[midPoint] Problem with auxiliaryObjectClass definition in LDAP Connector on midPoint 4.6
Patrik Sidler
patrik.sidler at itconcepts.ch
Sun Nov 27 14:41:35 CET 2022
Hi Pedro,
Actually, I cannot reproduce it. But I know that with the current resource config, I was able to add an LDAP account to an LDAP group in midPoint 4.6.
The more auxiliaryObjectClasses I add, the more the connector tries to add them to an account whenever an action is executed on this account.
I still think tolerant auxiliaryObjectClass mappings do not work.
Regards
Patrik Sidler
On 25.11.2022 at 19:08, Pedro Marques <pmbm at fct.unl.pt> wrote:
I faced that error when I configured the connector with a Bind DN user without write permissions on LDAP. From what I can see in the log, the LDAP connector tried to add an objectClass attribute to the user entry, but failed to write that attribute, probably due to wrong permissions.
Can you reproduce this operation with an ldapmodify command using the same user (bind DN) that you configured in the connector, and see if you get the same error?
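The replay Pedro suggests, written out as an added example (this is not midPoint or LDAP-connector code). It assumes what Patrik describes, namely that the connector sends `add:objectClass` for every auxiliary class listed in the delineation that the entry does not already carry, and it assumes OpenLDAP's `ldapmodify`, whose exit status is the LDAP result code, so a denied replay exits with 50 (insufficientAccessRights). The LDIF export, DNs, server URI and bind account are placeholders constructed for the example.

```python
"""Which auxiliary object classes will the connector try to add, and how to
replay that add with ldapmodify as the connector's own bind DN.

Added example, not midPoint or LDAP-connector code. Assumptions: (a) the
connector adds every declared auxiliary class the entry lacks, as observed in
the thread; (b) OpenLDAP's ldapmodify, whose exit status is the LDAP result
code. DNs, bind account and the LDIF export below are constructed placeholders.
"""
from __future__ import annotations

import shutil
import subprocess
from typing import Iterable

# Auxiliary object classes declared in the account delineation in the thread.
DECLARED_AUX = [
    "ipaObject", "iamUser", "inetUser", "ipaSshUser", "krbTicketPolicyAux",
    "krbPrincipalAux", "aspectraUser", "posixAccount", "ipaNTUserAttrs",
]

# Constructed LDIF export of an entry that only has some of those classes.
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=net
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: ipaobject
objectClass: posixaccount
objectClass: krbprincipalaux
uid: jdoe
"""

LDAP_RESULT_NAMES = {
    0: "success",
    20: "attributeOrValueExists",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    65: "objectClassViolation",
}


def parse_ldif_entry(ldif: str) -> tuple[str, list[str]]:
    """Return (dn, objectClass values) of a single-entry LDIF export."""
    dn, classes = "", []
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.lower().startswith("objectclass: "):
            classes.append(line.split(":", 1)[1].strip())
    if not dn:
        raise ValueError("LDIF has no dn line")
    return dn, classes


def missing_aux_classes(present: Iterable[str], declared: Iterable[str]) -> list[str]:
    """Declared classes the entry lacks; under assumption (a) the connector adds these.

    objectClass names are case-insensitive in LDAP, so compare lower-cased but
    keep the declared spelling, which is what the connector sends.
    """
    have = {c.lower() for c in present}
    return [c for c in declared if c.lower() not in have]


def modify_ldif(dn: str, add_classes: list[str]) -> str:
    """LDIF change record equivalent to the connector's [add:objectClass=...]."""
    lines = [f"dn: {dn}", "changetype: modify", "add: objectClass"]
    lines += [f"objectClass: {c}" for c in add_classes]
    lines.append("-")
    return "\n".join(lines) + "\n"


def ldapmodify_command(uri: str, bind_dn: str, password_file: str) -> list[str]:
    """Replay the change as the connector's bind DN. Simple bind; -y reads the
    password from a file so no terminal is needed (no -n: access control is
    only evaluated when the server really applies the change)."""
    return ["ldapmodify", "-x", "-H", uri, "-D", bind_dn, "-y", password_file]


def replay(uri: str, bind_dn: str, password_file: str, ldif: str) -> tuple[int, str] | None:
    """Run ldapmodify if installed; return (exit code, LDAP result name)."""
    if shutil.which("ldapmodify") is None:
        return None
    proc = subprocess.run(ldapmodify_command(uri, bind_dn, password_file),
                          input=ldif, text=True, capture_output=True)
    return proc.returncode, LDAP_RESULT_NAMES.get(proc.returncode, "unknown")


if __name__ == "__main__":
    dn, present = parse_ldif_entry(SAMPLE_LDIF)
    to_add = missing_aux_classes(present, DECLARED_AUX)
    print(f"connector will try to add to {dn}: {to_add}")
    ldif = modify_ldif(dn, to_add)
    print(ldif)
    # Placeholder URI, bind DN and password file; point these at the real connector account.
    outcome = replay("ldap://ipa.example.net",
                     "uid=midpoint,cn=sysaccounts,cn=etc,dc=example,dc=net",
                     "/run/secrets/midpoint-ldap.pw", ldif)
    print("ldapmodify not installed" if outcome is None
          else f"ldapmodify exited {outcome[0]} ({outcome[1]})")
```

If the replay exits 50 with the connector's bind DN but succeeds with an administrative bind, the problem is the directory's access control on `objectClass`, not midPoint; if it succeeds with both, look at what midPoint actually sends.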
Patrik Sidler <patrik.sidler at itconcepts.ch> wrote on Thursday, 24/11/2022 at 16:28:
Hi Pedro,
Thank you for your help. I have tried your way, but I think it still does not work.
I have the following Definition in my LDAP Resource:
<schema>
  <generationConstraints>
    <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
    <generateObjectClass>ri:groupOfNames</generateObjectClass>
    <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
    <generateObjectClass>ri:organizationalUnit</generateObjectClass>
    <generateObjectClass>ri:ipaObject</generateObjectClass>
    <generateObjectClass>ri:iamUser</generateObjectClass>
    <generateObjectClass>ri:inetUser</generateObjectClass>
    <generateObjectClass>ri:ipaSshUser</generateObjectClass>
    <generateObjectClass>ri:krbTicketPolicyAux</generateObjectClass>
    <generateObjectClass>ri:krbPrincipalAux</generateObjectClass>
    <generateObjectClass>ri:aspectraUser</generateObjectClass>
    <generateObjectClass>ri:posixAccount</generateObjectClass>
    <generateObjectClass>ri:ipaNTUserAttrs</generateObjectClass>
    <generateObjectClass>ri:ipaNTGroupAttrs</generateObjectClass>
  </generationConstraints>
</schema>
<schemaHandling>
  <objectType id="4">
    <kind>account</kind>
    <intent>ldapAccount</intent>
    <displayName>LDAP Account</displayName>
    <default>true</default>
    <auxiliaryObjectClassMappings>
      <tolerant>true</tolerant>
    </auxiliaryObjectClassMappings>
    <delineation>
      <objectClass>ri:inetOrgPerson</objectClass>
      <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:iamUser</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:inetUser</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:krbTicketPolicyAux</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:krbPrincipalAux</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:aspectraUser</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:ipaNTUserAttrs</auxiliaryObjectClass>
    </delineation>
    <focus>
      <type>c:UserType</type>
    </focus>
    <attribute id="86">
      <ref>ri:uid</ref>
      <outbound>
        <name>uid</name>
        <source>
          <path>$focus/name</path>
        </source>
        <enabled>true</enabled>
      </outbound>
      <inbound id="88">
        <name>uid</name>
        <target>
          <path>c:name</path>
        </target>
        <enabled>true</enabled>
      </inbound>
    </attribute>
    <association id="8">
      <ref>ri:ldapGroupMember</ref>
      <displayName>LDAP Group Member</displayName>
      <tolerant>true</tolerant>
      <exclusiveStrong>false</exclusiveStrong>
      <kind>entitlement</kind>
      <intent>ldapGroup</intent>
      <direction>objectToSubject</direction>
      <associationAttribute>ri:member</associationAttribute>
      <valueAttribute>ri:dn</valueAttribute>
      <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
    </association>
    <activation>
      <existence>
        <outbound id="32">
          <strength>weak</strength>
          <expression>
            <path>$focusExists</path>
          </expression>
        </outbound>
      </existence>
    </activation>
    <correlation>
      <correlators>
        <items id="41">
          <name>Correlation_LDAP</name>
          <enabled>true</enabled>
          <item id="42">
            <ref>c:name</ref>
          </item>
        </items>
      </correlators>
    </correlation>
    <synchronization>
      <reaction id="46">
        <name>Linked</name>
        <situation>linked</situation>
      </reaction>
      <reaction id="47">
        <name>Unlinked</name>
        <situation>unlinked</situation>
        <actions>
          <link id="50">
            <synchronize>true</synchronize>
            <reconcile>true</reconcile>
          </link>
        </actions>
      </reaction>
      <reaction id="48">
        <name>Deleted</name>
        <situation>deleted</situation>
        <actions>
          <unlink id="51">
            <synchronize>true</synchronize>
            <reconcile>true</reconcile>
          </unlink>
        </actions>
      </reaction>
      <reaction id="49">
        <name>Unmatched</name>
        <situation>unmatched</situation>
        <actions>
          <addFocus id="52">
            <synchronize>true</synchronize>
          </addFocus>
        </actions>
      </reaction>
    </synchronization>
  </objectType>
  <objectType id="9">
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <displayName>LDAP Group</displayName>
    <default>true</default>
    <objectClass>ri:groupOfNames</objectClass>
    <auxiliaryObjectClassMappings>
      <tolerant>true</tolerant>
    </auxiliaryObjectClassMappings>
    <delineation>
      <objectClass>ri:groupOfNames</objectClass>
      <auxiliaryObjectClass>ri:ipaNTGroupAttrs</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
    </delineation>
    <focus>
      <type>c:RoleType</type>
    </focus>
    <attribute id="10">
      <ref>ri:description</ref>
      <tolerant>true</tolerant>
      <exclusiveStrong>false</exclusiveStrong>
      <inbound id="12">
        <authoritative>true</authoritative>
        <exclusive>false</exclusive>
        <strength>normal</strength>
        <target>
          <path>description</path>
        </target>
      </inbound>
    </attribute>
    <attribute id="11">
      <ref>ri:dn</ref>
      <tolerant>true</tolerant>
      <exclusiveStrong>false</exclusiveStrong>
      <inbound id="13">
        <authoritative>true</authoritative>
        <exclusive>false</exclusive>
        <strength>normal</strength>
        <target>
          <path>name</path>
        </target>
      </inbound>
    </attribute>
    <attribute id="24">
      <ref>ri:cn</ref>
      <tolerant>true</tolerant>
      <exclusiveStrong>false</exclusiveStrong>
      <inbound id="25">
        <authoritative>true</authoritative>
        <exclusive>false</exclusive>
        <strength>normal</strength>
        <target>
          <path>displayName</path>
        </target>
      </inbound>
    </attribute>
    <synchronization>
      <reaction id="54">
        <name>Linked</name>
        <situation>linked</situation>
      </reaction>
      <reaction id="55">
        <name>Unlinked</name>
        <situation>unlinked</situation>
        <actions>
          <link id="58">
            <synchronize>true</synchronize>
            <reconcile>true</reconcile>
            <objectTemplateRef oid="5c025649-cd36-4d6f-a825-89737f24212c" relation="org:default" type="c:ObjectTemplateType">
              <!-- LDAP Group Import Template -->
            </objectTemplateRef>
          </link>
        </actions>
      </reaction>
      <reaction id="56">
        <name>Deleted</name>
        <situation>deleted</situation>
        <actions>
          <unlink id="59">
            <synchronize>true</synchronize>
            <reconcile>true</reconcile>
            <objectTemplateRef oid="5c025649-cd36-4d6f-a825-89737f24212c" relation="org:default" type="c:ObjectTemplateType">
              <!-- LDAP Group Import Template -->
            </objectTemplateRef>
          </unlink>
        </actions>
      </reaction>
      <reaction id="57">
        <name>Unmatched</name>
        <situation>unmatched</situation>
        <actions>
          <addFocus id="60">
            <synchronize>true</synchronize>
            <reconcile>true</reconcile>
            <objectTemplateRef oid="5c025649-cd36-4d6f-a825-89737f24212c" relation="org:default" type="c:ObjectTemplateType">
              <!-- LDAP Group Import Template -->
            </objectTemplateRef>
          </addFocus>
        </actions>
      </reaction>
    </synchronization>
  </objectType>
</schemaHandling>
But depending on the user I try to assign a role to (adding an LDAP account to an LDAP group), I get the following error:
com.evolveum.midpoint.util.exception.SecurityViolationException: org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error modifying LDAP entry uid=xxxxx,cn=users,cn=accounts,dc=yyyyyyyy,dc=zzzzzz,dc=net: [add:objectClass=ipaSshUser,]: insufficientAccessRights: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'uid= xxxxx,cn=users,cn=accounts,dc= yyyyyyyy,dc= zzzzzz,dc=net'.? (50))
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil.processConnectorException(ConnIdUtil.java:276)
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil.processConnIdException(ConnIdUtil.java:219)
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.modifyObjectDelta(ConnectorInstanceConnIdImpl.java:999)
at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.modifyObject(ConnectorInstanceConnIdImpl.java:927)
at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.executeModify(ResourceObjectConverter.java:849)
at com.evolveum.midpoint.provisioning.impl.resourceobjects.ResourceObjectConverter.modifyResourceObject(ResourceObjectConverter.java:634)
at com.evolveum.midpoint.provisioning.impl.shadows.ModifyHelper.modifyShadowAttempt(ModifyHelper.java:199)
at com.evolveum.midpoint.provisioning.impl.shadows.ModifyHelper.modifyShadow(ModifyHelper.java:126)
at com.evolveum.midpoint.provisioning.impl.shadows.ShadowsFacade.modifyShadow(ShadowsFacade.java:90)
at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.modifyObject(ProvisioningServiceImpl.java:465)
at com.evolveum.midpoint.model.impl.lens.executor.DeltaExecution.modifyProvisioningObject(DeltaExecution.java:612)
at com.evolveum.midpoint.model.impl.lens.executor.DeltaExecution.executeModification(DeltaExecution.java:557)
at com.evolveum.midpoint.model.impl.lens.executor.DeltaExecution.execute(DeltaExecution.java:169)
at com.evolveum.midpoint.model.impl.lens.executor.ProjectionChangeExecution.execute(ProjectionChangeExecution.java:129)
at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeProjectionsChanges(ChangeExecutor.java:98)
at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeChanges(ChangeExecutor.java:61)
Assigning this Role to the same User worked with midPoint 4.4.3.
Best Regards,
Patrik
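When this happens across many accounts, the useful question is which attributes the connector's bind DN was actually refused on, because that is either the ACI to grant or the delineation entry to drop. The parser below is an added example, not midPoint code; it relies only on the message layout visible in the stack trace above (`PermissionDeniedException(Error modifying LDAP entry <dn>: [<op>:<attr>=<value>,]: <resultName>: <detail> (<code>))`). The log lines are constructed with placeholder DNs, and the second denial (on `loginShell`) is invented to show a non-objectClass case; the multi-modification handling in `parse_mods` is an assumption extrapolated from the trailing comma in the real message.

```python
"""Extract the LDAP operations midPoint's connector was denied from log lines,
so the bind DN can be granted exactly the write rights it lacks (or the
delineation trimmed so it stops trying).

Added example, not midPoint code. The message shape is taken from the stack
trace in the thread; the log lines below are constructed with placeholder DNs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = """\
2022-11-24 16:20:01,123 ERROR (ChangeExecutor): com.evolveum.midpoint.util.exception.SecurityViolationException: org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error modifying LDAP entry uid=jdoe,cn=users,cn=accounts,dc=example,dc=net: [add:objectClass=ipaSshUser,]: insufficientAccessRights: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'uid=jdoe,cn=users,cn=accounts,dc=example,dc=net'. (50))
2022-11-24 16:20:05,456 INFO  (Clockwork): Projection context for uid=jdoe executed
2022-11-24 16:21:17,789 ERROR (ChangeExecutor): com.evolveum.midpoint.util.exception.SecurityViolationException: org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error modifying LDAP entry uid=asmith,cn=users,cn=accounts,dc=example,dc=net: [replace:loginShell=/bin/bash,]: insufficientAccessRights: Insufficient 'write' privilege to the 'loginShell' attribute of entry 'uid=asmith,cn=users,cn=accounts,dc=example,dc=net'. (50))
"""

LINE_RE = re.compile(
    r"PermissionDeniedException\(Error modifying LDAP entry (?P<dn>.+?): "
    r"\[(?P<mods>[^\]]*)\]: (?P<result>\w+): (?P<detail>.*?) \((?P<code>\d+)\)\)"
)
DETAIL_RE = re.compile(r"Insufficient '(?P<priv>\w+)' privilege to the '(?P<attr>\w+)' attribute")


@dataclass(frozen=True)
class Denial:
    dn: str
    mods: tuple[tuple[str, str, str], ...]  # (op, attribute, value)
    result: str
    code: int
    privilege: str | None
    attribute: str | None


def parse_mods(text: str) -> tuple[tuple[str, str, str], ...]:
    """Split 'add:objectClass=ipaSshUser,' into (op, attr, value) triples.

    Only a comma followed by another 'op:' or by the end of the list splits,
    so DN-valued modifications such as add:member=cn=x,ou=y,... stay intact.
    (Assumed format for several modifications; the thread shows one.)
    """
    out = []
    for chunk in re.split(r",(?=\w+:|$)", text):
        if not chunk:
            continue
        op, rest = chunk.split(":", 1)
        attr, _, value = rest.partition("=")
        out.append((op, attr, value))
    return tuple(out)


def parse_denials(log_text: str) -> list[Denial]:
    """One Denial per PermissionDeniedException line; other lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = DETAIL_RE.search(m["detail"])
        denials.append(Denial(
            dn=m["dn"], mods=parse_mods(m["mods"]), result=m["result"],
            code=int(m["code"]),
            privilege=d["priv"] if d else None,
            attribute=d["attr"] if d else None,
        ))
    return denials


def required_rights(denials: list[Denial]) -> set[tuple[str, str]]:
    """(privilege, attribute) pairs the bind DN was refused."""
    return {(d.privilege, d.attribute) for d in denials if d.privilege and d.attribute}


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in found:
        print(d.dn, d.mods, d.result, d.code)
    print("rights the bind DN is missing:", sorted(required_rights(found)))
```

Run it over the midPoint log rather than the GUI error, since the GUI shows one failure at a time; the set it prints is the least-privilege grant to ask the directory administrators for, or, if the class should not be provisioned at all, the line to remove from the delineation.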
From: Pedro Marques <pmbm at fct.unl.pt>
Sent: Thursday, 24 November 2022 17:11
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Cc: Patrik Sidler <patrik.sidler at itconcepts.ch>
Subject: Re: [midPoint] Problem with auxiliaryObjectClass definition in LDAP Connector on midPoint 4.6
Hi,
From my experience, you can use the same config in version 4.6:
<auxiliaryObjectClassMappings>
  <tolerant>true</tolerant>
</auxiliaryObjectClassMappings>
In my case I do it using the "Edit Raw" option on the resource. It seems to have the same behaviour that exists in the previous versions of midPoint. I also haven't found the relation of this option to the GUI wizard.
----
<auxiliaryObjectClassMappings>
  <tolerant>true</tolerant>
</auxiliaryObjectClassMappings>
<delineation>
  <objectClass>ri:inetOrgPerson</objectClass>
  <auxiliaryObjectClass>ri:qmailUser</auxiliaryObjectClass>
</delineation>
----
Hope it helps.
Best regards
Patrik Sidler via midPoint <midpoint at lists.evolveum.com> wrote on Thursday, 24/11/2022 at 14:09:
Hi All,
I am having a problem configuring the auxiliaryObjectClass on my LDAP Connector (version 3.5) running on midPoint 4.6.
The configuration in midPoint 4.4.3 (LDAP Connector) worked perfectly:
<objectClass>ri:inetOrgPerson</objectClass>
<auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:iamUser</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:inetUser</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:krbTicketPolicyAux</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:krbPrincipalAux</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:aspectraUser</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:ipaNTUserAttrs</auxiliaryObjectClass>
<auxiliaryObjectClassMappings>
  <tolerant>true</tolerant>
</auxiliaryObjectClassMappings>
With midPoint 4.6 and LDAP Connector 3.5, the configuration looks as follows:
<objectType id="4">
  <kind>account</kind>
  <intent>ldapAccount</intent>
  <displayName>LDAP Account</displayName>
  <default>true</default>
  <delineation>
    <objectClass>ri:inetOrgPerson</objectClass>
    <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:iamUser</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:inetUser</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:krbTicketPolicyAux</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:krbPrincipalAux</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:aspectraUser</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:ipaNTUserAttrs</auxiliaryObjectClass>
  </delineation>
But I am not able to set the auxiliaryObjectClassMappings to tolerant. I also found no description/example of how to do this with the new wizard thing…
Does anyone have an idea how to solve this problem?
Thank you in advance for your help.
Best regards
Patrik
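The two configurations in this message differ only in layout: in 4.6 `objectClass` and the `auxiliaryObjectClass` list live under `<delineation>`, and, as Pedro's reply confirms, `<auxiliaryObjectClassMappings>` stays a direct child of `<objectType>`. The script below rewrites a 4.4.3-style `<objectType>` into that layout and reports what ended up where, so a migrated resource can be checked for stray classes left at the old level or a missing `tolerant` flag. It is an added example, not midPoint code; it does not validate against the midPoint schema, and it assumes the fragment is pasted without namespace declarations as in the thread (namespaced input is matched by local name, but the namespace is not re-emitted).

```python
"""Move a midPoint 4.4.3-style <objectType> to the 4.6 layout from the thread:
objectClass and auxiliaryObjectClass go under <delineation>, while
<auxiliaryObjectClassMappings> stays a direct child of <objectType>.

Added example, not midPoint code; no schema validation. Assumes the fragment
has no namespace declarations, as pasted in the thread.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# The 4.4.3 configuration from the first message, wrapped in its objectType.
OLD_STYLE = """<objectType id="4">
<kind>account</kind>
<intent>ldapAccount</intent>
<displayName>LDAP Account</displayName>
<default>true</default>
<objectClass>ri:inetOrgPerson</objectClass>
<auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:iamUser</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:inetUser</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:krbTicketPolicyAux</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:krbPrincipalAux</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:aspectraUser</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:ipaNTUserAttrs</auxiliaryObjectClass>
<auxiliaryObjectClassMappings>
<tolerant>true</tolerant>
</auxiliaryObjectClassMappings>
</objectType>"""

MOVABLE = ("objectClass", "auxiliaryObjectClass")


def local(tag: str) -> str:
    """Local name of a possibly namespaced tag ('{ns}kind' -> 'kind')."""
    return tag.rsplit("}", 1)[-1]


def migrate_object_type(xml_text: str) -> str:
    """Return the objectType with class declarations moved into <delineation>."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "objectType":
        raise ValueError("expected an <objectType> element")
    children = list(root)
    movable = [c for c in children if local(c.tag) in MOVABLE]
    if not movable:
        return xml_text  # nothing at objectType level: already 4.6 style
    delineation = next((c for c in children if local(c.tag) == "delineation"), None)
    create = delineation is None
    if create:
        delineation = ET.Element("delineation")
    first_pos = children.index(movable[0])
    for el in movable:
        root.remove(el)
        delineation.append(el)
    if create:
        # Mirror the thread's 4.6 layout: delineation right after the mappings
        # element when there is one, otherwise where objectClass used to be.
        remaining = list(root)
        mappings = next((c for c in remaining
                         if local(c.tag) == "auxiliaryObjectClassMappings"), None)
        root.insert(remaining.index(mappings) + 1 if mappings is not None else first_pos,
                    delineation)
    # objectClass first, auxiliary classes in declared order, duplicates dropped
    # (the group type in the thread lists groupOfNames at both levels).
    seen, ordered = set(), []
    for el in sorted(delineation, key=lambda e: local(e.tag) != "objectClass"):
        key = (local(el.tag), (el.text or "").strip())
        if key not in seen:
            seen.add(key)
            ordered.append(el)
    for el in list(delineation):
        delineation.remove(el)
    delineation.extend(ordered)
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


def summary(xml_text: str) -> dict:
    """What a reviewer checks after migration: classes, tolerant flag, leftovers."""
    root = ET.fromstring(xml_text)
    d = next((c for c in root if local(c.tag) == "delineation"), None)
    inside = list(d) if d is not None else []
    tolerant = None
    for c in root:
        if local(c.tag) == "auxiliaryObjectClassMappings":
            for t in c:
                if local(t.tag) == "tolerant":
                    tolerant = (t.text or "").strip() == "true"
    return {
        "order": [local(c.tag) for c in root],
        "objectClass": [e.text for e in inside if local(e.tag) == "objectClass"],
        "auxiliaryObjectClass": [e.text for e in inside if local(e.tag) == "auxiliaryObjectClass"],
        "tolerant": tolerant,
        "stray": [local(c.tag) for c in root if local(c.tag) in MOVABLE],
    }


if __name__ == "__main__":
    migrated = migrate_object_type(OLD_STYLE)
    print(migrated)
    print(summary(migrated))
```

`summary()` on the migrated text should show nine auxiliary classes under the delineation, `tolerant` set to `True`, and an empty `stray` list; a non-empty `stray` list or `tolerant` of `None` is the state the wizard-generated resource in this message was in.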
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
--
Regards
--
Pedro Marques
Divisão de Infraestruturas Informáticas
Tel: (+351) 21 294 85 96 Ext: 15605
NOVA SCHOOL OF SCIENCE AND TECHNOLOGY | FCT NOVA
Universidade NOVA de Lisboa
Campus de Caparica | 2829-516 Caparica | Portugal
(+351) 21 294 8300
www.fct.unl.pt