<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>Hi Oliver,</p>
<p>I understand, and I was trying to do the same thing when I had a
similar issue. Not having those posix objectclasses in the schema
of my resource configuration made it attempt to remove those
attributes even though I had no outbound mappings and had create,
update, and delete disabled. Might be worth sharing your resource
config if you have a sanitized version.</p>
<p>Ethan<br>
</p>
<div class="moz-cite-prefix">On 9/11/20 2:05 PM, Oliver Schonefeld
via midPoint wrote:<br>
</div>
<blockquote type="cite" cite="mid:7b523fd0-0864-637b-579d-6d0f3e88a548@ids-mannheim.de">
<pre class="moz-quote-pre" wrap="">Hi Ethan,
On 11.09.2020 at 15:56, Ethan Kromhout via midPoint wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">I think I remember something like this from a similar configuration I
was working on recently. The attributes appear to be posix related, in
schema you import from OpenLDAP, are you getting posixGroup and
posixAccount attributes?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
It's a custom schema based on inetOrgPerson with mixed in posix related
attributes and other attributes, as well as custom-defined attributes.
But I just want to pull some data from the LDAP server and don't care
about most of the attributes.
I'd like to tell midpoint, to just read some stuff but don't care
otherwise about the data in the directory.
Best
Oliver
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 9/11/20 8:10 AM, Oliver Schonefeld via midPoint wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hello,
I'm new to midpoint and am still learning, so please bear with me.
For my evaluation of midpoint, I started to set up a fresh copy of
Midpoint 4.1 with Postgres.
I've managed to connect to our HR system by using a CSV resource, and
data is imported and synchronized as expected.
Now, for migration purposes, I'd like to import some information from a
legacy (Open)LDAP server. I'm only interested in enriching my accounts in
midpoint with a few attributes from LDAP (e.g. mail and uid). However I
don't want midpoint to push any changes to the legacy LDAP server;
midpoint should only read the attributes I'm interested in and update
the accounts in midpoint.
I've set up an LDAP resource and I am able to connect to the LDAP server.
The account I use to connect to the LDAP server has no write
permissions, so I went ahead and overrode the capabilities of the
resource using:
&lt;capabilities&gt;
  &lt;configured&gt;
    &lt;cap:create&gt;
      &lt;cap:enabled&gt;false&lt;/cap:enabled&gt;
    &lt;/cap:create&gt;
    &lt;cap:update&gt;
      &lt;cap:enabled&gt;false&lt;/cap:enabled&gt;
    &lt;/cap:update&gt;
    &lt;cap:delete&gt;
      &lt;cap:enabled&gt;false&lt;/cap:enabled&gt;
    &lt;/cap:delete&gt;
  &lt;/configured&gt;
&lt;/capabilities&gt;
Now, when I try to import data from the LDAP server to midpoint, I get
the following error:
Operation not supported for
shadow:e7a471e5-531e-479b-8257-14112ab83b20($REDACTED$) in
resource:873f6012-bac3-4b2c-9d2d-bb886b9c2213(Legacy IDS-LDAP) as
UpdateCapabilityType is missing
When I remove the capability override, midpoint throws the following
exception:
org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error
modifying LDAP entry $REDACTED$:
[remove:idsWiki=TRUE,remove:idsMailRoutingAddress=$REDACTED$@mailbox.ids-mannheim.de,remove:idsPosix=TRUE,remove:idsMail=TRUE,remove:idsDisplayPub=TRUE,remove:idsVpn=TRUE,remove:objectClass=idsServices,remove:vacationStart=binary
value 10
bytes,remove:gidNumber=50,remove:idsDisplayWeb=TRUE,remove:vacationEnd=binary
value 10
bytes,remove:loginShell=/sbin/nologin,remove:vacationInfo=binary value
533
bytes,remove:homeDirectory=$REDACTED$,remove:vacationActive=FALSE,remove:uidNumber=$REDACTED$,remove:idsAD=TRUE,]:
insufficientAccessRights: (50))
My synchronization reactions are configured as follows:
&lt;reaction&gt;
  &lt;situation&gt;linked&lt;/situation&gt;
  &lt;synchronize&gt;true&lt;/synchronize&gt;
&lt;/reaction&gt;
&lt;reaction&gt;
  &lt;situation&gt;unlinked&lt;/situation&gt;
  &lt;action&gt;
    &lt;handlerUri&gt;<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link">http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</a>&lt;/handlerUri&gt;
  &lt;/action&gt;
&lt;/reaction&gt;
&lt;!--
&lt;reaction&gt;
  &lt;situation&gt;unmatched&lt;/situation&gt;
  &lt;action&gt;
    &lt;handlerUri&gt;<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus">http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</a>&lt;/handlerUri&gt;
  &lt;/action&gt;
&lt;/reaction&gt;
--&gt;
&lt;reaction&gt;
  &lt;situation&gt;deleted&lt;/situation&gt;
  &lt;action&gt;
    &lt;handlerUri&gt;<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteShadow">http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteShadow</a>&lt;/handlerUri&gt;
  &lt;/action&gt;
&lt;/reaction&gt;
I have only inbound mapping definitions for the attributes I am
interested in. There are no outbound definitions.
So midpoint tries to synchronize the information and remove some
attributes on the objects in the LDAP server. However, I only want to
pull some information from the LDAP server and never write to it.
What am I missing or doing wrong?
Thank you and best regards,
Oliver
_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
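<p>Editor's note: the thread turns on two things a read-only LDAP resource must get right before midPoint is pointed at a directory with a bind account that cannot write: the create/update/delete capabilities have to be explicitly overridden to disabled, and schemaHandling must carry inbound mappings only. The script below is an added example, not code from the thread or from the midPoint project; it lints a resource definition for exactly those two properties. It assumes the element layout of midPoint's common-3 resource schema (the same layout Oliver's snippet uses), and the two sample resources embedded in it are constructed for this example. Note the caveat the thread itself documents: Oliver's resource would pass this lint and midPoint still computed a modification ("UpdateCapabilityType is missing"), which Ethan attributes to object classes missing from the resource schema; a static check like this cannot catch that.</p>

```python
"""Lint a midPoint resource definition for a read-only posture.

Added example: checks that a resource pointed at a directory we must never
write to (a) explicitly disables the create/update/delete capabilities and
(b) carries no outbound mappings. Element layout is assumed from midPoint's
common-3 schema; the sample resources below are constructed for this example.
"""
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
CAP = "http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
RI = "http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
NS = {"c": C, "cap": CAP}
WRITE_CAPS = ("create", "update", "delete")


def capability_state(root, name):
    """True/False if capabilities/configured overrides <name>, None if it does not."""
    el = root.find(f"c:capabilities/c:configured/cap:{name}/cap:enabled", NS)
    if el is None or el.text is None:
        return None
    return el.text.strip().lower() == "true"


def outbound_attributes(root):
    """Attribute refs under schemaHandling that carry an <outbound> mapping."""
    refs = []
    for attr in root.iterfind("c:schemaHandling/c:objectType/c:attribute", NS):
        if attr.find("c:outbound", NS) is not None:
            ref = attr.find("c:ref", NS)
            refs.append(ref.text.strip() if ref is not None and ref.text else "<no ref>")
    return refs


def lint_read_only(xml_text):
    """Return findings as strings; an empty list means the resource looks read-only."""
    root = ET.fromstring(xml_text)
    findings = []
    for cap in WRITE_CAPS:
        state = capability_state(root, cap)
        if state is None:
            # No override: whatever the connector advertises natively applies.
            findings.append(f"capability {cap} not overridden, connector-native value applies")
        elif state:
            findings.append(f"capability {cap} explicitly enabled")
    for ref in outbound_attributes(root):
        findings.append(f"outbound mapping on {ref}")
    return findings


# Constructed sample: write capabilities disabled, inbound-only mapping.
READ_ONLY_RESOURCE = f"""<resource xmlns="{C}" xmlns:cap="{CAP}" xmlns:ri="{RI}">
  <name>Legacy LDAP (read-only)</name>
  <capabilities>
    <configured>
      <cap:create><cap:enabled>false</cap:enabled></cap:create>
      <cap:update><cap:enabled>false</cap:enabled></cap:update>
      <cap:delete><cap:enabled>false</cap:enabled></cap:delete>
    </configured>
  </capabilities>
  <schemaHandling>
    <objectType>
      <attribute>
        <ref>ri:mail</ref>
        <inbound><target><path>emailAddress</path></target></inbound>
      </attribute>
    </objectType>
  </schemaHandling>
</resource>"""

# Constructed sample: no capability override and one outbound mapping.
WRITABLE_RESOURCE = f"""<resource xmlns="{C}" xmlns:cap="{CAP}" xmlns:ri="{RI}">
  <name>Legacy LDAP (leaky)</name>
  <schemaHandling>
    <objectType>
      <attribute>
        <ref>ri:uid</ref>
        <inbound><target><path>name</path></target></inbound>
        <outbound><source><path>name</path></source></outbound>
      </attribute>
    </objectType>
  </schemaHandling>
</resource>"""

if __name__ == "__main__":
    for label, xml in (("read-only", READ_ONLY_RESOURCE), ("leaky", WRITABLE_RESOURCE)):
        print(label, lint_read_only(xml) or ["OK"])
```

<p>Run it against the resource XML exported from midPoint before the first import task. A clean result confirms only the declared posture of the resource; keep the bind account itself without write rights on the directory, as Oliver did, so that any modification midPoint does compute fails at the server with insufficientAccessRights instead of silently changing the legacy data.</p>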
</body>
</html>