From mmarchese at identicum.com  Thu Dec  1 13:26:27 2016
From: mmarchese at identicum.com (Martin Marchese)
Date: Thu, 1 Dec 2016 09:26:27 -0300
Subject: [midPoint] UserTemplate - Role Assignment based on Org
	Assignment Property
In-Reply-To: <2e122bab-5309-b4a6-ff9e-aebbee9b8845@evolveum.com>
References: <CAG3rmdpA67Ai0YYoFOH_n-HnSLhPX+19NmocDtx6PvGnqT2ESQ@mail.gmail.com>
 <42421843-e7bc-4de8-579d-fa2b2c2980b1@evolveum.com>
 <CAG3rmdpejpo0xZLOyE-0ad2VcoEZ4VHViRACz_KxzH92doJMTg@mail.gmail.com>
 <b77ed755-73c2-e1e3-3c17-37de005d0560@evolveum.com>
 <CAG3rmdpUZmOxVr5CpOJvAMLFoV2wJLFMJBaVvBcMD91NsJttAg@mail.gmail.com>
 <1227419311.113453.1479556344398.JavaMail.zimbra@evolveum.com>
 <CAG3rmdp7ZJm=5THvVwaoqBdmjuYy-zJnrSTKDN-r8BVnR6fS+A@mail.gmail.com>
 <2e122bab-5309-b4a6-ff9e-aebbee9b8845@evolveum.com>
Message-ID: <CAG3rmdpDrrDe3V+nTZ+oOCcZgboZLNNZV4v6x2hMYxoWdncYaw@mail.gmail.com>

Hi Ivan,

We have a support-3.4 environment (3.4.2-SNAPSHOT). With the same objects
that I sent in my last email. However, we still have no luck.

If you'd like to take a look at our installation I can send you URL and
credentials thru a private channel for you to see it.

Thanks in advance


*Ing. Martín Marchese*
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
mmarchese at identicum.com
www.identicum.com

On Tue, Nov 22, 2016 at 10:06 AM, Ivan Noris <ivan.noris at evolveum.com>
wrote:

> Hi Martin,
>
> could you please try with midPoint built from git branch named support-3.4?
>
> Thanks,
>
> Ivan
>
> On 11/21/2016 03:48 PM, Martin Marchese wrote:
>
> Ivan,
>
> We run the same test within a 3.4.1 environment and within a 3.5-SNAPSHOT
> one. Same objects. It worked OK in 3.5-SNAPSHOT but again, it did not work
> in 3.4.1.
>
> Any package logging you recommend to enable in order to debug this?
>
> The following are our objects:
>
> Student Role:
> -------------------
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>   oid="00000000-0000-1de4-0004-000000000010">
>    <name>STUDENT</name>
> </role>
>
> Teacher Role:
> -------------------
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>   oid="00000000-0000-1de4-0004-000000000011">
>    <name>TEACHER</name>
> </role>
>
> MetaRole:
> --------------
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       oid="00000000-0000-1de4-0004-000000000099">
>    <name>META_ROL</name>
>    <inducement id="1">
>       <targetRef oid="00000000-0000-1de4-0004-000000000010"
> type="c:RoleType">STUDENT</targetRef>
>       <order>2</order>
>       <focusType>UserType</focusType>
>       <condition>
>          <source>
>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>          </source>
>          <expression>
>             <script>
>                <code>metaRelation == 'STUDENT'</code>
>             </script>
>          </expression>
>       </condition>
>    </inducement>
>    <inducement id="2">
>       <targetRef oid="00000000-0000-1de4-0004-000000000011"
> type="c:RoleType"></targetRef>
>       <order>2</order>
>       <focusType>UserType</focusType>
>       <condition>
>          <source>
>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>          </source>
>          <expression>
>             <script>
>                <code>metaRelation == 'TEACHER'</code>
>             </script>
>          </expression>
>       </condition>
>    </inducement>
> </role>
>
> Org:
> ------
>
> <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>      oid="00000000-0000-1de4-0010-000000000001">
>    <name>ORG21</name>
>    <assignment id="1">
>       <targetRef oid="00000000-0000-1de4-0004-000000000099"
> type="c:RoleType"></targetRef>
>    </assignment>
> </org>
>
>
> Org Assignment to User:
> -----------------------------------
>
> <assignment id="1">
>    <extension xmlns:icfcassig="http://midpoint.identicum.com/xml/ns/
> metaAssignment">
>       <icfcassig:metaRelation>STUDENT</icfcassig:metaRelation>
>    </extension>
>    <targetRef oid="00000000-0000-1de4-0010-000000000001"
> type="c:OrgType"><!-- ORG1 --></targetRef>
> </assignment>
>
> Thanks in Advance
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> mmarchese at identicum.com
> www.identicum.com
>
> On Sat, Nov 19, 2016 at 8:52 AM, Ivan Noris <Ivan.Noris at evolveum.com>
> wrote:
>
>> Hi Martin,
>>
>> that's a surprise for me, because I'm not using master but 3.4-based
>> branch... and the main logic is similar to what I'm using, even in older
>> versions...
>>
>> It just didn't work or there were some errors displayed/logged? Maybe the
>> developers would know according to that behaviour.
>>
>> Regards,
>> Ivan
>>
>> ------------------------------
>>
>> *From: *"Martin Marchese" <mmarchese at identicum.com>
>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>> *Sent: *Friday, November 18, 2016 11:20:18 PM
>> *Subject: *Re: [midPoint] UserTemplate - Role Assignment based on
>> Org        Assignment Property
>>
>>
>> Thanks Ivan that worked like charm! And it's a very nice solution!
>>
>> However, just to let you know, it worked only on MidPoint 3.5 snapshot,
>> we tested that in 3.4.1 with no luck.
>>
>> Regards
>>
>> *Ing. Martín Marchese*
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> mmarchese at identicum.com
>> www.identicum.com
>>
>> On Fri, Nov 18, 2016 at 4:19 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>> Hi,
>>>
>>> there might be a way how to do this in object template, but it could be
>>> complicated.
>>>
>>> I would probably try metarole instead:
>>>
>>> 1. all organizations should have a metarole assigned (not induced)
>>>
>>> 2. roles STUDENT and TEACHER will be defined by you to do whatever
>>> needed for users
>>>
>>> 3. the metarole would have two order=2 inducements for users which have
>>> the organization assigned. One of the inducement would induce the STUDENT
>>> role if the assignment parameter metaRelation for "this" organization is
>>> STUDENT. The other would assign the TEACHER role if the assignment
>>> parameter for "this" organization is TEACHER. The inducements would be
>>> indirect, i.e. you would not see the STUDENT/TEACHER role assigned in
>>> user's Assignments tab *(this may or may not be a problem for you)*.
>>>
>>> Technically it would mean that one person with 20 organizations assigned
>>> as TEACHER would end with 20 assignments of the same role TEACHER, but I
>>> believe that midPoint will "normalize" this and only one role TEACHER would
>>> be assigned in real.
>>>
>>> The metarole should look similar to this (untested):
>>>
>>> <role ...>
>>>
>>>   <name>Teacher/Student Org Metarole</name>
>>>
>>>     <inducement>
>>>       <targetRef oid="00000000-dc00-dc00-0004-000000000078"
>>> type="c:RoleType"><!-- STUDENT --></targetRef>
>>>
>>>         <condition>
>>>             <source>
>>>                 <path>$focusAssignment/xyz:metaRelation</path><!-- xyz
>>> is your namespace -->
>>>             </source>
>>>             <expression>
>>>                 <script>
>>>                     <code>metaRelation == 'STUDENT'</code>
>>>                 </script>
>>>             </expression>
>>>         </condition>
>>>
>>>        <focusType>c:UserType</focusType><!-- to apply only to users
>>> even if organization is assigned to another organization -->
>>>
>>>         <order>2</order><!-- to apply to users which have the
>>> organization assigned -->
>>>
>>>    </inducement>
>>>
>>>     <inducement>
>>>       <targetRef oid="00000000-dc00-dc00-0004-000000000111"
>>> type="c:RoleType"><!-- TEACHER --></targetRef>
>>>
>>>         <condition>
>>>             <source>
>>>                 <path>$focusAssignment/xyz:metaRelation</path><!-- xyz
>>> your namespace -->
>>>             </source>
>>>             <expression>
>>>                 <script>
>>>                     <code>metaRelation == 'TEACHER'</code>
>>>                 </script>
>>>             </expression>
>>>         </condition>
>>>
>>>        <focusType>c:UserType</focusType>
>>>
>>>         <order>2</order>
>>>
>>>    </inducement>
>>> </role>
>>>
>>> I hope I'm correct. I have done similar stuff, but not this specific one.
>>>
>>> Regards,
>>>
>>> Ivan
>>> On 11/18/2016 06:44 PM, Martin Marchese wrote:
>>>
>>> Hi Ivan thanks for your answer,
>>>
>>> Yes that's correct, they should be assigned without any parameters based
>>> on the org assignment types.
>>>
>>> Regards
>>>
>>> *Ing. Martín Marchese*
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050
>>> mmarchese at identicum.com
>>> www.identicum.com
>>>
>>> On Fri, Nov 18, 2016 at 12:34 PM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>> Hi Martin,
>>>>
>>>> the STUDENT and TEACHER roles are "static" in means of assignment
>>>> parameters? They are (should be) just assigned without any parameters
>>>> whenever used has any org with STUDENT-type assignment or any role with
>>>> TEACHER-type assignment?
>>>>
>>>>
>>>> Ivan
>>>>
>>>>
>>>> On 11/16/2016 08:37 PM, Martin Marchese wrote:
>>>>
>>>> Hi All,
>>>>
>>>> We had our AssignmentType extended with a "metaRelation" extension
>>>> property.
>>>>
>>>> Users are assigned to an OrgType
>>>>
>>>> Our OrgType represent schools and within this "metaRelation" property,
>>>> we store wether the assigned user is a STUDENT or a TEACHER.
>>>>
>>>> Besides, we have 2 Roles (STUDENT and TEACHER roles).
>>>>
>>>> We would like to use our user template to assign the corresponding role
>>>> to the user based on shich "metaRelation" it has within the Org.
>>>>
>>>> Users could be STUDENT and/or TEACHER on more than one Org, so while
>>>> the user has at least one of this assignments, it needs to have the
>>>> corresponding role assigned.
>>>>
>>>> We are thinking if there's a way to query the user Org assignments
>>>> within the template and use it as source for the target role assignment.
>>>>
>>>> Is this the best/correct way to do it? Do you recommend any other way?
>>>>
>>>> Thanks in Advance
>>>> Regards,
>>>>
>>>> *Ing. Martín Marchese*
>>>> Identicum S.A.
>>>> Jorge Newbery 3226
>>>> Tel: +54 (11) 4552-3050
>>>> mmarchese at identicum.com
>>>> www.identicum.com
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>> --
>>>> Ivan Noris
>>>> Senior Identity Engineerevolveum.com
>>>>
>>>> _______________________________________________ midPoint mailing list
>>>> midPoint at lists.evolveum.com http://lists.evolveum.com/mail
>>>> man/listinfo/midpoint
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>> --
>>> Ivan Noris
>>> Senior Identity Engineerevolveum.com
>>>
>>> _______________________________________________ midPoint mailing list
>>> midPoint at lists.evolveum.com http://lists.evolveum.com/mail
>>> man/listinfo/midpoint
>>
>> _______________________________________________ midPoint mailing list
>> midPoint at lists.evolveum.com http://lists.evolveum.com/mail
>> man/listinfo/midpoint
>>
>> --
>> Ivan Noris Senior Identity Engineer evolveum.com
>> _______________________________________________ midPoint mailing list
>> midPoint at lists.evolveum.com http://lists.evolveum.com/mail
>> man/listinfo/midpoint
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161201/78c80059/attachment.htm>

From nrossi at identicum.com  Thu Dec  1 20:07:01 2016
From: nrossi at identicum.com (Nicolas Rossi)
Date: Thu, 1 Dec 2016 16:07:01 -0300
Subject: [midPoint] Assigning role to user when receiving a resource
In-Reply-To: <b26c582b-af04-16c4-e378-bbea29a65a28@evolveum.com>
References: <CAO5EgRqhUU9ysSKHxYMALHDfyGmJ95rMi3qDLVR94hoBDy6i7Q@mail.gmail.com>
 <CAAxX8cgRkcdXy7gh=Uspsh9aoy2tedgn6cB_25kaTbd1=riDBw@mail.gmail.com>
 <0642e8e7-bf9f-63f9-28a9-d264e7d6c6af@evolveum.com>
 <CAAxX8cg6uK8j2ZZJdUhksEFEsY8zDv1rsEAuNnb52306mtmt0g@mail.gmail.com>
 <CAAxX8cgYrqasn--e_f7yUSdqKZOd4DKGKHdTCVXo-YcAryM41Q@mail.gmail.com>
 <69abd9da-19b6-b2ea-bc48-c92f8cd6464e@evolveum.com>
 <CAAxX8chde8YrYJ00e1a040wqJrY==k7qC8E3sHCgkZujezKR_A@mail.gmail.com>
 <b26c582b-af04-16c4-e378-bbea29a65a28@evolveum.com>
Message-ID: <CAAxX8cg3vKx7WgZ4XO833jMKncdz1T4VmeNbizFWAmpaZDA0gw@mail.gmail.com>

You are right Ivan, I should see the association from the projection not
the user's assignments. We can go on with the first example which is
already working !

Thanks for your help !




Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Wed, Nov 30, 2016 at 4:49 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

> Hi Nicholas,
>
> Show all assignments is computing just assignments, both direct and
> indirect. It will show you all assigned:
>
> a) roles (assigned directly or indirectly)
>
> b) organizations
>
> c) projections from inducements - name of resource, kind and intent
>
> It will not show associations there.
>
> If you want to see the "groups" of any account managed by midPoint, open
> that user in midPoint, then Projections, expand the account and see section
> "associations".
>
> I have just checked my user with assigned organization, which as assigned
> metarole and I can see the indirectly referenced resource account which is
> provided by the metarole order=2 inducement.
>
> Regards,
>
> Ivan
>
> On 11/29/2016 11:30 PM, Nicolas Rossi wrote:
>
> Hi Ivan. With the alternative #1 I can see the entitlement provisioned on
> the resource but I cannot see it under the midpoint GUI on the user panel
> -> assignments -> cog icon -> show all assignment. Regards
>
> El El mar, 29 de nov. de 2016 a las 18:26, Ivan Noris <
> ivan.noris at evolveum.com> escribió:
>
>> Hi Nicolas,
>>
>> I have tried to find some time at the evenings, to look for a problem.
>>
>> The first alternative - ScriptedSQL-Grupo1.xml looks pretty much same as
>> my roles in one of my projects. If I understand correctly, you've stated
>> that "It works fine (entitlement is provisioned) but we cannot see this
>> assignment on the GUI." What do you mean by "seeing" it? You should see
>> that user has this association (Grupo 1) in Projections/the scriptedsql
>> account/associations part. And of course in Assignments you should see the
>> "ScriptedSQL-Grupo 1" role assigned.
>>
>> If you cannot see the "associations" part in GUI with "Grupo 1" value,
>> can you ensure that the value is really there manually in the target system
>> and read that user again using midPoint? But as you stated that this
>> alternative "works (entitlement is provisioned)", I'm confused.
>>
>> What surprised me is the name of the association attribute
>> "<ref>ri:GroupObjectClass</ref>" used in inducements. Do you have the
>> same name configured in the resource object in:
>>
>> <association>
>>
>>   <ref>ri:GroupObjectClass</ref>
>>
>> ...
>>
>> </association> ? If yes, it's just the name which confuses me.
>>
>> The alternative ScriptedSQL-Grupo 3 using ScriptedSQL-MetaRole looks also
>> OK to me. I'm trying to find similar example, but so far I don't remember
>> any usage of association using associationFromLink with another association
>> in my projects.
>> Also ScriptedSQL-Metarole-3.xml looks fine.
>> Are you testing the setup on new users and assigning roles, or you
>> already have the (former) roles assigned and after that you change the role
>> definitions? (In the latter case I assume you did also recompute of that
>> user to apply the changed role definitions.)
>>
>> Anyway, the assignment of ScriptedSQL-Grupo 1 (no metarole) should work
>> and be displayed in Assignments (as role) and in Projections as association
>> (Grupo 1).
>>
>> I hope some of my coleagues will also have a good hint, for now I'm out
>> of ideas but I will try to find some new.
>>
>> Best regards,
>> Ivan
>>
>>
>> On 11/29/2016 01:06 PM, Nicolas Rossi wrote:
>>
>> HI Ivan, have you seen something wrong with these configurations ?
>>
>> Best regards
>>
>>
>>
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Fri, Nov 25, 2016 at 12:56 PM, Nicolas Rossi <nrossi at identicum.com>
>> wrote:
>>
>> Hi Ivan, here are the XMLs:
>>
>>    - ScriptedSQL-Grupo1.xml: A role with an association to an entitlement
>>    - ScriptedSQL-Grupo3.xml: A role with an assignment to a MetaRole
>>    - ScriptedSQL-MetaRole-1.xml: First alternative with another
>>    assignment
>>    - ScriptedSQL-MetaRole-2.xml: Second alternative with an inducement
>>    to Group 3
>>    - ScriptedSQL-MetaRole-3.xml: Second alternative with an inducement
>>    to Group 1
>>
>> Thanks in advance !
>>
>> Best regards
>>
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Thu, Nov 24, 2016 at 6:20 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>> Hi Nicolas,
>>
>> can you paste the (three) attempts how the MetaRole looks, anonymized if
>> necessary? Maybe I will have an idea by looking at it.
>>
>> Regards,
>>
>> Ivan
>>
>> On 11/24/2016 09:52 PM, Nicolas Rossi wrote:
>>
>> Hi guys. We are still working on this issue. We have tried 3 alternatives
>> to achieve it. All of them working on the resource MetaRole:
>>
>> 1) Add a new association on the existing inducement constructor directly
>> to the entitlement on the resource. It works fine (entitlement is
>> provisioned) but we cannot see this assignment on the GUI.
>>
>> 2) Add an inducement to an existing role which has an assignment to the
>> resource MetaRole. I can see the assignment on the GUI but the entitlement
>> is not provisioned to the resource.
>>
>> 3) Add an inducement to an existing role which has an inducement with
>> association to the entitlement on the resource. I can see the assignment
>> on the GUI but the entitlement is not provisioned to the resource.
>>
>> Is there any other possible configuration ?
>>
>> ​Best regards,
>> ​
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Mon, Nov 21, 2016 at 5:56 PM, Ana Pereyra <apereyra at identicum.com>
>> wrote:
>>
>> Hi everyone,
>>
>> We are having the following issue:
>>
>> We need to assign the role B to users after being created in resource A,
>> automatically.
>>
>> We are using a scripted sql driver, and a meta role for creating users
>> and groups in the database; and role B is a group in resource A.
>>
>> We have been trying to assign indirectly role B to users using the meta
>> role, with no luck. Any ideas on how to approach this?
>>
>> Thanks in advance.
>> Regards
>>
>> --
>> *Ana Pereyra*
>>  Identicum S.A.
>>
>> *Jorge Newbery 3226, Argentina Tel: +54 (11) **4552.3050*
>> *apereyra at identicum.com <apereyra at identicum.com>*
>> www.identicum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ivan Noris
>> Senior Identity Engineerevolveum.com
>>
>> _______________________________________________ midPoint mailing list
>> midPoint at lists.evolveum.com http://lists.evolveum.com/
>> mailman/listinfo/midpoint
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ivan Noris
>> Senior Identity Engineerevolveum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161201/e9810609/attachment.htm>

From nrossi at identicum.com  Thu Dec  1 20:16:08 2016
From: nrossi at identicum.com (Nicolas Rossi)
Date: Thu, 1 Dec 2016 16:16:08 -0300
Subject: [midPoint] Manage multiple SAP instances
Message-ID: <CAAxX8cjeSQBWfv9SQov=UobBAw3boZ0-hCQbF3t5T_pnnsHe0Q@mail.gmail.com>

Hi guys! We are working on a new deal with a customer with almost 40
instances of SAP. All of them has the same business logic. I was looking on
the samples at github and it seems that I should create one resource for
each SAP instance. Is that ok and the recommended way to do that ? I know
other IDM vendors has a fan-out option where you have one connector with N
target systems.

Best regards,


Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161201/412de621/attachment.htm>

From martin.lizner at ami.cz  Thu Dec  1 21:54:47 2016
From: martin.lizner at ami.cz (=?UTF-8?Q?Martin_L=C3=ADzner_=2D_AMI_Praha_a=2Es=2E?=)
Date: Thu, 1 Dec 2016 21:54:47 +0100
Subject: [midPoint] ScriptedSQL Connector Connection Pooling
Message-ID: <CALOh8ePpg8P+isbvx=iKYQCNEAR78bPQWefNUmcjf=+P0yp+Xw@mail.gmail.com>

Hi, this connector does not appear to have implicit sql-connection pooling
and each "new Sql(connection)" command seems to open new (and expensive)
socket to DB.

Anybody happen to have working solution for connection pooling in
ScriptedSQL connector?

Thank You, Martin

Martin Lízner
solution architect

gsm: [+420] 737 745 571
e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz



[image: AMI Praha a.s.] <http://www.skyidentity.com/>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161201/72f70ff3/attachment.htm>

From legeech at inbox.ru  Fri Dec  2 08:58:46 2016
From: legeech at inbox.ru (=?UTF-8?B?b2xlZyBva3VuZXY=?=)
Date: Fri, 02 Dec 2016 10:58:46 +0300
Subject: [midPoint] =?utf-8?q?Problem_with_Russian_Names_in_ORG?=
In-Reply-To: <7633ccaa-6676-fc26-e342-d7f56e585b48@evolveum.com>
References: <1480022316394.48440@rmit.ee> <1480055579472.39905@rmit.ee>
 <7633ccaa-6676-fc26-e342-d7f56e585b48@evolveum.com>
Message-ID: <1480665526.501852048@f372.i.mail.ru>

Morning!

i have successefully test OrgSync Story Test... with English names 

BUT
when i begin test with russian names i get problem!

Conflicting object already exists (violated constraint 'uc_org_name')(orgType=PPV(String:replicated); {http://midpoint.evolveum.com/xml/ns/story/orgsync/ext}orgpath=PPV(String: Фольклёр/Сказки ); ) 
in expression in mapping 'Org-org mapping' in objectTemplate:10000000-0000-0000-0000-000000000231(Org Template)

midpoint save first org " Сторонние Организации  " and make name_norm only space or just empty 
so all next names trying to create get same emty name_norm and fail to create(((

is any way to fix that?????


costcenter | displayorder | locality_norm          | locality_orig                     | name_norm | name_orig    | tenant | oid
------------+--------------+------------------------------+-------------------------------+-----------+------------------------------------+--------+--------------------------------------
                |                  |                                       |                                        | p0002      | P0002                                 |            | 00000000-8888-6666-0000-200000000002
black       |                  |                                       |                                         |                 | Сторонние Организации  |            | 040346cb-88ce-4012-8d52-93eb1e1d2a4f
black       |                  |                                       |                                        |child          | CHILD                                | f          | 2681372b-3a8b-442d-861c-fc6fa0229471
                |                  |                                       |                                        |ibpm test   | IBPM Test                          |            | 828586f3-1444-42b9-b11a-e012c066099b
                |                  |                                       |                                        |abbwin      | ABB-WIN                           |            | f226c7be-dad5-4415-b4f7-d987fb3856bd
                |                  |       kazan                      | Kazan                            | fil               |  Домен FIL                         |            | e62d247f-bd94-425a-9d82-63927de5b569
------------+--------------+------------------------------+-------------------------------+-----------+-----------------------+--------+-------------------------------------- P.S. " Домен FIL " became " fil". midpoint erase all russian letters.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161202/928a9270/attachment.htm>

From katka.valalikova at evolveum.com  Fri Dec  2 09:33:42 2016
From: katka.valalikova at evolveum.com (Katka Valalikova)
Date: Fri, 2 Dec 2016 09:33:42 +0100 (CET)
Subject: [midPoint] Manage multiple SAP instances
In-Reply-To: <CAAxX8cjeSQBWfv9SQov=UobBAw3boZ0-hCQbF3t5T_pnnsHe0Q@mail.gmail.com>
References: <CAAxX8cjeSQBWfv9SQov=UobBAw3boZ0-hCQbF3t5T_pnnsHe0Q@mail.gmail.com>
Message-ID: <1277042879.217619.1480667622562.JavaMail.zimbra@evolveum.com>

Hi Nicolas, 

unfortunately you are right - currently, you need to create one resource for each SAP instance. I do the same in the environment of my customer. 

Improvement for such situations is planed : https://jira.evolveum.com/browse/MID-1653 

Best regards, 

Katarina Valalikova 
Java Developer 
evolveum.com 

----- Original Message -----

From: "Nicolas Rossi" <nrossi at identicum.com> 
To: "midPoint General Discussion" <midpoint at lists.evolveum.com> 
Sent: Thursday, December 1, 2016 8:16:08 PM 
Subject: [midPoint] Manage multiple SAP instances 

Hi guys! We are working on a new deal with a customer with almost 40 instances of SAP. All of them has the same business logic. I was looking on the samples at github and it seems that I should create one resource for each SAP instance. Is that ok and the recommended way to do that ? I know other IDM vendors has a fan-out option where you have one connector with N target systems. 

Best regards, 


Ing Nicolás Rossi 
Identicum S.A. 
Jorge Newbery 3226 
Tel: +54 (11) 4552-3050 
www.identicum.com 

_______________________________________________ 
midPoint mailing list 
midPoint at lists.evolveum.com 
http://lists.evolveum.com/mailman/listinfo/midpoint 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161202/d03cca9b/attachment.htm>

From radovan.semancik at evolveum.com  Fri Dec  2 09:39:22 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Fri, 2 Dec 2016 09:39:22 +0100
Subject: [midPoint] Problem with Russian Names in ORG
In-Reply-To: <1480665526.501852048@f372.i.mail.ru>
References: <1480022316394.48440@rmit.ee> <1480055579472.39905@rmit.ee>
 <7633ccaa-6676-fc26-e342-d7f56e585b48@evolveum.com>
 <1480665526.501852048@f372.i.mail.ru>
Message-ID: <c3e0717b-bc86-6f95-4808-9918e2fb7455@evolveum.com>

Hi,

There is no easy way.

The normalization was originally intended for international alphabet 
support. E.g. it was expected that we could transliterate cyrillic words 
to latin. However, currently alphabets of all the midpoint subscribers 
are latin-based. Therefore current midPoint normalizer only support 
conversion of latin-based national characters and the cyrillic 
transliteration was never implemented. And currently we have other 
development priorities. Our priorities are focused on improving the life 
of midPoint subscribers. Therefore unless we get any substantial 
subscription from the non-latin-based customer we have no plans to 
change that. I'm sorry.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 12/02/2016 08:58 AM, oleg okunev wrote:
> Morning!
>
> i have successefully test OrgSync Story Test... with English names
>
> BUT
> when i begin test with russian names i get problem!
>
> Conflicting object already exists (violated constraint 
> 'uc_org_name')(orgType=PPV(String:replicated); 
> {http://midpoint.evolveum.com/xml/ns/story/orgsync/ext}orgpath=PPV(String:*Фольклёр/Сказки*); 
> )
> in expression in mapping 'Org-org mapping' in 
> objectTemplate:10000000-0000-0000-0000-000000000231(Org Template)
>
> midpoint save first org "*Сторонние Организации* " and make name_norm 
> only space or just empty
> so all next names trying to create get same emty name_norm and fail to 
> create(((
>
> *is any way to fix that?????*
>
>
> costcenter | displayorder | locality_norm          | locality_orig     
>                 | name_norm | name_orig    | tenant | oid
> ------------+--------------+------------------------------+-------------------------------+-----------+------------------------------------+--------+--------------------------------------
>                 |                  |           |                       
>                  | p0002  | P0002                                 |   
>          | 00000000-8888-6666-0000-200000000002
> black       |                  |       | *|                 |* 
> *Сторонние Организации*  |            | 
> 040346cb-88ce-4012-8d52-93eb1e1d2a4f
> black       |                  |       |                               
>          |child          | CHILD                                | f   
>        | 2681372b-3a8b-442d-861c-fc6fa0229471
>                 |                  |           |                       
>                  |ibpm test | IBPM Test                          |     
>        | 828586f3-1444-42b9-b11a-e012c066099b
>                 |                  |           |                       
>                  |abbwin  | ABB-WIN                           |       
>      | f226c7be-dad5-4415-b4f7-d987fb3856bd
>                 |                  |       kazan      | Kazan         
>                    |*fil *           | *Домен FIL *                   
>     |            | e62d247f-bd94-425a-9d82-63927de5b569
>
> ------------+--------------+------------------------------+-------------------------------+-----------+-----------------------+--------+--------------------------------------
>
> P.S. "*Домен FIL*" became " fil". midpoint erase all russian letters.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161202/aa603f97/attachment.htm>

From radovan.semancik at evolveum.com  Fri Dec  2 12:37:19 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Fri, 2 Dec 2016 12:37:19 +0100
Subject: [midPoint] Manage multiple SAP instances
In-Reply-To: <CAAxX8cjeSQBWfv9SQov=UobBAw3boZ0-hCQbF3t5T_pnnsHe0Q@mail.gmail.com>
References: <CAAxX8cjeSQBWfv9SQov=UobBAw3boZ0-hCQbF3t5T_pnnsHe0Q@mail.gmail.com>
Message-ID: <979977c4-944c-dffc-eb26-54567a3d2a66@evolveum.com>

Hi,

MidPoint also has one connector for many target systems. But you need 
one resource definition for each. But I understand what you need. We are 
planning a feature like this for a long time:

https://jira.evolveum.com/browse/MID-1653

This feature was planned for several midPoint versions already. But it 
was always moved out because the subsribers and sponsors preferred other 
features. We haven't secured the funding for this feature yet. However 
there are some indications that it might get implemented in 3.6 or 3.7 
... and that's the preliminary plan. But nothing is sure yet. It still 
may get moved out again. It all depends on the priorities given by 
midPoint subscribers.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 12/01/2016 08:16 PM, Nicolas Rossi wrote:
> Hi guys! We are working on a new deal with a customer with almost 40 
> instances of SAP. All of them has the same business logic. I was 
> looking on the samples at github and it seems that I should create one 
> resource for each SAP instance. Is that ok and the recommended way to 
> do that ? I know other IDM vendors has a fan-out option where you have 
> one connector with N target systems.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161202/2a01fe84/attachment.htm>

From ivan.noris at evolveum.com  Fri Dec  2 12:47:19 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 2 Dec 2016 12:47:19 +0100
Subject: [midPoint] Assigning role to user when receiving a resource
In-Reply-To: <CAAxX8cg3vKx7WgZ4XO833jMKncdz1T4VmeNbizFWAmpaZDA0gw@mail.gmail.com>
References: <CAO5EgRqhUU9ysSKHxYMALHDfyGmJ95rMi3qDLVR94hoBDy6i7Q@mail.gmail.com>
 <CAAxX8cgRkcdXy7gh=Uspsh9aoy2tedgn6cB_25kaTbd1=riDBw@mail.gmail.com>
 <0642e8e7-bf9f-63f9-28a9-d264e7d6c6af@evolveum.com>
 <CAAxX8cg6uK8j2ZZJdUhksEFEsY8zDv1rsEAuNnb52306mtmt0g@mail.gmail.com>
 <CAAxX8cgYrqasn--e_f7yUSdqKZOd4DKGKHdTCVXo-YcAryM41Q@mail.gmail.com>
 <69abd9da-19b6-b2ea-bc48-c92f8cd6464e@evolveum.com>
 <CAAxX8chde8YrYJ00e1a040wqJrY==k7qC8E3sHCgkZujezKR_A@mail.gmail.com>
 <b26c582b-af04-16c4-e378-bbea29a65a28@evolveum.com>
 <CAAxX8cg3vKx7WgZ4XO833jMKncdz1T4VmeNbizFWAmpaZDA0gw@mail.gmail.com>
Message-ID: <d1894cc6-0023-6784-a8f8-6fec9dfe767e@evolveum.com>

Great!

Ivan


On 12/01/2016 08:07 PM, Nicolas Rossi wrote:
> You are right Ivan, I should see the association from the projection
> not the user's assignments. We can go on with the first example which
> is already working !
>
> Thanks for your help !
>
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com <http://www.identicum.com>
>
> On Wed, Nov 30, 2016 at 4:49 AM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Nicholas,
>
>     Show all assignments is computing just assignments, both direct
>     and indirect. It will show you all assigned:
>
>     a) roles (assigned directly or indirectly)
>
>     b) organizations
>
>     c) projections from inducements - name of resource, kind and intent
>
>     It will not show associations there.
>
>     If you want to see the "groups" of any account managed by
>     midPoint, open that user in midPoint, then Projections, expand the
>     account and see section "associations".
>
>     I have just checked my user with assigned organization, which as
>     assigned metarole and I can see the indirectly referenced resource
>     account which is provided by the metarole order=2 inducement.
>
>     Regards,
>
>     Ivan
>
>
>     On 11/29/2016 11:30 PM, Nicolas Rossi wrote:
>>     Hi Ivan. With the alternative #1 I can see the entitlement
>>     provisioned on the resource but I cannot see it under the
>>     midpoint GUI on the user panel -> assignments -> cog icon -> show
>>     all assignment. Regards
>>
>>     El El mar, 29 de nov. de 2016 a las 18:26, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> escribió:
>>
>>         Hi Nicolas,
>>
>>         I have tried to find some time at the evenings, to look for a
>>         problem.
>>
>>         The first alternative - ScriptedSQL-Grupo1.xml looks pretty
>>         much same as my roles in one of my projects. If I understand
>>         correctly, you've stated that "It works fine (entitlement is
>>         provisioned) but we cannot see this assignment on the GUI."
>>         What do you mean by "seeing" it? You should see that user has
>>         this association (Grupo 1) in Projections/the scriptedsql
>>         account/associations part. And of course in Assignments you
>>         should see the "ScriptedSQL-Grupo 1" role assigned.
>>
>>         If you cannot see the "associations" part in GUI with "Grupo
>>         1" value, can you ensure that the value is really there
>>         manually in the target system and read that user again using
>>         midPoint? But as you stated that this alternative "works
>>         (entitlement is provisioned)", I'm confused.
>>
>>         What surprised me is the name of the association attribute
>>         "<ref>ri:GroupObjectClass</ref>" used in inducements. Do you
>>         have the same name configured in the resource object in:
>>
>>         <association>
>>
>>           <ref>ri:GroupObjectClass</ref>
>>
>>         ...
>>
>>         </association> ? If yes, it's just the name which confuses me.
>>
>>         The alternative ScriptedSQL-Grupo 3 using
>>         ScriptedSQL-MetaRole looks also OK to me. I'm trying to find
>>         similar example, but so far I don't remember any usage of
>>         association using associationFromLink with another
>>         association in my projects.
>>
>>         Also ScriptedSQL-Metarole-3.xml looks fine.
>>         Are you testing the setup on new users and assigning roles,
>>         or you already have the (former) roles assigned and after
>>         that you change the role definitions? (In the latter case I
>>         assume you did also recompute of that user to apply the
>>         changed role definitions.)
>>
>>         Anyway, the assignment of ScriptedSQL-Grupo 1 (no metarole)
>>         should work and be displayed in Assignments (as role) and in
>>         Projections as association (Grupo 1).
>>
>>         I hope some of my coleagues will also have a good hint, for
>>         now I'm out of ideas but I will try to find some new.
>>
>>         Best regards,
>>         Ivan
>>
>>
>>         On 11/29/2016 01:06 PM, Nicolas Rossi wrote:
>>>         HI Ivan, have you seen something wrong with these
>>>         configurations ?
>>>
>>>         Best regards 
>>>
>>>
>>>
>>>
>>>
>>>         Ing Nicolás Rossi
>>>         Identicum S.A.
>>>         Jorge Newbery 3226
>>>         Tel: +54 (11) 4552-3050
>>>         www.identicum.com <http://www.identicum.com>
>>>
>>>         On Fri, Nov 25, 2016 at 12:56 PM, Nicolas Rossi
>>>         <nrossi at identicum.com <mailto:nrossi at identicum.com>> wrote:
>>>
>>>             Hi Ivan, here are the XMLs:
>>>
>>>               * ScriptedSQL-Grupo1.xml: A role with an association
>>>                 to an entitlement
>>>               * ScriptedSQL-Grupo3.xml: A role with an assignment to
>>>                 a MetaRole
>>>               * ScriptedSQL-MetaRole-1.xml: First alternative with
>>>                 another assignment
>>>               * ScriptedSQL-MetaRole-2.xml: Second alternative with
>>>                 an inducement to Group 3
>>>               * ScriptedSQL-MetaRole-3.xml: Second alternative with
>>>                 an inducement to Group 1
>>>
>>>             Thanks in advance ! 
>>>
>>>             Best regards
>>>
>>>
>>>
>>>             Ing Nicolás Rossi
>>>             Identicum S.A.
>>>             Jorge Newbery 3226
>>>             Tel: +54 (11) 4552-3050
>>>             www.identicum.com <http://www.identicum.com>
>>>
>>>             On Thu, Nov 24, 2016 at 6:20 PM, Ivan Noris
>>>             <ivan.noris at evolveum.com
>>>             <mailto:ivan.noris at evolveum.com>> wrote:
>>>
>>>                 Hi Nicolas,
>>>
>>>                 can you paste the (three) attempts how the MetaRole
>>>                 looks, anonymized if necessary? Maybe I will have an
>>>                 idea by looking at it.
>>>
>>>                 Regards,
>>>
>>>                 Ivan
>>>
>>>
>>>                 On 11/24/2016 09:52 PM, Nicolas Rossi wrote:
>>>>                 Hi guys. We are still working on this issue. We
>>>>                 have tried 3 alternatives to achieve it. All of
>>>>                 them working on the resource MetaRole:
>>>>
>>>>                 1) Add a new association on the existing inducement
>>>>                 constructor directly to the entitlement on the
>>>>                 resource. It works fine (entitlement is
>>>>                 provisioned) but we cannot see this assignment on
>>>>                 the GUI.
>>>>
>>>>                 2) Add an inducement to an existing role which has
>>>>                 an assignment to the resource MetaRole. I can see
>>>>                 the assignment on the GUI but the entitlement is
>>>>                 not provisioned to the resource.
>>>>
>>>>                 3) Add an inducement to an existing role which has
>>>>                 an inducement with association to the entitlement
>>>>                 on the resource. I can see the assignment on the
>>>>                 GUI but the entitlement is not provisioned to the
>>>>                 resource.
>>>>
>>>>                 Is there any other possible configuration ?
>>>>
>>>>                 ​Best regards,
>>>>                 ​
>>>>
>>>>
>>>>                 Ing Nicolás Rossi
>>>>                 Identicum S.A.
>>>>                 Jorge Newbery 3226
>>>>                 Tel: +54 (11) 4552-3050
>>>>                 www.identicum.com <http://www.identicum.com>
>>>>
>>>>                 On Mon, Nov 21, 2016 at 5:56 PM, Ana Pereyra
>>>>                 <apereyra at identicum.com
>>>>                 <mailto:apereyra at identicum.com>> wrote:
>>>>
>>>>                     Hi everyone,
>>>>
>>>>                     We are having the following issue:
>>>>
>>>>                     We need to assign the role B to users after
>>>>                     being created in resource A, automatically. 
>>>>
>>>>                     We are using a scripted sql driver, and a meta
>>>>                     role for creating users and groups in the
>>>>                     database; and role B is a group in resource A.
>>>>
>>>>                     We have been trying to assign indirectly role B
>>>>                     to users using the meta role, with no luck. Any
>>>>                     ideas on how to approach this?
>>>>
>>>>                     Thanks in advance.
>>>>                     Regards
>>>>
>>>>                     -- 
>>>>                     *Ana Pereyra*
>>>>                      Identicum S.A.
>>>>                     /Jorge Newbery 3226, Argentina
>>>>                     Tel: +54 (11) //4552.3050/
>>>>                     /apereyra at identicum.com
>>>>                     <mailto:apereyra at identicum.com>/
>>>>                     www.identicum.com <http://www.identicum.com/>
>>>>
>>>>                     _______________________________________________
>>>>                     midPoint mailing list
>>>>                     midPoint at lists.evolveum.com
>>>>                     <mailto:midPoint at lists.evolveum.com>
>>>>                     http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>                     <http://lists.evolveum.com/mailman/listinfo/midpoint>
>>>>
>>>>
>>>>
>>>>
>>>>                 _______________________________________________
>>>>                 midPoint mailing list
>>>>                 midPoint at lists.evolveum.com
>>>>                 <mailto:midPoint at lists.evolveum.com>
>>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>                 <http://lists.evolveum.com/mailman/listinfo/midpoint>
>>>
>>>                 -- 
>>>                 Ivan Noris
>>>                 Senior Identity Engineer
>>>                 evolveum.com <http://evolveum.com>
>>>
>>>                 _______________________________________________
>>>                 midPoint mailing list midPoint at lists.evolveum.com
>>>                 <mailto:midPoint at lists.evolveum.com>
>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>                 <http://lists.evolveum.com/mailman/listinfo/midpoint> 
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>>         <http://lists.evolveum.com/mailman/listinfo/midpoint>
>>
>>         -- 
>>         Ivan Noris
>>         Senior Identity Engineer
>>         evolveum.com <http://evolveum.com>
>>
>>         _______________________________________________ midPoint
>>         mailing list midPoint at lists.evolveum.com
>>         <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>         <http://lists.evolveum.com/mailman/listinfo/midpoint> 
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>     <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
>     -- 
>     Ivan Noris
>     Senior Identity Engineer
>     evolveum.com <http://evolveum.com>
>
>     _______________________________________________ midPoint mailing
>     list midPoint at lists.evolveum.com
>     <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>     <http://lists.evolveum.com/mailman/listinfo/midpoint> 
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161202/1c9c201a/attachment.htm>

From oskar.butovic at ami.cz  Fri Dec  2 12:49:24 2016
From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=)
Date: Fri, 2 Dec 2016 12:49:24 +0100
Subject: [midPoint] filter in Task deffinition actual date
Message-ID: <CAE8MtZDq5BpvsJgU8cP+uKqunhGY7gbygF0bN8LMgWK_78N3LA@mail.gmail.com>

Hello everybody,

I have extension attribute of type date in users.
I need to recompute only users with this date attribute in past. Is it
possible to do with standard handler somehow or do i need to write my own
task handler for this?

Best Regards

Oskar Butovič
-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161202/827c672f/attachment.htm>

From ivan.noris at evolveum.com  Fri Dec  2 13:13:48 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 2 Dec 2016 13:13:48 +0100
Subject: [midPoint] filter in Task deffinition actual date
In-Reply-To: <CAE8MtZDq5BpvsJgU8cP+uKqunhGY7gbygF0bN8LMgWK_78N3LA@mail.gmail.com>
References: <CAE8MtZDq5BpvsJgU8cP+uKqunhGY7gbygF0bN8LMgWK_78N3LA@mail.gmail.com>
Message-ID: <c7394dfd-3bbb-4cb7-9603-0ea83e378477@evolveum.com>

Hi Oskar,

I was recently using something like this in search filter in recompute task:

    <q:less>
                                <q:path>metadata/createTimestamp</q:path>
                                <q:value>2016-10-14</q:value>
    </q:less>

So maybe this could help for your attribute. I know, it's a constant,
but it was sufficient for me. If you plan to run the recompute
regularly, I hope others (Pavol?) may be able to help.

Regards,

Ivan


On 12/02/2016 12:49 PM, Oskar Butovič - AMI Praha a.s. wrote:
> Hello everybody,
>
> I have extension attribute of type date in users.
> I need to recompute only users with this date attribute in past. Is it
> possible to do with standard handler somehow or do i need to write my
> own task handler for this?
>
> Best Regards
>
> Oskar Butovič
> -- 
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101
> e-mail: oskar.butovic at ami.cz <mailto:oskar.butovic at ami.cz>
>
> 	    	    	
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz <http://www.ami.cz/>
>
> 	    	    	
>
> AMI Praha a.s.
>
>
> AMI Praha a.s.
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít
> výhradně písemnou formu.
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161202/5bf08292/attachment.htm>

From oskar.butovic at ami.cz  Fri Dec  2 13:36:20 2016
From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=)
Date: Fri, 2 Dec 2016 13:36:20 +0100
Subject: [midPoint] filter in Task deffinition actual date
In-Reply-To: <c7394dfd-3bbb-4cb7-9603-0ea83e378477@evolveum.com>
References: <CAE8MtZDq5BpvsJgU8cP+uKqunhGY7gbygF0bN8LMgWK_78N3LA@mail.gmail.com>
 <c7394dfd-3bbb-4cb7-9603-0ea83e378477@evolveum.com>
Message-ID: <CAE8MtZD3Nw1aC61KmzZAsG6-598HdkEj4UF-GWW7RSE+N==WmQ@mail.gmail.com>

Thanks Ivan,

constant is regrettably not sufficient i tried scripted expression:

<q:equal>
            <q:path>extension/effectiveEndDate</q:path>
            <expression>
            <script>
            <code>
            log.info("executing script in task");
            return "2027-02-20T00:00:00";
            </code>
            </script>
            </expression>
      </q:equal>

but although expression is accepted as valid it seems to be just ignored a
never executed in tasks searchFilter.

Required task should run at least once a day.


2016-12-02 13:13 GMT+01:00 Ivan Noris <ivan.noris at evolveum.com>:

> Hi Oskar,
>
> I was recently using something like this in search filter in recompute
> task:
>
>     <q:less>
>                                 <q:path>metadata/createTimestamp</q:path>
>                                 <q:value>2016-10-14</q:value>
>     </q:less>
>
> So maybe this could help for your attribute. I know, it's a constant, but
> it was sufficient for me. If you plan to run the recompute regularly, I
> hope others (Pavol?) may be able to help.
>
> Regards,
>
> Ivan
>
> On 12/02/2016 12:49 PM, Oskar Butovič - AMI Praha a.s. wrote:
>
> Hello everybody,
>
> I have extension attribute of type date in users.
> I need to recompute only users with this date attribute in past. Is it
> possible to do with standard handler somehow or do i need to write my own
> task handler for this?
>
> Best Regards
>
> Oskar Butovič
> --
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101
> e-mail: oskar.butovic at ami.cz
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
> [image: AMI Praha a.s.]
>
> [image: AMI Praha a.s.]
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
> písemnou formu.
>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>


-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161202/d11c66b4/attachment.htm>

From oskar.butovic at ami.cz  Fri Dec  2 14:29:40 2016
From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=)
Date: Fri, 2 Dec 2016 14:29:40 +0100
Subject: [midPoint] filter in Task deffinition actual date
In-Reply-To: <CAE8MtZD3Nw1aC61KmzZAsG6-598HdkEj4UF-GWW7RSE+N==WmQ@mail.gmail.com>
References: <CAE8MtZDq5BpvsJgU8cP+uKqunhGY7gbygF0bN8LMgWK_78N3LA@mail.gmail.com>
 <c7394dfd-3bbb-4cb7-9603-0ea83e378477@evolveum.com>
 <CAE8MtZD3Nw1aC61KmzZAsG6-598HdkEj4UF-GWW7RSE+N==WmQ@mail.gmail.com>
Message-ID: <CAE8MtZBu+_eVF6Xr1+53fMsx-ZG-OLt_yx8mtiYni4RMN7m3LQ@mail.gmail.com>

Hi.

Seems i have found solution using execute-script type action from samples
and midpoint.recompute method.

2016-12-02 13:36 GMT+01:00 Oskar Butovič - AMI Praha a.s. <
oskar.butovic at ami.cz>:

> Thanks Ivan,
>
> constant is regrettably not sufficient i tried scripted expression:
>
> <q:equal>
>             <q:path>extension/effectiveEndDate</q:path>
>             <expression>
>             <script>
>             <code>
>             log.info("executing script in task");
>             return "2027-02-20T00:00:00";
>             </code>
>             </script>
>             </expression>
>       </q:equal>
>
> but although expression is accepted as valid it seems to be just ignored a
> never executed in tasks searchFilter.
>
> Required task should run at least once a day.
>
>
> 2016-12-02 13:13 GMT+01:00 Ivan Noris <ivan.noris at evolveum.com>:
>
>> Hi Oskar,
>>
>> I was recently using something like this in search filter in recompute
>> task:
>>
>>     <q:less>
>>                                 <q:path>metadata/createTimestamp</q:path>
>>                                 <q:value>2016-10-14</q:value>
>>     </q:less>
>>
>> So maybe this could help for your attribute. I know, it's a constant, but
>> it was sufficient for me. If you plan to run the recompute regularly, I
>> hope others (Pavol?) may be able to help.
>>
>> Regards,
>>
>> Ivan
>>
>> On 12/02/2016 12:49 PM, Oskar Butovič - AMI Praha a.s. wrote:
>>
>> Hello everybody,
>>
>> I have extension attribute of type date in users.
>> I need to recompute only users with this date attribute in past. Is it
>> possible to do with standard handler somehow or do i need to write my own
>> task handler for this?
>>
>> Best Regards
>>
>> Oskar Butovič
>> --
>>
>> Oskar Butovič
>> solution architect
>>
>> gsm: [+420] 774 480 101
>> e-mail: oskar.butovic at ami.cz
>>
>>
>> AMI Praha a.s.
>> Pláničkova 11
>> 162 00 Praha 6
>> tel.: [+420] 274 783 239
>> web: www.ami.cz
>>
>>
>> [image: AMI Praha a.s.]
>>
>> [image: AMI Praha a.s.]
>> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>>
>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
>> společnost AMI Praha a.s.
>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
>> písemnou formu.
>>
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>> Ivan Noris
>> Senior Identity Engineerevolveum.com
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
> --
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101
> e-mail: oskar.butovic at ami.cz
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
> [image: AMI Praha a.s.]
>
> [image: AMI Praha a.s.]
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
> písemnou formu.
>
>


-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161202/03e3f161/attachment.htm>

From emir.ozbek at basistek.com  Fri Dec  2 14:54:11 2016
From: emir.ozbek at basistek.com (=?utf-8?q?Emir=20=c3=96zbek?=)
Date: Fri, 02 Dec 2016 13:54:11 +0000
Subject: [midPoint] Listing Users
Message-ID: <em0b6b2d73-c6ab-4a56-88df-981740e40429@dell001>

Hello everybody,

I am working on a project with a user list of 7302 users but when i 
import and run the .xml file , it closes while there are 630 or 690 
users. Also, i get this error message ; "Failed to reconciliation: 
java.lang.IllegalArgumentException: Expected class java.math.BigInteger 
type, but got class java.lang.Integer in inbound expression for 
{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}guzergah_id 
in resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3deee(Localhost DBTable)". I 
also have an .xsd file for extension attributes.

So my first question is, how should i resolve this error? Is it about 
the .xsd file or something else? And the second question ; is problem 
with the number of users (problem to reach 7302) has any connection with 
this error message? If not, what should i do to resolve it? I am using 
midpoint version 3.4.1. and sqljdbc 4.2.

This is my first project on midpoint so i am not much familiar with it, 
any help would be appreciated.

Thanks in advance,
Emir.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161202/455f85c5/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161202/455f85c5/attachment.png>

From martin.lizner at ami.cz  Sat Dec  3 14:29:42 2016
From: martin.lizner at ami.cz (=?UTF-8?Q?Martin_L=C3=ADzner_=2D_AMI_Praha_a=2Es=2E?=)
Date: Sat, 3 Dec 2016 14:29:42 +0100
Subject: [midPoint] Listing Users
In-Reply-To: <em0b6b2d73-c6ab-4a56-88df-981740e40429@dell001>
References: <em0b6b2d73-c6ab-4a56-88df-981740e40429@dell001>
Message-ID: <CALOh8eNZCzHS66AKvKoTkgG7+AYq2kVikSnJV23L_b6AwsJudQ@mail.gmail.com>

Hi, my guess is that you are using DabaseTable connector and you are trying
to fill custom attribute in user extended schema. This connector is not
very good at working with various column types, so my advice would be doing
everything in varchar/string. First try changing your custom attribute in
xsd to string type. If it does not help, change column type in DB or your
schema handling. M.

Martin Lízner
solution architect

gsm: [+420] 737 745 571
e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz



[image: AMI Praha a.s.] <http://www.skyidentity.com/>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.


2016-12-02 14:54 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:

> Hello everybody,
>
> I am working on a project with a user list of 7302 users but when i import
> and run the .xml file , it closes while there are 630 or 690 users. Also, i
> get this error message ; "*Failed to reconciliation:
> java.lang.IllegalArgumentException: Expected class java.math.BigInteger
> type, but got class java.lang.Integer in inbound expression for
> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3
> <http://midpoint.evolveum.com/xml/ns/public/resource/instance-3>}guzergah_id
> in resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3deee(Localhost DBTable)*". I
> also have an .xsd file for extension attributes.
>
> So my first question is, how should i resolve this error? Is it about the
> .xsd file or something else? And the second question ; is problem with the
> number of users (problem to reach 7302) has any connection with this
> error message? If not, what should i do to resolve it? I am using midpoint
> version 3.4.1. and sqljdbc 4.2.
>
> This is my first project on midpoint so i am not much familiar with it,
> any help would be appreciated.
>
> Thanks in advance,
> Emir.
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161203/386df1a0/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161203/386df1a0/attachment.png>

From wojciech.staszewski at diagnostyka.pl  Sat Dec  3 14:35:43 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Sat, 03 Dec 2016 14:35:43 +0100
Subject: [midPoint]  Simple question about password and Groovy
Message-ID: <3305789.H4NoNTgEcq@skygge-pc>

Hi!

How to pass password variable to Groovy script?

I have simple web application and almost configured "Table connector", 
everything is warking except setting passwords, which are simple MD5 hashes.
I made groovy script calculating MD5 hash and try to put this sctipt in 
outbound mapping. When I set static clear text as password variable it's work,
but how to get password from $user/credentials/password?
I was trying to use function "attributes.get()" but with no success.
Any help? Thank you!


From wojciech.staszewski at diagnostyka.pl  Sat Dec  3 19:20:01 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Sat, 03 Dec 2016 19:20:01 +0100
Subject: [midPoint] Simple question about password and Groovy
In-Reply-To: <3305789.H4NoNTgEcq@skygge-pc>
References: <3305789.H4NoNTgEcq@skygge-pc>
Message-ID: <2392379.sMcoMoKHMo@skygge-pc>

8 hours of studying documentations and mailing list archves and.... Got it!
   *** midpoint.getPlaintextUserPassword(user).toString() ***

The script (maybe it will be usable for someone else):

import java.security.MessageDigest
def digest = MessageDigest.getInstance("MD5")
def clearpass = midpoint.getPlaintextUserPassword(user).toString()
def md5pass = new 
BigInteger(1,digest.digest(clearpass.getBytes())).toString(16).padLeft(32,"0")
return md5pass

THANK YOU!

Dnia sobota, 3 grudnia 2016 14:35:43 CET Wojciech Staszewski pisze:
> Hi!
> 
> How to pass password variable to Groovy script?
> 
> I have simple web application and almost configured "Table connector",
> everything is working except setting passwords, which are simple MD5 hashes.
> I made groovy script calculating MD5 hash and try to put this sctipt in
> outbound mapping. When I set static clear text as password variable it's
> work, but how to get password from $user/credentials/password?
> I was trying to use function "attributes.get()" but with no success.
> Any help? Thank you!
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint



From emir.ozbek at basistek.com  Mon Dec  5 13:10:42 2016
From: emir.ozbek at basistek.com (=?utf-8?q?Emir=20=c3=96zbek?=)
Date: Mon, 05 Dec 2016 12:10:42 +0000
Subject: [midPoint] Ynt: Re:  Listing Users
In-Reply-To: <CALOh8eNZCzHS66AKvKoTkgG7+AYq2kVikSnJV23L_b6AwsJudQ@mail.gmail.com>
References: <em0b6b2d73-c6ab-4a56-88df-981740e40429@dell001>
 <CALOh8eNZCzHS66AKvKoTkgG7+AYq2kVikSnJV23L_b6AwsJudQ@mail.gmail.com>
Message-ID: <em145aff16-31e8-4e15-be0c-5a2adc8a736c@dell001>

Hi Martin,

I tried the solution you gave and changed all attribute types to string 
in xsd. As a result, it fixed the error but closed again while there are 
690 users. Now i do not get any error messages but still cannot reach to 
7302 users. Is there any other solution for this?

Thank you for your interest,
Emir.





------ Yanıtlanan İleti ------
Gönderen: "Martin Lízner - AMI Praha a.s." <martin.lizner at ami.cz>
Alıcı: "Emir Özbek" <emir.ozbek at basistek.com>; "midPoint General 
Discussion" <midpoint at lists.evolveum.com>
Tarih: 3.12.2016 16:29:42
Konu: Re: [midPoint] Listing Users

>Hi, my guess is that you are using DabaseTable connector and you are 
>trying to fill custom attribute in user extended schema. This connector 
>is not very good at working with various column types, so my advice 
>would be doing everything in varchar/string. First try changing your 
>custom attribute in xsd to string type. If it does not help, change 
>column type in DB or your schema handling. M.
>
>Martin Lízner
>solution architect
>
>gsm: [+420] 737 745 571
>e-mail: martin.lizner at ami.cz
>
>
>AMI Praha a.s.
>Pláničkova 11
>162 00 Praha 6
>tel.: [+420] 274 783 239
>web: www.ami.cz
>
>
>
>
>
>Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za 
>společnost AMI Praha a.s.
>jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít 
>výhradně písemnou formu.
>
>
>2016-12-02 14:54 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:
>>Hello everybody,
>>
>>I am working on a project with a user list of 7302 users but when i 
>>import and run the .xml file , it closes while there are 630 or 690 
>>users. Also, i get this error message ; "Failed to reconciliation: 
>>java.lang.IllegalArgumentException: Expected class 
>>java.math.BigInteger type, but got class java.lang.Integer in inbound 
>>expression for 
>>{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}guzergah_id 
>>in resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3deee(Localhost DBTable)". 
>>I also have an .xsd file for extension attributes.
>>
>>So my first question is, how should i resolve this error? Is it about 
>>the .xsd file or something else? And the second question ; is problem 
>>with the number of users (problem to reach 7302) has any connection 
>>with this error message? If not, what should i do to resolve it? I am 
>>using midpoint version 3.4.1. and sqljdbc 4.2.
>>
>>This is my first project on midpoint so i am not much familiar with 
>>it, any help would be appreciated.
>>
>>Thanks in advance,
>>Emir.
>>
>>
>>
>>
>>_______________________________________________
>>midPoint mailing list
>>midPoint at lists.evolveum.com
>>http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161205/8c10aba3/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161205/8c10aba3/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161205/8c10aba3/attachment-0001.png>

From martin.lizner at ami.cz  Mon Dec  5 21:51:36 2016
From: martin.lizner at ami.cz (=?UTF-8?Q?Martin_L=C3=ADzner_=2D_AMI_Praha_a=2Es=2E?=)
Date: Mon, 5 Dec 2016 21:51:36 +0100
Subject: [midPoint] Listing Users
In-Reply-To: <em145aff16-31e8-4e15-be0c-5a2adc8a736c@dell001>
References: <em0b6b2d73-c6ab-4a56-88df-981740e40429@dell001>
 <CALOh8eNZCzHS66AKvKoTkgG7+AYq2kVikSnJV23L_b6AwsJudQ@mail.gmail.com>
 <em145aff16-31e8-4e15-be0c-5a2adc8a736c@dell001>
Message-ID: <CALOh8ePvnw2z_Sf+_0_YRD6+qapTx7QBoruc0J41R09HzqCmHA@mail.gmail.com>

Hm, that could be almost anything as a problem :-/ Did you check idm.log? I
also suggest turning the trace on for org.identityconnectors.databasetable
package. There might be some wrong value on your 691st user.. but I cannot
see what may conflict with string type. Maybe try to narrow down the set of
attributes you are syncing from this table so you can limit the scope. Or
try creating new extended attribute - just to make sure there is no problem
with already stored values. M.


Martin Lízner
solution architect

gsm: [+420] 737 745 571
e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz



[image: AMI Praha a.s.] <http://www.skyidentity.com/>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.


2016-12-05 13:10 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:

> Hi Martin,
>
> I tried the solution you gave and changed all attribute types to string in
> xsd. As a result, it fixed the error but closed again while there are 690
> users. Now i do not get any error messages but still cannot reach to 7302
> users. Is there any other solution for this?
>
> Thank you for your interest,
> Emir.
>
>
>
>
>
> ------ Yanıtlanan İleti ------
> Gönderen: "Martin Lízner - AMI Praha a.s." <martin.lizner at ami.cz>
> Alıcı: "Emir Özbek" <emir.ozbek at basistek.com>; "midPoint General
> Discussion" <midpoint at lists.evolveum.com>
> Tarih: 3.12.2016 16:29:42
> Konu: Re: [midPoint] Listing Users
>
> Hi, my guess is that you are using DabaseTable connector and you are
> trying to fill custom attribute in user extended schema. This connector is
> not very good at working with various column types, so my advice would be
> doing everything in varchar/string. First try changing your custom
> attribute in xsd to string type. If it does not help, change column type in
> DB or your schema handling. M.
>
> Martin Lízner
> solution architect
>
> gsm: [+420] 737 745 571
> e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
>
> [image: AMI Praha a.s.] <http://www.skyidentity.com/>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
> písemnou formu.
>
>
> 2016-12-02 14:54 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:
>
>> Hello everybody,
>>
>> I am working on a project with a user list of 7302 users but when i
>> import and run the .xml file , it closes while there are 630 or 690 users.
>> Also, i get this error message ; "*Failed to reconciliation:
>> java.lang.IllegalArgumentException: Expected class java.math.BigInteger
>> type, but got class java.lang.Integer in inbound expression for
>> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3
>> <http://midpoint.evolveum.com/xml/ns/public/resource/instance-3>}guzergah_id
>> in resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3deee(Localhost DBTable)*". I
>> also have an .xsd file for extension attributes.
>>
>> So my first question is, how should i resolve this error? Is it about the
>> .xsd file or something else? And the second question ; is problem with the
>> number of users (problem to reach 7302) has any connection with this
>> error message? If not, what should i do to resolve it? I am using midpoint
>> version 3.4.1. and sqljdbc 4.2.
>>
>> This is my first project on midpoint so i am not much familiar with it,
>> any help would be appreciated.
>>
>> Thanks in advance,
>> Emir.
>>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161205/2466b533/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161205/2466b533/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161205/2466b533/attachment-0001.png>

From legeech at inbox.ru  Tue Dec  6 08:27:36 2016
From: legeech at inbox.ru (=?UTF-8?B?b2xlZyBva3VuZXY=?=)
Date: Tue, 06 Dec 2016 10:27:36 +0300
Subject: [midPoint] =?utf-8?q?Problem_with_Russian_Names_in_ORG?=
In-Reply-To: <c3e0717b-bc86-6f95-4808-9918e2fb7455@evolveum.com>
References: <1480022316394.48440@rmit.ee> <1480665526.501852048@f372.i.mail.ru>
 <c3e0717b-bc86-6f95-4808-9918e2fb7455@evolveum.com>
Message-ID: <1481009256.894536747@f186.i.mail.ru>

okey...
may be you can help with loop in expression:

<source>
<c:path>$user/description</c:path>
</source>
<expression>
<script>
<code>
ar1 = new ArrayList ('test1','test2')
ar2 = new ArrayList ('replacetest1', 'replacetest2')

for( i = 0; i < ar1.size() ; i++)
{
description= description.replace(ar1[i],ar2[i]);
}
return description

</code>
</script>
</expression>
<target>
<c:path>$user/description</c:path>
</target>
But it show error  element parse error: Error: invalid tagName

Whats wrong?
may be it helps me with translit


>Пятница,  2 декабря 2016, 11:39 +03:00 от Radovan Semancik <radovan.semancik at evolveum.com>:
>
>Hi,
>
>There is no easy way.
>
>The normalization was originally intended for international
      alphabet support. E.g. it was expected that we could transliterate
      cyrillic words to latin. However, currently alphabets of all the
      midpoint subscribers are latin-based. Therefore current midPoint
      normalizer only support conversion of latin-based national
      characters and the cyrillic transliteration was never implemented.
      And currently we have other development priorities. Our priorities
      are focused on improving the life of midPoint subscribers.
      Therefore unless we get any substantial subscription from the
      non-latin-based customer we have no plans to change that. I'm
      sorry.
>
>-- 
Radovan Semancik
Software Architect
evolveum.com
>
>On 12/02/2016 08:58 AM, oleg okunev wrote:
>>Morning!
>>
>>i have successefully test OrgSync Story Test... with English
      names 
>>
>>BUT
>>when i begin test with russian names i get problem!
>>
>>Conflicting object already exists (violated constraint
        'uc_org_name')(orgType=PPV(String:replicated);
{ http://midpoint.evolveum.com/xml/ns/story/orgsync/ext }orgpath=PPV(String: Фольклёр/Сказки ); ) 
>>in expression in mapping 'Org-org mapping' in
        objectTemplate:10000000-0000-0000-0000-000000000231(Org
        Template)
>>
>>midpoint save first org " Сторонние Организации  "
        and make name_norm only space or just empty 
>>so all next names trying to create get same emty name_norm and
        fail to create(((
>>
>>is any way to fix that?????
>>
>>
>>costcenter | displayorder | locality_norm          |
        locality_orig                     | name_norm | name_orig    |
        tenant | oid
>>------------+--------------+------------------------------+-------------------------------+-----------+------------------------------------+--------+--------------------------------------
>>                |                  |                            
                  |                                        | p0002    
         | P0002                                 |            |
        00000000-8888-6666-0000-200000000002
>>black       |                  |                                
              |                                         |                 | Сторонние
            Организации  |            |
        040346cb-88ce-4012-8d52-93eb1e1d2a4f
>>black       |                  |                                
              |                                        |child          |
        CHILD                                | f          |
        2681372b-3a8b-442d-861c-fc6fa0229471
>>                |                  |                            
                  |                                        |ibpm test  
        | IBPM Test                          |            |
        828586f3-1444-42b9-b11a-e012c066099b
>>                |                  |                            
                  |                                        |abbwin    
         | ABB-WIN                           |            |
        f226c7be-dad5-4415-b4f7-d987fb3856bd
>>                |                  |       kazan                
             | Kazan                            | fil               | Домен FIL                         |            |
        e62d247f-bd94-425a-9d82-63927de5b569
>>------------+--------------+------------------------------+-------------------------------+-----------+-----------------------+--------+-------------------------------------- P.S. " Домен FIL " became " fil". midpoint erase all
      russian letters.
>>
>>_______________________________________________
midPoint mailing list
>>midPoint at lists.evolveum.com
>>http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>_______________________________________________
>midPoint mailing list
>midPoint at lists.evolveum.com
>http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/69c96ce5/attachment.htm>

From mederly at evolveum.com  Tue Dec  6 09:07:35 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Tue, 6 Dec 2016 09:07:35 +0100
Subject: [midPoint] Problem with Russian Names in ORG
In-Reply-To: <1481009256.894536747@f186.i.mail.ru>
References: <1480022316394.48440@rmit.ee> <1480665526.501852048@f372.i.mail.ru>
 <c3e0717b-bc86-6f95-4808-9918e2fb7455@evolveum.com>
 <1481009256.894536747@f186.i.mail.ru>
Message-ID: <577b3cce-4dd8-0135-68f0-debf8a7855b0@evolveum.com>

Oleg,

first thing that catches my eye is:

"i < ar1.size()"

In order to provide correct XML you have to escape the "<" char:

i &lt; ar1.size()

Regards,

Pavol Mederly
Software developer
evolveum.com

On 06.12.2016 8:27, oleg okunev wrote:
> okey...
> may be you can help with loop in expression:
>
> <source>
> <c:path>$user/description</c:path>
> </source>
>
> <expression>
> <script>
> <code>
> ar1 = new ArrayList ('test1','test2')
> ar2 = new ArrayList ('replacetest1', 'replacetest2')
>
> for( i = 0; i < ar1.size() ; i++)
> {
> description= description.replace(ar1[i],ar2[i]);
> }
> return description
>
> </code>
> </script>
> </expression>
>
> <target>
> <c:path>$user/description</c:path>
> </target>
>
>
> But it show error *element parse error: Error: invalid tagName*
>
> Whats wrong?
> may be it helps me with translit
>
>
>     Пятница, 2 декабря 2016, 11:39 +03:00 от Radovan Semancik
>     <radovan.semancik at evolveum.com>:
>
>     Hi,
>
>     There is no easy way.
>
>     The normalization was originally intended for international
>     alphabet support. E.g. it was expected that we could transliterate
>     cyrillic words to latin. However, currently alphabets of all the
>     midpoint subscribers are latin-based. Therefore current midPoint
>     normalizer only support conversion of latin-based national
>     characters and the cyrillic transliteration was never implemented.
>     And currently we have other development priorities. Our priorities
>     are focused on improving the life of midPoint subscribers.
>     Therefore unless we get any substantial subscription from the
>     non-latin-based customer we have no plans to change that. I'm sorry.
>
>     -- 
>     Radovan Semancik
>     Software Architect
>     evolveum.com
>
>
>
>     On 12/02/2016 08:58 AM, oleg okunev wrote:
>>     Morning!
>>
>>     i have successefully test OrgSync Story Test... with English names
>>
>>     BUT
>>     when i begin test with russian names i get problem!
>>
>>     Conflicting object already exists (violated constraint
>>     'uc_org_name')(orgType=PPV(String:replicated);
>>     {http://midpoint.evolveum.com/xml/ns/story/orgsync/ext}orgpath=PPV(String:*Фольклёр/Сказки*);
>>     )
>>     in expression in mapping 'Org-org mapping' in
>>     objectTemplate:10000000-0000-0000-0000-000000000231(Org Template)
>>
>>     midpoint save first org "*Сторонние Организации* " and make
>>     name_norm only space or just empty
>>     so all next names trying to create get same emty name_norm and
>>     fail to create(((
>>
>>     *is any way to fix that?????*
>>
>>
>>     costcenter | displayorder | locality_norm  | locality_orig      
>>                   | name_norm | name_orig    | tenant | oid
>>     ------------+--------------+------------------------------+-------------------------------+-----------+------------------------------------+--------+--------------------------------------
>>                     |                  |                       |    
>>            | p0002      | P0002             |            |
>>     00000000-8888-6666-0000-200000000002
>>     black       |                  |                   | *|        
>>     |* *Сторонние Организации*  |            |
>>     040346cb-88ce-4012-8d52-93eb1e1d2a4f
>>     black       |                  |                   |    
>>        |child          | CHILD          | f          |
>>     2681372b-3a8b-442d-861c-fc6fa0229471
>>                     |                  |                       |    
>>            |ibpm test   | IBPM Test          |            |
>>     828586f3-1444-42b9-b11a-e012c066099b
>>                     |                  |                       |    
>>            |abbwin      | ABB-WIN         |            |
>>     f226c7be-dad5-4415-b4f7-d987fb3856bd
>>                     |                  |       kazan                
>>      | Kazan  |*fil *           | *Домен FIL *                      
>>     |            | e62d247f-bd94-425a-9d82-63927de5b569
>>
>>     ------------+--------------+------------------------------+-------------------------------+-----------+-----------------------+--------+--------------------------------------
>>
>>     P.S. "*Домен FIL*" became " fil". midpoint erase all russian
>>     letters.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/b1aff431/attachment.htm>

From ivan.noris at evolveum.com  Tue Dec  6 09:26:43 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Tue, 6 Dec 2016 09:26:43 +0100
Subject: [midPoint] Problem with Russian Names in ORG
In-Reply-To: <1481009256.894536747@f186.i.mail.ru>
References: <1480022316394.48440@rmit.ee> <1480665526.501852048@f372.i.mail.ru>
 <c3e0717b-bc86-6f95-4808-9918e2fb7455@evolveum.com>
 <1481009256.894536747@f186.i.mail.ru>
Message-ID: <d8556d69-23ce-d4cc-44a6-8d889e8964f1@evolveum.com>

Hi Oleg,

as Pavol already said, the main problem was the "<" character which must
be escaped. This was quite invisible even for me.

I was able to rewrite your expression part to be more "groovy":

(source and target are as before)


tmp = basic.stringify(description)
ar1 = ['test1', 'test2']
ar2 = ['replace1', 'replace2']
for( i = 0; i &lt; ar1.size() ; i++)
{
tmp = tmp?.replace(ar1[i],ar2[i]);
}
return tmp

And it seems to work:

before: abc test1 def test2

after: abc replace1 def replace2

Regards,

Ivan


On 12/06/2016 08:27 AM, oleg okunev wrote:
> okey...
> may be you can help with loop in expression:
>
> <source>
> <c:path>$user/description</c:path>
> </source>
>
> <expression>
> <script>
> <code>
> ar1 = new ArrayList ('test1','test2')
> ar2 = new ArrayList ('replacetest1', 'replacetest2')
>
> for( i = 0; i < ar1.size() ; i++)
> {
> description= description.replace(ar1[i],ar2[i]);
> }
> return description
>
> </code>
> </script>
> </expression>
>
> <target>
> <c:path>$user/description</c:path>
> </target>
>
>
> But it show error *element parse error: Error: invalid tagName*
>
> Whats wrong?
> may be it helps me with translit
>
>
>     Пятница, 2 декабря 2016, 11:39 +03:00 от Radovan Semancik
>     <radovan.semancik at evolveum.com>:
>
>     Hi,
>
>     There is no easy way.
>
>     The normalization was originally intended for international
>     alphabet support. E.g. it was expected that we could transliterate
>     cyrillic words to latin. However, currently alphabets of all the
>     midpoint subscribers are latin-based. Therefore current midPoint
>     normalizer only support conversion of latin-based national
>     characters and the cyrillic transliteration was never implemented.
>     And currently we have other development priorities. Our priorities
>     are focused on improving the life of midPoint subscribers.
>     Therefore unless we get any substantial subscription from the
>     non-latin-based customer we have no plans to change that. I'm sorry.
>
>     -- 
>     Radovan Semancik
>     Software Architect
>     evolveum.com
>
>
>
>     On 12/02/2016 08:58 AM, oleg okunev wrote:
>>     Morning!
>>
>>     i have successefully test OrgSync Story Test... with English names 
>>
>>     BUT
>>     when i begin test with russian names i get problem!
>>
>>     Conflicting object already exists (violated constraint
>>     'uc_org_name')(orgType=PPV(String:replicated);
>>     {http://midpoint.evolveum.com/xml/ns/story/orgsync/ext}orgpath=PPV(String:*Фольклёр/Сказки*);
>>     )
>>     in expression in mapping 'Org-org mapping' in
>>     objectTemplate:10000000-0000-0000-0000-000000000231(Org Template)
>>
>>     midpoint save first org "*Сторонние Организации* " and make
>>     name_norm only space or just empty 
>>     so all next names trying to create get same emty name_norm and
>>     fail to create(((
>>
>>     *is any way to fix that?????*
>>
>>
>>     costcenter | displayorder | locality_norm          |
>>     locality_orig                     | name_norm | name_orig    |
>>     tenant | oid
>>     ------------+--------------+------------------------------+-------------------------------+-----------+------------------------------------+--------+--------------------------------------
>>                     |                  |                            
>>               |                                        | p0002      |
>>     P0002                                 |            |
>>     00000000-8888-6666-0000-200000000002
>>     black       |                  |                                
>>           |                                        *|                
>>     |* *Сторонние Организации*  |            |
>>     040346cb-88ce-4012-8d52-93eb1e1d2a4f
>>     black       |                  |                                
>>           |                                        |child          |
>>     CHILD                                | f          |
>>     2681372b-3a8b-442d-861c-fc6fa0229471
>>                     |                  |                            
>>               |                                        |ibpm test   |
>>     IBPM Test                          |            |
>>     828586f3-1444-42b9-b11a-e012c066099b
>>                     |                  |                            
>>               |                                        |abbwin      |
>>     ABB-WIN                           |            |
>>     f226c7be-dad5-4415-b4f7-d987fb3856bd
>>                     |                  |       kazan                
>>          | Kazan                            |*fil  *             |
>>     *Домен FIL  *                       |            |
>>     e62d247f-bd94-425a-9d82-63927de5b569
>>
>>     ------------+--------------+------------------------------+-------------------------------+-----------+-----------------------+--------+--------------------------------------
>>
>>     P.S. "*Домен FIL*" became " fil". midpoint erase all russian
>>     letters.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/85620290/attachment.htm>

From legeech at inbox.ru  Tue Dec  6 10:18:13 2016
From: legeech at inbox.ru (=?UTF-8?B?b2xlZyBva3VuZXY=?=)
Date: Tue, 06 Dec 2016 12:18:13 +0300
Subject: [midPoint] =?utf-8?q?Problem_with_Russian_Names_in_ORG?=
In-Reply-To: <d8556d69-23ce-d4cc-44a6-8d889e8964f1@evolveum.com>
References: <1480022316394.48440@rmit.ee> <1481009256.894536747@f186.i.mail.ru>
 <d8556d69-23ce-d4cc-44a6-8d889e8964f1@evolveum.com>
Message-ID: <1481015893.172582480@f161.i.mail.ru>

Thanks! it works

and helps with my question.
i think it will be helpfull for you 

for test i used this code

<mapping>
<source>
<c:path>$user/description</c:path>
</source>
<expression>
<script>
<code>
tmp = basic.stringify(description)
myru =['Я','я','Ю','ю','Ч','ч','Ш','ш','Щ','щ','Ж','ж','А','а','Б','б','В','в','Г','г','Д','д','Е','е','Ё','ё','З','з','И','и','Й','й','К','к','Л','л','М','м','Н','н', 'О','о','П','п','Р','р','С','с','Т','т','У','у','Ф','ф','Х','х','Ц','ц','Ы','ы','Ь','ь','Ъ','ъ','Э','э']
myen =['Ya','ya','Yu','yu','Ch','ch','Sh','sh','Sh','sh','Zh','zh','A','a','B','b','V','v','G','g','D','d','E','e','E','e','Z','z','I','i','J','j','K','k','L','l','M','m','N','n', 'O','o','P','p','R','r','S','s','T','t','U','u','F','f','H','h','C','c','Y','y','`','`','\'','\'','E', 'e']
for( i = 0; i &lt; myru.size() ; i++)
{
tmp = tmp?.replace(myru[i],myen[i]);
}
return tmp
</code>
</script>
</expression>
<target>
<c:path>$user/costCenter</c:path>
</target>
</mapping>

and
description       Иванов Иван Иванович
became
costCenter       Ivanov Ivan Ivanovich

But one more question - is it possible to rewrite some attribute?
first i test source and target the same and it get no effect(


>Вторник,  6 декабря 2016, 11:26 +03:00 от Ivan Noris <ivan.noris at evolveum.com>:
>
>Hi Oleg,
>as Pavol already said, the main problem was the "<" character
      which must be escaped. This was quite invisible even for me.
>I was able to rewrite your expression part to be more "groovy":
>(source and target are as before)
>
>tmp = basic.stringify(description)
>ar1 = ['test1', 'test2']
>ar2 = ['replace1', 'replace2']
>for( i = 0; i &lt; ar1.size() ; i++)
>{
>tmp = tmp?.replace(ar1[i],ar2[i]);
>}
>return tmp
>And it seems to work:
>before: abc test1 def test2
>after: abc replace1 def replace2
>Regards,
>Ivan
>
>On 12/06/2016 08:27 AM, oleg okunev
      wrote:
>>okey...
>>may be you can help with loop in expression:
>>
>><source>
>><c:path>$user/description</c:path>
>></source>
>><expression>
>><script>
>><code>
>>ar1 = new ArrayList ('test1','test2')
>>ar2 = new ArrayList ('replacetest1', 'replacetest2')
>>
>>for( i = 0; i < ar1.size() ; i++)
>>{
>>description= description.replace(ar1[i],ar2[i]);
>>}
>>return description
>>
>></code>
>></script>
>></expression>
>><target>
>><c:path>$user/description</c:path>
>></target>
>>But it show error  element parse error: Error: invalid
        tagName
>>
>>Whats wrong?
>>may be it helps me with translit
>>
>>
>>>Пятница, 2 декабря 2016, 11:39 +03:00 от
        Radovan Semancik  <radovan.semancik at evolveum.com> :
>>>
>>>Hi,
>>>
>>>There is no easy way.
>>>
>>>The normalization was originally intended for
                  international alphabet support. E.g. it was expected
                  that we could transliterate cyrillic words to latin.
                  However, currently alphabets of all the midpoint
                  subscribers are latin-based. Therefore current
                  midPoint normalizer only support conversion of
                  latin-based national characters and the cyrillic
                  transliteration was never implemented. And currently
                  we have other development priorities. Our priorities
                  are focused on improving the life of midPoint
                  subscribers. Therefore unless we get any substantial
                  subscription from the non-latin-based customer we have
                  no plans to change that. I'm sorry.
>>>
>>>-- 
Radovan Semancik
Software Architect
evolveum.com
>>>
>>>On 12/02/2016 08:58 AM, oleg okunev wrote:
>>>>Morning!
>>>>
>>>>i have successefully test OrgSync Story Test... with
                  English names 
>>>>
>>>>BUT
>>>>when i begin test with russian names i get problem!
>>>>
>>>>Conflicting object already exists (violated
                    constraint
                    'uc_org_name')(orgType=PPV(String:replicated);
                    { http://midpoint.evolveum.com/xml/ns/story/orgsync/ext }orgpath=PPV(String: Фольклёр/Сказки );
                    ) 
>>>>in expression in mapping 'Org-org mapping' in
                    objectTemplate:10000000-0000-0000-0000-000000000231(Org
                    Template)
>>>>
>>>>midpoint save first org " Сторонние
                        Организации  " and make name_norm
                    only space or just empty 
>>>>so all next names trying to create get same emty
                    name_norm and fail to create(((
>>>>
>>>>is any way to fix that?????
>>>>
>>>>
>>>>costcenter | displayorder | locality_norm        
                     | locality_orig                     | name_norm |
                    name_orig    | tenant | oid
>>>>------------+--------------+------------------------------+-------------------------------+-----------+------------------------------------+--------+--------------------------------------
>>>>                |                  |                
                                          |                            
                               | p0002      | P0002                    
                                |            |
                    00000000-8888-6666-0000-200000000002
>>>>black       |                  |                    
                                      |                                
                            |        
                                | Сторонние
                        Организации  |            |
                    040346cb-88ce-4012-8d52-93eb1e1d2a4f
>>>>black       |                  |                    
                                      |                                
                           |child          | CHILD                      
                             | f          |
                    2681372b-3a8b-442d-861c-fc6fa0229471
>>>>                |                  |                
                                          |                            
                               |ibpm test   | IBPM Test                
                             |            |
                    828586f3-1444-42b9-b11a-e012c066099b
>>>>                |                  |                
                                          |                            
                               |abbwin      | ABB-WIN                  
                            |            |
                    f226c7be-dad5-4415-b4f7-d987fb3856bd
>>>>                |                  |       kazan    
                                     | Kazan                          
                     | fil
                                      |  Домен FIL                         |            |
                    e62d247f-bd94-425a-9d82-63927de5b569
>>>>------------+--------------+------------------------------+-------------------------------+-----------+-----------------------+--------+-------------------------------------- P.S. " Домен FIL "
                  became " fil". midpoint erase all russian letters. 
>>>>
>>>>_______________________________________________
midPoint mailing list
>>>>midPoint at lists.evolveum.com
>>>>http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>_______________________________________________
>>>midPoint mailing list
>>>midPoint at lists.evolveum.com
>>>http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>_______________________________________________
midPoint mailing list
>>midPoint at lists.evolveum.com
>>http://lists.evolveum.com/mailman/listinfo/midpoint
>
>-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
>_______________________________________________
>midPoint mailing list
>midPoint at lists.evolveum.com
>http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/22b710c1/attachment.htm>

From ivan.noris at evolveum.com  Tue Dec  6 10:38:20 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Tue, 6 Dec 2016 10:38:20 +0100
Subject: [midPoint] Problem with Russian Names in ORG
In-Reply-To: <1481015893.172582480@f161.i.mail.ru>
References: <1480022316394.48440@rmit.ee> <1481009256.894536747@f186.i.mail.ru>
 <d8556d69-23ce-d4cc-44a6-8d889e8964f1@evolveum.com>
 <1481015893.172582480@f161.i.mail.ru>
Message-ID: <ae38d350-a7ee-3310-cb0c-1c86652972ad@evolveum.com>

Hi Oleg,

try to set <strength>strong</strength> for that mapping. I did that.

Ivan


On 12/06/2016 10:18 AM, oleg okunev wrote:
> Thanks! it works
>
> and helps with my question.
> i think it will be helpfull for you 
>
> for test i used this code
>
> <mapping>
> <source>
> <c:path>$user/description</c:path>
> </source>
> <expression>
> <script>
> <code>
> tmp = basic.stringify(description)
> myru
> =['Я','я','Ю','ю','Ч','ч','Ш','ш','Щ','щ','Ж','ж','А','а','Б','б','В','в','Г','г','Д','д','Е','е','Ё','ё','З','з','И','и','Й','й','К','к','Л','л','М','м','Н','н',
> 'О','о','П','п','Р','р','С','с','Т','т','У','у','Ф','ф','Х','х','Ц','ц','Ы','ы','Ь','ь','Ъ','ъ','Э','э']
> myen
> =['Ya','ya','Yu','yu','Ch','ch','Sh','sh','Sh','sh','Zh','zh','A','a','B','b','V','v','G','g','D','d','E','e','E','e','Z','z','I','i','J','j','K','k','L','l','M','m','N','n',
> 'O','o','P','p','R','r','S','s','T','t','U','u','F','f','H','h','C','c','Y','y','`','`','\'','\'','E',
> 'e']
> for( i = 0; i &lt; myru.size() ; i++)
> {
> tmp = tmp?.replace(myru[i],myen[i]);
> }
> return tmp
> </code>
> </script>
> </expression>
> <target>
> <c:path>$user/costCenter</c:path>
> </target>
> </mapping>
>
>
>
> and
> description       Иванов Иван Иванович
> became
> costCenter       Ivanov Ivan Ivanovich
>
> *But one more question - is it possible to rewrite some attribute?
> *first i test source and target the same and it get no effect(
>
>
>     Вторник, 6 декабря 2016, 11:26 +03:00 от Ivan Noris
>     <ivan.noris at evolveum.com>:
>
>     Hi Oleg,
>
>     as Pavol already said, the main problem was the "<" character
>     which must be escaped. This was quite invisible even for me.
>
>     I was able to rewrite your expression part to be more "groovy":
>
>     (source and target are as before)
>
>
>     tmp = basic.stringify(description)
>     ar1 = ['test1', 'test2']
>     ar2 = ['replace1', 'replace2']
>     for( i = 0; i &lt; ar1.size() ; i++)
>     {
>     tmp = tmp?.replace(ar1[i],ar2[i]);
>     }
>     return tmp
>
>     And it seems to work:
>
>     before: abc test1 def test2
>
>     after: abc replace1 def replace2
>
>     Regards,
>
>     Ivan
>
>
>     On 12/06/2016 08:27 AM, oleg okunev wrote:
>>     okey...
>>     may be you can help with loop in expression:
>>
>>     <source>
>>     <c:path>$user/description</c:path>
>>     </source>
>>
>>     <expression>
>>     <script>
>>     <code>
>>     ar1 = new ArrayList ('test1','test2')
>>     ar2 = new ArrayList ('replacetest1', 'replacetest2')
>>
>>     for( i = 0; i < ar1.size() ; i++)
>>     {
>>     description= description.replace(ar1[i],ar2[i]);
>>     }
>>     return description
>>
>>     </code>
>>     </script>
>>     </expression>
>>
>>     <target>
>>     <c:path>$user/description</c:path>
>>     </target>
>>
>>
>>     But it show error *element parse error: Error: invalid tagName*
>>
>>     Whats wrong?
>>     may be it helps me with translit
>>
>>
>>         Пятница, 2 декабря 2016, 11:39 +03:00 от Radovan Semancik
>>         <radovan.semancik at evolveum.com>
>>         <mailto:radovan.semancik at evolveum.com>:
>>
>>         Hi,
>>
>>         There is no easy way.
>>
>>         The normalization was originally intended for international
>>         alphabet support. E.g. it was expected that we could
>>         transliterate cyrillic words to latin. However, currently
>>         alphabets of all the midpoint subscribers are latin-based.
>>         Therefore current midPoint normalizer only support conversion
>>         of latin-based national characters and the cyrillic
>>         transliteration was never implemented. And currently we have
>>         other development priorities. Our priorities are focused on
>>         improving the life of midPoint subscribers. Therefore unless
>>         we get any substantial subscription from the non-latin-based
>>         customer we have no plans to change that. I'm sorry.
>>
>>         -- 
>>         Radovan Semancik
>>         Software Architect
>>         evolveum.com
>>
>>
>>
>>         On 12/02/2016 08:58 AM, oleg okunev wrote:
>>>         Morning!
>>>
>>>         i have successefully test OrgSync Story Test... with English
>>>         names 
>>>
>>>         BUT
>>>         when i begin test with russian names i get problem!
>>>
>>>         Conflicting object already exists (violated constraint
>>>         'uc_org_name')(orgType=PPV(String:replicated);
>>>         {http://midpoint.evolveum.com/xml/ns/story/orgsync/ext}orgpath=PPV(String:*Фольклёр/Сказки*);
>>>         )
>>>         in expression in mapping 'Org-org mapping' in
>>>         objectTemplate:10000000-0000-0000-0000-000000000231(Org
>>>         Template)
>>>
>>>         midpoint save first org "*Сторонние Организации* " and make
>>>         name_norm only space or just empty 
>>>         so all next names trying to create get same emty name_norm
>>>         and fail to create(((
>>>
>>>         *is any way to fix that?????*
>>>
>>>
>>>         costcenter | displayorder | locality_norm          |
>>>         locality_orig                     | name_norm | name_orig  
>>>          | tenant | oid
>>>         ------------+--------------+------------------------------+-------------------------------+-----------+------------------------------------+--------+--------------------------------------
>>>                         |                  |                        
>>>                       |                                        |
>>>         p0002      | P0002                                 |        
>>>            | 00000000-8888-6666-0000-200000000002
>>>         black       |                  |                            
>>>                   |                                        *|      
>>>                   |* *Сторонние Организации*  |            |
>>>         040346cb-88ce-4012-8d52-93eb1e1d2a4f
>>>         black       |                  |                            
>>>                   |                                        |child  
>>>                | CHILD                                | f          |
>>>         2681372b-3a8b-442d-861c-fc6fa0229471
>>>                         |                  |                        
>>>                       |                                        |ibpm
>>>         test   | IBPM Test                          |            |
>>>         828586f3-1444-42b9-b11a-e012c066099b
>>>                         |                  |                        
>>>                       |                                      
>>>          |abbwin      | ABB-WIN                           |        
>>>            | f226c7be-dad5-4415-b4f7-d987fb3856bd
>>>                         |                  |       kazan            
>>>                  | Kazan                            |*fil  *        
>>>             | *Домен FIL  *                       |            |
>>>         e62d247f-bd94-425a-9d82-63927de5b569
>>>
>>>         ------------+--------------+------------------------------+-------------------------------+-----------+-----------------------+--------+--------------------------------------
>>>
>>>         P.S. "*Домен FIL*" became " fil". midpoint erase all russian
>>>         letters.
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com
>>>         <//e.mail.ru/compose/?mailto=mailto%3amidPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com
>>         <//e.mail.ru/compose/?mailto=mailto%3amidPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>     Ivan Noris
>     Senior Identity Engineer
>     evolveum.com
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/9cd93a33/attachment.htm>

From emir.ozbek at basistek.com  Tue Dec  6 15:14:51 2016
From: emir.ozbek at basistek.com (=?utf-8?q?Emir=20=c3=96zbek?=)
Date: Tue, 06 Dec 2016 14:14:51 +0000
Subject: [midPoint] Ynt: Re: Re:  Listing Users
In-Reply-To: <CALOh8ePvnw2z_Sf+_0_YRD6+qapTx7QBoruc0J41R09HzqCmHA@mail.gmail.com>
References: <em0b6b2d73-c6ab-4a56-88df-981740e40429@dell001>
 <CALOh8eNZCzHS66AKvKoTkgG7+AYq2kVikSnJV23L_b6AwsJudQ@mail.gmail.com>
 <em145aff16-31e8-4e15-be0c-5a2adc8a736c@dell001>
 <CALOh8ePvnw2z_Sf+_0_YRD6+qapTx7QBoruc0J41R09HzqCmHA@mail.gmail.com>
Message-ID: <em2e8079dc-a32e-4f49-8b72-3ea3bac374f4@dell001>

So I checked the table, and recognized that the column (say column1) 
which I was using as "key column" is empty for 691st user. Then I 
assigned another column (column2) as the key column just to see if that 
empty box was the problem. And yes, that is the problem. But I must use 
column1 as the key column.

In this case, is there a way to skip an empty value and continue listing 
without system being closed?





------ Yanıtlanan İleti ------
Gönderen: "Martin Lízner - AMI Praha a.s." <martin.lizner at ami.cz>
Alıcı: "Emir Özbek" <emir.ozbek at basistek.com>
Bilgilendir: "midPoint General Discussion" <midpoint at lists.evolveum.com>
Tarih: 5.12.2016 23:51:36
Konu: Re: Re: [midPoint] Listing Users

>Hm, that could be almost anything as a problem :-/ Did you check 
>idm.log? I also suggest turning the trace on for 
>org.identityconnectors.databasetable package. There might be some wrong 
>value on your 691st user.. but I cannot see what may conflict with 
>string type. Maybe try to narrow down the set of attributes you are 
>syncing from this table so you can limit the scope. Or try creating new 
>extended attribute - just to make sure there is no problem with already 
>stored values. M.
>
>
>Martin Lízner
>solution architect
>
>gsm: [+420] 737 745 571
>e-mail: martin.lizner at ami.cz
>
>
>AMI Praha a.s.
>Pláničkova 11
>162 00 Praha 6
>tel.: [+420] 274 783 239
>web: www.ami.cz
>
>
>
>
>
>Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za 
>společnost AMI Praha a.s.
>jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít 
>výhradně písemnou formu.
>
>
>2016-12-05 13:10 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:
>>Hi Martin,
>>
>>I tried the solution you gave and changed all attribute types to 
>>string in xsd. As a result, it fixed the error but closed again while 
>>there are 690 users. Now i do not get any error messages but still 
>>cannot reach to 7302 users. Is there any other solution for this?
>>
>>Thank you for your interest,
>>Emir.
>>
>>
>>
>>
>>
>>------ Yanıtlanan İleti ------
>>Gönderen: "Martin Lízner - AMI Praha a.s." <martin.lizner at ami.cz>
>>Alıcı: "Emir Özbek" <emir.ozbek at basistek.com>; "midPoint General 
>>Discussion" <midpoint at lists.evolveum.com>
>>Tarih: 3.12.2016 16:29:42
>>Konu: Re: [midPoint] Listing Users
>>
>>>Hi, my guess is that you are using DabaseTable connector and you are 
>>>trying to fill custom attribute in user extended schema. This 
>>>connector is not very good at working with various column types, so 
>>>my advice would be doing everything in varchar/string. First try 
>>>changing your custom attribute in xsd to string type. If it does not 
>>>help, change column type in DB or your schema handling. M.
>>>
>>>Martin Lízner
>>>solution architect
>>>
>>>gsm: [+420] 737 745 571
>>>e-mail: martin.lizner at ami.cz
>>>
>>>
>>>AMI Praha a.s.
>>>Pláničkova 11
>>>162 00 Praha 6
>>>tel.: [+420] 274 783 239
>>>web: www.ami.cz
>>>
>>>
>>>
>>>
>>>
>>>Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za 
>>>společnost AMI Praha a.s.
>>>jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít 
>>>výhradně písemnou formu.
>>>
>>>
>>>2016-12-02 14:54 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:
>>>>Hello everybody,
>>>>
>>>>I am working on a project with a user list of 7302 users but when i 
>>>>import and run the .xml file , it closes while there are 630 or 690 
>>>>users. Also, i get this error message ; "Failed to reconciliation: 
>>>>java.lang.IllegalArgumentException: Expected class 
>>>>java.math.BigInteger type, but got class java.lang.Integer in 
>>>>inbound expression for 
>>>>{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}guzergah_id 
>>>>in resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3deee(Localhost 
>>>>DBTable)". I also have an .xsd file for extension attributes.
>>>>
>>>>So my first question is, how should i resolve this error? Is it 
>>>>about the .xsd file or something else? And the second question ; is 
>>>>problem with the number of users (problem to reach 7302) has any 
>>>>connection with this error message? If not, what should i do to 
>>>>resolve it? I am using midpoint version 3.4.1. and sqljdbc 4.2.
>>>>
>>>>This is my first project on midpoint so i am not much familiar with 
>>>>it, any help would be appreciated.
>>>>
>>>>Thanks in advance,
>>>>Emir.
>>>>
>>>>
>>>>
>>>>
>>>>_______________________________________________
>>>>midPoint mailing list
>>>>midPoint at lists.evolveum.com
>>>>http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/b60ffa0a/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/b60ffa0a/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/b60ffa0a/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/b60ffa0a/attachment-0002.png>

From gustav.palos at evolveum.com  Tue Dec  6 15:40:23 2016
From: gustav.palos at evolveum.com (=?UTF-8?B?UMOhbG9zIEd1c3TDoXY=?=)
Date: Tue, 6 Dec 2016 15:40:23 +0100
Subject: [midPoint] Ynt: Re: Re: Listing Users
In-Reply-To: <CAPXQVkeCaU2aUHVdY5pe-GTHg5YdwHQ4SKeijtPO==artX_wJg@mail.gmail.com>
References: <em0b6b2d73-c6ab-4a56-88df-981740e40429@dell001>
 <CALOh8eNZCzHS66AKvKoTkgG7+AYq2kVikSnJV23L_b6AwsJudQ@mail.gmail.com>
 <em145aff16-31e8-4e15-be0c-5a2adc8a736c@dell001>
 <CALOh8ePvnw2z_Sf+_0_YRD6+qapTx7QBoruc0J41R09HzqCmHA@mail.gmail.com>
 <em2e8079dc-a32e-4f49-8b72-3ea3bac374f4@dell001>
 <CAPXQVkeCaU2aUHVdY5pe-GTHg5YdwHQ4SKeijtPO==artX_wJg@mail.gmail.com>
Message-ID: <CAPXQVkdnVcs_Y+nVsh7x0AtopPjNe6BSPZ7dj+zrXdS7AY4WMg@mail.gmail.com>

Hi Emir,

you can create DB view and over it ignore not needed lines and use it in
resource.

Best regards,

Gustav



> 2016-12-06 15:14 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:
>
>> So I checked the table, and recognized that the column (say column1)
>> which I was using as "key column" is empty for 691st user. Then I assigned
>> another column (column2) as the key column just to see if that empty box
>> was the problem. And yes, that is the problem. But I must use column1 as
>> the key column.
>>
>> In this case, is there a way to skip an empty value and continue listing
>> without system being closed?
>>
>>
>>
>>
>>
>> ------ Yanıtlanan İleti ------
>> Gönderen: "Martin Lízner - AMI Praha a.s." <martin.lizner at ami.cz>
>> Alıcı: "Emir Özbek" <emir.ozbek at basistek.com>
>> Bilgilendir: "midPoint General Discussion" <midpoint at lists.evolveum.com>
>> Tarih: 5.12.2016 23:51:36
>> Konu: Re: Re: [midPoint] Listing Users
>>
>> Hm, that could be almost anything as a problem :-/ Did you check idm.log?
>> I also suggest turning the trace on for org.identityconnectors.databasetable
>> package. There might be some wrong value on your 691st user.. but I cannot
>> see what may conflict with string type. Maybe try to narrow down the set of
>> attributes you are syncing from this table so you can limit the scope. Or
>> try creating new extended attribute - just to make sure there is no problem
>> with already stored values. M.
>>
>>
>> Martin Lízner
>> solution architect
>>
>> gsm: [+420] 737 745 571 <+420%20737%20745%20571>
>> e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>
>>
>>
>> AMI Praha a.s.
>> Pláničkova 11
>> 162 00 Praha 6
>> tel.: [+420] 274 783 239 <+420%20274%20783%20239>
>> web: www.ami.cz
>>
>>
>>
>> [image: AMI Praha a.s.] <http://www.skyidentity.com/>
>>
>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
>> společnost AMI Praha a.s.
>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
>> písemnou formu.
>>
>>
>> 2016-12-05 13:10 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:
>>
>>> Hi Martin,
>>>
>>> I tried the solution you gave and changed all attribute types to string
>>> in xsd. As a result, it fixed the error but closed again while there are
>>> 690 users. Now i do not get any error messages but still cannot reach to
>>> 7302 users. Is there any other solution for this?
>>>
>>> Thank you for your interest,
>>> Emir.
>>>
>>>
>>>
>>>
>>>
>>> ------ Yanıtlanan İleti ------
>>> Gönderen: "Martin Lízner - AMI Praha a.s." <martin.lizner at ami.cz>
>>> Alıcı: "Emir Özbek" <emir.ozbek at basistek.com>; "midPoint General
>>> Discussion" <midpoint at lists.evolveum.com>
>>> Tarih: 3.12.2016 16:29:42
>>> Konu: Re: [midPoint] Listing Users
>>>
>>> Hi, my guess is that you are using DabaseTable connector and you are
>>> trying to fill custom attribute in user extended schema. This connector is
>>> not very good at working with various column types, so my advice would be
>>> doing everything in varchar/string. First try changing your custom
>>> attribute in xsd to string type. If it does not help, change column type in
>>> DB or your schema handling. M.
>>>
>>> Martin Lízner
>>> solution architect
>>>
>>> gsm: [+420] 737 745 571
>>> e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>
>>>
>>>
>>> AMI Praha a.s.
>>> Pláničkova 11
>>> 162 00 Praha 6
>>> tel.: [+420] 274 783 239
>>> web: www.ami.cz
>>>
>>>
>>>
>>> [image: AMI Praha a.s.] <http://www.skyidentity.com/>
>>>
>>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
>>> společnost AMI Praha a.s.
>>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít
>>> výhradně písemnou formu.
>>>
>>>
>>> 2016-12-02 14:54 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:
>>>
>>>> Hello everybody,
>>>>
>>>> I am working on a project with a user list of 7302 users but when i
>>>> import and run the .xml file , it closes while there are 630 or 690 users.
>>>> Also, i get this error message ; "*Failed to reconciliation:
>>>> java.lang.IllegalArgumentException: Expected class java.math.BigInteger
>>>> type, but got class java.lang.Integer in inbound expression for
>>>> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3
>>>> <http://midpoint.evolveum.com/xml/ns/public/resource/instance-3>}guzergah_id
>>>> in resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3deee(Localhost DBTable)*". I
>>>> also have an .xsd file for extension attributes.
>>>>
>>>> So my first question is, how should i resolve this error? Is it about
>>>> the .xsd file or something else? And the second question ; is problem with
>>>> the number of users (problem to reach 7302) has any connection with this
>>>> error message? If not, what should i do to resolve it? I am using midpoint
>>>> version 3.4.1. and sqljdbc 4.2.
>>>>
>>>> This is my first project on midpoint so i am not much familiar with it,
>>>> any help would be appreciated.
>>>>
>>>> Thanks in advance,
>>>> Emir.
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
> --
> s pozdravom
>
> Gustáv Pálos
>
> --
> Gustáv Pálos
> Identity Engineer
> evolveum.com
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/2fe880e8/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/2fe880e8/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/2fe880e8/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161206/2fe880e8/attachment-0002.png>

From gustav.palos at evolveum.com  Wed Dec  7 05:13:53 2016
From: gustav.palos at evolveum.com (=?UTF-8?B?UMOhbG9zIEd1c3TDoXY=?=)
Date: Wed, 7 Dec 2016 05:13:53 +0100
Subject: [midPoint] Ynt: Re: Re: Listing Users
In-Reply-To: <CAPXQVkeCaU2aUHVdY5pe-GTHg5YdwHQ4SKeijtPO==artX_wJg@mail.gmail.com>
References: <em0b6b2d73-c6ab-4a56-88df-981740e40429@dell001>
 <CALOh8eNZCzHS66AKvKoTkgG7+AYq2kVikSnJV23L_b6AwsJudQ@mail.gmail.com>
 <em145aff16-31e8-4e15-be0c-5a2adc8a736c@dell001>
 <CALOh8ePvnw2z_Sf+_0_YRD6+qapTx7QBoruc0J41R09HzqCmHA@mail.gmail.com>
 <em2e8079dc-a32e-4f49-8b72-3ea3bac374f4@dell001>
 <CAPXQVkeCaU2aUHVdY5pe-GTHg5YdwHQ4SKeijtPO==artX_wJg@mail.gmail.com>
Message-ID: <CAPXQVkfj+92y8wbBTDyhRt+M8R8Q1_eRjjzhKazFu44mOs7+Eg@mail.gmail.com>

2016-12-06 15:39 GMT+01:00 Pálos Gustáv <gustav.palos at gmail.com>:

> Hi Emir,
>
> you can create DB view and over it ignore not needed lines and use it in
> resource.
>
> Best regards,
>
> Gustav
>
> 2016-12-06 15:14 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:
>
>> So I checked the table, and recognized that the column (say column1)
>> which I was using as "key column" is empty for 691st user. Then I assigned
>> another column (column2) as the key column just to see if that empty box
>> was the problem. And yes, that is the problem. But I must use column1 as
>> the key column.
>>
>> In this case, is there a way to skip an empty value and continue listing
>> without system being closed?
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161207/d51cbdfc/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Wed Dec  7 15:06:49 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Wed, 7 Dec 2016 15:06:49 +0100
Subject: [midPoint] ScriptedSQL - Activation using group membership - schema
 handling
Message-ID: <411e94eb-5d4c-c630-53c2-7f28028144e3@diagnostyka.pl>

Hello All,

I'm looking for an idea how to implement Activation using ScriptedSQL
connector.

Activation in the application is done by assigning user to group called
"Disabled". I made an "Update" groovy script, it seemd to be working (at
least shows no error). All fine, but "Activation" capability is using an
attribute, but there is no specified attribute in such matter.

I don't want to interfere with the database structure (eg adding
columns, triggers, views and so) due to application upgrade process,
which is sensitive to db structure changes.

Is this possible at all?
Thank you very much

-- 
Wojciech Staszewski


From ivan.noris at evolveum.com  Wed Dec  7 15:22:38 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 7 Dec 2016 15:22:38 +0100
Subject: [midPoint] ScriptedSQL - Activation using group membership -
 schema handling
In-Reply-To: <411e94eb-5d4c-c630-53c2-7f28028144e3@diagnostyka.pl>
References: <411e94eb-5d4c-c630-53c2-7f28028144e3@diagnostyka.pl>
Message-ID: <7d7bc55a-c3c0-20c8-53ee-21ef5ef11ae1@evolveum.com>

Hi Wojciech,

if I understand it correctly, I think you can do it if you create your
"Update" script so that it reacts on changes of activation attribute
(probably __ENABLE__) by doing whatever you want including putting user
to the group. And you have to modify the "Search" script to return the
information back to midPoint as __ENABLE__ attribute.

Ivan

On 12/07/2016 03:06 PM, Wojciech Staszewski wrote:
> Hello All,
>
> I'm looking for an idea how to implement Activation using ScriptedSQL
> connector.
>
> Activation in the application is done by assigning user to group called
> "Disabled". I made an "Update" groovy script, it seemd to be working (at
> least shows no error). All fine, but "Activation" capability is using an
> attribute, but there is no specified attribute in such matter.
>
> I don't want to interfere with the database structure (eg adding
> columns, triggers, views and so) due to application upgrade process,
> which is sensitive to db structure changes.
>
> Is this possible at all?
> Thank you very much
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com



From carlos18619 at gmail.com  Wed Dec  7 16:18:39 2016
From: carlos18619 at gmail.com (Carlos Ferreira)
Date: Wed, 7 Dec 2016 13:18:39 -0200
Subject: [midPoint] TRANSLATE MIDPOINT TO PORTUGUESE
Message-ID: <CAJHEg64Y2zWyY5WZqMj39LVLEajMrV1eBAZeAd7u5NWCdTdGGA@mail.gmail.com>

Hi,

I'd like to contribute do Midpoint Project in translating its messages and
screens to portuguese (BR).

So, I've downloaded the GIT repository (
https://github.com/Evolveum/midpoint/tree/v3.4.1) and tried to build the
software (3.4.1).

Nevertheless, when executing

mvn install -DskipTests=true

it returns

http://pastebin.com/ME7kkkj8


ps: i am using java8 and maven3


Well, if you want to send me the necessary files (with the messages), I can
translate and resend them to you (and so, the build process is not
necessary any more).

Thks,


Carlos
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161207/51ad7cd9/attachment.htm>

From petr.gasparik at ami.cz  Wed Dec  7 16:29:21 2016
From: petr.gasparik at ami.cz (=?UTF-8?B?UGV0ciBHYcWhcGFyw61rIC0gQU1JIFByYWhhIGEucy4=?=)
Date: Wed, 7 Dec 2016 16:29:21 +0100
Subject: [midPoint] TRANSLATE MIDPOINT TO PORTUGUESE
In-Reply-To: <CAJHEg64Y2zWyY5WZqMj39LVLEajMrV1eBAZeAd7u5NWCdTdGGA@mail.gmail.com>
References: <CAJHEg64Y2zWyY5WZqMj39LVLEajMrV1eBAZeAd7u5NWCdTdGGA@mail.gmail.com>
Message-ID: <CABAspd0U+kELL8D9TBO=tQ52Rj1eW+8sE+5FmWYqt=aNCAYvwg@mail.gmail.com>

Hi Carlos,
thank you for expressing your will to translate midPoint!

All contributions to midPoint are held at this site:
https://www.transifex.com/evolveum/midpoint

pt_BR is already there, waiting patiently to be translated :)
Please, join transifex and send a request to join midPoint team. I will be
more than happy to accept such request.

About error message, I hope other will help you more.

regards
Petr, head of translators :D

--

s pozdravem

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: petr.gasparik at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/audit-roli-a-opravneni-sap>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.


2016-12-07 16:18 GMT+01:00 Carlos Ferreira <carlos18619 at gmail.com>:

> Hi,
>
> I'd like to contribute do Midpoint Project in translating its messages and
> screens to portuguese (BR).
>
> So, I've downloaded the GIT repository (https://github.com/Evolveum/
> midpoint/tree/v3.4.1) and tried to build the software (3.4.1).
>
> Nevertheless, when executing
>
> mvn install -DskipTests=true
>
> it returns
>
> http://pastebin.com/ME7kkkj8
>
>
> ps: i am using java8 and maven3
>
>
> Well, if you want to send me the necessary files (with the messages), I
> can translate and resend them to you (and so, the build process is not
> necessary any more).
>
> Thks,
>
>
> Carlos
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161207/190b2c44/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Wed Dec  7 16:35:05 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Wed, 7 Dec 2016 16:35:05 +0100
Subject: [midPoint] ScriptedSQL - Activation using group membership -
 schema handling
In-Reply-To: <7d7bc55a-c3c0-20c8-53ee-21ef5ef11ae1@evolveum.com>
References: <411e94eb-5d4c-c630-53c2-7f28028144e3@diagnostyka.pl>
 <7d7bc55a-c3c0-20c8-53ee-21ef5ef11ae1@evolveum.com>
Message-ID: <fadaf0bc-6c12-ea4c-b7a1-735736f87807@diagnostyka.pl>

Thanks, it works perfectly. :*

W dniu 07.12.2016 o 15:22, Ivan Noris pisze:
> Hi Wojciech,
> 
> if I understand it correctly, I think you can do it if you create your
> "Update" script so that it reacts on changes of activation attribute
> (probably __ENABLE__) by doing whatever you want including putting user
> to the group. And you have to modify the "Search" script to return the
> information back to midPoint as __ENABLE__ attribute.
> 
> Ivan
> 
> On 12/07/2016 03:06 PM, Wojciech Staszewski wrote:
>> Hello All,
>>
>> I'm looking for an idea how to implement Activation using ScriptedSQL
>> connector.
>>
>> Activation in the application is done by assigning user to group called
>> "Disabled". I made an "Update" groovy script, it seemd to be working (at
>> least shows no error). All fine, but "Activation" capability is using an
>> attribute, but there is no specified attribute in such matter.
>>
>> I don't want to interfere with the database structure (eg adding
>> columns, triggers, views and so) due to application upgrade process,
>> which is sensitive to db structure changes.
>>
>> Is this possible at all?
>> Thank you very much
>>
> 

-- 
Wojciech Staszewski
Administrator Systemów Sieciowych
tel. kom: 663 680 236
www.diagnostyka.pl
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie,
XI Wydział Gospodarczy KRS)
NIP: 675-12-65-009; REGON: 356366975
Kapitał zakładowy: 33 756 500 zł.

Pomyśl o środowisku zanim wydrukujesz ten e-mail.


From carlos18619 at gmail.com  Wed Dec  7 17:47:11 2016
From: carlos18619 at gmail.com (Carlos Ferreira)
Date: Wed, 7 Dec 2016 14:47:11 -0200
Subject: [midPoint] TRANSLATE MIDPOINT TO PORTUGUESE
In-Reply-To: <CABAspd0U+kELL8D9TBO=tQ52Rj1eW+8sE+5FmWYqt=aNCAYvwg@mail.gmail.com>
References: <CAJHEg64Y2zWyY5WZqMj39LVLEajMrV1eBAZeAd7u5NWCdTdGGA@mail.gmail.com>
 <CABAspd0U+kELL8D9TBO=tQ52Rj1eW+8sE+5FmWYqt=aNCAYvwg@mail.gmail.com>
Message-ID: <CAJHEg64GeL+b4=2vVx_fBcLOQV18PBJLBbzrRwbH7LY_d6WKaA@mail.gmail.com>

Hi Petr,


I have already joined the community and I am anxious to start working.


Thank you,


Carlos

2016-12-07 13:29 GMT-02:00 Petr Gašparík - AMI Praha a.s. <
petr.gasparik at ami.cz>:

> Hi Carlos,
> thank you for expressing your will to translate midPoint!
>
> All contributions to midPoint are held at this site:
> https://www.transifex.com/evolveum/midpoint
>
> pt_BR is already there, waiting patiently to be translated :)
> Please, join transifex and send a request to join midPoint team. I will be
> more than happy to accept such request.
>
> About error message, I hope other will help you more.
>
> regards
> Petr, head of translators :D
>
> --
>
> s pozdravem
>
> Petr Gašparík
> solution architect
>
> gsm: [+420] 603 523 860 <+420%20603%20523%20860>
> e-mail: petr.gasparik at ami.cz
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239 <+420%20274%20783%20239>
> web: www.ami.cz
>
>
> [image: AMI Praha a.s.]
>
> [image: AMI Praha a.s.]
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/audit-roli-a-opravneni-sap>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
> písemnou formu.
>
>
> 2016-12-07 16:18 GMT+01:00 Carlos Ferreira <carlos18619 at gmail.com>:
>
>> Hi,
>>
>> I'd like to contribute do Midpoint Project in translating its messages
>> and screens to portuguese (BR).
>>
>> So, I've downloaded the GIT repository (https://github.com/Evolveum/m
>> idpoint/tree/v3.4.1) and tried to build the software (3.4.1).
>>
>> Nevertheless, when executing
>>
>> mvn install -DskipTests=true
>>
>> it returns
>>
>> http://pastebin.com/ME7kkkj8
>>
>>
>> ps: i am using java8 and maven3
>>
>>
>> Well, if you want to send me the necessary files (with the messages), I
>> can translate and resend them to you (and so, the build process is not
>> necessary any more).
>>
>> Thks,
>>
>>
>> Carlos
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161207/5ea7d589/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Wed Dec  7 21:32:13 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Wed, 07 Dec 2016 21:32:13 +0100
Subject: [midPoint]  Correlation filter clause error
Message-ID: <14526356.rgTSr8Qidv@skygge-pc>

Hello again,

Everytime I try to create new synchronization correlation, or even update existing rule I must do it by editing XML source
because the Wizard displays error:
"Could not create MaxXNode from provided XML filterClause. Please enter correct expression. Reason: {0}"

Even these imported from Evolveum example resources.

Log (first two lines):
2016-12-07 21:27:35,554 [] [https-openssl-apr-443-exec-50] ERROR (com.evolveum.midpoint.web.component.input.SearchFilterPanel): Could not create MapXNode from provided XML filterClause.. 
java.lang.IllegalStateException: Error parsing XML document The prefix "q" for element "q:equal" is not bound.

Is this a bug? If not, where can I find some working examples? Documentation is XML-based...



From mederly at evolveum.com  Thu Dec  8 00:05:30 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Thu, 8 Dec 2016 00:05:30 +0100
Subject: [midPoint] Correlation filter clause error
In-Reply-To: <14526356.rgTSr8Qidv@skygge-pc>
References: <14526356.rgTSr8Qidv@skygge-pc>
Message-ID: <ad796972-391c-4faf-fb1c-b40192b76219@evolveum.com>

Hello Wojciech,

thank you for pointing to this. Just by the way, which version of 
midPoint do you use? I don't quite remember but I think that in 3.4 the 
resource wizard was relatively well working.

We are a few days before 3.5 release, having quite a lot of bugs to fix 
and, to be honest, Resource Wizard is not a component that is endorsed 
by our subscribers. Therefore it gets "best effort"-style attention. 
However, tomorrow I'll try to have a look at this problem. It doesn't 
seem to be much complicated.

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 07.12.2016 21:32, Wojciech Staszewski wrote:
> Hello again,
>
> Everytime I try to create new synchronization correlation, or even update existing rule I must do it by editing XML source
> because the Wizard displays error:
> "Could not create MaxXNode from provided XML filterClause. Please enter correct expression. Reason: {0}"
>
> Even these imported from Evolveum example resources.
>
> Log (first two lines):
> 2016-12-07 21:27:35,554 [] [https-openssl-apr-443-exec-50] ERROR (com.evolveum.midpoint.web.component.input.SearchFilterPanel): Could not create MapXNode from provided XML filterClause..
> java.lang.IllegalStateException: Error parsing XML document The prefix "q" for element "q:equal" is not bound.
>
> Is this a bug? If not, where can I find some working examples? Documentation is XML-based...
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint



From dilek.gider at basistek.com  Wed Dec  7 13:06:47 2016
From: dilek.gider at basistek.com (Dilek Gider)
Date: Wed, 7 Dec 2016 15:06:47 +0300
Subject: [midPoint] Ynt: Re: Re: Listing Users
In-Reply-To: <CAPXQVkdnVcs_Y+nVsh7x0AtopPjNe6BSPZ7dj+zrXdS7AY4WMg@mail.gmail.com>
References: <em0b6b2d73-c6ab-4a56-88df-981740e40429@dell001>
 <CALOh8eNZCzHS66AKvKoTkgG7+AYq2kVikSnJV23L_b6AwsJudQ@mail.gmail.com>
 <em145aff16-31e8-4e15-be0c-5a2adc8a736c@dell001>
 <CALOh8ePvnw2z_Sf+_0_YRD6+qapTx7QBoruc0J41R09HzqCmHA@mail.gmail.com>
 <em2e8079dc-a32e-4f49-8b72-3ea3bac374f4@dell001>
 <CAPXQVkeCaU2aUHVdY5pe-GTHg5YdwHQ4SKeijtPO==artX_wJg@mail.gmail.com>
 <CAPXQVkdnVcs_Y+nVsh7x0AtopPjNe6BSPZ7dj+zrXdS7AY4WMg@mail.gmail.com>
Message-ID: <CAL797Gn9qDvm_OAZj0tzQgG4d8-0GoorM+ZqSYntRL79EZHK2w@mail.gmail.com>

Hi Palos,

First of all, thank you all for your support.
We can manage our db table by modifying sql query as you suggest, but there
is an issue I want to ask.

Actually, I expect that reconciliation will be run for all data, errored
datas will be logged so our customer can check and correct their data.
But when there exists any errored data, reconciliation all stops, it does
not continue on next correct data. I want reconciliation to be continue on
all datas,
errors will be logged but all correct datas will be progressed. Is there
any way to do this? We have already checked "Enable writing empty string"
as true, but nothing changed. (Also tried false or undefined value )

Thank you for your support.



On Tue, Dec 6, 2016 at 5:40 PM, Pálos Gustáv <gustav.palos at evolveum.com>
wrote:

> Hi Emir,
>
> you can create DB view and over it ignore not needed lines and use it in
> resource.
>
> Best regards,
>
> Gustav
>
>
>
>> 2016-12-06 15:14 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:
>>
>>> So I checked the table, and recognized that the column (say column1)
>>> which I was using as "key column" is empty for 691st user. Then I assigned
>>> another column (column2) as the key column just to see if that empty box
>>> was the problem. And yes, that is the problem. But I must use column1 as
>>> the key column.
>>>
>>> In this case, is there a way to skip an empty value and continue listing
>>> without system being closed?
>>>
>>>
>>>
>>>
>>>
>>> ------ Yanıtlanan İleti ------
>>> Gönderen: "Martin Lízner - AMI Praha a.s." <martin.lizner at ami.cz>
>>> Alıcı: "Emir Özbek" <emir.ozbek at basistek.com>
>>> Bilgilendir: "midPoint General Discussion" <midpoint at lists.evolveum.com>
>>> Tarih: 5.12.2016 23:51:36
>>> Konu: Re: Re: [midPoint] Listing Users
>>>
>>> Hm, that could be almost anything as a problem :-/ Did you check
>>> idm.log? I also suggest turning the trace on for
>>> org.identityconnectors.databasetable package. There might be some wrong
>>> value on your 691st user.. but I cannot see what may conflict with string
>>> type. Maybe try to narrow down the set of attributes you are syncing from
>>> this table so you can limit the scope. Or try creating new extended
>>> attribute - just to make sure there is no problem with already stored
>>> values. M.
>>>
>>>
>>> Martin Lízner
>>> solution architect
>>>
>>> gsm: [+420] 737 745 571 <+420%20737%20745%20571>
>>> e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>
>>>
>>>
>>> AMI Praha a.s.
>>> Pláničkova 11
>>> 162 00 Praha 6
>>> tel.: [+420] 274 783 239 <+420%20274%20783%20239>
>>> web: www.ami.cz
>>>
>>>
>>>
>>> [image: AMI Praha a.s.] <http://www.skyidentity.com/>
>>>
>>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
>>> společnost AMI Praha a.s.
>>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít
>>> výhradně písemnou formu.
>>>
>>>
>>> 2016-12-05 13:10 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:
>>>
>>>> Hi Martin,
>>>>
>>>> I tried the solution you gave and changed all attribute types to string
>>>> in xsd. As a result, it fixed the error but closed again while there are
>>>> 690 users. Now i do not get any error messages but still cannot reach to
>>>> 7302 users. Is there any other solution for this?
>>>>
>>>> Thank you for your interest,
>>>> Emir.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ------ Yanıtlanan İleti ------
>>>> Gönderen: "Martin Lízner - AMI Praha a.s." <martin.lizner at ami.cz>
>>>> Alıcı: "Emir Özbek" <emir.ozbek at basistek.com>; "midPoint General
>>>> Discussion" <midpoint at lists.evolveum.com>
>>>> Tarih: 3.12.2016 16:29:42
>>>> Konu: Re: [midPoint] Listing Users
>>>>
>>>> Hi, my guess is that you are using DabaseTable connector and you are
>>>> trying to fill custom attribute in user extended schema. This connector is
>>>> not very good at working with various column types, so my advice would be
>>>> doing everything in varchar/string. First try changing your custom
>>>> attribute in xsd to string type. If it does not help, change column type in
>>>> DB or your schema handling. M.
>>>>
>>>> Martin Lízner
>>>> solution architect
>>>>
>>>> gsm: [+420] 737 745 571
>>>> e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>
>>>>
>>>>
>>>> AMI Praha a.s.
>>>> Pláničkova 11
>>>> 162 00 Praha 6
>>>> tel.: [+420] 274 783 239
>>>> web: www.ami.cz
>>>>
>>>>
>>>>
>>>> [image: AMI Praha a.s.] <http://www.skyidentity.com/>
>>>>
>>>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
>>>> společnost AMI Praha a.s.
>>>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít
>>>> výhradně písemnou formu.
>>>>
>>>>
>>>> 2016-12-02 14:54 GMT+01:00 Emir Özbek <emir.ozbek at basistek.com>:
>>>>
>>>>> Hello everybody,
>>>>>
>>>>> I am working on a project with a user list of 7302 users but when i
>>>>> import and run the .xml file , it closes while there are 630 or 690 users.
>>>>> Also, i get this error message ; "*Failed to reconciliation:
>>>>> java.lang.IllegalArgumentException: Expected class java.math.BigInteger
>>>>> type, but got class java.lang.Integer in inbound expression for
>>>>> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3
>>>>> <http://midpoint.evolveum.com/xml/ns/public/resource/instance-3>}guzergah_id
>>>>> in resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3deee(Localhost DBTable)*". I
>>>>> also have an .xsd file for extension attributes.
>>>>>
>>>>> So my first question is, how should i resolve this error? Is it about
>>>>> the .xsd file or something else? And the second question ; is problem with
>>>>> the number of users (problem to reach 7302) has any connection with this
>>>>> error message? If not, what should i do to resolve it? I am using midpoint
>>>>> version 3.4.1. and sqljdbc 4.2.
>>>>>
>>>>> This is my first project on midpoint so i am not much familiar with
>>>>> it, any help would be appreciated.
>>>>>
>>>>> Thanks in advance,
>>>>> Emir.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>>
>>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>> --
>> s pozdravom
>>
>> Gustáv Pálos
>>
>> --
>> Gustáv Pálos
>> Identity Engineer
>> evolveum.com
>>
>>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161207/d88a99f6/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161207/d88a99f6/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161207/d88a99f6/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ekran Alıntısı.PNG
Type: image/png
Size: 51942 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161207/d88a99f6/attachment-0002.png>

From wojciech.staszewski at diagnostyka.pl  Thu Dec  8 08:13:36 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Thu, 08 Dec 2016 08:13:36 +0100
Subject: [midPoint] Correlation filter clause error
In-Reply-To: <ad796972-391c-4faf-fb1c-b40192b76219@evolveum.com>
References: <14526356.rgTSr8Qidv@skygge-pc>
 <ad796972-391c-4faf-fb1c-b40192b76219@evolveum.com>
Message-ID: <2102498.1OKbX8RX9n@skygge-pc>

3.4.1

Dnia czwartek, 8 grudnia 2016 00:05:30 CET Pavol Mederly pisze:
> Hello Wojciech,
> 
> thank you for pointing to this. Just by the way, which version of 
> midPoint do you use? I don't quite remember but I think that in 3.4 the 
> resource wizard was relatively well working.
> 
> We are a few days before 3.5 release, having quite a lot of bugs to fix 
> and, to be honest, Resource Wizard is not a component that is endorsed 
> by our subscribers. Therefore it gets "best effort"-style attention. 
> However, tomorrow I'll try to have a look at this problem. It doesn't 
> seem to be much complicated.
> 
> Best regards,
> 
> Pavol Mederly
> Software developer
> evolveum.com
> 
> On 07.12.2016 21:32, Wojciech Staszewski wrote:
> > Hello again,
> >
> > Everytime I try to create new synchronization correlation, or even update existing rule I must do it by editing XML source
> > because the Wizard displays error:
> > "Could not create MaxXNode from provided XML filterClause. Please enter correct expression. Reason: {0}"
> >
> > Even these imported from Evolveum example resources.
> >
> > Log (first two lines):
> > 2016-12-07 21:27:35,554 [] [https-openssl-apr-443-exec-50] ERROR (com.evolveum.midpoint.web.component.input.SearchFilterPanel): Could not create MapXNode from provided XML filterClause..
> > java.lang.IllegalStateException: Error parsing XML document The prefix "q" for element "q:equal" is not bound.
> >
> > Is this a bug? If not, where can I find some working examples? Documentation is XML-based...
> >
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> 


-- 
Wojciech Staszewski
Administrator Systemów Sieciowych
Dział IT
DIAGNOSTYKA 
Spółka z ograniczoną odpowiedzialnością 
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
tel.: +48 12 295 01 00
fax: +48 12 295 01 02 
tel. kom: 663 680 236
www.diag.pl
DIAGNOSTYKA Spółka z ograniczoną odpowiedzialnością ul. Prof. M. Życzkowskiego 16, 31-864 Kraków; 
KRS: Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy Krajowego KRS: 0000381559; NIP: 675-12-65-009; REGON: 356366975, Kapitał zakładowy: 33 252 500 zł.


From pertti.kellomaki at datactica.fi  Thu Dec  8 09:25:46 2016
From: pertti.kellomaki at datactica.fi (=?UTF-8?Q?Pertti_Kellom=c3=a4ki?=)
Date: Thu, 8 Dec 2016 10:25:46 +0200
Subject: [midPoint] REST authentication
Message-ID: <27fb0f2f-5411-ba3e-457c-619eb7d76a66@datactica.fi>

Hi,

The SSO Howto 
https://wiki.evolveum.com/display/midPoint/MidPoint+and+SSO+HOWTO states 
that "midPoint can be configured to accept the "authentication" based 
solely on the presence of the username in the HTTP header."

Is it possible to configure the REST api to do the same? I am looking at 
how to do authentication for REST clients that use an external SSO.

Pertti




From petr.gasparik at ami.cz  Thu Dec  8 09:51:09 2016
From: petr.gasparik at ami.cz (=?UTF-8?B?UGV0ciBHYcWhcGFyw61rIC0gQU1JIFByYWhhIGEucy4=?=)
Date: Thu, 8 Dec 2016 09:51:09 +0100
Subject: [midPoint] REST authentication
In-Reply-To: <27fb0f2f-5411-ba3e-457c-619eb7d76a66@datactica.fi>
References: <27fb0f2f-5411-ba3e-457c-619eb7d76a66@datactica.fi>
Message-ID: <CABAspd2dPh=U8yLPSw_+x9m2hj9pHZZxY6+QzAieRcLwO5hRbA@mail.gmail.com>

Hi,
REST API does not work with browser, so what is the concept of "SSO" here?

We did SSO in past, with HTTP header and with CAS, in core concept it
requires user's browser. If you use REST, you use midPiont in API mode.
There is no SSO AFAIK. You submit user/password every time, as REST is
stateless.

cheers, P.

--

s pozdravem

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: petr.gasparik at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/audit-roli-a-opravneni-sap>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.


2016-12-08 9:25 GMT+01:00 Pertti Kellomäki <pertti.kellomaki at datactica.fi>:

> Hi,
>
> The SSO Howto https://wiki.evolveum.com/display/midPoint/MidPoint+and+SSO+
> HOWTO states that "midPoint can be configured to accept the
> "authentication" based solely on the presence of the username in the HTTP
> header."
>
> Is it possible to configure the REST api to do the same? I am looking at
> how to do authentication for REST clients that use an external SSO.
>
> Pertti
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161208/59d17a6e/attachment.htm>

From pertti.kellomaki at datactica.fi  Thu Dec  8 10:43:23 2016
From: pertti.kellomaki at datactica.fi (=?UTF-8?Q?Pertti_Kellom=c3=a4ki?=)
Date: Thu, 8 Dec 2016 11:43:23 +0200
Subject: [midPoint] REST authentication
In-Reply-To: <CABAspd2dPh=U8yLPSw_+x9m2hj9pHZZxY6+QzAieRcLwO5hRbA@mail.gmail.com>
References: <27fb0f2f-5411-ba3e-457c-619eb7d76a66@datactica.fi>
 <CABAspd2dPh=U8yLPSw_+x9m2hj9pHZZxY6+QzAieRcLwO5hRbA@mail.gmail.com>
Message-ID: <5f4e2159-f811-700d-6bff-fe719e203814@datactica.fi>

Hi Petr,

8.12.2016, 10:51, Petr Gašparík - AMI Praha a.s. kirjoitti:

> REST API does not work with browser, so what is the concept of "SSO" here?

The setup is that there is an existing web application where the user 
interacts with the application using a browser. The application uses an 
external identity provider to authenticate the user, and the calls to 
the midPoint REST api come from the backend of the application. There is 
a 1:1 correspondance between users in the identity provider and users in 
midPoint. "SSO" may not be the technically correct term here, but anyway 
I would like to let the application backend use midPoint REST api as the 
authenticated user. There is an Apache httpd in front of midPoint, so it 
can be used for verifying tokens or similar tasks.

Pertti


From paetni1 at gmail.com  Thu Dec  8 10:43:39 2016
From: paetni1 at gmail.com (=?UTF-8?B?TmljbyBQw6R0emVsdC1TY2jDpGtlbA==?=)
Date: Thu, 8 Dec 2016 10:43:39 +0100
Subject: [midPoint] Skip approvelSchema when importing objects
Message-ID: <CAGh9kZxTSuixidV+NSoa1QuSkAEJKaLAAWMgEGCd8X1714Y_-A@mail.gmail.com>

Hello Pavol Mederly,
thanks for the answer. I have checked the output from :

midpoint.getCurrentTask().getChannel()

In both cases (import account as Superuser and request a role via GUI)
the output of getChannel is "null".

I checked the output from midpoint.getCurrentTask() which gives me
something like  Task(id:1481189325403-0-1, name:null, oid:null).

If I search the task ID in the server tasks GUI. There is no task or
subtask with this taskid.

Have you any idea why this is the case?

Kind regards

Nico
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161208/ce3505b2/attachment.htm>

From petr.gasparik at ami.cz  Thu Dec  8 11:40:39 2016
From: petr.gasparik at ami.cz (=?UTF-8?B?UGV0ciBHYcWhcGFyw61rIC0gQU1JIFByYWhhIGEucy4=?=)
Date: Thu, 8 Dec 2016 11:40:39 +0100
Subject: [midPoint] REST authentication
In-Reply-To: <5f4e2159-f811-700d-6bff-fe719e203814@datactica.fi>
References: <27fb0f2f-5411-ba3e-457c-619eb7d76a66@datactica.fi>
 <CABAspd2dPh=U8yLPSw_+x9m2hj9pHZZxY6+QzAieRcLwO5hRbA@mail.gmail.com>
 <5f4e2159-f811-700d-6bff-fe719e203814@datactica.fi>
Message-ID: <CABAspd28PDHU_U-cR-6r-c-4Q6F=YkoWe-2fiDBM+NhMsL-big@mail.gmail.com>

Hi Pertti,
My common approach is to create application user in midPoint, that is used
to call midPoint. Advantage is that you can limit privileges/rights to this
user.

Is that suitable for you? Do you need to call midPoint on behalf of
particular user?

regards, Petr

--

s pozdravem

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: petr.gasparik at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/audit-roli-a-opravneni-sap>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.


2016-12-08 10:43 GMT+01:00 Pertti Kellomäki <pertti.kellomaki at datactica.fi>:

> Hi Petr,
>
> 8.12.2016, 10:51, Petr Gašparík - AMI Praha a.s. kirjoitti:
>
> REST API does not work with browser, so what is the concept of "SSO" here?
>>
>
> The setup is that there is an existing web application where the user
> interacts with the application using a browser. The application uses an
> external identity provider to authenticate the user, and the calls to the
> midPoint REST api come from the backend of the application. There is a 1:1
> correspondance between users in the identity provider and users in
> midPoint. "SSO" may not be the technically correct term here, but anyway I
> would like to let the application backend use midPoint REST api as the
> authenticated user. There is an Apache httpd in front of midPoint, so it
> can be used for verifying tokens or similar tasks.
>
>
> Pertti
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161208/59bdd500/attachment.htm>

From pertti.kellomaki at datactica.fi  Thu Dec  8 11:48:21 2016
From: pertti.kellomaki at datactica.fi (=?UTF-8?Q?Pertti_Kellom=c3=a4ki?=)
Date: Thu, 8 Dec 2016 12:48:21 +0200
Subject: [midPoint] REST authentication
In-Reply-To: <CABAspd28PDHU_U-cR-6r-c-4Q6F=YkoWe-2fiDBM+NhMsL-big@mail.gmail.com>
References: <27fb0f2f-5411-ba3e-457c-619eb7d76a66@datactica.fi>
 <CABAspd2dPh=U8yLPSw_+x9m2hj9pHZZxY6+QzAieRcLwO5hRbA@mail.gmail.com>
 <5f4e2159-f811-700d-6bff-fe719e203814@datactica.fi>
 <CABAspd28PDHU_U-cR-6r-c-4Q6F=YkoWe-2fiDBM+NhMsL-big@mail.gmail.com>
Message-ID: <8689aafe-df46-2b23-d756-d96c86ff667c@datactica.fi>

Hi Petr,

8.12.2016, 12:40, Petr Gašparík - AMI Praha a.s. kirjoitti:
> Hi Pertti,
> My common approach is to create application user in midPoint, that is 
> used to call midPoint. Advantage is that you can limit 
> privileges/rights to this user.
>
> Is that suitable for you? Do you need to call midPoint on behalf of 
> particular user?
>
Having an application user is my plan B. The reason I would like to call 
midPoint on behalf of a particular user is that then I can use 
midPoint's mechanisms for delegated administration, like assigning roles 
to other users.

Pertti



From petr.gasparik at ami.cz  Thu Dec  8 12:33:30 2016
From: petr.gasparik at ami.cz (=?UTF-8?B?UGV0ciBHYcWhcGFyw61rIC0gQU1JIFByYWhhIGEucy4=?=)
Date: Thu, 8 Dec 2016 12:33:30 +0100
Subject: [midPoint] REST authentication
In-Reply-To: <8689aafe-df46-2b23-d756-d96c86ff667c@datactica.fi>
References: <27fb0f2f-5411-ba3e-457c-619eb7d76a66@datactica.fi>
 <CABAspd2dPh=U8yLPSw_+x9m2hj9pHZZxY6+QzAieRcLwO5hRbA@mail.gmail.com>
 <5f4e2159-f811-700d-6bff-fe719e203814@datactica.fi>
 <CABAspd28PDHU_U-cR-6r-c-4Q6F=YkoWe-2fiDBM+NhMsL-big@mail.gmail.com>
 <8689aafe-df46-2b23-d756-d96c86ff667c@datactica.fi>
Message-ID: <CABAspd1OwmKayKZg-aiUpnah7J80PVwYOZfnFZHmQkkKJ7nSUg@mail.gmail.com>

Hi,
Now, I understand.

I think the best answer is from Radovan Semancik itself, the midPoint chief
architect:
http://lists.evolveum.com/pipermail/midpoint/2015-August/001318.html


--

s pozdravem

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: petr.gasparik at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/audit-roli-a-opravneni-sap>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.


2016-12-08 11:48 GMT+01:00 Pertti Kellomäki <pertti.kellomaki at datactica.fi>:

> Hi Petr,
>
> 8.12.2016, 12:40, Petr Gašparík - AMI Praha a.s. kirjoitti:
>
>> Hi Pertti,
>> My common approach is to create application user in midPoint, that is
>> used to call midPoint. Advantage is that you can limit privileges/rights to
>> this user.
>>
>> Is that suitable for you? Do you need to call midPoint on behalf of
>> particular user?
>>
>> Having an application user is my plan B. The reason I would like to call
> midPoint on behalf of a particular user is that then I can use midPoint's
> mechanisms for delegated administration, like assigning roles to other
> users.
>
>
> Pertti
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161208/f680e2b8/attachment.htm>

From mederly at evolveum.com  Thu Dec  8 13:59:38 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Thu, 8 Dec 2016 13:59:38 +0100
Subject: [midPoint] Correlation filter clause error
In-Reply-To: <2102498.1OKbX8RX9n@skygge-pc>
References: <14526356.rgTSr8Qidv@skygge-pc>
 <ad796972-391c-4faf-fb1c-b40192b76219@evolveum.com>
 <2102498.1OKbX8RX9n@skygge-pc>
Message-ID: <d67e326a-6c93-fd78-3f37-16fb442ed4fa@evolveum.com>

Thanks.

I've hopefully fixed in on master (3.5-snapshot) branch. You can test it 
if you like. If there would be any problem, please just re-open MID-3586 
<https://jira.evolveum.com/browse/MID-3586>.

Concerning Resource Wizard in general: There are some known bugs and 
enhancements requests logged 
<https://jira.evolveum.com/issues/?jql=summary%20%7E%20%22RW%22%20and%20status%3DOpen>. 
Please use it with care, for example beware that it (theoretically) 
could corrupt parts of your resource definition when making changes into 
it. That's why there's also a read-only mode that can be useful for 
browsing the definitions, mappings, and so on, in a semi-visual way. Or 
for generating a DOT (GraphViz) visualization of resource mappings.

Overall, we at Evolveum prefer to edit resources via XML (and also 
JSON/YAML since 3.5); possibly with the help of some intelligent, 
schema-aware XML editor. Or even using the Eclipse plugin 
<https://evolveum.com/blog/midpoint-development-tools-for-eclipse/> 
(although it is also a bit experimental for now).

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 08.12.2016 8:13, Wojciech Staszewski wrote:
> 3.4.1
>
> Dnia czwartek, 8 grudnia 2016 00:05:30 CET Pavol Mederly pisze:
>> Hello Wojciech,
>>
>> thank you for pointing to this. Just by the way, which version of
>> midPoint do you use? I don't quite remember but I think that in 3.4 the
>> resource wizard was relatively well working.
>>
>> We are a few days before 3.5 release, having quite a lot of bugs to fix
>> and, to be honest, Resource Wizard is not a component that is endorsed
>> by our subscribers. Therefore it gets "best effort"-style attention.
>> However, tomorrow I'll try to have a look at this problem. It doesn't
>> seem to be much complicated.
>>
>> Best regards,
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 07.12.2016 21:32, Wojciech Staszewski wrote:
>>> Hello again,
>>>
>>> Everytime I try to create new synchronization correlation, or even update existing rule I must do it by editing XML source
>>> because the Wizard displays error:
>>> "Could not create MaxXNode from provided XML filterClause. Please enter correct expression. Reason: {0}"
>>>
>>> Even these imported from Evolveum example resources.
>>>
>>> Log (first two lines):
>>> 2016-12-07 21:27:35,554 [] [https-openssl-apr-443-exec-50] ERROR (com.evolveum.midpoint.web.component.input.SearchFilterPanel): Could not create MapXNode from provided XML filterClause..
>>> java.lang.IllegalStateException: Error parsing XML document The prefix "q" for element "q:equal" is not bound.
>>>
>>> Is this a bug? If not, where can I find some working examples? Documentation is XML-based...
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161208/57e4a072/attachment.htm>

From radovan.semancik at evolveum.com  Thu Dec  8 14:30:41 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 8 Dec 2016 14:30:41 +0100
Subject: [midPoint] REST authentication
In-Reply-To: <5f4e2159-f811-700d-6bff-fe719e203814@datactica.fi>
References: <27fb0f2f-5411-ba3e-457c-619eb7d76a66@datactica.fi>
 <CABAspd2dPh=U8yLPSw_+x9m2hj9pHZZxY6+QzAieRcLwO5hRbA@mail.gmail.com>
 <5f4e2159-f811-700d-6bff-fe719e203814@datactica.fi>
Message-ID: <9c5fb81d-ffa2-b305-ac33-1ed4b1240103@evolveum.com>

Hi Pertti,

Current midPoint REST interface implementation does not really support 
this use. The REST interface was designed primarily for 
backend-to-backend use. The interface haven't changed much since it was 
created several years ago. We have tried to secure funding to improve 
the REST interface, but for a long time it looked like this is not a 
priority for midPoint subscribers.

It is unlikely that the REST interface could be easily configured for 
this. Yet, it might be possible to modify midPoint code for your use 
case. But I think that it will not be straighforward. The Java world is 
not entirely unified when it comes to authentication and authorization. 
We are using Spring Security for most of the authentication and 
web-focus authorization. But the REST framework has completely separate 
authentication interface. And the SOAP interface has yet another 
interface. It is partially given by the fact that all the protocols have 
their specifics. But another reason is that Java world (and IT world in 
general) tends to reinvent the wheel over and over again.

The bottom line is that you can use the Spring Security modules for GUI 
authentication. But as far as I know there is no simple way how to use 
the same modules for REST authentication. Perhaps the best solution here 
would be to implement OAuth support for our REST interface. There are 
some REST interface improvements already planned for midPoint 3.6. But 
as far as I remember no midPoint subscriber or sponsor has endorsed the 
OAuth support therefore this is not even in the roadmap yet. As usual, 
you have several options:

https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature

Of course, it is possible to use a single "technical" user in the "SSO 
gateway" (definitely NOT in the front-end). However this is far from 
being ideal. MidPoint is designed to quite strictly use the identity of 
the logged-in user in all the actions. Using a single "proxy" user may 
have impact on the authorizations, workflows, features such as "deputy" 
and especially on the audit logging. It may be OK as short-term hack. 
But it is not very good as a long-term solution.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 12/08/2016 10:43 AM, Pertti Kellomäki wrote:
> Hi Petr,
>
> 8.12.2016, 10:51, Petr Gašparík - AMI Praha a.s. kirjoitti:
>
>> REST API does not work with browser, so what is the concept of "SSO" 
>> here?
>
> The setup is that there is an existing web application where the user 
> interacts with the application using a browser. The application uses 
> an external identity provider to authenticate the user, and the calls 
> to the midPoint REST api come from the backend of the application. 
> There is a 1:1 correspondance between users in the identity provider 
> and users in midPoint. "SSO" may not be the technically correct term 
> here, but anyway I would like to let the application backend use 
> midPoint REST api as the authenticated user. There is an Apache httpd 
> in front of midPoint, so it can be used for verifying tokens or 
> similar tasks.
>
> Pertti
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint




From adavenp4 at uwo.ca  Thu Dec  8 15:20:39 2016
From: adavenp4 at uwo.ca (Adam Davenport)
Date: Thu, 8 Dec 2016 14:20:39 +0000
Subject: [midPoint] REST authentication
Message-ID: <MWHPR11MB1263F33B0E2B5D124533C99FE6840@MWHPR11MB1263.namprd11.prod.outlook.com>

We also have a requirement to call the midPoint API on behalf of a particular user.  Not only for the delegated administration mechanisms but also for auditing.  We plan on having a home grown application that users will use that calls the midPoint API.  We require midPoint to audit that userX performed an action on userY rather than the audit record indicating "application user" performed the action.  However, storing userX's credentials to send in the API calls is not a feasible practice.  Thank you.

Adam Davenport
Western University

From radovan.semancik at evolveum.com  Thu Dec  8 15:34:44 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 8 Dec 2016 15:34:44 +0100
Subject: [midPoint] REST authentication
In-Reply-To: <MWHPR11MB1263F33B0E2B5D124533C99FE6840@MWHPR11MB1263.namprd11.prod.outlook.com>
References: <MWHPR11MB1263F33B0E2B5D124533C99FE6840@MWHPR11MB1263.namprd11.prod.outlook.com>
Message-ID: <1e6f04fd-f3ea-f0fb-a2b1-92c980955ce9@evolveum.com>

Hi Adam,

Now, this is subscriber talking. So we have to listen. Do you have any 
plan how would you like to authenticate with your application? I think 
that using OAuth2 is currently a common practice. If that approach is 
suitable for you I would prefer that solution. But if you need something 
simpler we can do that instead. I think this can still fit into midPoint 
3.6 development plan.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 12/08/2016 03:20 PM, Adam Davenport wrote:
> We also have a requirement to call the midPoint API on behalf of a particular user.  Not only for the delegated administration mechanisms but also for auditing.  We plan on having a home grown application that users will use that calls the midPoint API.  We require midPoint to audit that userX performed an action on userY rather than the audit record indicating "application user" performed the action.  However, storing userX's credentials to send in the API calls is not a feasible practice.  Thank you.
>
> Adam Davenport
> Western University
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint




From adavenp4 at uwo.ca  Thu Dec  8 17:37:39 2016
From: adavenp4 at uwo.ca (Adam Davenport)
Date: Thu, 8 Dec 2016 16:37:39 +0000
Subject: [midPoint] REST authentication
In-Reply-To: <CY4PR11MB1688B40F370B93B113E7CE33AA840@CY4PR11MB1688.namprd11.prod.outlook.com>
References: <MWHPR11MB1263F33B0E2B5D124533C99FE6840@MWHPR11MB1263.namprd11.prod.outlook.com>
 <1e6f04fd-f3ea-f0fb-a2b1-92c980955ce9@evolveum.com>
 <CY4PR11MB1688B40F370B93B113E7CE33AA840@CY4PR11MB1688.namprd11.prod.outlook.com>
Message-ID: <MWHPR11MB1263EF23CA631777B4FE0673E6840@MWHPR11MB1263.namprd11.prod.outlook.com>

Thanks for your response Radovan.  We haven't fully flushed out our requirements yet but we know that we're going to be using the API extensively.  We will definitely be in touch in the near future.  Thanks again.


From keith.hazelton at wisc.edu  Thu Dec  8 18:56:22 2016
From: keith.hazelton at wisc.edu (Keith Hazelton)
Date: Thu, 08 Dec 2016 17:56:22 +0000
Subject: [midPoint] REST authentication
In-Reply-To: <1e6f04fd-f3ea-f0fb-a2b1-92c980955ce9@evolveum.com>
References: <MWHPR11MB1263F33B0E2B5D124533C99FE6840@MWHPR11MB1263.namprd11.prod.outlook.com>
 <1e6f04fd-f3ea-f0fb-a2b1-92c980955ce9@evolveum.com>
Message-ID: <1F88F80C-7E7F-4D35-BA78-B7CA33D0589A@wisc.edu>

Radovan,

Authentication and Authorization for APIs is a current work area in the Intenet2 Trust and Identity program.  As our work progresses, we’d be quite willing to share the API AuthNZ requirements arising out of the research and education domains. We are focusing first on APIs into, out of and within the identity and access control infrastructure itself.

         --Keith
___________________________________
email & jabber: keith.hazelton at wisc.edu
calendar: http://go.wisc.edu/i6zxx0

On 2016-12-08, 08:34 , "midPoint on behalf of Radovan Semancik" <midpoint-bounces at lists.evolveum.com on behalf of radovan.semancik at evolveum.com> wrote:

    Hi Adam,
    
    Now, this is subscriber talking. So we have to listen. Do you have any 
    plan how would you like to authenticate with your application? I think 
    that using OAuth2 is currently a common practice. If that approach is 
    suitable for you I would prefer that solution. But if you need something 
    simpler we can do that instead. I think this can still fit into midPoint 
    3.6 development plan.
    
    -- 
    Radovan Semancik
    Software Architect
    evolveum.com
    
    
    
    On 12/08/2016 03:20 PM, Adam Davenport wrote:
    > We also have a requirement to call the midPoint API on behalf of a particular user.  Not only for the delegated administration mechanisms but also for auditing.  We plan on having a home grown application that users will use that calls the midPoint API.  We require midPoint to audit that userX performed an action on userY rather than the audit record indicating "application user" performed the action.  However, storing userX's credentials to send in the API calls is not a feasible practice.  Thank you.
    >
    > Adam Davenport
    > Western University
    > _______________________________________________
    > midPoint mailing list
    > midPoint at lists.evolveum.com
    > http://lists.evolveum.com/mailman/listinfo/midpoint
    
    
    _______________________________________________
    midPoint mailing list
    midPoint at lists.evolveum.com
    http://lists.evolveum.com/mailman/listinfo/midpoint
    


From mederly at evolveum.com  Thu Dec  8 19:41:44 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Thu, 8 Dec 2016 19:41:44 +0100
Subject: [midPoint] Skip approvelSchema when importing objects
In-Reply-To: <CAGh9kZxTSuixidV+NSoa1QuSkAEJKaLAAWMgEGCd8X1714Y_-A@mail.gmail.com>
References: <CAGh9kZxTSuixidV+NSoa1QuSkAEJKaLAAWMgEGCd8X1714Y_-A@mail.gmail.com>
Message-ID: <df8dd734-621e-2255-fa32-0a828725d882@evolveum.com>

Hello Nico,

I've tried that myself today. You're right - there's no channel there. 
It was due to a bug in midPoint, which I've fixed on master branch 
(https://github.com/Evolveum/midpoint/commit/39581c451f2e06a8cc19932310f41cc0b3da5cba). 
If you want to use it for 3.4.x, please cherry-pick it to 3.4-support 
branch and build + test the WAR file.

However. I verified that when initiating the operation from GUI, the 
channel is really 
/http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user/. When 
doing import from resource, I haven't used a custom hook (as you did), 
but much simpler approach: specific user template:

In the resource definition:

             <reaction>
<situation>unmatched</situation>
                <objectTemplateRef 
oid="7ee3c422-c66a-4725-bb9e-12d5f85ecf6b" type="c:ObjectTemplateType"/>
                <action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
                </action>
             </reaction>

The template looks like this:

<objectTemplate oid="7ee3c422-c66a-4725-bb9e-12d5f85ecf6b" 
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
     <name>Custom User Template</name>
     <mapping>
         <expression>
             <value>
                  <targetRef oid="7d8cb641-d247-4b1a-bd73-12db459b7627" 
type="RoleType"/>    <!-- role with the auto approval ... -->
             </value>
         </expression>
         <target>
             <path>assignment</path>
         </target>
     </mapping>
</objectTemplate>

But what's important is that when the user was added via "Import from 
resource", the workflow hook was /not/ involved at all. The operation 
that was executed was a part of the /secondary delta/ - meaning the 
delta that was "induced" by another change. In this particular 
situation, the cause was the existence of resource object that was 
imported. And workflows react only to primary deltas.

What does your custom hook do? Does it modify primary delta? If yes, you 
could maybe change it to work with the secondary delta: that would be 
cleaner. And, if your hook does only the assignment of a role, it would 
be best to replace it by using standard midPoint mechanism for this - 
and this is object template.

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 08.12.2016 10:43, Nico Pätzelt-Schäkel wrote:
> Hello Pavol Mederly,
> thanks for the answer. I have checked the output from :
> midpoint.getCurrentTask().getChannel()
> In both cases (import account as Superuser and request a role via GUI) the output of getChannel is "null".
> I checked the output from midpoint.getCurrentTask() which gives me something like  Task(id:1481189325403-0-1, name:null, oid:null).
> If I search the task ID in the server tasks GUI. There is no task or subtask with this taskid.
> Have you any idea why this is the case?
> Kind regards
> Nico
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161208/e5ad92f6/attachment.htm>

From mederly at evolveum.com  Thu Dec  8 19:47:24 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Thu, 8 Dec 2016 19:47:24 +0100
Subject: [midPoint] LDAP (389ds) - Accounts, groups <-> Users, roles
In-Reply-To: <f1553838-620d-8c12-38d0-c3ac7ad9fb46@diagnostyka.pl>
References: <1479898629678.53696@datactica.fi>
 <98ef2dc1-bedc-1bc6-cf13-03b71f0b9e14@datactica.fi>
 <414f95f9-ad66-6ca4-b913-5e6a076779a7@evolveum.com>
 <1480068706129.75463@datactica.fi>
 <f1553838-620d-8c12-38d0-c3ac7ad9fb46@diagnostyka.pl>
Message-ID: <e84842e5-f2b2-3406-c850-27d07be18e7e@evolveum.com>

Hello Wojciech,

I don't know if someone answered this mail, but it seems to me that you 
quite often compose your messages as replies to other - unrelated - ones.

Like this one: it is

"In-Reply-To: <1480068706129.75463 at datactica.fi>"

Which means that e.g. my mail client shows it as a part of unrelated 
message thread; which causes confusion and effectively may hide your 
message.

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 25.11.2016 14:46, Wojciech Staszewski wrote:
> Hi all!
>
> Basing on the 389ds resource example I finaly configured the resource,
> imported accounts and groups.
>
> Accounts appeared as users in MidPoint and groups as Roles. This is ok.
>
> But when I open a role imported from LDAP group, the role has no
> members. And vice versa - when open user imported from LDAP he has no
> role assigned.
>
> 1. What and where I need to configure to assign proper roles to users
> according to LDAP group membership? I also want as a default to assign
> "End user" role to every existing and newly created account.
>
> 2. I made a very simple organization structure. I have 5 organizations,
> so I created 5 different trees. I need to assign users to proper
> organization based on LDAP "o" attribute, and to correct branch of this
> tree based on "departmentnumber". Departmentnumber is an integer value
> and branches of organization tree have names. Is this doable? Any tips?
>
> Thanks a lot and sorry for such beginners questions. I tried to analyze
> XMLs from MidPoint examples and to read the documentation, but there is
> so much of it and I actually don't know what I need to search...
>
> WS
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint



From radovan.semancik at evolveum.com  Thu Dec  8 20:06:45 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 8 Dec 2016 20:06:45 +0100
Subject: [midPoint] REST authentication
In-Reply-To: <1F88F80C-7E7F-4D35-BA78-B7CA33D0589A@wisc.edu>
References: <MWHPR11MB1263F33B0E2B5D124533C99FE6840@MWHPR11MB1263.namprd11.prod.outlook.com>
 <1e6f04fd-f3ea-f0fb-a2b1-92c980955ce9@evolveum.com>
 <1F88F80C-7E7F-4D35-BA78-B7CA33D0589A@wisc.edu>
Message-ID: <b09f81fb-ee68-2cfa-e2c6-2fc469404510@evolveum.com>

Keith,

Yes please. I'm really interested in the results of your work. Thanks a lot.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 12/08/2016 06:56 PM, Keith Hazelton wrote:
> Radovan,
>
> Authentication and Authorization for APIs is a current work area in the Intenet2 Trust and Identity program.  As our work progresses, we’d be quite willing to share the API AuthNZ requirements arising out of the research and education domains. We are focusing first on APIs into, out of and within the identity and access control infrastructure itself.
>
>           --Keith
> ___________________________________
> email & jabber: keith.hazelton at wisc.edu
> calendar: http://go.wisc.edu/i6zxx0
>
> On 2016-12-08, 08:34 , "midPoint on behalf of Radovan Semancik" <midpoint-bounces at lists.evolveum.com on behalf of radovan.semancik at evolveum.com> wrote:
>
>      Hi Adam,
>      
>      Now, this is subscriber talking. So we have to listen. Do you have any
>      plan how would you like to authenticate with your application? I think
>      that using OAuth2 is currently a common practice. If that approach is
>      suitable for you I would prefer that solution. But if you need something
>      simpler we can do that instead. I think this can still fit into midPoint
>      3.6 development plan.
>      
>      --
>      Radovan Semancik
>      Software Architect
>      evolveum.com
>      
>      
>      
>      On 12/08/2016 03:20 PM, Adam Davenport wrote:
>      > We also have a requirement to call the midPoint API on behalf of a particular user.  Not only for the delegated administration mechanisms but also for auditing.  We plan on having a home grown application that users will use that calls the midPoint API.  We require midPoint to audit that userX performed an action on userY rather than the audit record indicating "application user" performed the action.  However, storing userX's credentials to send in the API calls is not a feasible practice.  Thank you.
>      >
>      > Adam Davenport
>      > Western University
>      > _______________________________________________
>      > midPoint mailing list
>      > midPoint at lists.evolveum.com
>      > http://lists.evolveum.com/mailman/listinfo/midpoint
>      
>      
>      _______________________________________________
>      midPoint mailing list
>      midPoint at lists.evolveum.com
>      http://lists.evolveum.com/mailman/listinfo/midpoint
>      
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint




From aivo.kuhlberg at rmit.ee  Fri Dec  9 13:09:27 2016
From: aivo.kuhlberg at rmit.ee (Aivo Kuhlberg)
Date: Fri, 9 Dec 2016 12:09:27 +0000
Subject: [midPoint] shadow vs account
Message-ID: <1481285362674.64790@rmit.ee>

Hi,

I noticed that sometimes in resource correlation xml there is used $shadow variable and sometimes $account variable. Are they the same or completely different parameters with different meaning?


Thanks,

Aivo Kuhlberg

________________________________
Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks tunnistatud teavet.
This e-mail may contain information which is classified for official use.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161209/a096541a/attachment.htm>

From ivan.noris at evolveum.com  Fri Dec  9 13:26:09 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 9 Dec 2016 13:26:09 +0100
Subject: [midPoint] shadow vs account
In-Reply-To: <1481285362674.64790@rmit.ee>
References: <1481285362674.64790@rmit.ee>
Message-ID: <f52becd6-1ca4-a86f-8ef0-c27c4731ba12@evolveum.com>

Hi Aivo,


very long time ago there were only users and accounts, and $user and
$account were the variables holding the objects.

After midPoint was extended for Generic synchronization, $user still
works, but $focus should be used for all other-than-user Focal objects
($focus works also for Users). $shadow is also more generic
representation of the account (or entitlement or whatever).


So $shadow should work for any resource object, not only for account.


Personally, I usually use $user for User object, $focus for other Focal
objects (Role, Org); and tend to use $shadow everywhere where I
previously used $account.


Maybe the developers can correct/extend what I have written.


Regards,
Ivan

On 12/09/2016 01:09 PM, Aivo Kuhlberg wrote:
>
> Hi,
>
> I noticed that sometimes in resource correlation xml there is used
> $shadow variable and sometimes $account variable. Are they the same or
> completely different parameters with different meaning?
>
>
> Thanks,
>
> Aivo Kuhlberg
>
>
> ------------------------------------------------------------------------
> Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks
> tunnistatud teavet.
> This e-mail may contain information which is classified for official use.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161209/6bc53f63/attachment.htm>

From radovan.semancik at evolveum.com  Fri Dec  9 14:43:31 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Fri, 9 Dec 2016 14:43:31 +0100
Subject: [midPoint] shadow vs account
In-Reply-To: <1481285362674.64790@rmit.ee>
References: <1481285362674.64790@rmit.ee>
Message-ID: <525eef99-ee92-e464-6e1d-fbb7a7ff0593@evolveum.com>

Hi,

They are the same. Back in midPoint 2.x we supported only accounts. But 
in midPoint 3.0 we got generic synchronization. So now these objects may 
be anything, not just accounts. Therefore we have changed the variable 
to $shadow. The old $account variable remained there for compatibility 
reasons. It should have the same value as $shadow.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 12/09/2016 01:09 PM, Aivo Kuhlberg wrote:
>
> Hi,
>
> I noticed that sometimes in resource correlation xml there is used 
> $shadow variable and sometimes $account variable. Are they the same or 
> completely different parameters with different meaning?
>
>
> Thanks,
>
> Aivo Kuhlberg
>
>
> ------------------------------------------------------------------------
> Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks 
> tunnistatud teavet.
> This e-mail may contain information which is classified for official use.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161209/e9b88144/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Sat Dec 10 16:10:30 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Sat, 10 Dec 2016 16:10:30 +0100
Subject: [midPoint]  Can't import LDAP groups,
	user reconciliation ends with errors (3.4.1)
Message-ID: <21475423.PMBmVkBcf3@skygge-pc>

Hello,

Something bad happened to my LDAP resource.
It worked well, I imported all users, some groups, configured synchronization and all task was processed ok.
But two days ago I saw errors in reconciliation:

"Last error when processing object	SystemException: java.lang.NullPointerException"

O the resource -> Accounts -> Result:
Failed to reconciliation: java.lang.IllegalStateException: Subresult com.evolveum.midpoint.model.impl.lens.projector.InboundProcessor.processInbound of operation com.evolveum.midpoint.model.impl.lens.projector.Projector.project is still UNKNOWN during cleanup; during handling of exception java.lang.NullPointerException

Since yesterday I'm trying to import other groups from this resource, but every time i got this error:

"No name in new object null as produced by template null in iteration 0, we cannot process an object without a name"
And the role in Midpoint is created with empty name.

And in error details:

com.evolveum.midpoint.util.exception.NoFocusNameSchemaException: No name in new object null as produced by template null in iteration 0, we cannot process an object without a name

Execute (Model) 
Schema violation during processing shadow: shadow: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx (OID:8c0692d3-3235-4b9d-bd89-da1bc80b3f31): Schema violation: Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error modifying LDAP entry cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx: [remove:uniqueMember: cn=Directory Manager,remove:cn: Accounting Managers,]: objectClassViolation: missing attribute "cn" required by object class "groupOfUniqueNames"? (65))

Ldapsearch on my 389ds shows "cn" attribute in the groups:

# Accounting Managers, Groups, xxx.xx
dn: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Actually I don't know where to find a reason, I reviewed schema, schema handling and synchronization both users and groups, compared them with Evolveum example 389ds resource and see no differences. Any help appreciated.
Wociech Staszewski



From mederly at evolveum.com  Sat Dec 10 16:18:48 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Sat, 10 Dec 2016 16:18:48 +0100
Subject: [midPoint] Can't import LDAP groups,
 user reconciliation ends with errors (3.4.1)
In-Reply-To: <21475423.PMBmVkBcf3@skygge-pc>
References: <21475423.PMBmVkBcf3@skygge-pc>
Message-ID: <496cb94b-a3a6-8dc5-9551-7a2c2dd477c3@evolveum.com>

Hello Wojciech,

NPE is an indication of a bug. It would be helpful if you could provide 
the stack trace, so we could (try to) determine what is the cause.

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 10.12.2016 16:10, Wojciech Staszewski wrote:
> Hello,
>
> Something bad happened to my LDAP resource.
> It worked well, I imported all users, some groups, configured synchronization and all task was processed ok.
> But two days ago I saw errors in reconciliation:
>
> "Last error when processing object	SystemException: java.lang.NullPointerException"
>
> O the resource -> Accounts -> Result:
> Failed to reconciliation: java.lang.IllegalStateException: Subresult com.evolveum.midpoint.model.impl.lens.projector.InboundProcessor.processInbound of operation com.evolveum.midpoint.model.impl.lens.projector.Projector.project is still UNKNOWN during cleanup; during handling of exception java.lang.NullPointerException
>
> Since yesterday I'm trying to import other groups from this resource, but every time i got this error:
>
> "No name in new object null as produced by template null in iteration 0, we cannot process an object without a name"
> And the role in Midpoint is created with empty name.
>
> And in error details:
>
> com.evolveum.midpoint.util.exception.NoFocusNameSchemaException: No name in new object null as produced by template null in iteration 0, we cannot process an object without a name
>
> Execute (Model)
> Schema violation during processing shadow: shadow: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx (OID:8c0692d3-3235-4b9d-bd89-da1bc80b3f31): Schema violation: Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error modifying LDAP entry cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx: [remove:uniqueMember: cn=Directory Manager,remove:cn: Accounting Managers,]: objectClassViolation: missing attribute "cn" required by object class "groupOfUniqueNames"? (65))
>
> Ldapsearch on my 389ds shows "cn" attribute in the groups:
>
> # Accounting Managers, Groups, xxx.xx
> dn: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: Accounting Managers
> ou: groups
> description: People who can manage accounting entries
> uniqueMember: cn=Directory Manager
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Actually I don't know where to find a reason, I reviewed schema, schema handling and synchronization both users and groups, compared them with Evolveum example 389ds resource and see no differences. Any help appreciated.
> Wociech Staszewski
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint



From wojciech.staszewski at diagnostyka.pl  Sat Dec 10 18:19:55 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Sat, 10 Dec 2016 18:19:55 +0100
Subject: [midPoint] Can't import LDAP groups,
	user reconciliation ends with errors (3.4.1)
In-Reply-To: <496cb94b-a3a6-8dc5-9551-7a2c2dd477c3@evolveum.com>
References: <21475423.PMBmVkBcf3@skygge-pc>
 <496cb94b-a3a6-8dc5-9551-7a2c2dd477c3@evolveum.com>
Message-ID: <1757162.3H1S0Lf1O4@skygge-pc>

Hi!
I've just found the reason of reconciliation fail.
Accidentaly I removed my Midpoint account (I wanted to remove projection, but I deleted whole acount).
Obviously my LDAP account also disappeared.
I recreated account in LDAP, imported my account back to Midpoint, added administrator role,
but TASKS I made before have no owner now. I deleted them and recreated and now reconciliation works.

Still cannot import groups.
Stack is here ( I don't want to paste it into e-mail because it is quite long):
https://www.skygge.com/1/ldap_group_import_fail.txt

Dnia sobota, 10 grudnia 2016 16:18:48 CET Pavol Mederly pisze:
> Hello Wojciech,
> 
> NPE is an indication of a bug. It would be helpful if you could provide 
> the stack trace, so we could (try to) determine what is the cause.
> 
> Best regards,
> 
> Pavol Mederly
> Software developer
> evolveum.com
> 
> On 10.12.2016 16:10, Wojciech Staszewski wrote:
> > Hello,
> >
> > Something bad happened to my LDAP resource.
> > It worked well, I imported all users, some groups, configured synchronization and all task was processed ok.
> > But two days ago I saw errors in reconciliation:
> >
> > "Last error when processing object	SystemException: java.lang.NullPointerException"
> >
> > O the resource -> Accounts -> Result:
> > Failed to reconciliation: java.lang.IllegalStateException: Subresult com.evolveum.midpoint.model.impl.lens.projector.InboundProcessor.processInbound of operation com.evolveum.midpoint.model.impl.lens.projector.Projector.project is still UNKNOWN during cleanup; during handling of exception java.lang.NullPointerException
> >
> > Since yesterday I'm trying to import other groups from this resource, but every time i got this error:
> >
> > "No name in new object null as produced by template null in iteration 0, we cannot process an object without a name"
> > And the role in Midpoint is created with empty name.
> >
> > And in error details:
> >
> > com.evolveum.midpoint.util.exception.NoFocusNameSchemaException: No name in new object null as produced by template null in iteration 0, we cannot process an object without a name
> >
> > Execute (Model)
> > Schema violation during processing shadow: shadow: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx (OID:8c0692d3-3235-4b9d-bd89-da1bc80b3f31): Schema violation: Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error modifying LDAP entry cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx: [remove:uniqueMember: cn=Directory Manager,remove:cn: Accounting Managers,]: objectClassViolation: missing attribute "cn" required by object class "groupOfUniqueNames"? (65))
> >
> > Ldapsearch on my 389ds shows "cn" attribute in the groups:
> >
> > # Accounting Managers, Groups, xxx.xx
> > dn: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx
> > objectClass: top
> > objectClass: groupOfUniqueNames
> > cn: Accounting Managers
> > ou: groups
> > description: People who can manage accounting entries
> > uniqueMember: cn=Directory Manager
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > Actually I don't know where to find a reason, I reviewed schema, schema handling and synchronization both users and groups, compared them with Evolveum example 389ds resource and see no differences. Any help appreciated.
> > Wociech Staszewski
> >
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> 


From mederly at evolveum.com  Sat Dec 10 18:31:36 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Sat, 10 Dec 2016 18:31:36 +0100
Subject: [midPoint] Can't import LDAP groups,
 user reconciliation ends with errors (3.4.1)
In-Reply-To: <1757162.3H1S0Lf1O4@skygge-pc>
References: <21475423.PMBmVkBcf3@skygge-pc>
 <496cb94b-a3a6-8dc5-9551-7a2c2dd477c3@evolveum.com>
 <1757162.3H1S0Lf1O4@skygge-pc>
Message-ID: <18de1beb-24e0-690f-d210-a57542dfb00d@evolveum.com>

This doesn't look like midPoint problem at first sight. Maybe some 
misconfiguration.

Error modifying LDAP entry cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx:
[remove:uniqueMember: cn=Directory Manager,remove:cn: Accounting Managers,]:
objectClassViolation: missing attribute "cn" required by object class "groupOfUniqueNames"? (65)

I'm not a particular expert in LDAP but I suspect midPoint is driven 
(maybe by your configuration) to remove "cn" Attribute from your 
Accounting Managers group.

To diagnose that, one probably needs a bit of knowledge of midPoint. I'd 
suggest you to try to follow suggestions mentioned here 
<https://wiki.evolveum.com/display/midPoint/Usual+Troubleshooting+Steps> 
and here 
<https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings>.

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 10.12.2016 18:19, Wojciech Staszewski wrote:
> Hi!
> I've just found the reason of reconciliation fail.
> Accidentaly I removed my Midpoint account (I wanted to remove projection, but I deleted whole acount).
> Obviously my LDAP account also disappeared.
> I recreated account in LDAP, imported my account back to Midpoint, added administrator role,
> but TASKS I made before have no owner now. I deleted them and recreated and now reconciliation works.
>
> Still cannot import groups.
> Stack is here ( I don't want to paste it into e-mail because it is quite long):
> https://www.skygge.com/1/ldap_group_import_fail.txt
>
> Dnia sobota, 10 grudnia 2016 16:18:48 CET Pavol Mederly pisze:
>> Hello Wojciech,
>>
>> NPE is an indication of a bug. It would be helpful if you could provide
>> the stack trace, so we could (try to) determine what is the cause.
>>
>> Best regards,
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 10.12.2016 16:10, Wojciech Staszewski wrote:
>>> Hello,
>>>
>>> Something bad happened to my LDAP resource.
>>> It worked well, I imported all users, some groups, configured synchronization and all task was processed ok.
>>> But two days ago I saw errors in reconciliation:
>>>
>>> "Last error when processing object	SystemException: java.lang.NullPointerException"
>>>
>>> O the resource -> Accounts -> Result:
>>> Failed to reconciliation: java.lang.IllegalStateException: Subresult com.evolveum.midpoint.model.impl.lens.projector.InboundProcessor.processInbound of operation com.evolveum.midpoint.model.impl.lens.projector.Projector.project is still UNKNOWN during cleanup; during handling of exception java.lang.NullPointerException
>>>
>>> Since yesterday I'm trying to import other groups from this resource, but every time i got this error:
>>>
>>> "No name in new object null as produced by template null in iteration 0, we cannot process an object without a name"
>>> And the role in Midpoint is created with empty name.
>>>
>>> And in error details:
>>>
>>> com.evolveum.midpoint.util.exception.NoFocusNameSchemaException: No name in new object null as produced by template null in iteration 0, we cannot process an object without a name
>>>
>>> Execute (Model)
>>> Schema violation during processing shadow: shadow: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx (OID:8c0692d3-3235-4b9d-bd89-da1bc80b3f31): Schema violation: Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error modifying LDAP entry cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx: [remove:uniqueMember: cn=Directory Manager,remove:cn: Accounting Managers,]: objectClassViolation: missing attribute "cn" required by object class "groupOfUniqueNames"? (65))
>>>
>>> Ldapsearch on my 389ds shows "cn" attribute in the groups:
>>>
>>> # Accounting Managers, Groups, xxx.xx
>>> dn: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx
>>> objectClass: top
>>> objectClass: groupOfUniqueNames
>>> cn: Accounting Managers
>>> ou: groups
>>> description: People who can manage accounting entries
>>> uniqueMember: cn=Directory Manager
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> Actually I don't know where to find a reason, I reviewed schema, schema handling and synchronization both users and groups, compared them with Evolveum example 389ds resource and see no differences. Any help appreciated.
>>> Wociech Staszewski
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161210/986debcb/attachment.htm>

From aivo.kuhlberg at rmit.ee  Mon Dec 12 10:48:17 2016
From: aivo.kuhlberg at rmit.ee (Aivo Kuhlberg)
Date: Mon, 12 Dec 2016 09:48:17 +0000
Subject: [midPoint] ScriptedSQL - create group tries to create account
Message-ID: <1481536095635.31444@rmit.ee>

Hi,
I am trying to sync midPoint role to scriptedSQL table "Groups" but for some reason every time when I add resource projection to role it tries to run CreateScript.groovy with __ACCOUNT__ objectClass. I have specified sync parameters for both accounts and groups but for some reason it does not help to find entitlement. However importing groups works OK - groups in MariaDB Groups table are imported correctly to mipdPoint.
Here are some of the configuration settings I use for ScriptedSQL connector:

   <schemaHandling>
      <objectType>
         <kind>account</kind>
         <intent>account</intent>
         <default>true</default>
         <objectClass>ri:AccountObjectClass</objectClass>
...
      <objectType>
         <kind>entitlement</kind>
         <intent>group</intent>
         <default>true</default>
         <objectClass>ri:CustomGroupObjectClass</objectClass>
...
   <synchronization>
      <objectSynchronization>
         <name>DBAT1 users sync</name>
         <objectClass>ri:AccountObjectClass</objectClass>
         <kind>account</kind>
         <intent>account</intent>
         <enabled>true</enabled>
...
      </objectSynchronization>
      <objectSynchronization>
         <name>DBAT1 Groups sync</name>
         <objectClass>ri:CustomGroupObjectClass</objectClass>
         <kind>entitlement</kind>
         <intent>group</intent>
         <focusType>RoleType</focusType>
         <enabled>true</enabled>
...

And here is what I see in log when I try to add projection to Role with name "DBAT1_test3"
2016-12-12 11:18:57,096 [] [Thread-12] WARN (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Can't do reconciliation. Account context doesn't contain current version of account.
2016-12-12 11:18:57,550 [] [Thread-12] INFO (com.evolveum.midpoint.provisioning.impl.ConnectorManager): Created new connector instance for resource:12784dc4-defd-4ab5-b9bd-70af099d0b38(DBAT1): org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector v1.1.2.0.em3
2016-12-12 11:18:58,426 [] [Thread-12] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Entering CREATE Script for the objectClass __ACCOUNT__
2016-12-12 11:18:58,461 [] [Thread-12] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Create parameter options is: [:]
2016-12-12 11:18:58,461 [] [Thread-12] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Create parameter id is: DBAT1_test3
2016-12-12 11:18:58,487 [] [Thread-12] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Create parameter description is: null
2016-12-12 11:18:58,488 [] [Thread-12] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Create parameter attributes is: [__ENABLE__:[true]]

Regards,
Aivo Kuhlberg


________________________________
Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks tunnistatud teavet.
This e-mail may contain information which is classified for official use.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161212/ebaf73b1/attachment.htm>

From ivan.noris at evolveum.com  Mon Dec 12 11:13:42 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 12 Dec 2016 11:13:42 +0100
Subject: [midPoint] ScriptedSQL - create group tries to create account
In-Reply-To: <1481536095635.31444@rmit.ee>
References: <1481536095635.31444@rmit.ee>
Message-ID: <33a4881f-0419-566c-681f-2be25e4ff21c@evolveum.com>

Hi Aivo,


are you ADDING projection or assigning role? IMHO add projection always
uses kind=account and intent=default (as of now).


You should assign a role with construction to your role.


Regards,

Ivan


On 12/12/2016 10:48 AM, Aivo Kuhlberg wrote:
>
> Hi,
> I am trying to sync midPoint role to scriptedSQL table "Groups" but
> for some reason every time when I add resource projection to role it
> tries to run CreateScript.groovy with __ACCOUNT__ objectClass. I have
> specified sync parameters for both accounts and groups but for some
> reason it does not help to find entitlement. However importing groups
> works OK - groups in MariaDB Groups table are imported correctly to
> mipdPoint.  
> Here are some of the configuration settings I use for ScriptedSQL
> connector:
>
>    <schemaHandling>
>       <objectType>
>          <kind>account</kind>
>          <intent>account</intent>
>          <default>true</default>
>          <objectClass>ri:AccountObjectClass</objectClass>
> ...
>       <objectType>
>          <kind>entitlement</kind>
>          <intent>group</intent>
>          <default>true</default>
>          <objectClass>ri:CustomGroupObjectClass</objectClass>
> ...
>    <synchronization>
>       <objectSynchronization>
>          <name>DBAT1 users sync</name>
>          <objectClass>ri:AccountObjectClass</objectClass>
>          <kind>account</kind>
>          <intent>account</intent>
>          <enabled>true</enabled>
> ...
>       </objectSynchronization>
>       <objectSynchronization>
>          <name>DBAT1 Groups sync</name>
>          <objectClass>ri:CustomGroupObjectClass</objectClass>
>          <kind>entitlement</kind>
>          <intent>group</intent>
>          <focusType>RoleType</focusType>
>          <enabled>true</enabled>
> ...
>
> And here is what I see in log when I try to add projection to Role
> with name "DBAT1_test3"  
> 2016-12-12 11:18:57,096 [] [Thread-12] WARN
> (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor):
> Can't do reconciliation. Account context doesn't contain current
> version of account.
> 2016-12-12 11:18:57,550 [] [Thread-12] INFO
> (com.evolveum.midpoint.provisioning.impl.ConnectorManager): Created
> new connector instance for
> resource:12784dc4-defd-4ab5-b9bd-70af099d0b38(DBAT1):
> org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector
> v1.1.2.0.em3
> 2016-12-12 11:18:58,426 [] [Thread-12] DEBUG
> (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method:
> null msg:Entering CREATE Script for the objectClass __ACCOUNT__
> 2016-12-12 11:18:58,461 [] [Thread-12] DEBUG
> (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method:
> null msg:Create parameter options is: [:]
> 2016-12-12 11:18:58,461 [] [Thread-12] DEBUG
> (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method:
> null msg:Create parameter id is: DBAT1_test3
> 2016-12-12 11:18:58,487 [] [Thread-12] DEBUG
> (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method:
> null msg:Create parameter description is: null
> 2016-12-12 11:18:58,488 [] [Thread-12] DEBUG
> (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method:
> null msg:Create parameter attributes is: [__ENABLE__:[true]]
>
> Regards,
> Aivo Kuhlberg
>
>
>
> ------------------------------------------------------------------------
> Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks
> tunnistatud teavet.
> This e-mail may contain information which is classified for official use.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161212/78cafd3e/attachment.htm>

From aivo.kuhlberg at rmit.ee  Mon Dec 12 11:51:07 2016
From: aivo.kuhlberg at rmit.ee (Aivo Kuhlberg)
Date: Mon, 12 Dec 2016 10:51:07 +0000
Subject: [midPoint] ScriptedSQL - create group tries to create account
In-Reply-To: <33a4881f-0419-566c-681f-2be25e4ff21c@evolveum.com>
References: <1481536095635.31444@rmit.ee>,
 <33a4881f-0419-566c-681f-2be25e4ff21c@evolveum.com>
Message-ID: <1481539865881.47622@rmit.ee>

Hi Ivan,
Thanks for the information. Yes I was ADDING a projection rather than adding a metarole with group inducement. Now when I assigned the metarole the group creation works!
Thank you again.
Regards,
Aivo Kuhlberg


________________________________
Saatja: midPoint <midpoint-bounces at lists.evolveum.com> nimelIvan Noris <ivan.noris at evolveum.com>
Saadetud: 12. detsember 2016 12:13
Adressaat: midpoint at lists.evolveum.com
Teema: Re: [midPoint] ScriptedSQL - create group tries to create account


Hi Aivo,


are you ADDING projection or assigning role? IMHO add projection always uses kind=account and intent=default (as of now).


You should assign a role with construction to your role.


Regards,

Ivan

On 12/12/2016 10:48 AM, Aivo Kuhlberg wrote:

Hi,
I am trying to sync midPoint role to scriptedSQL table "Groups" but for some reason every time when I add resource projection to role it tries to run CreateScript.groovy with __ACCOUNT__ objectClass. I have specified sync parameters for both accounts and groups but for some reason it does not help to find entitlement. However importing groups works OK - groups in MariaDB Groups table are imported correctly to mipdPoint.
Here are some of the configuration settings I use for ScriptedSQL connector:

   <schemaHandling>
      <objectType>
         <kind>account</kind>
         <intent>account</intent>
         <default>true</default>
         <objectClass>ri:AccountObjectClass</objectClass>
...
      <objectType>
         <kind>entitlement</kind>
         <intent>group</intent>
         <default>true</default>
         <objectClass>ri:CustomGroupObjectClass</objectClass>
...
   <synchronization>
      <objectSynchronization>
         <name>DBAT1 users sync</name>
         <objectClass>ri:AccountObjectClass</objectClass>
         <kind>account</kind>
         <intent>account</intent>
         <enabled>true</enabled>
...
      </objectSynchronization>
      <objectSynchronization>
         <name>DBAT1 Groups sync</name>
         <objectClass>ri:CustomGroupObjectClass</objectClass>
         <kind>entitlement</kind>
         <intent>group</intent>
         <focusType>RoleType</focusType>
         <enabled>true</enabled>
...

And here is what I see in log when I try to add projection to Role with name "DBAT1_test3"
2016-12-12 11:18:57,096 [] [Thread-12] WARN (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Can't do reconciliation. Account context doesn't contain current version of account.
2016-12-12 11:18:57,550 [] [Thread-12] INFO (com.evolveum.midpoint.provisioning.impl.ConnectorManager): Created new connector instance for resource:12784dc4-defd-4ab5-b9bd-70af099d0b38(DBAT1): org.forgerock.openicf.connectors.scriptedsql.ScriptedSQLConnector v1.1.2.0.em3
2016-12-12 11:18:58,426 [] [Thread-12] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Entering CREATE Script for the objectClass __ACCOUNT__
2016-12-12 11:18:58,461 [] [Thread-12] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Create parameter options is: [:]
2016-12-12 11:18:58,461 [] [Thread-12] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Create parameter id is: DBAT1_test3
2016-12-12 11:18:58,487 [] [Thread-12] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Create parameter description is: null
2016-12-12 11:18:58,488 [] [Thread-12] DEBUG (org.forgerock.openicf.misc.scriptedcommon.ScriptedConnector): method: null msg:Create parameter attributes is: [__ENABLE__:[true]]

Regards,
Aivo Kuhlberg


________________________________
Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks tunnistatud teavet.
This e-mail may contain information which is classified for official use.


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint



--
Ivan Noris
Senior Identity Engineer
evolveum.com


________________________________
Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks tunnistatud teavet.
This e-mail may contain information which is classified for official use.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161212/40a93472/attachment.htm>

From m.benucci at nsr.it  Mon Dec 12 16:57:19 2016
From: m.benucci at nsr.it (m.benucci)
Date: Mon, 12 Dec 2016 16:57:19 +0100
Subject: [midPoint] Sync Virtual Identities and AD Groups using roles
Message-ID: <OI2XNJ$DD551B1CCF2BD8CC06A65B4632B6FDF0@nsr.it>

Hi,

I have imported users from an Active Directory and 

I have successfully synchronized AD groups with midPoint roles using a metarole.

Provisioning and Synchronization seems to works well.

  

Now, given a midPoint Role (an AD entitlement),  I would like to know if is possible to know who is assigned to this role (e.g. I would like to know from midPoint who is assigned to the role/entitlement "Domain Admin").

  

I suppose I necessarily need to assign the role to an user to see if he is a member of it, is there a way to automate this assignment process?

  

  

Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161212/00e28a6b/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Mon Dec 12 23:11:43 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Mon, 12 Dec 2016 23:11:43 +0100
Subject: [midPoint]  ScriptedSQL - add/remove entitlements
Message-ID: <3062999.LUnh5BE5GU@skygge-pc>

Hello,

I'm playing with ScriptedSQL resource, based on Evolveum example from Github.
I'm able to list/add/remove users/groups and enable/disable accounts. Great.
But now I want to apply an assignment (a group) to user. Unfortunately "Update_Script.groovy" is incomplete,
ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
Where can I find some examples?

Thanks a lot!
WS


From m.benucci at nsr.it  Mon Dec 12 17:23:26 2016
From: m.benucci at nsr.it (m.benucci)
Date: Mon, 12 Dec 2016 17:23:26 +0100
Subject: [midPoint] Sync Virtual Identities and AD Groups using roles
Message-ID: <OI2YV2$50BDA1E6677E26552EB1B7A4B39C34FF@nsr.it>

Little Update:

  

I tried to use the assignmentTargetSearch giving as a source the "$account/attributes/groups",

and as target "$user/assignment".

  

It fails with the error "No definition for focus property assignment" and I sow that this bug was fixed in the v3.4devel-1727-g2bcbd00

this is the jira https://jira.evolveum.com/browse/MID-2689.

  

I am using midpoint 3.3.1... So, Will the assignment of multiple Roles, 
based on the multivalued attribute $account/attributes/groups work with 
the assignmentTargetSearch on the latest midpoint Stable version?

  

Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161212/568c89b0/attachment.htm>

From nrossi at identicum.com  Tue Dec 13 01:45:00 2016
From: nrossi at identicum.com (Nicolas Rossi)
Date: Mon, 12 Dec 2016 21:45:00 -0300
Subject: [midPoint] ScriptedSQL - add/remove entitlements
In-Reply-To: <3062999.LUnh5BE5GU@skygge-pc>
References: <3062999.LUnh5BE5GU@skygge-pc>
Message-ID: <CAAxX8cjpmjbCkT6+T9ZGeSAHFRGunuz7HSU0JttpPdb7AWcfWQ@mail.gmail.com>

Hi, you have to add the association between Users and Groups. It's
something like that:

<association>
<ref>ri:GroupObjectClass</ref>
<kind>entitlement</kind>
<intent>default</intent>
<tolerant>false</tolerant>
<direction>subjectToObject</direction>
<associationAttribute>ri:groups</associationAttribute>
<valueAttribute>icfs:uid</valueAttribute>
<shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute>
<shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
</association>

You can find more information about the association and the tolerant
parameter here:
https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition

Inside your Update script the operation should be ADD_ATTRIBUTE_VALUE for
objectClass __ACCOUNT__ and the attribute received should be "groups":

    case "ADD_ATTRIBUTE_VALUES":

        if(objectClass == "__ACCOUNT__")
        {
            for(String group : attributes.get("groups"))
            {
                def existingEntitlement = sql.rows("SELECT 1 FROM
UserGroups WHERE user_id=? AND group_id=?",[uid as String, group as
String]);
                if(existingEntitlement.isEmpty())
                {
                    log.info("Sample - Adding entitlement ${group} to user
${uid}");
                    sql.execute("insert into UserGroups (user_id, group_id)
values (" + uid + "," + group + ")");
                }
                else
                {
                    log.info("Sample - Skipping assignment because user
${uid} already has group ${group}");
                }
            }
        }

You should also handle the REMOVE_ATTRIBUTE_VALUES with the same logic.
Radovan and Ivan have helped us few weeks ago with the ScriptedSQL
resource. You can find the conversation in the mailing list. I am sure it
will help you too.

Regards,





Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
wojciech.staszewski at diagnostyka.pl> wrote:

> Hello,
>
> I'm playing with ScriptedSQL resource, based on Evolveum example from
> Github.
> I'm able to list/add/remove users/groups and enable/disable accounts.
> Great.
> But now I want to apply an assignment (a group) to user. Unfortunately
> "Update_Script.groovy" is incomplete,
> ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
> Where can I find some examples?
>
> Thanks a lot!
> WS
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161212/66bd54b2/attachment.htm>

From ivan.noris at evolveum.com  Tue Dec 13 08:58:59 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Tue, 13 Dec 2016 08:58:59 +0100
Subject: [midPoint] Sync Virtual Identities and AD Groups using roles
In-Reply-To: <OI2XNJ$DD551B1CCF2BD8CC06A65B4632B6FDF0@nsr.it>
References: <OI2XNJ$DD551B1CCF2BD8CC06A65B4632B6FDF0@nsr.it>
Message-ID: <6878ac27-3654-c76e-91d5-fa5baa864fd5@evolveum.com>

Hi,

if you open your role in midPoint, you can see its members in "Members"
tab. Both direct and indirect members should be displayable. So you can
see who has the role assigned.

It's not possible yet to make a report which uses resource data, i.e.
"show all users in midPoint, which have account in AD with attribute
XY". As we do not store resource account attributes, the data would need
to be fetche during such report. This is not implemented yet.

Regards,
Ivan

On 12/12/2016 04:57 PM, m.benucci wrote:
> Hi,
> I have imported users from an Active Directory and
> I have successfully synchronized AD groups with midPoint roles using a
> metarole.
> Provisioning and Synchronization seems to works well.
>
> Now, given a midPoint Role (an AD entitlement), I would like to know
> if is possible to know who is assigned to this role (e.g. I would like
> to know from midPoint who is assigned to the role/entitlement "Domain
> Admin").
>
> I suppose I necessarily need to assign the role to an user to see if
> he is a member of it, is there a way to automate this assignment process?
>
>
> Thank you.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161213/bf69f540/attachment.htm>

From jeverling at bshp.edu  Tue Dec 13 16:08:30 2016
From: jeverling at bshp.edu (Jason Everling)
Date: Tue, 13 Dec 2016 09:08:30 -0600
Subject: [midPoint] Sync Virtual Identities and AD Groups using roles
In-Reply-To: <6878ac27-3654-c76e-91d5-fa5baa864fd5@evolveum.com>
References: <OI2XNJ$DD551B1CCF2BD8CC06A65B4632B6FDF0@nsr.it>
 <6878ac27-3654-c76e-91d5-fa5baa864fd5@evolveum.com>
Message-ID: <CAFkZXY6BQjwHa0SUNMJ7ntRGRqcLxcsWFdLO-Uyv_ULaY+UtZg@mail.gmail.com>

Another note if you want those roles populated with current members from
AD, you would need to create an inbound sync for groups from AD which then
gets assigned the correct role in midpoint. This is not currently supported
in midpoint but I do have a work around, might not be the best way to do it
but it does work.

See my post,
http://lists.evolveum.com/pipermail/midpoint/2016-September/002503.html ,
using AD .NET connector but even with the new AD LDAP connector it should
work the same, just different attribute, maybe ri:memberOf ? Haven't used
the connector yet so not sure. One caveat, it only works on reconcile, not
live sync. I have within the default objectTemplate to assign a role based
on the group name.

JASON

On Tue, Dec 13, 2016 at 1:58 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

> Hi,
>
> if you open your role in midPoint, you can see its members in "Members"
> tab. Both direct and indirect members should be displayable. So you can see
> who has the role assigned.
>
> It's not possible yet to make a report which uses resource data, i.e.
> "show all users in midPoint, which have account in AD with attribute XY".
> As we do not store resource account attributes, the data would need to be
> fetche during such report. This is not implemented yet.
> Regards,
> Ivan
>
>
> On 12/12/2016 04:57 PM, m.benucci wrote:
>
> Hi,
> I have imported users from an Active Directory and
> I have successfully synchronized AD groups with midPoint roles using a
> metarole.
> Provisioning and Synchronization seems to works well.
>
> Now, given a midPoint Role (an AD entitlement), I would like to know if
> is possible to know who is assigned to this role (e.g. I would like to know
> from midPoint who is assigned to the role/entitlement "Domain Admin").
>
> I suppose I necessarily need to assign the role to an user to see if he is
> a member of it, is there a way to automate this assignment process?
>
>
> Thank you.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161213/fcd8d2a9/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Tue Dec 13 18:30:22 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Tue, 13 Dec 2016 18:30:22 +0100
Subject: [midPoint] ScriptedSQL - add/remove entitlements
In-Reply-To: <CAAxX8cjpmjbCkT6+T9ZGeSAHFRGunuz7HSU0JttpPdb7AWcfWQ@mail.gmail.com>
References: <3062999.LUnh5BE5GU@skygge-pc>
 <CAAxX8cjpmjbCkT6+T9ZGeSAHFRGunuz7HSU0JttpPdb7AWcfWQ@mail.gmail.com>
Message-ID: <5203676.ZCdp2b7rXk@skygge-pc>

Thank you very much!
Regards,  WS

Dnia poniedziałek, 12 grudnia 2016 21:45:00 CET Nicolas Rossi pisze:
> Hi, you have to add the association between Users and Groups. It's
> something like that:
> 
> <association>
> <ref>ri:GroupObjectClass</ref>
> <kind>entitlement</kind>
> <intent>default</intent>
> <tolerant>false</tolerant>
> <direction>subjectToObject</direction>
> <associationAttribute>ri:groups</associationAttribute>
> <valueAttribute>icfs:uid</valueAttribute>
> <shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute>
> <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
> </association>
> 
> You can find more information about the association and the tolerant
> parameter here:
> https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition
> 
> Inside your Update script the operation should be ADD_ATTRIBUTE_VALUE for
> objectClass __ACCOUNT__ and the attribute received should be "groups":
> 
>     case "ADD_ATTRIBUTE_VALUES":
> 
>         if(objectClass == "__ACCOUNT__")
>         {
>             for(String group : attributes.get("groups"))
>             {
>                 def existingEntitlement = sql.rows("SELECT 1 FROM
> UserGroups WHERE user_id=? AND group_id=?",[uid as String, group as
> String]);
>                 if(existingEntitlement.isEmpty())
>                 {
>                     log.info("Sample - Adding entitlement ${group} to user
> ${uid}");
>                     sql.execute("insert into UserGroups (user_id, group_id)
> values (" + uid + "," + group + ")");
>                 }
>                 else
>                 {
>                     log.info("Sample - Skipping assignment because user
> ${uid} already has group ${group}");
>                 }
>             }
>         }
> 
> You should also handle the REMOVE_ATTRIBUTE_VALUES with the same logic.
> Radovan and Ivan have helped us few weeks ago with the ScriptedSQL
> resource. You can find the conversation in the mailing list. I am sure it
> will help you too.
> 
> Regards,
> 
> 
> 
> 
> 
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
> 
> On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
> wojciech.staszewski at diagnostyka.pl> wrote:
> 
> > Hello,
> >
> > I'm playing with ScriptedSQL resource, based on Evolveum example from
> > Github.
> > I'm able to list/add/remove users/groups and enable/disable accounts.
> > Great.
> > But now I want to apply an assignment (a group) to user. Unfortunately
> > "Update_Script.groovy" is incomplete,
> > ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
> > Where can I find some examples?
> >
> > Thanks a lot!
> > WS
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
> >
> 


-- 
Wojciech Staszewski
Administrator Systemów Sieciowych
Dział IT
DIAGNOSTYKA 
Spółka z ograniczoną odpowiedzialnością 
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
tel.: +48 12 295 01 00
fax: +48 12 295 01 02 
tel. kom: 663 680 236
www.diag.pl
DIAGNOSTYKA Spółka z ograniczoną odpowiedzialnością ul. Prof. M. Życzkowskiego 16, 31-864 Kraków; 
KRS: Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy Krajowego KRS: 0000381559; NIP: 675-12-65-009; REGON: 356366975, Kapitał zakładowy: 33 252 500 zł.


From vincent.hurtevent at univ-lyon1.fr  Wed Dec 14 11:04:14 2016
From: vincent.hurtevent at univ-lyon1.fr (HURTEVENT VINCENT)
Date: Wed, 14 Dec 2016 10:04:14 +0000
Subject: [midPoint] Unassignement ?
Message-ID: <0E125049-578B-415E-B525-4FCDCBD2564E@univ-lyon1.fr>

Hello,

We’re working on a PoC for our university with the creation of directories accounts with the informations provided by our upstream ressources (HR and student information systems).

As many of our people have several profiles, mainly staff and student, it appears that working with intent is a good solution. So we began to write our process : one user, several intent, and objectTemplates which define assignments which induce accounts in downstream directories.

When a people comes from upstream with a specific profile, for the exemple staff and student, we assign the staff Role and the student Role and the 2 accounts are well created in the downstream directories.

Now, we would like in reaction to a deleted situation in a specific upstream ressources, to keep the user in Midpoint but unassign roles and potentially assign specific roles which could lead to specific manipulation on accounts (disable on AD, modify attributes, etc).

We look at activation status but we don’t really understand how to use it with specific intent. Validity dates will be different between the staff contract dates and the student registration dates for example.

Is there a simple way to define in ressources, an unassign action in reaction to a deleted situation ?

Thank you,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3520 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161214/25bf4222/attachment.bin>

From ivan.noris at evolveum.com  Wed Dec 14 11:42:46 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 14 Dec 2016 11:42:46 +0100
Subject: [midPoint] Unassignement ?
In-Reply-To: <0E125049-578B-415E-B525-4FCDCBD2564E@univ-lyon1.fr>
References: <0E125049-578B-415E-B525-4FCDCBD2564E@univ-lyon1.fr>
Message-ID: <f546fa78-c72e-846f-f9fd-a5ae8a4ecc58@evolveum.com>

Hi,

by default, if you unassign (last) role which represents the account,
the account would be deleted.

If you assign the roles automatically in object templates, by some
condition e.g. employee status, it would work automatically.

On the other way midPoint can be configured to unassign roles, but not
to delete the accounts, but disable them. Or disable them and delete
later (in 30 days for example). See here:
https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling%3A+Activation

But if you wish to unassign all roles (regardless if they were assigned
automatically by template or manually), this could be more complicated.

Ivan

On 12/14/2016 11:04 AM, HURTEVENT VINCENT wrote:
> Hello,
>
> We’re working on a PoC for our university with the creation of directories accounts with the informations provided by our upstream ressources (HR and student information systems).
>
> As many of our people have several profiles, mainly staff and student, it appears that working with intent is a good solution. So we began to write our process : one user, several intent, and objectTemplates which define assignments which induce accounts in downstream directories.
>
> When a people comes from upstream with a specific profile, for the exemple staff and student, we assign the staff Role and the student Role and the 2 accounts are well created in the downstream directories.
>
> Now, we would like in reaction to a deleted situation in a specific upstream ressources, to keep the user in Midpoint but unassign roles and potentially assign specific roles which could lead to specific manipulation on accounts (disable on AD, modify attributes, etc).
>
> We look at activation status but we don’t really understand how to use it with specific intent. Validity dates will be different between the staff contract dates and the student registration dates for example.
>
> Is there a simple way to define in ressources, an unassign action in reaction to a deleted situation ?
>
> Thank you,
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161214/86921ca2/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Wed Dec 14 13:10:35 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Wed, 14 Dec 2016 13:10:35 +0100
Subject: [midPoint] ScriptedSQL - add/remove entitlements
In-Reply-To: <5203676.ZCdp2b7rXk@skygge-pc>
References: <3062999.LUnh5BE5GU@skygge-pc>
 <CAAxX8cjpmjbCkT6+T9ZGeSAHFRGunuz7HSU0JttpPdb7AWcfWQ@mail.gmail.com>
 <5203676.ZCdp2b7rXk@skygge-pc>
Message-ID: <9ced65c8-bcd7-b237-aeaf-3cf8dd024f43@diagnostyka.pl>

Just 4 more questions.

I have a little trouble with search script.

1. Searching associated groups: can it be in a separate sql query in
__ACCOUNT__ case?
2. It must return: "__UID__", "__NAME__" and "groups" attributes, right?
(the list of groups)
3. Or it must be one single guery returning all attributes including
group membership? But then it will return more than one row...

4. How to construct the SQL query using "where" template?
I tried to put something like this:

"select g.name as name, u.alias from users_groups ug, usrgrp g, users u"
+ where + " AND g.usrgrpid = ug.usrgrpid and u.userid = ug.userid"

(msg:Search WHERE clause is:  WHERE u.userid = 1)

But i got SQL syntax error. I log this query, Ctrl+C from log, Ctrl+V in
SQL console and it works.

Thanks,
Best regards, WS

W dniu 13.12.2016 o 18:30, Wojciech Staszewski pisze:
> Thank you very much!
> Regards,  WS
> 
> Dnia poniedziałek, 12 grudnia 2016 21:45:00 CET Nicolas Rossi pisze:
>> Hi, you have to add the association between Users and Groups. It's
>> something like that:
>>
>> <association>
>> <ref>ri:GroupObjectClass</ref>
>> <kind>entitlement</kind>
>> <intent>default</intent>
>> <tolerant>false</tolerant>
>> <direction>subjectToObject</direction>
>> <associationAttribute>ri:groups</associationAttribute>
>> <valueAttribute>icfs:uid</valueAttribute>
>> <shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute>
>> <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
>> </association>
>>
>> You can find more information about the association and the tolerant
>> parameter here:
>> https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition
>>
>> Inside your Update script the operation should be ADD_ATTRIBUTE_VALUE for
>> objectClass __ACCOUNT__ and the attribute received should be "groups":
>>
>>     case "ADD_ATTRIBUTE_VALUES":
>>
>>         if(objectClass == "__ACCOUNT__")
>>         {
>>             for(String group : attributes.get("groups"))
>>             {
>>                 def existingEntitlement = sql.rows("SELECT 1 FROM
>> UserGroups WHERE user_id=? AND group_id=?",[uid as String, group as
>> String]);
>>                 if(existingEntitlement.isEmpty())
>>                 {
>>                     log.info("Sample - Adding entitlement ${group} to user
>> ${uid}");
>>                     sql.execute("insert into UserGroups (user_id, group_id)
>> values (" + uid + "," + group + ")");
>>                 }
>>                 else
>>                 {
>>                     log.info("Sample - Skipping assignment because user
>> ${uid} already has group ${group}");
>>                 }
>>             }
>>         }
>>
>> You should also handle the REMOVE_ATTRIBUTE_VALUES with the same logic.
>> Radovan and Ivan have helped us few weeks ago with the ScriptedSQL
>> resource. You can find the conversation in the mailing list. I am sure it
>> will help you too.
>>
>> Regards,
>>
>>
>>
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
>> wojciech.staszewski at diagnostyka.pl> wrote:
>>
>>> Hello,
>>>
>>> I'm playing with ScriptedSQL resource, based on Evolveum example from
>>> Github.
>>> I'm able to list/add/remove users/groups and enable/disable accounts.
>>> Great.
>>> But now I want to apply an assignment (a group) to user. Unfortunately
>>> "Update_Script.groovy" is incomplete,
>>> ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
>>> Where can I find some examples?
>>>
>>> Thanks a lot!
>>> WS
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
> 
> 


From hindog at gmail.com  Thu Dec 15 02:29:04 2016
From: hindog at gmail.com (Aaron Hiniker)
Date: Wed, 14 Dec 2016 17:29:04 -0800
Subject: [midPoint] Provisioning a demo/sample application
Message-ID: <CABCx=MC7qG+GjNrubeaFrxV=UeByqLj5nGqDwpBZ-3_s2roGbQ@mail.gmail.com>

Hi,

I have OpenDJ running and midpoint running on a mysql store and now I want
to configure a sample application.  I see many different configuration
files included in the distribution, but it’s very confusing to understand
what exactly I need to do and which ones to include.  For example, there is
ldap-deeply-hierarchal folder with 3 config files.  I tried to import those
files, along with some of the configs from the common folder and when I try
to assign a user to the “Org Metarule”, I get this error:

Unsatisfied strict dependency of account Discr(RSD(entitlement (group)
@10000000-0000-0000-0000-000000000003)) dependent on Discr(RSD(generic (ou)
@10000000-0000-0000-0000-000000000003)): Account not provisioned


I don’t know how to decipher what the problem is,  “Account not
provisioned” isn’t helpful to me since I have no idea WHY it’s not
provisioned.  Is there a documentation page that would walk me through how
to spin up a nested org/group demo from soup-to-nuts that doesn’t require
me to know every detail of the individual configuration objects/steps
involved?

Thanks,

Aaron
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161214/84587c91/attachment.htm>

From nrossi at identicum.com  Thu Dec 15 02:34:43 2016
From: nrossi at identicum.com (Nicolas Rossi)
Date: Thu, 15 Dec 2016 01:34:43 +0000
Subject: [midPoint] ScriptedSQL - add/remove entitlements
In-Reply-To: <9ced65c8-bcd7-b237-aeaf-3cf8dd024f43@diagnostyka.pl>
References: <3062999.LUnh5BE5GU@skygge-pc>
 <CAAxX8cjpmjbCkT6+T9ZGeSAHFRGunuz7HSU0JttpPdb7AWcfWQ@mail.gmail.com>
 <5203676.ZCdp2b7rXk@skygge-pc>
 <9ced65c8-bcd7-b237-aeaf-3cf8dd024f43@diagnostyka.pl>
Message-ID: <CAAxX8chmZ7cvvgfsqoOZxpJ9eLvG27Q7-+egViWdGArwbrGW7g@mail.gmail.com>

The Search script should return the ID, Name and Members of the group. It
doesn't matter if you use 1, 2 or more queries but you should return an
array with one row for each group where the members attribute is an array
too.

Can you copy the sql error of the query with the where filter?

Regards,


Nicolás


El El mié, 14 de dic. de 2016 a las 09:12, Wojciech Staszewski <
wojciech.staszewski at diagnostyka.pl> escribió:

> Just 4 more questions.
>
>
>
> I have a little trouble with search script.
>
>
>
> 1. Searching associated groups: can it be in a separate sql query in
>
> __ACCOUNT__ case?
>
> 2. It must return: "__UID__", "__NAME__" and "groups" attributes, right?
>
> (the list of groups)
>
> 3. Or it must be one single guery returning all attributes including
>
> group membership? But then it will return more than one row...
>
>
>
> 4. How to construct the SQL query using "where" template?
>
> I tried to put something like this:
>
>
>
> "select g.name as name, u.alias from users_groups ug, usrgrp g, users u"
>
> + where + " AND g.usrgrpid = ug.usrgrpid and u.userid = ug.userid"
>
>
>
> (msg:Search WHERE clause is:  WHERE u.userid = 1)
>
>
>
> But i got SQL syntax error. I log this query, Ctrl+C from log, Ctrl+V in
>
> SQL console and it works.
>
>
>
> Thanks,
>
> Best regards, WS
>
>
>
> W dniu 13.12.2016 o 18:30, Wojciech Staszewski pisze:
>
> > Thank you very much!
>
> > Regards,  WS
>
> >
>
> > Dnia poniedziałek, 12 grudnia 2016 21:45:00 CET Nicolas Rossi pisze:
>
> >> Hi, you have to add the association between Users and Groups. It's
>
> >> something like that:
>
> >>
>
> >> <association>
>
> >> <ref>ri:GroupObjectClass</ref>
>
> >> <kind>entitlement</kind>
>
> >> <intent>default</intent>
>
> >> <tolerant>false</tolerant>
>
> >> <direction>subjectToObject</direction>
>
> >> <associationAttribute>ri:groups</associationAttribute>
>
> >> <valueAttribute>icfs:uid</valueAttribute>
>
> >> <shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute>
>
> >> <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
>
> >> </association>
>
> >>
>
> >> You can find more information about the association and the tolerant
>
> >> parameter here:
>
> >>
> https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition
>
> >>
>
> >> Inside your Update script the operation should be ADD_ATTRIBUTE_VALUE
> for
>
> >> objectClass __ACCOUNT__ and the attribute received should be "groups":
>
> >>
>
> >>     case "ADD_ATTRIBUTE_VALUES":
>
> >>
>
> >>         if(objectClass == "__ACCOUNT__")
>
> >>         {
>
> >>             for(String group : attributes.get("groups"))
>
> >>             {
>
> >>                 def existingEntitlement = sql.rows("SELECT 1 FROM
>
> >> UserGroups WHERE user_id=? AND group_id=?",[uid as String, group as
>
> >> String]);
>
> >>                 if(existingEntitlement.isEmpty())
>
> >>                 {
>
> >>                     log.info("Sample - Adding entitlement ${group} to
> user
>
> >> ${uid}");
>
> >>                     sql.execute("insert into UserGroups (user_id,
> group_id)
>
> >> values (" + uid + "," + group + ")");
>
> >>                 }
>
> >>                 else
>
> >>                 {
>
> >>                     log.info("Sample - Skipping assignment because user
>
> >> ${uid} already has group ${group}");
>
> >>                 }
>
> >>             }
>
> >>         }
>
> >>
>
> >> You should also handle the REMOVE_ATTRIBUTE_VALUES with the same logic.
>
> >> Radovan and Ivan have helped us few weeks ago with the ScriptedSQL
>
> >> resource. You can find the conversation in the mailing list. I am sure
> it
>
> >> will help you too.
>
> >>
>
> >> Regards,
>
> >>
>
> >>
>
> >>
>
> >>
>
> >>
>
> >> Ing Nicolás Rossi
>
> >> Identicum S.A.
>
> >> Jorge Newbery 3226
>
> >> Tel: +54 (11) 4552-3050
>
> >> www.identicum.com
>
> >>
>
> >> On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
>
> >> wojciech.staszewski at diagnostyka.pl> wrote:
>
> >>
>
> >>> Hello,
>
> >>>
>
> >>> I'm playing with ScriptedSQL resource, based on Evolveum example from
>
> >>> Github.
>
> >>> I'm able to list/add/remove users/groups and enable/disable accounts.
>
> >>> Great.
>
> >>> But now I want to apply an assignment (a group) to user. Unfortunately
>
> >>> "Update_Script.groovy" is incomplete,
>
> >>> ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
>
> >>> Where can I find some examples?
>
> >>>
>
> >>> Thanks a lot!
>
> >>> WS
>
> >>> _______________________________________________
>
> >>> midPoint mailing list
>
> >>> midPoint at lists.evolveum.com
>
> >>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> >>>
>
> >>
>
> >
>
> >
>
> _______________________________________________
>
> midPoint mailing list
>
> midPoint at lists.evolveum.com
>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161215/0da96fd7/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Thu Dec 15 09:15:09 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Thu, 15 Dec 2016 09:15:09 +0100
Subject: [midPoint] ScriptedSQL - add/remove entitlements
In-Reply-To: <CAAxX8chmZ7cvvgfsqoOZxpJ9eLvG27Q7-+egViWdGArwbrGW7g@mail.gmail.com>
References: <3062999.LUnh5BE5GU@skygge-pc>
 <CAAxX8cjpmjbCkT6+T9ZGeSAHFRGunuz7HSU0JttpPdb7AWcfWQ@mail.gmail.com>
 <5203676.ZCdp2b7rXk@skygge-pc>
 <9ced65c8-bcd7-b237-aeaf-3cf8dd024f43@diagnostyka.pl>
 <CAAxX8chmZ7cvvgfsqoOZxpJ9eLvG27Q7-+egViWdGArwbrGW7g@mail.gmail.com>
Message-ID: <9d0986af-8cd3-c1eb-a956-1df0c49de3c7@diagnostyka.pl>

I've done it with joins instead "where .. and .. and", and it works, but
now I my account appears multiple times on the resource (the number of
accounts = the number of groups). This is definitely not a simple thing
and the documentation is weak. :(

W dniu 15.12.2016 o 02:34, Nicolas Rossi pisze:
> The Search script should return the ID, Name and Members of the group.
> It doesn't matter if you use 1, 2 or more queries but you should return
> an array with one row for each group where the members attribute is an
> array too. 
> 
> Can you copy the sql error of the query with the where filter?
> 
> Regards,
> 
> 
> Nicolás 
> 
> 
> El El mié, 14 de dic. de 2016 a las 09:12, Wojciech Staszewski
> <wojciech.staszewski at diagnostyka.pl
> <mailto:wojciech.staszewski at diagnostyka.pl>> escribió:
> 
>     Just 4 more questions.
> 
> 
> 
>     I have a little trouble with search script.
> 
> 
> 
>     1. Searching associated groups: can it be in a separate sql query in
> 
>     __ACCOUNT__ case?
> 
>     2. It must return: "__UID__", "__NAME__" and "groups" attributes, right?
> 
>     (the list of groups)
> 
>     3. Or it must be one single guery returning all attributes including
> 
>     group membership? But then it will return more than one row...
> 
> 
> 
>     4. How to construct the SQL query using "where" template?
> 
>     I tried to put something like this:
> 
> 
> 
>     "select g.name <http://g.name> as name, u.alias from users_groups
>     ug, usrgrp g, users u"
> 
>     + where + " AND g.usrgrpid = ug.usrgrpid and u.userid = ug.userid"
> 
> 
> 
>     (msg:Search WHERE clause is:  WHERE u.userid = 1)
> 
> 
> 
>     But i got SQL syntax error. I log this query, Ctrl+C from log, Ctrl+V in
> 
>     SQL console and it works.
> 
> 
> 
>     Thanks,
> 
>     Best regards, WS
> 
> 
> 
>     W dniu 13.12.2016 o 18:30, Wojciech Staszewski pisze:
> 
>     > Thank you very much!
> 
>     > Regards,  WS
> 
>     >
> 
>     > Dnia poniedziałek, 12 grudnia 2016 21:45:00 CET Nicolas Rossi pisze:
> 
>     >> Hi, you have to add the association between Users and Groups. It's
> 
>     >> something like that:
> 
>     >>
> 
>     >> <association>
> 
>     >> <ref>ri:GroupObjectClass</ref>
> 
>     >> <kind>entitlement</kind>
> 
>     >> <intent>default</intent>
> 
>     >> <tolerant>false</tolerant>
> 
>     >> <direction>subjectToObject</direction>
> 
>     >> <associationAttribute>ri:groups</associationAttribute>
> 
>     >> <valueAttribute>icfs:uid</valueAttribute>
> 
>     >>
>     <shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute>
> 
>     >> <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
> 
>     >> </association>
> 
>     >>
> 
>     >> You can find more information about the association and the tolerant
> 
>     >> parameter here:
> 
>     >>
>     https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition
> 
>     >>
> 
>     >> Inside your Update script the operation should be
>     ADD_ATTRIBUTE_VALUE for
> 
>     >> objectClass __ACCOUNT__ and the attribute received should be
>     "groups":
> 
>     >>
> 
>     >>     case "ADD_ATTRIBUTE_VALUES":
> 
>     >>
> 
>     >>         if(objectClass == "__ACCOUNT__")
> 
>     >>         {
> 
>     >>             for(String group : attributes.get("groups"))
> 
>     >>             {
> 
>     >>                 def existingEntitlement = sql.rows("SELECT 1 FROM
> 
>     >> UserGroups WHERE user_id=? AND group_id=?",[uid as String, group as
> 
>     >> String]);
> 
>     >>                 if(existingEntitlement.isEmpty())
> 
>     >>                 {
> 
>     >>                     log.info <http://log.info>("Sample - Adding
>     entitlement ${group} to user
> 
>     >> ${uid}");
> 
>     >>                     sql.execute("insert into UserGroups (user_id,
>     group_id)
> 
>     >> values (" + uid + "," + group + ")");
> 
>     >>                 }
> 
>     >>                 else
> 
>     >>                 {
> 
>     >>                     log.info <http://log.info>("Sample - Skipping
>     assignment because user
> 
>     >> ${uid} already has group ${group}");
> 
>     >>                 }
> 
>     >>             }
> 
>     >>         }
> 
>     >>
> 
>     >> You should also handle the REMOVE_ATTRIBUTE_VALUES with the same
>     logic.
> 
>     >> Radovan and Ivan have helped us few weeks ago with the ScriptedSQL
> 
>     >> resource. You can find the conversation in the mailing list. I am
>     sure it
> 
>     >> will help you too.
> 
>     >>
> 
>     >> Regards,
> 
>     >>
> 
>     >>
> 
>     >>
> 
>     >>
> 
>     >>
> 
>     >> Ing Nicolás Rossi
> 
>     >> Identicum S.A.
> 
>     >> Jorge Newbery 3226
> 
>     >> Tel: +54 (11) 4552-3050
> 
>     >> www.identicum.com <http://www.identicum.com>
> 
>     >>
> 
>     >> On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
> 
>     >> wojciech.staszewski at diagnostyka.pl
>     <mailto:wojciech.staszewski at diagnostyka.pl>> wrote:
> 
>     >>
> 
>     >>> Hello,
> 
>     >>>
> 
>     >>> I'm playing with ScriptedSQL resource, based on Evolveum example
>     from
> 
>     >>> Github.
> 
>     >>> I'm able to list/add/remove users/groups and enable/disable
>     accounts.
> 
>     >>> Great.
> 
>     >>> But now I want to apply an assignment (a group) to user.
>     Unfortunately
> 
>     >>> "Update_Script.groovy" is incomplete,
> 
>     >>> ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
> 
>     >>> Where can I find some examples?
> 
>     >>>
> 
>     >>> Thanks a lot!
> 
>     >>> WS
> 
>     >>> _______________________________________________
> 
>     >>> midPoint mailing list
> 
>     >>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> 
>     >>> http://lists.evolveum.com/mailman/listinfo/midpoint
> 
>     >>>
> 
>     >>
> 
>     >
> 
>     >
> 
>     _______________________________________________
> 
>     midPoint mailing list
> 
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> 
>     http://lists.evolveum.com/mailman/listinfo/midpoint
> 
> 
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> 

-- 
Wojciech Staszewski
Administrator Systemów Sieciowych
tel. kom: 663 680 236
www.diagnostyka.pl
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie,
XI Wydział Gospodarczy KRS)
NIP: 675-12-65-009; REGON: 356366975
Kapitał zakładowy: 33 756 500 zł.

Pomyśl o środowisku zanim wydrukujesz ten e-mail.


From nrossi at identicum.com  Thu Dec 15 13:43:27 2016
From: nrossi at identicum.com (Nicolas Rossi)
Date: Thu, 15 Dec 2016 09:43:27 -0300
Subject: [midPoint] ScriptedSQL - add/remove entitlements
In-Reply-To: <9d0986af-8cd3-c1eb-a956-1df0c49de3c7@diagnostyka.pl>
References: <3062999.LUnh5BE5GU@skygge-pc>
 <CAAxX8cjpmjbCkT6+T9ZGeSAHFRGunuz7HSU0JttpPdb7AWcfWQ@mail.gmail.com>
 <5203676.ZCdp2b7rXk@skygge-pc>
 <9ced65c8-bcd7-b237-aeaf-3cf8dd024f43@diagnostyka.pl>
 <CAAxX8chmZ7cvvgfsqoOZxpJ9eLvG27Q7-+egViWdGArwbrGW7g@mail.gmail.com>
 <9d0986af-8cd3-c1eb-a956-1df0c49de3c7@diagnostyka.pl>
Message-ID: <CAAxX8cjb8jimz9dvWQVcXA0FNZ29t2Hn0WGJrd2XopO9e+sk5w@mail.gmail.com>

Can you share with us the create and update scripts ?

Regards



Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Thu, Dec 15, 2016 at 5:15 AM, Wojciech Staszewski <
wojciech.staszewski at diagnostyka.pl> wrote:

> I've done it with joins instead "where .. and .. and", and it works, but
> now I my account appears multiple times on the resource (the number of
> accounts = the number of groups). This is definitely not a simple thing
> and the documentation is weak. :(
>
> W dniu 15.12.2016 o 02:34, Nicolas Rossi pisze:
> > The Search script should return the ID, Name and Members of the group.
> > It doesn't matter if you use 1, 2 or more queries but you should return
> > an array with one row for each group where the members attribute is an
> > array too.
> >
> > Can you copy the sql error of the query with the where filter?
> >
> > Regards,
> >
> >
> > Nicolás
> >
> >
> > El El mié, 14 de dic. de 2016 a las 09:12, Wojciech Staszewski
> > <wojciech.staszewski at diagnostyka.pl
> > <mailto:wojciech.staszewski at diagnostyka.pl>> escribió:
> >
> >     Just 4 more questions.
> >
> >
> >
> >     I have a little trouble with search script.
> >
> >
> >
> >     1. Searching associated groups: can it be in a separate sql query in
> >
> >     __ACCOUNT__ case?
> >
> >     2. It must return: "__UID__", "__NAME__" and "groups" attributes,
> right?
> >
> >     (the list of groups)
> >
> >     3. Or it must be one single guery returning all attributes including
> >
> >     group membership? But then it will return more than one row...
> >
> >
> >
> >     4. How to construct the SQL query using "where" template?
> >
> >     I tried to put something like this:
> >
> >
> >
> >     "select g.name <http://g.name> as name, u.alias from users_groups
> >     ug, usrgrp g, users u"
> >
> >     + where + " AND g.usrgrpid = ug.usrgrpid and u.userid = ug.userid"
> >
> >
> >
> >     (msg:Search WHERE clause is:  WHERE u.userid = 1)
> >
> >
> >
> >     But i got SQL syntax error. I log this query, Ctrl+C from log,
> Ctrl+V in
> >
> >     SQL console and it works.
> >
> >
> >
> >     Thanks,
> >
> >     Best regards, WS
> >
> >
> >
> >     W dniu 13.12.2016 o 18:30, Wojciech Staszewski pisze:
> >
> >     > Thank you very much!
> >
> >     > Regards,  WS
> >
> >     >
> >
> >     > Dnia poniedziałek, 12 grudnia 2016 21:45:00 CET Nicolas Rossi
> pisze:
> >
> >     >> Hi, you have to add the association between Users and Groups. It's
> >
> >     >> something like that:
> >
> >     >>
> >
> >     >> <association>
> >
> >     >> <ref>ri:GroupObjectClass</ref>
> >
> >     >> <kind>entitlement</kind>
> >
> >     >> <intent>default</intent>
> >
> >     >> <tolerant>false</tolerant>
> >
> >     >> <direction>subjectToObject</direction>
> >
> >     >> <associationAttribute>ri:groups</associationAttribute>
> >
> >     >> <valueAttribute>icfs:uid</valueAttribute>
> >
> >     >>
> >     <shortcutAssociationAttribute>ri:members</
> shortcutAssociationAttribute>
> >
> >     >> <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
> >
> >     >> </association>
> >
> >     >>
> >
> >     >> You can find more information about the association and the
> tolerant
> >
> >     >> parameter here:
> >
> >     >>
> >     https://wiki.evolveum.com/display/midPoint/Entitlements#
> Entitlements-AssociationDefinition
> >
> >     >>
> >
> >     >> Inside your Update script the operation should be
> >     ADD_ATTRIBUTE_VALUE for
> >
> >     >> objectClass __ACCOUNT__ and the attribute received should be
> >     "groups":
> >
> >     >>
> >
> >     >>     case "ADD_ATTRIBUTE_VALUES":
> >
> >     >>
> >
> >     >>         if(objectClass == "__ACCOUNT__")
> >
> >     >>         {
> >
> >     >>             for(String group : attributes.get("groups"))
> >
> >     >>             {
> >
> >     >>                 def existingEntitlement = sql.rows("SELECT 1 FROM
> >
> >     >> UserGroups WHERE user_id=? AND group_id=?",[uid as String, group
> as
> >
> >     >> String]);
> >
> >     >>                 if(existingEntitlement.isEmpty())
> >
> >     >>                 {
> >
> >     >>                     log.info <http://log.info>("Sample - Adding
> >     entitlement ${group} to user
> >
> >     >> ${uid}");
> >
> >     >>                     sql.execute("insert into UserGroups (user_id,
> >     group_id)
> >
> >     >> values (" + uid + "," + group + ")");
> >
> >     >>                 }
> >
> >     >>                 else
> >
> >     >>                 {
> >
> >     >>                     log.info <http://log.info>("Sample - Skipping
> >     assignment because user
> >
> >     >> ${uid} already has group ${group}");
> >
> >     >>                 }
> >
> >     >>             }
> >
> >     >>         }
> >
> >     >>
> >
> >     >> You should also handle the REMOVE_ATTRIBUTE_VALUES with the same
> >     logic.
> >
> >     >> Radovan and Ivan have helped us few weeks ago with the ScriptedSQL
> >
> >     >> resource. You can find the conversation in the mailing list. I am
> >     sure it
> >
> >     >> will help you too.
> >
> >     >>
> >
> >     >> Regards,
> >
> >     >>
> >
> >     >>
> >
> >     >>
> >
> >     >>
> >
> >     >>
> >
> >     >> Ing Nicolás Rossi
> >
> >     >> Identicum S.A.
> >
> >     >> Jorge Newbery 3226
> >
> >     >> Tel: +54 (11) 4552-3050
> >
> >     >> www.identicum.com <http://www.identicum.com>
> >
> >     >>
> >
> >     >> On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
> >
> >     >> wojciech.staszewski at diagnostyka.pl
> >     <mailto:wojciech.staszewski at diagnostyka.pl>> wrote:
> >
> >     >>
> >
> >     >>> Hello,
> >
> >     >>>
> >
> >     >>> I'm playing with ScriptedSQL resource, based on Evolveum example
> >     from
> >
> >     >>> Github.
> >
> >     >>> I'm able to list/add/remove users/groups and enable/disable
> >     accounts.
> >
> >     >>> Great.
> >
> >     >>> But now I want to apply an assignment (a group) to user.
> >     Unfortunately
> >
> >     >>> "Update_Script.groovy" is incomplete,
> >
> >     >>> ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
> >
> >     >>> Where can I find some examples?
> >
> >     >>>
> >
> >     >>> Thanks a lot!
> >
> >     >>> WS
> >
> >     >>> _______________________________________________
> >
> >     >>> midPoint mailing list
> >
> >     >>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> >
> >     >>> http://lists.evolveum.com/mailman/listinfo/midpoint
> >
> >     >>>
> >
> >     >>
> >
> >     >
> >
> >     >
> >
> >     _______________________________________________
> >
> >     midPoint mailing list
> >
> >     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> >
> >     http://lists.evolveum.com/mailman/listinfo/midpoint
> >
> >
> >
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
> >
>
> --
> Wojciech Staszewski
> Administrator Systemów Sieciowych
> tel. kom: 663 680 236
> www.diagnostyka.pl
> Diagnostyka Sp. z o. o.
> ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
> Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie,
> XI Wydział Gospodarczy KRS)
> NIP: 675-12-65-009; REGON: 356366975
> Kapitał zakładowy: 33 756 500 zł.
>
> Pomyśl o środowisku zanim wydrukujesz ten e-mail.
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161215/2607c773/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Thu Dec 15 15:15:29 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Thu, 15 Dec 2016 15:15:29 +0100
Subject: [midPoint] ScriptedSQL - add/remove entitlements
In-Reply-To: <CAAxX8cjb8jimz9dvWQVcXA0FNZ29t2Hn0WGJrd2XopO9e+sk5w@mail.gmail.com>
References: <3062999.LUnh5BE5GU@skygge-pc>
 <CAAxX8cjpmjbCkT6+T9ZGeSAHFRGunuz7HSU0JttpPdb7AWcfWQ@mail.gmail.com>
 <5203676.ZCdp2b7rXk@skygge-pc>
 <9ced65c8-bcd7-b237-aeaf-3cf8dd024f43@diagnostyka.pl>
 <CAAxX8chmZ7cvvgfsqoOZxpJ9eLvG27Q7-+egViWdGArwbrGW7g@mail.gmail.com>
 <9d0986af-8cd3-c1eb-a956-1df0c49de3c7@diagnostyka.pl>
 <CAAxX8cjb8jimz9dvWQVcXA0FNZ29t2Hn0WGJrd2XopO9e+sk5w@mail.gmail.com>
Message-ID: <204d9146-efd1-8c28-39ec-88240943bba2@diagnostyka.pl>

OK.

It is a very simple system, all stuff is in 3 database tables:

- User table: "users",
- Group table: "usrgrp",
- A table that binds users with groups: "users_groups". It has 3
columns: id, userid and usrgrpid.

User has attributes: __UID__ (db:userid),__NAME__ (db:alias), firstname
(db:name), surname(db:surname), __ENABLE__.

Group has attributes: __UID__ (db:usrgrpid), __NAME__ (db:name).

The users and usrgrp tables have some other columns, I don't need to touch them.

If I understand, adding an entitlement (a group membeship) is made by
"groups" attribute of __ACCOUNT__ and "members" attribute of __GROUP__.

These are multivalued attributes as the user can be a member of
multiple groups, and the group can have multiple members.

###################################
CREATE script:
###################################
import groovy.sql.Sql;
import groovy.sql.DataSet;
import org.identityconnectors.common.security.GuardedString;
import org.identityconnectors.common.security.SecurityUtil;
import java.security.MessageDigest

log.info("Entering "+action+" Script");
def sql = new Sql(connection);
String newUid; //Create must return UID.

switch ( objectClass ) {
    case "__ACCOUNT__":

// MAIL is in separate table "media", column "mediaid" is required, but is not autoincrement, so we have to calculate next value.
// USER is in table "users", column "userid" is required, but is not autoincrement, so we have to calculate next value.

    def nextuserid = sql.firstRow("select ifnull((select userid+1 from users order by userid desc limit 1),1) as userid").userid;
    def nextmediaid = sql.firstRow("select ifnull((select mediaid+1 from media order by mediaid desc limit 1),1) as mediaid").mediaid;

// Password MD5 hashing
    def digest = MessageDigest.getInstance("MD5")
    def clearpass = SecurityUtil.decrypt(attributes?.get("__PASSWORD__")?.get(0)).toString()
    def md5pass = new BigInteger(1,digest.digest(clearpass.getBytes())).toString(16).padLeft(32,"0")

    def keys = sql.executeInsert("INSERT INTO users (userid, alias, name,surname,passwd,url,autologin,autologout,lang,refresh,type,theme,rows_per_page) values (?,?,?,?,?,?,?,?,?,?,?,?,?)",
        [
            nextuserid,
            id,
            attributes?.get("firstname")?.get(0),
            attributes?.get("surname")?.get(0),
            // MD5 passwd
            md5pass,
            "zabbix.php?action=dashboard.view",
            1,
            0,
            "pl_PL",
            120,
            2,
            "default",
            100
        ])
        //newUid = keys[0][0];
        newUid = nextuserid;

    def keys1 = sql.executeInsert("INSERT INTO media (mediaid, userid, mediatypeid,sendto,active,severity,period) values (?,?,?,?,?,?,?)",
        [
            nextmediaid,
            nextuserid,
            1,
            attributes?.get("email")?.get(0),
            // negate __ENABLE__ attribute
            !(attributes?.get("__ENABLE__")?.get(0) as Boolean),
            48,
            "1-7,00:00-24:00"
        ])

    break

    case "Group":

    // Groups are in "usrgrp" table, column "usrgrpid" is required, but is not autoincrement, so we have to calculate next value.
    def nextgrpid = sql.firstRow("select ifnull((select usrgrpid+1 from usrgrp order by usrgrpid desc limit 1),1) as userid").usrgrpid;
    def keys = sql.executeInsert("INSERT INTO usrgrp (usrgrpid,name,gui_access,user_status,debug_mode) values (?,?,?,?,?)",
        [
            nextgrpid,
            id,
            0,
            0,
            0
        ])
        //newUid = keys[0][0];
        newUid = nextgrpid;
    break

    // Don't care about organizations at the moment...
    case "Organization":
    def keys = sql.executeInsert("INSERT INTO Organizations (name,description) values (?,?)",
        [
            id,
            attributes?.get("description")?.get(0)
        ])
        newUid = keys[0][0];
    break
}
return newUid;

###################################
UPDATE script is totaly incomplete
###################################
import groovy.sql.Sql;
import groovy.sql.DataSet;
import org.identityconnectors.common.security.GuardedString;
import org.identityconnectors.common.security.SecurityUtil;
import java.security.MessageDigest

log.info("Entering "+action+" Script");
def sql = new Sql(connection);
def doCommit = false;
def preparedStatementPrefixAccounts = "UPDATE users SET ";
def preparedStatementPrefixGroups = "UPDATE usrgrp SET ";
def preparedStatementPrefixOrganizations = "UPDATE Organizations SET ";
def preparedStatementAttributes = "";
def preparedStatementAttributesList = [];
def preparedStatementColumns = [];
def accountAttrNames = ["__NAME__", "firstname", "surname", "email", "__PASSWORD__", "__ENABLE__", "groups" ];
def groupAttrNames = ["__NAME__", "members" ];
def orgAttrNames = ["__NAME__", "description" ];

switch ( action ) {
    case "UPDATE":
    switch ( objectClass ) {
        case "__ACCOUNT__":
        for (attr in accountAttrNames) {
            if (attributes.get(attr) != null) {
//log.info("XXXX Processing attribute: " + attr + "=" + attributes.get(attr));
                switch (attr) {
                    case "__NAME__":
                        // __NAME__ corresponds to "alias" column
                        preparedStatementAttributesList.add("alias" + " = ?");
                        preparedStatementColumns.add(attributes.get(attr)?.find { true });
                        break;
                    case "__ENABLE__":
                        // Disabling users by adding him to group having "1" in column "user_status".
                        // By default this group is called "Disabled" but it may have any name.
                        def disabledgroup = "Disabled";
                        // We have to find usrgrpid "Disabled" group.
                        def disabledgroupid = sql.firstRow("select usrgrpid from usrgrp where name = ?",[disabledgroup]).usrgrpid as Integer;
                        // isdisabled: 0 - enabled, 1 - disabled
                        def isdisabled = !(attributes.get(attr)?.find { true }) as Boolean;
                        if (isdisabled == true){
                           // generate new id, as id column is not autoincrement
                           def nextid = sql.firstRow("select ifnull((select id+1 from users_groups order by id desc limit 1),1) as id").id as Integer;
                           // Add user to Disabled group
                           sql.execute("INSERT INTO users_groups (id,usrgrpid,userid) VALUES (?,?,?)",[nextid,disabledgroupid,uid])
                        } else {
                           // Remove user from disabled group
                           sql.execute("DELETE FROM users_groups WHERE usrgrpid = ? and userid = ?",[disabledgroupid,uid])
                        }

                        break;
                    case "__PASSWORD__":
                        // Read plain text password, generate MD5 hash
                        def digest = MessageDigest.getInstance("MD5")
                        def clearpass = SecurityUtil.decrypt(attributes?.get("__PASSWORD__")?.get(0)).toString()
                        def md5pass = new BigInteger(1,digest.digest(clearpass.getBytes())).toString(16).padLeft(32,"0")
                        // __PASSWORD__ corresponds to (MD5) "passwd" column
                        preparedStatementAttributesList.add("passwd" + " = ?");
                        preparedStatementColumns.add(md5pass);
                        break;
                    default:
                        // all other attributes
                        preparedStatementAttributesList.add(attr + " = ?");
                        preparedStatementColumns.add(attributes.get(attr)?.find { true });
                }
            }
        }
        preparedStatementAttributes = preparedStatementAttributesList.join(',');

        if (preparedStatementAttributes != "") {
            preparedStatementColumns.add(uid as Integer);
        //    log.info("XXXXXXXXXXXX" + preparedStatementPrefixAccounts + preparedStatementAttributes + " WHERE id = ?", preparedStatementColumns);
            sql.executeUpdate(preparedStatementPrefixAccounts + preparedStatementAttributes + " WHERE userid = ?", preparedStatementColumns);
            doCommit = true;
        }

        //if (doCommit) {
        //      sql.commit();
        //}
        break

        case "Group":

        for (attr in groupAttrNames) {
            if (attributes.get(attr) != null) {
                preparedStatementAttributesList.add((attr == '__NAME__' ? "name" : attr) + " = ?");
                preparedStatementColumns.add(attributes.get(attr)?.find { true });
            }
        }
        preparedStatementAttributes = preparedStatementAttributesList.join(',');

        if (preparedStatementAttributes != "") {
            preparedStatementColumns.add(uid as Integer);
            sql.executeUpdate(preparedStatementPrefixGroups + preparedStatementAttributes + " WHERE usrgrpid = ?", preparedStatementColumns);
            doCommit = true;
        }
        //sql.commit();
        break

        case "Organization":

        for (attr in orgAttrNames) {
            if (attributes.get(attr) != null) {
                preparedStatementAttributesList.add((attr == '__NAME__' ? "name" : attr) + " = ?");
                preparedStatementColumns.add(attributes.get(attr)?.find { true });
            }
        }
        preparedStatementAttributes = preparedStatementAttributesList.join(',');

        if (preparedStatementAttributes != "") {
            preparedStatementColumns.add(uid as Integer);
            sql.executeUpdate(preparedStatementPrefixOrganizations + preparedStatementAttributes + " WHERE id = ?", preparedStatementColumns);
            doCommit = true;
        }
        //sql.commit();
        break

        default:
        uid;
    }
    break

    case "ADD_ATTRIBUTE_VALUES":

        if(objectClass == "__ACCOUNT__")
        {
            for(String group : attributes.get("groups"))
            {
                def existingEntitlement = sql.rows("SELECT 1 FROM users_groups WHERE userid=? AND usrgrpid=?",[uid as String, group as String]);
                if(existingEntitlement.isEmpty())
                {
                    log.info("Sample - Adding entitlement ${group} to user ${uid}");
                    def nextid = sql.firstRow("select ifnull((select id+1 from users_groups order by id desc limit 1),1) as id").id as Integer;
                    sql.execute("insert into users_groups (id, userid, usrgrpid) values (" + nextid + "," + uid + "," + group + ")");
                }
                else
                {
                    log.info("Sample - Skipping assignment because user ${uid} already has group ${group}");
                }
            }
        }

    case "REMOVE_ATTRIBUTE_VALUES":
	//todo
    break

    default:
    uid
}

W dniu 15.12.2016 o 13:43, Nicolas Rossi pisze:
> Can you share with us the create and update scripts ?
> 
> Regards
> 
> 
> 
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com <http://www.identicum.com>
> 
> On Thu, Dec 15, 2016 at 5:15 AM, Wojciech Staszewski
> <wojciech.staszewski at diagnostyka.pl
> <mailto:wojciech.staszewski at diagnostyka.pl>> wrote:
> 
>     I've done it with joins instead "where .. and .. and", and it works, but
>     now I my account appears multiple times on the resource (the number of
>     accounts = the number of groups). This is definitely not a simple thing
>     and the documentation is weak. :(
> 
>     W dniu 15.12.2016 o 02:34, Nicolas Rossi pisze:
>     > The Search script should return the ID, Name and Members of the group.
>     > It doesn't matter if you use 1, 2 or more queries but you should return
>     > an array with one row for each group where the members attribute is an
>     > array too.
>     >
>     > Can you copy the sql error of the query with the where filter?
>     >
>     > Regards,
>     >
>     >
>     > Nicolás
>     >
>     >
>     > El El mié, 14 de dic. de 2016 a las 09:12, Wojciech Staszewski
>     > <wojciech.staszewski at diagnostyka.pl
>     <mailto:wojciech.staszewski at diagnostyka.pl>
>     > <mailto:wojciech.staszewski at diagnostyka.pl
>     <mailto:wojciech.staszewski at diagnostyka.pl>>> escribió:
>     >
>     >     Just 4 more questions.
>     >
>     >
>     >
>     >     I have a little trouble with search script.
>     >
>     >
>     >
>     >     1. Searching associated groups: can it be in a separate sql query in
>     >
>     >     __ACCOUNT__ case?
>     >
>     >     2. It must return: "__UID__", "__NAME__" and "groups" attributes, right?
>     >
>     >     (the list of groups)
>     >
>     >     3. Or it must be one single guery returning all attributes including
>     >
>     >     group membership? But then it will return more than one row...
>     >
>     >
>     >
>     >     4. How to construct the SQL query using "where" template?
>     >
>     >     I tried to put something like this:
>     >
>     >
>     >
>     >     "select g.name <http://g.name> <http://g.name> as name,
>     u.alias from users_groups
>     >     ug, usrgrp g, users u"
>     >
>     >     + where + " AND g.usrgrpid = ug.usrgrpid and u.userid = ug.userid"
>     >
>     >
>     >
>     >     (msg:Search WHERE clause is:  WHERE u.userid = 1)
>     >
>     >
>     >
>     >     But i got SQL syntax error. I log this query, Ctrl+C from log,
>     Ctrl+V in
>     >
>     >     SQL console and it works.
>     >
>     >
>     >
>     >     Thanks,
>     >
>     >     Best regards, WS
>     >
>     >
>     >
>     >     W dniu 13.12.2016 o 18:30, Wojciech Staszewski pisze:
>     >
>     >     > Thank you very much!
>     >
>     >     > Regards,  WS
>     >
>     >     >
>     >
>     >     > Dnia poniedziałek, 12 grudnia 2016 21:45:00 CET Nicolas
>     Rossi pisze:
>     >
>     >     >> Hi, you have to add the association between Users and
>     Groups. It's
>     >
>     >     >> something like that:
>     >
>     >     >>
>     >
>     >     >> <association>
>     >
>     >     >> <ref>ri:GroupObjectClass</ref>
>     >
>     >     >> <kind>entitlement</kind>
>     >
>     >     >> <intent>default</intent>
>     >
>     >     >> <tolerant>false</tolerant>
>     >
>     >     >> <direction>subjectToObject</direction>
>     >
>     >     >> <associationAttribute>ri:groups</associationAttribute>
>     >
>     >     >> <valueAttribute>icfs:uid</valueAttribute>
>     >
>     >     >>
>     >   
>      <shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute>
>     >
>     >     >> <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
>     >
>     >     >> </association>
>     >
>     >     >>
>     >
>     >     >> You can find more information about the association and the
>     tolerant
>     >
>     >     >> parameter here:
>     >
>     >     >>
>     >   
>      https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition
>     <https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition>
>     >
>     >     >>
>     >
>     >     >> Inside your Update script the operation should be
>     >     ADD_ATTRIBUTE_VALUE for
>     >
>     >     >> objectClass __ACCOUNT__ and the attribute received should be
>     >     "groups":
>     >
>     >     >>
>     >
>     >     >>     case "ADD_ATTRIBUTE_VALUES":
>     >
>     >     >>
>     >
>     >     >>         if(objectClass == "__ACCOUNT__")
>     >
>     >     >>         {
>     >
>     >     >>             for(String group : attributes.get("groups"))
>     >
>     >     >>             {
>     >
>     >     >>                 def existingEntitlement = sql.rows("SELECT
>     1 FROM
>     >
>     >     >> UserGroups WHERE user_id=? AND group_id=?",[uid as String,
>     group as
>     >
>     >     >> String]);
>     >
>     >     >>                 if(existingEntitlement.isEmpty())
>     >
>     >     >>                 {
>     >
>     >     >>                     log.info <http://log.info>
>     <http://log.info>("Sample - Adding
>     >     entitlement ${group} to user
>     >
>     >     >> ${uid}");
>     >
>     >     >>                     sql.execute("insert into UserGroups (user_id,
>     >     group_id)
>     >
>     >     >> values (" + uid + "," + group + ")");
>     >
>     >     >>                 }
>     >
>     >     >>                 else
>     >
>     >     >>                 {
>     >
>     >     >>                     log.info <http://log.info>
>     <http://log.info>("Sample - Skipping
>     >     assignment because user
>     >
>     >     >> ${uid} already has group ${group}");
>     >
>     >     >>                 }
>     >
>     >     >>             }
>     >
>     >     >>         }
>     >
>     >     >>
>     >
>     >     >> You should also handle the REMOVE_ATTRIBUTE_VALUES with the same
>     >     logic.
>     >
>     >     >> Radovan and Ivan have helped us few weeks ago with the ScriptedSQL
>     >
>     >     >> resource. You can find the conversation in the mailing list. I am
>     >     sure it
>     >
>     >     >> will help you too.
>     >
>     >     >>
>     >
>     >     >> Regards,
>     >
>     >     >>
>     >
>     >     >>
>     >
>     >     >>
>     >
>     >     >>
>     >
>     >     >>
>     >
>     >     >> Ing Nicolás Rossi
>     >
>     >     >> Identicum S.A.
>     >
>     >     >> Jorge Newbery 3226
>     >
>     >     >> Tel: +54 (11) 4552-3050
>     >
>     >     >> www.identicum.com <http://www.identicum.com>
>     <http://www.identicum.com>
>     >
>     >     >>
>     >
>     >     >> On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
>     >
>     >     >> wojciech.staszewski at diagnostyka.pl
>     <mailto:wojciech.staszewski at diagnostyka.pl>
>     >     <mailto:wojciech.staszewski at diagnostyka.pl
>     <mailto:wojciech.staszewski at diagnostyka.pl>>> wrote:
>     >
>     >     >>
>     >
>     >     >>> Hello,
>     >
>     >     >>>
>     >
>     >     >>> I'm playing with ScriptedSQL resource, based on Evolveum example
>     >     from
>     >
>     >     >>> Github.
>     >
>     >     >>> I'm able to list/add/remove users/groups and enable/disable
>     >     accounts.
>     >
>     >     >>> Great.
>     >
>     >     >>> But now I want to apply an assignment (a group) to user.
>     >     Unfortunately
>     >
>     >     >>> "Update_Script.groovy" is incomplete,
>     >
>     >     >>> ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
>     >
>     >     >>> Where can I find some examples?
>     >
>     >     >>>
>     >
>     >     >>> Thanks a lot!
>     >
>     >     >>> WS
>     >
>     >     >>> _______________________________________________
>     >
>     >     >>> midPoint mailing list
>     >
>     >     >>> midPoint at lists.evolveum.com
>     <mailto:midPoint at lists.evolveum.com>
>     <mailto:midPoint at lists.evolveum.com
>     <mailto:midPoint at lists.evolveum.com>>
>     >
>     >     >>> http://lists.evolveum.com/mailman/listinfo/midpoint
>     <http://lists.evolveum.com/mailman/listinfo/midpoint>
>     >
>     >     >>>
>     >
>     >     >>
>     >
>     >     >
>     >
>     >     >
>     >
>     >     _______________________________________________
>     >
>     >     midPoint mailing list
>     >
>     >     midPoint at lists.evolveum.com
>     <mailto:midPoint at lists.evolveum.com>
>     <mailto:midPoint at lists.evolveum.com
>     <mailto:midPoint at lists.evolveum.com>>
>     >
>     >     http://lists.evolveum.com/mailman/listinfo/midpoint
>     <http://lists.evolveum.com/mailman/listinfo/midpoint>
>     >
>     >
>     >
>     > _______________________________________________
>     > midPoint mailing list
>     > midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     > http://lists.evolveum.com/mailman/listinfo/midpoint
>     <http://lists.evolveum.com/mailman/listinfo/midpoint>
>     >
> 
>     --
>     Wojciech Staszewski
>     Administrator Systemów Sieciowych
>     tel. kom: 663 680 236
>     www.diagnostyka.pl <http://www.diagnostyka.pl>
>     Diagnostyka Sp. z o. o.
>     ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
>     Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie,
>     XI Wydział Gospodarczy KRS)
>     NIP: 675-12-65-009; REGON: 356366975
>     Kapitał zakładowy: 33 756 500 zł.
> 
>     Pomyśl o środowisku zanim wydrukujesz ten e-mail.
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>     <http://lists.evolveum.com/mailman/listinfo/midpoint>
> 
> 
> 
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> 

-- 
Wojciech Staszewski
Administrator Systemów Sieciowych
tel. kom: 663 680 236
www.diagnostyka.pl
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie,
XI Wydział Gospodarczy KRS)
NIP: 675-12-65-009; REGON: 356366975
Kapitał zakładowy: 33 756 500 zł.

Pomyśl o środowisku zanim wydrukujesz ten e-mail.


From wojciech.staszewski at diagnostyka.pl  Thu Dec 15 21:01:49 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Thu, 15 Dec 2016 21:01:49 +0100
Subject: [midPoint] ScriptedSQL -Multivalued attributes (was: add/remove
	entitlements)
In-Reply-To: <CAAxX8cjpmjbCkT6+T9ZGeSAHFRGunuz7HSU0JttpPdb7AWcfWQ@mail.gmail.com>
References: <3062999.LUnh5BE5GU@skygge-pc>
 <CAAxX8cjpmjbCkT6+T9ZGeSAHFRGunuz7HSU0JttpPdb7AWcfWQ@mail.gmail.com>
Message-ID: <2649462.CX5iVHnTTu@skygge-pc>

Nevermind,
I just wanna know how to handle multivalued attributes, if I know this, the rest is relatively simple.
Search, insert, delete, update.
I found some messages from past years on this mailing list, but nothing valuable.
Please understand I'm not a programmer (except bash scripting). Until I met Midpoint I did not know that something like Groovy exists. :)
I ask for your indulgence.

Dnia poniedziałek, 12 grudnia 2016 21:45:00 CET Nicolas Rossi pisze:
> Hi, you have to add the association between Users and Groups. It's
> something like that:
> 
> <association>
> <ref>ri:GroupObjectClass</ref>
> <kind>entitlement</kind>
> <intent>default</intent>
> <tolerant>false</tolerant>
> <direction>subjectToObject</direction>
> <associationAttribute>ri:groups</associationAttribute>
> <valueAttribute>icfs:uid</valueAttribute>
> <shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute>
> <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
> </association>
> 
> You can find more information about the association and the tolerant
> parameter here:
> https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition
> 
> Inside your Update script the operation should be ADD_ATTRIBUTE_VALUE for
> objectClass __ACCOUNT__ and the attribute received should be "groups":
> 
>     case "ADD_ATTRIBUTE_VALUES":
> 
>         if(objectClass == "__ACCOUNT__")
>         {
>             for(String group : attributes.get("groups"))
>             {
>                 def existingEntitlement = sql.rows("SELECT 1 FROM
> UserGroups WHERE user_id=? AND group_id=?",[uid as String, group as
> String]);
>                 if(existingEntitlement.isEmpty())
>                 {
>                     log.info("Sample - Adding entitlement ${group} to user
> ${uid}");
>                     sql.execute("insert into UserGroups (user_id, group_id)
> values (" + uid + "," + group + ")");
>                 }
>                 else
>                 {
>                     log.info("Sample - Skipping assignment because user
> ${uid} already has group ${group}");
>                 }
>             }
>         }
> 
> You should also handle the REMOVE_ATTRIBUTE_VALUES with the same logic.
> Radovan and Ivan have helped us few weeks ago with the ScriptedSQL
> resource. You can find the conversation in the mailing list. I am sure it
> will help you too.
> 
> Regards,
> 
> 
> 
> 
> 
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
> 
> On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
> wojciech.staszewski at diagnostyka.pl> wrote:
> 
> > Hello,
> >
> > I'm playing with ScriptedSQL resource, based on Evolveum example from
> > Github.
> > I'm able to list/add/remove users/groups and enable/disable accounts.
> > Great.
> > But now I want to apply an assignment (a group) to user. Unfortunately
> > "Update_Script.groovy" is incomplete,
> > ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
> > Where can I find some examples?
> >
> > Thanks a lot!
> > WS
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
> >
> 


From aivo.kuhlberg at rmit.ee  Fri Dec 16 07:55:58 2016
From: aivo.kuhlberg at rmit.ee (Aivo Kuhlberg)
Date: Fri, 16 Dec 2016 06:55:58 +0000
Subject: [midPoint] Managing projects and premissions with midPoint
Message-ID: <1481871353552.37697@rmit.ee>

Hi,
I am planning to manage database tables data with ScriptedSQL connector. This database has users (table USERS), projects (table USER_PROJECTS) and permissions (table PROJECT_PERM). Before I start to set up connector I would like to know how should I manage these structures in midPoint? My current idea is to map users to midpoint users, projects to midPoint roles but what about project permissions? Should I map them to roles too or is there better way how to manage them?

Thanks,
Aivo Kuhlberg

________________________________
Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks tunnistatud teavet.
This e-mail may contain information which is classified for official use.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161216/6dbcf99b/attachment.htm>

From carlos18619 at gmail.com  Fri Dec 16 16:19:28 2016
From: carlos18619 at gmail.com (Carlos Ferreira)
Date: Fri, 16 Dec 2016 13:19:28 -0200
Subject: [midPoint] Provisioning a demo/sample application
In-Reply-To: <CABCx=MC7qG+GjNrubeaFrxV=UeByqLj5nGqDwpBZ-3_s2roGbQ@mail.gmail.com>
References: <CABCx=MC7qG+GjNrubeaFrxV=UeByqLj5nGqDwpBZ-3_s2roGbQ@mail.gmail.com>
Message-ID: <CAJHEg64UCdRQ=eQ35ZWWsa087deWuGmhAwaqkPFtCWrosvZpHw@mail.gmail.com>

Hi Aaron,


I think a good start is to study and understand everthing that is
configured in the Midpoint Demo application: https://demo.evolveum.com/
midpoint. At least, it worked for me.

When logged in the application:

1. try to see how the resources where configured (option
configuration->repository objects (left side menu) -> resources (combo in
the top right of page);

2. Explore the LDAP Server (OpenLDAP) over new LDAPConn. resource. Pay
attention to the snippet:

         <association>
            <c:ref>ri:ldapGroups</c:ref>
            <displayName>Group Membership</displayName>
            <matchingRule
xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
            <tolerant>true</tolerant>
            <kind>entitlement</kind>
            <intent>group</intent>
            <intent>ldapProject</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>

<explicitReferentialIntegrity>true</explicitReferentialIntegrity>
         </association>

It tells us how to deal with role association in the ldap structure;

3. Also see (in the same combo) the configuration of the role LDAP Projects
MetaRole. There you will see how the association is managed by the role
definition.


4. Here (in the resource definition) is the code where Midpoint deals with
nested organizations:

   <schemaHandling>
      <objectType>
         <kind>generic</kind>
         <intent>ou</intent>
         <displayName>Organizational Unit</displayName>
         <objectClass>ri:organizationalUnit</objectClass>
         <attribute>
            <c:ref>ri:dn</c:ref>
            <matchingRule
xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
            <outbound>
               <source>
                  <c:path>$focus/name</c:path>
               </source>
               <expression>
                  <script>
                     <code>

                                import javax.naming.ldap.Rdn
                                import javax.naming.ldap.LdapName
                                import
com.evolveum.midpoint.xml.ns._public.common.common_3.*;

                                dn = new
LdapName('ou=Orgs,dc=example,dc=com')
                                parents = new ArrayList()
                                currentOrg = focus
                                while (currentOrg != null) {
                                parents.add(currentOrg)
                                // see
com.evolveum.midpoint.model.impl.expr.MidpointFunctionsImpl
                                currentOrg =
midpoint.getParentOrgByOrgType(currentOrg, 'functional')
                                }

                                log.info("parents = {}", parents)

                               for (int i = parents.size() -1 ; i &gt;= 0;
i--) {
                                dn.add(new Rdn('ou',
parents.get(i).name.toString()))
                                }                                currentOrg
= focus
                                while (currentOrg != null) {
                                parents.add(currentOrg)
                                // see
com.evolveum.midpoint.model.impl.expr.MidpointFunctionsImpl
                                currentOrg =
midpoint.getParentOrgByOrgType(currentOrg, 'functional')
                                }

                                log.info("parents = {}", parents)


                                log.info("dn = {}", dn)

                                return dn.toString();

                            </code>
                  </script>
               </expression>
            </outbound>
         </attribute>
         <attribute>
            <c:ref>ri:ou</c:ref>
            <matchingRule xmlns:mr="
http://prism.evolveum.com/xml/ns/public/matching-rule-3
">mr:stringIgnoreCase</matchingRule>
         </attribute>
      </objectType>


I hope it may help you.


Carlos

2016-12-14 23:29 GMT-02:00 Aaron Hiniker <hindog at gmail.com>:

> Hi,
>
> I have OpenDJ running and midpoint running on a mysql store and now I want
> to configure a sample application.  I see many different configuration
> files included in the distribution, but it’s very confusing to understand
> what exactly I need to do and which ones to include.  For example, there is
> ldap-deeply-hierarchal folder with 3 config files.  I tried to import
> those files, along with some of the configs from the common folder and
> when I try to assign a user to the “Org Metarule”, I get this error:
>
> Unsatisfied strict dependency of account Discr(RSD(entitlement (group)
> @10000000-0000-0000-0000-000000000003)) dependent on Discr(RSD(generic
> (ou) @10000000-0000-0000-0000-000000000003)): Account not provisioned
>
>
> I don’t know how to decipher what the problem is,  “Account not
> provisioned” isn’t helpful to me since I have no idea WHY it’s not
> provisioned.  Is there a documentation page that would walk me through
> how to spin up a nested org/group demo from soup-to-nuts that doesn’t
> require me to know every detail of the individual configuration
> objects/steps involved?
>
> Thanks,
>
> Aaron
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161216/62d63636/attachment.htm>

From jeverling at bshp.edu  Fri Dec 16 17:05:52 2016
From: jeverling at bshp.edu (Jason Everling)
Date: Fri, 16 Dec 2016 10:05:52 -0600
Subject: [midPoint] Managing projects and premissions with midPoint
In-Reply-To: <1481871353552.37697@rmit.ee>
References: <1481871353552.37697@rmit.ee>
Message-ID: <CAFkZXY5UChqhR3XLB379XkJnaaazjOi1Mj0Nv-AfdziwF_8YtA@mail.gmail.com>

What about midpoint org units for 'projects' and roles for 'permissions'?
How many users are in a project, is it 1 or 2 , or is many, hundreds,
thousands, etc.. same for permissions, how many users would be assigned a
permission? it could be reversed if permissions have many more users than a
project would contain. I think I would base it off that but that is just my
opinion.

We use org units for different things, some are used for AD security
groups, distribution lists, etc.. and others are used for actual ou's
(containers in AD) , each has their own 'root' of course in midpoint. For
example, our domain itself has a root, then 'Security Groups' is another
root, and 'DL Groups' is another root. Each contains their own items. It
was based off midpoint 3.2 before you could see 'members' of a role like
you can now in the later versions.

JASON

On Fri, Dec 16, 2016 at 12:55 AM, Aivo Kuhlberg <aivo.kuhlberg at rmit.ee>
wrote:

> Hi,
> I am planning to manage database tables data with ScriptedSQL connector.
> This database has users (table USERS), projects (table USER_PROJECTS) and
> permissions (table PROJECT_PERM). Before I start to set up connector I
> would like to know how should I manage these structures in midPoint? My
> current idea is to map users to midpoint users, projects to midPoint roles
> but what about project permissions? Should I map them to roles too or is
> there better way how to manage them?
>
> Thanks,
> Aivo Kuhlberg
>
> ------------------------------
> Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks tunnistatud
> teavet.
> This e-mail may contain information which is classified for official use.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161216/7d465ab3/attachment.htm>

From carlos18619 at gmail.com  Fri Dec 16 17:20:37 2016
From: carlos18619 at gmail.com (Carlos Ferreira)
Date: Fri, 16 Dec 2016 14:20:37 -0200
Subject: [midPoint] Managing projects and premissions with midPoint
In-Reply-To: <CAFkZXY5UChqhR3XLB379XkJnaaazjOi1Mj0Nv-AfdziwF_8YtA@mail.gmail.com>
References: <1481871353552.37697@rmit.ee>
 <CAFkZXY5UChqhR3XLB379XkJnaaazjOi1Mj0Nv-AfdziwF_8YtA@mail.gmail.com>
Message-ID: <CAJHEg65w093wdZhMwkSQsoOar3GYZyOGL3BU_L325y13gF7OdQ@mail.gmail.com>

Hi Aivo,

I suggest you to have a look at the midpoint list archives:

http://lists.evolveum.com/pipermail/midpoint/

There are a lot of stuff there concerning SCRIPTEDSQL connector.

Carlos



2016-12-16 14:05 GMT-02:00 Jason Everling <jeverling at bshp.edu>:

> What about midpoint org units for 'projects' and roles for 'permissions'?
> How many users are in a project, is it 1 or 2 , or is many, hundreds,
> thousands, etc.. same for permissions, how many users would be assigned a
> permission? it could be reversed if permissions have many more users than a
> project would contain. I think I would base it off that but that is just my
> opinion.
>
> We use org units for different things, some are used for AD security
> groups, distribution lists, etc.. and others are used for actual ou's
> (containers in AD) , each has their own 'root' of course in midpoint. For
> example, our domain itself has a root, then 'Security Groups' is another
> root, and 'DL Groups' is another root. Each contains their own items. It
> was based off midpoint 3.2 before you could see 'members' of a role like
> you can now in the later versions.
>
> JASON
>
> On Fri, Dec 16, 2016 at 12:55 AM, Aivo Kuhlberg <aivo.kuhlberg at rmit.ee>
> wrote:
>
>> Hi,
>> I am planning to manage database tables data with ScriptedSQL connector.
>> This database has users (table USERS), projects (table USER_PROJECTS) and
>> permissions (table PROJECT_PERM). Before I start to set up connector I
>> would like to know how should I manage these structures in midPoint? My
>> current idea is to map users to midpoint users, projects to midPoint roles
>> but what about project permissions? Should I map them to roles too or is
>> there better way how to manage them?
>>
>> Thanks,
>> Aivo Kuhlberg
>>
>> ------------------------------
>> Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks tunnistatud
>> teavet.
>> This e-mail may contain information which is classified for official use.
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161216/5abaccad/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Sun Dec 18 00:58:18 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Sun, 18 Dec 2016 00:58:18 +0100
Subject: [midPoint] ScriptedSQL -Multivalued attributes (was: add/remove
	entitlements)
In-Reply-To: <2649462.CX5iVHnTTu@skygge-pc>
References: <3062999.LUnh5BE5GU@skygge-pc>
 <CAAxX8cjpmjbCkT6+T9ZGeSAHFRGunuz7HSU0JttpPdb7AWcfWQ@mail.gmail.com>
 <2649462.CX5iVHnTTu@skygge-pc>
Message-ID: <7270853.cUlnrLkpoZ@skygge-pc>

OK, I got it.
The multivalued attribute MUST BE A LIST type ["value1","value2","value"].
I found it in one post in mailing list archive after 2 days of intense research.

Now anything is possible. At least at the moment.... see you soon!
WS

Dnia czwartek, 15 grudnia 2016 21:01:49 CET Wojciech Staszewski pisze:
> Nevermind,
> I just wanna know how to handle multivalued attributes, if I know this, the rest is relatively simple.
> Search, insert, delete, update.
> I found some messages from past years on this mailing list, but nothing valuable.
> Please understand I'm not a programmer (except bash scripting). Until I met Midpoint I did not know that something like Groovy exists. :)
> I ask for your indulgence.
> 
> Dnia poniedziałek, 12 grudnia 2016 21:45:00 CET Nicolas Rossi pisze:
> > Hi, you have to add the association between Users and Groups. It's
> > something like that:
> > 
> > <association>
> > <ref>ri:GroupObjectClass</ref>
> > <kind>entitlement</kind>
> > <intent>default</intent>
> > <tolerant>false</tolerant>
> > <direction>subjectToObject</direction>
> > <associationAttribute>ri:groups</associationAttribute>
> > <valueAttribute>icfs:uid</valueAttribute>
> > <shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute>
> > <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
> > </association>
> > 
> > You can find more information about the association and the tolerant
> > parameter here:
> > https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition
> > 
> > Inside your Update script the operation should be ADD_ATTRIBUTE_VALUE for
> > objectClass __ACCOUNT__ and the attribute received should be "groups":
> > 
> >     case "ADD_ATTRIBUTE_VALUES":
> > 
> >         if(objectClass == "__ACCOUNT__")
> >         {
> >             for(String group : attributes.get("groups"))
> >             {
> >                 def existingEntitlement = sql.rows("SELECT 1 FROM
> > UserGroups WHERE user_id=? AND group_id=?",[uid as String, group as
> > String]);
> >                 if(existingEntitlement.isEmpty())
> >                 {
> >                     log.info("Sample - Adding entitlement ${group} to user
> > ${uid}");
> >                     sql.execute("insert into UserGroups (user_id, group_id)
> > values (" + uid + "," + group + ")");
> >                 }
> >                 else
> >                 {
> >                     log.info("Sample - Skipping assignment because user
> > ${uid} already has group ${group}");
> >                 }
> >             }
> >         }
> > 
> > You should also handle the REMOVE_ATTRIBUTE_VALUES with the same logic.
> > Radovan and Ivan have helped us few weeks ago with the ScriptedSQL
> > resource. You can find the conversation in the mailing list. I am sure it
> > will help you too.
> > 
> > Regards,
> > 
> > 
> > 
> > 
> > 
> > Ing Nicolás Rossi
> > Identicum S.A.
> > Jorge Newbery 3226
> > Tel: +54 (11) 4552-3050
> > www.identicum.com
> > 
> > On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
> > wojciech.staszewski at diagnostyka.pl> wrote:
> > 
> > > Hello,
> > >
> > > I'm playing with ScriptedSQL resource, based on Evolveum example from
> > > Github.
> > > I'm able to list/add/remove users/groups and enable/disable accounts.
> > > Great.
> > > But now I want to apply an assignment (a group) to user. Unfortunately
> > > "Update_Script.groovy" is incomplete,
> > > ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
> > > Where can I find some examples?
> > >
> > > Thanks a lot!
> > > WS
> > > _______________________________________________
> > > midPoint mailing list
> > > midPoint at lists.evolveum.com
> > > http://lists.evolveum.com/mailman/listinfo/midpoint
> > >
> > 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> 


-- 
Wojciech Staszewski
Administrator Systemów Sieciowych
Dział IT
DIAGNOSTYKA 
Spółka z ograniczoną odpowiedzialnością 
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
tel.: +48 12 295 01 00
fax: +48 12 295 01 02 
tel. kom: 663 680 236
www.diag.pl
DIAGNOSTYKA Spółka z ograniczoną odpowiedzialnością ul. Prof. M. Życzkowskiego 16, 31-864 Kraków; 
KRS: Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy Krajowego KRS: 0000381559; NIP: 675-12-65-009; REGON: 356366975, Kapitał zakładowy: 33 252 500 zł.


From carlos18619 at gmail.com  Mon Dec 19 15:23:44 2016
From: carlos18619 at gmail.com (Carlos Ferreira)
Date: Mon, 19 Dec 2016 12:23:44 -0200
Subject: [midPoint] PROBLEM IN TRANSLATION TO PORTUGUESE-BR
Message-ID: <CAJHEg64D7OidyaeO0qdcsoEKcWfE4xrLmHuRnQEvRkgx6BabXA@mail.gmail.com>

Hi,

I have just translated most of MidPoint to Portuguese-BR. However I
realized that some words have a strange behaviour.

For example, when adding a new user (in the left menu, usuário->novo
usuário), you will see, in the upper tabs,the word "Delegações" when it
should be "Delegações". Is is very strange since the word "Projeções" was
correctly written (pay attention that the suffix "ções" is the same).

In the "basics" tab, there are also another problems with the words:

As is written                       how should be

Nome de família               Nome de família
Prefixo honorífico             Prefixo honorífico
Sufixo honorífico              Sufixo honorífico
Título                                Título
Endereço de email          Endereço de email
Núm. de telefone              Número de telefone
Núm. de empregado         Número de empregado
Organização                  Organização
Expiração do Bloqueio   Expiração do Bloqueio
Válido de                           Válido de
Válido até                       Válido até

Similarly, when I select the "Atribuições" tab, "Atribuições" is shown in
the next screen.

Well, I have checked the translation on "transifex" and it is all right
there.

Also, in the left menu (in the main screen), when I select
Configuração->Objetos de repositório, system returns

"
Internal Server Error
19/12/16 11:21 org.apache.wicket.WicketRuntimeException: Exception in
rendering component: [Component id = count]

"


These are just some of the problems that I have realized.



Carlos
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161219/5f432a79/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Mon Dec 19 16:05:04 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Mon, 19 Dec 2016 16:05:04 +0100
Subject: [midPoint]  How to change intent in resource accounts?
Message-ID: <c8009d42-56b9-a9ed-d6b7-8f6ef0a94383@diagnostyka.pl>

Hello!

I have configured a resource. In Account schema handling i set intent "defalut" first, but then I've changed my mind and chaged it to "testAccount"
and configured sync for this intent.

But now I see, when I enter accounts on this resource that some of accounts have intent "default" and the rest "testAccount".
Reconciliation, synchronization and import accounts with intent "testAccount" goes OK without errors,
but I cannot do anything with these with "default" intent. Changing owner and import gives me an error.

How to change intent of these accounts to "testAccount"?

Thanks :*


From wojciech.staszewski at diagnostyka.pl  Mon Dec 19 16:45:35 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Mon, 19 Dec 2016 16:45:35 +0100
Subject: [midPoint] How to change intent in resource accounts?
In-Reply-To: <c8009d42-56b9-a9ed-d6b7-8f6ef0a94383@diagnostyka.pl>
References: <c8009d42-56b9-a9ed-d6b7-8f6ef0a94383@diagnostyka.pl>
Message-ID: <b63221d5-7594-6c00-6b26-d2d0ae1035ea@diagnostyka.pl>

Well, I corrected intent of these accounts by clicking them one by one in Configuration->Repository Objects->Shadow.
Fotrunaltely it was only 20 accunts....

W dniu 19.12.2016 o 16:05, Wojciech Staszewski pisze:
> Hello!
> 
> I have configured a resource. In Account schema handling i set intent "defalut" first, but then I've changed my mind and chaged it to "testAccount"
> and configured sync for this intent.
> 
> But now I see, when I enter accounts on this resource that some of accounts have intent "default" and the rest "testAccount".
> Reconciliation, synchronization and import accounts with intent "testAccount" goes OK without errors,
> but I cannot do anything with these with "default" intent. Changing owner and import gives me an error.
> 
> How to change intent of these accounts to "testAccount"?
> 
> Thanks :*
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> 

-- 
Wojciech Staszewski
Administrator Systemów Sieciowych
tel. kom: 663 680 236
www.diagnostyka.pl
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy KRS)
NIP: 675-12-65-009; REGON: 356366975
Kapitał zakładowy: 33 756 500 zł.

Pomyśl o środowisku zanim wydrukujesz ten e-mail.


From oskar.butovic at ami.cz  Mon Dec 19 18:07:19 2016
From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=)
Date: Mon, 19 Dec 2016 18:07:19 +0100
Subject: [midPoint] recompute bypass FatalError
Message-ID: <CAE8MtZCMBprcVAnvpBJkMTUEA5eZJ3s0z3bMd6uah55YfxfhEQ@mail.gmail.com>

Hello Everybody,

currently my biggest issue is that google API sometimes returns 503 service
unavailable. This result in fatal error in recompute task.

I need this to result only in partial error for recompute task to continue.
Which exception should I throw from connector? I know that it can be solved
easily in midpoint 3.5 but AFAIK it is not ready yet and when it becomes
ready I have a lot to fix because of prism changes.

I also tried writing script execution task but exception somehow makes it
through try catch in groovy and stops task execution. Code below:

<s:action>
                  <s:type>execute-script</s:type>
                  <s:parameter>
                      <s:name>script</s:name>
                      <c:value xsi:type="c:ScriptExpressionEvaluatorType">
                      <c:code>
                      import
com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
                      import java.io.StringWriter;
                      import java.io.PrintWriter;
                      import
com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;

try{
midpoint.recompute(UserType.class, input.oid);
log.error("recomputing user " + input.getName() + " finished OK");
}catch(Exception exception){
StringWriter errors = new StringWriter();
exception.printStackTrace(new PrintWriter(errors));
stackTrace = errors.toString();
//log.error("recomputing user " + input.getName() + " threw exception " +
stackTrace);
}
                        </c:code>
                      </c:value>
                  </s:parameter>
               </s:action>

Best Regards

Oskar Butovič

-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161219/55a391c9/attachment.htm>

From nrossi at identicum.com  Mon Dec 19 18:09:36 2016
From: nrossi at identicum.com (Nicolas Rossi)
Date: Mon, 19 Dec 2016 14:09:36 -0300
Subject: [midPoint] How to change intent in resource accounts?
In-Reply-To: <b63221d5-7594-6c00-6b26-d2d0ae1035ea@diagnostyka.pl>
References: <c8009d42-56b9-a9ed-d6b7-8f6ef0a94383@diagnostyka.pl>
 <b63221d5-7594-6c00-6b26-d2d0ae1035ea@diagnostyka.pl>
Message-ID: <CAAxX8chus_Rft=RF+0B9YT7CgcUpXdCs5DY5D6QZDZyu6+meyw@mail.gmail.com>

Perfect, so it's working now ?



Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Mon, Dec 19, 2016 at 12:45 PM, Wojciech Staszewski <
wojciech.staszewski at diagnostyka.pl> wrote:

> Well, I corrected intent of these accounts by clicking them one by one in
> Configuration->Repository Objects->Shadow.
> Fotrunaltely it was only 20 accunts....
>
> W dniu 19.12.2016 o 16:05, Wojciech Staszewski pisze:
> > Hello!
> >
> > I have configured a resource. In Account schema handling i set intent
> "defalut" first, but then I've changed my mind and chaged it to
> "testAccount"
> > and configured sync for this intent.
> >
> > But now I see, when I enter accounts on this resource that some of
> accounts have intent "default" and the rest "testAccount".
> > Reconciliation, synchronization and import accounts with intent
> "testAccount" goes OK without errors,
> > but I cannot do anything with these with "default" intent. Changing
> owner and import gives me an error.
> >
> > How to change intent of these accounts to "testAccount"?
> >
> > Thanks :*
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
> >
>
> --
> Wojciech Staszewski
> Administrator Systemów Sieciowych
> tel. kom: 663 680 236
> www.diagnostyka.pl
> Diagnostyka Sp. z o. o.
> ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
> Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI
> Wydział Gospodarczy KRS)
> NIP: 675-12-65-009; REGON: 356366975
> Kapitał zakładowy: 33 756 500 zł.
>
> Pomyśl o środowisku zanim wydrukujesz ten e-mail.
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161219/5f038eed/attachment.htm>

From mederly at evolveum.com  Mon Dec 19 18:17:21 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Mon, 19 Dec 2016 18:17:21 +0100
Subject: [midPoint] How to change intent in resource accounts?
In-Reply-To: <b63221d5-7594-6c00-6b26-d2d0ae1035ea@diagnostyka.pl>
References: <c8009d42-56b9-a9ed-d6b7-8f6ef0a94383@diagnostyka.pl>
 <b63221d5-7594-6c00-6b26-d2d0ae1035ea@diagnostyka.pl>
Message-ID: <78325e69-07f5-0690-634b-e784e2821c4b@evolveum.com>

Generally, you could also delete them and re-import again (this could 
cause problems if e.g. midPoint users are linked to them - no big 
problem, but a round of recompute or reconcile would be needed).

Or you could use bulk actions (a.k.a. scripting) to change the intent.

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 19.12.2016 16:45, Wojciech Staszewski wrote:
> Well, I corrected intent of these accounts by clicking them one by one in Configuration->Repository Objects->Shadow.
> Fotrunaltely it was only 20 accunts....
>
> W dniu 19.12.2016 o 16:05, Wojciech Staszewski pisze:
>> Hello!
>>
>> I have configured a resource. In Account schema handling i set intent "defalut" first, but then I've changed my mind and chaged it to "testAccount"
>> and configured sync for this intent.
>>
>> But now I see, when I enter accounts on this resource that some of accounts have intent "default" and the rest "testAccount".
>> Reconciliation, synchronization and import accounts with intent "testAccount" goes OK without errors,
>> but I cannot do anything with these with "default" intent. Changing owner and import gives me an error.
>>
>> How to change intent of these accounts to "testAccount"?
>>
>> Thanks :*
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>



From wstaszewski at wp.pl  Mon Dec 19 18:31:56 2016
From: wstaszewski at wp.pl (Wojciech Staszewski)
Date: Mon, 19 Dec 2016 18:31:56 +0100
Subject: [midPoint] How to change intent in resource accounts?
In-Reply-To: <78325e69-07f5-0690-634b-e784e2821c4b@evolveum.com>
References: <c8009d42-56b9-a9ed-d6b7-8f6ef0a94383@diagnostyka.pl>
 <b63221d5-7594-6c00-6b26-d2d0ae1035ea@diagnostyka.pl>
 <78325e69-07f5-0690-634b-e784e2821c4b@evolveum.com>
Message-ID: <4786484.ghN1xfQCvm@skygge-pc>

Thanks, I will keep it in mind.
Regards!
WS

Dnia poniedziałek, 19 grudnia 2016 18:17:21 CET Pavol Mederly pisze:
> Generally, you could also delete them and re-import again (this could 
> cause problems if e.g. midPoint users are linked to them - no big 
> problem, but a round of recompute or reconcile would be needed).
> 
> Or you could use bulk actions (a.k.a. scripting) to change the intent.
> 
> Best regards,
> 
> Pavol Mederly
> Software developer
> evolveum.com
> 
> On 19.12.2016 16:45, Wojciech Staszewski wrote:
> > Well, I corrected intent of these accounts by clicking them one by one in Configuration->Repository Objects->Shadow.
> > Fotrunaltely it was only 20 accunts....
> >
> > W dniu 19.12.2016 o 16:05, Wojciech Staszewski pisze:
> >> Hello!
> >>
> >> I have configured a resource. In Account schema handling i set intent "defalut" first, but then I've changed my mind and chaged it to "testAccount"
> >> and configured sync for this intent.
> >>
> >> But now I see, when I enter accounts on this resource that some of accounts have intent "default" and the rest "testAccount".
> >> Reconciliation, synchronization and import accounts with intent "testAccount" goes OK without errors,
> >> but I cannot do anything with these with "default" intent. Changing owner and import gives me an error.
> >>
> >> How to change intent of these accounts to "testAccount"?
> >>
> >> Thanks :*
> >> _______________________________________________
> >> midPoint mailing list
> >> midPoint at lists.evolveum.com
> >> http://lists.evolveum.com/mailman/listinfo/midpoint
> >>
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> 




From wojciech.staszewski at diagnostyka.pl  Mon Dec 19 20:25:49 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Mon, 19 Dec 2016 20:25:49 +0100
Subject: [midPoint]  ScriptedSQL connector: multiple group types
Message-ID: <2521722.bqbaDruVeg@skygge-pc>

Hello!

Jokes are over. My first scriptedSQL connector works like a charm (Zabbix account with group membership), so it is time for something more sophisticated.
I've got a system, where user's access rights are set by 3 different memberships.
First membership are database roles.
Second are application modules available for user.
Third type are "workplaces" (with time constraints).
These 3 memberships are independent, each user can have for example 3 roles, 12 enabled modules and 5 workplaces.

I thought that I can do multiple group types in SchemaScript and distinguish them by "intent".
But I can't do this. I can declare only 1 CustomGroupObjectClass...
Any advice? Thanks and regards,
WS :)



From mederly at evolveum.com  Mon Dec 19 20:38:42 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Mon, 19 Dec 2016 20:38:42 +0100
Subject: [midPoint] ScriptedSQL connector: multiple group types
In-Reply-To: <2521722.bqbaDruVeg@skygge-pc>
References: <2521722.bqbaDruVeg@skygge-pc>
Message-ID: <0530e20f-ec63-d090-7179-07378a6440a4@evolveum.com>

Wojciech,

I think your original idea is OK. You can create multiple types - i.e. 
object classes - in SchemaScript for your groups. Like Group1, Group2, 
..., BlueGroup, RedGroup, GreenGroup, ..., DatabaseRole, 
ApplicationModule, Workplace. Anything you want. As soon as you 
consistently refer to them in all your scripts.

And yes, you then map these object classes to midPoint terms: 
kind/intent; kind being entitlement in this case, and intents as you 
like. For example, databaseRole, applicationModule, or workplace.

Pavol Mederly
Software developer
evolveum.com

On 19.12.2016 20:25, Wojciech Staszewski wrote:
> Hello!
>
> Jokes are over. My first scriptedSQL connector works like a charm (Zabbix account with group membership), so it is time for something more sophisticated.
> I've got a system, where user's access rights are set by 3 different memberships.
> First membership are database roles.
> Second are application modules available for user.
> Third type are "workplaces" (with time constraints).
> These 3 memberships are independent, each user can have for example 3 roles, 12 enabled modules and 5 workplaces.
>
> I thought that I can do multiple group types in SchemaScript and distinguish them by "intent".
> But I can't do this. I can declare only 1 CustomGroupObjectClass...
> Any advice? Thanks and regards,
> WS :)
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint



From wojciech.staszewski at diagnostyka.pl  Mon Dec 19 21:53:58 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Mon, 19 Dec 2016 21:53:58 +0100
Subject: [midPoint] ScriptedSQL connector: multiple group types
In-Reply-To: <0530e20f-ec63-d090-7179-07378a6440a4@evolveum.com>
References: <2521722.bqbaDruVeg@skygge-pc>
 <0530e20f-ec63-d090-7179-07378a6440a4@evolveum.com>
Message-ID: <1971052.goD7exQ0P1@skygge-pc>

Thanks!

So then, it shouldn't be so hard.
Best regards!

Dnia poniedziałek, 19 grudnia 2016 20:38:42 CET Pavol Mederly pisze:
> Wojciech,
> 
> I think your original idea is OK. You can create multiple types - i.e. 
> object classes - in SchemaScript for your groups. Like Group1, Group2, 
> ..., BlueGroup, RedGroup, GreenGroup, ..., DatabaseRole, 
> ApplicationModule, Workplace. Anything you want. As soon as you 
> consistently refer to them in all your scripts.
> 
> And yes, you then map these object classes to midPoint terms: 
> kind/intent; kind being entitlement in this case, and intents as you 
> like. For example, databaseRole, applicationModule, or workplace.
> 
> Pavol Mederly
> Software developer
> evolveum.com
> 
> On 19.12.2016 20:25, Wojciech Staszewski wrote:
> > Hello!
> >
> > Jokes are over. My first scriptedSQL connector works like a charm (Zabbix account with group membership), so it is time for something more sophisticated.
> > I've got a system, where user's access rights are set by 3 different memberships.
> > First membership are database roles.
> > Second are application modules available for user.
> > Third type are "workplaces" (with time constraints).
> > These 3 memberships are independent, each user can have for example 3 roles, 12 enabled modules and 5 workplaces.
> >
> > I thought that I can do multiple group types in SchemaScript and distinguish them by "intent".
> > But I can't do this. I can declare only 1 CustomGroupObjectClass...
> > Any advice? Thanks and regards,
> > WS :)
> >
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> 


-- 
Wojciech Staszewski
Administrator Systemów Sieciowych
Dział IT
DIAGNOSTYKA 
Spółka z ograniczoną odpowiedzialnością 
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
tel.: +48 12 295 01 00
fax: +48 12 295 01 02 
tel. kom: 663 680 236
www.diag.pl
DIAGNOSTYKA Spółka z ograniczoną odpowiedzialnością ul. Prof. M. Życzkowskiego 16, 31-864 Kraków; 
KRS: Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy Krajowego KRS: 0000381559; NIP: 675-12-65-009; REGON: 356366975, Kapitał zakładowy: 33 252 500 zł.


From m.benucci at nsr.it  Tue Dec 20 07:26:25 2016
From: m.benucci at nsr.it (Marco Benucci)
Date: Tue, 20 Dec 2016 07:26:25 +0100
Subject: [midPoint] Notify workflow midpoint 3.3.1
Message-ID: <c8a89711-4c0d-462b-84ea-2cdda1d1683b@typeapp.com>

⁣ Hi, 

I'd like to notify to the role approver that a work item is ready to be approved, but I think there is a bug, described here

http://lists.evolveum.com/pipermail/midpoint/2016-June/001976.html

Because I'm having the same error... 

So, is it possible for me to modify something to make it works on midpoint 3.3.1? We prefer to not update to 3.4 if the 3.5 is close... Thank you, 

Marco

Inviato da BlueMail ​
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/3eebbf04/attachment.htm>

From legeech at inbox.ru  Tue Dec 20 08:53:29 2016
From: legeech at inbox.ru (=?UTF-8?B?b2xlZyBva3VuZXY=?=)
Date: Tue, 20 Dec 2016 10:53:29 +0300
Subject: [midPoint] =?utf-8?q?attributeOrValueExists_ERROR_LDAP?=
Message-ID: <1482220409.709205273@f428.i.mail.ru>

Hello.

Strange problem i get when trying to modify decription in user which have link to AD account
config of schema handling

<attribute>
    <ref>ri:description</ref>
       <outbound>
         <source>
             <path>description</path>
         </source>
       </outbound>
       <inbound>
         <target>
             <path>description</path>
         </target>
       </inbound>
</attribute>
Preview changes

Modify   User   Archangel Gabriel   (Gabriel)
 
Item Old value New value
Description New Desc New Desc NEW

Secondary changes: 2 objects
 
Modify   User   Archangel Gabriel   (Gabriel)
 
Item Old value New value
Description New Desc New Desc NEW
Modify   Shadow   CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru
 
Item Value
resourceRef   Active Directory Medusa (LDAPS) v2
kind ACCOUNT
intent default
Modify   attributes
 
Item Old value New value
description   New Desc NEW

GOT this ERROR

Schema violation during processing shadow: 
shadow: CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru (OID:92d4a278-8d4f-46a3-af88-56bdf8529a95): 
Schema violation: Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error modifying LDAP entry CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru: [add:description: New Desc Second,]: attributeOrValueExists: 00002081: AtrErr: DSID-030F154F, #1:??0: 00002081: DSID-030F154F, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att d (description)?? (20)): it looks like midpoint trying to add NEW attribute - i cant understand why not modify existing attribute value

I know it must be simple but i trying to search and failed(((
i got 3 object classes : user group and OU

and one more thing 
after error decription is different - in user new - in AD old
if i make reconcile -  in AD it became emty
and after that any first decription  writes well in AD.



-- 
oleg okunev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/e0a295ac/attachment.htm>

From dick.muller at tahzoo.com  Tue Dec 20 08:59:12 2016
From: dick.muller at tahzoo.com (Dick Muller)
Date: Tue, 20 Dec 2016 07:59:12 +0000
Subject: [midPoint] Office365 password:null
Message-ID: <BY1PR0601MB119231EAF12E3531E5AD19A896900@BY1PR0601MB1192.namprd06.prod.outlook.com>


Hi there,


I have configured two Office 365 connectors.

One to my personal Office365 environment to which I can reconcile and create new accounts with any problem.


The other one is to the Office365 of our business and I used the same configuration as for my personal Office365, but only changed the Service Principal ofcourse.


I can create accounts, but I can't reconcile and get the following error:

Got unexpected exception: java.lang.IllegalArgumentException: can't parse argument number: "password":null


On my test server I deleted all shadows and users, but even then it results in the same error.
It must be something on the side of Office365, but I don't know what. The service principal is member of the Company Admins.


Have you ever seen such an error?


Kindest regards,


Dick Muller

Dick Muller
Senior Systems Engineer
P: 0031 8 82682586 | M: 0031 6 46477690
E: dick.muller at tahzoo.com | W: www.tahzoo.com
A: Delftechpark 37I, 2628 XJDelft, Netherlands

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/bff14fb1/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image504000.png
Type: image/png
Size: 1293 bytes
Desc: image504000.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/bff14fb1/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image646001.png
Type: image/png
Size: 1068 bytes
Desc: image646001.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/bff14fb1/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: result (4)
Type: application/octet-stream
Size: 63504 bytes
Desc: result (4)
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/bff14fb1/attachment.obj>

From mikko.pekkarinen at datactica.fi  Tue Dec 20 09:36:22 2016
From: mikko.pekkarinen at datactica.fi (Mikko Pekkarinen)
Date: Tue, 20 Dec 2016 08:36:22 +0000
Subject: [midPoint] Synchronize multiple accounts per user?
Message-ID: <03516253baad44abbb1038b87ef25444@EXCH002.Toimisto.local>

Hello,

Use case: A resource maintains user accounts and organization information. I need to synchronize these to midPoint.
The user accounts are associated to the organizations, and one person may have an account in multiple organizations.
The accounts have an ID field that uniquely identifies the person who owns the account, and I use this ID to correlate the accounts to midPoint Users. Straigthforward synchronization leads to constraint violation exceptions, as the different accounts have same (resource, kind, intent).

I can see some possible solutions:
 - Writing a script that creates N copies of the resource configuration, with different 'intent' values.
   This is ugly, possibly inefficient, and limits the maximum number of accounts per user.
 - Create a separate User in midPoint for each account.
   Feels wrong. Seems simple in the short term, but leads at least to usability problems.
   Probably other problems as well?

Are there better choices or any best practices for this situation?
Would the new "identity merging" feature help, i.e. can it merge Users whose shadows have identical
(resource, kind, intent)?


Mikko

From dick.muller at tahzoo.com  Tue Dec 20 10:15:11 2016
From: dick.muller at tahzoo.com (Dick Muller)
Date: Tue, 20 Dec 2016 09:15:11 +0000
Subject: [midPoint] Synchronize multiple accounts per user?
In-Reply-To: <03516253baad44abbb1038b87ef25444@EXCH002.Toimisto.local>
References: <03516253baad44abbb1038b87ef25444@EXCH002.Toimisto.local>
Message-ID: <BY1PR0601MB11927D5F213F30CD2266429996900@BY1PR0601MB1192.namprd06.prod.outlook.com>

Hi Mikko,


I have done more or less the same thing with groups.

I had an existing Domain with users and groups.


I created a custom attribute ADRoles and important the membership to that attribute.

In the default intent I created a little script that read the values in that attribute and assigned them to existing roles that were imported, but if the role didn't exists it was created.


You could do the same thing with organisations.

Create Organizational Units for the organisations with the ID and the name is the displayname.

During Reconcile the users are created only once and the organisation ID's are collected in the User attribute and assigned to the Organisational Unit it will lookup.


Hope this is an interesting way?


Thanks,


Dick

________________________________

Dick Muller
Senior Systems Engineer
P: 0031 8 82682586 | M: 0031 6 46477690
E: dick.muller at tahzoo.com | W: www.tahzoo.com
A: Delftechpark 37I, 2628 XJDelft, Netherlands

Van: midPoint <midpoint-bounces at lists.evolveum.com> namens Mikko Pekkarinen <mikko.pekkarinen at datactica.fi>
Verzonden: dinsdag 20 december 2016 09:36:22
Aan: midpoint at lists.evolveum.com
Onderwerp: [midPoint] Synchronize multiple accounts per user?

Hello,

Use case: A resource maintains user accounts and organization information. I need to synchronize these to midPoint.
The user accounts are associated to the organizations, and one person may have an account in multiple organizations.
The accounts have an ID field that uniquely identifies the person who owns the account, and I use this ID to correlate the accounts to midPoint Users. Straigthforward synchronization leads to constraint violation exceptions, as the different accounts have same (resource, kind, intent).

I can see some possible solutions:
 - Writing a script that creates N copies of the resource configuration, with different 'intent' values.
   This is ugly, possibly inefficient, and limits the maximum number of accounts per user.
 - Create a separate User in midPoint for each account.
   Feels wrong. Seems simple in the short term, but leads at least to usability problems.
   Probably other problems as well?

Are there better choices or any best practices for this situation?
Would the new "identity merging" feature help, i.e. can it merge Users whose shadows have identical
(resource, kind, intent)?


Mikko
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/a84ea07e/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image534000.png
Type: image/png
Size: 1293 bytes
Desc: image534000.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/a84ea07e/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image965001.png
Type: image/png
Size: 1068 bytes
Desc: image965001.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/a84ea07e/attachment-0001.png>

From aivo.kuhlberg at rmit.ee  Tue Dec 20 10:42:10 2016
From: aivo.kuhlberg at rmit.ee (Aivo Kuhlberg)
Date: Tue, 20 Dec 2016 09:42:10 +0000
Subject: [midPoint] Synchronize multiple accounts per user?
In-Reply-To: <03516253baad44abbb1038b87ef25444@EXCH002.Toimisto.local>
References: <03516253baad44abbb1038b87ef25444@EXCH002.Toimisto.local>
Message-ID: <1482226927224.47051@rmit.ee>

Hi Mikko,
I have exactly the same problem and have not yet found any good solution. There is a JIRA feature request about that (MID-3571) but it is waiting a sponsor.
At the moment my "solution" is just to just avoid the problems - as my accounts data comes from CSV-file then I do pre-processing of the accounts with script and just remove the user accounts who have identical ID-s. In future when we move to production I probably have to do more script processing - create exclusion list where I remove only user accounts which should not be imported. Of course this is not viable solution but at last there is no more users in input data who could create problems.
Regards,
Aivo
________________________________________
Saatja: midPoint <midpoint-bounces at lists.evolveum.com>  nimelMikko Pekkarinen <mikko.pekkarinen at datactica.fi>
Saadetud: 20. detsember 2016 10:36
Adressaat: midpoint at lists.evolveum.com
Teema: [midPoint] Synchronize multiple accounts per user?

Hello,

Use case: A resource maintains user accounts and organization information. I need to synchronize these to midPoint.
The user accounts are associated to the organizations, and one person may have an account in multiple organizations.
The accounts have an ID field that uniquely identifies the person who owns the account, and I use this ID to correlate the accounts to midPoint Users. Straigthforward synchronization leads to constraint violation exceptions, as the different accounts have same (resource, kind, intent).

I can see some possible solutions:
 - Writing a script that creates N copies of the resource configuration, with different 'intent' values.
   This is ugly, possibly inefficient, and limits the maximum number of accounts per user.
 - Create a separate User in midPoint for each account.
   Feels wrong. Seems simple in the short term, but leads at least to usability problems.
   Probably other problems as well?

Are there better choices or any best practices for this situation?
Would the new "identity merging" feature help, i.e. can it merge Users whose shadows have identical
(resource, kind, intent)?


Mikko
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint

________________________________
Käesolev e-kiri võib sisaldada asutusesiseseks kasutamiseks tunnistatud teavet.
This e-mail may contain information which is classified for official use.


From m.benucci at nsr.it  Tue Dec 20 11:10:10 2016
From: m.benucci at nsr.it (Marco Benucci)
Date: Tue, 20 Dec 2016 11:10:10 +0100
Subject: [midPoint]  Sync Virtual Identities and AD Groups using roles
Message-ID: <d4dcf989-f030-49cb-f5db-8f2885e1ec7c@nsr.it>

I have successfully aligned AD entitlement on midpoint users using a 2 
step approach.


Firstly I have made an inbound mapping of the attribute memberOf in an 
extension and multivalue attribute.

Then, with an object template I have used the assignmentTargetSearch to 
assign midpoint roles (my AD entitlement) to the user based on the 
attribute mentioned above. I thought it could be possible to use the 
assignmentTargetSearch even in inbound mapping on the resource, but I 
did not tested it.

Thank you,
Marco

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/a33980c6/attachment.htm>

From vincent.hurtevent at univ-lyon1.fr  Tue Dec 20 11:32:58 2016
From: vincent.hurtevent at univ-lyon1.fr (HURTEVENT VINCENT)
Date: Tue, 20 Dec 2016 10:32:58 +0000
Subject: [midPoint] Unassignement ?
In-Reply-To: <f546fa78-c72e-846f-f9fd-a5ae8a4ecc58@evolveum.com>
References: <0E125049-578B-415E-B525-4FCDCBD2564E@univ-lyon1.fr>
 <f546fa78-c72e-846f-f9fd-a5ae8a4ecc58@evolveum.com>
Message-ID: <0B29FE34-EED1-4AAF-934D-8B45265C2A24@univ-lyon1.fr>

Hi Ivan,

Thank you for your answer,

We would like to deal with account lifecycle with the rules and validity dates applied to assignment.
How could we write our objectTemplate mapping to apply these dates ?

Could we do this directly using expression and assignmentTargetSearch or do we have to do this with script code as we begin to do in this snippet :

http://pastebin.com/ftsgzvZs

Is there a method to set the validity dates ? Like assignment.setValidityFrom or something like that ?

Thanks !



Le 14 déc. 2016 à 11:42, Ivan Noris <ivan.noris at evolveum.com<mailto:ivan.noris at evolveum.com>> a écrit :


Hi,

by default, if you unassign (last) role which represents the account, the account would be deleted.

If you assign the roles automatically in object templates, by some condition e.g. employee status, it would work automatically.

On the other way midPoint can be configured to unassign roles, but not to delete the accounts, but disable them. Or disable them and delete later (in 30 days for example). See here: https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling%3A+Activation

But if you wish to unassign all roles (regardless if they were assigned automatically by template or manually), this could be more complicated.

Ivan

On 12/14/2016 11:04 AM, HURTEVENT VINCENT wrote:

Hello,

We’re working on a PoC for our university with the creation of directories accounts with the informations provided by our upstream ressources (HR and student information systems).

As many of our people have several profiles, mainly staff and student, it appears that working with intent is a good solution. So we began to write our process : one user, several intent, and objectTemplates which define assignments which induce accounts in downstream directories.

When a people comes from upstream with a specific profile, for the exemple staff and student, we assign the staff Role and the student Role and the 2 accounts are well created in the downstream directories.

Now, we would like in reaction to a deleted situation in a specific upstream ressources, to keep the user in Midpoint but unassign roles and potentially assign specific roles which could lead to specific manipulation on accounts (disable on AD, modify attributes, etc).

We look at activation status but we don’t really understand how to use it with specific intent. Validity dates will be different between the staff contract dates and the student registration dates for example.

Is there a simple way to define in ressources, an unassign action in reaction to a deleted situation ?

Thank you,



_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint



--
Ivan Noris
Senior Identity Engineer
evolveum.com<http://evolveum.com>


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/6ee70720/attachment.htm>

From mederly at evolveum.com  Tue Dec 20 11:40:58 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Tue, 20 Dec 2016 11:40:58 +0100
Subject: [midPoint] Unassignement ?
In-Reply-To: <0B29FE34-EED1-4AAF-934D-8B45265C2A24@univ-lyon1.fr>
References: <0E125049-578B-415E-B525-4FCDCBD2564E@univ-lyon1.fr>
 <f546fa78-c72e-846f-f9fd-a5ae8a4ecc58@evolveum.com>
 <0B29FE34-EED1-4AAF-934D-8B45265C2A24@univ-lyon1.fr>
Message-ID: <4796a3f0-94d9-e776-1881-2dbc5ddcd8b0@evolveum.com>

Vincent,

assignmentTargetSearch most probably does not allow to set the dates. In 
the code it is quite straightforward:

ActivationType act = ...
act.setValidFrom(...)
act.setValidTo(...)
assignment.setActivation(act)

Pavol Mederly
Software developer
evolveum.com

On 20.12.2016 11:32, HURTEVENT VINCENT wrote:
> Hi Ivan,
>
> Thank you for your answer,
>
> We would like to deal with account lifecycle with the rules and 
> validity dates applied to assignment.
> How could we write our objectTemplate mapping to apply these dates ?
>
> Could we do this directly using expression and assignmentTargetSearch 
> or do we have to do this with script code as we begin to do in this 
> snippet :
>
> http://pastebin.com/ftsgzvZs
>
> Is there a method to set the validity dates ? Like 
> assignment.setValidityFrom or something like that ?
>
> Thanks !
>
>
>
>> Le 14 déc. 2016 à 11:42, Ivan Noris <ivan.noris at evolveum.com 
>> <mailto:ivan.noris at evolveum.com>> a écrit :
>>
>> Hi,
>>
>> by default, if you unassign (last) role which represents the account, 
>> the account would be deleted.
>>
>> If you assign the roles automatically in object templates, by some 
>> condition e.g. employee status, it would work automatically.
>>
>> On the other way midPoint can be configured to unassign roles, but 
>> not to delete the accounts, but disable them. Or disable them and 
>> delete later (in 30 days for example). See here: 
>> https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling%3A+Activation
>>
>> But if you wish to unassign all roles (regardless if they were 
>> assigned automatically by template or manually), this could be more 
>> complicated.
>>
>> Ivan
>>
>> On 12/14/2016 11:04 AM, HURTEVENT VINCENT wrote:
>>> Hello,
>>>
>>> We’re working on a PoC for our university with the creation of directories accounts with the informations provided by our upstream ressources (HR and student information systems).
>>>
>>> As many of our people have several profiles, mainly staff and student, it appears that working with intent is a good solution. So we began to write our process : one user, several intent, and objectTemplates which define assignments which induce accounts in downstream directories.
>>>
>>> When a people comes from upstream with a specific profile, for the exemple staff and student, we assign the staff Role and the student Role and the 2 accounts are well created in the downstream directories.
>>>
>>> Now, we would like in reaction to a deleted situation in a specific upstream ressources, to keep the user in Midpoint but unassign roles and potentially assign specific roles which could lead to specific manipulation on accounts (disable on AD, modify attributes, etc).
>>>
>>> We look at activation status but we don’t really understand how to use it with specific intent. Validity dates will be different between the staff contract dates and the student registration dates for example.
>>>
>>> Is there a simple way to define in ressources, an unassign action in reaction to a deleted situation ?
>>>
>>> Thank you,
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> -- 
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com <http://evolveum.com>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/8f49609b/attachment.htm>

From jeverling at bshp.edu  Tue Dec 20 15:35:31 2016
From: jeverling at bshp.edu (Jason Everling)
Date: Tue, 20 Dec 2016 08:35:31 -0600
Subject: [midPoint] Sync Virtual Identities and AD Groups using roles
In-Reply-To: <d4dcf989-f030-49cb-f5db-8f2885e1ec7c@nsr.it>
References: <d4dcf989-f030-49cb-f5db-8f2885e1ec7c@nsr.it>
Message-ID: <CAFkZXY4Yr+P9n7kmBFR_Y1NTGfP2y8r4LSUnJPNYdXaLmXK1XA@mail.gmail.com>

Quick question, I am assuming you are using the AD-LDAP connector
(ri:memberOf), does inbound work during live sync or just during reconcile?

Thanks!
JASON



On Tue, Dec 20, 2016 at 4:10 AM, Marco Benucci <m.benucci at nsr.it> wrote:

> I have successfully aligned AD entitlement on midpoint users using a 2
> step approach.
>
>
> Firstly I have made an inbound mapping of the attribute memberOf in an
> extension and multivalue attribute.
>
> Then, with an object template I have used the assignmentTargetSearch to
> assign midpoint roles (my AD entitlement) to the user based on the
> attribute mentioned above. I thought it could be possible to use the
> assignmentTargetSearch even in inbound mapping on the resource, but I did
> not tested it.
>
> Thank you,
> Marco
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/1456930c/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Tue Dec 20 16:44:47 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Tue, 20 Dec 2016 16:44:47 +0100
Subject: [midPoint] ScriptedSQL connector: multiple group types
In-Reply-To: <1971052.goD7exQ0P1@skygge-pc>
References: <2521722.bqbaDruVeg@skygge-pc>
 <0530e20f-ec63-d090-7179-07378a6440a4@evolveum.com>
 <1971052.goD7exQ0P1@skygge-pc>
Message-ID: <2a34b2fd-4a2b-b4af-8ef5-0ef1aac08d41@diagnostyka.pl>

Hello again!

It is possibe and how to configure group membership (association), each with different time constraints?
User may have assigned multiple "workplaces", each workplace must have it's own time constraint. Example:
user "jdoe" has:
- workplace "Serology lab 1" from 2015.04.01 to 2016.12.31
- workplace "Microbiology lab 2" from 2015.05.05 to 2017.05.05
- and workplace "Analytics lab 1" from 2012.01.01 to 2020.12.31

Is that possible to do?
Best regards,
WS

W dniu 19.12.2016 o 21:53, Wojciech Staszewski pisze:
> Thanks!
> 
> So then, it shouldn't be so hard.
> Best regards!
> 
> Dnia poniedziałek, 19 grudnia 2016 20:38:42 CET Pavol Mederly pisze:
>> Wojciech,
>>
>> I think your original idea is OK. You can create multiple types - i.e. 
>> object classes - in SchemaScript for your groups. Like Group1, Group2, 
>> ..., BlueGroup, RedGroup, GreenGroup, ..., DatabaseRole, 
>> ApplicationModule, Workplace. Anything you want. As soon as you 
>> consistently refer to them in all your scripts.
>>
>> And yes, you then map these object classes to midPoint terms: 
>> kind/intent; kind being entitlement in this case, and intents as you 
>> like. For example, databaseRole, applicationModule, or workplace.
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 19.12.2016 20:25, Wojciech Staszewski wrote:
>>> Hello!
>>>
>>> Jokes are over. My first scriptedSQL connector works like a charm (Zabbix account with group membership), so it is time for something more sophisticated.
>>> I've got a system, where user's access rights are set by 3 different memberships.
>>> First membership are database roles.
>>> Second are application modules available for user.
>>> Third type are "workplaces" (with time constraints).
>>> These 3 memberships are independent, each user can have for example 3 roles, 12 enabled modules and 5 workplaces.
>>>
>>> I thought that I can do multiple group types in SchemaScript and distinguish them by "intent".
>>> But I can't do this. I can declare only 1 CustomGroupObjectClass...
>>> Any advice? Thanks and regards,
>>> WS :)
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
> 
> 


From nrossi at identicum.com  Tue Dec 20 17:05:55 2016
From: nrossi at identicum.com (Nicolas Rossi)
Date: Tue, 20 Dec 2016 13:05:55 -0300
Subject: [midPoint] ScriptedSQL connector: multiple group types
In-Reply-To: <2a34b2fd-4a2b-b4af-8ef5-0ef1aac08d41@diagnostyka.pl>
References: <2521722.bqbaDruVeg@skygge-pc>
 <0530e20f-ec63-d090-7179-07378a6440a4@evolveum.com>
 <1971052.goD7exQ0P1@skygge-pc>
 <2a34b2fd-4a2b-b4af-8ef5-0ef1aac08d41@diagnostyka.pl>
Message-ID: <CAAxX8cgKNP-he2eA=Vu6ezYKV89GQsbwHe37eWz_9HNDk_=CgA@mail.gmail.com>

Maybe you can add custom parameters to the role assignment but AFAIK there
is no timeframe configuration to the role assignments in midpoint.

Regards,



Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Tue, Dec 20, 2016 at 12:44 PM, Wojciech Staszewski <
wojciech.staszewski at diagnostyka.pl> wrote:

> Hello again!
>
> It is possibe and how to configure group membership (association), each
> with different time constraints?
> User may have assigned multiple "workplaces", each workplace must have
> it's own time constraint. Example:
> user "jdoe" has:
> - workplace "Serology lab 1" from 2015.04.01 to 2016.12.31
> - workplace "Microbiology lab 2" from 2015.05.05 to 2017.05.05
> - and workplace "Analytics lab 1" from 2012.01.01 to 2020.12.31
>
> Is that possible to do?
> Best regards,
> WS
>
> W dniu 19.12.2016 o 21:53, Wojciech Staszewski pisze:
> > Thanks!
> >
> > So then, it shouldn't be so hard.
> > Best regards!
> >
> > Dnia poniedziałek, 19 grudnia 2016 20:38:42 CET Pavol Mederly pisze:
> >> Wojciech,
> >>
> >> I think your original idea is OK. You can create multiple types - i.e.
> >> object classes - in SchemaScript for your groups. Like Group1, Group2,
> >> ..., BlueGroup, RedGroup, GreenGroup, ..., DatabaseRole,
> >> ApplicationModule, Workplace. Anything you want. As soon as you
> >> consistently refer to them in all your scripts.
> >>
> >> And yes, you then map these object classes to midPoint terms:
> >> kind/intent; kind being entitlement in this case, and intents as you
> >> like. For example, databaseRole, applicationModule, or workplace.
> >>
> >> Pavol Mederly
> >> Software developer
> >> evolveum.com
> >>
> >> On 19.12.2016 20:25, Wojciech Staszewski wrote:
> >>> Hello!
> >>>
> >>> Jokes are over. My first scriptedSQL connector works like a charm
> (Zabbix account with group membership), so it is time for something more
> sophisticated.
> >>> I've got a system, where user's access rights are set by 3 different
> memberships.
> >>> First membership are database roles.
> >>> Second are application modules available for user.
> >>> Third type are "workplaces" (with time constraints).
> >>> These 3 memberships are independent, each user can have for example 3
> roles, 12 enabled modules and 5 workplaces.
> >>>
> >>> I thought that I can do multiple group types in SchemaScript and
> distinguish them by "intent".
> >>> But I can't do this. I can declare only 1 CustomGroupObjectClass...
> >>> Any advice? Thanks and regards,
> >>> WS :)
> >>>
> >>> _______________________________________________
> >>> midPoint mailing list
> >>> midPoint at lists.evolveum.com
> >>> http://lists.evolveum.com/mailman/listinfo/midpoint
> >>
> >> _______________________________________________
> >> midPoint mailing list
> >> midPoint at lists.evolveum.com
> >> http://lists.evolveum.com/mailman/listinfo/midpoint
> >>
> >
> >
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/f5c3ed2d/attachment.htm>

From mederly at evolveum.com  Tue Dec 20 17:18:15 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Tue, 20 Dec 2016 17:18:15 +0100
Subject: [midPoint] ScriptedSQL connector: multiple group types
In-Reply-To: <2a34b2fd-4a2b-b4af-8ef5-0ef1aac08d41@diagnostyka.pl>
References: <2521722.bqbaDruVeg@skygge-pc>
 <0530e20f-ec63-d090-7179-07378a6440a4@evolveum.com>
 <1971052.goD7exQ0P1@skygge-pc>
 <2a34b2fd-4a2b-b4af-8ef5-0ef1aac08d41@diagnostyka.pl>
Message-ID: <87988ade-e2d3-10ee-9c51-d473eb7b8d8b@evolveum.com>

Wojciech,

as discussed today on this list: in midPoint this is represented by the 
activation item (specifically, its validFrom/validTo properties) 
residing in the user's assignment (pointing to given role).

Pavol Mederly
Software developer
evolveum.com

On 20.12.2016 16:44, Wojciech Staszewski wrote:
> Hello again!
>
> It is possibe and how to configure group membership (association), each with different time constraints?
> User may have assigned multiple "workplaces", each workplace must have it's own time constraint. Example:
> user "jdoe" has:
> - workplace "Serology lab 1" from 2015.04.01 to 2016.12.31
> - workplace "Microbiology lab 2" from 2015.05.05 to 2017.05.05
> - and workplace "Analytics lab 1" from 2012.01.01 to 2020.12.31
>
> Is that possible to do?
> Best regards,
> WS
>
> W dniu 19.12.2016 o 21:53, Wojciech Staszewski pisze:
>> Thanks!
>>
>> So then, it shouldn't be so hard.
>> Best regards!
>>
>> Dnia poniedziałek, 19 grudnia 2016 20:38:42 CET Pavol Mederly pisze:
>>> Wojciech,
>>>
>>> I think your original idea is OK. You can create multiple types - i.e.
>>> object classes - in SchemaScript for your groups. Like Group1, Group2,
>>> ..., BlueGroup, RedGroup, GreenGroup, ..., DatabaseRole,
>>> ApplicationModule, Workplace. Anything you want. As soon as you
>>> consistently refer to them in all your scripts.
>>>
>>> And yes, you then map these object classes to midPoint terms:
>>> kind/intent; kind being entitlement in this case, and intents as you
>>> like. For example, databaseRole, applicationModule, or workplace.
>>>
>>> Pavol Mederly
>>> Software developer
>>> evolveum.com
>>>
>>> On 19.12.2016 20:25, Wojciech Staszewski wrote:
>>>> Hello!
>>>>
>>>> Jokes are over. My first scriptedSQL connector works like a charm (Zabbix account with group membership), so it is time for something more sophisticated.
>>>> I've got a system, where user's access rights are set by 3 different memberships.
>>>> First membership are database roles.
>>>> Second are application modules available for user.
>>>> Third type are "workplaces" (with time constraints).
>>>> These 3 memberships are independent, each user can have for example 3 roles, 12 enabled modules and 5 workplaces.
>>>>
>>>> I thought that I can do multiple group types in SchemaScript and distinguish them by "intent".
>>>> But I can't do this. I can declare only 1 CustomGroupObjectClass...
>>>> Any advice? Thanks and regards,
>>>> WS :)
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint



From vincent.hurtevent at univ-lyon1.fr  Tue Dec 20 18:14:37 2016
From: vincent.hurtevent at univ-lyon1.fr (HURTEVENT VINCENT)
Date: Tue, 20 Dec 2016 17:14:37 +0000
Subject: [midPoint] Unassignement ?
In-Reply-To: <4796a3f0-94d9-e776-1881-2dbc5ddcd8b0@evolveum.com>
References: <0E125049-578B-415E-B525-4FCDCBD2564E@univ-lyon1.fr>
 <f546fa78-c72e-846f-f9fd-a5ae8a4ecc58@evolveum.com>
 <0B29FE34-EED1-4AAF-934D-8B45265C2A24@univ-lyon1.fr>
 <4796a3f0-94d9-e776-1881-2dbc5ddcd8b0@evolveum.com>
Message-ID: <87F4480D-F568-4950-AAB9-E1939250BD72@univ-lyon1.fr>

We have this working now, it was a bit tricky as we had to deal with null values from extension user attributes we use to store validity dates by role. we don’t exactly understand why, but it’s working.

The next step is  updating validity dates of an assignment with the dates which could be updated upstreams, in our HR system for a reconduction of a staff contract for example.

For now, we use objectTemplate to assign role to user but as we understand, objectTemplates are useful only during the user creation time.

When the user already exists, could we update validity dates of an assignment when running a simple reconcile ? Do we have to write code in inbound mapping of the validity dates in order to retrieve the assignment for the current user and a specific role, and then update the dates ?

Thanks !



> Le 20 déc. 2016 à 11:40, Pavol Mederly <mederly at evolveum.com> a écrit :
> 
> Vincent,
> 
> assignmentTargetSearch most probably does not allow to set the dates. In the code it is quite straightforward:
> 
> ActivationType act = ...
> act.setValidFrom(...)
> act.setValidTo(...)
> assignment.setActivation(act)
> 
> Pavol Mederly
> Software developer
> evolveum.com
> On 20.12.2016 11:32, HURTEVENT VINCENT wrote:
>> Hi Ivan,
>> 
>> Thank you for your answer,
>> 
>> We would like to deal with account lifecycle with the rules and validity dates applied to assignment.
>> How could we write our objectTemplate mapping to apply these dates ?
>> 
>> Could we do this directly using expression and assignmentTargetSearch or do we have to do this with script code as we begin to do in this snippet :
>> 
>> http://pastebin.com/ftsgzvZs <http://pastebin.com/ftsgzvZs>
>> 
>> Is there a method to set the validity dates ? Like assignment.setValidityFrom or something like that ?
>> 
>> Thanks !
>> 
>> 
>> 
>>> Le 14 déc. 2016 à 11:42, Ivan Noris <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> a écrit :
>>> 
>>> Hi,
>>> 
>>> by default, if you unassign (last) role which represents the account, the account would be deleted.
>>> 
>>> If you assign the roles automatically in object templates, by some condition e.g. employee status, it would work automatically.
>>> 
>>> On the other way midPoint can be configured to unassign roles, but not to delete the accounts, but disable them. Or disable them and delete later (in 30 days for example). See here: https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling%3A+Activation <https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling%3A+Activation>
>>> But if you wish to unassign all roles (regardless if they were assigned automatically by template or manually), this could be more complicated.
>>> 
>>> Ivan
>>> On 12/14/2016 11:04 AM, HURTEVENT VINCENT wrote:
>>>> Hello,
>>>> 
>>>> We’re working on a PoC for our university with the creation of directories accounts with the informations provided by our upstream ressources (HR and student information systems).
>>>> 
>>>> As many of our people have several profiles, mainly staff and student, it appears that working with intent is a good solution. So we began to write our process : one user, several intent, and objectTemplates which define assignments which induce accounts in downstream directories.
>>>> 
>>>> When a people comes from upstream with a specific profile, for the exemple staff and student, we assign the staff Role and the student Role and the 2 accounts are well created in the downstream directories.
>>>> 
>>>> Now, we would like in reaction to a deleted situation in a specific upstream ressources, to keep the user in Midpoint but unassign roles and potentially assign specific roles which could lead to specific manipulation on accounts (disable on AD, modify attributes, etc).
>>>> 
>>>> We look at activation status but we don’t really understand how to use it with specific intent. Validity dates will be different between the staff contract dates and the student registration dates for example.
>>>> 
>>>> Is there a simple way to define in ressources, an unassign action in reaction to a deleted situation ?
>>>> 
>>>> Thank you,
>>>> 
>>>> 
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint <http://lists.evolveum.com/mailman/listinfo/midpoint>
>>> 
>>> -- 
>>> Ivan Noris
>>> Senior Identity Engineer
>>> evolveum.com <http://evolveum.com/>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>> http://lists.evolveum.com/mailman/listinfo/midpoint <http://lists.evolveum.com/mailman/listinfo/midpoint>
>> 
>> 
>> 
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint <http://lists.evolveum.com/mailman/listinfo/midpoint>
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/dd70bdd0/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3520 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/dd70bdd0/attachment.bin>

From m.benucci at nsr.it  Tue Dec 20 19:30:57 2016
From: m.benucci at nsr.it (Marco Benucci)
Date: Tue, 20 Dec 2016 19:30:57 +0100
Subject: [midPoint] Sync Virtual Identities and AD Groups using roles
In-Reply-To: <CAFkZXY4Yr+P9n7kmBFR_Y1NTGfP2y8r4LSUnJPNYdXaLmXK1XA@mail.gmail.com>
References: <d4dcf989-f030-49cb-f5db-8f2885e1ec7c@nsr.it>
 <CAFkZXY4Yr+P9n7kmBFR_Y1NTGfP2y8r4LSUnJPNYdXaLmXK1XA@mail.gmail.com>
Message-ID: <c30111f1-775c-4ee1-940f-8dca94d015d2@typeapp.com>

Hi, I was using the old ad connector because we are on midpoint 3.3.1... 

Moreover, I have only tested it during a reconciliation, because from now we are managing ad groups with midpoint....but I think it should work during livesync. Have you got troubles? 

Inviato da BlueMail ​

Il giorno 20 dic 2016, 15:44, alle ore 15:44, Jason Everling <jeverling at bshp.edu> ha scritto:
>Quick question, I am assuming you are using the AD-LDAP connector
>(ri:memberOf), does inbound work during live sync or just during
>reconcile?
>
>Thanks!
>JASON
>
>
>
>On Tue, Dec 20, 2016 at 4:10 AM, Marco Benucci <m.benucci at nsr.it>
>wrote:
>
>> I have successfully aligned AD entitlement on midpoint users using a
>2
>> step approach.
>>
>>
>> Firstly I have made an inbound mapping of the attribute memberOf in
>an
>> extension and multivalue attribute.
>>
>> Then, with an object template I have used the assignmentTargetSearch
>to
>> assign midpoint roles (my AD entitlement) to the user based on the
>> attribute mentioned above. I thought it could be possible to use the
>> assignmentTargetSearch even in inbound mapping on the resource, but I
>did
>> not tested it.
>>
>> Thank you,
>> Marco
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>midPoint mailing list
>midPoint at lists.evolveum.com
>http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/54af2bf5/attachment.htm>

From jeverling at bshp.edu  Tue Dec 20 20:11:20 2016
From: jeverling at bshp.edu (Jason Everling)
Date: Tue, 20 Dec 2016 13:11:20 -0600
Subject: [midPoint] Sync Virtual Identities and AD Groups using roles
In-Reply-To: <c30111f1-775c-4ee1-940f-8dca94d015d2@typeapp.com>
References: <d4dcf989-f030-49cb-f5db-8f2885e1ec7c@nsr.it>
 <CAFkZXY4Yr+P9n7kmBFR_Y1NTGfP2y8r4LSUnJPNYdXaLmXK1XA@mail.gmail.com>
 <c30111f1-775c-4ee1-940f-8dca94d015d2@typeapp.com>
Message-ID: <CAFkZXY719uyy9BpeOL93ZVjuBY8FsgzO7mMpsYhAYcxRN5N=TA@mail.gmail.com>

hmm... so, I am guessing then you added memberOf to the .net xml? I am
using icfs:groups and that maybe could be why then it doesn't work on
livesync, I didn't think to just add the virtual attribute,

So did you use the below?

            <AttributeInfo name="memberOf" type="String">
                <AttributeInfoFlag value="MULTIVALUED"/>
            </AttributeInfo>

JASON

On Tue, Dec 20, 2016 at 12:30 PM, Marco Benucci <m.benucci at nsr.it> wrote:

> Hi, I was using the old ad connector because we are on midpoint 3.3.1...
>
> Moreover, I have only tested it during a reconciliation, because from now
> we are managing ad groups with midpoint....but I think it should work
> during livesync. Have you got troubles?
>
> Inviato da BlueMail <http://www.bluemail.me/r>
> Il giorno 20 dic 2016, alle ore 15:44, Jason Everling <jeverling at bshp.edu>
> ha scritto:
>>
>> Quick question, I am assuming you are using the AD-LDAP connector
>> (ri:memberOf), does inbound work during live sync or just during reconcile?
>>
>> Thanks!
>> JASON
>>
>>
>>
>> On Tue, Dec 20, 2016 at 4:10 AM, Marco Benucci <m.benucci at nsr.it> wrote:
>>
>>> I have successfully aligned AD entitlement on midpoint users using a 2
>>> step approach.
>>>
>>>
>>> Firstly I have made an inbound mapping of the attribute memberOf in an
>>> extension and multivalue attribute.
>>>
>>> Then, with an object template I have used the assignmentTargetSearch to
>>> assign midpoint roles (my AD entitlement) to the user based on the
>>> attribute mentioned above. I thought it could be possible to use the
>>> assignmentTargetSearch even in inbound mapping on the resource, but I
>>> did not tested it.
>>>
>>> Thank you,
>>> Marco
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>> ------------------------------
>>
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/ea13e97b/attachment.htm>

From m.benucci at nsr.it  Tue Dec 20 20:29:20 2016
From: m.benucci at nsr.it (Marco Benucci)
Date: Tue, 20 Dec 2016 20:29:20 +0100
Subject: [midPoint] Sync Virtual Identities and AD Groups using roles
In-Reply-To: <CAFkZXY719uyy9BpeOL93ZVjuBY8FsgzO7mMpsYhAYcxRN5N=TA@mail.gmail.com>
References: <d4dcf989-f030-49cb-f5db-8f2885e1ec7c@nsr.it>
 <CAFkZXY4Yr+P9n7kmBFR_Y1NTGfP2y8r4LSUnJPNYdXaLmXK1XA@mail.gmail.com>
 <c30111f1-775c-4ee1-940f-8dca94d015d2@typeapp.com>
 <CAFkZXY719uyy9BpeOL93ZVjuBY8FsgzO7mMpsYhAYcxRN5N=TA@mail.gmail.com>
Message-ID: <ad2b1576-83f4-4720-994c-2629fa59ba14@typeapp.com>

Oh, I'm very sorry... 
Theese days I'm working with 2 ldap and I frequently refer to ad groups using the ldap memberof... ⁣
So, I have done what I have described previously using the icfs:groups from the ad connector. 

For a quick and dirty work, you could use an inbound mapping on the employeeType attribute without have to restart the application. I have used a simple inbound mapping, no expression. 

Inviato da BlueMail ​

Il giorno 20 dic 2016, 20:17, alle ore 20:17, Jason Everling <jeverling at bshp.edu> ha scritto:
>hmm... so, I am guessing then you added memberOf to the .net xml? I am
>using icfs:groups and that maybe could be why then it doesn't work on
>livesync, I didn't think to just add the virtual attribute,
>
>So did you use the below?
>
>            <AttributeInfo name="memberOf" type="String">
>                <AttributeInfoFlag value="MULTIVALUED"/>
>            </AttributeInfo>
>
>JASON
>
>On Tue, Dec 20, 2016 at 12:30 PM, Marco Benucci <m.benucci at nsr.it>
>wrote:
>
>> Hi, I was using the old ad connector because we are on midpoint
>3.3.1...
>>
>> Moreover, I have only tested it during a reconciliation, because from
>now
>> we are managing ad groups with midpoint....but I think it should work
>> during livesync. Have you got troubles?
>>
>> Inviato da BlueMail <http://www.bluemail.me/r>
>> Il giorno 20 dic 2016, alle ore 15:44, Jason Everling
><jeverling at bshp.edu>
>> ha scritto:
>>>
>>> Quick question, I am assuming you are using the AD-LDAP connector
>>> (ri:memberOf), does inbound work during live sync or just during
>reconcile?
>>>
>>> Thanks!
>>> JASON
>>>
>>>
>>>
>>> On Tue, Dec 20, 2016 at 4:10 AM, Marco Benucci <m.benucci at nsr.it>
>wrote:
>>>
>>>> I have successfully aligned AD entitlement on midpoint users using
>a 2
>>>> step approach.
>>>>
>>>>
>>>> Firstly I have made an inbound mapping of the attribute memberOf in
>an
>>>> extension and multivalue attribute.
>>>>
>>>> Then, with an object template I have used the
>assignmentTargetSearch to
>>>> assign midpoint roles (my AD entitlement) to the user based on the
>>>> attribute mentioned above. I thought it could be possible to use
>the
>>>> assignmentTargetSearch even in inbound mapping on the resource, but
>I
>>>> did not tested it.
>>>>
>>>> Thank you,
>>>> Marco
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>> ------------------------------
>>>
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>midPoint mailing list
>midPoint at lists.evolveum.com
>http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/64d57bfb/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Tue Dec 20 21:04:16 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Tue, 20 Dec 2016 21:04:16 +0100
Subject: [midPoint] ScriptedSQL connector: multiple group types
In-Reply-To: <87988ade-e2d3-10ee-9c51-d473eb7b8d8b@evolveum.com>
References: <2521722.bqbaDruVeg@skygge-pc>
 <2a34b2fd-4a2b-b4af-8ef5-0ef1aac08d41@diagnostyka.pl>
 <87988ade-e2d3-10ee-9c51-d473eb7b8d8b@evolveum.com>
Message-ID: <4664728.Tpi2V9YQTm@skygge-pc>

OK, thanks for advice.
This must be something like LDAP group membership when each group is time restricted.
If it can be done by activation - that's awesome.

Dnia wtorek, 20 grudnia 2016 17:18:15 CET Pavol Mederly pisze:
> Wojciech,
> 
> as discussed today on this list: in midPoint this is represented by the 
> activation item (specifically, its validFrom/validTo properties) 
> residing in the user's assignment (pointing to given role).
> 
> Pavol Mederly
> Software developer
> evolveum.com
> 
> On 20.12.2016 16:44, Wojciech Staszewski wrote:
> > Hello again!
> >
> > It is possibe and how to configure group membership (association), each with different time constraints?
> > User may have assigned multiple "workplaces", each workplace must have it's own time constraint. Example:
> > user "jdoe" has:
> > - workplace "Serology lab 1" from 2015.04.01 to 2016.12.31
> > - workplace "Microbiology lab 2" from 2015.05.05 to 2017.05.05
> > - and workplace "Analytics lab 1" from 2012.01.01 to 2020.12.31
> >
> > Is that possible to do?
> > Best regards,
> > WS
> >
> > W dniu 19.12.2016 o 21:53, Wojciech Staszewski pisze:
> >> Thanks!
> >>
> >> So then, it shouldn't be so hard.
> >> Best regards!
> >>
> >> Dnia poniedziałek, 19 grudnia 2016 20:38:42 CET Pavol Mederly pisze:
> >>> Wojciech,
> >>>
> >>> I think your original idea is OK. You can create multiple types - i.e.
> >>> object classes - in SchemaScript for your groups. Like Group1, Group2,
> >>> ..., BlueGroup, RedGroup, GreenGroup, ..., DatabaseRole,
> >>> ApplicationModule, Workplace. Anything you want. As soon as you
> >>> consistently refer to them in all your scripts.
> >>>
> >>> And yes, you then map these object classes to midPoint terms:
> >>> kind/intent; kind being entitlement in this case, and intents as you
> >>> like. For example, databaseRole, applicationModule, or workplace.
> >>>
> >>> Pavol Mederly
> >>> Software developer
> >>> evolveum.com
> >>>
> >>> On 19.12.2016 20:25, Wojciech Staszewski wrote:
> >>>> Hello!
> >>>>
> >>>> Jokes are over. My first scriptedSQL connector works like a charm (Zabbix account with group membership), so it is time for something more sophisticated.
> >>>> I've got a system, where user's access rights are set by 3 different memberships.
> >>>> First membership are database roles.
> >>>> Second are application modules available for user.
> >>>> Third type are "workplaces" (with time constraints).
> >>>> These 3 memberships are independent, each user can have for example 3 roles, 12 enabled modules and 5 workplaces.
> >>>>
> >>>> I thought that I can do multiple group types in SchemaScript and distinguish them by "intent".
> >>>> But I can't do this. I can declare only 1 CustomGroupObjectClass...
> >>>> Any advice? Thanks and regards,
> >>>> WS :)
> >>>>
> >>>> _______________________________________________
> >>>> midPoint mailing list
> >>>> midPoint at lists.evolveum.com
> >>>> http://lists.evolveum.com/mailman/listinfo/midpoint
> >>> _______________________________________________
> >>> midPoint mailing list
> >>> midPoint at lists.evolveum.com
> >>> http://lists.evolveum.com/mailman/listinfo/midpoint
> >>>
> >>
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> 


-- 
Wojciech Staszewski
Administrator Systemów Sieciowych
Dział IT
DIAGNOSTYKA 
Spółka z ograniczoną odpowiedzialnością 
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
tel.: +48 12 295 01 00
fax: +48 12 295 01 02 
tel. kom: 663 680 236
www.diag.pl
DIAGNOSTYKA Spółka z ograniczoną odpowiedzialnością ul. Prof. M. Życzkowskiego 16, 31-864 Kraków; 
KRS: Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy Krajowego KRS: 0000381559; NIP: 675-12-65-009; REGON: 356366975, Kapitał zakładowy: 33 252 500 zł.


From jeverling at bshp.edu  Tue Dec 20 22:41:21 2016
From: jeverling at bshp.edu (Jason Everling)
Date: Tue, 20 Dec 2016 15:41:21 -0600
Subject: [midPoint] Sync Virtual Identities and AD Groups using roles
In-Reply-To: <ad2b1576-83f4-4720-994c-2629fa59ba14@typeapp.com>
References: <d4dcf989-f030-49cb-f5db-8f2885e1ec7c@nsr.it>
 <CAFkZXY4Yr+P9n7kmBFR_Y1NTGfP2y8r4LSUnJPNYdXaLmXK1XA@mail.gmail.com>
 <c30111f1-775c-4ee1-940f-8dca94d015d2@typeapp.com>
 <CAFkZXY719uyy9BpeOL93ZVjuBY8FsgzO7mMpsYhAYcxRN5N=TA@mail.gmail.com>
 <ad2b1576-83f4-4720-994c-2629fa59ba14@typeapp.com>
Message-ID: <CAFkZXY5kcj_2efNK4n+usb=-DBnDVzQr5WXmv3=X-Pen_pDACQ@mail.gmail.com>

It ok, I tested it out anyways with memberOf, but it still does not work
during livesync, only reconcile :( . Which is ok for now

JASON

On Tue, Dec 20, 2016 at 1:29 PM, Marco Benucci <m.benucci at nsr.it> wrote:

> Oh, I'm very sorry...
> Theese days I'm working with 2 ldap and I frequently refer to ad groups
> using the ldap memberof...
> So, I have done what I have described previously using the icfs:groups
> from the ad connector.
>
> For a quick and dirty work, you could use an inbound mapping on the
> employeeType attribute without have to restart the application. I have used
> a simple inbound mapping, no expression.
>
> Inviato da BlueMail <http://www.bluemail.me/r>
> Il giorno 20 dic 2016, alle ore 20:17, Jason Everling <jeverling at bshp.edu>
> ha scritto:
>>
>> hmm... so, I am guessing then you added memberOf to the .net xml? I am
>> using icfs:groups and that maybe could be why then it doesn't work on
>> livesync, I didn't think to just add the virtual attribute,
>>
>> So did you use the below?
>>
>>             <AttributeInfo name="memberOf" type="String">
>>                 <AttributeInfoFlag value="MULTIVALUED"/>
>>             </AttributeInfo>
>>
>> JASON
>>
>> On Tue, Dec 20, 2016 at 12:30 PM, Marco Benucci <m.benucci at nsr.it> wrote:
>>
>>> Hi, I was using the old ad connector because we are on midpoint 3.3.1...
>>>
>>> Moreover, I have only tested it during a reconciliation, because from
>>> now we are managing ad groups with midpoint....but I think it should work
>>> during livesync. Have you got troubles?
>>>
>>> Inviato da BlueMail <http://www.bluemail.me/r>
>>> Il giorno 20 dic 2016, alle ore 15:44, Jason Everling <
>>> jeverling at bshp.edu> ha scritto:
>>>>
>>>> Quick question, I am assuming you are using the AD-LDAP connector
>>>> (ri:memberOf), does inbound work during live sync or just during reconcile?
>>>>
>>>> Thanks!
>>>> JASON
>>>>
>>>>
>>>>
>>>> On Tue, Dec 20, 2016 at 4:10 AM, Marco Benucci <m.benucci at nsr.it>
>>>> wrote:
>>>>
>>>>> I have successfully aligned AD entitlement on midpoint users using a 2
>>>>> step approach.
>>>>>
>>>>>
>>>>> Firstly I have made an inbound mapping of the attribute memberOf in an
>>>>> extension and multivalue attribute.
>>>>>
>>>>> Then, with an object template I have used the assignmentTargetSearch
>>>>> to assign midpoint roles (my AD entitlement) to the user based on the
>>>>> attribute mentioned above. I thought it could be possible to use the
>>>>> assignmentTargetSearch even in inbound mapping on the resource, but I
>>>>> did not tested it.
>>>>>
>>>>> Thank you,
>>>>> Marco
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>> ------------------------------
>>>>
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>> ------------------------------
>>
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161220/483f02f3/attachment.htm>

From legeech at inbox.ru  Wed Dec 21 07:17:02 2016
From: legeech at inbox.ru (=?UTF-8?B?b2xlZyBva3VuZXY=?=)
Date: Wed, 21 Dec 2016 09:17:02 +0300
Subject: [midPoint] =?utf-8?q?attributeOrValueExists_ERROR_LDAP?=
Message-ID: <1482301022.505386634@f434.i.mail.ru>


Hello.

Strange problem i get when trying to modify decription in user which have link to AD account
config of schema handling

<attribute>
    <ref>ri:description</ref>
       <outbound>
         <source>
             <path>description</path>
         </source>
       </outbound>
       <inbound>
         <target>
             <path>description</path>
         </target>
       </inbound>
</attribute>
Preview changes

Modify   User   Archangel Gabriel   (Gabriel)
 
Item Old value New value
Description New Desc New Desc NEW

Secondary changes: 2 objects
 
Modify   User   Archangel Gabriel   (Gabriel)
 
Item Old value New value
Description New Desc New Desc NEW
Modify   Shadow   CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru
 
Item Value
resourceRef   Active Directory Medusa (LDAPS) v2
kind ACCOUNT
intent default
Modify   attributes
 
Item Old value New value
description   New Desc NEW

GOT this ERROR

Schema violation during processing shadow: 
shadow: CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru (OID:92d4a278-8d4f-46a3-af88-56bdf8529a95): 
Schema violation: Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error modifying LDAP entry CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru: [add:description: New Desc Second,]: attributeOrValueExists: 00002081: AtrErr: DSID-030F154F, #1:??0: 00002081: DSID-030F154F, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att d (description)?? (20)): it looks like midpoint trying to add NEW attribute - i cant understand why not modify existing attribute value

I know it must be simple but i trying to search and failed(((
i got 3 object classes : user group and OU

and one more thing 
after error decription is different - in user new - in AD old
if i make reconcile -  in AD it became emty
and after that any first decription  writes well in AD.



-- 
oleg okunev
----------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161221/be6431ee/attachment.htm>

From vincent.hurtevent at univ-lyon1.fr  Wed Dec 21 10:35:24 2016
From: vincent.hurtevent at univ-lyon1.fr (HURTEVENT VINCENT)
Date: Wed, 21 Dec 2016 09:35:24 +0000
Subject: [midPoint] Unassignement ?
In-Reply-To: <87F4480D-F568-4950-AAB9-E1939250BD72@univ-lyon1.fr>
References: <0E125049-578B-415E-B525-4FCDCBD2564E@univ-lyon1.fr>
 <f546fa78-c72e-846f-f9fd-a5ae8a4ecc58@evolveum.com>
 <0B29FE34-EED1-4AAF-934D-8B45265C2A24@univ-lyon1.fr>
 <4796a3f0-94d9-e776-1881-2dbc5ddcd8b0@evolveum.com>
 <87F4480D-F568-4950-AAB9-E1939250BD72@univ-lyon1.fr>
Message-ID: <4D70587D-8035-4878-A527-295BB5280409@univ-lyon1.fr>

I answer my own question and ask a new one :)

When using livesync we enter in the objectTemplate and targets are well updated including validity dates of an unassignment.
Cool !

But, when we update from expired assignment validity dates to valid dates, the target account induced by the assignment is created, but if we update from valid dates to expired dates, the target account is not deleted unless we manually trigger a reconcile on the user.

We already set reconcile at true on all objectSynchronization situations on the upstream and downstream ressource.

Do we have to enforce reconcile elsewhere ?



> Le 20 déc. 2016 à 18:14, HURTEVENT VINCENT <vincent.hurtevent at univ-lyon1.fr> a écrit :
> 
> We have this working now, it was a bit tricky as we had to deal with null values from extension user attributes we use to store validity dates by role. we don’t exactly understand why, but it’s working.
> 
> The next step is  updating validity dates of an assignment with the dates which could be updated upstreams, in our HR system for a reconduction of a staff contract for example.
> 
> For now, we use objectTemplate to assign role to user but as we understand, objectTemplates are useful only during the user creation time.
> 
> When the user already exists, could we update validity dates of an assignment when running a simple reconcile ? Do we have to write code in inbound mapping of the validity dates in order to retrieve the assignment for the current user and a specific role, and then update the dates ?
> 
> Thanks !
> 
> 
> 
>> Le 20 déc. 2016 à 11:40, Pavol Mederly <mederly at evolveum.com <mailto:mederly at evolveum.com>> a écrit :
>> 
>> Vincent,
>> 
>> assignmentTargetSearch most probably does not allow to set the dates. In the code it is quite straightforward:
>> 
>> ActivationType act = ...
>> act.setValidFrom(...)
>> act.setValidTo(...)
>> assignment.setActivation(act)
>> 
>> Pavol Mederly
>> Software developer
>> evolveum.com <http://evolveum.com/>
>> On 20.12.2016 11:32, HURTEVENT VINCENT wrote:
>>> Hi Ivan,
>>> 
>>> Thank you for your answer,
>>> 
>>> We would like to deal with account lifecycle with the rules and validity dates applied to assignment.
>>> How could we write our objectTemplate mapping to apply these dates ?
>>> 
>>> Could we do this directly using expression and assignmentTargetSearch or do we have to do this with script code as we begin to do in this snippet :
>>> 
>>> http://pastebin.com/ftsgzvZs <http://pastebin.com/ftsgzvZs>
>>> 
>>> Is there a method to set the validity dates ? Like assignment.setValidityFrom or something like that ?
>>> 
>>> Thanks !
>>> 
>>> 
>>> 
>>>> Le 14 déc. 2016 à 11:42, Ivan Noris <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> a écrit :
>>>> 
>>>> Hi,
>>>> 
>>>> by default, if you unassign (last) role which represents the account, the account would be deleted.
>>>> 
>>>> If you assign the roles automatically in object templates, by some condition e.g. employee status, it would work automatically.
>>>> 
>>>> On the other way midPoint can be configured to unassign roles, but not to delete the accounts, but disable them. Or disable them and delete later (in 30 days for example). See here: https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling%3A+Activation <https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling%3A+Activation>
>>>> But if you wish to unassign all roles (regardless if they were assigned automatically by template or manually), this could be more complicated.
>>>> 
>>>> Ivan
>>>> On 12/14/2016 11:04 AM, HURTEVENT VINCENT wrote:
>>>>> Hello,
>>>>> 
>>>>> We’re working on a PoC for our university with the creation of directories accounts with the informations provided by our upstream ressources (HR and student information systems).
>>>>> 
>>>>> As many of our people have several profiles, mainly staff and student, it appears that working with intent is a good solution. So we began to write our process : one user, several intent, and objectTemplates which define assignments which induce accounts in downstream directories.
>>>>> 
>>>>> When a people comes from upstream with a specific profile, for the exemple staff and student, we assign the staff Role and the student Role and the 2 accounts are well created in the downstream directories.
>>>>> 
>>>>> Now, we would like in reaction to a deleted situation in a specific upstream ressources, to keep the user in Midpoint but unassign roles and potentially assign specific roles which could lead to specific manipulation on accounts (disable on AD, modify attributes, etc).
>>>>> 
>>>>> We look at activation status but we don’t really understand how to use it with specific intent. Validity dates will be different between the staff contract dates and the student registration dates for example.
>>>>> 
>>>>> Is there a simple way to define in ressources, an unassign action in reaction to a deleted situation ?
>>>>> 
>>>>> Thank you,
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint <http://lists.evolveum.com/mailman/listinfo/midpoint>
>>>> 
>>>> -- 
>>>> Ivan Noris
>>>> Senior Identity Engineer
>>>> evolveum.com <http://evolveum.com/>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint <http://lists.evolveum.com/mailman/listinfo/midpoint>
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>> http://lists.evolveum.com/mailman/listinfo/midpoint <http://lists.evolveum.com/mailman/listinfo/midpoint>
>> 
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161221/7200b91a/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3520 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161221/7200b91a/attachment.bin>

From wojciech.staszewski at diagnostyka.pl  Wed Dec 21 13:03:36 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Wed, 21 Dec 2016 13:03:36 +0100
Subject: [midPoint] attributeOrValueExists ERROR LDAP
In-Reply-To: <1482301022.505386634@f434.i.mail.ru>
References: <1482301022.505386634@f434.i.mail.ru>
Message-ID: <baff7d13-cf76-504f-3d1f-c58fb1874e80@diagnostyka.pl>

I have the same issue with LDAP with attributes from some objectclasses (e.g. SambaSamAccount).
And when I'm using my own custom auxiliary objectclass (OC), Midpoint tries to add this objectclass to LDAP accounts which already have this OC and I got errors.
I temoprary removed these OC from schema and don't use attributes from them.


W dniu 21.12.2016 o 07:17, oleg okunev pisze:
> Hello.
> 
> Strange problem i get when trying to modify decription in user which have link to AD account
> config of schema handling
> 
> <attribute>
>     <ref>ri:description</ref>
>        <outbound>
>          <source>
>              <path>description</path>
>          </source>
>        </outbound>
>        <inbound>
>          <target>
>              <path>description</path>
>          </target>
>        </inbound>
> </attribute>
> 
> 
> *Preview changes*
> 
> 
>       Modify User Archangel Gabriel (Gabriel)
> 
>  
> Item	Old value	New value
> Description	New Desc	New Desc NEW
> 
> 
> 
>       Secondary changes: 2 objects
> 
>  
> 
> 
>       Modify User Archangel Gabriel (Gabriel)
> 
>  
> Item	Old value	New value
> Description	New Desc	New Desc NEW
> 
> 
>       Modify Shadow CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru
> 
>  
> Item	Value
> resourceRef	 Active Directory Medusa (LDAPS) v2
> kind	ACCOUNT
> intent	default
> 
> 
>       Modify attributes
> 
>  
> Item	Old value	New value
> description	 	New Desc NEW
> 
> 
> 
> GOT this ERROR
> 
> Schema violation during processing shadow:
> shadow: CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru (OID:92d4a278-8d4f-46a3-af88-56bdf8529a95):
> Schema violation: Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error modifying LDAP entry CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru: [add:description: New Desc Second,]: attributeOrValueExists: 00002081: AtrErr: DSID-030F154F, #1:??0: 00002081: DSID-030F154F, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att d (description)?? (20)):
> 
> it looks like midpoint trying to add NEW attribute - i cant understand why not modify existing attribute value
> 
> I know it must be simple but i trying to search and failed(((
> i got 3 object classes : user group and OU
> 
> and one more thing
> after error decription is different - in user new - in AD old
> if i make reconcile -  in AD it became emty
> and after that any first decription  writes well in AD.
> 
> 
> 
> -- 
> oleg okunev
> 
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy KRS)
NIP: 675-12-65-009; REGON: 356366975
Kapitał zakładowy: 33 756 500 zł.

Pomyśl o środowisku zanim wydrukujesz ten e-mail.


From legeech at inbox.ru  Wed Dec 21 13:44:30 2016
From: legeech at inbox.ru (=?UTF-8?B?b2xlZyBva3VuZXY=?=)
Date: Wed, 21 Dec 2016 15:44:30 +0300
Subject: [midPoint] =?utf-8?q?attributeOrValueExists_ERROR_LDAP?=
In-Reply-To: <baff7d13-cf76-504f-3d1f-c58fb1874e80@diagnostyka.pl>
References: <1482301022.505386634@f434.i.mail.ru>
 <baff7d13-cf76-504f-3d1f-c58fb1874e80@diagnostyka.pl>
Message-ID: <1482324270.365423911@f391.i.mail.ru>

Hi!
But I do not use custom class

i use this 
<schema>
  <generationConstraints>
   <generateObjectClass>ri:user</generateObjectClass>
   <generateObjectClass>ri:group</generateObjectClass>
   <generateObjectClass>ri:organizationalUnit</generateObjectClass>
  </generationConstraints> 
</schema>



>Среда, 21 декабря 2016, 15:03 +03:00 от Wojciech Staszewski <wojciech.staszewski at diagnostyka.pl>:
>
>I have the same issue with LDAP with attributes from some objectclasses (e.g. SambaSamAccount).
>And when I'm using my own custom auxiliary objectclass (OC), Midpoint tries to add this objectclass to LDAP accounts which already have this OC and I got errors.
>I temoprary removed these OC from schema and don't use attributes from them.
>
>
>W dniu 21.12.2016 o 07:17, oleg okunev pisze:
>> Hello.
>> 
>> Strange problem i get when trying to modify decription in user which have link to AD account
>> config of schema handling
>> 
>> <attribute>
>>     <ref>ri:description</ref>
>>        <outbound>
>>          <source>
>>              <path>description</path>
>>          </source>
>>        </outbound>
>>        <inbound>
>>          <target>
>>              <path>description</path>
>>          </target>
>>        </inbound>
>> </attribute>
>> 
>> 
>> *Preview changes*
>> 
>> 
>>       Modify User Archangel Gabriel (Gabriel)
>> 
>> 
>> Item	Old value	New value
>> Description	New Desc	New Desc NEW
>> 
>> 
>> 
>>       Secondary changes: 2 objects
>> 
>> 
>> 
>> 
>>       Modify User Archangel Gabriel (Gabriel)
>> 
>> 
>> Item	Old value	New value
>> Description	New Desc	New Desc NEW
>> 
>> 
>>       Modify Shadow CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru
>> 
>> 
>> Item	Value
>> resourceRef	 Active Directory Medusa (LDAPS) v2
>> kind	ACCOUNT
>> intent	default
>> 
>> 
>>       Modify attributes
>> 
>> 
>> Item	Old value	New value
>> description	 	New Desc NEW
>> 
>> 
>> 
>> GOT this ERROR
>> 
>> Schema violation during processing shadow:
>> shadow: CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru (OID:92d4a278-8d4f-46a3-af88-56bdf8529a95):
>> Schema violation: Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error modifying LDAP entry CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru: [add:description: New Desc Second,]: attributeOrValueExists: 00002081: AtrErr: DSID-030F154F, #1:??0: 00002081: DSID-030F154F, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att d (description)?? (20)):
>> 
>> it looks like midpoint trying to add NEW attribute - i cant understand why not modify existing attribute value
>> 
>> I know it must be simple but i trying to search and failed(((
>> i got 3 object classes : user group and OU
>> 
>> and one more thing
>> after error decription is different - in user new - in AD old
>> if i make reconcile -  in AD it became emty
>> and after that any first decription  writes well in AD.
>> 
>> 
>> 
>> -- 
>> oleg okunev
>> 
>> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>> 
>> 
>> _______________________________________________
>> midPoint mailing list
>>  midPoint at lists.evolveum.com
>>  http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy KRS)
>NIP: 675-12-65-009; REGON: 356366975
>Kapitał zakładowy: 33 756 500 zł.
>
>Pomyśl o środowisku zanim wydrukujesz ten e-mail.
>_______________________________________________
>midPoint mailing list
>midPoint at lists.evolveum.com
>http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161221/c6aafa2b/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Wed Dec 21 14:12:32 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Wed, 21 Dec 2016 14:12:32 +0100
Subject: [midPoint] - How to connect file server
 (Linux+Samba+LDAP+smbldaptools)?
Message-ID: <9eea31bf-3ee1-4b89-f6f1-897a156845c7@diagnostyka.pl>

Hello!

I'm thinking how to connect my file server to Midpoint for accounts/groups management. It's Linux with OpenLDAP and Samba and smbldaptools...
LDAP connector? I don't think so, because every created user gets homedir on Samba, it must be created on filesystem.
Unix connector? This is not a solution as well. Managing accounts is done by smbldaptools (smbldap-useradd, smbldap-passwd, smbldap-usermod, smbldap-groupadd and so...), not by default Linux commands.

Maybe Commandline scripted connector?

Anyone has some experience with this and got some hints for me?
Thanks, regards,
WS


From roman.pudil at ami.cz  Wed Dec 21 14:23:38 2016
From: roman.pudil at ami.cz (Roman Pudil - AMI Praha a.s.)
Date: Wed, 21 Dec 2016 13:23:38 +0000
Subject: [midPoint] attributeOrValueExists ERROR LDAP
In-Reply-To: <baff7d13-cf76-504f-3d1f-c58fb1874e80@diagnostyka.pl>
References: <1482301022.505386634@f434.i.mail.ru>
 <baff7d13-cf76-504f-3d1f-c58fb1874e80@diagnostyka.pl>
Message-ID: <emb0eddf11-4646-4411-8be5-c6c0f1970472@rpudil-dell7440>

Hi,

there is some interesting behavior: Attribute ri:description seems to be 
multivalued (see the schema section in AD resource definition), but 
attribute is single-valued.

Workaround - use limitations on "ri:description" attribute in schema 
handling section:

          <attribute>
            <c:ref>ri:description</c:ref>
            <displayName>Description</displayName>
            <limitations>
        	        	<maxOccurs>1</maxOccurs>
			            </limitations>
            <outbound>
             .......


Regards


Roman Pudil
solution architect

gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz




<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za 
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít 
výhradně písemnou formu.



------ Původní zpráva ------
Od: "Wojciech Staszewski" <wojciech.staszewski at diagnostyka.pl>
Komu: midpoint at lists.evolveum.com
Odesláno: 21.12.2016 13:03:36
Předmět: Re: [midPoint] attributeOrValueExists ERROR LDAP

>I have the same issue with LDAP with attributes from some objectclasses 
>(e.g. SambaSamAccount).
>And when I'm using my own custom auxiliary objectclass (OC), Midpoint 
>tries to add this objectclass to LDAP accounts which already have this 
>OC and I got errors.
>I temoprary removed these OC from schema and don't use attributes from 
>them.
>
>
>W dniu 21.12.2016 o 07:17, oleg okunev pisze:
>>  Hello.
>>
>>  Strange problem i get when trying to modify decription in user which 
>>have link to AD account
>>  config of schema handling
>>
>>  <attribute>
>>      <ref>ri:description</ref>
>>         <outbound>
>>           <source>
>>               <path>description</path>
>>           </source>
>>         </outbound>
>>         <inbound>
>>           <target>
>>               <path>description</path>
>>           </target>
>>         </inbound>
>>  </attribute>
>>
>>
>>  *Preview changes*
>>
>>
>>        Modify User Archangel Gabriel (Gabriel)
>>
>>
>>  Item	Old value	New value
>>  Description	New Desc	New Desc NEW
>>
>>
>>
>>        Secondary changes: 2 objects
>>
>>
>>
>>
>>        Modify User Archangel Gabriel (Gabriel)
>>
>>
>>  Item	Old value	New value
>>  Description	New Desc	New Desc NEW
>>
>>
>>        Modify Shadow CN=Archangel 
>>Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru
>>
>>
>>  Item	Value
>>  resourceRef	 Active Directory Medusa (LDAPS) v2
>>  kind	ACCOUNT
>>  intent	default
>>
>>
>>        Modify attributes
>>
>>
>>  Item	Old value	New value
>>  description	 	New Desc NEW
>>
>>
>>
>>  GOT this ERROR
>>
>>  Schema violation during processing shadow:
>>  shadow: CN=Archangel 
>>Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru 
>>(OID:92d4a278-8d4f-46a3-af88-56bdf8529a95):
>>  Schema violation: Invalid attribute: 
>>org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error 
>>modifying LDAP entry CN=Archangel 
>>Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru: [add:description: 
>>New Desc Second,]: attributeOrValueExists: 00002081: AtrErr: 
>>DSID-030F154F, #1:??0: 00002081: DSID-030F154F, problem 1006 
>>(ATT_OR_VALUE_EXISTS), data 0, Att d (description)?? (20)):
>>
>>  it looks like midpoint trying to add NEW attribute - i cant 
>>understand why not modify existing attribute value
>>
>>  I know it must be simple but i trying to search and failed(((
>>  i got 3 object classes : user group and OU
>>
>>  and one more thing
>>  after error decription is different - in user new - in AD old
>>  if i make reconcile - in AD it became emty
>>  and after that any first decription writes well in AD.
>>
>>
>>
>>  --
>>  oleg okunev
>>
>>  
>>--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>>
>>  _______________________________________________
>>  midPoint mailing list
>>  midPoint at lists.evolveum.com
>>  http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, 
>XI Wydział Gospodarczy KRS)
>NIP: 675-12-65-009; REGON: 356366975
>Kapitał zakładowy: 33 756 500 zł.
>
>Pomyśl o środowisku zanim wydrukujesz ten e-mail.
>_______________________________________________
>midPoint mailing list
>midPoint at lists.evolveum.com
>http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161221/3e646143/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4339 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161221/3e646143/attachment.bin>

From legeech at inbox.ru  Wed Dec 21 15:10:19 2016
From: legeech at inbox.ru (=?UTF-8?B?b2xlZyBva3VuZXY=?=)
Date: Wed, 21 Dec 2016 17:10:19 +0300
Subject: [midPoint] =?utf-8?q?attributeOrValueExists_ERROR_LDAP?=
In-Reply-To: <emb0eddf11-4646-4411-8be5-c6c0f1970472@rpudil-dell7440>
References: <1482301022.505386634@f434.i.mail.ru>
 <baff7d13-cf76-504f-3d1f-c58fb1874e80@diagnostyka.pl>
 <emb0eddf11-4646-4411-8be5-c6c0f1970472@rpudil-dell7440>
Message-ID: <1482329419.653810606@f351.i.mail.ru>

Hi

yes it is

<xsd:element 
maxOccurs=" unbounded "
minOccurs="0"
name="description"
type="xsd:string">
<xsd:annotation>
<xsd:appinfo>
<a:displayOrder>590</a:displayOrder>
<ra:nativeAttributeName>description</ra:nativeAttributeName>
<ra:frameworkAttributeName>description</ra:frameworkAttributeName>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>

intresting but sad.

Workaround WORKS. Thanks 



>Среда, 21 декабря 2016, 16:23 +03:00 от "Roman Pudil - AMI Praha a.s." <roman.pudil at ami.cz>:
>
>Hi,
>
>there is some interesting behavior:  Attribute ri:description seems to be multivalued (see the schema section in AD resource definition), but attribute is single-valued.
>
>Workaround - use limitations on "ri:description" attribute in schema handling section:
>
>         <attribute>
>           <c:ref>ri:description</c:ref>
>           <displayName>Description</displayName>
>           <limitations>
>       	        	<maxOccurs>1</maxOccurs>
>            </limitations>
>           <outbound>
>            .......
>
>
>Regards
>
>
>Roman Pudil
>solution architect
>
>gsm: [+420] 775 663 666
>e-mail:   roman.pudil at ami.cz        
>AMI Praha a.s.
>Pláničkova 11
>162 00 Praha 6
>tel./fax: [+420] 274 783 239
>web:   www.ami.cz        
>
>
>Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s.
>jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu.
>
>
>
>------ Původní zpráva ------
>Od: "Wojciech Staszewski" < wojciech.staszewski at diagnostyka.pl >
>Komu:  midpoint at lists.evolveum.com
>Odesláno: 21.12.2016 13:03:36
>Předmět: Re: [midPoint] attributeOrValueExists ERROR LDAP
>
>>I have the same issue with LDAP with attributes from some objectclasses (e.g. SambaSamAccount).
>>And when I'm using my own custom auxiliary objectclass (OC), Midpoint tries to add this objectclass to LDAP accounts which already have this OC and I got errors.
>>I temoprary removed these OC from schema and don't use attributes from them.
>> 
>> 
>>W dniu 21.12.2016 o 07:17, oleg okunev pisze:
>>> Hello.
>>> 
>>> Strange problem i get when trying to modify decription in user which have link to AD account
>>> config of schema handling
>>> 
>>> <attribute>
>>>     <ref>ri:description</ref>
>>>        <outbound>
>>>          <source>
>>>              <path>description</path>
>>>          </source>
>>>        </outbound>
>>>        <inbound>
>>>          <target>
>>>              <path>description</path>
>>>          </target>
>>>        </inbound>
>>> </attribute>
>>> 
>>> 
>>> *Preview changes*
>>> 
>>> 
>>>       Modify User Archangel Gabriel (Gabriel)
>>> 
>>>  
>>> Item	Old value	New value
>>> Description	New Desc	New Desc NEW
>>> 
>>> 
>>> 
>>>       Secondary changes: 2 objects
>>> 
>>>  
>>> 
>>> 
>>>       Modify User Archangel Gabriel (Gabriel)
>>> 
>>>  
>>> Item	Old value	New value
>>> Description	New Desc	New Desc NEW
>>> 
>>> 
>>>       Modify Shadow CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru
>>> 
>>>  
>>> Item	Value
>>> resourceRef	 Active Directory Medusa (LDAPS) v2
>>> kind	ACCOUNT
>>> intent	default
>>> 
>>> 
>>>       Modify attributes
>>> 
>>>  
>>> Item	Old value	New value
>>> description	 	New Desc NEW
>>> 
>>> 
>>> 
>>> GOT this ERROR
>>> 
>>> Schema violation during processing shadow:
>>> shadow: CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru (OID:92d4a278-8d4f-46a3-af88-56bdf8529a95):
>>> Schema violation: Invalid attribute: org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Error modifying LDAP entry CN=Archangel Gabriel,OU=Sky,OU=Earth,DC=abb-test,DC=akbars,DC=ru: [add:description: New Desc Second,]: attributeOrValueExists: 00002081: AtrErr: DSID-030F154F, #1:??0: 00002081: DSID-030F154F, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att d (description)?? (20)):
>>> 
>>> it looks like midpoint trying to add NEW attribute - i cant understand why not modify existing attribute value
>>> 
>>> I know it must be simple but i trying to search and failed(((
>>> i got 3 object classes : user group and OU
>>> 
>>> and one more thing
>>> after error decription is different - in user new - in AD old
>>> if i make reconcile -  in AD it became emty
>>> and after that any first decription  writes well in AD.
>>> 
>>> 
>>> 
>>> --
>>> oleg okunev
>>> 
>>> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>>> 
>>> 
>>> _______________________________________________
>>> midPoint mailing list
>>>  midPoint at lists.evolveum.com
>>>  http://lists.evolveum.com/mailman/listinfo/midpoint
>>> 
>>Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy KRS)
>>NIP: 675-12-65-009; REGON: 356366975
>>Kapitał zakładowy: 33 756 500 zł.
>> 
>>Pomyśl o środowisku zanim wydrukujesz ten e-mail.
>>_______________________________________________
>>midPoint mailing list
>>midPoint at lists.evolveum.com
>>http://lists.evolveum.com/mailman/listinfo/midpoint
>_______________________________________________
>midPoint mailing list
>midPoint at lists.evolveum.com
>http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161221/ee87928f/attachment.htm>

From ivan.noris at evolveum.com  Wed Dec 21 18:01:26 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 21 Dec 2016 18:01:26 +0100
Subject: [midPoint] - How to connect file server
 (Linux+Samba+LDAP+smbldaptools)?
In-Reply-To: <9eea31bf-3ee1-4b89-f6f1-897a156845c7@diagnostyka.pl>
References: <9eea31bf-3ee1-4b89-f6f1-897a156845c7@diagnostyka.pl>
Message-ID: <b198cfdb-b7cd-fa13-c9fd-7e0bd2c02fff@evolveum.com>

Hi Wojciech,

maybe the Command scripted connector, but it's very "simple" connector.
I may have real production skills for this in a few weeks (the customer
delayed one of the resource where this connector will be used).

I have not worked with Samba for years, but isn't there a possibility to
auto-create the homedirs after the LDAP record is created or when user
tries to login/map the drive or something like that?

Regards,

Ivan


On 12/21/2016 02:12 PM, Wojciech Staszewski wrote:
> Hello!
>
> I'm thinking how to connect my file server to Midpoint for accounts/groups management. It's Linux with OpenLDAP and Samba and smbldaptools...
> LDAP connector? I don't think so, because every created user gets homedir on Samba, it must be created on filesystem.
> Unix connector? This is not a solution as well. Managing accounts is done by smbldaptools (smbldap-useradd, smbldap-passwd, smbldap-usermod, smbldap-groupadd and so...), not by default Linux commands.
>
> Maybe Commandline scripted connector?
>
> Anyone has some experience with this and got some hints for me?
> Thanks, regards,
> WS
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com



From radovan.semancik at evolveum.com  Wed Dec 21 19:10:14 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Wed, 21 Dec 2016 19:10:14 +0100
Subject: [midPoint] MidPoint 3.5 "Einstein" released
Message-ID: <94dd4d9c-831e-afbb-efc9-bfb1bc95fd5c@evolveum.com>

The Evolveum team is proud to announce the release of midPoint version 3.5

Release 3.5 is eighteenth midPoint release code-named Einstein. The 3.5 
release brings lots of features related to identity governance, 
self-registration and support for JSON/YAML.

For more information about the 3.5 release please see release notes at 
http://wiki.evolveum.com/display/midPoint/Release+3.5

We would like to express a special thanks for all midPoint subscribers, 
supporters and especially the contributors. The Evolveum team would like 
to express many thanks for your interest, feedback and contributions.

About MidPoint

MidPoint is a comprehensive open-source identity management and 
governanace system. It is a system that synchronizes several identity 
repositories, manages them and makes them available in unified form. It 
handles identity provisioning, identity synchronization, identity 
workflow automation, it implements advanced access control models, 
enforces policies and provides numerous features in the field of 
enterprise and Internet identity management and identity governance. The 
development process of midPoint is pragmatic and open, it focuses on 
usability and solutions to the practical identity management challenges.

For more information please see http://midpoint.evolveum.com/

About Evolveum

Evolveum is a company committed to develop creative, open and - most 
importantly - working software. We work hard to continually improve the 
software in a creative way. All software that we develop is open-source 
using completely open development process. The software is created with 
one critical goal in mind: usability. The software must work, it must be 
efficient solution to an existing problem, the software must provide 
value. Evolveum works in a close cooperation with partners and volunteer 
contributors to make this possible.

For more details please see http://evolveum.com/

-- 
Radovan Semancik
Software Architect
evolveum.com


From wojciech.staszewski at diagnostyka.pl  Wed Dec 21 21:34:48 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Wed, 21 Dec 2016 21:34:48 +0100
Subject: [midPoint] - How to connect file server
	(Linux+Samba+LDAP+smbldaptools)? And image attribute
In-Reply-To: <b198cfdb-b7cd-fa13-c9fd-7e0bd2c02fff@evolveum.com>
References: <9eea31bf-3ee1-4b89-f6f1-897a156845c7@diagnostyka.pl>
 <b198cfdb-b7cd-fa13-c9fd-7e0bd2c02fff@evolveum.com>
Message-ID: <1562699.ZiszaSp3YZ@skygge-pc>

Thanks. I have to check if modyfing ldap entries are enough to manage the users and groups.
But I suppose that these commands from smbldaptools are doing something more than just ldap modifications...

By the way:
I have an image type attribute (scriptedSQL), I guess it must be "byte[]" type, but how to convert database "blob" to byte array in groovy (and vice versa)? I'm googling this right now, but Google finds only some javascripts which are not working correctly...
Thanks!

Dnia środa, 21 grudnia 2016 18:01:26 CET Ivan Noris pisze:
> Hi Wojciech,
> 
> maybe the Command scripted connector, but it's very "simple" connector.
> I may have real production skills for this in a few weeks (the customer
> delayed one of the resource where this connector will be used).
> 
> I have not worked with Samba for years, but isn't there a possibility to
> auto-create the homedirs after the LDAP record is created or when user
> tries to login/map the drive or something like that?
> 
> Regards,
> 
> Ivan
> 
> 
> On 12/21/2016 02:12 PM, Wojciech Staszewski wrote:
> > Hello!
> >
> > I'm thinking how to connect my file server to Midpoint for accounts/groups management. It's Linux with OpenLDAP and Samba and smbldaptools...
> > LDAP connector? I don't think so, because every created user gets homedir on Samba, it must be created on filesystem.
> > Unix connector? This is not a solution as well. Managing accounts is done by smbldaptools (smbldap-useradd, smbldap-passwd, smbldap-usermod, smbldap-groupadd and so...), not by default Linux commands.
> >
> > Maybe Commandline scripted connector?
> >
> > Anyone has some experience with this and got some hints for me?
> > Thanks, regards,
> > WS
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
> 
> 


-- 
Wojciech Staszewski
Administrator Systemów Sieciowych
Dział IT
DIAGNOSTYKA 
Spółka z ograniczoną odpowiedzialnością 
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
tel.: +48 12 295 01 00
fax: +48 12 295 01 02 
tel. kom: 663 680 236
www.diag.pl
DIAGNOSTYKA Spółka z ograniczoną odpowiedzialnością ul. Prof. M. Życzkowskiego 16, 31-864 Kraków; 
KRS: Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy Krajowego KRS: 0000381559; NIP: 675-12-65-009; REGON: 356366975, Kapitał zakładowy: 33 252 500 zł.


From radovan.semancik at evolveum.com  Thu Dec 22 11:28:55 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 22 Dec 2016 11:28:55 +0100
Subject: [midPoint] - How to connect file server
 (Linux+Samba+LDAP+smbldaptools)?
In-Reply-To: <9eea31bf-3ee1-4b89-f6f1-897a156845c7@diagnostyka.pl>
References: <9eea31bf-3ee1-4b89-f6f1-897a156845c7@diagnostyka.pl>
Message-ID: <ee0f4f30-ab5d-9bfe-8e05-8e2480c828fa@evolveum.com>

Hi,

I think you already know the answer: there is no good way how to do this 
now. However, there are two options for future midPoint development:

1) Add ssh scripting support to the LDAP connector. This should be quite 
simple. And there is a precedent for this. The LDAP-based AD connector 
(which is in the same bundle) already has powershell scripting support. 
This is quite easy and very practical solution. Yet the application is 
somehow limited.

2) Implement a way how to use scripting methods from one resource in 
another resource. The ConnId script execution operations are not bound 
to any account or provisioning operation. So this is theoretically 
possible. However, midPoint was designed with good interface design and 
encapsulation in mind and this is currently not directly possible. 
However it can be added if needed - and it would still be quite clean. 
This would be nice and generic feature. E.g. it could be used to combine 
CSV connector with ssh scripts (from Unix connector) to copy the file 
from remote server - and this could do a lot of interesting tricks.

As usual, these are the options: 
https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature

We are now preparing development plan for midPoint 3.6. It looks like 
there will be a lot of sponsored features and the development team will 
be very busy. But some sponsoring is still not confirmed so there may 
still be some place in the plan. First come, first serve.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 12/21/2016 02:12 PM, Wojciech Staszewski wrote:
> Hello!
>
> I'm thinking how to connect my file server to Midpoint for accounts/groups management. It's Linux with OpenLDAP and Samba and smbldaptools...
> LDAP connector? I don't think so, because every created user gets homedir on Samba, it must be created on filesystem.
> Unix connector? This is not a solution as well. Managing accounts is done by smbldaptools (smbldap-useradd, smbldap-passwd, smbldap-usermod, smbldap-groupadd and so...), not by default Linux commands.
>
> Maybe Commandline scripted connector?
>
> Anyone has some experience with this and got some hints for me?
> Thanks, regards,
> WS
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint




From wojciech.staszewski at diagnostyka.pl  Thu Dec 22 12:12:04 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Thu, 22 Dec 2016 12:12:04 +0100
Subject: [midPoint] - How to connect file server
 (Linux+Samba+LDAP+smbldaptools)?
In-Reply-To: <ee0f4f30-ab5d-9bfe-8e05-8e2480c828fa@evolveum.com>
References: <9eea31bf-3ee1-4b89-f6f1-897a156845c7@diagnostyka.pl>
 <ee0f4f30-ab5d-9bfe-8e05-8e2480c828fa@evolveum.com>
Message-ID: <cbdca48c-b732-6806-16d9-fea5b145457b@diagnostyka.pl>

Thank you for your answer.

Adding scripting support for Unix connector would be nice too.
I have several dozens of servers hosting virtual machines (proxmox VE).
Users allowed to manage virtual machines must be added by running shell command "pveum useradd $user at pam && pveum aclmod / -user $user at pam -role Administrator".
And deleting users in the same way.
Unfortunately Unix connector can't execute scripts, so it must be done by workaround (i'm thinking right now how to do it).

Greets!
WS

W dniu 22.12.2016 o 11:28, Radovan Semancik pisze:
> Hi,
> 
> I think you already know the answer: there is no good way how to do this now. However, there are two options for future midPoint development:
> 
> 1) Add ssh scripting support to the LDAP connector. This should be quite simple. And there is a precedent for this. The LDAP-based AD connector (which is in the same bundle) already has powershell scripting support. This is quite easy and very practical solution. Yet the application is somehow limited.
> 
> 2) Implement a way how to use scripting methods from one resource in another resource. The ConnId script execution operations are not bound to any account or provisioning operation. So this is theoretically possible. However, midPoint was designed with good interface design and encapsulation in mind and this is currently not directly possible. However it can be added if needed - and it would still be quite clean. This would be nice and generic feature. E.g. it could be used to combine CSV
> connector with ssh scripts (from Unix connector) to copy the file from remote server - and this could do a lot of interesting tricks.
> 
> As usual, these are the options: https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
> 
> We are now preparing development plan for midPoint 3.6. It looks like there will be a lot of sponsored features and the development team will be very busy. But some sponsoring is still not confirmed so there may still be some place in the plan. First come, first serve.
> 


From pertti.kellomaki at datactica.fi  Thu Dec 22 12:33:16 2016
From: pertti.kellomaki at datactica.fi (=?UTF-8?Q?Pertti_Kellom=c3=a4ki?=)
Date: Thu, 22 Dec 2016 13:33:16 +0200
Subject: [midPoint] Role assignment in object template vs. explicit
	assignment
Message-ID: <4f592b5c-bf9e-a3e6-6fdf-913d9adfc9a4@datactica.fi>

Hi,

I have a role that creates an ou in ldap when assigned to an 
organizational unit in midPoint. Ldap ou creation works if I first 
create the midPoint organizational unit, and then assign the role to it. 
However, if I move the role assignment to an object template used when 
importing organizational units from another resource, the role is 
assigned to the midPoint organizational unit, but no ldap ou is 
created.  The ldap ou is created if I edit the organizational unit and 
explicitly ask for reconciliation.

What is the correct way to ensure that the ldap ou is created when an 
object is imported? Should I have a reconciliation task that 
periodically keeps the ldap resource up to date? Or is there something I 
could do in the object template?

Thanks, Pertti



From radovan.semancik at evolveum.com  Thu Dec 22 13:09:15 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 22 Dec 2016 13:09:15 +0100
Subject: [midPoint] - How to connect file server
 (Linux+Samba+LDAP+smbldaptools)?
In-Reply-To: <cbdca48c-b732-6806-16d9-fea5b145457b@diagnostyka.pl>
References: <9eea31bf-3ee1-4b89-f6f1-897a156845c7@diagnostyka.pl>
 <ee0f4f30-ab5d-9bfe-8e05-8e2480c828fa@evolveum.com>
 <cbdca48c-b732-6806-16d9-fea5b145457b@diagnostyka.pl>
Message-ID: <3f554bf0-137e-90de-f212-bbf34527d4d4@evolveum.com>

Hi,

Yes. And that would be actually the right place to do it. We have taken 
the Unix connector from the ConnId project and we have significantly 
improved it. And contributed the changes back to ConnId project. You can 
do the same thing and implement the scripting support there.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 12/22/2016 12:12 PM, Wojciech Staszewski wrote:
> Thank you for your answer.
>
> Adding scripting support for Unix connector would be nice too.
> I have several dozens of servers hosting virtual machines (proxmox VE).
> Users allowed to manage virtual machines must be added by running shell command "pveum useradd $user at pam && pveum aclmod / -user $user at pam -role Administrator".
> And deleting users in the same way.
> Unfortunately Unix connector can't execute scripts, so it must be done by workaround (i'm thinking right now how to do it).
>
> Greets!
> WS
>
> W dniu 22.12.2016 o 11:28, Radovan Semancik pisze:
>> Hi,
>>
>> I think you already know the answer: there is no good way how to do this now. However, there are two options for future midPoint development:
>>
>> 1) Add ssh scripting support to the LDAP connector. This should be quite simple. And there is a precedent for this. The LDAP-based AD connector (which is in the same bundle) already has powershell scripting support. This is quite easy and very practical solution. Yet the application is somehow limited.
>>
>> 2) Implement a way how to use scripting methods from one resource in another resource. The ConnId script execution operations are not bound to any account or provisioning operation. So this is theoretically possible. However, midPoint was designed with good interface design and encapsulation in mind and this is currently not directly possible. However it can be added if needed - and it would still be quite clean. This would be nice and generic feature. E.g. it could be used to combine CSV
>> connector with ssh scripts (from Unix connector) to copy the file from remote server - and this could do a lot of interesting tricks.
>>
>> As usual, these are the options: https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
>>
>> We are now preparing development plan for midPoint 3.6. It looks like there will be a lot of sponsored features and the development team will be very busy. But some sponsoring is still not confirmed so there may still be some place in the plan. First come, first serve.
>>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint




From wojciech.staszewski at diagnostyka.pl  Thu Dec 22 13:38:10 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Thu, 22 Dec 2016 13:38:10 +0100
Subject: [midPoint] - How to connect file server
 (Linux+Samba+LDAP+smbldaptools)?
In-Reply-To: <3f554bf0-137e-90de-f212-bbf34527d4d4@evolveum.com>
References: <9eea31bf-3ee1-4b89-f6f1-897a156845c7@diagnostyka.pl>
 <ee0f4f30-ab5d-9bfe-8e05-8e2480c828fa@evolveum.com>
 <cbdca48c-b732-6806-16d9-fea5b145457b@diagnostyka.pl>
 <3f554bf0-137e-90de-f212-bbf34527d4d4@evolveum.com>
Message-ID: <feb9d293-bcf3-d718-92df-6fd669cede7c@diagnostyka.pl>

Very keen, if only I know how to program...
I'm Linux admin with some bash scripting skills, I suppose it's not enough.

W dniu 22.12.2016 o 13:09, Radovan Semancik pisze:
> Hi,
> 
> Yes. And that would be actually the right place to do it. We have taken the Unix connector from the ConnId project and we have significantly improved it.
> And contributed the changes back to ConnId project. You can do the same thing and implement the scripting support there.
> 

-- 
Wojciech Staszewski
Administrator Systemów Sieciowych
tel. kom: 663 680 236
www.diagnostyka.pl
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy KRS)
NIP: 675-12-65-009; REGON: 356366975
Kapitał zakładowy: 33 756 500 zł.

Pomyśl o środowisku zanim wydrukujesz ten e-mail.


From petr.gasparik at ami.cz  Thu Dec 22 13:40:48 2016
From: petr.gasparik at ami.cz (=?UTF-8?B?UGV0ciBHYcWhcGFyw61rIC0gQU1JIFByYWhhIGEucy4=?=)
Date: Thu, 22 Dec 2016 13:40:48 +0100
Subject: [midPoint] - How to connect file server
	(Linux+Samba+LDAP+smbldaptools)?
In-Reply-To: <3f554bf0-137e-90de-f212-bbf34527d4d4@evolveum.com>
References: <9eea31bf-3ee1-4b89-f6f1-897a156845c7@diagnostyka.pl>
 <ee0f4f30-ab5d-9bfe-8e05-8e2480c828fa@evolveum.com>
 <cbdca48c-b732-6806-16d9-fea5b145457b@diagnostyka.pl>
 <3f554bf0-137e-90de-f212-bbf34527d4d4@evolveum.com>
Message-ID: <CABAspd2anqYdeatmUiCwHbgzgkY9m_jqhUr=xJ-+HAF9Fw+e2g@mail.gmail.com>

Hi,
we needed something similar, calling script for adding/removing VPN users
via SSH commands.
So far we ended with calling SSH directly on model hook level.

--

s pozdravem

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: petr.gasparik at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/audit-roli-a-opravneni-sap>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.


2016-12-22 13:09 GMT+01:00 Radovan Semancik <radovan.semancik at evolveum.com>:

> Hi,
>
> Yes. And that would be actually the right place to do it. We have taken
> the Unix connector from the ConnId project and we have significantly
> improved it. And contributed the changes back to ConnId project. You can do
> the same thing and implement the scripting support there.
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
> On 12/22/2016 12:12 PM, Wojciech Staszewski wrote:
>
>> Thank you for your answer.
>>
>> Adding scripting support for Unix connector would be nice too.
>> I have several dozens of servers hosting virtual machines (proxmox VE).
>> Users allowed to manage virtual machines must be added by running shell
>> command "pveum useradd $user at pam && pveum aclmod / -user $user at pam -role
>> Administrator".
>> And deleting users in the same way.
>> Unfortunately Unix connector can't execute scripts, so it must be done by
>> workaround (i'm thinking right now how to do it).
>>
>> Greets!
>> WS
>>
>> W dniu 22.12.2016 o 11:28, Radovan Semancik pisze:
>>
>>> Hi,
>>>
>>> I think you already know the answer: there is no good way how to do this
>>> now. However, there are two options for future midPoint development:
>>>
>>> 1) Add ssh scripting support to the LDAP connector. This should be quite
>>> simple. And there is a precedent for this. The LDAP-based AD connector
>>> (which is in the same bundle) already has powershell scripting support.
>>> This is quite easy and very practical solution. Yet the application is
>>> somehow limited.
>>>
>>> 2) Implement a way how to use scripting methods from one resource in
>>> another resource. The ConnId script execution operations are not bound to
>>> any account or provisioning operation. So this is theoretically possible.
>>> However, midPoint was designed with good interface design and encapsulation
>>> in mind and this is currently not directly possible. However it can be
>>> added if needed - and it would still be quite clean. This would be nice and
>>> generic feature. E.g. it could be used to combine CSV
>>> connector with ssh scripts (from Unix connector) to copy the file from
>>> remote server - and this could do a lot of interesting tricks.
>>>
>>> As usual, these are the options: https://wiki.evolveum.com/disp
>>> lay/midPoint/I+Need+New+Feature
>>>
>>> We are now preparing development plan for midPoint 3.6. It looks like
>>> there will be a lot of sponsored features and the development team will be
>>> very busy. But some sponsoring is still not confirmed so there may still be
>>> some place in the plan. First come, first serve.
>>>
>>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161222/f85aec5c/attachment.htm>

From carlos18619 at gmail.com  Thu Dec 22 16:36:44 2016
From: carlos18619 at gmail.com (Carlos Ferreira)
Date: Thu, 22 Dec 2016 13:36:44 -0200
Subject: [midPoint] SELF-REGISTRATION - MIDPOINT 3.5
Message-ID: <CAJHEg663PAe=dx2-JRsmeJTEWh4TS0Q2YesiaMNGRa1HoyzJtw@mail.gmail.com>

Hi,

I am trying to configure self-registration on Midpoint 3.5 according to


https://wiki.evolveum.com/display/midPoint/Self+Registration+Configuration


My Security Policy is as follows:


<securityPolicy xmlns="
http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:c="
http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
                xmlns:icfs="
http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3
"
                xmlns:ri="
http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
                oid="28bf845a-b107-11e3-85bc-001e8c717e5b"
                version="3">
   <name>Global Security Policy</name>
   <metadata>
      <createTimestamp>2016-12-22T13:03:27.065-02:00</createTimestamp>
      <creatorRef oid="00000000-0000-0000-0000-000000000002"
type="c:UserType"><!-- administrator --></creatorRef>
      <createChannel>
http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport
</createChannel>
   </metadata>
   <authentication>
      <mailAuthentication>
         <name>confirmationLink</name>
         <displayName>Additional mail authentication</displayName>
         <mailNonce>mailNonce</mailNonce>
      </mailAuthentication>
   </authentication>
   <credentials>
      <nonce>
         <maxAge>PT10M</maxAge>
         <name>mailNonce</name>
      </nonce>
   </credentials>
   <registration>
      <selfRegistration>
         <name>selfRegistration</name>
         <initialLifecycleState>proposed</initialLifecycleState>
         <requiredLifecycleState>proposed</requiredLifecycleState>
         <displayName>Self Registration</displayName>

<additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
         <defaultRole oid="00000000-0000-0000-0000-000000000008"
type="c:RoleType"><!-- End user --></defaultRole>
      </selfRegistration>
   </registration>
</securityPolicy>


However, when a try to register a new user, after filling the attributes on
screen, I receive the message




*Registration process not allowed. Please contact system administrator.*
In the IDM.LOG, this line is appended:



*2016-12-22 13:35:12,092 [] [http-nio-8080-exec-23] ERROR
(com.evolveum.midpoint.web.page.login.PageSelfRegistration): Registration
not allowed for a user carlosaf at trt3.jus.br <carlosaf at trt3.jus.br> ->
Unsatisfied Configuration for required lifecycle, expected proposed but was
null*

Thks in advance,


Carlos
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161222/630a7d5f/attachment.htm>

From oskar.butovic at ami.cz  Thu Dec 22 17:42:56 2016
From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=)
Date: Thu, 22 Dec 2016 17:42:56 +0100
Subject: [midPoint] tasks - fatal error
Message-ID: <CAE8MtZCoc-aymcXvA=m8g9cdNRspHAM1zECkfkT9nqWgZU6qsQ@mail.gmail.com>

Hello everybody,

is there any way in midpoint how to make task continue on another user even
when experienced fatal error during execution?

Best Regards

Oskar Butovič

-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161222/69e06200/attachment.htm>

From mederly at evolveum.com  Thu Dec 22 18:19:48 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Thu, 22 Dec 2016 18:19:48 +0100
Subject: [midPoint] tasks - fatal error
In-Reply-To: <CAE8MtZCoc-aymcXvA=m8g9cdNRspHAM1zECkfkT9nqWgZU6qsQ@mail.gmail.com>
References: <CAE8MtZCoc-aymcXvA=m8g9cdNRspHAM1zECkfkT9nqWgZU6qsQ@mail.gmail.com>
Message-ID: <1e41e56b-9b28-015b-6769-5884ab34adcd@evolveum.com>

Oskar,

it depends on what kind of task you are working with. Generally, tasks 
like reconciliation, recomputation, live sync, import should continue 
even in the face of fatal errors.

However, bulk actions are quite unfinished in this respect. I planned to 
implement some kind of configurable "on error" behaviors, but ... there 
was (and still is) no time to do that. So the only approach for bulk 
actions is "stop on first error".

Pavol Mederly
Software developer
evolveum.com

On 22.12.2016 17:42, Oskar Butovič - AMI Praha a.s. wrote:
> Hello everybody,
>
> is there any way in midpoint how to make task continue on another user 
> even when experienced fatal error during execution?
>
> Best Regards
>
> Oskar Butovič
>
> -- 
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101
> e-mail: oskar.butovic at ami.cz <mailto:oskar.butovic at ami.cz>
>
> 			
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz <http://www.ami.cz/>
>
> 			
>
> AMI Praha a.s.
>
>
> AMI Praha a.s. 
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za 
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít 
> výhradně písemnou formu.
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161222/88429426/attachment.htm>

From ggallard at identicum.com  Thu Dec 22 22:35:57 2016
From: ggallard at identicum.com (Gustavo J Gallardo)
Date: Thu, 22 Dec 2016 18:35:57 -0300
Subject: [midPoint] Reset password by mail
Message-ID: <CAA68kP9LtYG1PQd0akuLDbXYkGoUb3pZw9LewRBxRg2JDap0sg@mail.gmail.com>

Hi all,
I'm trying to configure Password Reset according to
https://wiki.evolveum.com/display/midPoint/Reset+Password+Configuration

Is there any example of a "Mail Nonce Policy" like the one referenced from
the example (00000000-0000-1111-0000-000000000003)?


Thanks,

Gustavo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161222/4a1a67e0/attachment.htm>

From oskar.butovic at ami.cz  Fri Dec 23 09:19:06 2016
From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=)
Date: Fri, 23 Dec 2016 09:19:06 +0100
Subject: [midPoint] tasks - fatal error
In-Reply-To: <1e41e56b-9b28-015b-6769-5884ab34adcd@evolveum.com>
References: <CAE8MtZCoc-aymcXvA=m8g9cdNRspHAM1zECkfkT9nqWgZU6qsQ@mail.gmail.com>
 <1e41e56b-9b28-015b-6769-5884ab34adcd@evolveum.com>
Message-ID: <CAE8MtZBL1qr8Qqz6+xmPEyY7DifUvkB1mj+5H8S+yFEvn7x7JQ@mail.gmail.com>

Ok thanks a lot Pavol.

I did the mistake by using bulk task (
http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3 ) for
rocompute. Which was mayor problem due to its stop on first error. Ill try
using
http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/recompute/handler-3
then.

2016-12-22 18:19 GMT+01:00 Pavol Mederly <mederly at evolveum.com>:

> Oskar,
>
> it depends on what kind of task you are working with. Generally, tasks
> like reconciliation, recomputation, live sync, import should continue even
> in the face of fatal errors.
>
> However, bulk actions are quite unfinished in this respect. I planned to
> implement some kind of configurable "on error" behaviors, but ... there was
> (and still is) no time to do that. So the only approach for bulk actions is
> "stop on first error".
>
> Pavol Mederly
> Software developerevolveum.com
>
> On 22.12.2016 17:42, Oskar Butovič - AMI Praha a.s. wrote:
>
> Hello everybody,
>
> is there any way in midpoint how to make task continue on another user
> even when experienced fatal error during execution?
>
> Best Regards
>
> Oskar Butovič
>
> --
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101 <+420%20774%20480%20101>
> e-mail: oskar.butovic at ami.cz
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239 <+420%20274%20783%20239>
> web: www.ami.cz
>
>
> [image: AMI Praha a.s.]
>
> [image: AMI Praha a.s.]
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
> písemnou formu.
>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>


-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161223/8747ff56/attachment.htm>

From radovan.semancik at evolveum.com  Sun Dec 25 09:24:31 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Sun, 25 Dec 2016 09:24:31 +0100
Subject: [midPoint] Merry Christmas!
Message-ID: <e8c00f7e-93ec-772d-aeec-69e0ae87e5f5@evolveum.com>

Dear midPoint community,

I would like to wish you merry Christmas and happy new year! Thank you 
all for your support, contributions and suggestions. And we have a small 
present for you:

https://evolveum.com/midpoint/midpoint-guide-about-practical-identity-management/

-- 
Radovan Semancik
Software Architect
evolveum.com



From ggallard at identicum.com  Mon Dec 26 14:25:06 2016
From: ggallard at identicum.com (Gustavo J Gallardo)
Date: Mon, 26 Dec 2016 10:25:06 -0300
Subject: [midPoint] Reset password by email - REST API?
Message-ID: <CAA68kP_jYT0tVPT65hpKgmO0W6SPHD55jg44tCwQGRjn5sSpFw@mail.gmail.com>

Hi everyone,
is there any way to consume the functionality from our own front-end?

Basically, a way to call an API to "request" (generate nonce and send
email) and then to "use" (validate user with nonce and allow her/him to
reset own password).

Additional to control the UI, we want to avoid exposing the midpoint server
publicly to internet.


Thanks in advance, Merry Christmas and Happy New Year!

GJG
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161226/aeb78783/attachment.htm>

From mmoayyed at unicon.net  Tue Dec 27 00:01:42 2016
From: mmoayyed at unicon.net (=?UTF-8?B?TWlzYWdoIE1vYXl5ZWQ=?=)
Date: Tue, 27 Dec 2016 02:01:42 +0300
Subject: [midPoint] =?utf-8?q?Merry_Christmas!?=
In-Reply-To: <e8c00f7e-93ec-772d-aeec-69e0ae87e5f5@evolveum.com>
References: <e8c00f7e-93ec-772d-aeec-69e0ae87e5f5@evolveum.com>
Message-ID: <1482793302.784212455@f3.my.com>


Thank you so much for this extremely valuable resource. Much appreciated!
Happy holidays. 
--
Sent from myMail for Android Sunday, 25 December 2016, 01:24AM -07:00 from Radovan Semancik  radovan.semancik at evolveum.com :

>Dear midPoint community,
>
>I would like to wish you merry Christmas and happy new year! Thank you 
>all for your support, contributions and suggestions. And we have a small 
>present for you:
>
>https://evolveum.com/midpoint/midpoint-guide-about-practical-identity-management/
>
>-- 
>Radovan Semancik
>Software Architect
>evolveum.com
>
>_______________________________________________
>midPoint mailing list
>midPoint at lists.evolveum.com
>http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161227/c92c7fbf/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Wed Dec 28 00:16:46 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Wed, 28 Dec 2016 00:16:46 +0100
Subject: [midPoint]  Bunch of problems with resource configuration
Message-ID: <13246234.bdH9Dy2h9Q@skygge-pc>

Hello!

I was hoping that I will not bother you at least until New Year, but...
Every small step forward generates new problems.

1. How to configure resource attribute outbound mapping with Lookup Table? In  role inducement or user assignment configuration I want to pick some attribute values from drop-down list. I got simple LT and Object template "User Profile" with item "userProfile": 
<item>
      <c:ref>userProfile</c:ref>
      <displayName>User Profile</displayName>
      <valueEnumerationRef oid="83f670d2-e2d5-4037-8722-0350102cfbff"/> <!-- my lookup table oid -->
</item>

In my resource configuration I have:
<objectTemplateRef oid="47df067e-c725-4566-ba74-371d6e76125e" type="c:ObjectTemplateType"> <!-- my object template oid -->
            <targetName>
               <t:orig>User Profile</t:orig>
               <t:norm>user profile</t:norm>
            </targetName>
</objectTemplateRef>

but It doesn't work. i tried to add valueEnumerationRef also to schema handling and outbound mapping but I still see only text input instead list.... I don't know what I'm doing wrong...

2. I have an attribute (jpeg image) stored in oracle database blob. I need some hints how to handle this attribute type in scriptedsql connector groovy script, cause I got only errors: "java.lang.IllegalArgumentException: Attribute 'stamp' type 'class oracle.sql.BLOB' is not supported."

3. Is there a possibility to create "dynamic" lookup tables? Something like Jasper Server dynamic report parameters (define SQL query, column "A" is a key, column "B" is a label)?

Thank you very much!
Best regards
Wojciech Staszewski





From m.benucci at nsr.it  Wed Dec 28 14:49:32 2016
From: m.benucci at nsr.it (m.benucci at nsr.it)
Date: Wed, 28 Dec 2016 14:49:32 +0100
Subject: [midPoint] CSS Error - upgrade from 3.3.1 to 3.4.1
Message-ID: <20161228134941.8CA10D3C@minerva.evolveum.com>

Hi I’m upgrading from midpoint 3.3.1 to 3.4.1.

I have successfully upgraded midpoint db using the upgrade sql script,
redeployed the war and now, when I log in, the idm.log logs lot of error related to a (I suppose)
wrong-writed html file…

Logs are like theese:
[http-nio-8080-exec-8] ERROR (ro.isdc.wro.extensions.processor.css.Less4jProcessor): 1:3 mismatched character 'D' expecting '-'.
[http-nio-8080-exec-8] ERROR (ro.isdc.wro.extensions.processor.css.Less4jProcessor): 1:4 no viable alternative at input 'OCTYPE' in ruleset (which started at 1:4).

This is the log that occur when I go to the login page and login http://pastebin.com/MhqrV264

Is this something stored in the database that goes corrupted or it is something in the webapps/midpoint folder?

Thank you,
Marco
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161228/b877e4e0/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Thu Dec 29 12:02:21 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Thu, 29 Dec 2016 12:02:21 +0100
Subject: [midPoint]  SelfService v3.5 - basket
Message-ID: <2629135.Wbr9mbeUsO@skygge-pc>

Hello!

Just a quick question: How to remove role from basket?

Regards, WS


From honchar at evolveum.com  Thu Dec 29 12:49:38 2016
From: honchar at evolveum.com (Kateryna Honchar)
Date: Thu, 29 Dec 2016 12:49:38 +0100
Subject: [midPoint] HA:   SelfService v3.5 - basket
In-Reply-To: <2629135.Wbr9mbeUsO@skygge-pc>
References: <2629135.Wbr9mbeUsO@skygge-pc>
Message-ID: <003d01d261c9$a3d742c0$eb85c840$@evolveum.com>

Hi!
You can do it with Unassign menu item from the right top cog menu.

-----Исходное сообщение-----
От: midPoint [mailto:midpoint-bounces at lists.evolveum.com] От имени Wojciech Staszewski
Отправлено: 29 декабря 2016 г. 12:02
Кому: midPoint General Discussion
Тема: [midPoint] SelfService v3.5 - basket

Hello!

Just a quick question: How to remove role from basket?

Regards, WS
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint



From wojciech.staszewski at diagnostyka.pl  Thu Dec 29 13:47:13 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Thu, 29 Dec 2016 13:47:13 +0100
Subject: [midPoint] HA:   SelfService v3.5 - basket
In-Reply-To: <003d01d261c9$a3d742c0$eb85c840$@evolveum.com>
References: <2629135.Wbr9mbeUsO@skygge-pc>
 <003d01d261c9$a3d742c0$eb85c840$@evolveum.com>
Message-ID: <1755243.xYkemoXNkS@skygge-pc>

OK, thanks, I can't see this menu item, I must be blind...

Another question:
- Why user can request an Organization Unit marked as "Requestable: False"?
Roles marked as "Requestable false" are unavailable for request, and that's OK, I thought that Org should behave the same way...
Regards, WS

Dnia czwartek, 29 grudnia 2016 12:49:38 CET Kateryna Honchar pisze:
> Hi!
> You can do it with Unassign menu item from the right top cog menu.
> 
> -----Исходное сообщение-----
> От: midPoint [mailto:midpoint-bounces at lists.evolveum.com] От имени Wojciech Staszewski
> Отправлено: 29 декабря 2016 г. 12:02
> Кому: midPoint General Discussion
> Тема: [midPoint] SelfService v3.5 - basket
> 
> Hello!
> 
> Just a quick question: How to remove role from basket?
> 
> Regards, WS
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> 



Wojciech Staszewski
Administrator Systemów Sieciowych
tel. kom: 663 680 236
www.diagnostyka.pl[1]
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy KRS)
NIP: 675-12-65-009; REGON: 356366975
Kapitał zakładowy: 33 756 500 zł. 
Pomyśl o środowisku zanim wydrukujesz ten e-mail.

--------
[1] http://www.diagnostyka.pl
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161229/3ebeba10/attachment.htm>

From mmarchese at identicum.com  Thu Dec 29 19:25:05 2016
From: mmarchese at identicum.com (Martin Marchese)
Date: Thu, 29 Dec 2016 15:25:05 -0300
Subject: [midPoint] Inducement Inheritance not Working
Message-ID: <CAG3rmdq2D-KoX8r8s8Ovb9-Y-=80dE-cFiYj+ifByPXzAFS1Ug@mail.gmail.com>

Hi All,

We have a role model designed as it follows:

Users are assigned to an Org (the AssignmentType is extended with
metaRelation attribute). This Org, has a Meta Role assigned.

Based on the value of the metaRelation attribute (STUDENT or TEACHER) the
Meta Role induces a Role (order 2 inducement) to the user.

These induced roles have their own inducements, to resources (OpenLDAP,
google apps, office 365, etc).

Once a user is assigned to an Org, it receives the inderect assignment
based on the metaRelation attribute value. However, it's not receiving the
resource inducements, hence, the accounts are not being created in the
resources.

Any idea if this is normal behavior or if we are missing something?

Below are examples of how our objects look like.

*Org XML:*

<org>
   <name>MEGC</name>
...
   <assignment id="1">
      <targetRef oid="00000000-0000-1de4-0004-000000000099"
type="c:RoleType"></targetRef>
   </assignment>
...
</org>

*Meta Role XML:*

<role>
   <name>META_ROLE</name>
   ...
   <inducement id="4">
      <targetRef oid="00000000-0000-1de4-0004-000000000011"
type="c:RoleType"></targetRef>
      <order>2</order>
      <focusType>UserType</focusType>
      <condition>
         <source>
            <c:path>$focusAssignment/extension/metaRelation</c:path>
         </source>
         <expression>
            <script>
               <code>metaRelation == 'TEACHER'</code>
            </script>
         </expression>
      </condition>
   </inducement>
...
</role>

*Induced Role:*

<role>
   <name>TEACHER</name>
...
   <inducement id="1">
      <construction>
         <resourceRef oid="00000000-0000-1de4-0002-000000000002"
type="c:ResourceType"></resourceRef>
         <kind>account</kind>
      </construction>
   </inducement>
...
</role>

Thanks in Advance

*Ing. Martín Marchese*
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
mmarchese at identicum.com
www.identicum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161229/cd88d277/attachment.htm>

From honchar at evolveum.com  Thu Dec 29 22:13:49 2016
From: honchar at evolveum.com (Kateryna Honchar)
Date: Thu, 29 Dec 2016 22:13:49 +0100
Subject: [midPoint] HA:  HA:   SelfService v3.5 - basket
In-Reply-To: <1755243.xYkemoXNkS@skygge-pc>
References: <2629135.Wbr9mbeUsO@skygge-pc>
 <003d01d261c9$a3d742c0$eb85c840$@evolveum.com> <1755243.xYkemoXNkS@skygge-pc>
Message-ID: <004b01d26218$765d7860$63186920$@evolveum.com>

I guess you use some user who doesn’t have “unassign” authorization. Just add the following authorization to the user role, then you’ll see this Unassign menu item.

 

<authorization id="7">

      <name>unassign</name>

       <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>

      <phase>request</phase>

      <object>

         <special>self</special>

      </object>

   </authorization>

But I agree that this authorization has no sense on this page. So you can create jira issue to show this menu item for any user regardless of its authorization. 

 

And I’m not sure how requestable flag should influence on OrgType and ServiceType. I’ll figure it out.

Best regards.

Kateryna Honchar.

 

 

От: midPoint [mailto:midpoint-bounces at lists.evolveum.com] От имени Wojciech Staszewski
Отправлено: 29 декабря 2016 г. 13:47
Кому: midpoint at lists.evolveum.com
Тема: Re: [midPoint] HA: SelfService v3.5 - basket

 

OK, thanks, I can't see this menu item, I must be blind...

 

Another question:

- Why user can request an Organization Unit marked as "Requestable: False"?

Roles marked as "Requestable false" are unavailable for request, and that's OK, I thought that Org should behave the same way...

Regards, WS

 

Dnia czwartek, 29 grudnia 2016 12:49:38 CET Kateryna Honchar pisze:

> Hi!

> You can do it with Unassign menu item from the right top cog menu.

> 

> -----Исходное сообщение-----

> От: midPoint [mailto:midpoint-bounces at lists.evolveum.com] От имени Wojciech Staszewski

> Отправлено: 29 декабря 2016 г. 12:02

> Кому: midPoint General Discussion

> Тема: [midPoint] SelfService v3.5 - basket

> 

> Hello!

> 

> Just a quick question: How to remove role from basket?

> 

> Regards, WS

> _______________________________________________

> midPoint mailing list

> midPoint at lists.evolveum.com

> http://lists.evolveum.com/mailman/listinfo/midpoint

> 

> _______________________________________________

> midPoint mailing list

> midPoint at lists.evolveum.com

> http://lists.evolveum.com/mailman/listinfo/midpoint

> 

 


-- 

Wojciech Staszewski

Administrator Systemów Sieciowych

tel. kom: 663 680 236

 <http://www.diagnostyka.pl> www.diagnostyka.pl

Diagnostyka Sp. z o. o.

ul. Prof. M. Życzkowskiego 16, 31-864 Kraków

Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy KRS)

NIP: 675-12-65-009; REGON: 356366975

Kapitał zakładowy: 33 756 500 zł. 

Pomyśl o środowisku zanim wydrukujesz ten e-mail.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161229/049a77bc/attachment.htm>

From nrossi at identicum.com  Fri Dec 30 13:49:29 2016
From: nrossi at identicum.com (Nicolas Rossi)
Date: Fri, 30 Dec 2016 09:49:29 -0300
Subject: [midPoint] midPoint SSO with SAML
Message-ID: <CAAxX8ci=WyECdD0jSO3UbJPebmyHG-BKhpyffvS4XNa1PNHL6g@mail.gmail.com>

Hi guys, I just wondering if I can configure SSO in midPoint with SAML. I
read on the wiki (
https://wiki.evolveum.com/display/midPoint/MidPoint+and+SSO+HOWTO) that the
security layer is based on Spring Security and it supports SAML (
http://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-sso.html).
Has anyone tried it before ?

Kind regards and happy new year !


Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161230/6c31dafb/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Sat Dec 31 03:58:50 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Sat, 31 Dec 2016 03:58:50 +0100
Subject: [midPoint]  Role configuration with dynamic inducements
Message-ID: <f3603ac5993b753f4b13f04ec41d584b@diag.pl>

 

Hello All 

I'm just reading documentation about roles, metaroles,
assignments, inducements, patametric assignments, etc, and I'm little
confused (maybe because it's late and I should sleep instead thinking of
midpoint). 

Anyway, I need to create role with some kind of dynamic
inducement. 

I have several hundreds of servers, including about 70
database servers, I organized them by type in Organizational structure
(IT infrastructure -> DB servers), and also added them to the Company
regional structure in separate tree. 

The role called "Master Oracle
administrator" should have inducement to all servers in "DB servers"
(shell accounts). 

The role called "North-west Admin" should induce all
DB servers which are also in Company OU "North-west region". 

When I
install new db server and put it in Midpoint Org units, proper accounts
should be created on that server without touching anything else. 

Is
this possible to do? Can I use Assignment target search do do it?


--
Best regards, 
Wojciech Staszewski

 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161231/7d0bbf20/attachment.htm>

From martin.lizner at ami.cz  Sat Dec 31 10:22:36 2016
From: martin.lizner at ami.cz (=?UTF-8?Q?Martin_L=C3=ADzner_=2D_AMI_Praha_a=2Es=2E?=)
Date: Sat, 31 Dec 2016 10:22:36 +0100
Subject: [midPoint] Inducement Inheritance not Working
In-Reply-To: <CAG3rmdq2D-KoX8r8s8Ovb9-Y-=80dE-cFiYj+ifByPXzAFS1Ug@mail.gmail.com>
References: <CAG3rmdq2D-KoX8r8s8Ovb9-Y-=80dE-cFiYj+ifByPXzAFS1Ug@mail.gmail.com>
Message-ID: <CALOh8eN=nhFkZT4OpC0gAVh4xqY7kw=TwbtAU8R21ThX9nO1vg@mail.gmail.com>

Hi, this is indeed very nice and advanced business logic.

I would suggest you try dropping the meta role completely and use
organization to induce the logic. If you need higher level of abstraction,
you can imagine orgs (e.g. root) as meta roles and put logic there.

Something like (but Im not sure how will focusAssignment behave):

*Org XML:*

<org>
   <name>MEGC</name>
...
   <inducement id="4">
      <targetRef oid="00000000-0000-1de4-0004-000000000011"
type="c:RoleType"></targetRef>
      <focusType>UserType</focusType>
      <condition>
         <source>
            <c:path>$focusAssignment/extension/metaRelation</c:path>
         </source>
         <expression>
            <script>
               <code>metaRelation == 'TEACHER'</code>
            </script>
         </expression>
      </condition>
   </inducement>
...
</org>

Regards, M.

Martin Lízner
solution architect

gsm: [+420] 737 745 571 <+420%20737%20745%20571>
e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239 <+420%20274%20783%20239>
web: www.ami.cz



[image: AMI Praha a.s.] <http://www.skyidentity.com/>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.


2016-12-29 19:25 GMT+01:00 Martin Marchese <mmarchese at identicum.com>:

> Hi All,
>
> We have a role model designed as it follows:
>
> Users are assigned to an Org (the AssignmentType is extended with
> metaRelation attribute). This Org, has a Meta Role assigned.
>
> Based on the value of the metaRelation attribute (STUDENT or TEACHER) the
> Meta Role induces a Role (order 2 inducement) to the user.
>
> These induced roles have their own inducements, to resources (OpenLDAP,
> google apps, office 365, etc).
>
> Once a user is assigned to an Org, it receives the inderect assignment
> based on the metaRelation attribute value. However, it's not receiving the
> resource inducements, hence, the accounts are not being created in the
> resources.
>
> Any idea if this is normal behavior or if we are missing something?
>
> Below are examples of how our objects look like.
>
> *Org XML:*
>
> <org>
>    <name>MEGC</name>
> ...
>    <assignment id="1">
>       <targetRef oid="00000000-0000-1de4-0004-000000000099"
> type="c:RoleType"></targetRef>
>    </assignment>
> ...
> </org>
>
> *Meta Role XML:*
>
> <role>
>    <name>META_ROLE</name>
>    ...
>    <inducement id="4">
>       <targetRef oid="00000000-0000-1de4-0004-000000000011"
> type="c:RoleType"></targetRef>
>       <order>2</order>
>       <focusType>UserType</focusType>
>       <condition>
>          <source>
>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>          </source>
>          <expression>
>             <script>
>                <code>metaRelation == 'TEACHER'</code>
>             </script>
>          </expression>
>       </condition>
>    </inducement>
> ...
> </role>
>
> *Induced Role:*
>
> <role>
>    <name>TEACHER</name>
> ...
>    <inducement id="1">
>       <construction>
>          <resourceRef oid="00000000-0000-1de4-0002-000000000002"
> type="c:ResourceType"></resourceRef>
>          <kind>account</kind>
>       </construction>
>    </inducement>
> ...
> </role>
>
> Thanks in Advance
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050 <+54%2011%204552-3050>
> mmarchese at identicum.com
> www.identicum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161231/caf862a5/attachment.htm>

From wojciech.staszewski at diagnostyka.pl  Sat Dec 31 23:41:29 2016
From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski)
Date: Sat, 31 Dec 2016 23:41:29 +0100
Subject: [midPoint]  Exception when translating PP
Message-ID: <3933242.eiTyqETxpQ@skygge-pc>

Hi....

The image (binary) attribute in my ScriptedSQL resource drives me crazy...
What I did:

Custom schema extension:
           <xsd:element name="stamp" type="xsd:base64Binary" minOccurs="0"> 
               <xsd:annotation> 
                   <xsd:appinfo> 
                       <a:indexed>true</a:indexed> 
                       <a:displayName>User stamp</a:displayName> 
                       <a:displayOrder>370</a:displayOrder> 
                   </xsd:appinfo> 
               </xsd:annotation> 
           </xsd:element>

SchemaScript.groovy:
account.addAttributeInfo(AttributeInfoBuilder.build("userstamp", byte[].class));

SearchScript.groovy:
        def stampquery = "select u.stamp from users u" + where;
        row = sql.firstRow(stampquery);
        stamp_blob = (oracle.sql.BLOB)row[0];
        stamp = stamp_blob.getBinaryStream().getBytes();

Midpoint GUI: My ScriptedSQL Resource->Accounts->Resource->click on some user
I see the user stamp attribute, I can download it and open correctly in image viewer.

I made inbound mapping userstamp -> extension/stamp
but reconciliation gives me error:

ERROR (com.evolveum.midpoint.web.component.progress.ProgressReporter): Error executing changes.
com.evolveum.midpoint.util.exception.SchemaException: Exception when translating PP({http://midpoint.evolveum.com/xml/ns/story/unix-1}stamp):[PPV(byte[]:byte[-1,-40,-1,-32,0,16,74,70,73,70,0,1,1,1,0,0,0,0,0,0,-1,-37,0,67,0,9,6,7,19,19,18,21,19,18,18,22,22,21,22,23,23,23,25,24,21,25,21,24,24,27,26,26,29,29,23,23,29,26,25,24,30,40,32,25,,... 10849 bytes total])]: Can't extract value for saving from prism property value
PPV(byte[]:byte[-1,-40,-1,-32,0,16,74,70,73,70,0,1,1,1,0,0,0,0,0,0,-1,-37,0,67,0,9,6,7,19,19,18,21,19,18,18,22,22,21,22,23,23,23,25,24,21,25,21,24,24,27,26,26,29,29,23,23,29,26,25,24,30,40,32,25,,... 10849 bytes total])

*****   What attribute types should I use for image attribute? In schema extension is base64Binary, on resource byte[], I suspect is something wrong here ;(  ******

I know, I'm workaholic...
Happy New Year!!!!