MID-2193: Referential Integrity and group membership on eDirectory does not work when renaming users


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.0 (Newton)
    • Fix Version/s: 3.1.1
    • Component/s: None
    • Git Revision: git-v3.0.1devel-859-g57c59e3

      Description

      eDirectory is configured as the target system, for both accounts and associations (entitlements, groups).

      Creating a user and putting them into the correct group works. The groups are created automatically by metaroles to replicate the organizational structure from midPoint to eDirectory.

      Renaming a user does the following:
      1. the user is renamed in midPoint (change user/name)
      2. the user is renamed in eDirectory (both dn and cn are mapped to user/name; cn has a weak mapping)
      3. eDirectory seems to update all member references in all of the user's groups automatically
      4. midPoint seems to try to put the new DN into the group (to reflect the user rename). This fails with:

      2015-02-02 13:20:31,217 [UCF] [Thread-1753] ERROR (com.evolveum.midpoint.provisioning.ucf.impl.IcfUtil): ICF Exception org.identityconnectors.framework.common.exceptions.ConnectorException in connector:addaa163-e8cf-4a79-a0a1-53325fe1151f(ICF org.identityconnectors.ldap.LdapConnector v1.4.0.49): resource:9dbdde52-ec88-11e3-b755-001e8c717e5b(Internal eDirectory) while adding attribute values to object identified by ICF UID 'cn=xx_groupname,ou=groups,o=example': javax.naming.directory.AttributeInUseException: [LDAP: error code 20 - NDS error: duplicate value (-614)]; remaining name 'cn=xx_groupname,ou=groups,o=example'

      5. as the GUI fails, I can only click the Back button at the bottom of the page
      6. subsequently editing the user in midPoint does NOT show the account. Checking the shadow in the repository shows that the shadow still contains the old (pre-rename) DN. The get request fixes the shadow (possibly using correlation and consistency?)
      7. the next edit of the user shows the renamed account and it is in the same groups as before (this is correct).

      In the resource, I have the following association configuration for accounts:

      <association>
          <ref>ri:group</ref>
          <tolerant>true</tolerant>
          <matchingRule>mr:stringIgnoreCase</matchingRule>
          <displayName>eDirectory Group Membership</displayName>
          <kind>entitlement</kind>
          <intent>group-org</intent>
          <direction>objectToSubject</direction>
          <associationAttribute>ri:member</associationAttribute>
          <valueAttribute>icfs:name</valueAttribute>
          <!-- XXX --><explicitReferentialIntegrity>false</explicitReferentialIntegrity><!-- XXX -->
          <!-- false: rename fails (group membership) and keeps the old shadow, further get cannot get account but fixes the shadow,
               second get works, because the account is ok in shadow -->
          <!-- manual rename in Apache directory studio is ok, groups are reflecting changes -->
      </association>

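      The following is an added, constructed model of the interaction reported above; it is not midPoint, ICF/ConnId or eDirectory code. It simulates a tiny in-memory directory whose handling of the member attribute on rename can be switched between "the directory rewrites member references itself" (what step 3 reports eDirectory doing) and "the directory does nothing", plus a provisioning step that either trusts the directory, blindly adds the new DN (the failing step 4, reproduced as a duplicate-value error), or adds it only where it is missing. Every DN, group name and the attribute name "member" (standing in for ri:member) are constructed sample values; the idempotent variant is an illustration of how the duplicate-value failure can be avoided, not a description of how midPoint implements explicitReferentialIntegrity.

```python
"""Constructed model of rename + group membership fix-up (not midPoint/eDirectory code)."""
from __future__ import annotations

MEMBER_ATTR = "member"  # assumed association attribute, standing in for ri:member


class DuplicateValueError(Exception):
    """Stands in for LDAP result 20 (attributeOrValueExists) / NDS -614 'duplicate value'."""


class Directory:
    """Minimal in-memory directory: dn -> {attribute: set(values)}. Constructed for the example."""

    def __init__(self, auto_referential_integrity: bool) -> None:
        self.auto_ri = auto_referential_integrity
        self.entries: dict[str, dict[str, set[str]]] = {}

    def add_entry(self, dn: str, attrs: dict[str, set[str]]) -> None:
        self.entries[dn] = {attr: set(vals) for attr, vals in attrs.items()}

    def add_value(self, dn: str, attr: str, value: str) -> None:
        """Modify/add of a single value; adding a value that is already present is an error."""
        values = self.entries[dn].setdefault(attr, set())
        if value in values:
            raise DuplicateValueError(f"{dn}: {attr} already holds {value!r}")
        values.add(value)

    def delete_value(self, dn: str, attr: str, value: str) -> None:
        self.entries[dn].get(attr, set()).discard(value)

    def rename(self, old_dn: str, new_dn: str) -> None:
        """Rename (modrdn); with auto_ri the directory rewrites every member reference itself."""
        self.entries[new_dn] = self.entries.pop(old_dn)
        if self.auto_ri:
            for entry in self.entries.values():
                members = entry.get(MEMBER_ATTR)
                if members is not None and old_dn in members:
                    members.discard(old_dn)
                    members.add(new_dn)

    def groups_of(self, member_dn: str) -> set[str]:
        return {dn for dn, e in self.entries.items() if member_dn in e.get(MEMBER_ATTR, set())}


def rename_account(directory: Directory, old_dn: str, new_dn: str,
                   explicit_ri: bool, idempotent: bool = True) -> list[str]:
    """Rename the account, then optionally fix up group membership explicitly.

    explicit_ri=False: trust the directory to keep member values in sync.
    explicit_ri=True, idempotent=False: blindly add the new DN (fails with a duplicate
        value when the directory already rewrote the reference, as in step 4 above).
    explicit_ri=True, idempotent=True: add the new DN only where it is still missing.
    Returns the sorted list of groups the renamed account belongs to afterwards.
    """
    groups = directory.groups_of(old_dn)  # snapshot taken before the rename
    directory.rename(old_dn, new_dn)
    if explicit_ri:
        for group_dn in groups:
            directory.delete_value(group_dn, MEMBER_ATTR, old_dn)  # no-op if already gone
            already = new_dn in directory.entries[group_dn].get(MEMBER_ATTR, set())
            if idempotent and already:
                continue
            directory.add_value(group_dn, MEMBER_ATTR, new_dn)
    return sorted(directory.groups_of(new_dn))


def build_sample_directory(auto_ri: bool) -> Directory:
    """Constructed sample data: one account that is a member of two org groups."""
    d = Directory(auto_ri)
    d.add_entry("cn=user1,ou=users,o=example", {"cn": {"user1"}})
    for g in ("org_a", "org_b"):
        d.add_entry(f"cn={g},ou=groups,o=example",
                    {"cn": {g}, MEMBER_ATTR: {"cn=user1,ou=users,o=example"}})
    return d


def run_scenario(auto_ri: bool, explicit_ri: bool, idempotent: bool = True) -> tuple[str, list[str]]:
    """Run one combination; returns ('ok', groups) or ('duplicate-value', [])."""
    d = build_sample_directory(auto_ri)
    try:
        groups = rename_account(d, "cn=user1,ou=users,o=example",
                                "cn=user1renamed,ou=users,o=example", explicit_ri, idempotent)
    except DuplicateValueError:
        return "duplicate-value", []
    return "ok", groups


if __name__ == "__main__":
    for auto_ri, explicit_ri, idempotent in [(True, True, False), (True, True, True),
                                             (True, False, True), (False, False, True),
                                             (False, True, True)]:
        print(f"auto_ri={auto_ri} explicit_ri={explicit_ri} idempotent={idempotent}:",
              run_scenario(auto_ri, explicit_ri, idempotent))
```

      The combination auto_ri=True with a blind add reproduces the duplicate-value failure from the log above; auto_ri=False with explicit_ri=False shows the opposite failure mode, where trusting a directory that does not maintain referential integrity silently drops the renamed account from all of its groups. Checking the membership state before adding makes the fix-up safe in both kinds of directory.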

              People

              Assignee: Ivan Noris
              Reporter: Ivan Noris