MidPoint issue MID-6884

No secondary identifier in base context identification for ldap resource with uidAttribute=dn


Details

    Type: Bug
    Status: Closed
    Priority: Critical
    Resolution: Fixed
    Affects Version: 4.2
    Fix Version: 4.3, 4.2.1
    Component: None
    Subscription: Active subscription

    Description

      We're using the LDAP connector with uidAttribute=dn.

      When attempting to provision certain accounts, we get:

      com.evolveum.midpoint.util.exception.SchemaException: No secondary identifier in base context identification ResourceObjectIdentification({.../resource/instance-3}organizationalUnit: primary=[RA({.../resource/instance-3}dn):[PPV(String:ou=ApplicationGroups,o=example.com)]], secondary=[])
      	at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.search(ConnectorInstanceConnIdImpl.java:1934)
      	at com.evolveum.midpoint.provisioning.impl.EntitlementConverter.postProcessEntitlementEntitlementToSubject(EntitlementConverter.java:274)
      	at com.evolveum.midpoint.provisioning.impl.EntitlementConverter.postProcessEntitlementsRead(EntitlementConverter.java:113)
      	at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.postProcessResourceObjectRead(ResourceObjectConverter.java:2105)
      	at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchResourceObject(ResourceObjectConverter.java:1448)
      	at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.getResourceObject(ResourceObjectConverter.java:113)
      	at com.evolveum.midpoint.provisioning.impl.ShadowCache.getShadow(ShadowCache.java:271)
      	at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.getObject(ProvisioningServiceImpl.java:203)
      	at com.evolveum.midpoint.model.impl.lens.projector.ContextLoader.loadLinkRefsFromFocus(ContextLoader.java:689)
      	at com.evolveum.midpoint.model.impl.lens.projector.ContextLoader.loadLinkRefs(ContextLoader.java:626)
      	at com.evolveum.midpoint.model.impl.lens.projector.ContextLoader.load(ContextLoader.java:139)
      	at com.evolveum.midpoint.model.impl.lens.ClockworkMedic.lambda$partialExecute$1(ClockworkMedic.java:184)
      	at com.evolveum.midpoint.model.impl.lens.ClockworkMedic.partialExecute(ClockworkMedic.java:343)
      	at com.evolveum.midpoint.model.impl.lens.ClockworkMedic.partialExecute(ClockworkMedic.java:182)
      	at com.evolveum.midpoint.model.impl.lens.projector.Projector.projectInternal(Projector.java:171)
      	at com.evolveum.midpoint.model.impl.lens.projector.Projector.projectAllWaves(Projector.java:119)
      	at com.evolveum.midpoint.model.impl.lens.Clockwork.previewChanges(Clockwork.java:299)
      	at com.evolveum.midpoint.model.impl.controller.ModelInteractionServiceImpl.previewChanges(ModelInteractionServiceImpl.java:186)
      	at com.evolveum.midpoint.web.component.progress.ProgressPanel$14.callWithContextPrepared(ProgressPanel.java:662)
      	at com.evolveum.midpoint.web.component.progress.ProgressPanel$14.callWithContextPrepared(ProgressPanel.java:651)
      	at com.evolveum.midpoint.web.component.SecurityContextAwareCallable.call(SecurityContextAwareCallable.java:50)
      	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
      	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
      	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
      	at java.base/java.lang.Thread.run(Thread.java:834)
      

      We're using baseContext like this:

      ...
      <objectType>
          <kind>account</kind>
          <intent>ldapTrustedApps</intent>
          <displayName>TrustedApps</displayName>
          <objectClass>ri:inetOrgPerson</objectClass>

          <!-- search base for this object type: the organizationalUnit whose dn
               equals the filter value under the distinguishedName matching rule -->
          <baseContext>
              <objectClass>ri:organizationalUnit</objectClass>
              <filter>
                  <q:equal>
                      <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#distinguishedName</q:matching>
                      <q:path>attributes/dn</q:path>
                      <q:value>ou=xxx,o=example.com</q:value>
                  </q:equal>
              </filter>
          </baseContext>
          <searchHierarchyScope>one</searchHierarchyScope>

          <projection>
              <assignmentPolicyEnforcement>full</assignmentPolicyEnforcement>
          </projection>
      ...

      Similarly, we're using it in entitlement definitions (and we're using associations with them).

      For some suffixes this works; for them we also have shadows in midPoint (for the organizationalUnits). For the organizationalUnit in our specific issue we also have a shadow, but the account is attempted to be created under another ou, so maybe even the error message is misleading, and for that organizationalUnit (baseContext) we don't have a shadow in the repository.
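The identification in the trace above carries the OU's dn as its primary identifier and an empty secondary identifier list. The following is an added, stand-alone Python model of that identifier-selection step, written for this page; it is not midPoint's code and not the connector's. Class and function names are hypothetical, the DN normalization is a simplified stand-in for the distinguishedName matching rule used in the baseContext filter, and the "tolerant" variant is one assumed way of handling the uidAttribute=dn edge case, not a description of the actual fix. The sample identification is constructed from the one quoted in the report.

```python
"""Model of base-context identifier resolution for an LDAP resource.

Hypothetical illustration for this issue, not midPoint's own code.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class SchemaException(Exception):
    """Stand-in for midPoint's SchemaException (hypothetical model class)."""


@dataclass(frozen=True)
class Identifier:
    """One identifying attribute of a resource object (hypothetical model)."""
    name: str   # attribute name, e.g. "dn" or "entryUUID"
    value: str


@dataclass
class Identification:
    """Primary and secondary identifiers of one resource object (hypothetical model)."""
    object_class: str
    primary: list[Identifier] = field(default_factory=list)
    secondary: list[Identifier] = field(default_factory=list)


def normalize_dn(dn: str) -> str:
    """Normalize a DN for comparison: split on ',', drop whitespace around
    RDNs and '=', lower-case attribute types and values. Simplified model of
    a distinguishedName matching rule; it ignores escaping and multi-valued RDNs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(parts)


def dn_equal(a: str, b: str) -> bool:
    """True when two DNs are equal under normalize_dn."""
    return normalize_dn(a) == normalize_dn(b)


def base_context_dn_reported(ident: Identification, name_attribute: str = "dn") -> str:
    """Behaviour matching the reported failure: only a secondary identifier
    (the DN) is accepted as search base, so secondary=[] raises even though
    the primary identifier already holds the DN."""
    for attr in ident.secondary:
        if attr.name == name_attribute:
            return attr.value
    raise SchemaException(
        f"No secondary identifier in base context identification {ident}")


def base_context_dn_tolerant(ident: Identification, uid_attribute: str,
                             name_attribute: str = "dn") -> str:
    """One assumed way to handle the edge case (not necessarily the midPoint
    fix): when the connector's uidAttribute is the DN, the primary identifier
    is the DN, so fall back to it before giving up."""
    try:
        return base_context_dn_reported(ident, name_attribute)
    except SchemaException:
        if uid_attribute == name_attribute:
            for attr in ident.primary:
                if attr.name == name_attribute:
                    return attr.value
        raise


def search_base_for_filter(ident: Identification, filter_dn: str, uid_attribute: str) -> str:
    """Resolve the base-context DN and check it is the OU the baseContext
    filter asked for, comparing with the DN matching rule."""
    dn = base_context_dn_tolerant(ident, uid_attribute)
    if not dn_equal(dn, filter_dn):
        raise SchemaException(
            f"base context {dn!r} does not match filter value {filter_dn!r}")
    return dn


def raises_schema_exception(fn, *args, **kwargs) -> bool:
    """Helper: True when fn(*args, **kwargs) raises SchemaException."""
    try:
        fn(*args, **kwargs)
    except SchemaException:
        return True
    return False


# Constructed sample: the identification quoted in the report, with an empty
# secondary identifier list.
REPORTED = Identification(
    object_class="organizationalUnit",
    primary=[Identifier("dn", "ou=ApplicationGroups,o=example.com")],
    secondary=[],
)

if __name__ == "__main__":
    print("reported behaviour raises:", raises_schema_exception(base_context_dn_reported, REPORTED))
    print("tolerant:", search_base_for_filter(
        REPORTED, "OU=ApplicationGroups, O=example.com", uid_attribute="dn"))
```

With uidAttribute=dn the fallback resolves the search base from the primary identifier; with a uidAttribute such as entryUUID (a hypothetical value here) and no secondary identifier the tolerant variant still raises, because nothing in the identification names the DN.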

      People

        Assignee: Ivan Noris
        Reporter: Ivan Noris