[midPoint] Reading attributes without appropriate object class
Orlandis Brown
brownolb1 at gmail.com
Tue Jan 13 22:25:05 CET 2026
I found the solution here: https://docs.evolveum.com/connectors/resources/active-directory/active-directory-ldap/
"Objects can easily have attributes that are not defined in any object
classes that they have. E.g., a normal user (the user object class) may
have an info attribute. If such extra attributes are used in your AD
instance, then the best way is to configure them as operational attributes
in the connector configuration and define them explicitly in the Resource
Schema Handling (see MID-3379)."
I'm not sure what exactly is meant by "define them explicitly in the
Resource Schema Handling", but that step was not needed in my case.
On Mon, Jan 12, 2026 at 3:06 PM Orlandis Brown <brownolb1 at gmail.com> wrote:
> Our AD team populates eduPerson attributes for accounts, but apparently
> does not provision them with the eduPerson object class. In order to read
> from the eduPerson schema in midPoint, eduPerson needs to be an auxiliary
> object class of the account object type. During synchronization, midPoint
> attempts to modify the AD account with eduPerson object class. I would like
> to override this behavior somehow, since the LDAP account used to bind does
> not have permission to modify the object class.
>
> How can I read eduPerson schema attributes without modifying the object
> class of the source account?
>
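As an added illustration (not the poster's configuration and not code from Evolveum's documentation), here is how the two pieces named in the quoted passage fit together in a midPoint resource definition: the eduPerson attributes that AD populates without the auxiliary object class are listed as `operationalAttributes` in the AD LDAP connector configuration, and the account object type reads them through an inbound mapping without declaring `eduPerson` as an auxiliary object class, so synchronization never attempts the object-class modification that the bind account is (rightly) not permitted to make. The connector configuration namespace, the host and bind DN, the chosen eduPerson attribute names and the `$focus/extension/...` target path are assumptions; check the property name and namespace against the connector object in your own midPoint instance.

```xml
<!-- Added illustration: fragment of a midPoint resource, not an actual deployed configuration. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Active Directory (read eduPerson attributes without auxiliary class)</name>
    <connectorConfiguration>
        <!-- The cfg namespace is assumed; copy the exact bundle/class URI from your connector object. -->
        <icfc:configurationProperties
            xmlns:cfg="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector">
            <cfg:host>ad.example.org</cfg:host>
            <!-- Read-only service account: it has no right to change objectClass, and with this
                 configuration midPoint no longer needs one. Password, baseContext and the other
                 connection properties are omitted here. -->
            <cfg:bindDn>CN=midpoint-reader,OU=Service Accounts,DC=example,DC=org</cfg:bindDn>
            <!-- Attributes present on user objects that lack the eduPerson auxiliary class.
                 Declaring them as operational makes the connector expose them on every
                 object class, so they can be read without adding the class to the account. -->
            <cfg:operationalAttributes>eduPersonPrincipalName</cfg:operationalAttributes>
            <cfg:operationalAttributes>eduPersonAffiliation</cfg:operationalAttributes>
        </icfc:configurationProperties>
    </connectorConfiguration>
    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <default>true</default>
            <!-- Deliberately no <auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass>:
                 declaring it is what made midPoint try to add the class during sync. -->
            <objectClass>ri:user</objectClass>
            <!-- "Define them explicitly in the Resource Schema Handling": a read-only
                 attribute definition with an inbound mapping into the user's extension
                 (the extension property itself is assumed to exist in your schema). -->
            <attribute>
                <ref>ri:eduPersonPrincipalName</ref>
                <limitations>
                    <access><read>true</read><add>false</add><modify>false</modify></access>
                </limitations>
                <inbound>
                    <target><path>$focus/extension/eduPersonPrincipalName</path></target>
                </inbound>
            </attribute>
        </objectType>
    </schemaHandling>
</resource>
```

The `limitations` block is belt-and-braces: it documents in the resource itself that midPoint only ever reads these attributes, so a later mapping change cannot silently turn them into outbound writes that the bind account would fail.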