<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Hello.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">I actually tried disabling the capabilities earlier today, but received a different kind of error then:</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">"Internal error: java.lang.UnsupportedOperationException: Resource does not support 'update' operation"</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Regards,</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Teemu</div><div 
id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><p class="airmail_on">On 3 October 2016 at 17:48:19, Ivan Noris (<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.com</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div bgcolor="#FFFFFF" text="#000000"><div></div><div>





<p>Sorry, typo; the capability for delete should also be false:</p>
<pre wrap="">...

 </schemaHandling>

                <capabilities
xmlns:cap=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">"http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"</a>>
                        <configured>
                                <cap:create>
                                        <cap:enabled><b>false</b></cap:enabled>
                                </cap:create>
                                <cap:update>
                                        <cap:enabled><b>false</b></cap:enabled>
                                </cap:update>
                                <cap:delete>
                                        <cap:enabled><b>false</b></cap:enabled>
                                </cap:delete>
                        </configured>
                </capabilities>
        <synchronization>
...</pre>
<br>
<div class="moz-cite-prefix">On 10/03/2016 04:43 PM, Ivan Noris
wrote:<br></div>
<blockquote cite="mid:93785cfd-27b5-0422-65aa-e807b4857c46@evolveum.com" type="cite">
<pre wrap="">Hi Teemu,

as a workaround, can you try running import/recon with disabled
capabilities for create, update and delete?

...

 </schemaHandling>

                <capabilities
xmlns:cap=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">"http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"</a>>
                        <configured>
                                <cap:create>
                                        <cap:enabled>false</cap:enabled>
                                </cap:create>
                                <cap:update>
                                        <cap:enabled>false</cap:enabled>
                                </cap:update>
                                <cap:delete>
                                        <cap:enabled>delete</cap:enabled>
                                </cap:delete>
                        </configured>
                </capabilities>
        <synchronization>
...

It should not be able to modify anything back on the resource.

We are still evaluating the situation anyway. Might be a bug in midPoint.

Regards,

Ivan


On 10/03/2016 04:12 PM, Teemu Turpeinen wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi Ivan

Only inbound mappings have been defined.



Regards,

Teemu

</pre>
<blockquote type="cite">
<pre wrap="">On 03 Oct 2016, at 17:04, Ivan Noris <a class="moz-txt-link-rfc2396E" href="mailto:ivan.noris@evolveum.com"><ivan.noris@evolveum.com></a> wrote:

Hi Teemu,

just a quick idea: do you have any outbound mappings?

Ivan


On 10/03/2016 03:17 PM, Teemu Turpeinen wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello all

I’ve been trying to configure one way sync (inbound mappings only) of users and groups from FreeIPA (uses DS 389 as a backend) and the import seems to work, but, after importing an entry to midPoint repository, the sync engine wants to run reconciliation, which tries to pretty much delete all objectClasses and attributes from the entry in LDAP (except for inetOrgPerson, which is the mapped class).

Below are some of the trace-level log entries

2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Starting reconciliation of account(ID {.../resource/instance-3}nsUniqueId = [ c997d202-816c11e6-96aaa51d-384fb703 ], type 'FreeIPAAccount', object:8f2420b3-31da-4711-ad66-13de48c6d212(FreeIPA LDAP))
2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Auxiliary object class reconciliation processing account(ID {.../resource/instance-3}nsUniqueId = [ c997d202-816c11e6-96aaa51d-384fb703 ], type 'FreeIPAAccount', object:8f2420b3-31da-4711-ad66-13de48c6d212(FreeIPA LDAP))
2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Reconciliation will DELETE value of attribute {.../common/common-3}auxiliaryObjectClass: {<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>}ipaObject because it is not given
2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Checking existence for DELETE of value {<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>}ipaObject in existing detla: null
2016-10-03 12:40:13,987 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Reconciliation will DELETE value of attribute {.../common/common-3}auxiliaryObjectClass: {<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>}ipaSshUser because it is not given



2016-10-03 12:40:13,988 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Removing attribute {<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>}ipaSshPubKey because it is in the deleted object class {<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>}ipaSshUser and it is not defined by any current object class for account(ID {.../resource/instance-3}nsUniqueId = [ c997d202-816c11e6-96aaa51d-384fb703 ], type 'FreeIPAAccount', object:8f2420b3-31da-4711-ad66-13de48c6d212(FreeIPA LDAP))
2016-10-03 12:40:13,988 [] [http-nio-127.0.0.1-8081-exec-10] TRACE (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Removing attribute {<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>}krbLastSuccessfulAuth because it is in the deleted object class {<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>}krbPrincipalAux and it is not defined by any current object class for account(ID {.../resource/instance-3}nsUniqueId = [ c997d202-816c11e6-96aaa51d-384fb703 ], type 'FreeIPAAccount', object:8f2420b3-31da-4711-ad66-13de48c6d212(FreeIPA LDAP))

...

How should one import just certain attributes from LDAP without midPoint trying to write anything back? The entries in LDAP may have a lot of objectClasses (a user normally has 14) and attributes, but only a subset of attributes will be imported, which are all from a single objectClass. For now.

midPoint version is 3.4.1.



Regards,


Teemu

_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre></blockquote>
<pre wrap="">--  
Ivan Noris
Senior Identity Engineer
evolveum.com

</pre></blockquote>
</blockquote>
<pre wrap=""></pre></blockquote>
<br>
<pre class="moz-signature" cols="72">--  
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>


</div></div></span></blockquote></body></html>
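A pre-flight check for the workaround discussed in this thread, as an added example that is not part of the original messages or of midPoint: it parses a resource definition and reports whether create, update and delete are each explicitly disabled under `configured`, flagging a non-boolean value such as the `delete` typo in the first fragment. The function names, the `resource` wrapper element and the sample XML are constructed for illustration, and treating `cap:enabled` as an xsd:boolean is an assumption.

```python
import xml.etree.ElementTree as ET

# Namespace taken from the capabilities fragment quoted in the thread.
CAP_NS = "http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
WRITE_OPS = ("create", "update", "delete")
XSD_FALSE = {"false", "0"}   # lexical forms of xsd:boolean false (assumed type)
XSD_TRUE = {"true", "1"}     # lexical forms of xsd:boolean true


def write_capability_status(resource_xml):
    """Map each write operation to 'disabled', 'not-disabled' or 'invalid:<text>'."""
    root = ET.fromstring(resource_xml)
    # <configured> is matched by local name so any default namespace works.
    configured = next(
        (e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "configured"), None)
    status = {}
    for op in WRITE_OPS:
        enabled = None
        if configured is not None:
            enabled = configured.find(f"{{{CAP_NS}}}{op}/{{{CAP_NS}}}enabled")
        if enabled is None:
            status[op] = "not-disabled"      # no explicit setting found
        else:
            text = (enabled.text or "").strip()
            if text in XSD_FALSE:
                status[op] = "disabled"
            elif text in XSD_TRUE:
                status[op] = "not-disabled"
            else:
                status[op] = f"invalid:{text}"   # e.g. the 'delete' typo
    return status


def is_read_only(resource_xml):
    """True only when create, update and delete are all explicitly disabled."""
    return all(s == "disabled" for s in write_capability_status(resource_xml).values())


# Constructed sample: the thread's first fragment inside a hypothetical <resource> wrapper.
TYPO = f"""<resource><capabilities xmlns:cap="{CAP_NS}"><configured>
  <cap:create><cap:enabled>false</cap:enabled></cap:create>
  <cap:update><cap:enabled>false</cap:enabled></cap:update>
  <cap:delete><cap:enabled>delete</cap:enabled></cap:delete>
</configured></capabilities></resource>"""
FIXED = TYPO.replace("<cap:enabled>delete<", "<cap:enabled>false<")

if __name__ == "__main__":
    for name, xml in (("first fragment", TYPO), ("corrected fragment", FIXED)):
        print(name, write_capability_status(xml), "read-only:", is_read_only(xml))
```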