From roman.pudil at ami.cz Mon Nov 2 13:04:41 2015
From: roman.pudil at ami.cz (Roman Pudil - AMI Praha a.s.)
Date: Mon, 02 Nov 2015 12:04:41 +0000
Subject: [midPoint] How to create User-User association?
Message-ID:

Hi all,

how to create user-user manager association (like user-entitlements) in midPoint resource?

I have Active Directory resource and in user object filled "manager" attribute (DN of another user) in AD. What is the right way to create user-manager association?

It seems, that user-entitlements association example modified to user-manager association does not work.

Here is part of my code - "account" schema handling on Active Directory resource:

    ri:mgr
    Manager
    account
    uzivatel-ad
    subjectToObject
    ri:manager
    icfs:name

Thanks!
Regards
Roman

Roman Pudil
solution architect
gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz

AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz

By the text of this e-mail the signatory neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s. Any contract, if concluded, must be exclusively in written form.

From ivan.noris at evolveum.com Mon Nov 2 13:48:47 2015
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 2 Nov 2015 13:48:47 +0100
Subject: [midPoint] How to create User-User association?
In-Reply-To:
References:
Message-ID: <56375BAF.5010303@evolveum.com>

Hi Roman,

I have done this for another (not AD) directory using midpoint's organizational structure, fetching the manager and his/her account attribute(s), i.e. not using entitlements.

It was something like this:

    ri:manager
    false
    strong
    . . .

Does this help a little?
Be advised as there is no source in the mapping, if manager of the user changes in midPoint, you need to recompute.

Regards,
Ivan

On 11/02/2015 01:04 PM, Roman Pudil - AMI Praha a.s. wrote:
> Hi all,
> how to create user-user manager association (like user-entitlements)
> in midPoint resource?
>
> I have Active Directory resource and in user object filled "manager"
> attribute (DN of another user) in AD.
> What is the right way to create user-manager association?
>
> It seems, that user-entitlements association example modified to
> user-manager association does not work.
>
> Here is part of my code - "account" schema handling on Active
> Directory resource:
>
>     ri:mgr
>     Manager
>     account
>     uzivatel-ad
>     subjectToObject
>     ri:manager
>     icfs:name
>
> Thanks!
> Regards
> Roman
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com
evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."

From radovan.semancik at evolveum.com Mon Nov 2 17:19:26 2015
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Mon, 2 Nov 2015 17:19:26 +0100
Subject: [midPoint] How to create User-User association?
In-Reply-To: <56375BAF.5010303@evolveum.com>
References: <56375BAF.5010303@evolveum.com>
Message-ID: <56378D0E.1080606@evolveum.com>

Hi,

On 11/02/2015 01:48 PM, Ivan Noris wrote:
> I have done this for another (not AD) directory using midpoint's
> organizational structure, fetching the manager and his/her account
> attribute(s), i.e. not using entitlements.

I can confirm that this is the right approach. At least for now.

The associations are designed to be used for account-entitlement or entitlement-entitlement relations. I have not foreseen the need for account-account association. As I'm thinking about it now there is nothing in the architecture that would prohibit that. But it is likely that the code is hardcoded in a way that the association target is an entitlement. You can try it, but my guess is that it is unlikely to work in current midPoint versions.

However this might be a nice addition for future midPoint versions. I have created a jira for that: https://jira.evolveum.com/browse/MID-2668

It is currently scheduled for "distant future". If any midPoint subscriber or contributor expresses enough "motivation" to implement it then I will add it to the roadmap.

--
Radovan Semancik
Software Architect
evolveum.com

From roman.pudil at ami.cz Tue Nov 3 09:42:46 2015
From: roman.pudil at ami.cz (Roman Pudil - AMI Praha a.s.)
Date: Tue, 03 Nov 2015 08:42:46 +0000
Subject: [midPoint] How to create User-User association?
In-Reply-To: <56375BAF.5010303@evolveum.com>
Message-ID:

Hi Ivan,

thanks, it partly helped me!

How can I search user in MidPoint repository by other attribute (or extension attribute) than name?

Thanks!
Regards
Roman

Roman Pudil
solution architect
gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz

AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz

------ Original message ------
From: "Ivan Noris"
To: midpoint at lists.evolveum.com
Sent: 2.11.2015 13:48:47
Subject: Re: [midPoint] How to create User-User association?

> Hi Roman,
>
> I have done this for another (not AD) directory using midpoint's
> organizational structure, fetching the manager and his/her account
> attribute(s), i.e. not using entitlements.
>
> It was something like this:
>
>     ri:manager
>     false
>     strong
>     . . .
>
> Does this help a little?
>
> Be advised as there is no source in the mapping, if manager of the user
> changes in midPoint, you need to recompute.
>
> Regards,
> Ivan
>
> On 11/02/2015 01:04 PM, Roman Pudil - AMI Praha a.s. wrote:
>> Hi all,
>> how to create user-user manager association (like user-entitlements)
>> in midPoint resource?
>>
>> I have Active Directory resource and in user object filled "manager"
>> attribute (DN of another user) in AD.
>> What is the right way to create user-manager association?
>>
>> It seems, that user-entitlements association example modified to
>> user-manager association does not work.
>>
>> Here is part of my code - "account" schema handling on Active
>> Directory resource:
>>
>>     ri:mgr
>>     Manager
>>     account
>>     uzivatel-ad
>>     subjectToObject
>>     ri:manager
>>     icfs:name
>>
>> Thanks!
>> Regards
>> Roman
From zamppa90 at hotmail.com Tue Nov 3 16:12:02 2015
From: zamppa90 at hotmail.com (Samu Viitanen)
Date: Tue, 3 Nov 2015 17:12:02 +0200
Subject: [midPoint] Search filters in IDM Model WS Interface
Message-ID:

Afternoon,

I am having issues with the following code

    QueryType query = new QueryType();
    ObjectFactory factory = new ObjectFactory();
    SearchFilterType filter = factory.createSearchFilterType();
    PropertyComplexValueFilterClauseType fc = factory.createPropertyComplexValueFilterClauseType();
    ItemPathType path = new ItemPathType();
    path.setValue("c:name");
    fc.setPath(path);
    fc.setValue("queryvalue");
    filter.setFilterClause(??????);
    query.setFilter(filter);

I noticed that SearchFilterType.setFilterClause only accepts org.w3c.dom.Element as a parameter. Is this intentional? If so, are there tools to create these dom elements?

I was just wondering since there are plenty of ways to create the filter clauses, but I just don't seem to get my head around how I could actually set the filter clause.

Sorry for the stupid question.

BR
Samu Viitanen

From sito.org at gmail.com Wed Nov 4 01:18:44 2015
From: sito.org at gmail.com (Jon V)
Date: Tue, 3 Nov 2015 16:18:44 -0800
Subject: [midPoint] new to IAMs -- general usage question
Message-ID:

hello. i have installed midpoint and played with it a little.
with all its complexity and options, i am still not sure if it is what i want to solve the problem i have.

i have an application with a set of data which i want to allow various types of access to, based upon set of criteria tied to the user. i do not wish to reinvent the wheel and write my own code to manage users, groups, passwords, authentication, etc etc, so an IAM seems like a great idea. however, i am not clear about creating *arbitrary* roles/permissions/groups that my *application* will need -- if this is what an IAM is designed for? (or if the roles, etc in the IAM are strictly for permissions *within* the IAM system itself and not meant to have meaning to outside systems.)

any tips on a place for a newbie to get assistance on usage of IAM would greatly be appreciated. thanks!

-jon

From petr at gasparik.cz Wed Nov 4 08:07:46 2015
From: petr at gasparik.cz (Petr Gašparík)
Date: Wed, 04 Nov 2015 07:07:46 +0000
Subject: [midPoint] new to IAMs -- general usage question
In-Reply-To:
References:
Message-ID:

Hi Jon,

Main question is what do you want to achieve:
- do you want to manage existing users repositories across applications (with all those audits and reconciliations) - hence identity management?
- or do you want to manage realtime access of users to the applications (with on the fly evaluation of risk profile etc) - hence access management?

MidPoint is very strong and suitable for the first case. For second case, there are other systems in IAM ecosystem, like Apereo's CAS

Regards, Petr Gašparík

On Wed, 4 Nov 2015 at 1:19, user Jon V wrote:
> hello. i have installed midpoint and played with it a little. with all
> its complexity and options, i am still not sure if it is what i want to
> solve the problem i have.
>
> i have an application with a set of data which i want to allow various
> types of access to, based upon set of criteria tied to the user.
> i do not
> wish to reinvent the wheel and write my own code to manage users, groups,
> passwords, authentication, etc etc, so an IAM seems like a great idea.
> however, i am not clear about creating *arbitrary*
> roles/permissions/groups that my *application* will need -- if this is
> what an IAM is designed for? (or if the roles, etc in the IAM are strictly
> for permissions *within* the IAM system itself and not meant to have
> meaning to outside systems.)
>
> any tips on a place for a newbie to get assistance on usage of IAM would
> greatly be appreciated. thanks!
>
> -jon

--
Petr G.

From jeverling at bshp.edu Wed Nov 4 15:29:18 2015
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 4 Nov 2015 08:29:18 -0600
Subject: [midPoint] new to IAMs -- general usage question
In-Reply-To:
References:
Message-ID:

I wanted to reply to this one,

"or if the roles, etc in the IAM are strictly for permissions *within* the IAM system itself and not meant to have meaning to outside systems."

The roles, orgs, etc. in midpoint can have meaning outside the system. A role/org in midpoint can be used to manage groups and roles in external systems, like LDAP groups or Unix groups and also generically.

JASON

On Wed, Nov 4, 2015 at 1:07 AM, Petr Gašparík wrote:
> Hi Jon,
> Main question is what do you want to achieve:
> - do you want to manage existing users repositories across applications
> (with all those audits and reconciliations) - hence identity management?
> - or do you want to manage realtime access of users to the applications
> (with on the fly evaluation of risk profile etc) - hence access
> management?
>
> MidPoint is very strong and suitable for the first case.
> For second case,
> there are other systems in IAM ecosystem, like Apereo's CAS
>
> Regards, Petr Gašparík
>
> On Wed, 4 Nov 2015 at 1:19, user Jon V wrote:
>
>> hello. i have installed midpoint and played with it a little. with all
>> its complexity and options, i am still not sure if it is what i want to
>> solve the problem i have.
>>
>> i have an application with a set of data which i want to allow various
>> types of access to, based upon set of criteria tied to the user. i do not
>> wish to reinvent the wheel and write my own code to manage users, groups,
>> passwords, authentication, etc etc, so an IAM seems like a great idea.
>> however, i am not clear about creating *arbitrary*
>> roles/permissions/groups that my *application* will need -- if this is
>> what an IAM is designed for? (or if the roles, etc in the IAM are strictly
>> for permissions *within* the IAM system itself and not meant to have
>> meaning to outside systems.)
>>
>> any tips on a place for a newbie to get assistance on usage of IAM would
>> greatly be appreciated. thanks!
>>
>> -jon
>
> --
> Petr G.

--
JASON

--
CONFIDENTIALITY NOTICE: This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions.
If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer.

From sito.org at gmail.com Wed Nov 4 19:01:47 2015
From: sito.org at gmail.com (Jon V)
Date: Wed, 4 Nov 2015 10:01:47 -0800
Subject: [midPoint] new to IAMs -- general usage question
Message-ID:

On Wed, Nov 4, 2015 at 3:00 AM, wrote:
> Hi Jon,
> Main question is what do you want to achieve:
> - do you want to manage existing users repositories across applications
> (with all those audits and reconciliations) - hence identity management?
> - or do you want to manage realtime access of users to the applications
> (with on the fly evaluation of risk profile etc) - hence access
> management?
>
> MidPoint is very strong and suitable for the first case. For second case,
> there are other systems in IAM ecosystem, like Apereo's CAS
>
> Regards, Petr Gašparík

thank you for your response, petr.

i guess it would be more the _second_ case for me, controlling access to the application (based on users). eventually we might get a more complex userbase that would involve more of the first kind of activity, but not to begin with. to start, i think it is more on the "A" in "IAM" as i am understanding it.

thanks for your suggestion of CAS... i will check it out.

-jon
From midpoint at mybtinternet.com Thu Nov 5 13:23:31 2015
From: midpoint at mybtinternet.com (midpoint at mybtinternet.com)
Date: Thu, 5 Nov 2015 12:23:31 +0000 (GMT)
Subject: [midPoint] Password policy issue
Message-ID: <15908382.24716.1446726211752.JavaMail.defaultUser@defaultHost>

Hi,

Seems to be a new password policy issue(s) for 3.2 ...

I have a HR feed, csvfile, and this generates a new password on user import. The password generated does not meet the minimum length for the default password policy; e.g.

# ----- default pw policy extract -----
    7
    3
    false

# ----- result of import -----
Failed to import: com.evolveum.midpoint.model.api.PolicyViolationException: Provided password does not satisfy password policies. Required minimal size (7) of password is not met (password length: 6) : Failed to import: com.evolveum.midpoint.model.api.PolicyViolationException: Provided password does not satisfy password policies. Required minimal size (7) of password is not met (password length: 6)

When referencing another password policy from the feed resource, this seems to be ignored in favour of the default password policy; e.g.

# ----- another pw policy -----
    8
    3
    false

# ----- reference another pw policy -----
    weak

Import results in the same error message as before.

Regards,
Anton

From midpoint at mybtinternet.com Thu Nov 5 13:40:34 2015
From: midpoint at mybtinternet.com (midpoint at mybtinternet.com)
Date: Thu, 5 Nov 2015 12:40:34 +0000 (GMT)
Subject: [midPoint] New ldap connector and auxiliary objectClasses
In-Reply-To:
References: <10419466.34073.1445513804668.JavaMail.defaultUser@defaultHost> <5628D373.5020507@evolveum.com> <15205466.39985.1445517053518.JavaMail.defaultUser@defaultHost> <5628D98B.4070801@evolveum.com> <29171323.51948.1445523575671.JavaMail.defaultUser@defaultHost> <56293FBC.3020801@evolveum.com> <17395086.9030.1445589864375.JavaMail.defaultUser@defaultHost> <562A144B.2030900@evolveum.com> <23217643.40293.1445606424071.JavaMail.defaultUser@defaultHost> <562A435C.5010803@evolveum.com> <562BE222.1060208@evolveum.com>
Message-ID: <33476908.26175.1446727234203.JavaMail.defaultUser@defaultHost>

Hi,

I have not tried talking to AD, not in the new env, but have used the snapshot connector on OpenDJ ... Also had to switch to connector-ldap-1.4.2.0-20151029.212327-51.jar as the other (older) was replaced.

Can confirm this works nicely with my use of auxiliary objectClasses.
Also, I like the feel of the new connector; much cleaner ... great job!

One thing I did notice; I delete the older connector using REST on build phase. The new resource is created using the new connector also during build. As I also update system configuration, a restart of midPoint is required. Post restart, the older connector is back in the list of connectors.

Regards,
Anton

----Original message----
From : jeverling at bshp.edu
Date : 26/10/2015 - 19:38 (GMT)
To : midpoint at lists.evolveum.com
Subject : Re: [midPoint] New ldap connector and auxiliary objectClasses

> That is good news! I don't think, out of all the other systems I looked at a while back, had this type of feature or on any of their road maps, they all required a connector server. We do not use the scripting or exchange features, we use Office 365/Google Apps which currently has their own sync running.
>
> I will also test it out in my dev environment and report anything,
>
> JASON
>
> On Sat, Oct 24, 2015 at 2:55 PM, Ivan Noris wrote:
>
> Hi Jason,
>
> yes, with some restrictions - no home directory creation, no scripting on server side, no Exchange support.
>
> My colleagues are already testing/deploying the connector and (will) have more real-life experiences soon. I expect I will probably also deploy it the following weeks.
>
> Regards,
> Ivan
>
> On 10/23/2015 09:59 PM, Jason Everling wrote:
>
>> A built-in AD connector? Wow, that is great! Does that mean we would not have to rely on a connector server anymore?
>>
>> JASON
>>
>> On Fri, Oct 23, 2015 at 9:25 AM, Radovan Semancik wrote:
>>
>> Hi,
>>
>> On 10/23/2015 03:20 PM, midpoint at mybtinternet.com wrote:
>>
>>> I agree with your principles around retrieving and interpreting the schema. However, attribute names are not supposed to be case sensitive. I have worked with many servers, and have only encountered one that was. I believe this was configurable in that particular server.
>>
>> Yes, that's right. They are not supposed to be case sensitive.
>> But I think it is good practice for operations to use the same capitalization as is specified in the schema. I have seen some problems with this in the past. I'm not sure how much this applies to current LDAP servers, but it is perhaps better to stay on the safe side. And the same applies to object classes. Actually, I have seen a problem with objectclass name capitalization just a couple of days ago ...
>>
>>> As for the server that provided no syntax definitions; wow!! I have not encountered that before ... do you mean when querying the server or no syntax period?
>>
>> Actually, the attributeTypes definition provided syntax OID (otherwise it would be a complete disaster). But there was no ldapSyntaxes definition. None at all. Fortunately, the Apache Directory API still works with this. Just instead of attributeType.getSyntax().getOid() I had to use attributeType.getSyntaxOid() - which seems to be the same but it is not. The former takes OID from ldapSyntaxes definition, the latter takes it from attributeTypes definition. So obviously, the former fails if there are no ldapSyntaxes definition. Simple fix, but unless you encounter a server like that it is hard to believe that this can actually happen ...
>>
>> So, the bottom line is that the more LDAP servers are tested with the new LDAP connector the more robust it will become. For now we have tested it with OpenLDAP, OpenDJ, OpenDS, 389ds, eDirectory and Active Directory. I'd appreciate reports of connector success/failure with any other directory server.
>>
>> --
>> Radovan Semancik
>> Software Architect
>> evolveum.com
>>
>> --
>> JASON
>
> --
> JASON

From midpoint at mybtinternet.com Thu Nov 5 13:46:19 2015
From: midpoint at mybtinternet.com (midpoint at mybtinternet.com)
Date: Thu, 5 Nov 2015 12:46:19 +0000 (GMT)
Subject: [midPoint] Build with updated system configuration
Message-ID: <18116615.26738.1446727579752.JavaMail.defaultUser@defaultHost>

Hi,

Currently I use REST to update my system's configuration at (automated) build time. This works, however it requires midPoint to be up and I need to restart post update to make the configuration active.

Is it possible to update the configuration prior to or during (initial) start-up? e.g. can I get midPoint to import custom configuration, system configuration, templates, policies etc at start-up?

Thx
Regards,
Anton

From ivan.noris at evolveum.com Thu Nov 5 13:48:34 2015
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 5 Nov 2015 13:48:34 +0100
Subject: [midPoint] New ldap connector and auxiliary objectClasses
In-Reply-To: <33476908.26175.1446727234203.JavaMail.defaultUser@defaultHost>
References: <10419466.34073.1445513804668.JavaMail.defaultUser@defaultHost> <5628D373.5020507@evolveum.com> <15205466.39985.1445517053518.JavaMail.defaultUser@defaultHost> <5628D98B.4070801@evolveum.com> <29171323.51948.1445523575671.JavaMail.defaultUser@defaultHost> <56293FBC.3020801@evolveum.com> <17395086.9030.1445589864375.JavaMail.defaultUser@defaultHost> <562A144B.2030900@evolveum.com> <23217643.40293.1445606424071.JavaMail.defaultUser@defaultHost> <562A435C.5010803@evolveum.com> <562BE222.1060208@evolveum.com> <33476908.26175.1446727234203.JavaMail.defaultUser@defaultHost>
Message-ID: <563B5022.5000208@evolveum.com>

Hi Anton,

did not quite understand the last thing about deleting connectors.
Did you try to delete/remove connector which is bundled with midpoint? By deleting Connector object in repository? If this is so, the connector is still bundled, it's somewhere in WEB-INF/lib and corresponding Connector object will be created in repository when midpoint is starting.

Regards,
Ivan

On 11/05/2015 01:40 PM, midpoint at mybtinternet.com wrote:
> Hi,
>
> I have not tried talking to AD, not in the new env, but have used
> the snapshot connector on OpenDJ ...
> Also had to switch to connector-ldap-1.4.2.0-20151029.212327-51.jar
> as the other (older) was replaced.
>
> Can confirm this works nicely with my use of auxiliary objectClasses.
> Also, I like the feel of the new connector; much cleaner ... great job!
>
> One thing I did notice; I delete the older connector using REST on
> build phase. The new resource is created using the new connector also
> during build. As I also update system configuration, a restart of
> midPoint is required. Post restart, the older connector is back in the
> list of connectors.
>
> Regards,
> Anton
>
> ----Original message----
> From : jeverling at bshp.edu
> Date : 26/10/2015 - 19:38 (GMT)
> To : midpoint at lists.evolveum.com
> Subject : Re: [midPoint] New ldap connector and auxiliary objectClasses
>
> That is good news! I don't think, out of all the other systems I
> looked at a while back, had this type of feature or on any of
> their road maps, they all required a connector server. We do not
> use the scripting or exchange features, we use Office 365/Google
> Apps which currently has their own sync running.
>
> I will also test it out in my dev environment and report anything,
>
> JASON
>
> On Sat, Oct 24, 2015 at 2:55 PM, Ivan Noris wrote:
>
> Hi Jason,
>
> yes, with some restrictions - no home directory creation, no
> scripting on server side, no Exchange support.
>
> My colleagues are already testing/deploying the connector and
> (will) have more real-life experiences soon.
> I expect I will probably also deploy it the following weeks.
>
> Regards,
> Ivan
>
> On 10/23/2015 09:59 PM, Jason Everling wrote:
>> A built-in AD connector? Wow, that is great! Does that mean
>> we would not have to rely on a connector server anymore?
>>
>> JASON
>>
>> On Fri, Oct 23, 2015 at 9:25 AM, Radovan Semancik wrote:
>>
>> Hi,
>>
>> On 10/23/2015 03:20 PM, midpoint at mybtinternet.com wrote:
>>
>>> I agree with your principles around retrieving and
>>> interpreting the schema. However, attribute names are not
>>> supposed to be case sensitive. I have worked with many
>>> servers, and have only encountered one that was. I believe
>>> this was configurable in that particular server.
>>
>> Yes, that's right. They are not supposed to be case
>> sensitive. But I think it is good practice for operations
>> to use the same capitalization as is specified in the
>> schema. I have seen some problems with this in the past.
>> I'm not sure how much this applies to current LDAP
>> servers, but it is perhaps better to stay on the safe
>> side. And the same applies to object classes. Actually, I
>> have seen a problem with objectclass name capitalization
>> just a couple of days ago ...
>>
>>> As for the server that provided no syntax definitions; wow!!
>>> I have not encountered that before ... do you mean when
>>> querying the server or no syntax period?
>>
>> Actually, the attributeTypes definition provided syntax
>> OID (otherwise it would be a complete disaster). But
>> there was no ldapSyntaxes definition. None at all.
>> Fortunately, the Apache Directory API still works with
>> this. Just instead of attributeType.getSyntax().getOid()
>> I had to use attributeType.getSyntaxOid() - which seems to
>> be the same but it is not. The former takes OID from
>> ldapSyntaxes definition, the latter takes it from
>> attributeTypes definition. So obviously, the former fails
>> if there are no ldapSyntaxes definition.
Simple fix, but >> unless you encounter a server like that it is hard to >> believe that this can actually happen ... >> >> So, the bottom line is that the more LDAP servers are >> tested with the new LDAP connector the more robust it >> will become. For now we have tested it with OpenLDAP, >> OpenDJ, OpenDS, 389ds, eDirectory and Active Directory. >> I'd appreciate reports of connector success/failure with >> any other directory server. >> >> >> -- >> Radovan Semancik >> Software Architect >> evolveum.com >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> >> http://lists.evolveum.com/mailman/listinfo/midpoint >> >> >> >> >> -- >> JASON >> >> >> >> CONFIDENTIALITY NOTICE: >> This e-mail together with any attachments is proprietary and >> confidential; intended for only the recipient(s) named above >> and may contain information that is privileged. You should >> not retain, copy or use this e-mail or any attachments for >> any purpose, or disclose all or any part of the contents to >> any person. Any views or opinions expressed in this e-mail >> are those of the author and do not represent those of the >> Baptist School of Health Professions. If you have received >> this e-mail in error, or are not the named recipient(s), you >> are hereby notified that any review, dissemination, >> distribution or copying of this communication is prohibited >> by the sender and to do so might constitute a violation of >> the Electronic Communications Privacy Act, 18 U.S.C. section >> 2510-2521. Please immediately notify the sender and delete >> this e-mail and any attachments from your computer. >> >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint > > -- Ing. 
Ivan Noris Senior Identity Management Engineer & IDM > Architect evolveum.com > evolveum.com/blog/ > ___________________________________________________ "Semper > Id(e)M Vix." > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > > > > -- > JASON > > > > CONFIDENTIALITY NOTICE: > This e-mail together with any attachments is proprietary and > confidential; intended for only the recipient(s) named above and > may contain information that is privileged. You should not retain, > copy or use this e-mail or any attachments for any purpose, or > disclose all or any part of the contents to any person. Any views > or opinions expressed in this e-mail are those of the author and > do not represent those of the Baptist School of Health > Professions. If you have received this e-mail in error, or are not > the named recipient(s), you are hereby notified that any review, > dissemination, distribution or copying of this communication is > prohibited by the sender and to do so might constitute a violation > of the Electronic Communications Privacy Act, 18 U.S.C. section > 2510-2521. Please immediately notify the sender and delete this > e-mail and any attachments from your computer. > > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -- Ing. Ivan Noris Senior Identity Management Engineer & IDM Architect evolveum.com evolveum.com/blog/ ___________________________________________________ "Semper Id(e)M Vix." -------------- next part -------------- An HTML attachment was scrubbed... 
From midpoint at mybtinternet.com Thu Nov 5 14:00:27 2015
From: midpoint at mybtinternet.com (midpoint at mybtinternet.com)
Date: Thu, 5 Nov 2015 13:00:27 +0000 (GMT)
Subject: [midPoint] New ldap connector and auxiliary objectClasses
In-Reply-To: <563B5022.5000208@evolveum.com>
References: <10419466.34073.1445513804668.JavaMail.defaultUser@defaultHost> <5628D373.5020507@evolveum.com> <15205466.39985.1445517053518.JavaMail.defaultUser@defaultHost> <5628D98B.4070801@evolveum.com> <29171323.51948.1445523575671.JavaMail.defaultUser@defaultHost> <56293FBC.3020801@evolveum.com> <17395086.9030.1445589864375.JavaMail.defaultUser@defaultHost> <562A144B.2030900@evolveum.com> <23217643.40293.1445606424071.JavaMail.defaultUser@defaultHost> <562A435C.5010803@evolveum.com> <562BE222.1060208@evolveum.com> <33476908.26175.1446727234203.JavaMail.defaultUser@defaultHost> <563B5022.5000208@evolveum.com>
Message-ID: <26141301.27906.1446728427555.JavaMail.defaultUser@defaultHost>

Hi Ivan,

Yes, that was also my interpretation of what happens ... the point of deleting the older one was from a reference to a procedure in the Wiki .. I don't recall the exact page. What I was attempting to pre-empt was creating a new resource and this subsequently using the older connector.

So, what is supposed to happen when a new resource is created and more than one connector exists? I seem to recall that failed, but can't recall authoritatively.

Regards,
Anton

----Original message----
From : ivan.noris at evolveum.com
Date : 05/11/2015 - 12:48 (GMT)
To : midpoint at lists.evolveum.com
Subject : Re: [midPoint] New ldap connector and auxiliary objectClasses

Hi Anton,

did not quite understand the last thing about deleting connectors.

Did you try to delete/remove connector which is bundled with midPoint? By deleting Connector object in repository?

If this is so, the connector is still bundled, it's somewhere in WEB-INF/lib and corresponding Connector object will be created in repository when midPoint is starting.

Regards,
Ivan

From ivan.noris at evolveum.com Thu Nov 5 14:52:25 2015
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 5 Nov 2015 14:52:25 +0100
Subject: [midPoint] New ldap connector and auxiliary objectClasses
In-Reply-To: <26141301.27906.1446728427555.JavaMail.defaultUser@defaultHost>
References: <10419466.34073.1445513804668.JavaMail.defaultUser@defaultHost> <5628D373.5020507@evolveum.com> <15205466.39985.1445517053518.JavaMail.defaultUser@defaultHost> <5628D98B.4070801@evolveum.com> <29171323.51948.1445523575671.JavaMail.defaultUser@defaultHost> <56293FBC.3020801@evolveum.com> <17395086.9030.1445589864375.JavaMail.defaultUser@defaultHost> <562A144B.2030900@evolveum.com> <23217643.40293.1445606424071.JavaMail.defaultUser@defaultHost> <562A435C.5010803@evolveum.com> <562BE222.1060208@evolveum.com> <33476908.26175.1446727234203.JavaMail.defaultUser@defaultHost> <563B5022.5000208@evolveum.com> <26141301.27906.1446728427555.JavaMail.defaultUser@defaultHost>
Message-ID: <563B5F19.5050003@evolveum.com>

Hi,

On 11/05/2015 02:00 PM, midpoint at mybtinternet.com wrote:
> So, what is supposed to happen when a new resource is created and more than one connector exists? I seem to recall that failed, but can't recall authoritatively.

If more than one connector of the same connectorType exists, they must have different versions. It's no problem to have more than one version of the connector, for example for migration purposes. The only drawback is that if you import resource XML and the connectorRef is a filter, it may find more than one connector and fail.

Two options:
- use filter for connectorRef with connectorType and connectorVersion (nicer)
- don't use connectorRef, but reference the connector by oid (oid is different in each environment)

Eventually, with a newer midPoint you'll also have a newer connector bundled, and you can get rid of your added connector, use the bundled one and remove the restriction for connectorVersion in the filter.

Regards,
Ivan
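Ivan's first option, as an added example that is not part of the thread: a connectorRef filter in a midPoint 3.x resource definition that pins both connectorType and connectorVersion. The connector class name and the version string are assumptions for the snapshot build Anton mentioned; read the real values from the Connector objects in your repository before using them.

```xml
<!-- Added example, not from the thread. Resource fragment for midPoint 3.x.
     connectorType and connectorVersion values are assumptions: copy them from
     the Connector objects that midPoint created for the deployed jars. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>OpenDJ (new LDAP connector)</name>
    <connectorRef type="c:ConnectorType">
        <filter>
            <q:and>
                <q:equal>
                    <q:path>c:connectorType</q:path>
                    <q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value>
                </q:equal>
                <q:equal>
                    <!-- Without this clause two deployed versions of the same
                         connectorType both match and the import fails. -->
                    <q:path>c:connectorVersion</q:path>
                    <q:value>1.4.2.0-SNAPSHOT</q:value>
                </q:equal>
            </q:and>
        </filter>
    </connectorRef>
    <!-- connectorConfiguration, schema, schemaHandling ... as before -->
</resource>
```

The version clause is what makes the import deterministic: the same resource XML resolves to exactly one Connector object in every environment, and the resource cannot silently bind to the older connector that reappears after a restart recreates its Connector object. After importing, check which Connector the resource actually resolved to before running Test Connection; once a newer midPoint ships the connector bundled, drop the connectorVersion clause again as Ivan suggests.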
From ivan.noris at evolveum.com Thu Nov 5 16:14:57 2015
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 5 Nov 2015 16:14:57 +0100
Subject: [midPoint] How to create User-User association?
Message-ID: <563B7271.4030009@evolveum.com>

Hi Roman,

you mean by using midPoint library or some other means..?

i.

On 11/03/2015 09:42 AM, Roman Pudil - AMI Praha a.s. wrote:
> Hi Ivan,
>
> thanks, it partly helped me!
> How can I search user in MidPoint repository by other attribute (or extension attribute) than name?
>
> Thanks!
> Regards
> Roman

From roman.pudil at ami.cz Thu Nov 5 16:26:36 2015
From: roman.pudil at ami.cz (Roman Pudil - AMI Praha a.s.)
Date: Thu, 05 Nov 2015 15:26:36 +0000
Subject: [midPoint] How to create User-User association?
In-Reply-To: <563B7271.4030009@evolveum.com>

Hi Ivan,

yes, I mean midPoint library. I have already found a solution. Here is part of my code (in template or resource definition):

From jeverling at bshp.edu Thu Nov 5 19:16:17 2015
From: jeverling at bshp.edu (Jason Everling)
Date: Thu, 5 Nov 2015 12:16:17 -0600
Subject: [midPoint] Any type of fail safe tricks or settings?

I was thinking about this today..

What if one day my CSV file sends out a file that is blank with just the headers, like if something just goes wrong with the connection or base query. Since my CSV resource is authoritative for who should be enabled or disabled, it would disable everyone because they are missing from the file. I don't think that could happen, I wrote in as many fail safes as I could into the Talend job that creates the CSV but....

Is there any type of mechanism that I can set that says if accounts to be changed is more than {n} then stop or suspend task?

Just thinking!

JASON

From mederly at evolveum.com Thu Nov 5 21:01:58 2015
From: mederly at evolveum.com (Pavol Mederly)
Date: Thu, 5 Nov 2015 21:01:58 +0100
Subject: [midPoint] Search filters in IDM Model WS Interface
Message-ID: <563BB5B6.3010209@evolveum.com>

Hello Samu,

because midPoint uses multiple formats for data serialization (XML, JSON, YAML - although the support for the latter two is not fully finished yet), we don't rely on JAXB any more. We treat some data structures (mainly in the prism module) in quite a custom way. This causes some slight issues when trying to cooperate with JAXB serialization, namely, when interfacing via Web Services.

So, to answer your questions:

The weird setFilterClause method and its "Element" parameter is one of these issues.
One of the methods how to create queries can be seen in the model-client-sample:

    // WARNING: in a real case make sure that the username is properly
    // escaped before putting it in XML (an unescaped value can break the
    // document or change the structure of the filter; the JAXB variant
    // below avoids the string concatenation altogether)
    // Note: the XML element names were scrubbed in the list archive and are
    // restored here to match the equal/path/value clause built via JAXB below.
    SearchFilterType filter = ModelClientUtil.parseSearchFilterType(
            "<equal xmlns='http://prism.evolveum.com/xml/ns/public/query-3'" +
            " xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>" +
                "<path>c:name</path>" +
                "<value>" + username + "</value>" +
            "</equal>");
    QueryType query = new QueryType();
    query.setFilter(filter);

I tried to take your sample and make it working - it can be done in the following way:

    import javax.xml.bind.JAXBContext;
    import javax.xml.bind.JAXBElement;
    import javax.xml.bind.Marshaller;
    import javax.xml.transform.dom.DOMResult;
    import org.w3c.dom.Document;
    import com.evolveum.prism.xml.ns._public.query_3.ObjectFactory;
    import com.evolveum.prism.xml.ns._public.query_3.PropertyComplexValueFilterClauseType;
    import com.evolveum.prism.xml.ns._public.query_3.QueryType;
    import com.evolveum.prism.xml.ns._public.query_3.SearchFilterType;
    import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;

    QueryType query = new QueryType();
    SearchFilterType filter = new SearchFilterType();

    // the "equal" clause: path c:name, value = username
    PropertyComplexValueFilterClauseType fc = new PropertyComplexValueFilterClauseType();
    ItemPathType path = new ItemPathType();
    path.setValue("declare namespace c=\"http://midpoint.evolveum.com/xml/ns/public/common/common-3\"; c:name");
    fc.setPath(path);
    fc.setValue(username);   // set as a typed value, so no XML escaping is needed here

    // wrap the clause in its JAXB element and marshal it into a DOM Element,
    // which is what SearchFilterType.setFilterClause expects
    ObjectFactory factory = new ObjectFactory();
    JAXBElement<PropertyComplexValueFilterClauseType> equal = factory.createEqual(fc);
    JAXBContext jaxbContext = JAXBContext.newInstance(
            "com.evolveum.midpoint.xml.ns._public.common.api_types_3:" +
            "com.evolveum.midpoint.xml.ns._public.common.common_3:" +
            "com.evolveum.prism.xml.ns._public.annotation_3:" +
            "com.evolveum.prism.xml.ns._public.query_3:" +
            "com.evolveum.prism.xml.ns._public.types_3");
    Marshaller marshaller = jaxbContext.createMarshaller();
    DOMResult result = new DOMResult();
    marshaller.marshal(equal, result);
    filter.setFilterClause(((Document) result.getNode()).getDocumentElement());
    query.setFilter(filter);

(Of course, you can pre-create and cache jaxbContext or marshaller in order to avoid creating them each time.)

Best regards,
Pavol

On 3. 11. 2015 16:12, Samu Viitanen wrote:
> Afternoon,
>
> I am having issues with the following code
>
>     QueryType query = new QueryType();
>     ObjectFactory factory = new ObjectFactory();
>     SearchFilterType filter = factory.createSearchFilterType();
>     PropertyComplexValueFilterClauseType fc = factory.createPropertyComplexValueFilterClauseType();
>     ItemPathType path = new ItemPathType();
>     path.setValue("c:name");
>     fc.setPath(path);
>     fc.setValue("queryvalue");
>     filter.setFilterClause(??????);
>     query.setFilter(filter);
>
> I noticed that SearchFilterType.setFilterClause only accepts org.w3c.dom.Element as a parameter. Is this intentional? If so, are there tools to create these dom elements? I was just wondering since there are plenty of ways to create the filter clauses, but I just don't seem to get my head around how I could actually set the filter clause.
>
> Sorry for the stupid question.
>
> BR
>
> Samu Viitanen

From sito.org at gmail.com Thu Nov 5 22:50:40 2015
From: sito.org at gmail.com (Jon V)
Date: Thu, 5 Nov 2015 13:50:40 -0800
Subject: [midPoint] new to IAMs -- general usage question

On Thu, Nov 5, 2015 at 3:00 AM:
> From: Jason Everling
>
> I wanted to reply to this one,
>
> "or if the roles, etc in the IAM are strictly for permissions *within* the IAM system itself and not meant to have meaning to outside systems."
>
> The roles, orgs, etc.. in midpoint can have meaning outside the system. A role/org in midpoint can be used to manage groups and roles in external systems, like LDAP groups or Unix groups and also generically.
>
> JASON

thank you for your input, jason.
to help me wrap my head around what i am trying to do a bit more, i have started coding out some stubs from our codebase side, to see if i can meet midpoint, well, half-way, if you will. just some simple java classes and methods.

to put it in its simplest form, i am wanting to answer this (pseudocode) boolean question:

    object.canUserDo(user, activity)

my plan is to do this with a combination of roles and groups (e.g. a role permits activities, a user has a role *within a group*. the group is linked to the object). so really, i am hoping to not have to do all the group/role/user crud/ui/persistence at all, not reinvent the wheel.

now that i have a little more code on our end, i may try to map these concepts to midpoint and see if it can handle the management for us.

thanks again for feedback on my question,
-jon

From zamppa90 at hotmail.com Fri Nov 6 16:05:51 2015
From: zamppa90 at hotmail.com (Samu Viitanen)
Date: Fri, 6 Nov 2015 17:05:51 +0200
Subject: [midPoint] Search filters in IDM Model WS Interface
In-Reply-To: <563BB5B6.3010209@evolveum.com>
References: <563BB5B6.3010209@evolveum.com>

Hello Pavol,

Thank you for your response. I will use this code in my solution.

BR-
Samu

From jeverling at bshp.edu Tue Nov 10 20:17:46 2015
From: jeverling at bshp.edu (Jason Everling)
Date: Tue, 10 Nov 2015 13:17:46 -0600
Subject: [midPoint] New notification, need to verify my code

I tested the below code and it seems to work but I just wanted to verify I am using it correctly. Also, notifications are the last item to process, correct, after all changes have been made to the account?

Snippet from body expression code:

    "Status: " + requestee?.getActivation()?.getAdministrativeStatus() + " \n" +

Thanks!
JASON
From midpoint at mybtinternet.com Wed Nov 11 12:11:11 2015
From: midpoint at mybtinternet.com (midpoint at mybtinternet.com)
Date: Wed, 11 Nov 2015 11:11:11 +0000 (GMT)
Subject: [midPoint] Any type of fail safe tricks or settings?
Message-ID: <29257670.18512.1447240271503.JavaMail.defaultUser@defaultHost>

Hi Jason,

I've had to solve these kinds of problems for various projects in the past, admittedly not using midPoint. There are also other things that could be happening that cause similar issues; e.g. in-flight / broken transfers etc.

Solving the problem with midPoint would imply having some sort of preview or a running count of changes vs non-changes, or validation in the connector. Not aware of anything like this ...

Having a system with some decent scripting can help. Some strategies I used in the past:

- Check that modification time on target is at least # mins ago; e.g. not in-flight transfer
- Generate a checksum on the source and validate that on the target (md5sum, sha1sum, ...)
- A status line at the end; e.g. end of feed, a count, checksum, etc

You could, if using (UNIX / Linux) do a grep -v on header - check result for zero size.
Incoming transmission writes to a filename different from what your resource expects; validation copies / renames to the resource input name if validation is ok.

Regards,
Anton
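The checks Anton lists above (minimum file age, a checksum validated on the target, a header-only file detected by looking past the header, and renaming into the resource's input path only after validation), together with Jason's "if more than {n} accounts would change then stop" idea, combined into one pre-flight script. This is an added example, not code from the thread or from midPoint. It assumes a producer that drops FEED.csv plus a FEED.csv.sha256 sidecar into an incoming directory, that the CSV resource reads one fixed path, and that the last accepted feed is kept beside that path as PATH.last for the row-count comparison; the file names, the age and drop limits and the return codes are all assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight validation of an authoritative CSV feed before it
# is exposed to the midPoint CSV resource. Not code from the thread or from
# midPoint. Assumptions: the producer drops FEED.csv plus a FEED.csv.sha256
# sidecar (hex digest, sha256sum format) into an incoming directory; the
# resource reads one fixed path; the last accepted feed is kept as PATH.last.

FEED_MIN_AGE=${FEED_MIN_AGE:-300}   # seconds a file must be untouched (not in flight)
FEED_MAX_DROP=${FEED_MAX_DROP:-100} # max data rows that may vanish vs. last accepted feed

# digest FILE -> hex SHA-256 of FILE (GNU coreutils or Perl shasum)
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# file_age_seconds FILE -> seconds since last modification (GNU or BSD stat)
file_age_seconds() {
  mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
  echo $(( $(date +%s) - mtime ))
}

# data_rows FILE -> number of non-blank lines after the header row
data_rows() {
  tail -n +2 "$1" | grep -c -v '^[[:space:]]*$' || true
}

# validate_feed FEED LAST_ACCEPTED -> 0 if FEED may be published; otherwise
# a distinct non-zero code per failed check and a reason on stderr.
validate_feed() {
  feed=$1; prev=$2
  [ -s "$feed" ] || { echo "reject: $feed missing or empty" >&2; return 1; }

  # 1. not modified recently: the transfer is not still in flight
  age=$(file_age_seconds "$feed")
  [ "$age" -ge "$FEED_MIN_AGE" ] ||
    { echo "reject: modified ${age}s ago, transfer may be in flight" >&2; return 2; }

  # 2. checksum computed on the source must match what arrived on the target
  [ -f "$feed.sha256" ] || { echo "reject: no checksum sidecar" >&2; return 3; }
  expected=$(cut -d' ' -f1 "$feed.sha256")
  [ "$expected" = "$(digest "$feed")" ] ||
    { echo "reject: checksum mismatch, file truncated or altered" >&2; return 3; }

  # 3. header-only file: grep past the header must find something
  rows=$(data_rows "$feed")
  [ "$rows" -gt 0 ] || { echo "reject: header only, no data rows" >&2; return 4; }

  # 4. a sudden shrink would disable everyone missing from the file
  if [ -f "$prev" ]; then
    drop=$(( $(data_rows "$prev") - rows ))
    [ "$drop" -le "$FEED_MAX_DROP" ] ||
      { echo "reject: $drop fewer rows than last accepted feed (limit $FEED_MAX_DROP)" >&2; return 5; }
  fi
  return 0
}

# publish_feed FEED RESOURCE_INPUT -> validate, remember FEED as the new
# baseline, then rename it into the path the resource reads (atomic on the
# same filesystem, so the connector never sees a half-written file).
publish_feed() {
  validate_feed "$1" "$2.last" || return $?
  cp "$1" "$2.last" && mv "$1" "$2"
}

# Usage: feedcheck.sh /incoming/users.csv /var/midpoint/csv/users.csv
if [ "$#" -eq 2 ]; then
  publish_feed "$1" "$2"
fi
```

Run it from the job that delivers the file, before the resource's live sync or reconciliation task is due; a non-zero exit leaves the previous input untouched, so the worst case is a stale feed rather than a mass disable. The drop limit is a per-feed judgement: set it from the normal churn of the source, and treat a rejection as something a human confirms, which is Petr's "wait for manual confirmation" in script form.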
From roman.pudil at ami.cz Wed Nov 11 13:40:11 2015
From: roman.pudil at ami.cz (Roman Pudil - AMI Praha a.s.)
Date: Wed, 11 Nov 2015 12:40:11 +0000
Subject: [midPoint] Create account on resource with disable state

Hi all,

I have a user in midPoint with enabled state. Now, I want to create a new account on the Active Directory resource, but with disabled state. Then the AD admin performs settings of this account (adds other info, adds an initial password etc.) and enables it. And from then on I want to manage the user/account state from midPoint.

In other words, I need to set the disabled state of the account during creation on the resource (independent of the user state in midPoint), and later I need to manage the state from midPoint.

How to construct the "activation" part in the resource definition (or the "inducement" part in the role which assigns this resource)?

Thanks!

Regards
Roman

Roman Pudil
solution architect
gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz

By the text of this e-mail the signatory neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s. Any contract, if concluded, must be exclusively in written form.

From jeverling at bshp.edu Wed Nov 11 15:35:30 2015
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 11 Nov 2015 08:35:30 -0600
Subject: [midPoint] Any type of fail safe tricks or settings?
In-Reply-To: <29257670.18512.1447240271503.JavaMail.defaultUser@defaultHost>
References: <29257670.18512.1447240271503.JavaMail.defaultUser@defaultHost>

I didn't actually think to run anything on the file itself or check total count before transfer to file on source system.
I am pretty sure I could write something up in Talend to check the source and count before processing any further.

Thanks!
JASON
From roberto.casiano at cogitogroup.com.au Thu Nov 12 05:28:35 2015
From: roberto.casiano at cogitogroup.com.au (Roberto Casiano)
Date: Thu, 12 Nov 2015 04:28:35 +0000
Subject: [midPoint] need help creating new object type

Hi,

Is it possible to create a new object type? We have a requirement to have a separate Device object in midpoint that we could associate to Users. So we're thinking of creating a new object type called Device.

I tried to create an .xsd file, the contents of which are similar to that used when creating extensions, but extending FocusType instead. I placed it in midpoint.home/schema and restarted tomcat. I don't see any errors when tomcat starts up, but I don't know how to test if a new object type was indeed created. I have a hunch it did not create a new object type, but instead extended the definition of FocusType.

Can you please explain how to create a new object type, and how to test and verify?

Thanks,
Rob

This email, and any attachment, is confidential and also privileged. If you have received it in error, please notify me immediately and delete it from your system along with any attachments. You should not copy or use it for any purpose, nor disclose its contents to any other person.
From petr at gasparik.cz Thu Nov 12 07:48:58 2015
From: petr at gasparik.cz (Petr Gašparík)
Date: Thu, 12 Nov 2015 06:48:58 +0000
Subject: [midPoint] Any type of fail safe tricks or settings?
References: <29257670.18512.1447240271503.JavaMail.defaultUser@defaultHost>

Also, you can incorporate some logic like: if there are more than 100 changes, wait for manual confirmation of the changes.

P.

--
Petr G.

From ivan.noris at evolveum.com Thu Nov 12 08:37:50 2015
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 12 Nov 2015 08:37:50 +0100
Subject: [midPoint] Build with updated system configuration
In-Reply-To: <18116615.26738.1446727579752.JavaMail.defaultUser@defaultHost>
References: <18116615.26738.1446727579752.JavaMail.defaultUser@defaultHost>
Message-ID: <564441CE.9010306@evolveum.com>

Hi Anton,

the only thing I know is that midPoint is importing objects from the WAR file directory WEB-INF/classes/initial-objects. These seem to be imported in the order of sorted files.
But I assume the objects are imported only if they are not already present in the repository.

But it's interesting for me that you need to restart midPoint to apply configuration. For everything in System Configuration I'd NOT expect a restart. Logging configuration, object template references etc. are immediately active and when changed, system configuration is reloaded.

Regards,
Ivan

On 11/05/2015 01:46 PM, midpoint at mybtinternet.com wrote:
> Hi,
>
> Currently I use REST to update my system's configuration at (automated) build time. This works, however it requires midPoint to be up and I need to restart post update to make the configuration active. Is it possible to update the configuration prior to or during (initial) start-up? e.g. can I get midPoint to import custom configuration, system configuration, templates, policies etc at start-up? Thx
>
> Regards,
> Anton

From Radovan.Semancik at evolveum.com Thu Nov 12 15:00:00 2015
From: Radovan.Semancik at evolveum.com (Radovan Semancik)
Date: Thu, 12 Nov 2015 15:00:00 +0100 (CET)
Subject: [midPoint] need help creating new object type
Message-ID: <1036051784.94453.1447336800642.JavaMail.zimbra@evolveum.com>

Hi Roberto,

You have several options to use a new type in midPoint:

1) There is a GenericType XSD type already in the midPoint schema. You can use that. It is an almost empty type that has just the extension section. This was designed for run-time extensibility of object types (without the need to recompile midPoint).
2) You can add your type definition to the stock midPoint common-3.xsd schema and rebuild the project. But you will also have to change the implementation of the repo-sql-impl component to be able to store the objects into the database.

3) The "Device" data type seems interesting and my colleagues have been discussing midPoint extensions such as this for some time. So, maybe it is the right time to add a "DeviceType" object into the standard midPoint schema. We can cooperate on that. It is not a big task for the core midPoint team. The more demanding task would be to define the properties for this object type. Maybe we can cooperate on that? If you are interested in this option please drop me or Igor a private message and we can set up a call to discuss this.

Just a couple of words of explanation: the midPoint data model is divided in two parts: fixed and dynamic. The fixed part is processed during compilation. Java source code is generated from that. This allows us to conveniently use it in midPoint logic, do efficient refactorings, optimize object storage in the database and so on. This gives us great maintainability and operation qualities. The drawback is that this part is not easily extensible. Therefore each object also has a run-time extensible part (the extension part). This is easily extensible, but the capabilities are limited. So far we have been able to model all the use cases as an extension of the basic object types that are in midPoint (User, Role, Org). But it is maybe the right time to look beyond that and add new object types.

--
RS
From jeverling at bshp.edu Thu Nov 12 15:30:18 2015
From: jeverling at bshp.edu (Jason Everling)
Date: Thu, 12 Nov 2015 08:30:18 -0600
Subject: [midPoint] AD Sync Error

We had a second batch of new users, they were all created but the sync task no longer runs. It states:

--
JASON
From jeverling at bshp.edu Thu Nov 12 15:31:08 2015
From: jeverling at bshp.edu (Jason Everling)
Date: Thu, 12 Nov 2015 08:31:08 -0600
Subject: [midPoint] AD Sync Error

We had a second batch of new users, they were all created but the sync task no longer runs, i tried to delete the sync token but still no luck.

It states:

    1000000000005552898
    com.evolveum.midpoint.common.operation.liveSync
    FATAL_ERROR
    Internal Error: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1

    1000000000005552848
    com.evolveum.midpoint.provisioning.api.ProvisioningService.getObject
    SUCCESS

    1000000000005552899
    com.evolveum.midpoint.provisioning.api.ProvisioningService.synchronize
    FATAL_ERROR
    Synchronization error: unexpected problem: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1

--
JASON
Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jeverling at bshp.edu Thu Nov 12 16:32:19 2015 From: jeverling at bshp.edu (Jason Everling) Date: Thu, 12 Nov 2015 09:32:19 -0600 Subject: [midPoint] AD Sync Error In-Reply-To: References: Message-ID: I had to delete the task and recreate to get it to work again just so the processes could continue, I checked accounts before the task has the error and after and their accounts were created in AD so I am not sure how this happened. I have the debug logs I could send to whoever over private email. 
Thanks JASON On Thu, Nov 12, 2015 at 8:31 AM, Jason Everling wrote: > We had a second batch of new users, they were all created but the sync > task no longer runs, i tried to delete sync token but still no luck > > It states: > > 1000000000005552898 > com.evolveum.midpoint.common.operation.liveSync > FATAL_ERROR > Internal Error: Batch update returned unexpected row count from update > [0]; actual row count: 0; expected: 1 > 1000000000005552848 > com.evolveum.midpoint.provisioning.api.ProvisioningService.getObject > SUCCESS > 1000000000005552899 > com.evolveum.midpoint.provisioning.api.ProvisioningService.synchronize > FATAL_ERROR > Synchronization error: unexpected problem: Batch update returned > unexpected row count from update [0]; actual row count: 0; expected: 1 > > On Thu, Nov 12, 2015 at 8:30 AM, Jason Everling > wrote: > >> We had a second batch of new users, they were all created but the sync >> task no longer runs, >> >> It states: >> >> >> -- >> JASON >> > > > > -- > JASON > -- JASON -- CONFIDENTIALITY NOTICE: This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From jeverling at bshp.edu Thu Nov 12 17:17:08 2015 From: jeverling at bshp.edu (Jason Everling) Date: Thu, 12 Nov 2015 10:17:08 -0600 Subject: [midPoint] Found AD Sync Error, how to cleanup Message-ID: It was because a name had a ~ symbol above the last letter in their first name, I had to manually delete from AD and fix in our system. I cannot delete the AD shadow from midpoint Or how can my user creation template remove these values, I attached a screenshot of what it looks like. -- JASON -- CONFIDENTIALITY NOTICE: This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Capture.PNG Type: image/png Size: 758 bytes Desc: not available URL: From jeverling at bshp.edu Thu Nov 12 17:49:59 2015 From: jeverling at bshp.edu (Jason Everling) Date: Thu, 12 Nov 2015 10:49:59 -0600 Subject: [midPoint] Found AD Sync Error, how to cleanup In-Reply-To: References: Message-ID: Ohhh, I need to use the basic. 
functions when importing the first and last names so that the diacritics are removed, Now I just need to get the old shadow deleted from midpoint, it doesn't let me? JASON On Thu, Nov 12, 2015 at 10:17 AM, Jason Everling wrote: > It was because a name had a ~ symbol above the last letter in their first > name, I had to manually delete from AD and fix in our system. > > I cannot delete the AD shadow from midpoint > > Or how can my user creation template remove these values, I attached a > screenshot of what it looks like. > > > > -- > JASON > -- JASON -- CONFIDENTIALITY NOTICE: This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ivan.noris at evolveum.com Thu Nov 12 18:14:48 2015 From: ivan.noris at evolveum.com (Ivan Noris) Date: Thu, 12 Nov 2015 18:14:48 +0100 Subject: [midPoint] Found AD Sync Error, how to cleanup In-Reply-To: References: Message-ID: <5644C908.9030209@evolveum.com> Hi Jason, I always use basic.norm because our language has many diacritic characters unsuitable for most systems... 
Example from my object template for Users: (mapping, where user/givenName and user/familyName are sources) tmpGivenName = basic.norm(basic.stringify(givenName))?.tr(' ', '.') tmpFamilyName = basic.norm(basic.stringify(familyName))?.tr(' ', '.') return tmpGivenName + '.' + tmpFamilyName + iterationToken (everything is "normalized", diacritic characters replaced by ASCII, spaces are then replaced by dot (because basic.norm returns spaces as well) Regarding deleting shadow: how are you trying to delete it and what error you get? Are you deleting from "normal" GUI (editing user) or in Repository objects GUI? Regards, Ivan On 11/12/2015 05:49 PM, Jason Everling wrote: > Ohhh, I need to use the basic. functions when importing the first and > last names so that the diacritics are removed, > > Now I just need to get the old shadow deleted from midpoint, it > doesn't let me? > > JASON > > On Thu, Nov 12, 2015 at 10:17 AM, Jason Everling > wrote: > > It was because a name had a ~ symbol above the last letter in > their first name, I had to manually delete from AD and fix in our > system. > > I cannot delete the AD shadow from midpoint > > Or how can my user creation template remove these values, I > attached a screenshot of what it looks like. > > > > -- > JASON > > > > > -- > JASON > > > > CONFIDENTIALITY NOTICE: > This e-mail together with any attachments is proprietary and > confidential; intended for only the recipient(s) named above and may > contain information that is privileged. You should not retain, copy or > use this e-mail or any attachments for any purpose, or disclose all or > any part of the contents to any person. Any views or opinions > expressed in this e-mail are those of the author and do not represent > those of the Baptist School of Health Professions. 
If you have > received this e-mail in error, or are not the named recipient(s), you > are hereby notified that any review, dissemination, distribution or > copying of this communication is prohibited by the sender and to do so > might constitute a violation of the Electronic Communications Privacy > Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender > and delete this e-mail and any attachments from your computer. > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -- Ing. Ivan Noris Senior Identity Management Engineer & IDM Architect evolveum.com evolveum.com/blog/ ___________________________________________________ "Semper Id(e)M Vix." -------------- next part -------------- An HTML attachment was scrubbed... URL: From jeverling at bshp.edu Thu Nov 12 18:37:30 2015 From: jeverling at bshp.edu (Jason Everling) Date: Thu, 12 Nov 2015 11:37:30 -0600 Subject: [midPoint] Found AD Sync Error, how to cleanup In-Reply-To: <5644C908.9030209@evolveum.com> References: <5644C908.9030209@evolveum.com> Message-ID: I had my username geenration using that format but I need to do that also for the regular givenName and familyName attributes, Which function removes the diacritics while preserving the first letter uppercase? I was able to delete the user from the GUI but it got an error afterwards while trying to remove the shadow. The user is gone in the gui users list but in the debug pages shadow I can still see the old shadow. When trying to delete from the debug side is where i get there error. I attached a screenshot of the error JASON On Thu, Nov 12, 2015 at 11:14 AM, Ivan Noris wrote: > Hi Jason, > > I always use basic.norm because our language has many diacritic characters > unsuitable for most systems... 
> > Example from my object template for Users: > (mapping, where user/givenName and user/familyName are sources) > > tmpGivenName = basic.norm(basic.stringify(givenName))?.tr(' ', '.') > tmpFamilyName = basic.norm(basic.stringify(familyName))?.tr(' ', '.') > return tmpGivenName + '.' + tmpFamilyName + iterationToken > > (everything is "normalized", diacritic characters replaced by ASCII, > spaces are then replaced by dot (because basic.norm returns spaces as well) > > Regarding deleting shadow: how are you trying to delete it and what error > you get? Are you deleting from "normal" GUI (editing user) or in Repository > objects GUI? > > Regards, > Ivan > > > On 11/12/2015 05:49 PM, Jason Everling wrote: > > Ohhh, I need to use the basic. functions when importing the first and last > names so that the diacritics are removed, > > Now I just need to get the old shadow deleted from midpoint, it doesn't > let me? > > JASON > > On Thu, Nov 12, 2015 at 10:17 AM, Jason Everling > wrote: > >> It was because a name had a ~ symbol above the last letter in their first >> name, I had to manually delete from AD and fix in our system. >> >> I cannot delete the AD shadow from midpoint >> >> Or how can my user creation template remove these values, I attached a >> screenshot of what it looks like. >> >> >> >> -- >> JASON >> > > > > -- > JASON > > > > CONFIDENTIALITY NOTICE: > This e-mail together with any attachments is proprietary and confidential; > intended for only the recipient(s) named above and may contain information > that is privileged. You should not retain, copy or use this e-mail or any > attachments for any purpose, or disclose all or any part of the contents to > any person. Any views or opinions expressed in this e-mail are those of the > author and do not represent those of the Baptist School of Health > Professions. 
If you have received this e-mail in error, or are not the > named recipient(s), you are hereby notified that any review, dissemination, > distribution or copying of this communication is prohibited by the sender > and to do so might constitute a violation of the Electronic Communications > Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the > sender and delete this e-mail and any attachments from your computer. > > > _______________________________________________ > midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint > > > -- > Ing. Ivan Noris > Senior Identity Management Engineer & IDM Architect > evolveum.com evolveum.com/blog/ > ___________________________________________________ > "Semper Id(e)M Vix." > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > -- JASON -- CONFIDENTIALITY NOTICE: This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Capture.PNG Type: image/png Size: 96404 bytes Desc: not available URL: From ivan.noris at evolveum.com Thu Nov 12 19:16:59 2015 From: ivan.noris at evolveum.com (Ivan Noris) Date: Thu, 12 Nov 2015 19:16:59 +0100 Subject: [midPoint] Found AD Sync Error, how to cleanup In-Reply-To: References: <5644C908.9030209@evolveum.com> Message-ID: <5644D79B.4040905@evolveum.com> You can use something like: basic.norm(basic.stringify(givenName))?.replaceAll(/\w+/, { it[0].toUpperCase() + ((it.size() > 1) ? it[1..-1] : '') } )?.replace(' ', '') (this was not invented by me) Regarding the error - it's strange. AFAIK debug pages are not using provisioning, and this error seems to come from provisioning. I don't understand this... Ivan On 11/12/2015 06:37 PM, Jason Everling wrote: > I had my username geenration using that format but I need to do that > also for the regular givenName and familyName attributes, > > Which function removes the diacritics while preserving the first > letter uppercase? > > I was able to delete the user from the GUI but it got an error > afterwards while trying to remove the shadow. The user is gone in the > gui users list but in the debug pages shadow I can still see the old > shadow. When trying to delete from the debug side is where i get there > error. I attached a screenshot of the error > > JASON > > On Thu, Nov 12, 2015 at 11:14 AM, Ivan Noris > wrote: > > Hi Jason, > > I always use basic.norm because our language has many diacritic > characters unsuitable for most systems... > > Example from my object template for Users: > (mapping, where user/givenName and user/familyName are sources) > > tmpGivenName = basic.norm(basic.stringify(givenName))?.tr(' ', '.') > tmpFamilyName = basic.norm(basic.stringify(familyName))?.tr(' ', '.') > return tmpGivenName + '.' 
+ tmpFamilyName + iterationToken > > (everything is "normalized", diacritic characters replaced by > ASCII, spaces are then replaced by dot (because basic.norm returns > spaces as well) > > Regarding deleting shadow: how are you trying to delete it and > what error you get? Are you deleting from "normal" GUI (editing > user) or in Repository objects GUI? > > Regards, > Ivan > > > On 11/12/2015 05:49 PM, Jason Everling wrote: >> Ohhh, I need to use the basic. functions when importing the first >> and last names so that the diacritics are removed, >> >> Now I just need to get the old shadow deleted from midpoint, it >> doesn't let me? >> >> JASON >> >> On Thu, Nov 12, 2015 at 10:17 AM, Jason Everling >> > wrote: >> >> It was because a name had a ~ symbol above the last letter in >> their first name, I had to manually delete from AD and fix in >> our system. >> >> I cannot delete the AD shadow from midpoint >> >> Or how can my user creation template remove these values, I >> attached a screenshot of what it looks like. >> >> >> >> -- >> JASON >> >> >> >> >> -- >> JASON >> >> >> >> CONFIDENTIALITY NOTICE: >> This e-mail together with any attachments is proprietary and >> confidential; intended for only the recipient(s) named above and >> may contain information that is privileged. You should not >> retain, copy or use this e-mail or any attachments for any >> purpose, or disclose all or any part of the contents to any >> person. Any views or opinions expressed in this e-mail are those >> of the author and do not represent those of the Baptist School of >> Health Professions. If you have received this e-mail in error, or >> are not the named recipient(s), you are hereby notified that any >> review, dissemination, distribution or copying of this >> communication is prohibited by the sender and to do so might >> constitute a violation of the Electronic Communications Privacy >> Act, 18 U.S.C. section 2510-2521. 
Please immediately notify the >> sender and delete this e-mail and any attachments from your >> computer. >> >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint > > -- > Ing. Ivan Noris > Senior Identity Management Engineer & IDM Architect > evolveum.com evolveum.com/blog/ > ___________________________________________________ > "Semper Id(e)M Vix." > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > > > > -- > JASON > > > > CONFIDENTIALITY NOTICE: > This e-mail together with any attachments is proprietary and > confidential; intended for only the recipient(s) named above and may > contain information that is privileged. You should not retain, copy or > use this e-mail or any attachments for any purpose, or disclose all or > any part of the contents to any person. Any views or opinions > expressed in this e-mail are those of the author and do not represent > those of the Baptist School of Health Professions. If you have > received this e-mail in error, or are not the named recipient(s), you > are hereby notified that any review, dissemination, distribution or > copying of this communication is prohibited by the sender and to do so > might constitute a violation of the Electronic Communications Privacy > Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender > and delete this e-mail and any attachments from your computer. > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -- Ing. Ivan Noris Senior Identity Management Engineer & IDM Architect evolveum.com evolveum.com/blog/ ___________________________________________________ "Semper Id(e)M Vix." 
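An added illustration, not code from this thread and not midPoint's own implementation: the normalization that both of Ivan's mappings rely on, re-implemented in Python so it can be run and checked offline. basic.norm and basic.stringify are midPoint library functions whose exact contract is not given on this page, so norm() below is an assumption about what they do (Unicode NFKD decomposition, drop the combining marks, collapse everything that is not an ASCII letter or digit to a single space, lower-case). username() mirrors the tr(' ', '.') mapping, display_name() mirrors the replaceAll(/\w+/, ...) expression, and collisions() shows the caveat a practitioner should keep in mind when normalizing identifiers: the transformation is lossy, so two distinct people ("José Muñoz" and "Jose Munoz") collapse to the same username. That is exactly what iterationToken exists for; a provisioning pipeline must detect and resolve such a collision rather than silently attach one person's account to another. The sample names are constructed.

```python
"""Illustrative re-implementation of the diacritic-stripping normalization
used in the midPoint mappings discussed in this thread.  This is an added
example, not midPoint's basic.norm / basic.stringify; the behaviour of
norm() is an assumption about those library functions, not their contract."""
import re
import unicodedata

# Constructed sample input: given/family names as they might arrive from an
# HR feed, with diacritics, multi-part names and an apostrophe.
SAMPLE_NAMES = [
    ("José", "Muñoz"),
    ("Jose", "Munoz"),        # collides with the first pair after normalization
    ("Ľubomír", "Kováč"),
    ("Anne Marie", "O'Brien"),
]


def strip_diacritics(text: str) -> str:
    """Replace accented letters with their base letter.

    NFKD splits e.g. 'ñ' into 'n' + U+0303 (combining tilde); the combining
    marks (Unicode category Mn) are then dropped.  Letters without a canonical
    decomposition (ø, ł, ß) are left unchanged here and end up treated as
    separators by norm(), which is one reason to test normalization on real
    data before relying on it for identifiers.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def norm(text: str) -> str:
    """Assumed stand-in for basic.norm: ASCII letters and digits only,
    everything else collapsed to a single space, trimmed, lower-cased."""
    ascii_text = strip_diacritics(text)
    ascii_text = re.sub(r"[^A-Za-z0-9]+", " ", ascii_text)
    return ascii_text.strip().lower()


def username(given: str, family: str, iteration_token: str = "") -> str:
    """Equivalent of the thread's username mapping:
    norm(given).tr(' ', '.') + '.' + norm(family).tr(' ', '.') + iterationToken."""
    return (norm(given).replace(" ", ".") + "."
            + norm(family).replace(" ", ".") + iteration_token)


def display_name(text: str) -> str:
    """Equivalent of the replaceAll(/\\w+/, ...) expression: normalize, upper-case
    the first letter of every word, then drop the spaces."""
    capitalized = re.sub(r"\w+", lambda m: m.group(0)[0].upper() + m.group(0)[1:], norm(text))
    return capitalized.replace(" ", "")


def collisions(names):
    """Map each normalized username to the distinct raw inputs that produce it
    and return only the entries with more than one input.  Those are the cases
    an identity pipeline must resolve explicitly (midPoint: iterationToken)
    instead of merging two people into one account."""
    seen = {}
    for given, family in names:
        seen.setdefault(username(given, family), []).append((given, family))
    return {key: inputs for key, inputs in seen.items() if len(inputs) > 1}


if __name__ == "__main__":
    for given, family in SAMPLE_NAMES:
        print(f"{given} {family!r:12} -> {username(given, family)}  /  "
              f"{display_name(given)} {display_name(family)}")
    print("collisions:", collisions(SAMPLE_NAMES))
```

Running the block on the constructed names shows "José Muñoz" and "Jose Munoz" both mapping to jose.munoz; appending an iteration token ("1") to the second is how the thread's mapping keeps them apart, and collisions() is the check that tells you it is needed.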
-------------- next part -------------- An HTML attachment was scrubbed... URL: From mederly at evolveum.com Thu Nov 12 19:22:17 2015 From: mederly at evolveum.com (Pavol Mederly) Date: Thu, 12 Nov 2015 19:22:17 +0100 Subject: [midPoint] Found AD Sync Error, how to cleanup In-Reply-To: <5644D79B.4040905@evolveum.com> References: <5644C908.9030209@evolveum.com> <5644D79B.4040905@evolveum.com> Message-ID: <5644D8D9.1090002@evolveum.com> Ivo, the error actually comes from the repository; even if it is invoked by the provisioning (as it deals with shadows). I'm afraid it would be necessary to do some SQL magic :| Something like (writing from my head, hope it would work) update m_user set givenname_orig = 'x' where oid='y' (provided the problem is in given name, not in name itself - in that case it would be necessary to update name_orig in m_user and m_object tables as well. Pavol > You can use something like: > > basic.norm(basic.stringify(givenName))?.replaceAll(/\w+/, { > it[0].toUpperCase() + ((it.size() > 1) ? it[1..-1] : '') } > )?.replace(' ', '') > > (this was not invented by me) > > Regarding the error - it's strange. AFAIK debug pages are not using > provisioning, and this error seems to come from provisioning. I don't > understand this... > > Ivan > > On 11/12/2015 06:37 PM, Jason Everling wrote: >> I had my username geenration using that format but I need to do that >> also for the regular givenName and familyName attributes, >> >> Which function removes the diacritics while preserving the first >> letter uppercase? >> >> I was able to delete the user from the GUI but it got an error >> afterwards while trying to remove the shadow. The user is gone in the >> gui users list but in the debug pages shadow I can still see the old >> shadow. When trying to delete from the debug side is where i get >> there error. 
I attached a screenshot of the error >> >> JASON >> >> On Thu, Nov 12, 2015 at 11:14 AM, Ivan Noris > > wrote: >> >> Hi Jason, >> >> I always use basic.norm because our language has many diacritic >> characters unsuitable for most systems... >> >> Example from my object template for Users: >> (mapping, where user/givenName and user/familyName are sources) >> >> tmpGivenName = basic.norm(basic.stringify(givenName))?.tr(' ', '.') >> tmpFamilyName = basic.norm(basic.stringify(familyName))?.tr(' ', '.') >> return tmpGivenName + '.' + tmpFamilyName + iterationToken >> >> (everything is "normalized", diacritic characters replaced by >> ASCII, spaces are then replaced by dot (because basic.norm >> returns spaces as well) >> >> Regarding deleting shadow: how are you trying to delete it and >> what error you get? Are you deleting from "normal" GUI (editing >> user) or in Repository objects GUI? >> >> Regards, >> Ivan >> >> >> On 11/12/2015 05:49 PM, Jason Everling wrote: >>> Ohhh, I need to use the basic. functions when importing the >>> first and last names so that the diacritics are removed, >>> >>> Now I just need to get the old shadow deleted from midpoint, it >>> doesn't let me? >>> >>> JASON >>> >>> On Thu, Nov 12, 2015 at 10:17 AM, Jason Everling >>> wrote: >>> >>> It was because a name had a ~ symbol above the last letter >>> in their first name, I had to manually delete from AD and >>> fix in our system. >>> >>> I cannot delete the AD shadow from midpoint >>> >>> Or how can my user creation template remove these values, I >>> attached a screenshot of what it looks like. >>> >>> >>> >>> -- >>> JASON >>> >>> >>> >>> >>> -- >>> JASON >>> >>> >>> >>> CONFIDENTIALITY NOTICE: >>> This e-mail together with any attachments is proprietary and >>> confidential; intended for only the recipient(s) named above and >>> may contain information that is privileged. 
You should not >>> retain, copy or use this e-mail or any attachments for any >>> purpose, or disclose all or any part of the contents to any >>> person. Any views or opinions expressed in this e-mail are those >>> of the author and do not represent those of the Baptist School >>> of Health Professions. If you have received this e-mail in >>> error, or are not the named recipient(s), you are hereby >>> notified that any review, dissemination, distribution or copying >>> of this communication is prohibited by the sender and to do so >>> might constitute a violation of the Electronic Communications >>> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately >>> notify the sender and delete this e-mail and any attachments >>> from your computer. >>> >>> >>> _______________________________________________ >>> midPoint mailing list >>> midPoint at lists.evolveum.com >>> http://lists.evolveum.com/mailman/listinfo/midpoint >> >> -- >> Ing. Ivan Noris >> Senior Identity Management Engineer & IDM Architect >> evolveum.com evolveum.com/blog/ >> ___________________________________________________ >> "Semper Id(e)M Vix." >> >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint >> >> >> >> >> -- >> JASON >> >> >> >> CONFIDENTIALITY NOTICE: >> This e-mail together with any attachments is proprietary and >> confidential; intended for only the recipient(s) named above and may >> contain information that is privileged. You should not retain, copy >> or use this e-mail or any attachments for any purpose, or disclose >> all or any part of the contents to any person. Any views or opinions >> expressed in this e-mail are those of the author and do not represent >> those of the Baptist School of Health Professions. 
If you have >> received this e-mail in error, or are not the named recipient(s), you >> are hereby notified that any review, dissemination, distribution or >> copying of this communication is prohibited by the sender and to do >> so might constitute a violation of the Electronic Communications >> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify >> the sender and delete this e-mail and any attachments from your >> computer. >> >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint > > -- > Ing. Ivan Noris > Senior Identity Management Engineer & IDM Architect > evolveum.com evolveum.com/blog/ > ___________________________________________________ > "Semper Id(e)M Vix." > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -------------- next part -------------- An HTML attachment was scrubbed... URL: From jeverling at bshp.edu Thu Nov 12 20:03:31 2015 From: jeverling at bshp.edu (Jason Everling) Date: Thu, 12 Nov 2015 13:03:31 -0600 Subject: [midPoint] Found AD Sync Error, how to cleanup In-Reply-To: <5644D8D9.1090002@evolveum.com> References: <5644C908.9030209@evolveum.com> <5644D79B.4040905@evolveum.com> <5644D8D9.1090002@evolveum.com> Message-ID: Yeah it is in the shadow and the only attributes are , , After I update using sql statements I should be able to delete it? Thanks Ivan, ill see what I come up with JASON JASON On Thu, Nov 12, 2015 at 12:22 PM, Pavol Mederly wrote: > Ivo, > > the error actually comes from the repository; even if it is invoked by the > provisioning (as it deals with shadows). 
> > I'm afraid it would be necessary to do some SQL magic :| Something like > (writing from my head, hope it would work) > > update m_user set givenname_orig = 'x' where oid='y' > > (provided the problem is in given name, not in name itself - in that case > it would be necessary to update name_orig in m_user and m_object tables as > well. > > Pavol > > You can use something like: > > basic.norm(basic.stringify(givenName))?.replaceAll(/\w+/, { > it[0].toUpperCase() + ((it.size() > 1) ? it[1..-1] : '') } )?.replace(' ', > '') > > (this was not invented by me) > > Regarding the error - it's strange. AFAIK debug pages are not using > provisioning, and this error seems to come from provisioning. I don't > understand this... > > Ivan > > On 11/12/2015 06:37 PM, Jason Everling wrote: > > I had my username geenration using that format but I need to do that also > for the regular givenName and familyName attributes, > > Which function removes the diacritics while preserving the first letter > uppercase? > > I was able to delete the user from the GUI but it got an error afterwards > while trying to remove the shadow. The user is gone in the gui users list > but in the debug pages shadow I can still see the old shadow. When trying > to delete from the debug side is where i get there error. I attached a > screenshot of the error > > JASON > > On Thu, Nov 12, 2015 at 11:14 AM, Ivan Noris > wrote: > >> Hi Jason, >> >> I always use basic.norm because our language has many diacritic >> characters unsuitable for most systems... >> >> Example from my object template for Users: >> (mapping, where user/givenName and user/familyName are sources) >> >> tmpGivenName = basic.norm(basic.stringify(givenName))?.tr(' ', '.') >> tmpFamilyName = basic.norm(basic.stringify(familyName))?.tr(' ', '.') >> return tmpGivenName + '.' 
+ tmpFamilyName + iterationToken >> >> (everything is "normalized", diacritic characters replaced by ASCII, >> spaces are then replaced by dot (because basic.norm returns spaces as well) >> >> Regarding deleting shadow: how are you trying to delete it and what error >> you get? Are you deleting from "normal" GUI (editing user) or in Repository >> objects GUI? >> >> Regards, >> Ivan >> >> >> On 11/12/2015 05:49 PM, Jason Everling wrote: >> >> Ohhh, I need to use the basic. functions when importing the first and >> last names so that the diacritics are removed, >> >> Now I just need to get the old shadow deleted from midpoint, it doesn't >> let me? >> >> JASON >> >> On Thu, Nov 12, 2015 at 10:17 AM, Jason Everling < >> jeverling at bshp.edu> wrote: >> >>> It was because a name had a ~ symbol above the last letter in their >>> first name, I had to manually delete from AD and fix in our system. >>> >>> I cannot delete the AD shadow from midpoint >>> >>> Or how can my user creation template remove these values, I attached a >>> screenshot of what it looks like. >>> >>> >>> >>> -- >>> JASON >>> >> >> >> >> -- >> JASON >> >> >> >> CONFIDENTIALITY NOTICE: >> This e-mail together with any attachments is proprietary and >> confidential; intended for only the recipient(s) named above and may >> contain information that is privileged. You should not retain, copy or use >> this e-mail or any attachments for any purpose, or disclose all or any part >> of the contents to any person. Any views or opinions expressed in this >> e-mail are those of the author and do not represent those of the Baptist >> School of Health Professions. If you have received this e-mail in error, or >> are not the named recipient(s), you are hereby notified that any review, >> dissemination, distribution or copying of this communication is prohibited >> by the sender and to do so might constitute a violation of the Electronic >> Communications Privacy Act, 18 U.S.C. section 2510-2521. 
Please immediately >> notify the sender and delete this e-mail and any attachments from your >> computer. >> >> >> _______________________________________________ >> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint >> >> >> -- >> Ing. Ivan Noris >> Senior Identity Management Engineer & IDM Architect >> evolveum.com evolveum.com/blog/ >> ___________________________________________________ >> "Semper Id(e)M Vix." >> >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint >> >> > > > -- > JASON > > > > CONFIDENTIALITY NOTICE: > This e-mail together with any attachments is proprietary and confidential; > intended for only the recipient(s) named above and may contain information > that is privileged. You should not retain, copy or use this e-mail or any > attachments for any purpose, or disclose all or any part of the contents to > any person. Any views or opinions expressed in this e-mail are those of the > author and do not represent those of the Baptist School of Health > Professions. If you have received this e-mail in error, or are not the > named recipient(s), you are hereby notified that any review, dissemination, > distribution or copying of this communication is prohibited by the sender > and to do so might constitute a violation of the Electronic Communications > Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the > sender and delete this e-mail and any attachments from your computer. > > > _______________________________________________ > midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint > > > -- > Ing. Ivan Noris > Senior Identity Management Engineer & IDM Architect > evolveum.com evolveum.com/blog/ > ___________________________________________________ > "Semper Id(e)M Vix." 
From jeverling at bshp.edu Thu Nov 12 20:21:06 2015
From: jeverling at bshp.edu (Jason Everling)
Date: Thu, 12 Nov 2015 13:21:06 -0600
Subject: [midPoint] Found AD Sync Error, how to cleanup
In-Reply-To:
References: <5644C908.9030209@evolveum.com> <5644D79B.4040905@evolveum.com> <5644D8D9.1090002@evolveum.com>
Message-ID:

I checked the m_user, does not exist, probably because I deleted in gui,

m_shadow does not have diacritic, name_norm and name_orig look fine

m_object also does not have the diacritic either

I don't know where else to look, would it hurt anything if I do not worry about?
JASON
From jeverling at bshp.edu Thu Nov 12 20:25:33 2015
From: jeverling at bshp.edu (Jason Everling)
Date: Thu, 12 Nov 2015 13:25:33 -0600
Subject: [midPoint] Found AD Sync Error, how to cleanup
In-Reply-To:
References: <5644C908.9030209@evolveum.com> <5644D79B.4040905@evolveum.com> <5644D8D9.1090002@evolveum.com>
Message-ID:

Below is from debug and the only place it exists; I changed the last names and OIDs on purpose.

cn=Sam� V. Student,OU=Dept,OU=Students,DC=DOMAIN,DC=EDU
2015-11-12T08:21:54.668-06:00
http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync
ri:AccountObjectClass
account
default
0
<GUID=12345678910111213456677>
cn=sam� v. student,ou=dept,ou=students,dc=domain,dc=edu
enabled
2015-11-12T08:21:54.281-06:00

JASON
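The name normalization Ivan describes earlier in this thread (basic.norm, then spaces to dots for the login name, and the quoted variant that re-capitalizes each word and drops the spaces), approximated in Python as an added example; this is not midPoint's own basic.norm, whose lowercasing and whitespace collapsing are assumed from the thread, and it adds a check that reports the non-ASCII characters in a DN like the one in the shadow above so such a name can be caught before it is provisioned.

```python
import re
import unicodedata


def norm(value):
    """Approximation of midPoint's basic.norm (assumed behaviour, not midPoint's
    code): trim, strip diacritics, lowercase, and turn every run of
    non-alphanumeric characters into a single space."""
    if not value:
        return ""
    # NFKD splits an accented letter into base letter + combining mark,
    # e.g. 'ñ' -> 'n' + U+0303; the combining marks are then dropped.
    decomposed = unicodedata.normalize("NFKD", value)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    # Letters with no decomposition ('ø', 'ł', 'ß') are still non-ASCII; this
    # example replaces them with a space rather than letting them reach AD.
    ascii_only = "".join(
        c if (c.isascii() and c.isalnum()) else " " for c in stripped
    )
    return re.sub(r"\s+", " ", ascii_only).strip().lower()


def login_name(given_name, family_name, iteration_token=""):
    """Ivan's username mapping: norm each part, spaces -> '.', join with '.'
    and append the iteration token midPoint supplies on collisions."""
    tmp_given = norm(given_name).replace(" ", ".")
    tmp_family = norm(family_name).replace(" ", ".")
    return tmp_given + "." + tmp_family + iteration_token


def capitalized(value):
    """The quoted replaceAll(/\\w+/ ...) variant: normalize, uppercase the
    first letter of every word, then remove the spaces."""
    return "".join(word[0].upper() + word[1:] for word in norm(value).split())


def non_ascii_chars(text):
    """Return (index, char, unicode name) for every non-ASCII character, so a
    DN or icfs:name carrying diacritics can be spotted before it is stored."""
    return [
        (i, c, unicodedata.name(c, "UNKNOWN"))
        for i, c in enumerate(text)
        if not c.isascii()
    ]


if __name__ == "__main__":
    # Constructed sample values, modelled on the DN in the shadow above.
    print(login_name("Jos\u00e9", "N\u00fa\u00f1ez", "2"))
    print(capitalized("jos\u00e9 mar\u00eda"))
    print(non_ascii_chars("cn=Sam\u00f1 V. Student,OU=Dept,OU=Students"))
```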
From mederly at evolveum.com Thu Nov 12 22:10:45 2015
From: mederly at evolveum.com (Pavol Mederly)
Date: Thu, 12 Nov 2015 22:10:45 +0100
Subject: [midPoint] Found AD Sync Error, how to cleanup
In-Reply-To:
References: <5644C908.9030209@evolveum.com> <5644D79B.4040905@evolveum.com> <5644D8D9.1090002@evolveum.com>
Message-ID: <56450055.20000@evolveum.com>

Jason,

silly me... I interchanged m_user with m_shadow. Sorry for that. :(

You say that name_orig in m_shadow looks fine. But below you show that the name is "cn=Sam� V. Student" -> i.e. it does contain diacritics. So I'm a bit confused. :) What is the content of the name_orig in m_shadow / m_object?

Also, the problematic can be the value. It is in the table m_object_ext_string in column stringvalue in a row with owner_oid = Shadow OID and ename = 'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3#name'. You could check that one as well.

Before trying to update the database directly, I would try to fix the name/icfs:name via debug pages (if you haven't already tried that), and then delete it. If that's not possible (as I expect), I see two possible ways out:

1) fix the name/icfs:name in the database and then delete the shadow via repository objects functionality, or
2) directly delete the relevant records in m_shadow, m_object and m_object_ext_string. Hopefully I haven't left out any relevant table... (if yes, you'd probably get a reference violation error).

Of course, directly editing/modifying the database data can be a bit dangerous. I'm not sure if anyone actually tried that in this way. So, I'd prefer to be 100% sure in identifying the exact cause of the problem before trying to remediate it.

If you could send me (either here or in private)

1) the value m_shadow.name_orig, m_object.name_orig, m_object_ext_string.stringvalue for rows with corresponding oid/owner_oid,
2) the exact stack trace of the exception you get when trying to delete the shadow via Repository Objects,

I/we would hopefully be able to provide some hints.

Overall, as you've asked, if you would not worry about this, it should not be an immediate problem. However, I'm not quite sure how the DB would react when it encounters such a shadow, e.g. when doing a reconciliation or something like that. I'd expect that you would (at least) get some exceptions in the log, or (in the worst case) interruptions of tasks' executions. So I'd suggest to solve that somehow :)

Best regards,
Pavol

On 12. 11. 2015 20:25, Jason Everling wrote:
> Below is from debug and the only place it exists; I changed the last names
> and OIDs on purpose.
>
> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> oid="00000000000000000000000000000000000"
> version="0">
> cn=Sam� V. Student,OU=Dept,OU=Students,DC=DOMAIN,DC=EDU
> 2015-11-12T08:21:54.668-06:00
> type="c:UserType">
> http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync
> type="c:ResourceType">
> ri:AccountObjectClass
> account
> default
> 0
> <GUID=12345678910111213456677>
> cn=sam� v. student,ou=dept,ou=students,dc=domain,dc=edu
> enabled
> 2015-11-12T08:21:54.281-06:00
>
> JASON
From zamppa90 at hotmail.com Mon Nov 16 15:22:40 2015
From: zamppa90 at hotmail.com (Samu Viitanen)
Date: Mon, 16 Nov 2015 16:22:40 +0200
Subject: [midPoint] Connector read operation
Message-ID:

Hello,

Not entirely sure if this is the right place to ask this, but any help would be appreciated.

I would like to know what is required in a customized connector to allow midPoint to read the resource objects? I am currently getting a "Resource does not support 'read' operation" when I try to open the account in User administration. I am currently not on my project computer so I can not paste the stack trace here, but I can paste it later if it helps.

PS: I seem to be able to search the objects by clicking "Accounts" in resource administration and get relatively correct results.

Best Regards
Samu Viitanen

From mailinglist at j-b-s.de Mon Nov 16 18:05:16 2015
From: mailinglist at j-b-s.de (mailinglist at j-b-s.de)
Date: Mon, 16 Nov 2015 18:05:16 +0100
Subject: [midPoint] user login / password
Message-ID: <330D59BC-E9FB-4997-BC7F-B3DED7B6794B@j-b-s.de>

Hi all!

I am currently evaluating midPoint and created several users.
Setting a password and saving the user always hides the password fields instead of showing '***', nevertheless it's stored correctly. But using the user and passwort it's impossible to query data via the rest interface (403 forbidden). Therefore I created a new user (superuser) and rest access works. Obviously I can not assign a superuser role to all users. Is there a particular "rest allowed" role? If not how can I check validity of a particular username / password? The superuser returns a "credential element" containg the hashed password but without duplicating the hash functionality it's not comparable.. Any idea? Thanks Jens Von meinem iPhone gesendet From jeverling at bshp.edu Mon Nov 16 20:43:37 2015 From: jeverling at bshp.edu (Jason Everling) Date: Mon, 16 Nov 2015 13:43:37 -0600 Subject: [midPoint] Any type of fail safe tricks or settings? In-Reply-To: References: <29257670.18512.1447240271503.JavaMail.defaultUser@defaultHost> Message-ID: Thanks for the ideas! I was able to create a couple of new processes in my talend job, so basically instead of what I was doing, checking connection > database query > write file , I am now checking connection > database query > write temp file in temp location > get total enrollment count from external source > analyze temp file to match enrollment count to row count in temp csv > if correct > send to folder where midpoint syncs > else > error, send email alert and do not copy file. I feel much more confident that it will not send over an empty file now. Awesome JASON JASON On Thu, Nov 12, 2015 at 12:48 AM, Petr Gašparík wrote: > Also, you can incorporate some logic like If there is more than 100 > changes, wait for manual confirmation of changes. > > P. > > Dne st 11. 11. 2015 15:36 uživatel Jason Everling > napsal: > >> I didn't actually think to run anything on the file itself or check total >> count before transfer to file on source system. 
I am pretty sure I could >> write something up in Talend to check the source and count before >> processing any further. >> >> Thanks! >> JASON >> >> On Wed, Nov 11, 2015 at 5:11 AM, wrote: >> >>> Hi Jason, >>> >>> I've had to solve these kinds of problems for various projects in the >>> past, admittedly >>> not using midPoint. There are also other things that could be >>> happening that cause >>> similar issues; e.g. in-flight / broken transfers etc. >>> >>> Solving the problem with midPoint would imply having some sort of >>> preview or a running >>> count of changes vs non-changes, or validation in the connector. Not >>> aware of anything >>> like this ... >>> >>> Having a system with some decent scripting can help. Some strategies I >>> used in the past: >>> >>> - Check that modification time on target is at least # mins ago; >>> e.g. not in-flight transfer >>> - Generate a checksum on the source and validate that on the target >>> (md5sum, sha1sum, ...) >>> - A status line at the end; e.g. end of feed, a count, checksum, etc >>> >>> >>> You could, if using (UNIX / Linux) do a grep -v on header - check >>> result for zero size. >>> Incoming transmission write to a filename different from what your >>> resource expects; validation >>> copies / renames to resource input name if validation is ok. >>> >>> Regards, >>> Anton >>> >>> ----Original message---- >>> From : jeverling at bshp.edu >>> Date : 05/11/2015 - 18:16 (GMT) >>> To : midpoint at lists.evolveum.com >>> Subject : [midPoint] Any type of fail safe tricks or settings? >>> >>> >>> I was thinking about this today.. >>> >>> What if one day my CSV file sends out a file that is blank with just the >>> headers, like if something just goes wrong with the connection or base >>> query. Since my CSV resource is authoritative for who should be enabled or >>> disabled, it would disable everyone because they are missing from the file.
>>> >>> I don't think that could happen, I wrote in as many fail safes as I >>> could into the Talend job that creates the CSV but.... >>> >>> Is there any type of mechanism that I can set that says if accounts to >>> be changed is more than {n} then stop or suspend task? >>> >>> Just thinking! >>> >>> JASON >>> >>> >>> >>> _______________________________________________ >>> midPoint mailing list >>> midPoint at lists.evolveum.com >>> http://lists.evolveum.com/mailman/listinfo/midpoint >>> >>> >> >> >> -- >> JASON >> >> >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint >> > -- > -- > Petr G. > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > --
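The feed-gating step Jason describes (write to a temporary location, compare the row count with a count from the source system, publish into the folder midPoint syncs from only when it matches, alert otherwise) together with Anton's strategies (settled modification time, a checksum validated on the target, an atomic rename into the name the resource expects), as an added POSIX shell example. It is not part of the thread and not midPoint's or Talend's code; the file names, the sample rows, the return codes and the `cksum`-based "<checksum> <size>" line format are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: gate an authoritative CSV feed before
# the midPoint CSV resource sees it. File names, sample data and the
# "<cksum> <size>" checksum line format are constructed assumptions.

# Number of data rows: drop the header line, ignore blank lines.
csv_data_rows() {
    tail -n +2 "$1" | grep -c '[^[:space:]]'
}

# feed_settled FILE MINUTES: succeeds when FILE was last modified at least
# MINUTES ago, i.e. the transfer is no longer in flight.
feed_settled() {
    [ -z "$(find "$1" -mmin "-$2" 2>/dev/null)" ]
}

# validate_feed FILE EXPECTED_ROWS MAX_DRIFT [CHECKSUM_FILE] [MIN_AGE_MIN]
# Return code: 0 accept; 1 missing or empty file; 2 header only;
# 3 row count differs from the source count by more than MAX_DRIFT;
# 4 checksum mismatch; 5 file still being written.
validate_feed() {
    feed=$1 expected=$2 drift=$3 sumfile=${4:-} min_age=${5:-0}
    [ -s "$feed" ] || return 1
    rows=$(csv_data_rows "$feed" || true)
    [ "$rows" -gt 0 ] || return 2
    delta=$((expected - rows))
    [ "$delta" -ge 0 ] || delta=$((0 - delta))
    [ "$delta" -le "$drift" ] || return 3
    if [ -n "$sumfile" ]; then
        # the source wrote "<cksum> <size>" for the file; recompute locally
        want=$(cut -d' ' -f1,2 "$sumfile")
        have=$(cksum "$feed" | cut -d' ' -f1,2)
        [ "$want" = "$have" ] || return 4
    fi
    if [ "$min_age" -gt 0 ]; then
        feed_settled "$feed" "$min_age" || return 5
    fi
    return 0
}

# publish_feed FILE SYNC_DIR NAME: copy under a temporary name, then rename
# atomically so the resource never reads a half-written file.
publish_feed() {
    tmp="$2/.incoming.$$"
    cp "$1" "$tmp" && mv "$tmp" "$2/$3"
}

# gate_feed FILE EXPECTED_ROWS SYNC_DIR NAME: the whole pipeline step.
# Accepted feeds are published; rejected ones stay where they are and the
# reason goes to stderr, which is where an alert hook would attach.
gate_feed() {
    rc=0
    validate_feed "$1" "$2" 0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        publish_feed "$1" "$3" "$4"
    else
        echo "feed $1 rejected (code $rc), not published" >&2
        return "$rc"
    fi
}
```

`gate_feed /tmp/export/users.csv "$COUNT_FROM_SOURCE" /srv/midpoint/feeds users.csv` is the call the export job would make after writing the temporary file; a header-only export returns 2 and nothing reaches the sync folder, so the resource keeps its last good file instead of disabling everyone.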
From mailinglist at j-b-s.de Tue Nov 17 18:30:20 2015 From: mailinglist at j-b-s.de (Jens Breitenstein) Date: Tue, 17 Nov 2015 18:30:20 +0100 Subject: [midPoint] user login / password (rest-role) In-Reply-To: <330D59BC-E9FB-4997-BC7F-B3DED7B6794B@j-b-s.de> References: <330D59BC-E9FB-4997-BC7F-B3DED7B6794B@j-b-s.de> Message-ID: <564B642C.7080305@j-b-s.de> I am trying to figure out how to add a "rest-role" in midpoint unfortunately without success... Digging in the sources I found two xml files: one for the "admin" the other for "superuser" definition, both located in "initial-objects". Furthermore I found a "Role-rest.xml" which is never used apart from tests. Naively I copied the Role-rest.xml to initial-objects and restarted the server, no success. I simply tried to recreate the REST-role via the admin UI (similar to End User or Superuser), but again without success, access still fails. Can anyone please give me a hint how to activate the "REST"-role in midpoint so I can assign it to a particular user via admin UI? Any hint or link to the documentation is appreciated. Thanks in advance Jens On 16/11/15 at 18:05, mailinglist at j-b-s.de wrote: > Hi all! > > I am currently evaluating midpoint and created several users. > > Setting a password and saving the user always hides the password fields instead of showing '***', nevertheless it's stored correctly. > > But using the user and password it's impossible to query data via the rest interface (403 forbidden). Therefore I created a new user (superuser) and rest access works. > > Obviously I can not assign a superuser role to all users. Is there a particular "rest allowed" role? > > If not how can I check validity of a particular username / password? The superuser returns a "credential element" containing the hashed password but without duplicating the hash functionality it's not comparable.. > > Any idea?
> > Thanks > > Jens > > > > > > Sent from my iPhone > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint
From devin at identityworksllc.com Tue Nov 17 19:07:53 2015 From: devin at identityworksllc.com (Devin Rosenbauer) Date: Tue, 17 Nov 2015 13:07:53 -0500 Subject: [midPoint] LDAP connector SSL Message-ID: Hey all, I'm working on deploying a demo LDAP connector to an OpenDJ LDAP instance. I've got everything set up and working great in non-SSL mode. When I switch the connection security configuration property to "ssl", the connection times out every time, with this root cause stack trace: Caused by: org.apache.directory.api.ldap.model.exception.LdapException: TimeOut occurred at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4138) ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1] at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1287) ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1] at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1185) ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1] at com.evolveum.polygon.connector.ldap.LdapConnector.bind(LdapConnector.java:1030) ~[connector-ldap-1.4.1.23.jar:na] After looking through the code, I'm guessing that the SSL filter is attempting to prompt the non-existent keyboard user to accept or deny the certificate. I've imported the cert as a trusted certificate into the Java cacerts file, but I'm not sure that that's what the LDAP connector is using. Any suggestions? -- Devin Rosenbauer Principal Consultant Identity Works LLC +1 585 210 3201
From jeverling at bshp.edu Tue Nov 17 19:11:41 2015 From: jeverling at bshp.edu (Jason Everling) Date: Tue, 17 Nov 2015 12:11:41 -0600 Subject: [midPoint] LDAP connector SSL In-Reply-To: References: Message-ID: I would try and import your LDAP Certs or LDAP CA Certs into the midpoint.home/keystore.jceks keystore. I had to put all our CA certs into this file and also Google's mail ca certs so that notifications would go out. The default password for the keystore is in your config.xml file JASON JASON On Tue, Nov 17, 2015 at 12:07 PM, Devin Rosenbauer < devin at identityworksllc.com> wrote: > Hey all, > > I'm working on deploying a demo LDAP connector to an OpenDJ LDAP instance. > I've got everything set up and working great in non-SSL mode. When I switch > the connection security configuration property to "ssl", the connection > times out every time, with this root cause stack trace: > > Caused by: org.apache.directory.api.ldap.model.exception.LdapException: > TimeOut occurred > at > org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4138) > ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1] > at > org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1287) > ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1] > at > org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1185) > ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1] > at > com.evolveum.polygon.connector.ldap.LdapConnector.bind(LdapConnector.java:1030) > ~[connector-ldap-1.4.1.23.jar:na] > > After looking through the code, I'm guessing that the SSL filter is > attempting to prompt the non-existent keyboard user to accept or deny the > certificate. I've imported the cert as a trusted certificate into the Java > cacerts file, but I'm not sure that that's what the LDAP connector is using. > > Any suggestions?
> > > > -- > Devin Rosenbauer > Principal Consultant > Identity Works LLC > +1 585 210 3201 > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > --
From gustav.palos at gmail.com Tue Nov 17 22:54:32 2015 From: gustav.palos at gmail.com (Pálos Gustáv) Date: Tue, 17 Nov 2015 22:54:32 +0100 Subject: [midPoint] LDAP connector SSL In-Reply-To: References: Message-ID: Hi, You can take inspiration from: https://wiki.evolveum.com/pages/viewpage.action?pageId=15859743 Gusto 2015-11-17 19:11 GMT+01:00 Jason Everling : > I would try and import your LDAP Certs or LDAP CA Certs into the > midpoint.home/keystore.jceks keystore. I had to put all our CA certs into > this file and also Google's mail ca certs so that notifications would go > out.
The default password for the keystore is in your config.xml file > > JASON > > JASON > > On Tue, Nov 17, 2015 at 12:07 PM, Devin Rosenbauer < > devin at identityworksllc.com> wrote: > >> Hey all, >> >> I'm working on deploying a demo LDAP connector to an OpenDJ LDAP >> instance. I've got everything set up and working great in non-SSL mode. >> When I switch the connection security configuration property to "ssl", the >> connection times out every time, with this root cause stack trace: >> >> Caused by: org.apache.directory.api.ldap.model.exception.LdapException: >> TimeOut occurred >> at >> org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4138) >> ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1] >> at >> org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1287) >> ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1] >> at >> org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1185) >> ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1] >> at >> com.evolveum.polygon.connector.ldap.LdapConnector.bind(LdapConnector.java:1030) >> ~[connector-ldap-1.4.1.23.jar:na] >> >> After looking through the code, I'm guessing that the SSL filter is >> attempting to prompt the non-existent keyboard user to accept or deny the >> certificate. I've imported the cert as a trusted certificate into the Java >> cacerts file, but I'm not sure that that's what the LDAP connector is using. >> >> Any suggestions? >> >> >> >> -- >> Devin Rosenbauer >> Principal Consultant >> Identity Works LLC >> +1 585 210 3201 >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint >> >> > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > -- With regards, Gustáv Pálos
From radovan.semancik at evolveum.com Wed Nov 18 18:25:51 2015 From: radovan.semancik at evolveum.com (Radovan Semancik) Date: Wed, 18 Nov 2015 18:25:51 +0100 Subject: [midPoint] LDAP connector SSL In-Reply-To: References: Message-ID: <564CB49F.3080802@evolveum.com> Hi, That's right. All the client-side certificate validations have to be non-interactive. So everything needs to be imported to midpoint.home/keystore.jceks. The guide is here: https://wiki.evolveum.com/pages/viewpage.action?pageId=15859743 The timeout error usually indicates a failed SSL/TLS handshake. One of the issues that I have seen is that some OpenLDAP configurations are not SSL, but STARTTLS. This is a different way to initiate a TLS connection. In that case "starttls" has to be used instead of "ssl". Another issue can be that the client and server cannot agree on the cipher suites. It looks like recent TLS versions have quite a limited set of supported cipher suites.
Unfortunately the Java libraries and/or Apache Directory API are not very good at reporting errors, so this one can also look like a timeout. If that is the case please try to force the use of an older TLS version on either client or server. I have added connector configuration options sslProtocol, enabledSecurityProtocols and enabledCipherSuites for that purpose. However, those are only supported in the development (master) version of the connector. Setting sslProtocol might help in your case (the values are protocol names from javax.net.ssl.SSLContext). -- Radovan Semancik Software Architect evolveum.com On 11/17/2015 07:11 PM, Jason Everling wrote: > I would try and import your LDAP Certs or LDAP CA Certs into the > midpoint.home/keystore.jceks keystore. I had to put all our CA certs > into this file and also Google's mail ca certs so that notifications > would go out. The default password for the keystore is in your > config.xml file > > JASON > > JASON > > On Tue, Nov 17, 2015 at 12:07 PM, Devin Rosenbauer > > wrote: > > Hey all, > > I'm working on deploying a demo LDAP connector to an OpenDJ LDAP > instance. I've got everything set up and working great in non-SSL > mode.
When I switch the connection security configuration property > to "ssl", the connection times out every time, with this root > cause stack trace: > > Caused by: > org.apache.directory.api.ldap.model.exception.LdapException: > TimeOut occurred > at > org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4138) > ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1] > at > org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1287) > ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1] > at > org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1185) > ~[api-all-1.0.0-M31-e1.jar:1.0.0-M31-e1] > at > com.evolveum.polygon.connector.ldap.LdapConnector.bind(LdapConnector.java:1030) > ~[connector-ldap-1.4.1.23.jar:na] > > After looking through the code, I'm guessing that the SSL filter > is attempting to prompt the non-existent keyboard user to accept > or deny the certificate. I've imported the cert as a trusted > certificate into the Java cacerts file, but I'm not sure that > that's what the LDAP connector is using. > > Any suggestions? > > > > -- > Devin Rosenbauer > Principal Consultant > Identity Works LLC > +1 585 210 3201 > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint
From devin at identityworksllc.com Thu Nov 19 19:00:07 2015 From: devin at identityworksllc.com (Devin Rosenbauer) Date: Thu, 19 Nov 2015 13:00:07 -0500 Subject: [midPoint] One connector for separate accounts on many Unix systems Message-ID: I'm curious if there's a clean way to do this in Midpoint. I have some ideas but don't want to reinvent the wheel if this sort of thing already exists. I've got a demo setup with ten different Unix systems which are authenticated locally. I would like to be able to provision an identical account to any / all of these Unix systems without creating ten identical connectors, replicating configuration, etc. That's just asking for misconfiguration disasters down the line. Is there a good Midpoint-y way to do this? Is there a good way to store the admin credentials separately for each of the ten hosts without making separate connectors? -- Devin Rosenbauer Principal Consultant Identity Works LLC +1 585 210 3201
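Returning to the LDAP connector SSL thread above: Jason's advice to import the LDAP CA certificates into `midpoint.home/keystore.jceks`, and Radovan's notes that the trust decision must be non-interactive, that a "timeout" is usually a failed handshake, and that the server may expect STARTTLS rather than LDAPS or may not share a cipher suite, as one added POSIX shell example. It is neither the thread's nor midPoint's own code: it imports a CA certificate into a JCEKS keystore with `keytool -noprompt` so no trust prompt can ever block the connector, checks the alias landed, and probes the server with `openssl s_client` in either mode (optionally forcing an older TLS version) to see where the handshake fails. The keystore path, alias, store-password placeholder and host names are assumptions; `openssl s_client -starttls ldap` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread or the midPoint project. Paths, alias,
# the store password placeholder and host names are assumptions.

# import_ldap_ca KEYSTORE STOREPASS ALIAS CERT_PEM
# Adds the certificate as a trusted entry in a JCEKS keystore. -noprompt is
# the point: the connector runs unattended, so the trust decision is made
# here, at import time, never at connect time.
import_ldap_ca() {
    keytool -importcert -noprompt \
        -keystore "$1" -storetype jceks -storepass "$2" \
        -alias "$3" -file "$4" >/dev/null 2>&1
}

# keystore_has_alias KEYSTORE STOREPASS ALIAS: succeeds if the entry exists.
keystore_has_alias() {
    keytool -list -keystore "$1" -storetype jceks -storepass "$2" \
        -alias "$3" >/dev/null 2>&1
}

# probe_ldap_tls HOST PORT MODE [TLS_FLAG]
# MODE is "ssl" (TLS from the first byte, usually port 636) or "starttls"
# (plain LDAP, usually 389, upgraded in-band). TLS_FLAG such as -tls1_2
# forces an older protocol version to test the cipher-suite theory from the
# thread. Returns 2 on a bad mode; otherwise openssl's own status, which is
# non-zero when the handshake fails.
probe_ldap_tls() {
    host=$1 port=$2 mode=$3 flag=${4:-}
    case "$mode" in
        ssl)      openssl s_client -connect "$host:$port" $flag </dev/null ;;
        starttls) openssl s_client -connect "$host:$port" -starttls ldap $flag </dev/null ;;
        *)        echo "mode must be ssl or starttls" >&2; return 2 ;;
    esac
}

# Usage with placeholder values: import the CA the LDAP server presents,
# confirm it is there, then probe the server in the mode the resource uses.
#   import_ldap_ca "$MIDPOINT_HOME/keystore.jceks" "$STORE_PASS" ldap-ca ldap-ca.pem
#   keystore_has_alias "$MIDPOINT_HOME/keystore.jceks" "$STORE_PASS" ldap-ca
#   probe_ldap_tls ldap.example.test 636 ssl
#   probe_ldap_tls ldap.example.test 389 starttls -tls1_2
```

If the `ssl` probe hangs or fails on port 389 while the `starttls` probe succeeds, the resource needs `starttls` rather than `ssl`, exactly the mismatch Radovan describes; if both fail with a handshake alert, compare the cipher list the server offers with what the connector's JVM enables before reaching for the `sslProtocol` option.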
From radovan.semancik at evolveum.com Thu Nov 19 19:13:54 2015 From: radovan.semancik at evolveum.com (Radovan Semancik) Date: Thu, 19 Nov 2015 19:13:54 +0100 Subject: [midPoint] One connector for separate accounts on many Unix systems In-Reply-To: References: Message-ID: <564E1162.1000203@evolveum.com> Hi, No, currently there is no easy way to do this. But you are not the first one to request this and such a feature is planned. All that is needed is that some midPoint subscriber/contributor/sponsor explicitly requests it so the priority of this feature is increased. -- Radovan Semancik Software Architect evolveum.com On 11/19/2015 07:00 PM, Devin Rosenbauer wrote: > I'm curious if there's a clean way to do this in Midpoint. I have some > ideas but don't want to reinvent the wheel if this sort of thing > already exists. > > I've got a demo setup with ten different Unix systems which are > authenticated locally. I would like to be able to provision an > identical account to any / all of these Unix systems without creating > ten identical connectors, replicating configuration, etc. That's just > asking for misconfiguration disasters down the line. > > Is there a good Midpoint-y way to do this? Is there a good way to > store the admin credentials separately for each of the ten hosts > without making separate connectors? > > -- > Devin Rosenbauer > Principal Consultant > Identity Works LLC > +1 585 210 3201 > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint
From devin at identityworksllc.com Thu Nov 19 19:17:06 2015 From: devin at identityworksllc.com (Devin Rosenbauer) Date: Thu, 19 Nov 2015 13:17:06 -0500 Subject: [midPoint] One connector for separate accounts on many Unix systems In-Reply-To: <564E1162.1000203@evolveum.com> References: <564E1162.1000203@evolveum.com> Message-ID: Is it possible to define a complex configuration type for a connector's connection-configuration info? Or is that restricted to strings and other simple types? If so, it would be easy enough to create a nested connection info like this: And have the connector decide which host info to use at an ICF level. Problem then, of course, is that you're passing around dozens of credentials with every connector call. On Thu, Nov 19, 2015 at 1:13 PM, Radovan Semancik < radovan.semancik at evolveum.com> wrote: > Hi, > > No, currently there is no easy way to do this. But you are not the first > one to request this and such a feature is planned. All that is needed is > that some midPoint subscriber/contributor/sponsor explicitly requests it so > the priority of this feature is increased. > > -- > Radovan Semancik > Software Architect evolveum.com > > > > On 11/19/2015 07:00 PM, Devin Rosenbauer wrote: > > I'm curious if there's a clean way to do this in Midpoint. I have some > ideas but don't want to reinvent the wheel if this sort of thing already > exists. > > I've got a demo setup with ten different Unix systems which are > authenticated locally. I would like to be able to provision an identical > account to any / all of these Unix systems without creating ten identical > connectors, replicating configuration, etc. That's just asking for > misconfiguration disasters down the line. > > Is there a good Midpoint-y way to do this? Is there a good way to store > the admin credentials separately for each of the ten hosts without making > separate connectors?
> > -- > Devin Rosenbauer > Principal Consultant > Identity Works LLC > +1 585 210 3201 > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > -- Devin Rosenbauer Principal Consultant Identity Works LLC +1 585 210 3201
From radovan.semancik at evolveum.com Thu Nov 19 19:22:33 2015 From: radovan.semancik at evolveum.com (Radovan Semancik) Date: Thu, 19 Nov 2015 19:22:33 +0100 Subject: [midPoint] One connector for separate accounts on many Unix systems In-Reply-To: References: <564E1162.1000203@evolveum.com> Message-ID: <564E1369.8080103@evolveum.com> I'm not sure what you mean by "connector's connection-configuration info". If you mean connector configuration parameters (the part) then the answer is no. This is limited by the design of ConnId (which is based on Sun Identity Connectors). Only primitive values can be used there. So the multi-resource feature needs to be implemented inside midPoint. What we plan is having something like "resource templates" that can hold parameters common for all similar resources. Then the actual resource definition will have just the special parameters (hostname, admin password) and the generic parameters and configurations will be taken from the template. See https://jira.evolveum.com/browse/MID-1653 -- Radovan Semancik Software Architect evolveum.com On 11/19/2015 07:17 PM, Devin Rosenbauer wrote: > Is it possible to define a complex configuration type for a > connector's connection-configuration info? Or is that restricted to > strings and other simple types?
If so, it would be easy enough to > create a nested connection info like this: > > > > > > > > > > > And have the connector decide which host info to use at an ICF level. > > Problem then, of course, is that you're passing around dozens of > credentials with every connector call. > > On Thu, Nov 19, 2015 at 1:13 PM, Radovan Semancik > > > wrote: > > Hi, > > No, currently there is no easy way to do this. But you are not the > first one to request this and such a feature is planned. All that > is needed is that some midPoint subscriber/contributor/sponsor > explicitly requests it so the priority of this feature is increased. > > -- > Radovan Semancik > Software Architect > evolveum.com > > > > On 11/19/2015 07:00 PM, Devin Rosenbauer wrote: >> I'm curious if there's a clean way to do this in Midpoint. I have >> some ideas but don't want to reinvent the wheel if this sort of >> thing already exists. >> >> I've got a demo setup with ten different Unix systems which are >> authenticated locally. I would like to be able to provision an >> identical account to any / all of these Unix systems without >> creating ten identical connectors, replicating configuration, >> etc. That's just asking for misconfiguration disasters down the line. >> >> Is there a good Midpoint-y way to do this? Is there a good way to >> store the admin credentials separately for each of the ten hosts >> without making separate connectors?
>> >> -- >> Devin Rosenbauer >> Principal Consultant >> Identity Works LLC >> +1 585 210 3201 >> >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > > > > -- > Devin Rosenbauer > Principal Consultant > Identity Works LLC > +1 585 210 3201 > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint
From devin at identityworksllc.com Thu Nov 19 19:41:05 2015 From: devin at identityworksllc.com (Devin Rosenbauer) Date: Thu, 19 Nov 2015 13:41:05 -0500 Subject: [midPoint] One connector for separate accounts on many Unix systems In-Reply-To: <564E1369.8080103@evolveum.com> References: <564E1162.1000203@evolveum.com> <564E1369.8080103@evolveum.com> Message-ID: That could work. I'd still like to avoid creating several hundred resource definitions just for Unix, if I can avoid it. We've seen clients with that many individually controlled Unix systems in Production. However, since it's easy enough to script creating 400 resource definitions with the hostname configurations, the template model would definitely work for now. On Thu, Nov 19, 2015 at 1:22 PM, Radovan Semancik < radovan.semancik at evolveum.com> wrote: > I'm not sure what you mean by "connector's connection-configuration info". > If you mean connector configuration parameters (the > part) then the answer is no. This is limited by > the design of ConnId (which is based on Sun Identity Connectors). Only > primitive values can be used there. > > So the multi-resource feature needs to be implemented inside midPoint.
> What we plan is having something like "resource templates" that can hold > parameters common for all similar resources. Then the actual resource > definition will have just the special parameters (hostname, admin password) > and the generic parameters and configurations will be taken from the > template. See https://jira.evolveum.com/browse/MID-1653 > > -- > Radovan Semancik > Software Architect evolveum.com > > > > On 11/19/2015 07:17 PM, Devin Rosenbauer wrote: > > Is it possible to define a complex configuration type for a connector's > connection-configuration info? Or is that restricted to strings and other > simple types? If so, it would be easy enough to create a nested connection > info like this: > > > > > > > > > > > And have the connector decide which host info to use at an ICF level. > > Problem then, of course, is that you're passing around dozens of > credentials with every connector call. > > On Thu, Nov 19, 2015 at 1:13 PM, Radovan Semancik < > radovan.semancik at evolveum.com> wrote: > >> Hi, >> >> No, currently there is no easy way to do this. But you are not the first >> one to request this and such a feature is planned. All that is needed is >> that some midPoint subscriber/contributor/sponsor explicitly requests it so >> the priority of this feature is increased. >> >> -- >> Radovan Semancik >> Software Architect evolveum.com >> >> >> >> On 11/19/2015 07:00 PM, Devin Rosenbauer wrote: >> >> I'm curious if there's a clean way to do this in Midpoint. I have some >> ideas but don't want to reinvent the wheel if this sort of thing already >> exists. >> >> I've got a demo setup with ten different Unix systems which are >> authenticated locally. I would like to be able to provision an identical >> account to any / all of these Unix systems without creating ten identical >> connectors, replicating configuration, etc. That's just asking for >> misconfiguration disasters down the line. >> >> Is there a good Midpoint-y way to do this?
>> Is there a good way to store the admin credentials separately for each of the ten hosts without making separate connectors?
>>
>> --
>> Devin Rosenbauer
>> Principal Consultant
>> Identity Works LLC
>> +1 585 210 3201

--
Devin Rosenbauer
Principal Consultant
Identity Works LLC
+1 585 210 3201

From devin at identityworksllc.com Fri Nov 20 21:49:31 2015
From: devin at identityworksllc.com (Devin Rosenbauer)
Date: Fri, 20 Nov 2015 15:49:31 -0500
Subject: [midPoint] CSV connector - reading passwords for new users
Message-ID:

Good afternoon,

I'm attempting to set up and modify another of the sample connectors. Specifically, I would like to use one of the samples/resources/csvfile connectors to read new users (not assignments) out of a CSV file. I imported the sample file *localhost-csvfile-resource-advanced-sync-2.xml* and created a CSV file that looks like this:

"id","firstname","lastname","description","disabled","password","testfield"
"test12",Test,User1,"Test User","false","secret","something"

Midpoint scans the schema, as appropriate, and identifies that one user in the file.
You can see, in the UI, all of the fields associated with that account, with the exception of the password. When I attempt to do "Import Account" in the UI to pull it in as a user (or on the resource screen, "Import accounts"), I get the following error message:

Failed to import: com.evolveum.midpoint.model.api.PolicyViolationException: Provided password does not satisfy password policies. Required minimal size (5) of password is not met (password length: 4)

As far as I can tell, the imported password is simply blank. If I click on the account and view "Account details", the password shows up only when I select "show empty fields". However, in that case, shouldn't the tag under tell Midpoint to just create a policy-satisfying password for that user?

--
Devin Rosenbauer
Principal Consultant
Identity Works LLC
+1 585 210 3201

From radovan.semancik at evolveum.com Mon Nov 23 10:21:27 2015
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Mon, 23 Nov 2015 10:21:27 +0100
Subject: [midPoint] One connector for separate accounts on many Unix systems
In-Reply-To:
References: <564E1162.1000203@evolveum.com> <564E1369.8080103@evolveum.com>
Message-ID: <5652DA97.90304@evolveum.com>

For the record: creating 400 resource definitions is really not that hard. But it is much harder to maintain them. E.g. midPoint GUI will not work well with 400 similar resources. Therefore we also have https://jira.evolveum.com/browse/MID-2521

If you need to do something about that there are the usual options: https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature

--
Radovan Semancik
Software Architect
evolveum.com

On 11/19/2015 07:41 PM, Devin Rosenbauer wrote:

> That could work. I'd still like to avoid creating several hundred resource definitions just for Unix, if I can avoid it. We've seen clients with that many individually controlled Unix systems in Production.
> However, since it's easy enough to script creating 400 resource definitions with the hostname configurations, the template model would definitely work for now.
From zamppa90 at hotmail.com Tue Nov 24 16:06:36 2015
From: zamppa90 at hotmail.com (Samu Viitanen)
Date: Tue, 24 Nov 2015 17:06:36 +0200
Subject: [midPoint] Conditional Assignments
Message-ID:

Hello,

I am having trouble finding a solution on how to create conditional assignments in an Object Template. I have an Object Template and I would like to see if the Focus user's attribute "organization" matches to a specific string before creating my assignment. See mapping below

organization
assignment

This is the point where I am stuck. I figured that the example above is somewhat correct, but the condition is still never true even though I know my focus user's organization is 'org'. I am not very familiar with expressions and conditions yet. I tried to find the answer in Wiki, but didn't find a related example. I also looked into the live demo's Object Template, where a similar thing is done, but it did not help me here.

Best Regards
Samu Viitanen

From ivan.noris at evolveum.com Tue Nov 24 16:28:19 2015
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Tue, 24 Nov 2015 16:28:19 +0100
Subject: [midPoint] Conditional Assignments
In-Reply-To:
References:
Message-ID: <56548213.7060005@evolveum.com>

Hi Samu,

although I'm not assigning resource account but a role instead, this is my working code:

My Object Template:

Assign Role XYZ
true
$user/employeeType
c:RoleType
00000000-dc00-dc00-0004-000000000077
assignment

Could you please the construction from the above - for your case probably you need to change c:RoleType to c:ResourceType...

Some other questions:
1) are other mappings from the same object template working? (To avoid problem of not using template at all...)
2) how is the attribute organization set in your scenario?
Best regards,
Ivan

--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com
evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."

From zamppa90 at hotmail.com Tue Nov 24 18:17:35 2015
From: zamppa90 at hotmail.com (Samu Viitanen)
Date: Tue, 24 Nov 2015 19:17:35 +0200
Subject: [midPoint] Conditional Assignments
In-Reply-To: <56548213.7060005@evolveum.com>
References: , <56548213.7060005@evolveum.com>
Message-ID:

Hello Ivan,

Thank you for your quick response. I will try this tomorrow on my solution, it looks like it could work. Other mappings from my template are working, so it's just this conditional that is giving me trouble. I set the organization attribute when I create focus users in midpoint via the Web Service Interface and it seems to be mapped correctly. It's just this one that was bugging me.
BR,
Samu
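The list archive stripped the XML tags from both Samu's and Ivan's mappings, so here is a reconstructed object template fragment for the conditional assignment discussed in this thread, written as an added example rather than either poster's actual configuration. It follows the midPoint 3.x mapping structure (source, condition, assignmentTargetSearch expression, target) as I recall it; the namespace URI, the `basic.stringify` call on the PolyString source, the `oid` element inside `assignmentTargetSearch` and the reuse of Ivan's role OID are assumptions to check against your midPoint version, and for a resource account Ivan's suggestion was to change the target type to `c:ResourceType`.

```xml
<!-- Added example, not the poster's original XML (assumed reconstruction).
     Object template fragment: assign a role only while the user's
     organization equals 'org'. -->
<objectTemplate oid="PLACEHOLDER-TEMPLATE-OID"
                xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>User Template with conditional assignment</name>
    <mapping>
        <name>Assign Role XYZ when organization is org</name>
        <!-- authoritative: the assignment is removed again when the condition
             later turns false (the user moves to another organization),
             instead of lingering as an orphaned entitlement -->
        <authoritative>true</authoritative>
        <strength>strong</strength>
        <!-- the source exposes the attribute to the script as the variable
             'organization' (variable name taken from the last path segment) -->
        <source>
            <path>$user/organization</path>
        </source>
        <condition>
            <script>
                <!-- organization is a multi-valued PolyString: compare its
                     string form, not the PolyString object itself, otherwise
                     the comparison is never true (assumption: basic.stringify
                     is available in the script context) -->
                <code>basic.stringify(organization) == 'org'</code>
            </script>
        </condition>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:RoleType</targetType>
                <!-- role OID from Ivan's example; replace with your role's OID -->
                <oid>00000000-dc00-dc00-0004-000000000077</oid>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </mapping>
</objectTemplate>
```

As Ivan notes in the thread, there is no source for changes made outside the mapping, so after editing the template recompute the affected users to see the assignment appear or disappear.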