<div dir="ltr"><div><br></div>It's been my experience with the LDAP connector that if the LDAP attribute is multi-valued, then you have to have a target set defined for the outbound mapping. Otherwise, midpoint won't delete values from LDAP when the source attribute changes. Try this for your mapping:<div><br></div><div><attribute id="49"><br> <ref>ri:MB-NOM-APE</ref><br> <outbound><br> <trace>true</trace><br> <strength>strong</strength><br> <source><br> <path>$focus/extension/nomApe</path><br> </source><br> <expression><br> <trace>true</trace><br> <asIs/><br> </expression></div><div> <target></div><div> <set></div><div> <predefined>all</predefined></div><div> </set></div><div> </target><br> </outbound><br></attribute><br></div><div><br></div><div><br></div><div>That tells midpoint that it is to replace all the values on the LDAP side with the data received from midpoint. However, if you have data existing in LDAP that you don't want removed, then you'll have to tune the target set with a script to manage only those values you want midpoint to touch.</div><div><br></div><div>The docs page <a href="https://docs.evolveum.com/midpoint/reference/expressions/mappings/range/">https://docs.evolveum.com/midpoint/reference/expressions/mappings/range/</a> has more information about mapping ranges.</div><div><br></div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div>-- </div><div>Paul Engle</div><div>IAM Architect</div><div>Identity & Access Management</div><div><a href="mailto:pengle@rice.edu" target="_blank">pengle@rice.edu</a> 713-348-4702</div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jul 18, 2022 at 10:10 AM Douglas Alves via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello everyone,<br>
I found a problem thats I can't resolve, I'm removing a attribute called "NOM-APE" from Midpoint but that change didn't applied to LDAP, that attribute works like a multivalued attribute, but inside the configuration thats a monovalued one.<br>
<br>
That's my extended schema configuration:<br>
<br>
```<br>
<xsd:element name="nomApe" type="xsd:string" minOccurs="0" maxOccurs="1"><br>
<xsd:annotation><br>
<xsd:appinfo><br>
<a:indexed>true</a:indexed><br>
<a:displayName>NOM-APE</a:displayName><br>
<a:displayOrder>135</a:displayOrder><br>
<a:help>APELIDO</a:help><br>
</xsd:appinfo><br>
</xsd:annotation><br>
</xsd:element><br>
```<br>
<br>
On the Role xml I turn on the traces to try to found a problem:<br>
<br>
```<br>
<attribute id="49"><br>
<ref>ri:MB-NOM-APE</ref><br>
<outbound><br>
<trace>true</trace><br>
<strength>strong</strength><br>
<source><br>
<path>$focus/extension/nomApe</path><br>
</source><br>
<expression><br>
<trace>true</trace><br>
<asIs/><br>
</expression><br>
</outbound><br>
</attribute><br>
```<br>
<br>
On the LDAP resource xml the value of atttribute was mapped like that:<br>
<br>
```<br>
<xsd:element maxOccurs="1" minOccurs="0" name="MB-NOM-APE" type="xsd:string"><br>
<xsd:annotation><br>
<xsd:appinfo><br>
<a:displayOrder>180</a:displayOrder><br>
<a:matchingRule xmlns:qn390="<a href="http://prism.evolveum.com/xml/ns/public/matching-rule-3" rel="noreferrer" target="_blank">http://prism.evolveum.com/xml/ns/public/matching-rule-3</a>">qn390:stringIgnoreCase</a:matchingRule><br>
<ra:nativeAttributeName>MB-NOM-APE</ra:nativeAttributeName><br>
<ra:frameworkAttributeName>MB-NOM-APE</ra:frameworkAttributeName><br>
</xsd:appinfo><br>
</xsd:annotation><br>
</xsd:element><br>
```<br>
<br>
Trying to replace this value in user on trace log , in LDAP the value is added like multivalored attribute i.e:<br>
<br>
```<br>
2022-07-18 11:33:17,051 [MODEL] [pool-3-thread-13] INFO (com.evolveum.midpoint.model.common.mapping.AbstractMappingImpl): Mapping trace:<br>
---[ MAPPING in outbound mapping for attribute {.../resource/instance-3}MB-NOM-APE in role:f003a8b0-8693-4184-9dfa-36dba1d9f40b(Perfil Básico Parceiro)]---------------------------<br>
Strength: STRONG<br>
Source nomApe:<br>
old: null<br>
delta: PropertyDeltaImpl(extension / {<a href="http://zurich.com/xml/ns/userSchema%7DnomApe" rel="noreferrer" target="_blank">http://zurich.com/xml/ns/userSchema}nomApe</a>, REPLACE)<br>
new: PP({<a href="http://zurich.com/xml/ns/userSchema%7DnomApe):%5BPPV(String:DTS" rel="noreferrer" target="_blank">http://zurich.com/xml/ns/userSchema}nomApe):[PPV(String:DTS</a>)]<br>
Target: rRAD:{.../resource/instance-3}MB-NOM-APE {xsd:}string[0,1],RAM native=MB-NOM-APE framework=MB-NOM-APE,Disp:MODEL<br>
Expression: asIs<br>
Condition: true -> true<br>
Result: added: DTS<br>
```<br>
<br>
But the value is appended to LDAP user entry.<br>
<br>
```<br>
ldapsearch -LLL -x -H ldap://localhost:389 -D 'cn=admin,c=br' -w ? -b 'uid=E222222,ou=Usuarios,o=SFMB,c=br' -s sub "(objectClass=*)" MB-NOM-APE<br>
dn: uid=E222222,ou=Usuarios,o=SFMB,c=br<br>
MB-NOM-APE: 661736<br>
MB-NOM-APE: 423534<br>
MB-NOM-APE: 669999<br>
MB-NOM-APE: 139999<br>
MB-NOM-APE: 609999<br>
MB-NOM-APE: 579999<br>
MB-NOM-APE: 6999999<br>
MB-NOM-APE: 6999998<br>
MB-NOM-APE: 660457<br>
MB-NOM-APE: 699999<br>
MB-NOM-APE: 679999<br>
MB-NOM-APE: DTS<br>
```<br>
<br>
And when I try to remove this value on Midpoint, the Midpoint tracing looks like ok to me:<br>
<br>
```<br>
2022-07-18 11:40:49,720 [MODEL] [pool-3-thread-14] INFO (com.evolveum.midpoint.model.common.mapping.AbstractMappingImpl): Mapping trace:<br>
---[ MAPPING in outbound mapping for attribute {.../resource/instance-3}MB-NOM-APE in role:f003a8b0-8693-4184-9dfa-36dba1d9f40b(Perfil Básico Parceiro)]---------------------------<br>
Strength: STRONG<br>
Source nomApe:<br>
old: PP({<a href="http://zurich.com/xml/ns/userSchema%7DnomApe):%5BPPV(String:DTS" rel="noreferrer" target="_blank">http://zurich.com/xml/ns/userSchema}nomApe):[PPV(String:DTS</a>)]<br>
delta: PropertyDeltaImpl(extension / {<a href="http://zurich.com/xml/ns/userSchema%7DnomApe" rel="noreferrer" target="_blank">http://zurich.com/xml/ns/userSchema}nomApe</a>, DELETE)<br>
new: PP({<a href="http://zurich.com/xml/ns/userSchema%7DnomApe):%5B%5D" rel="noreferrer" target="_blank">http://zurich.com/xml/ns/userSchema}nomApe):[]</a><br>
Target: rRAD:{.../resource/instance-3}MB-NOM-APE {xsd:}string[0,1],RAM native=MB-NOM-APE framework=MB-NOM-APE,Disp:MODEL<br>
Expression: asIs<br>
Condition: true -> true<br>
Result: removed: DTS<br>
```<br>
<br>
But the attribute wasn't removed:<br>
<br>
```<br>
ldapsearch -LLL -x -H ldap://localhost:389 -D 'cn=admin,c=br' -w ? -b 'uid=E222222,ou=Usuarios,o=SFMB,c=br' -s sub "(objectClass=*)" MB-NOM-APE<br>
dn: uid=E222222,ou=Usuarios,o=SFMB,c=br<br>
MB-NOM-APE: 661736<br>
MB-NOM-APE: 423534<br>
MB-NOM-APE: 669999<br>
MB-NOM-APE: 139999<br>
MB-NOM-APE: 609999<br>
MB-NOM-APE: 579999<br>
MB-NOM-APE: 6999999<br>
MB-NOM-APE: 6999998<br>
MB-NOM-APE: 660457<br>
MB-NOM-APE: 699999<br>
MB-NOM-APE: 679999<br>
MB-NOM-APE: DTS<br>
```<br>
<br>
I've tried to change role configurations and resource configuration xml, but no one works. I hope someone can help me with this trouble.<br>
<br>
Best Regards,<br>
<br>
Douglas Alves.<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div>