[midPoint] Problem with auxiliaryObjectClass definition in LDAP Connector on midPoint 4.6

Pascal PÉRICHON pascal.perichon at u-paris.fr
Mon Nov 28 13:27:36 CET 2022


Hi,

I'm not sure, because it was a long time ago, but (maybe) your problem 
seems to be familiar...

Some accounts of one of my LDAPs were not symmetric, i.e. some LDAP 
accounts didn't use/have all the objectClasses that are listed in your 
midPoint auxiliaryObjectClass.

If the missing objectClass occurs in one LDAP account then midPoint tries 
to access and add the objectClass in the LDAP account schema, even if 
the concerned LDAP attribute of the objectClass is null (not used): 
your error is something like "add:objectClass=ipaSshUser 
insufficientAccessRights: Insufficient 'write' privilege to the 
'objectClass' attribute"...

I solved my problem this way (by taking control of the missing 
attributes/objectClasses; I can access accounts with or without the 
missing objectClass in the LDAP account schema):

<auxiliaryObjectClassMappings>
    <tolerant>true</tolerant>
    <inbound>
        <!--
            Remove "<auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>" from
            your declaration.
            I don't remember exactly, but I think if you use "source" on a missing LDAP
            objectClass it's going to explode.
            Better use Groovy code and basic.getAttributeValues(projection,
            'attributeIn_ipaSshUser_Class'), which sends you null.
            relativityMode helps if the LDAP attribute is multi-valued.
            Be careful: relativityMode always gives you an array, even if single-valued.
        -->
        <!--source>
            <c:path>$c:projection/c:attributes/ipaSshUser</c:path>
        </source-->
        <expression>
            <script>
                <relativityMode>absolute</relativityMode>
                <code>
                    myVar = basic.getAttributeValues(projection, 'attributeIn_ipaSshUser_Class')

                    if (!basic.isEmpty(myVar)) {
                        // bla bla
                        this.binding.variables.each { k, v -> log.info("-------> {} = {}", k, v) }
                    }
                    // if ipaSshUser is not there
                    return null
                </code>
            </script>
        </expression>
        <target>
            <path>$focus/</path>
        </target>
    </inbound>
</auxiliaryObjectClassMappings>

Hope it's your problem :)
Best regards

-------

*Pascal PÉRICHON*
Direction des systèmes d'information et du numérique
Université Paris Cité
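The asymmetry Pascal describes (accounts that lack some of the auxiliary object classes midPoint is configured to expect) is something worth measuring before the mapping is changed. The following is an added example, not code from the thread or from midPoint: it parses a small constructed LDIF export and reports, per account, which configured classes are absent. The class list is a subset of the one quoted in the thread and the entries are invented sample data.

```python
from collections import defaultdict
# Subset of the auxiliaryObjectClass list quoted in the thread.
AUX_CLASSES = ["ipaObject", "ipaSshUser", "posixAccount"]
# Constructed sample export (not real directory data): bob lacks two classes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: ipaObject
objectClass: ipaSshUser
objectClass: posixAccount
uid: alice
ipaSshPubKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEY alice@exam
 ple.org

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: ipaObject
uid: bob
"""

def parse_ldif(text):
    """Minimal LDIF content parser: one {attr: [values]} dict per entry, with
    multi-valued attributes and folded continuation lines (leading space)."""
    entries, current, last = [], None, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None and last:
            current[last][-1] += line[1:]        # unfold continuation line
        elif not line.strip():
            if current is not None:
                entries.append(current)
            current, last = None, None
        else:
            key, _, value = line.partition(":")
            last = key.strip().lower()
            if current is None:
                current = defaultdict(list)
            current[last].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries

def audit(ldif_text, expected=AUX_CLASSES):
    """Map each non-symmetric DN to the configured classes it is missing."""
    report = {}
    for entry in parse_ldif(ldif_text):
        present = {c.lower() for c in entry.get("objectclass", [])}
        missing = [c for c in expected if c.lower() not in present]
        if missing:
            report[entry["dn"][0]] = missing
    return report
```

The DNs in the report are the accounts for which a non-tolerant mapping would attempt to add objectClass values, which is where the insufficientAccessRights error in the thread comes from.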

On 24/11/2022 at 15:08, Patrik Sidler via midPoint wrote:

> Hi All,
>
> I am having a problem configuring the auxiliaryObjectClass on my LDAP 
> Connector (Version 3.5) running on midPoint 4.6.
>
> The configuration on midPoint 4.4.3 (LDAP Connector) worked perfectly:
>
> <objectClass>ri:inetOrgPerson</objectClass>
> <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:iamUser</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:inetUser</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:krbTicketPolicyAux</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:krbPrincipalAux</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:aspectraUser</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
> <auxiliaryObjectClass>ri:ipaNTUserAttrs</auxiliaryObjectClass>
> <auxiliaryObjectClassMappings>
>     <tolerant>true</tolerant>
> </auxiliaryObjectClassMappings>
>
> With midPoint 4.6 and LDAP Connector 3.5, the configuration looks as 
> follows:
>
> <objectType id="4">
>     <kind>account</kind>
>     <intent>ldapAccount</intent>
>     <displayName>LDAP Account</displayName>
>     <default>true</default>
>     <delineation>
>         <objectClass>ri:inetOrgPerson</objectClass>
>         <auxiliaryObjectClass>ri:ipaObject</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:iamUser</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:inetUser</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:ipaSshUser</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:krbTicketPolicyAux</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:krbPrincipalAux</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:aspectraUser</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:ipaNTUserAttrs</auxiliaryObjectClass>
>     </delineation>
>
> But I am not able to set the auxiliaryObjectClassMappings to tolerant. 
> I also found no description/example to do this with the new Wizard thing…
>
> Does anyone have an idea how to solve this problem?
>
> Thank you in advance for your help.
>
> Best regards
>
> Patrik
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint