveum.midpoint.model.impl.lens.executor.DeltaExecution.modifyProvisioningObject(DeltaExecution.java:612)
at com.evolveum.midpoint.model.impl.lens.executor.DeltaExecution.executeModification(DeltaExecution.java:557)
at com.evolveum.midpoint.model.impl.lens.executor.DeltaExecution.execute(DeltaExecution.java:169)
at com.evolveum.midpoint.model.impl.lens.executor.ProjectionChangeExecution.execute(ProjectionChangeExecution.java:129)
at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeProjectionsChanges(ChangeExecutor.java:98)
at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeChanges(ChangeExecutor.java:61)
Assigning this role to the same user worked with midPoint 4.4.3.
Best Regards,
Patrik
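The error above shows midPoint issuing `add:objectClass=ipaSshUser` against a user entry and the directory refusing it because the connector's bind DN has no write privilege on `objectClass`. Which users trigger that modification depends on which of the auxiliary object classes declared in the `delineation` are already present on their entries. The following script is an added example, not part of this thread and not midPoint code: it reads a resource fragment shaped like the one posted plus an LDIF dump of the account entries, flags auxiliary object classes that are referenced in a delineation but missing from `generationConstraints` (so the connector generates no schema for them), and lists the entries on which midPoint would have to add an object class. The resource XML and LDIF below are constructed samples (`ipaSshUser` is deliberately left out of the sample `generationConstraints`, and the user names and base DN are made up).

```python
"""Predict which LDAP entries midPoint would modify to satisfy the auxiliary
object classes declared in a resource's schemaHandling delineation.

Added example; not midPoint code and not from the original thread. It assumes
the resource XML is shaped like the fragment posted (objectType/delineation/
auxiliaryObjectClass) and that the LDIF is a plain, unfolded dump of entries.
"""
import xml.etree.ElementTree as ET

# Constructed, trimmed resource fragment. ipaSshUser is intentionally missing
# from generationConstraints so the config check has something to report.
RESOURCE_XML = """<resource>
<schema>
  <generationConstraints>
    <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
    <generateObjectClass>ri:ipaObject</generateObjectClass>
    <generateObjectClass>ri:posixAccount</generateObjectClass>
  </generationConstraints>
</schema>
<schemaHandling>
  <objectType id="4">
    <kind>account</kind>
    <intent>ldapAccount</intent>
    <auxiliaryObjectClassMappings><tolerant>true</tolerant></auxiliaryObjectClassMappings>
    <delineation>
      <objectClass>ri:inetOrgPerson</objectClass>
      <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
    </delineation>
  </objectType>
</schemaHandling>
</resource>"""

# Constructed LDIF: two users, only one of which already carries ipaSshUser.
SAMPLE_LDIF = """dn: uid=alice,cn=users,cn=accounts,dc=example,dc=net
objectClass: inetOrgPerson
objectClass: ipaObject
objectClass: ipaSshUser
objectClass: posixAccount
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=net
objectClass: inetOrgPerson
objectClass: ipaObject
objectClass: posixAccount
uid: bob
"""


def local_name(qname):
    """Strip the 'ri:' prefix; LDAP object class names are case-insensitive."""
    return qname.split(":", 1)[-1].strip().lower()


def declared_object_classes(resource_xml):
    """Map (kind, intent) -> structural class, declared aux classes, tolerant flag."""
    root = ET.fromstring(resource_xml)
    result = {}
    for ot in root.iter("objectType"):
        delineation = ot.find("delineation")
        if delineation is None:
            continue
        result[(ot.findtext("kind"), ot.findtext("intent"))] = {
            "structural": local_name(delineation.findtext("objectClass")),
            "aux": {local_name(e.text) for e in delineation.findall("auxiliaryObjectClass")},
            "tolerant": ot.findtext("auxiliaryObjectClassMappings/tolerant") == "true",
        }
    return result


def generated_object_classes(resource_xml):
    root = ET.fromstring(resource_xml)
    return {local_name(e.text) for e in root.iter("generateObjectClass")}


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, no folding or base64."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_config(resource_xml):
    """Object classes used in a delineation but absent from generationConstraints."""
    generated = generated_object_classes(resource_xml)
    problems = {}
    for key, spec in declared_object_classes(resource_xml).items():
        missing = sorted((spec["aux"] | {spec["structural"]}) - generated)
        if missing:
            problems[key] = missing
    return problems


def entries_needing_objectclass_add(resource_xml, ldif_text, kind="account", intent="ldapAccount"):
    """Entries of the given type that lack a declared aux class. These are the
    entries for which midPoint would send add:objectClass=<class>, the
    modification the thread's bind DN was not allowed to make."""
    spec = declared_object_classes(resource_xml)[(kind, intent)]
    report = {}
    for entry in parse_ldif(ldif_text):
        present = {v.lower() for v in entry.get("objectClass", [])}
        if spec["structural"] not in present:
            continue  # not an object of this type
        missing = sorted(spec["aux"] - present)
        if missing:
            report[entry["dn"][0]] = missing
    return report


if __name__ == "__main__":
    print("config problems:", check_config(RESOURCE_XML))
    for dn, missing in entries_needing_objectclass_add(RESOURCE_XML, SAMPLE_LDIF).items():
        print(f"{dn}: midPoint would add objectClass {missing}; the bind DN needs write access to objectClass")
```

Run it against a real export (`ldapsearch -LLL -b cn=users,cn=accounts,... objectClass uid`, unfolded) and the resource XML pulled from "Edit Raw" to get the list of accounts that will hit the ACI before assigning roles in bulk; the fix is then either to grant the connector's bind DN write access to `objectClass` on those entries or to stop declaring an auxiliary object class the entries do not carry.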
From: Pedro Marques <pmbm at fct.unl.pt>
Sent: Thursday, 24 November 2022 17:11
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Cc: Patrik Sidler <patrik.sidler at itconcepts.ch>
Subject: Re: [midPoint] Problem with auxiliaryObjectClass definition in LDAP Connector on midPoint 4.6
Hi,
From my experience, you can use the same config in version 4.6
<auxiliaryObjectClassMappings>
  <tolerant>true</tolerant>
</auxiliaryObjectClassMappings>
In my case I do it using the "Edit Raw" option on the resource. It seems to have the same behaviour as in previous versions of midPoint. I also have not found how this option relates to the GUI wizard.
----
<auxiliaryObjectClassMappings>
  <tolerant>true</tolerant>
</auxiliaryObjectClassMappings>
<delineation>
  <objectClass>ri:inetOrgPerson</objectClass>
  <auxiliaryObjectClass>ri:qmailUser</auxiliaryObjectClass>
</delineation>
----
Hope it helps.
Best regards
Patrik Sidler via midPoint <midpoint at lists.evolveum.com> wrote on Thursday, 24/11/2022 at 14:09:
Hi All,
I am having a problem configuring the auxiliaryObjectClass on my LDAP Connector (version 3.5) running on midPoint 4.6.
The configuration on midPoint 4.4.3 (LDAP Connector) worked perfectly:
<objectClass>ri:inetOrgPerson</objectClass>
<auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:iamUser</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:inetUser</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:krbTicketPolicyAux</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:krbPrincipalAux</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:aspectraUser</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:ipaNTUserAttrs</auxiliaryObjectClass>
<auxiliaryObjectClassMappings>
  <tolerant>true</tolerant>
</auxiliaryObjectClassMappings>
With midPoint 4.6 and LDAP Connector 3.5, the configuration looks like the following:
<objectType id="4">
  <kind>account</kind>
  <intent>ldapAccount</intent>
  <displayName>LDAP Account</displayName>
  <default>true</default>
  <delineation>
    <objectClass>ri:inetOrgPerson</objectClass>
    <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:iamUser</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:inetUser</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:krbTicketPolicyAux</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:krbPrincipalAux</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:aspectraUser</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:ipaNTUserAttrs</auxiliaryObjectClass>
  </delineation>
But I am not able to set the auxiliaryObjectClassMappings to tolerant. I also found no description or example of how to do this with the new wizard…
Does anyone have an idea how to solve this problem?
Thank you in advance for your help.
Best regards
Patrik
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint