[midPoint] Problem with auxiliaryObjectClass definition in LDAP Connector on midPoint 4.6

Pedro Marques pmbm at fct.unl.pt
Fri Nov 25 19:07:28 CET 2022


I faced that error when I configured the connector with a Bind DN user
without write permissions on LDAP. From what I can see in the log, the LDAP
connector tried to add an objectClass attribute to the user entry, but
failed to write that attribute, probably due to wrong permissions.
Can you reproduce this operation with an ldapmodify command using the same
user (bind DN) that you configured in the connector, and see if you get the
same error?


Patrik Sidler <patrik.sidler at itconcepts.ch> wrote on Thursday,
24/11/2022 at 16:28:

> Hi Pedro,
>
>
>
> Thank you for your help, I have tried your way but I think it still does
> not work.
>
>
>
> I have the following Definition in my LDAP Resource:
>
>
>
> <schema>
>     <generationConstraints>
>         <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
>         <generateObjectClass>ri:groupOfNames</generateObjectClass>
>         <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
>         <generateObjectClass>ri:organizationalUnit</generateObjectClass>
>         <generateObjectClass>ri:ipaObject</generateObjectClass>
>         <generateObjectClass>ri:iamUser</generateObjectClass>
>         <generateObjectClass>ri:inetUser</generateObjectClass>
>         <generateObjectClass>ri:ipaSshUser</generateObjectClass>
>         <generateObjectClass>ri:krbTicketPolicyAux</generateObjectClass>
>         <generateObjectClass>ri:krbPrincipalAux</generateObjectClass>
>         <generateObjectClass>ri:aspectraUser</generateObjectClass>
>         <generateObjectClass>ri:posixAccount</generateObjectClass>
>         <generateObjectClass>ri:ipaNTUserAttrs</generateObjectClass>
>         <generateObjectClass>ri:ipaNTGroupAttrs</generateObjectClass>
>     </generationConstraints>
> </schema>
> <schemaHandling>
>     <objectType id="4">
>         <kind>account</kind>
>         <intent>ldapAccount</intent>
>         <displayName>LDAP Account</displayName>
>         <default>true</default>
>         <auxiliaryObjectClassMappings>
>             <tolerant>true</tolerant>
>         </auxiliaryObjectClassMappings>
>         <delineation>
>             <objectClass>ri:inetOrgPerson</objectClass>
>             <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
>             <auxiliaryObjectClass>ri:iamUser</auxiliaryObjectClass>
>             <auxiliaryObjectClass>ri:inetUser</auxiliaryObjectClass>
>             <auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
>             <auxiliaryObjectClass>ri:krbTicketPolicyAux</auxiliaryObjectClass>
>             <auxiliaryObjectClass>ri:krbPrincipalAux</auxiliaryObjectClass>
>             <auxiliaryObjectClass>ri:aspectraUser</auxiliaryObjectClass>
>             <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
>             <auxiliaryObjectClass>ri:ipaNTUserAttrs</auxiliaryObjectClass>
>         </delineation>
>         <focus>
>             <type>c:UserType</type>
>         </focus>
>         <attribute id="86">
>             <ref>ri:uid</ref>
>             <outbound>
>                 <name>uid</name>
>                 <source>
>                     <path>$focus/name</path>
>                 </source>
>                 <enabled>true</enabled>
>             </outbound>
>             <inbound id="88">
>                 <name>uid</name>
>                 <target>
>                     <path>c:name</path>
>                 </target>
>                 <enabled>true</enabled>
>             </inbound>
>         </attribute>
>         <association id="8">
>             <ref>ri:ldapGroupMember</ref>
>             <displayName>LDAP Group Member</displayName>
>             <tolerant>true</tolerant>
>             <exclusiveStrong>false</exclusiveStrong>
>             <kind>entitlement</kind>
>             <intent>ldapGroup</intent>
>             <direction>objectToSubject</direction>
>             <associationAttribute>ri:member</associationAttribute>
>             <valueAttribute>ri:dn</valueAttribute>
>             <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>         </association>
>         <activation>
>             <existence>
>                 <outbound id="32">
>                     <strength>weak</strength>
>                     <expression>
>                         <path>$focusExists</path>
>                     </expression>
>                 </outbound>
>             </existence>
>         </activation>
>         <correlation>
>             <correlators>
>                 <items id="41">
>                     <name>Correlation_LDAP</name>
>                     <enabled>true</enabled>
>                     <item id="42">
>                         <ref>c:name</ref>
>                     </item>
>                 </items>
>             </correlators>
>         </correlation>
>         <synchronization>
>             <reaction id="46">
>                 <name>Linked</name>
>                 <situation>linked</situation>
>             </reaction>
>             <reaction id="47">
>                 <name>Unlinked</name>
>                 <situation>unlinked</situation>
>                 <actions>
>                     <link id="50">
>                         <synchronize>true</synchronize>
>                         <reconcile>true</reconcile>
>                     </link>
>                 </actions>
>             </reaction>
>             <reaction id="48">
>                 <name>Deleted</name>
>                 <situation>deleted</situation>
>                 <actions>
>                     <unlink id="51">
>                         <synchronize>true</synchronize>
>                         <reconcile>true</reconcile>
>                     </unlink>
>                 </actions>
>             </reaction>
>             <reaction id="49">
>                 <name>Unmatched</name>
>                 <situation>unmatched</situation>
>                 <actions>
>                     <addFocus id="52">
>                         <synchronize>true</synchronize>
>                     </addFocus>
>                 </actions>
>             </reaction>
>         </synchronization>
>     </objectType>
>     <objectType id="9">
>         <kind>entitlement</kind>
>         <intent>ldapGroup</intent>
>         <displayName>LDAP Group</displayName>
>         <default>true</default>
>         <objectClass>ri:groupOfNames</objectClass>
>         <auxiliaryObjectClassMappings>
>             <tolerant>true</tolerant>
>         </auxiliaryObjectClassMappings>
>         <delineation>
>             <objectClass>ri:groupOfNames</objectClass>
>             <auxiliaryObjectClass>ri:ipaNTGroupAttrs</auxiliaryObjectClass>
>             <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
>         </delineation>
>         <focus>
>             <type>c:RoleType</type>
>         </focus>
>         <attribute id="10">
>             <ref>ri:description</ref>
>             <tolerant>true</tolerant>
>             <exclusiveStrong>false</exclusiveStrong>
>             <inbound id="12">
>                 <authoritative>true</authoritative>
>                 <exclusive>false</exclusive>
>                 <strength>normal</strength>
>                 <target>
>                     <path>description</path>
>                 </target>
>             </inbound>
>         </attribute>
>         <attribute id="11">
>             <ref>ri:dn</ref>
>             <tolerant>true</tolerant>
>             <exclusiveStrong>false</exclusiveStrong>
>             <inbound id="13">
>                 <authoritative>true</authoritative>
>                 <exclusive>false</exclusive>
>                 <strength>normal</strength>
>                 <target>
>                     <path>name</path>
>                 </target>
>             </inbound>
>         </attribute>
>         <attribute id="24">
>             <ref>ri:cn</ref>
>             <tolerant>true</tolerant>
>             <exclusiveStrong>false</exclusiveStrong>
>             <inbound id="25">
>                 <authoritative>true</authoritative>
>                 <exclusive>false</exclusive>
>                 <strength>normal</strength>
>                 <target>
>                     <path>displayName</path>
>                 </target>
>             </inbound>
>         </attribute>
>         <synchronization>
>             <reaction id="54">
>                 <name>Linked</name>
>                 <situation>linked</situation>
>             </reaction>
>             <reaction id="55">
>                 <name>Unlinked</name>
>                 <situation>unlinked</situation>
>                 <actions>
>                     <link id="58">
>                         <synchronize>true</synchronize>
>                         <reconcile>true</reconcile>
>                         <objectTemplateRef oid="5c025649-cd36-4d6f-a825-89737f24212c" relation="org:default" type="c:ObjectTemplateType">
>                             <!-- LDAP Group Import Template -->
>                         </objectTemplateRef>
>                     </link>
>                 </actions>
>             </reaction>
>             <reaction id="56">
>                 <name>Deleted</name>
>                 <situation>deleted</situation>
>                 <actions>
>                     <unlink id="59">
>                         <synchronize>true</synchronize>
>                         <reconcile>true</reconcile>
>                         <objectTemplateRef oid="5c025649-cd36-4d6f-a825-89737f24212c" relation="org:default" type="c:ObjectTemplateType">
>                             <!-- LDAP Group Import Template -->
>                         </objectTemplateRef>
>                     </unlink>
>                 </actions>
>             </reaction>
>             <reaction id="57">
>                 <name>Unmatched</name>
>                 <situation>unmatched</situation>
>                 <actions>
>                     <addFocus id="60">
>                         <synchronize>true</synchronize>
>                         <reconcile>true</reconcile>
>                         <objectTemplateRef oid="5c025649-cd36-4d6f-a825-89737f24212c" relation="org:default" type="c:ObjectTemplateType">
>                             <!-- LDAP Group Import Template -->
>                         </objectTemplateRef>
>                     </addFocus>
>                 </actions>
>             </reaction>
>         </synchronization>
>     </objectType>
> </schemaHandling>
>
>
>
>
>
> But depending on the User I try to assign a Role (Adding a LDAP Account to
> a LDAP Group), I get the following Error:
>
>
>
> com.evolveum.midpoint.util.exception.SecurityViolationException:
> org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error
> modifying LDAP entry
> uid=xxxxx,cn=users,cn=accounts,dc=yyyyyyyy,dc=zzzzzz,dc=net:
> [add:objectClass=ipaSshUser,]: insufficientAccessRights: Insufficient
> 'write' privilege to the 'objectClass' attribute of entry
> 'uid=xxxxx,cn=users,cn=accounts,dc=yyyyyyyy,dc=zzzzzz,dc=net'.? (50))
>         at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil.processConnectorException(ConnIdUtil.java:276)
>         at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil.processConnIdException(ConnIdUtil.java:219)
>         at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.modifyObjectDelta(ConnectorInstanceConnIdImpl.java:999)
>         at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.modifyObject(ConnectorInstanceConnIdImpl.java:927)
>         at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.executeModify(ResourceObjectConverter.java:849)
>         at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.modifyResourceObject(ResourceObjectConverter.java:634)
>         at com.evolveum.midpoint.provisioning.impl.shadows.ModifyHelper.modifyShadowAttempt(ModifyHelper.java:199)
>         at com.evolveum.midpoint.provisioning.impl.shadows.ModifyHelper.modifyShadow(ModifyHelper.java:126)
>         at com.evolveum.midpoint.provisioning.impl.shadows.ShadowsFacade.modifyShadow(ShadowsFacade.java:90)
>         at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.modifyObject(ProvisioningServiceImpl.java:465)
>         at com.evolveum.midpoint.model.impl.lens.executor.DeltaExecution.modifyProvisioningObject(DeltaExecution.java:612)
>         at com.evolveum.midpoint.model.impl.lens.executor.DeltaExecution.executeModification(DeltaExecution.java:557)
>         at com.evolveum.midpoint.model.impl.lens.executor.DeltaExecution.execute(DeltaExecution.java:169)
>         at com.evolveum.midpoint.model.impl.lens.executor.ProjectionChangeExecution.execute(ProjectionChangeExecution.java:129)
>         at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeProjectionsChanges(ChangeExecutor.java:98)
>         at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeChanges(ChangeExecutor.java:61)
>
>
>
> Assigning this Role to the same User worked with midPoint 4.4.3.
>
>
>
> Best Regards,
>
> Patrik
>
>
>
> *From:* Pedro Marques <pmbm at fct.unl.pt>
> *Sent:* Thursday, 24 November 2022 17:11
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Cc:* Patrik Sidler <patrik.sidler at itconcepts.ch>
> *Subject:* Re: [midPoint] Problem with auxiliaryObjectClass definition in
> LDAP Connector on midPoint 4.6
>
>
>
> Hi,
>
>
>
> From my experience, you can use the same config in version 4.6
>
>
>
> <auxiliaryObjectClassMappings>
>     <tolerant>true</tolerant>
> </auxiliaryObjectClassMappings>
>
>
>
> In my case I do it using the "Edit Raw" option on the resource. It seems to
> have the same behaviour that exists in the previous versions of midPoint.
> I also haven't found the relation of this option to the GUI wizard.
>
> ----
>
>             <auxiliaryObjectClassMappings>
>                 <tolerant>true</tolerant>
>             </auxiliaryObjectClassMappings>
>             <delineation>
>                 <objectClass>ri:inetOrgPerson</objectClass>
>                 <auxiliaryObjectClass>ri:qmailUser</auxiliaryObjectClass>
>            </delineation>
>
> ----
>
>
>
> Hope it helps.
>
>
>
> Best regards
>
>
>
>
>
> Patrik Sidler via midPoint <midpoint at lists.evolveum.com> wrote on
> Thursday, 24/11/2022 at 14:09:
>
> Hi All,
>
>
>
> I am having a problem configuring the auxiliaryObjectClass on my LDAP
> Connector (Version 3.5) running on midPoint 4.6.
>
>
>
>
>
> The configuration on midPoint 4.4.3 (LDAP Connector) worked perfectly:
>
>
>
> <objectClass>ri:inetOrgPerson</objectClass>
> <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:iamUser</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:inetUser</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:krbTicketPolicyAux</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:krbPrincipalAux</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:aspectraUser</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:ipaNTUserAttrs</auxiliaryObjectClass>
> <auxiliaryObjectClassMappings>
>     <tolerant>true</tolerant>
> </auxiliaryObjectClassMappings>
>
>
>
>
>
> With midPoint 4.6 and LDAP Connector 3.5, the configuration looks as
> follows:
>
> <objectType id="4">
>     <kind>account</kind>
>     <intent>ldapAccount</intent>
>     <displayName>LDAP Account</displayName>
>     <default>true</default>
>     <delineation>
>         <objectClass>ri:inetOrgPerson</objectClass>
>         <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:iamUser</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:inetUser</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:krbTicketPolicyAux</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:krbPrincipalAux</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:aspectraUser</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:ipaNTUserAttrs</auxiliaryObjectClass>
>     </delineation>
>
>
>
> But I am not able to set the auxiliaryObjectClassMappings to tolerant. I
> also found no description or example of how to do this with the new wizard…
>
>
>
> Does anyone have an idea how to solve this problem?
>
>
>
> Thank you in advance for your help.
>
>
>
> Best regards
>
> Patrik
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>


-- 

Regards
--

*Pedro Marques*

IT Infrastructure Division

Tel: (+351) 21 294 85 96  Ext: 15605


NOVA SCHOOL OF SCIENCE AND TECHNOLOGY | FCT NOVA

Universidade NOVA de Lisboa

Campus de Caparica | 2829-516 Caparica | Portugal

(+351) 21 294 8300

www.fct.unl.pt
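The check Pedro asks for, replaying the connector's failing modify with the OpenLDAP client tools while bound as the connector's own bind DN, as an added example that is not part of the thread or of midPoint or the LDAP connector. It builds the exact LDIF behind the logged operation ([add:objectClass=ipaSshUser]) and names the LDAP result code that ldapmodify returns as its exit status. The server URL, bind DN and password file path in the usage comment are placeholders; the target DN is the redacted one from the log and must be replaced with the real entry.

```sh
#!/bin/sh
# Added example, not from the thread: replay the connector's modify with
# ldapmodify, bound as the same bind DN midPoint uses, to see whether the
# directory itself refuses the objectClass write.
# All connection values are placeholders (assumptions), not from the thread.

# LDIF for the operation shown in the log: add one auxiliary objectClass value.
build_ldif() {
  # $1 = target entry DN, $2 = auxiliary object class to add (e.g. ipaSshUser)
  printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: %s\n-\n' "$1" "$2"
}

# ldapmodify exits with the LDAP result code; name the ones relevant here.
explain_rc() {
  case "$1" in
    0)  echo "success" ;;
    20) echo "attributeOrValueExists (aux class already on the entry)" ;;
    49) echo "invalidCredentials (bind DN or password wrong)" ;;
    50) echo "insufficientAccessRights (bind DN may not write objectClass)" ;;
    65) echo "objectClassViolation (schema rejects the combination)" ;;
    *)  echo "ldap result code $1" ;;
  esac
}

# Run the replay. The bind password is read from a file (-y) so it does not
# appear in the process list, as it would with -w on the command line.
run_repro() {
  # $1 = LDAP URL, $2 = bind DN, $3 = password file, $4 = target DN, $5 = aux class
  if build_ldif "$4" "$5" | ldapmodify -x -H "$1" -D "$2" -y "$3"; then
    rc=0
  else
    rc=$?
  fi
  echo "ldapmodify exit $rc: $(explain_rc "$rc")" >&2
  return "$rc"
}

# Usage (placeholder URL, bind DN and password file; redacted DN from the log):
# run_repro ldaps://ipa.example.net \
#   'uid=midpoint-bind,cn=users,cn=accounts,dc=example,dc=net' /etc/midpoint/ldap.pw \
#   'uid=xxxxx,cn=users,cn=accounts,dc=yyyyyyyy,dc=zzzzzz,dc=net' ipaSshUser
```

If the replay also ends with exit 50, the refusal comes from the directory's access control for that bind DN and not from midPoint; if it succeeds, the difference lies in what the connector sends or in how the bind is made, and the midPoint side is where to look next.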