[midPoint] Issue with userPassword Schema Discovery and Synchronization from OpenDJ to midPoint
Zehra Kezer
zehra.kezer at kartaca.com
Wed Feb 11 06:20:53 CET 2026
Dear midPoint Team / Support,
I am experiencing an issue where the userPassword attribute is not being
discovered or synchronized from an OpenDJ resource to midPoint, even though
the attribute is accessible via direct LDAP queries.
Environment:
Resource: OpenDJ
Connector: Polygon LDAP Connector (latest-alpine image)
midPoint Version: 4.9
Problem Summary: The userPassword attribute is missing from the midPoint
Resource Schema. More importantly, even after adding the correct
<credentials> inbound mapping to my Resource XML, the password status on
the midPoint user profile remains "Not Set" after reconciliation/import.
What I have verified so far:
LDAP Permission: The Bind DN used by midPoint successfully retrieves the
hashed password via terminal. I’ve verified this from within the midPoint
container:
    ldapsearch -x -H ldap://<IP> -D "<BindDN>" -w <Pass> -b "ou=people,o=kartaca" "(uid=user)" userPassword
-> Returns valid data.
Connector Settings: I have configured operationalAttributes to include
userPassword and set passwordAttribute to userPassword.
Inbound Mapping: I have added the following configuration to my objectType:
    <credentials>
        <password>
            <inbound>
                <expression>
                    <asIs/>
                </expression>
            </inbound>
        </password>
    </credentials>
The Issue:
Despite the configuration above, absolutely nothing happens. The "Password"
tab on the User page shows no value, and there is no indication that
midPoint is even attempting to pull the password data. When checking the
Schema tab of the resource, userPassword is not listed under any object
class.
If I try to define it as a standard attribute, I get a
ConfigurationException stating the definition is not found in inetOrgPerson.
Question:
What could prevent midPoint from seeing this attribute and processing the
<credentials> mapping even when the underlying LDAP connection clearly has
access to the data? Are there specific "Shadow" or "Capabilities" settings
required to force midPoint to recognize the password attribute in OpenDJ?
Thank you for your help.
Best regards,
Zehra Kezer