<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>Hi Oliver,</p>
<p>I think I remember something like this from a similar
configuration I was working on recently. The attributes appear to
be posix related, in schema you import from OpenLDAP, are you
getting posixGroup and posixAccount attributes?</p>
<p>Ethan<br>
</p>
<div class="moz-cite-prefix">On 9/11/20 8:10 AM, Oliver Schonefeld
via midPoint wrote:<br>
</div>
<blockquote type="cite" cite="mid:4b91d7e1-50b3-0352-64f9-eb58573bf025@ids-mannheim.de">
<pre class="moz-quote-pre" wrap="">Hello,
I'm new to midpoint and am still learning, so please bear with me.
For my evaluation of midpoint, I started to setup a fresh copy of
Midpoint 4.1 with Postgres.
I've manged to connect to our HR system by using an CSV resource and
data is imported and synchronized as expected.
Now, for migration purposes, I'd like to import some information from a
legacy (Open)LDAP server. I'm only interested to enrich my accounts in
midpoint with a few attributes from LDAP (e.g. mail and uid). However I
don't want midpoint to push any changes to the legacy LDAP server;
midpoint should only read the attributes I'm interested in and update
the accounts in midpoint.
I've setup a LDAP resource and I am able to connect to the LDAP server.
The Account, I use to connect to the LDAP server, has no write
permissions, so I went ahead and overrode the capabilities of the
resource using:
<capabilities>
<configured>
<cap:create>
<cap:enabled>false</cap:enabled>
</cap:create>
<cap:update>
<cap:enabled>false</cap:enabled>
</cap:update>
<cap:delete>
<cap:enabled>false</cap:enabled>
</cap:delete>
</configured>
</capabilities>
Now, when I try to import data from the LDAP server to midpoint, I get
the following error:
Operation not supported for
shadow:e7a471e5-531e-479b-8257-14112ab83b20($REDACTED$) in
<a class="moz-txt-link-freetext" href="resource:873f6012-bac3-4b2c-9d2d-bb886b9c2213(Legacy">resource:873f6012-bac3-4b2c-9d2d-bb886b9c2213(Legacy</a> IDS-LDAP) as
UpdateCapabilityType is missing
When I remove the capability override, midpoint throws the following
exception:
org.identityconnectors.framework.common.exceptions.PermissionDeniedException(Error
modifying LDAP entry $REDACTED$:
[remove:idsWiki=TRUE,<a class="moz-txt-link-abbreviated" href="mailto:remove:idsMailRoutingAddress=$REDACTED$@mailbox.ids-mannheim.de,remove:idsPosix=TRUE,remove:idsMail=TRUE,remove:idsDisplayPub=TRUE,remove:idsVpn=TRUE,remove:objectClass=idsServices,remove:vacationStart=binary">remove:idsMailRoutingAddress=$REDACTED$@mailbox.ids-mannheim.de,remove:idsPosix=TRUE,remove:idsMail=TRUE,remove:idsDisplayPub=TRUE,remove:idsVpn=TRUE,remove:objectClass=idsServices,remove:vacationStart=binary</a>
value 10
bytes,remove:gidNumber=50,remove:idsDisplayWeb=TRUE,remove:vacationEnd=binary
value 10
bytes,remove:loginShell=/sbin/nologin,remove:vacationInfo=binary value
533
bytes,remove:homeDirectory=$REDACTED$,remove:vacationActive=FALSE,remove:uidNumber=$REDACTED$,remove:idsAD=TRUE,]:
insufficientAccessRights: (50))
My synchronization reactions are configured as follows:
<reaction>
<situation>linked</situation>
<synchronize>true</synchronize>
</reaction>
<reaction>
<situation>unlinked</situation>
<action>
<handlerUri><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link">http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</a></handlerUri>
</action>
</reaction>
<!--
<reaction>
<situation>unmatched</situation>
<action>
<handlerUri><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus">http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</a></handlerUri>
</action>
</reaction>
-->
<reaction>
<situation>deleted</situation>
<action>
<handlerUri><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteShadow">http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteShadow</a></handlerUri>
</action>
</reaction>
I have only inbound mapping definitions for the attributes I am
interested in. There are no outbound definitions.
So midpoint tries to synchronize the information and remove some
attributes on the objects in the LDAP server. However, I only want to
pull some information from the LDAP server and never write to it.
What am I missing or doing wrong?
Thank you and best regards,
Oliver
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</body>
</html>