<div dir="ltr">Hi Pavol,<div><br></div><div><br></div><div>Thanks for your reply, I tried it doing on other midpoint server which is connected to different AD server and it worked for me. I am not sure what is wrong with my setup but i am going to look into this and update you with my findings.</div><div><br></div><div>Thanks a lot for the time you invested in this. I really appreciate your help.</div><div><br></div><div>Regards</div><div>Dharmendra</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 6, 2015 at 7:00 PM, Pavol Mederly <span dir="ltr"><<a href="mailto:pavol.mederly@gmail.com" target="_blank">pavol.mederly@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hello Dharmendra,<br>
<br>
I've tried to replicate the problem in my midPoint. However, in my
case, everything works as expected.<br>
<br>
What I use:<br>
<br>
- AD connector 1.4.1.20283 (however, I know of no changes with
respect to your version that could cause different behavior)<br>
- midPoint version v3.2devel-188-g409d5e1 (last commit
409d5e117c7ddd9e35ce5c2bc4ec6c3ff51bfb8d)<br>
- your resource configuration, with changes:<br>
<br>
<gen70:Container>OU=ConnectorTest,DC=test,DC=***,DC=local</gen70:Container><br>
<gen70:DomainName>test.***.local</gen70:DomainName><br>
<br>
(I removed <schema> section)<br>
<br>
- then I created a user named "testgroup", filled in some common
attributes, selected ADD ACCOUNT, entered a value of<span>
CN=abc,OU=ConnectorTest,DC=test,DC=***,DC=local for</span> the
name attribute<br>
<br>
The group was created on the resource, the shadow was created in
midPoint, and when I open the user, I see the "account" created
for it.<br>
<br>
Back to your situation:<br>
- are there any errors in ConnectorServer.log (on windows side)?<br>
- are there any errors in midpoint log?<br>
- could you enable TRACE debug level for model and provisioning
and retry the operation? Then could you send me the log? I can
have a look on that.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
</div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">Hi
<div><br>
</div>
<div>Any other suggestions?</div>
<div><br>
</div>
<div>Thanks!</div>
</div>
</div></div><div class="gmail_extra"><br>
<div class="gmail_quote"><div><div class="h5">On Thu, Mar 5, 2015 at 8:58 PM,
Dharmendra Parakh <span dir="ltr"><<a href="mailto:dharmendra@confluxsys.com" target="_blank">dharmendra@confluxsys.com</a>></span>
wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>I tried both the setups but no luck. Still the group
is getting created in AD but midpoint is not storing the
shadow.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks!</div>
</div>
</div></div><div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote"><div><div class="h5">On Thu, Mar 5, 2015 at 6:39
PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><div><div class="h5"> Hi
Dharmendra,<br>
<br>
can you please try with this:<br>
<br>
...<br>
<connectorConfiguration><br>
<b>
<icfc:resultsHandlerConfiguration></b><b><br>
</b><b>
<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler></b><b><br>
</b><b>
</icfc:resultsHandlerConfiguration></b><b><br>
</b><br>
<!-- Configuration specific for
the Active Directory connector --><br>
<icfc:configurationProperties<br>
...<br>
<br>
Alternatively:<br>
<br>
<icfc:resultsHandlerConfiguration><br>
<icfc:enableFilteredResultsHandler><b>true</b></icfc:enableFilteredResultsHandler><br>
<icfc:enableCaseInsensitiveFilter><b>true</b></icfc:enableCaseInsensitiveFilter><br>
</icfc:resultsHandlerConfiguration><br>
<br>
But please start with the <b>first</b> setup.
The first config will switch off the result
handler filtering in ICF; the second will let it
turned on, but switch to case insensitive...<br>
<br>
Please let us know. Thanks you.<br>
<br>
Regards,<br>
Ivan
</div></div><div>
<div><div><div class="h5"><br>
<br>
<div>On 03/05/2015 12:08 PM, Dharmendra
Parakh wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>I could not find the shadow in
midpoint's repository page (xml). I
think probably this is the problem
that midpoint did not store the shadow
somehow.</div>
<div><br>
</div>
<div>No attribute of this resource is
dependent on user/role attributes,
user is going to enter the value.</div>
<div><br>
</div>
<div>Thanks</div>
</div>
</div></div><div class="gmail_extra"><br>
<div class="gmail_quote"><div><div class="h5">On Thu, Mar 5,
2015 at 3:53 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5"> Hi Dharmendra,<br>
<br>
so far I can't see any reason for
not working, especially if it
works in LDAP.<br>
<br>
Can you please check this:<br>
<br>
- open your user in midPoint's
repository pages (XML)<br>
- check the oid of the Shadow in
linkRef<br>
- open the shadow in midPoint's
repository pages (XML)<br>
- check the attributes
attributes/icfs:name and
attributes/icfs:uid - they should
be at the bottom of the object.
Are this ok?<br>
<br>
midPoint seems to be unable to
find the object - as this is AD,
it should be located by the GUID
(icfs:uid).<br>
I have a strange feeling that this
is related to string case.<br>
<br>
BTW. I don't see any outbounds to
generate icfs:name for that group;
is this done in the role(s)? Does
the name somehow depend on user
attributes?<br>
<br>
Regards,<br>
Ivan
</div></div><div>
<div><div><div class="h5"><br>
<br>
<div>On 03/05/2015 10:38 AM,
Dharmendra Parakh wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>Thanks for all the
information.</div>
<div><br>
</div>
<div>My requirement is
just to create a AD
group on the target and
at this point I do not
want to assign this
group to any user. So
basically we want to use
this resource for group
creation purpose only.</div>
<div><br>
</div>
<div>I am well aware of
the way you have
described for group
creation as entitlement
(I have tried that and
it works) but we want to
avoid the multiple steps
involved in entitlement
creation and also we
want to create this
under a user/role as an
assignment/account only
because group management
becomes easy for us this
way. As i have mentioned
we are doing the same in
case of ldap resource
and that is working for
us. I cannot think of
any reason why midpoint
will behave differently
for ad and ldap.</div>
<div><br>
</div>
<div>AFAIK for connector
group is just an object
class like account so i
think it should work
logically. I think i am
missing something or i
have some issue in
resource. I will
appreciate any help on
this.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div></div><div class="gmail_extra"><br>
<div class="gmail_quote"><div><div class="h5">On
Thu, Mar 5, 2015 at 2:39
PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5"> Hi
Dharmendra,<br>
<br>
I'm not sure if I
understand what you
try to achieve.<br>
<br>
Do you want to
create AD group for
given user in
midPoint? Or do you
want to create the
group through
midPoint and then
assign to user?<br>
<br>
I would definitely
not change the
default object class
for "account" to
CustomGroupObjectClass.
Just use kinds and
intents in schema
handling.<br>
<br>
In my project I have
the following setup:
I want to create
users in midPoint,
accounts for them in
AD. I also want to
create groups (and
other objects) in AD
that belong to
organizations in
midPoint (part of
org. structure
replication). And I
also want to put AD
accounts to these
groups. The
simplified example
follows:<br>
<br>
1. in resource, I
define new
kind=entitlement and
intent=group-municipality,
e.g.:<br>
<objectType><br>
<kind><b>entitlement</b></kind><br>
<intent><b>group-municipality</b></intent><br>
<displayName>Municipality
groups</displayName><br>
<default>true</default><br>
<objectClass>ri:<b>CustomGroupObjectClass</b></objectClass><br>
<attribute><br>
. . .<br>
<br>
This means that I'm
able to reference
groups of this
"type" (I have
several different
types of groups) as
kind=entitlement and
intent=group-municipality.<br>
<br>
2. in resource, I
define association
for <b>accounts</b>
with this kind of
groups:<br>
<objectType><br>
<kind><b>account</b></kind><br>
<intent><b>default</b></intent><br>
<displayName>Default
Account -
Municipality
users</displayName><br>
<default>true</default><br>
<objectClass>ri:<b>AccountObjectClass</b></objectClass><br>
. . .<br>
<association><br>
<ref>ri:adGroups</ref><br>
<tolerant>true</tolerant><br>
<matchingRule>mr:stringIgnoreCase</matchingRule><br>
<kind><b>entitlement</b></kind><br>
<intent><b>group-municipality</b></intent><br>
<direction>objectToSubject</direction><br>
<associationAttribute>ri:member</associationAttribute><br>
<valueAttribute>icfs:name</valueAttribute><br>
<explicitReferentialIntegrity>false</explicitReferentialIntegrity><br>
</association><br>
</objectType><br>
<br>
This means midPoint
is able to associate
AD accounts with
this type of groups
and will show the
"Association" part
in GUI when editing
user - list of
groups for that
account.<br>
<br>
3. to <b>assign AD
account to any
existing AD group</b>
(EmailAllUsers in
this example), I
have a role in
midPoint:<br>
<br>
<role xmlns=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:c=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:icfs=<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</a><br>
xmlns:q=<a href="http://prism.evolveum.com/xml/ns/public/query-3" target="_blank">"http://prism.evolveum.com/xml/ns/public/query-3"</a><br>
xmlns:ri=<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a><br>
oid="b4b5059a-5cdc-4a2c-a184-bb6e0c67e064"><br>
<name>E-Mail</name><br>
<inducement><br>
<construction><br>
<!-- The c:
prefix in type must
be there due to a
JAXB bug --><br>
<resourceRef
oid="00000000-0000-0000-0001-100000000002"
type="c:ResourceType"/><br>
<association><br>
<ref>ri:adGroups</ref><br>
<outbound><br>
<strength>strong</strength><br>
<expression><br>
<associationTargetSearch><br>
<filter><br>
<q:equal><br>
<q:path><br>
declare namespace
icfs=<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</a>;<br>
declare namespace
ri=<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a>;<br>
attributes/ri:samAccountName<br>
</q:path><br>
<expression><br>
<script><br>
<code><br>
return '<b>EmailAllUsers</b>'
<!-- group's
sAMAccountName in AD
--><br>
</code><br>
</script><br>
</expression><br>
</q:equal><br>
</filter><br>
<searchOnResource>true</searchOnResource><br>
</associationTargetSearch><br>
</expression><br>
</outbound><br>
</association><br>
</construction><br>
</inducement><br>
</role><br>
<br>
If this role is
assigned to user in
midPoint, it will
create AD account
(if it does not
exist yet) it will
search for a group
named
"EmailAllUsers" (by
sAMAccountName) and
add user to that
group if such group
exists.<br>
<br>
4. if you want to <b>create
groups</b> in AD
from midPoint, they
must be regarded as
a projection of
either User,
Organization or Role
in midPoint. In my
scenario, for some
Organization I
create the type of
groups I referred to
above by assignin a
role to an <b>organization</b>,
e.g.:<br>
<br>
<role
oid="00000000-0000-0000-0004-000000000010"<br>
xmlns=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:c=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:t=<a href="http://prism.evolveum.com/xml/ns/public/types-3" target="_blank">"http://prism.evolveum.com/xml/ns/public/types-3"</a>><br>
<name>Meta-role
for organizational
structure
replication to
AD</name><br>
<inducement><br>
<construction><br>
<!-- AD resource
--><br>
<resourceRef
oid="00000000-0000-0000-0001-100000000002"
type="c:ResourceType"/><br>
<b>
<kind>entitlement</kind></b><b><br>
</b><b>
<intent>group-municipality</intent></b><br>
</construction><br>
</inducement><br>
...<br>
</role><br>
<br>
This means that
midPoint will create
a group of that type
for the organization
in midPoint. Of
course, in
schemaHandling for
AD resource, in the
kind=entitlement and
intent=group-municipality
part, you have to
define proper
outbound mappings
(icfs:name = DN;
sAMAccountName and
possibly other
attributes) to
actually create the
group.<br>
<br>
And that's all, so
simple.<br>
<br>
Some examples can be
also seen in our
OrgSync scenario
wiki page: <a href="https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test" target="_blank">https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test</a>
(it is different
scenario as I've
described in my
example, but it's
very usable for
concept
understanding).<br>
<br>
Hope this helps.<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On
03/05/2015
09:44 AM,
Dharmendra
Parakh wrote:<br>
</div>
</div>
</div>
</div></div><blockquote type="cite">
<div>
<div>
<div dir="ltr"><div><div class="h5">Hi
<div><br>
</div>
<div>I have
been playing
around with AD
Connector and
i am facing an
issue where i
was trying to
create an AD
group using
the AD
Connector.</div>
<div><br>
</div>
<div>I have a
resource
configured
where the
default object
class is my AD
Group object
class and kind
is set to
account.</div>
<div>When i
try to create
the group by
creating a
account of
this resource
i see the<b>
group is
created on
Active
Directory</b>
but same does
not show up in
the midpoint
UI under
User's
accounts
panel.<br>
</div>
<div><br>
</div>
<div>I can see
the linkRef in
user's xml but
it is not
getting loaded
in UI and also
when i open
the user xml i
see an error: </div>
<div><br>
</div>
</div></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><div class="h5">
<div>
<div><font color="#000000" size="1">[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],
objectclass={.../resource/instance-3}CustomGroupObjectClass:
Object
identified by
[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]
was not found
by
connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
v1.4.1.20257
@ConnectorServer27:22:8759)</font></div>
</div>
<div>
<div><font color="#000000" size="1">com.evolveum.midpoint.util.exception.ObjectNotFoundException:
Object not
found.
identifiers=[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],
objectclass={.../resource/instance-3}CustomGroupObjectClass:
Object
identified by
[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]
was not found
by
connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
v1.4.1.20257
@ConnectorServer27:22:8759)</font></div>
</div>
<div>
<div><font color="#000000" size="1"><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.consistency.impl.ObjectNotFoundHandler.handleError(ObjectNotFoundHandler.java:268)~[provisioning-impl-3.2-SNAPSHOT.jar:na]</font></div>
</div>
</div></div><div>
<div><font color="#000000" size="1"><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.impl.ShadowCache.handleError(ShadowCache.java:683)~[provisioning-impl-3.2-SNAPSHOT.jar:na]</font></div>
</div>
</blockquote><div><div class="h5">
<div><br>
</div>
<div><br>
</div>
<div>We have
similar setup
for ldap group
provisioning
and that works
very fine.</div>
<div><br>
</div>
<div>I have
attached my
resource xml
with the
email, please
have a look
and let me
know if i am
doing anything
wrong here.</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards</div>
<div>Dharmendra</div>
</div></div></div>
<br>
<fieldset></fieldset>
<br>
</div>
</div><div><div class="h5">
<pre>_______________________________________________
midPoint-dev mailing list
<a href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><span><font color="#888888">
</font></span></pre>
<span><font color="#888888">
</font></span></div></div></blockquote><div><div class="h5">
<span><font color="#888888">
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div></div></div><div><div class="h5">
<br>
_______________________________________________<br>
midPoint-dev mailing
list<br>
<a href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><br>
<br>
</div></div></blockquote>
</div>
<br>
</div>
</blockquote><div><div class="h5">
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</div></div></div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote><div><div class="h5">
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</div></div></div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div><div><div class="h5">
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint-dev mailing list
<a href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a>
</pre>
</div></div></blockquote>
<br>
</div>
<br>_______________________________________________<br>
midPoint-dev mailing list<br>
<a href="mailto:midPoint-dev@lists.evolveum.com">midPoint-dev@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><br>
<br></blockquote></div><br></div>