[Midpoint-dev] Problem importing groups as roles from Active Directory to MidPoint

Александр Кириллов sanyakirilloff at gmail.com
Wed Sep 20 18:25:41 CEST 2023


Hello community!

I have an AD resource configured. I need to import AD groups into MidPoint
as roles. I have specified the following configuration:
```
<objectType id="2">
    <kind>entitlement</kind>
    <intent>group</intent>
    <displayName>AD Group</displayName>
    <default>true</default>
    <objectClass>ri:group</objectClass>
    <focus>
        <type>c:RoleType</type>
    </focus>
    <attribute id="22">
        <ref>ri:dn</ref>
        <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
        <outbound>
            <source>
                <path>$focus/name</path>
            </source>
            <expression>
                <script>
                    <code>
                        'CN=' + name + ',CN=Users,DC=idm,DC=ru'
                    </code>
                </script>
            </expression>
        </outbound>
    </attribute>
    <attribute id="23">
        <ref>ri:name</ref>
        <outbound>
            <source>
                <path>$focus/name</path>
            </source>
        </outbound>
        <inbound id="26">
            <target>
                <path>name</path>
            </target>
        </inbound>
    </attribute>
    <attribute id="24">
        <ref>ri:description</ref>
        <outbound>
            <strength>strong</strength>
            <source>
                <path>description</path>
            </source>
        </outbound>
        <inbound id="27">
            <target>
                <path>description</path>
            </target>
        </inbound>
    </attribute>
    <correlation>
        <correlators>
            <items id="157">
                <item id="158">
                    <ref>name</ref>
                </item>
            </items>
        </correlators>
    </correlation>
    <synchronization>
        <reaction id="159">
            <situation>unmatched</situation>
            <actions>
                <addFocus id="160"/>
            </actions>
        </reaction>
    </synchronization>
</objectType>
```
I also configured the task to import groups from AD. The trick is that of
all existing groups, only half are added in the form of roles; for the
remaining roles, MidPoint throws the following error:

```
Error processing focus(role:null(Operators Server)): constraint violation: Found conflicting existing object with property name = PP({.../common/common-3}name):[PPV(PolyString:Operators Server)]: role:471cba00-1b15-45d3-94c4-287fa0ff661e(Administrators)
```

In <correlation> I added a matchingRule:

```
<matchingRule>polyStringNorm</matchingRule>
```

This fixed the errors - the task of adding groups now completes without them.
But this did not solve the problem: as before, exactly half of all groups are
added as roles and the rest are simply ignored.

Can you tell me how this can be fixed?
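An added pre-import check (my own code, not from the post or from midPoint): it groups a constructed set of AD group names by the correlation key each of the two matching rules mentioned above would produce, so names that would be merged into one role or rejected as a name conflict show up before the import task runs. The polyStringNorm function is an assumed approximation of midPoint's default PolyString normalizer, not its real implementation.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed sample of AD group names (not taken from the post). Several
# differ only in case, whitespace, punctuation or diacritics on purpose.
SAMPLE_GROUP_NAMES = [
    "Administrators",
    "Operators Server",
    "operators server",
    "Operators  Server",
    "Backup-Operators",
    "Backup Operators",
    "Développeurs",
    "Developpeurs",
    "DNSAdmins",
]


def string_ignore_case(value: str) -> str:
    """Key for the mr:stringIgnoreCase matching rule: case folding only."""
    return value.lower()


def poly_string_norm(value: str) -> str:
    """Assumed approximation of midPoint's default PolyString normalizer:
    strip diacritics, lowercase, turn non-alphanumerics into spaces,
    collapse whitespace runs and trim."""
    decomposed = unicodedata.normalize("NFD", value)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    spaced = re.sub(r"[^0-9a-z]+", " ", no_marks.lower())
    return re.sub(r"\s+", " ", spaced).strip()


def find_collisions(names, key_fn):
    """Return {key: [names...]} for every key shared by more than one name.
    Each such bucket correlates to a single role on import: one group gets
    the role, the others are merged into it or fail as name conflicts."""
    buckets = defaultdict(list)
    for name in names:
        buckets[key_fn(name)].append(name)
    return {k: v for k, v in buckets.items() if len(v) > 1}


if __name__ == "__main__":
    for label, fn in (("stringIgnoreCase", string_ignore_case),
                      ("polyStringNorm", poly_string_norm)):
        print(f"--- collisions under {label} ---")
        for key, members in find_collisions(SAMPLE_GROUP_NAMES, fn).items():
            print(f"{key!r}: {members}")
```

Run it against a real export of group names (one per line) to see which groups the chosen rule would fold together before switching the correlation rule in the resource.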