Description
We're using the LDAP connector with uidAttribute=dn.
When attempting to provision certain accounts, we get:
com.evolveum.midpoint.util.exception.SchemaException: No secondary identifier in base context identification ResourceObjectIdentification({.../resource/instance-3}organizationalUnit: primary=[RA({.../resource/instance-3}dn):[PPV(String:ou=ApplicationGroups,o=example.com)]], secondary=[])
    at com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.search(ConnectorInstanceConnIdImpl.java:1934)
    at com.evolveum.midpoint.provisioning.impl.EntitlementConverter.postProcessEntitlementEntitlementToSubject(EntitlementConverter.java:274)
    at com.evolveum.midpoint.provisioning.impl.EntitlementConverter.postProcessEntitlementsRead(EntitlementConverter.java:113)
    at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.postProcessResourceObjectRead(ResourceObjectConverter.java:2105)
    at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchResourceObject(ResourceObjectConverter.java:1448)
    at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.getResourceObject(ResourceObjectConverter.java:113)
    at com.evolveum.midpoint.provisioning.impl.ShadowCache.getShadow(ShadowCache.java:271)
    at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.getObject(ProvisioningServiceImpl.java:203)
    at com.evolveum.midpoint.model.impl.lens.projector.ContextLoader.loadLinkRefsFromFocus(ContextLoader.java:689)
    at com.evolveum.midpoint.model.impl.lens.projector.ContextLoader.loadLinkRefs(ContextLoader.java:626)
    at com.evolveum.midpoint.model.impl.lens.projector.ContextLoader.load(ContextLoader.java:139)
    at com.evolveum.midpoint.model.impl.lens.ClockworkMedic.lambda$partialExecute$1(ClockworkMedic.java:184)
    at com.evolveum.midpoint.model.impl.lens.ClockworkMedic.partialExecute(ClockworkMedic.java:343)
    at com.evolveum.midpoint.model.impl.lens.ClockworkMedic.partialExecute(ClockworkMedic.java:182)
    at com.evolveum.midpoint.model.impl.lens.projector.Projector.projectInternal(Projector.java:171)
    at com.evolveum.midpoint.model.impl.lens.projector.Projector.projectAllWaves(Projector.java:119)
    at com.evolveum.midpoint.model.impl.lens.Clockwork.previewChanges(Clockwork.java:299)
    at com.evolveum.midpoint.model.impl.controller.ModelInteractionServiceImpl.previewChanges(ModelInteractionServiceImpl.java:186)
    at com.evolveum.midpoint.web.component.progress.ProgressPanel$14.callWithContextPrepared(ProgressPanel.java:662)
    at com.evolveum.midpoint.web.component.progress.ProgressPanel$14.callWithContextPrepared(ProgressPanel.java:651)
    at com.evolveum.midpoint.web.component.SecurityContextAwareCallable.call(SecurityContextAwareCallable.java:50)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
We're using baseContext like this:
...
<objectType>
    <kind>account</kind>
    <intent>ldapTrustedApps</intent>
    <displayName>TrustedApps</displayName>
    <objectClass>ri:inetOrgPerson</objectClass>
    <baseContext>
        <objectClass>ri:organizationalUnit</objectClass>
        <filter>
            <q:equal>
                <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#distinguishedName</q:matching>
                <q:path>attributes/dn</q:path>
                <q:value>ou=xxx,o=example.com</q:value>
            </q:equal>
        </filter>
    </baseContext>
    <searchHierarchyScope>one</searchHierarchyScope>
    <projection>
        <assignmentPolicyEnforcement>full</assignmentPolicyEnforcement>
    </projection>
...
Similarly, we're using it in entitlement definitions (and we're using associations with them).
For some suffixes this works - for them we also have shadows in midPoint (for the organizationalUnits). For the organizationalUnit in our specific issue we also have a shadow, but the account is attempted to be created under another ou - so maybe even the error message is misleading - and for that organizationalUnit (baseContext) we don't have a shadow in the repository.