<div dir="ltr">Hi Ivan<div><br></div><div>I could not find the shadow in midpoint's repository page (xml). I think probably this is the problem that midpoint did not store the shadow somehow.</div><div><br></div><div>No attribute of this resource is dependent on user/role attributes, user is going to enter the value.</div><div><br></div><div>Thanks</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 5, 2015 at 3:53 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hi Dharmendra,<br>
    <br>
    so far I can't see any reason for not working, especially if it
    works in LDAP.<br>
    <br>
    Can you please check this:<br>
    <br>
    - open your user in midPoint's repository pages (XML)<br>
    - check the oid of the Shadow in linkRef<br>
    - open the shadow in midPoint's repository pages (XML)<br>
    - check the attributes attributes/icfs:name and attributes/icfs:uid
    - they should be at the bottom of the object. Are this ok?<br>
    <br>
    midPoint seems to be unable to find the object - as this is AD, it
    should be located by the GUID (icfs:uid).<br>
    I have a strange feeling that this is related to string case.<br>
    <br>
    BTW. I don't see any outbounds to generate icfs:name for that group;
    is this done in the role(s)? Does the name somehow depend on user
    attributes?<br>
    <br>
    Regards,<br>
    Ivan<div><div class="h5"><br>
    <br>
    <div>On 03/05/2015 10:38 AM, Dharmendra
      Parakh wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hi Ivan
        <div><br>
        </div>
        <div>Thanks for all the information.</div>
        <div><br>
        </div>
        <div>My requirement is just to create a AD group on the target
          and at this point I do not want to assign this group to any
          user. So basically we want to use this resource for group
          creation purpose only.</div>
        <div><br>
        </div>
        <div>I am well aware of the way you have described for group
          creation as entitlement (I have tried that and it works) but
          we want to avoid the multiple steps involved in entitlement
          creation and also we want to create this under a user/role as
          an assignment/account only because group management becomes
          easy for us this way. As i have mentioned we are doing the
          same in case of ldap resource and that is working for us. I
          cannot think of any reason why midpoint will behave
          differently for ad and ldap.</div>
        <div><br>
        </div>
        <div>AFAIK for connector group is just an object class like
          account so i think it should work logically. I think i am
          missing something or i have some issue in resource. I will
          appreciate any help on this.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>Thanks!</div>
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Mar 5, 2015 at 2:39 PM, Ivan
          Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Hi Dharmendra,<br>
              <br>
              I'm not sure if I understand what you try to achieve.<br>
              <br>
              Do you want to create AD group for given user in midPoint?
              Or do you want to create the group through midPoint and
              then assign to user?<br>
              <br>
              I would definitely not change the default object class for
              "account" to CustomGroupObjectClass. Just use kinds and
              intents in schema handling.<br>
              <br>
              In my project I have the following setup: I want to create
              users in midPoint, accounts for them in AD. I also want to
              create groups (and other objects) in AD that belong to
              organizations in midPoint (part of org. structure
              replication). And I also want to put AD accounts to these
              groups. The simplified example follows:<br>
              <br>
              1. in resource, I define new kind=entitlement and
              intent=group-municipality, e.g.:<br>
                      <objectType><br>
                          <kind><b>entitlement</b></kind><br>
                          <intent><b>group-municipality</b></intent><br>
                          <displayName>Municipality
              groups</displayName><br>
                          <default>true</default><br>
                          <objectClass>ri:<b>CustomGroupObjectClass</b></objectClass><br>
                          <attribute><br>
              . . .<br>
              <br>
              This means that I'm able to reference groups of this
              "type" (I have several different types of groups) as
              kind=entitlement and intent=group-municipality.<br>
              <br>
              2. in resource, I define association for <b>accounts</b>
              with this kind of groups:<br>
                                      <objectType><br>
                                      <kind><b>account</b></kind><br>
                                              <intent><b>default</b></intent><br>
                                              <displayName>Default
              Account - Municipality users</displayName><br>
                                             
              <default>true</default><br>
                                              <objectClass>ri:<b>AccountObjectClass</b></objectClass><br>
              . . .<br>
                          <association><br>
                              <ref>ri:adGroups</ref><br>
                              <tolerant>true</tolerant><br>
                             
              <matchingRule>mr:stringIgnoreCase</matchingRule><br>
                              <kind><b>entitlement</b></kind><br>
                              <intent><b>group-municipality</b></intent><br>
                             
              <direction>objectToSubject</direction><br>
                             
              <associationAttribute>ri:member</associationAttribute><br>
                             
              <valueAttribute>icfs:name</valueAttribute><br>
                             
<explicitReferentialIntegrity>false</explicitReferentialIntegrity><br>
                          </association><br>
                      </objectType><br>
              <br>
              This means midPoint is able to associate AD accounts with
              this type of groups and will show the "Association" part
              in GUI when editing user - list of groups for that
              account.<br>
              <br>
              3. to <b>assign AD account to any existing AD group</b>
              (EmailAllUsers in this example), I have a role in
              midPoint:<br>
              <br>
              <role xmlns=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
                      xmlns:c=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
                     
              xmlns:icfs=<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</a><br>
                      xmlns:q=<a href="http://prism.evolveum.com/xml/ns/public/query-3" target="_blank">"http://prism.evolveum.com/xml/ns/public/query-3"</a><br>
                     
              xmlns:ri=<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a><br>
                      oid="b4b5059a-5cdc-4a2c-a184-bb6e0c67e064"><br>
                 <name>E-Mail</name><br>
                  <inducement><br>
                      <construction><br>
                              <!-- The c: prefix in type must be
              there due to a JAXB bug --><br>
                              <resourceRef
              oid="00000000-0000-0000-0001-100000000002"
              type="c:ResourceType"/><br>
                      <association><br>
                          <ref>ri:adGroups</ref><br>
                          <outbound><br>
              <strength>strong</strength><br>
                              <expression><br>
                                  <associationTargetSearch><br>
                                      <filter><br>
                                          <q:equal><br>
                                              <q:path><br>
                                                      declare namespace
              icfs=<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</a>;<br>
                                                      declare namespace
              ri=<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a>;<br>
                                                     
              attributes/ri:samAccountName<br>
                                              </q:path><br>
                                              <expression><br>
                                                  <script><br>
                                                      <code><br>
              return '<b>EmailAllUsers</b>' <!-- group's
              sAMAccountName in AD --><br>
              </code><br>
                                                  </script><br>
                                              </expression><br>
                                          </q:equal><br>
                                      </filter><br>
                                 
              <searchOnResource>true</searchOnResource><br>
                                  </associationTargetSearch><br>
                              </expression><br>
                          </outbound><br>
                      </association><br>
              </construction><br>
              </inducement><br>
              </role><br>
              <br>
              If this role is assigned to user in midPoint, it will
              create AD account (if it does not exist yet) it will
              search for a group named "EmailAllUsers" (by
              sAMAccountName) and add user to that group if such group
              exists.<br>
              <br>
              4. if you want to <b>create groups</b> in AD from
              midPoint, they must be regarded as a projection of either
              User, Organization or Role in midPoint. In my scenario,
              for some Organization I create the type of groups I
              referred to above by assignin a role to an <b>organization</b>,
              e.g.:<br>
              <br>
              <role oid="00000000-0000-0000-0004-000000000010"<br>
                      xmlns=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
                      xmlns:c=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
                      xmlns:t=<a href="http://prism.evolveum.com/xml/ns/public/types-3" target="_blank">"http://prism.evolveum.com/xml/ns/public/types-3"</a>><br>
                  <name>Meta-role for organizational structure
              replication to AD</name><br>
                  <inducement><br>
                      <construction><br>
                              <!-- AD resource --><br>
                              <resourceRef
              oid="00000000-0000-0000-0001-100000000002"
              type="c:ResourceType"/><br>
               <b>               <kind>entitlement</kind></b><b><br>
              </b><b>               
                <intent>group-municipality</intent></b><br>
                      </construction><br>
                  </inducement><br>
              ...<br>
              </role><br>
              <br>
              This means that midPoint will create a group of that type
              for the organization in midPoint. Of course, in
              schemaHandling for AD resource, in the kind=entitlement
              and intent=group-municipality part, you have to define
              proper outbound mappings (icfs:name = DN; sAMAccountName
              and possibly other attributes) to actually create the
              group.<br>
              <br>
              And that's all, so simple.<br>
              <br>
              Some examples can be also seen in our OrgSync scenario
              wiki page: <a href="https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test" target="_blank">https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test</a>
              (it is different scenario as I've described in my example,
              but it's very usable for concept understanding).<br>
              <br>
              Hope this helps.<br>
              Regards,<br>
              Ivan
              <div>
                <div><br>
                  <br>
                  <div>On 03/05/2015 09:44 AM, Dharmendra Parakh wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div>
                    <div dir="ltr">Hi
                      <div><br>
                      </div>
                      <div>I have been playing around with AD Connector
                        and i am facing an issue where i was trying to
                        create an AD group using the AD Connector.</div>
                      <div><br>
                      </div>
                      <div>I have a resource configured where the
                        default object class is my AD Group object class
                        and kind is set to account.</div>
                      <div>When i try to create the group by creating a
                        account of this resource i see the<b> group is
                          created on Active Directory</b> but same does
                        not show up in the midpoint UI under User's
                        accounts panel.<br>
                      </div>
                      <div><br>
                      </div>
                      <div>I can see the linkRef in user's xml but it is
                        not getting loaded in UI and also when i open
                        the user xml i see an error: </div>
                      <div><br>
                      </div>
                      <blockquote style="margin:0 0 0 40px;border:none;padding:0px">
                        <div>
                          <div><font color="#000000" size="1">[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],

                              objectclass={.../resource/instance-3}CustomGroupObjectClass:

                              Object identified by
                              [RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]

                              was not found by
                              connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
                              Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector

                              v1.4.1.20257 @ConnectorServer27:22:8759)</font></div>
                        </div>
                        <div>
                          <div><font color="#000000" size="1">com.evolveum.midpoint.util.exception.ObjectNotFoundException:

                              Object not found.
                              identifiers=[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],

                              objectclass={.../resource/instance-3}CustomGroupObjectClass:

                              Object identified by
                              [RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]

                              was not found by
                              connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
                              Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector

                              v1.4.1.20257 @ConnectorServer27:22:8759)</font></div>
                        </div>
                        <div>
                          <div><font color="#000000" size="1"><span style="white-space:pre-wrap"> </span>at
                              com.evolveum.midpoint.provisioning.consistency.impl.ObjectNotFoundHandler.handleError(ObjectNotFoundHandler.java:268)

                              ~[provisioning-impl-3.2-SNAPSHOT.jar:na]</font></div>
                        </div>
                        <div>
                          <div><font color="#000000" size="1"><span style="white-space:pre-wrap"> </span>at
                              com.evolveum.midpoint.provisioning.impl.ShadowCache.handleError(ShadowCache.java:683)

                              ~[provisioning-impl-3.2-SNAPSHOT.jar:na]</font></div>
                        </div>
                      </blockquote>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                      <div>We have similar setup for ldap group
                        provisioning and that works very fine.</div>
                      <div><br>
                      </div>
                      <div>I have attached my resource xml with the
                        email, please have a look and let me know if i
                        am doing anything wrong here.</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                      <div>Regards</div>
                      <div>Dharmendra</div>
                    </div>
                    <br>
                    <fieldset></fieldset>
                    <br>
                  </div>
                </div>
                <pre>_______________________________________________
midPoint-dev mailing list
<a href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><span><font color="#888888">
</font></span></pre>
                <span><font color="#888888"> </font></span></blockquote>
              <span><font color="#888888"> <br>
                  <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>                     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  ___________________________________________________
  "Semper Id(e)M Vix."
</pre>
                </font></span></div>
            <br>
            _______________________________________________<br>
            midPoint-dev mailing list<br>
            <a href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a><br>
            <a href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>                     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  ___________________________________________________
  "Semper Id(e)M Vix."
</pre>
  </div></div></div>

</blockquote></div><br></div>