<html><head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

  </head>

  <body>

    <p>Hi Oliver,</p>

    <p>I think I remember something like this from a similar

      configuration I was working on recently. The attributes appear to

      be posix related, in schema you import from OpenLDAP, are you

      getting posixGroup and posixAccount attributes?</p>

    <p>Ethan<br>

    </p>

    <div class="moz-cite-prefix">On 9/11/20 8:10 AM, Oliver Schonefeld

      via midPoint wrote:<br>

    </div>

    <blockquote type="cite" cite="mid:4b91d7e1-50b3-0352-64f9-eb58573bf025@ids-mannheim.de">

      <pre class="moz-quote-pre" wrap="">Hello,

I'm new to midpoint and am still learning, so please bear with me.

For my evaluation of midpoint, I started to setup a fresh copy of

Midpoint 4.1 with Postgres.

I've manged to connect to our HR system by using an CSV resource and

data is imported and synchronized as expected.

Now, for migration purposes, I'd like to import some information from a

legacy (Open)LDAP server. I'm only interested to enrich my accounts in

midpoint with a few attributes from LDAP (e.g. mail and uid). However I

don't want midpoint to push any changes to the legacy LDAP server;

midpoint should only read the attributes I'm interested in and update

the accounts in midpoint.

I've setup a LDAP resource and I am able to connect to the LDAP server.

The Account, I use to connect to the LDAP server, has no write

permissions, so I went ahead and overrode the capabilities of the

resource using:

  <capabilities>

        <configured>

            <cap:create>

                <cap:enabled>false</cap:enabled>

            </cap:create>

            <cap:update>

                <cap:enabled>false</cap:enabled>

            </cap:update>

            <cap:delete>

                <cap:enabled>false</cap:enabled>

            </cap:delete>

        </configured>

    </capabilities>

Now, when I try to import data from the LDAP server to midpoint, I get

the following error:

  Operation not supported for

shadow:e7a471e5-531e-479b-8257-14112ab83b20($REDACTED$) in

<a class="moz-txt-link-freetext" href="resource:873f6012-bac3-4b2c-9d2d-bb886b9c2213(Legacy">resource:873f6012-bac3-4b2c-9d2d-bb886b9c2213(Legacy</a> IDS-LDAP) as

UpdateCapabilityType is missing

When I remove the capability override, midpoint throws the following

exception:

org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error

modifying LDAP entry $REDACTED$:

[remove:idsWiki=TRUE,<a class="moz-txt-link-abbreviated" href="mailto:remove:idsMailRoutingAddress=$REDACTED$@mailbox.ids-mannheim.de,remove:idsPosix=TRUE,remove:idsMail=TRUE,remove:idsDisplayPub=TRUE,remove:idsVpn=TRUE,remove:objectClass=idsServices,remove:vacationStart=binary">remove:idsMailRoutingAddress=$REDACTED$@mailbox.ids-mannheim.de,remove:idsPosix=TRUE,remove:idsMail=TRUE,remove:idsDisplayPub=TRUE,remove:idsVpn=TRUE,remove:objectClass=idsServices,remove:vacationStart=binary</a>

value 10

bytes,remove:gidNumber=50,remove:idsDisplayWeb=TRUE,remove:vacationEnd=binary

value 10

bytes,remove:loginShell=/sbin/nologin,remove:vacationInfo=binary value

533

bytes,remove:homeDirectory=$REDACTED$,remove:vacationActive=FALSE,remove:uidNumber=$REDACTED$,remove:idsAD=TRUE,]:

insufficientAccessRights: (50))

My synchronization reactions are configured as follows:

            <reaction>

                <situation>linked</situation>

                <synchronize>true</synchronize>

            </reaction>

            <reaction>

                <situation>unlinked</situation>

                <action>

<handlerUri><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link">http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</a></handlerUri>

                </action>

            </reaction>

            <!--

            <reaction>

                <situation>unmatched</situation>

                <action>

<handlerUri><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus">http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</a></handlerUri>

                </action>

            </reaction>

            -->

            <reaction>

                <situation>deleted</situation>

                <action>

<handlerUri><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteShadow">http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteShadow</a></handlerUri>

                </action>

            </reaction>

I have only inbound mapping definitions for the attributes I am

interested in. There are no outbound definitions.

So midpoint tries to synchronize the information and remove some

attributes on the objects in the LDAP server. However, I only want to

pull some information from the LDAP server and never write to it.

What am I missing or doing wrong?

Thank you and best regards,

  Oliver

</pre>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <pre class="moz-quote-pre" wrap="">_______________________________________________

midPoint mailing list

<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>

<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>

</pre>

    </blockquote>

  </body>

</html>