<div dir="ltr">Hi,<div><br></div><div>Try to put a limitation to use it as a single value:</div><div><div>
<attribute id="141"><br> <c:ref>ri:sshPublicKey</c:ref><br></div><div> <limitations></div><div> <minOccurs>0</minOccurs></div><div> <maxOccurs>1</maxOccurs></div><div> <access></div><div> <read>true</read></div><div> <add>true</add></div><div> <modify>true</modify></div><div> </access></div><div> </limitations></div><div>....</div><div><br></div><div>Best regards,</div><div><br></div><div>Gustav</div><br><div class="gmail_quote"><div dir="ltr">On Wed, 25 Jul 2018 at 10:48, Oleksandr Nekriach <<a href="mailto:o.nekriach@dynatech.lv">o.nekriach@dynatech.lv</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi to all,<br>I have faced a problem of unexpected behavior of Midpoint IDM (3.7) during user recalculations.<br>I have extended IDM and LDAP with the sshPublicKey attribute (xsd:base64Binary in IDM and Octet String in LDAP) and created a mapping of the attribute in the LDAP resource as is.<br>I have to remove the attribute value in LDAP when it is removed in IDM. For this task, I have added the tolerant=false option to the attribute mapping in the LDAP resource.<br>It works in a wrong way. 
When I have a non-empty sshPublicKey in IDM, it is provisioned in LDAP correctly. It is OK. But when I run user recalculation, it removes the sshPublicKey attribute value in LDAP. When I run recalculation the second time, it re-provisions the sshPublicKey attribute value in LDAP again.<br>And it can be infinite. Every time recalculation runs, it removes and restores the attribute value periodically.<br>Please help me to understand what I did wrong in the configuration, or confirm that it is a bug in Midpoint.<br><div><br></div><div>See the configuration details below<br></div><div><br></div><div>Attribute in LDAP schema<br></div><div><br></div><div>olcAttributeTypes: {17}( 1.3.6.1.4.1.45689.1.1.1.2.18 NAME 'sshPublicKey' DESC 'SSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )<br></div><div><br></div><div>Attribute in LDAP connector schema<br></div><div><br></div><div> <xsd:element minOccurs="0" name="sshPublicKey" type="xsd:base64Binary"><br> <xsd:annotation><br> <xsd:appinfo><br> <a:displayOrder>290</a:displayOrder><br> <ra:nativeAttributeName>sshPublicKey</ra:nativeAttributeName><br> <ra:frameworkAttributeName>sshPublicKey</ra:frameworkAttributeName><br> </xsd:appinfo><br> </xsd:annotation><br> </xsd:element></div><div><br></div><div>Attribute in IDM schema<br></div><div><br></div><div> <xsd:element name="sshPublicKey" type="xsd:base64Binary" minOccurs="0" maxOccurs="1"><br> <xsd:annotation><br> <xsd:appinfo><br> <a:displayName>sshPublicKey</a:displayName><br> <a:indexed>false</a:indexed><br> </xsd:appinfo><br> </xsd:annotation><br> </xsd:element><br></div><div><br></div><div>Attribute mapping in LDAP connector</div><div><br></div><div> <attribute id="141"><br> <c:ref>ri:sshPublicKey</c:ref><br> <displayName>sshPublicKey</displayName><br> <tolerant>false</tolerant><br> <fetchStrategy>explicit</fetchStrategy><br> <outbound><br> <strength>strong</strength><br> <source><br> <c:path>$user/extension/sshPublicKey</c:path><br> </source><br> 
 </outbound><br> </attribute><br></div><div><br></div>-- <br><div class="gmail-m_-7492617122192416046gmail_signature"><div dir="ltr"><span style="color:rgb(76,76,76)">Best regards, <br><br>Oleksandr Nekriach | Identity and access management engineer <br><br>Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia</span></div></div>
</div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div>Gustáv Pálos</div><div>Identity Engineer</div><a href="http://evolveum.com/" rel="noreferrer" style="color:rgb(17,85,204);font-size:12.8px" target="_blank">evolveum.com</a><br></div></blockquote></div></div></div>