From s.mamayeva at ktg.kz  Fri Jul  1 07:46:21 2016
From: s.mamayeva at ktg.kz (=?utf-8?B?0JzQsNC80LDQtdCy0LAg0KHQsNGD0LvQtSDQodC10YDQuNC60L7QstC90LA=?=)
Date: Fri, 1 Jul 2016 05:46:21 +0000
Subject: [midPoint] Condition for inducment in Metarole
In-Reply-To: <32c02f7b-d853-481c-7c1b-087a2036729d@evolveum.com>
References: <0c7820a108da42b4811a911bbda21139@exch-02.ktg.kz>
 <c190f63d-b180-9145-1cd7-329eb7a58678@evolveum.com>
 <32c02f7b-d853-481c-7c1b-087a2036729d@evolveum.com>
Message-ID: <dc6972b442604afb96976a93e1efc8e3@exch-02.ktg.kz>

Hello, Pavol!
Thanks for the code. It also works for me.



Best regards,
Saule

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Pavol Mederly
Sent: Friday, July 01, 2016 12:05 AM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Condition for inducment in Metarole


Saule,

one correction:

focus?.assignment.find { it.targetRef?.oid == 'd13681fb-88df-472a-a7fe-d869a1ea4c37' } != null

...in order to work also when adding users. In such cases 'focus' variable is null for 'original state' evaluation.

Pavol

On 30.06.2016 17:44, Pavol Mederly wrote:

Hello Saule,

sorry for the late answer.

Yes, it is possible to add a condition for an inducement. This works for me:

   <inducement id="2">
      <construction>
         <resourceRef oid="b94c683d-517c-4c3e-a307-7c2bbe14453e" type="c:ResourceType"><!-- LDAP --></resourceRef>
         <kind>account</kind>
         <intent>default</intent>
         <association>
            <c:ref>ri:group</c:ref>
            <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>group</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
      <condition>
         <expression>
            <script>
               <code>
                  focus.assignment.find { it.targetRef?.oid == 'd13681fb-88df-472a-a7fe-d869a1ea4c37' } != null
              </code>
            </script>
         </expression>
      </condition>
   </inducement>
Note that d13681fb-88df-472a-a7fe-d869a1ea4c37 is an OID of AD user role.

When having this condition, it seems to work:

  1.  if adding a user into an org, the account is not automatically created on a resource
  2.  after assigning AD user role to the user, an account is created, and becomes a member of the AD group
  3.  after unassigning AD user role from the user, account is deleted

Hope this helps,

Pavol

On 16.06.2016 12:26, Мамаева Сауле Сериковна wrote:
Hello,
I have meta role for groups, that is assigned to organization when creating organization by org template. This role creates groups with members associated with this created midpoint organization in Active Directory(AD). But I want to create only groups in AD by this role and members of this groups should appear in AD only after assigning another role (AD user role) to users. I have another role  -  AD user role, that is assigned to the user manually and by approval of administrator and this role creates account of user in AD.
How and where can I add  such condition? Is it  possible to add condition for inducement?
This is xml of meta role for groups:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<http://midpoint.evolveum.com/xml/ns/public/common/common-3>
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"<http://prism.evolveum.com/xml/ns/public/query-3>
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<http://midpoint.evolveum.com/xml/ns/public/common/common-3>
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"<http://prism.evolveum.com/xml/ns/public/types-3>
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"<http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3>
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"<http://midpoint.evolveum.com/xml/ns/public/resource/instance-3>
      oid="11111111-2222-3333-4444-200000000055"
      version="8">
   <name>Metarole for groups</name>
   <metadata>
      <createTimestamp>2016-06-06T12:47:04.200+06:00</createTimestamp>
      <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef>
      <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
   </metadata>
   <inducement id="1">
      <construction>
         <resourceRef oid="ef2bc95b-76e0-11e2-86d6-1111111111" type="c:ResourceType"><!-- Ldap_AD_Saule --></resourceRef>
         <kind>entitlement</kind>
         <intent>group</intent>
      </construction>
   </inducement>
   <inducement id="2">
      <construction>
         <resourceRef oid="ef2bc95b-76e0-11e2-86d6-1111111111" type="c:ResourceType"><!-- Ldap_AD_ Saule --></resourceRef>
         <kind>account</kind>
         <intent>default</intent>
         <association>
            <c:ref>ri:group</c:ref>
            <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>group</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
   </inducement>
</role>

Best regards,
Saule





_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>

http://lists.evolveum.com/mailman/listinfo/midpoint





_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>

http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160701/d88b242d/attachment.htm>

From dick.muller at tahzoo.com  Fri Jul  1 10:15:43 2016
From: dick.muller at tahzoo.com (Dick Muller)
Date: Fri, 1 Jul 2016 08:15:43 +0000
Subject: [midPoint] Duplicate node in the Cluster
Message-ID: <BY1PR0601MB11921B8DBB30CA0BD191181996250@BY1PR0601MB1192.namprd06.prod.outlook.com>

Hi,


I run two MidPoint servers in a cluster and that worked fine, but since the last two weeks the first server is complianing that there is a duplicate nodeId.

That is strange because the server is not renewed. I deleted the nodes in the Task manager, rebuild the quartz database in MySQL and restarted the tomcat instances.

But still no luck, the same error comes back.


In the idm.log the following error is raised:


2016-07-01 08:07:05,974 [] [ClusterManagerThread] ERROR (com.evolveum.midpoint.task.quartzimpl.cluster.NodeRegistrar): The record of this node cannot be read (OID 9eca6710-ec8f-4380-a3e4-62de4c97deb4 not found), but another node record with the name 'NA1-IDM-PRD01' exists. It seems that in this cluster there are two or more nodes with the same name 'NA1-IDM-PRD01'. Stopping the scheduler to minimize the damage., reason: Object of type 'NodeType' with oid '9eca6710-ec8f-4380-a3e4-62de4c97deb4' was not found. (class com.evolveum.midpoint.util.exception.ObjectNotFoundException)


Regards,

________________________________

Dick Muller

Systems Engineer

Delftechpark 37i
2628 XJ Delft
d: +31 88 2682586
m: +31 6 46477690

[http://client.tahzoo.com/tahzoo/logo_blue_100w.png]<http://www.tahzoo.com/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160701/91ab3ac7/attachment.htm>

From mederly at evolveum.com  Fri Jul  1 10:26:39 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Fri, 1 Jul 2016 10:26:39 +0200
Subject: [midPoint] Duplicate node in the Cluster
In-Reply-To: <BY1PR0601MB11921B8DBB30CA0BD191181996250@BY1PR0601MB1192.namprd06.prod.outlook.com>
References: <BY1PR0601MB11921B8DBB30CA0BD191181996250@BY1PR0601MB1192.namprd06.prod.outlook.com>
Message-ID: <2e52da3a-a157-81ec-19a0-cf51994c260e@evolveum.com>

Hello Dick,


this is really strange. If - after your cleanup procedure - you start 
only that one node (NA1-IDM-PRD01), does the error still occur?


Pavol


On 01.07.2016 10:15, Dick Muller wrote:
>
> Hi,
>
>
> I run two MidPoint servers in a cluster and that worked fine, but 
> since the last two weeks the first server is complianing that there is 
> a duplicate nodeId.
>
> That is strange because the server is not renewed. I deleted the nodes 
> in the Task manager, rebuild the quartz database in MySQL and 
> restarted the tomcat instances.
>
> But still no luck, the same error comes back.
>
>
> In the idm.log the following error is raised:
>
>
> 2016-07-01 08:07:05,974 [] [ClusterManagerThread] ERROR 
> (com.evolveum.midpoint.task.quartzimpl.cluster.NodeRegistrar): The 
> record of this node cannot be read (OID 
> 9eca6710-ec8f-4380-a3e4-62de4c97deb4 not found), but another node 
> record with the name 'NA1-IDM-PRD01' exists. It seems that in this 
> cluster there are two or more nodes with the same name 
> 'NA1-IDM-PRD01'. Stopping the scheduler to minimize the damage., 
> reason: Object of type 'NodeType' with oid 
> '9eca6710-ec8f-4380-a3e4-62de4c97deb4' was not found. (class 
> com.evolveum.midpoint.util.exception.ObjectNotFoundException)
>
>
> Regards,
>
> ------------------------------------------------------------------------
>
> *Dick Muller*
>
> Systems Engineer
>
> Delftechpark 37i
> 2628 XJ Delft*
> d*: +31 88 2682586
> *m:* +31 6 46477690
>
> http://client.tahzoo.com/tahzoo/logo_blue_100w.png 
> <http://www.tahzoo.com/>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160701/1c0799c4/attachment.htm>

From dick.muller at tahzoo.com  Fri Jul  1 10:45:17 2016
From: dick.muller at tahzoo.com (Dick Muller)
Date: Fri, 1 Jul 2016 08:45:17 +0000
Subject: [midPoint] Duplicate node in the Cluster
In-Reply-To: <2e52da3a-a157-81ec-19a0-cf51994c260e@evolveum.com>
References: <BY1PR0601MB11921B8DBB30CA0BD191181996250@BY1PR0601MB1192.namprd06.prod.outlook.com>,
 <2e52da3a-a157-81ec-19a0-cf51994c260e@evolveum.com>
Message-ID: <BY1PR0601MB1192D1DF8C06EBE90B2C3C9296250@BY1PR0601MB1192.namprd06.prod.outlook.com>

Hi Pavol,


I deleted the two nodes, recreated the Quartz tables and only started the node that was having a problem.

Also the same thing.


Strangest thing is that in the log it states that it notices an existing node with that name and a specific OID, but can't find it.

And then stops the Task manager.


This is the peace of the log from the latest attempt:


2016-07-01 08:41:30,481 [] [ClusterManagerThread] ERROR (com.evolveum.midpoint.task.quartzimpl.cluster.NodeRegistrar): The record of this node cannot be read (OID 42745a2a-6010-4716-9718-b0de1c5aa436 not found), but another node record with the name 'NA1-IDM-PRD01' exists. It seems that in this cluster there are two or more nodes with the same name 'NA1-IDM-PRD01'. Stopping the scheduler to minimize the damage., reason: Object of type 'NodeType' with oid '42745a2a-6010-4716-9718-b0de1c5aa436' was not found. (class com.evolveum.midpoint.util.exception.ObjectNotFoundException)


Thanks,


Dick

________________________________
Van: midPoint <midpoint-bounces at lists.evolveum.com> namens Pavol Mederly <mederly at evolveum.com>
Verzonden: vrijdag 1 juli 2016 10:26:39
Aan: midpoint at lists.evolveum.com
Onderwerp: Re: [midPoint] Duplicate node in the Cluster


Hello Dick,


this is really strange. If - after your cleanup procedure - you start only that one node (NA1-IDM-PRD01), does the error still occur?


Pavol

On 01.07.2016 10:15, Dick Muller wrote:

Hi,


I run two MidPoint servers in a cluster and that worked fine, but since the last two weeks the first server is complianing that there is a duplicate nodeId.

That is strange because the server is not renewed. I deleted the nodes in the Task manager, rebuild the quartz database in MySQL and restarted the tomcat instances.

But still no luck, the same error comes back.


In the idm.log the following error is raised:


2016-07-01 08:07:05,974 [] [ClusterManagerThread] ERROR (com.evolveum.midpoint.task.quartzimpl.cluster.NodeRegistrar): The record of this node cannot be read (OID 9eca6710-ec8f-4380-a3e4-62de4c97deb4 not found), but another node record with the name 'NA1-IDM-PRD01' exists. It seems that in this cluster there are two or more nodes with the same name 'NA1-IDM-PRD01'. Stopping the scheduler to minimize the damage., reason: Object of type 'NodeType' with oid '9eca6710-ec8f-4380-a3e4-62de4c97deb4' was not found. (class com.evolveum.midpoint.util.exception.ObjectNotFoundException)


Regards,

________________________________

Dick Muller

Systems Engineer

Delftechpark 37i
2628 XJ Delft
d: +31 88 2682586
m: +31 6 46477690

[http://client.tahzoo.com/tahzoo/logo_blue_100w.png]<http://www.tahzoo.com/>




_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160701/a0ccdd7a/attachment.htm>

From pavol.mederly at gmail.com  Fri Jul  1 16:12:13 2016
From: pavol.mederly at gmail.com (Pavol Mederly)
Date: Fri, 1 Jul 2016 16:12:13 +0200
Subject: [midPoint] Duplicate node in the Cluster
In-Reply-To: <BY1PR0601MB1192D1DF8C06EBE90B2C3C9296250@BY1PR0601MB1192.namprd06.prod.outlook.com>
References: <BY1PR0601MB11921B8DBB30CA0BD191181996250@BY1PR0601MB1192.namprd06.prod.outlook.com>
 <2e52da3a-a157-81ec-19a0-cf51994c260e@evolveum.com>
 <BY1PR0601MB1192D1DF8C06EBE90B2C3C9296250@BY1PR0601MB1192.namprd06.prod.outlook.com>
Message-ID: <813b3a90-6706-42f1-15b3-e98b5620efa4@gmail.com>

Dick,


I'm out of ideas.


Please, could you turn the repository logging to TRACE, and repeat the test?

And then send me the zipped log - along with your config.xml file?


Best regards,

Pavol


On 01.07.2016 10:45, Dick Muller wrote:
>
> Hi Pavol,
>
>
> I deleted the two nodes, recreated the Quartz tables and only started 
> the node that was having a problem.
>
> Also the same thing.
>
>
> Strangest thing is that in the log it states that it notices an 
> existing node with that name and a specific OID, but can't find it.
>
> And then stops the Task manager.
>
>
> This is the peace of the log from the latest attempt:
>
>
> 2016-07-01 08:41:30,481 [] [ClusterManagerThread] ERROR 
> (com.evolveum.midpoint.task.quartzimpl.cluster.NodeRegistrar): The 
> record of this node cannot be read (OID 
> 42745a2a-6010-4716-9718-b0de1c5aa436 not found), but another node 
> record with the name 'NA1-IDM-PRD01' exists. It seems that in this 
> cluster there are two or more nodes with the same name 
> 'NA1-IDM-PRD01'. Stopping the scheduler to minimize the damage., 
> reason: Object of type 'NodeType' with oid 
> '42745a2a-6010-4716-9718-b0de1c5aa436' was not found. (class 
> com.evolveum.midpoint.util.exception.ObjectNotFoundException)
>
>
> Thanks,
>
>
> Dick
>
> ------------------------------------------------------------------------
> *Van:* midPoint <midpoint-bounces at lists.evolveum.com> namens Pavol 
> Mederly <mederly at evolveum.com>
> *Verzonden:* vrijdag 1 juli 2016 10:26:39
> *Aan:* midpoint at lists.evolveum.com
> *Onderwerp:* Re: [midPoint] Duplicate node in the Cluster
>
> Hello Dick,
>
>
> this is really strange. If - after your cleanup procedure - you start 
> only that one node (NA1-IDM-PRD01), does the error still occur?
>
>
> Pavol
>
>
> On 01.07.2016 10:15, Dick Muller wrote:
>>
>> Hi,
>>
>>
>> I run two MidPoint servers in a cluster and that worked fine, but 
>> since the last two weeks the first server is complianing that there 
>> is a duplicate nodeId.
>>
>> That is strange because the server is not renewed. I deleted the 
>> nodes in the Task manager, rebuild the quartz database in MySQL and 
>> restarted the tomcat instances.
>>
>> But still no luck, the same error comes back.
>>
>>
>> In the idm.log the following error is raised:
>>
>>
>> 2016-07-01 08:07:05,974 [] [ClusterManagerThread] ERROR 
>> (com.evolveum.midpoint.task.quartzimpl.cluster.NodeRegistrar): The 
>> record of this node cannot be read (OID 
>> 9eca6710-ec8f-4380-a3e4-62de4c97deb4 not found), but another node 
>> record with the name 'NA1-IDM-PRD01' exists. It seems that in this 
>> cluster there are two or more nodes with the same name 
>> 'NA1-IDM-PRD01'. Stopping the scheduler to minimize the damage., 
>> reason: Object of type 'NodeType' with oid 
>> '9eca6710-ec8f-4380-a3e4-62de4c97deb4' was not found. (class 
>> com.evolveum.midpoint.util.exception.ObjectNotFoundException)
>>
>>
>> Regards,
>>
>> ------------------------------------------------------------------------
>>
>> *Dick Muller*
>>
>> Systems Engineer
>>
>> Delftechpark 37i
>> 2628 XJ Delft*
>> d*: +31 88 2682586
>> *m:* +31 6 46477690
>>
>> http://client.tahzoo.com/tahzoo/logo_blue_100w.png 
>> <http://www.tahzoo.com/>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160701/d285f942/attachment.htm>

From ggallard at identicum.com  Fri Jul  1 19:50:38 2016
From: ggallard at identicum.com (Gustavo J Gallardo)
Date: Fri, 1 Jul 2016 14:50:38 -0300
Subject: [midPoint] End-user "Change Password" custom web component
Message-ID: <CAA68kP8ZH8xU=2RDvB+LNTrphmO=hsrAfL6Yt2mh1hryP8a=3Q@mail.gmail.com>

Hi all,
we are running midPoint 3.4 and our customer has an existing web portal
where they want to maintain all end-user interaction.
They are building a component to allow end-users to change their passwords.
We would like them to use the REST API. From the portal, they will have the
username from the session and present a form to ask the user's old_password
and new_password.

Our idea so far:
1) Grant our end-users a custom role with
http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all
authorization, in addition to the minimum requirements to change his own
credentials and it's shadow's credentials.
2) use http://xxxxx/midpoint/ws/rest/users/search, to find the user by name
and parsing the XML result to get his oid.
3) use http://xxxxxx/midpoint/ws/rest/users/{user_oid} to POST an
objectModification to set credentials/password
(both REST calls would use username:old_password for authorization)

Is this the correct approach? Is there any better/easier way to achieve
this?


Thanks,

GJG
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160701/950a65c1/attachment.htm>

From oskar.butovic at ami.cz  Mon Jul 11 16:06:03 2016
From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=)
Date: Mon, 11 Jul 2016 16:06:03 +0200
Subject: [midPoint] storing passwords for external applications
In-Reply-To: <5762A113.2050505@evolveum.com>
References: <CAE8MtZBFr5=kjkU4oUyPGsG07wzJ3an1miT3ohDGq75AzOMnNQ@mail.gmail.com>
 <5762A113.2050505@evolveum.com>
Message-ID: <CAE8MtZB-8Wc6cN090fwhW_dABfrmoGYMFLO3bXwVQV6-8bS10g@mail.gmail.com>

Hi,

I have been able to make it work. Setting implicit location of xsd solved
the issue.
<xsd:import namespace="
http://midpoint.evolveum.com/xml/ns/public/common/common-3" schemaLocation="
http://serverIp:8080/schema/common-3.xsd=http://midpoint.evolveum.com/xml/ns/public/common/common-3
"/>

But I have another issue with storing multiple passwords. When I try to
write outbound mapping for password in credentials in resource handling I
am unable to get to any other variables then the input. Following code
throws "com.evolveum.midpoint.util.exception.SchemaException: No variable
with name user in source definition in mapping in outbound password mapping
in account type Discr(RSD(account (default) @AD-connector-resource))"

<credentials>
            <password>
               <outbound>
                  <source>
                     <c:path>$user/extension/googleAppsPassword</c:path>
                  </source>
                  <expression>
                     <script>
                        <code>
                            result = googleAppsPassword;
                            return result;
                        </code>
                     </script>
                  </expression>
               </outbound>
            </password>
         </credentials>

is there any way how to get to the user variable from the password mapping?

Best regards

Oskar Butovič

2016-06-16 14:52 GMT+02:00 Radovan Semancik <radovan.semancik at evolveum.com>:

> Hi,
>
> Congratulations. It looks like you have found a bug.
>
> This should work exactly the way as you are trying to use it. Please
> report that bug in the Jira. Also please specify the operation that you are
> trying to do when you are getting the exception so we can reproduce the
> issue easier. Thanks.
>
> --
> Radovan Semancik
> Software Architectevolveum.com
>
>
>
> On 06/13/2016 10:17 AM, Oskar Butovič - AMI Praha a.s. wrote:
>
> Hello Everybody,
>
> I am trying to add password for external application (google apps) as a
> new attribute for user because i need to store it and be able to edit it
> later. I tried to use ProtectedStringType in extension schema. But somehow
> this type doesnt work. Midpoint throws exception.
>
> relevant configuration:
>
> <xsd:schema elementFormDefault="qualified"
>             targetNamespace=" <http://avast.com/xml/ns/idmSchema>
> http://avast.com/xml/ns/idmSchema"
>             xmlns:tns=" <http://avast.com/xml/ns/idmSchema>
> http://avast.com/xml/ns/idmSchema"
>             xmlns:a="
> <http://prism.evolveum.com/xml/ns/public/annotation-3>
> http://prism.evolveum.com/xml/ns/public/annotation-3"
>             xmlns:c="
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:t=" <http://prism.evolveum.com/xml/ns/public/types-3>
> http://prism.evolveum.com/xml/ns/public/types-3"
>             xmlns:xsd=" <http://www.w3.org/2001/XMLSchema>
> http://www.w3.org/2001/XMLSchema">
>
>     <xsd:complexType name="UserExtensionType">
>         <xsd:annotation>
>             <xsd:appinfo>
>                 <a:extension ref="c:UserType"/>
>             </xsd:appinfo>
>         </xsd:annotation>
>         <xsd:sequence>
> <xsd:element name="googleAppsPassword" type="t:ProtectedStringType"
> minOccurs="0" maxOccurs="unbounded">
>                 <xsd:annotation>
>                     <xsd:appinfo>
>                         <a:displayName>Google Apps Password</a:displayName>
>                         <a:displayOrder>110</a:displayOrder>
>                         <a:help>Password for google apps account</a:help>
>                     </xsd:appinfo>
>                 </xsd:annotation>
>             </xsd:element>
>
> exception:
>
> Caused by: org.xml.sax.SAXParseException: undefined simple or complex type
> 't:ProtectedStringType'
>         at
> com.sun.xml.xsom.impl.parser.ParserContext$1.reportError(ParserContext.java:180)
> ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>         at
> com.sun.xml.xsom.impl.parser.NGCCRuntimeEx.reportError(NGCCRuntimeEx.java:175)
> ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>         at
> com.sun.xml.xsom.impl.parser.DelayedRef.resolve(DelayedRef.java:110)
> ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>         at com.sun.xml.xsom.impl.parser.DelayedRef.run(DelayedRef.java:85)
> ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>         at
> com.sun.xml.xsom.impl.parser.ParserContext.getResult(ParserContext.java:135)
> ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>         at
> com.sun.xml.xsom.parser.XSOMParser.getResult(XSOMParser.java:214)
> ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>         at
> com.evolveum.midpoint.prism.schema.DomToSchemaProcessor.parseSchema(DomToSchemaProcessor.java:233)
> ~[prism-3.3.1.jar:na]
>         ... 75 common frames omitted
>
>
> Is it a right approach for storing passwords for external applications?
> Should i use another type?
>
>
> Thanks.
>
> Regards,
>
> Oskar Butovič
>
> --
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101
> e-mail: oskar.butovic at ami.cz
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
> [image: AMI Praha a.s.]
>
> [image: AMI Praha a.s.]
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
> písemnou formu.
>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>


-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160711/204a2945/attachment.htm>

From ivan.noris at evolveum.com  Mon Jul 11 16:10:28 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 11 Jul 2016 16:10:28 +0200
Subject: [midPoint] storing passwords for external applications
In-Reply-To: <CAE8MtZB-8Wc6cN090fwhW_dABfrmoGYMFLO3bXwVQV6-8bS10g@mail.gmail.com>
References: <CAE8MtZBFr5=kjkU4oUyPGsG07wzJ3an1miT3ohDGq75AzOMnNQ@mail.gmail.com>
 <5762A113.2050505@evolveum.com>
 <CAE8MtZB-8Wc6cN090fwhW_dABfrmoGYMFLO3bXwVQV6-8bS10g@mail.gmail.com>
Message-ID: <5783A8D4.6090100@evolveum.com>

Hi Oskar,

I have a bad feeling that I had this problem last week when doing some
experiments. We should explore that. Please create a new JIRA for the
$user (maybe also other) variable not visible in credentials mappings.

Regards,
Ivan

On 07/11/2016 04:06 PM, Oskar Butovič - AMI Praha a.s. wrote:
> Hi,
>
> I have been able to make it work. Setting implicit location of xsd
> solved the issue.
> <xsd:import
> namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> schemaLocation="http://serverIp:8080/schema/common-3.xsd=http://midpoint.evolveum.com/xml/ns/public/common/common-3"/>
>
> But I have another issue with storing multiple passwords. When I try
> to write outbound mapping for password in credentials in resource
> handling I am unable to get to any other variables then the input.
> Following code throws
> "com.evolveum.midpoint.util.exception.SchemaException: No variable
> with name user in source definition in mapping in outbound password
> mapping in account type Discr(RSD(account (default)
> @AD-connector-resource))"
>
> <credentials>
>             <password>
>                <outbound>
>                   <source>
>                      <c:path>$user/extension/googleAppsPassword</c:path>
>                   </source>
>                   <expression>
>                      <script>
>                         <code>
>                             result = googleAppsPassword;
>                             return result;
>                         </code>
>                      </script>
>                   </expression>
>                </outbound>
>             </password>
>          </credentials>
>
> is there any way how to get to the user variable from the password
> mapping?
>
> Best regards
>
> Oskar Butovič
>
> 2016-06-16 14:52 GMT+02:00 Radovan Semancik
> <radovan.semancik at evolveum.com <mailto:radovan.semancik at evolveum.com>>:
>
>     Hi,
>
>     Congratulations. It looks like you have found a bug.
>
>     This should work exactly the way as you are trying to use it.
>     Please report that bug in the Jira. Also please specify the
>     operation that you are trying to do when you are getting the
>     exception so we can reproduce the issue easier. Thanks.
>
>     -- 
>     Radovan Semancik
>     Software Architect
>     evolveum.com <http://evolveum.com>
>
>
>
>     On 06/13/2016 10:17 AM, Oskar Butovič - AMI Praha a.s. wrote:
>>     Hello Everybody,
>>
>>     I am trying to add password for external application (google
>>     apps) as a new attribute for user because i need to store it and
>>     be able to edit it later. I tried to use ProtectedStringType in
>>     extension schema. But somehow this type doesnt work. Midpoint
>>     throws exception.
>>
>>     relevant configuration:
>>
>>     <xsd:schema elementFormDefault="qualified"
>>                 targetNamespace="http://avast.com/xml/ns/idmSchema"
>>                 xmlns:tns="http://avast.com/xml/ns/idmSchema"
>>                
>>     xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
>>                
>>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>                 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>>      
>>         <xsd:complexType name="UserExtensionType">
>>             <xsd:annotation>
>>                 <xsd:appinfo>
>>                     <a:extension ref="c:UserType"/>
>>                 </xsd:appinfo>
>>             </xsd:annotation>
>>             <xsd:sequence>
>>     <xsd:element name="googleAppsPassword"
>>     type="t:ProtectedStringType" minOccurs="0" maxOccurs="unbounded">
>>                     <xsd:annotation>
>>                         <xsd:appinfo>
>>                             <a:displayName>Google Apps
>>     Password</a:displayName>
>>                             <a:displayOrder>110</a:displayOrder>
>>                             <a:help>Password for google apps
>>     account</a:help>
>>                         </xsd:appinfo>
>>                     </xsd:annotation>
>>                 </xsd:element>
>>
>>     exception:
>>
>>     Caused by: org.xml.sax.SAXParseException: undefined simple or
>>     complex type 't:ProtectedStringType'
>>             at
>>     com.sun.xml.xsom.impl.parser.ParserContext$1.reportError(ParserContext.java:180)
>>     ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>>             at
>>     com.sun.xml.xsom.impl.parser.NGCCRuntimeEx.reportError(NGCCRuntimeEx.java:175)
>>     ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>>             at
>>     com.sun.xml.xsom.impl.parser.DelayedRef.resolve(DelayedRef.java:110)
>>     ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>>             at
>>     com.sun.xml.xsom.impl.parser.DelayedRef.run(DelayedRef.java:85)
>>     ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>>             at
>>     com.sun.xml.xsom.impl.parser.ParserContext.getResult(ParserContext.java:135)
>>     ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>>             at
>>     com.sun.xml.xsom.parser.XSOMParser.getResult(XSOMParser.java:214)
>>     ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>>             at
>>     com.evolveum.midpoint.prism.schema.DomToSchemaProcessor.parseSchema(DomToSchemaProcessor.java:233)
>>     ~[prism-3.3.1.jar:na]
>>             ... 75 common frames omitted
>>
>>
>>     Is it a right approach for storing passwords for external
>>     applications? Should i use another type? 
>>
>>
>>     Thanks.
>>
>>     Regards,
>>
>>     Oskar Butovič
>>
>>     -- 
>>
>>     Oskar Butovič
>>     solution architect
>>
>>     gsm: [+420] 774 480 101 <tel:%5B%2B420%5D%20774%20480%20101>
>>     e-mail: oskar.butovic at ami.cz <mailto:oskar.butovic at ami.cz>
>>
>>     	    	    	
>>
>>     AMI Praha a.s.
>>     Pláničkova 11
>>     162 00 Praha 6
>>     tel.: [+420] 274 783 239 <tel:%5B%2B420%5D%20274%20783%20239>
>>     web: www.ami.cz <http://www.ami.cz/>
>>
>>     	    	    	
>>
>>     AMI Praha a.s.
>>
>>
>>     AMI Praha a.s.
>>     <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>>
>>
>>     Textem tohoto e-mailu podepisující neslibuje uzavřít ani
>>     neuzavírá za společnost AMI Praha a.s.
>>     jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít
>>     výhradně písemnou formu.
>>
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> -- 
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101
> e-mail: oskar.butovic at ami.cz <mailto:oskar.butovic at ami.cz>
>
> 	    	    	
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz <http://www.ami.cz/>
>
> 	    	    	
>
> AMI Praha a.s.
>
>
> AMI Praha a.s.
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít
> výhradně písemnou formu.
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160711/81421d57/attachment.htm>

From oskar.butovic at ami.cz  Mon Jul 11 16:21:48 2016
From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=)
Date: Mon, 11 Jul 2016 16:21:48 +0200
Subject: [midPoint] storing passwords for external applications
In-Reply-To: <5783A8D4.6090100@evolveum.com>
References: <CAE8MtZBFr5=kjkU4oUyPGsG07wzJ3an1miT3ohDGq75AzOMnNQ@mail.gmail.com>
 <5762A113.2050505@evolveum.com>
 <CAE8MtZB-8Wc6cN090fwhW_dABfrmoGYMFLO3bXwVQV6-8bS10g@mail.gmail.com>
 <5783A8D4.6090100@evolveum.com>
Message-ID: <CAE8MtZD6FgBeMZCucTY+BY7v3b23+-V9vHgTvFgpP11AY9VxxA@mail.gmail.com>

added as https://jira.evolveum.com/browse/MID-3283

2016-07-11 16:10 GMT+02:00 Ivan Noris <ivan.noris at evolveum.com>:

> Hi Oskar,
>
> I have a bad feeling that I had this problem last week when doing some
> experiments. We should explore that. Please create a new JIRA for the $user
> (maybe also other) variable not visible in credentials mappings.
>
> Regards,
> Ivan
>
>
> On 07/11/2016 04:06 PM, Oskar Butovič - AMI Praha a.s. wrote:
>
> Hi,
>
> I have been able to make it work. Setting implicit location of xsd solved
> the issue.
> <xsd:import namespace="
> http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> schemaLocation="
> http://serverIp:8080/schema/common-3.xsd=http://midpoint.evolveum.com/xml/ns/public/common/common-3
> "/>
>
> But I have another issue with storing multiple passwords. When I try to
> write outbound mapping for password in credentials in resource handling I
> am unable to get to any other variables then the input. Following code
> throws "com.evolveum.midpoint.util.exception.SchemaException: No variable
> with name user in source definition in mapping in outbound password mapping
> in account type Discr(RSD(account (default) @AD-connector-resource))"
>
> <credentials>
>             <password>
>                <outbound>
>                   <source>
>                      <c:path>$user/extension/googleAppsPassword</c:path>
>                   </source>
>                   <expression>
>                      <script>
>                         <code>
>                             result = googleAppsPassword;
>                             return result;
>                         </code>
>                      </script>
>                   </expression>
>                </outbound>
>             </password>
>          </credentials>
>
> is there any way how to get to the user variable from the password mapping?
>
> Best regards
>
> Oskar Butovič
>
> 2016-06-16 14:52 GMT+02:00 Radovan Semancik <radovan.semancik at evolveum.com
> >:
>
>> Hi,
>>
>> Congratulations. It looks like you have found a bug.
>>
>> This should work exactly the way as you are trying to use it. Please
>> report that bug in the Jira. Also please specify the operation that you are
>> trying to do when you are getting the exception so we can reproduce the
>> issue easier. Thanks.
>>
>> --
>> Radovan Semancik
>> Software Architectevolveum.com
>>
>>
>>
>> On 06/13/2016 10:17 AM, Oskar Butovič - AMI Praha a.s. wrote:
>>
>> Hello Everybody,
>>
>> I am trying to add password for external application (google apps) as a
>> new attribute for user because i need to store it and be able to edit it
>> later. I tried to use ProtectedStringType in extension schema. But somehow
>> this type doesnt work. Midpoint throws exception.
>>
>> relevant configuration:
>>
>> <xsd:schema elementFormDefault="qualified"
>>             targetNamespace="http://avast.com/xml/ns/idmSchema"
>>             xmlns:tns="http://avast.com/xml/ns/idmSchema"
>>             xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3
>> "
>>             xmlns:c="
>> http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> xmlns:t=" <http://prism.evolveum.com/xml/ns/public/types-3>
>> http://prism.evolveum.com/xml/ns/public/types-3"
>>             xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>>
>>     <xsd:complexType name="UserExtensionType">
>>         <xsd:annotation>
>>             <xsd:appinfo>
>>                 <a:extension ref="c:UserType"/>
>>             </xsd:appinfo>
>>         </xsd:annotation>
>>         <xsd:sequence>
>> <xsd:element name="googleAppsPassword" type="t:ProtectedStringType"
>> minOccurs="0" maxOccurs="unbounded">
>>                 <xsd:annotation>
>>                     <xsd:appinfo>
>>                         <a:displayName>Google Apps
>> Password</a:displayName>
>>                         <a:displayOrder>110</a:displayOrder>
>>                         <a:help>Password for google apps account</a:help>
>>                     </xsd:appinfo>
>>                 </xsd:annotation>
>>             </xsd:element>
>>
>> exception:
>>
>> Caused by: org.xml.sax.SAXParseException: undefined simple or complex
>> type 't:ProtectedStringType'
>>         at
>> com.sun.xml.xsom.impl.parser.ParserContext$1.reportError(ParserContext.java:180)
>> ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>>         at
>> com.sun.xml.xsom.impl.parser.NGCCRuntimeEx.reportError(NGCCRuntimeEx.java:175)
>> ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>>         at
>> com.sun.xml.xsom.impl.parser.DelayedRef.resolve(DelayedRef.java:110)
>> ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>>         at
>> com.sun.xml.xsom.impl.parser.DelayedRef.run(DelayedRef.java:85)
>> ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>>         at
>> com.sun.xml.xsom.impl.parser.ParserContext.getResult(ParserContext.java:135)
>> ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>>         at
>> com.sun.xml.xsom.parser.XSOMParser.getResult(XSOMParser.java:214)
>> ~[jaxb-xjc-2.2.10-b140310.1920.jar:2.2.10-b140310.1920]
>>         at
>> com.evolveum.midpoint.prism.schema.DomToSchemaProcessor.parseSchema(DomToSchemaProcessor.java:233)
>> ~[prism-3.3.1.jar:na]
>>         ... 75 common frames omitted
>>
>>
>> Is it a right approach for storing passwords for external applications?
>> Should i use another type?
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Oskar Butovič
>>
>> --
>>
>> Oskar Butovič
>> solution architect
>>
>> gsm: [+420] 774 480 101 <%5B%2B420%5D%20774%20480%20101>
>> e-mail:  <oskar.butovic at ami.cz>oskar.butovic at ami.cz
>>
>>
>> AMI Praha a.s.
>> Pláničkova 11
>> 162 00 Praha 6
>> tel.: [+420] 274 783 239 <%5B%2B420%5D%20274%20783%20239>
>> web:  <http://www.ami.cz/>www.ami.cz
>>
>>
>> [image: AMI Praha a.s.]
>>
>> [image: AMI Praha a.s.]
>> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>>
>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
>> společnost AMI Praha a.s.
>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
>> písemnou formu.
>>
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
> --
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101
> e-mail: oskar.butovic at ami.cz
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
> [image: AMI Praha a.s.]
>
> [image: AMI Praha a.s.]
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
> písemnou formu.
>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer & IDM Architect
>   evolveum.com                     evolveum.com/blog/
>   ___________________________________________________
>   "Semper ID(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>


-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160711/0746b44f/attachment.htm>

From mmarchese at identicum.com  Mon Jul 11 21:48:31 2016
From: mmarchese at identicum.com (Martin Marchese)
Date: Mon, 11 Jul 2016 16:48:31 -0300
Subject: [midPoint] Custom Schema Attribute with type ObjectReferenceType
Message-ID: <CAG3rmdpRUymO7-KxkyFFjx+RdFrY_OZ5CS-A0VtQuA8_KMLkbA@mail.gmail.com>

Hi All,

I'm trying to add a custom attribute to my role objects and I wanted to be
a a reference to another object. I tried using the ObjectReferenceType like
this

*<?xml version="1.0" encoding="UTF-8" standalone="yes"?>*
*<xsd:schema elementFormDefault="qualified"*
*
targetNamespace="http://midpoint.identicum.com/xml/ns/metaPerson
<http://midpoint.identicum.com/xml/ns/metaPerson>"*
*            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3
<http://prism.evolveum.com/xml/ns/public/annotation-3>"*
*
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3
<http://midpoint.evolveum.com/xml/ns/public/common/common-3>"*
*
xmlns:tns="http://midpoint.evolveum.com/xml/ns/samples/extension-3
<http://midpoint.evolveum.com/xml/ns/samples/extension-3>"*
*            xmlns:xsd="http://www.w3.org/2001/XMLSchema
<http://www.w3.org/2001/XMLSchema>">*
* <xsd:complexType name="RoleExtensionType">*
* <xsd:annotation>*
* <xsd:appinfo>*
* <a:extension ref="c:RoleType"/>*
* </xsd:appinfo>*
* </xsd:annotation>*
* <xsd:sequence>*
* <xsd:element name="metaParent" type="xsd:ObjectReferenceType"
minOccurs="0" maxOccurs="1" />*
* </xsd:sequence>*
* </xsd:complexType>*
*</xsd:schema>*

But when restarting midPoint I receive the following error:

 XML error during XSD schema parsing: undefined simple or complex type
'xsd:ObjectReferenceType'

Is there a way to do this?

Thanks in Advance

*Ing. Martín Marchese*
Identicum S.A.
Anchorena 1357 PB
Tel: +54 (11) 3526.5509
mmarchese at identicum.com
www.identicum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160711/ed55451c/attachment.htm>

From oskar.butovic at ami.cz  Tue Jul 12 09:08:02 2016
From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=)
Date: Tue, 12 Jul 2016 09:08:02 +0200
Subject: [midPoint] Custom Schema Attribute with type ObjectReferenceType
In-Reply-To: <CAG3rmdpRUymO7-KxkyFFjx+RdFrY_OZ5CS-A0VtQuA8_KMLkbA@mail.gmail.com>
References: <CAG3rmdpRUymO7-KxkyFFjx+RdFrY_OZ5CS-A0VtQuA8_KMLkbA@mail.gmail.com>
Message-ID: <CAE8MtZDwqqd0jxHRrtFrOGZHQazjP18hNMWFeczUcKBeBCShnQ@mail.gmail.com>

Hi Martin,

I had simillar problem recently.

1) it should be c:ObjectReferenceType
2) using explicit xsd location like <xsd:import namespace="
http://midpoint.evolveum.com/xml/ns/public/common/common-3" schemaLocation="
http://serverIp:8080/schema/common-3.xsd=http://midpoint.evolveum.com/xml/ns/public/common/common-3
<http://serverip:8080/schema/common-3.xsd=http://midpoint.evolveum.com/xml/ns/public/common/common-3>"/>
should help too. You have to publish xsd on your server in order for this
to work.

Regards

Oskar Butovič

2016-07-11 21:48 GMT+02:00 Martin Marchese <mmarchese at identicum.com>:

> Hi All,
>
> I'm trying to add a custom attribute to my role objects and I wanted to be
> a a reference to another object. I tried using the ObjectReferenceType like
> this
>
> *<?xml version="1.0" encoding="UTF-8" standalone="yes"?>*
> *<xsd:schema elementFormDefault="qualified"*
> *
> targetNamespace="http://midpoint.identicum.com/xml/ns/metaPerson
> <http://midpoint.identicum.com/xml/ns/metaPerson>"*
> *            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3
> <http://prism.evolveum.com/xml/ns/public/annotation-3>"*
> *
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>"*
> *
> xmlns:tns="http://midpoint.evolveum.com/xml/ns/samples/extension-3
> <http://midpoint.evolveum.com/xml/ns/samples/extension-3>"*
> *            xmlns:xsd="http://www.w3.org/2001/XMLSchema
> <http://www.w3.org/2001/XMLSchema>">*
> * <xsd:complexType name="RoleExtensionType">*
> * <xsd:annotation>*
> * <xsd:appinfo>*
> * <a:extension ref="c:RoleType"/>*
> * </xsd:appinfo>*
> * </xsd:annotation>*
> * <xsd:sequence>*
> * <xsd:element name="metaParent" type="xsd:ObjectReferenceType"
> minOccurs="0" maxOccurs="1" />*
> * </xsd:sequence>*
> * </xsd:complexType>*
> *</xsd:schema>*
>
> But when restarting midPoint I receive the following error:
>
>  XML error during XSD schema parsing: undefined simple or complex type
> 'xsd:ObjectReferenceType'
>
> Is there a way to do this?
>
> Thanks in Advance
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Anchorena 1357 PB
> Tel: +54 (11) 3526.5509
> mmarchese at identicum.com
> www.identicum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>


-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160712/bdc99666/attachment.htm>

From B.kazybayev at ktg.kz  Tue Jul 12 13:38:46 2016
From: B.kazybayev at ktg.kz (=?koi8-r?B?4s/MwdQg68Ha2cLBxdc=?=)
Date: Tue, 12 Jul 2016 11:38:46 +0000
Subject: [midPoint] Event driven notification with RESTful service
Message-ID: <76e9c1f58d694b818736e6b365e23255@exch-02.ktg.kz>

Hi there,

First of all, thank you midPoint development team, for a major update of midPoint. It looks amazing!

I have to integrate some information system with midPoint. Thus:

1)      I need to call some REST service when user will be created, modified, deleted using POST, PUT, DELETE method.

2)      I need REST service in order to be called by other information system. Actually I need getUsers and getUserById methods. This methods exist in SOAP web service interface.
I read about IDM Model web-service interface on wiki page https://wiki.evolveum.com/display/midPoint/IDM+Model+Web+Service+Interface, but it seems https://github.com/Evolveum/midpoint/blob/v3.4/infra/schema/src/main/resources/xml/ns/public/model/model-3.wsdl wsdl is broken, because I cannot generate client with SOAPUI. So my questions are:

1.       Where I can get valid wsdl file in order to generate web-service client with SOAPUI?

2.       Is it possible to implement event driven notification service in midPoint?

3.       What is a purpose of services section in GUI?

4.       How to create a service, http://localhost:8080/midpoint/wicket/bookmarkable/com.evolveum.midpoint.web.page.admin.services.PageService?4 , is there any example?
Thank you in advance!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160712/d1e444e8/attachment.htm>

From oskar.butovic at ami.cz  Tue Jul 12 15:46:04 2016
From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=)
Date: Tue, 12 Jul 2016 15:46:04 +0200
Subject: [midPoint] template mapping how to get actual delta
Message-ID: <CAE8MtZDzT0Ch+KV4Qvyfr_oPH13Nx8cx+MCuPjLcyOsuNFb6Bg@mail.gmail.com>

Hello all,

is there any way how to get actual delta in template mapping? variable
operation seemd to be nonexistent in midpoint 3.3.1 .

i would like to execute certain mapping only if other certain user
attributes were changed.

Best Regards

Oskar Butovič

-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160712/411090cb/attachment.htm>

From mmarchese at identicum.com  Tue Jul 12 15:53:42 2016
From: mmarchese at identicum.com (Martin Marchese)
Date: Tue, 12 Jul 2016 10:53:42 -0300
Subject: [midPoint] Relationship userType - orgType
Message-ID: <CAG3rmdpwFPVKhH4i14ZSBTaLB98SiJRDWeco+xzA6zjA5LJv_g@mail.gmail.com>

Hi All,

We are facing a need in our MidPoint implementation. It's the case of an
educational system (made up of many schools).

We have ths schools modeled as orgTypes.

Users can be part of one or more orgTypes, and they can have 1 or more
positions in each school, for example:

user1 can be a teacher and principal in school A and teacher in school B

Is there a way to represent these kind of relationships between orgTypes
and userTypes?

We are looking for something like this (if it's possible):

http://www.internet2.edu/products-services/trust-identity/eduperson-eduorg/

Thanks

*Ing. Martín Marchese*
Identicum S.A.
Anchorena 1357 PB
Tel: +54 (11) 3526.5509
mmarchese at identicum.com
www.identicum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160712/d26d99d5/attachment.htm>

From gustav.palos at evolveum.com  Wed Jul 13 15:15:12 2016
From: gustav.palos at evolveum.com (=?UTF-8?B?UMOhbG9zIEd1c3TDoXY=?=)
Date: Wed, 13 Jul 2016 15:15:12 +0200
Subject: [midPoint] Synchronizing organizational structure with
	DatabaseTableConnector
In-Reply-To: <CAPXQVkfBJYNS9DVxpajjU2YBN-=KR5v8BApN+p74S-xtb5HvZQ@mail.gmail.com>
References: <f0f1cd853fc84a2fa29744e77c9b4c36@exch-02.ktg.kz>
 <a97725c5-c8db-d782-077d-83888f22fb73@evolveum.com>
 <348dda4cee5f41d989a2cf27f36c1763@exch-02.ktg.kz>
 <CAPXQVkdPMFCAJc0D2Z9rBVvxw5s7KRnD+vRor5pUChT2ToQH0A@mail.gmail.com>
 <4cd827c0fad34f15a5ac56220a0cb034@exch-02.ktg.kz>
 <CAPXQVkfBJYNS9DVxpajjU2YBN-=KR5v8BApN+p74S-xtb5HvZQ@mail.gmail.com>
Message-ID: <CAPXQVkeYaYDR62-adFvcaE7UHiQ1752RXQLTBPxNjkTF3GJKxQ@mail.gmail.com>

2016-06-30 18:16 GMT+02:00 Pálos Gustáv <gustav.palos at evolveum.com>:

> Hi Bolat,
>
> sorry for the late answer, you need to set filter in this way:
>          <assignmentTargetSearch>
>             <targetType>c:OrgType</targetType>
>             <filter>
>                <q:equal>
>                   <q:path>*c:identifier*</q:path>
>                   <expression>
>                      <script>
>                         <code>
>
> return costCenter
> </code>
>                      </script>
>                   </expression>
>                </q:equal>
>             </filter>
> ...
>
> you need to find org with c:identifier what you have in costCenter in
> child org as parent_id and not his c:name.
>
> And sorry for my previous User-Org assignment sample, for Orgs-Orgs
> assignments you don't need to do this way. It's better to do this in your's
> way.
>
> Gustav
>
>
> 2016-06-15 7:30 GMT+02:00 Болат Казыбаев <B.kazybayev at ktg.kz>:
>
>> Hi Gustav,
>>
>>
>>
>> Thank you for your example. As I said before, in previous post: “I have, “name” property as org_id, and “costCenter” property as parent_id.” I made an assignment of root org, even though I am not sure if this a correct way.
>>
>>
>>
>> <populateItem>
>>
>>     <expression>
>>
>>         <assignmentTargetSearch>
>>
>>            <targetType>c:OrgType</targetType>
>>
>>            <filter>
>>
>>                <q:equal>
>>
>>                    <q:path>c:name</q:path>
>>
>>                    <expression>
>>
>>                       <script>
>>
>>
>> <code>
>>
>>
>>                             return costCenter
>>
>>                          </code>
>>
>>                       </script>
>>
>>                    </expression>
>>
>>                </q:equal>
>>
>>             </filter>
>>
>>          </assignmentTargetSearch>
>>
>>       </expression>
>>
>>       <target>
>>
>>           <c:path>assignment</c:path>
>>
>>        </target>
>>
>> </populateItem>
>>
>>
>>
>> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On Behalf
>> Of *Palos Gustav
>> *Sent:* Tuesday, June 14, 2016 5:10 PM
>> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>>
>> *Subject:* Re: [midPoint] Synchronizing organizational structure with
>> DatabaseTableConnector
>>
>>
>>
>> Hi Bolat,
>>
>>
>>
>> I have an example how can I assign user to existing org in midpoint
>> by midpoint.searchObjectByName in object template.
>>
>> The similar can work for you, but you need to run import in right order
>> (first root, next his childs, ...)
>>
>>
>>
>> <objectTemplate xmlns="
>> http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>
>>                          xmlns:c="
>> http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>
>>                          xmlns:q="
>> http://prism.evolveum.com/xml/ns/public/query-3"
>>
>>                          xmlns:icfc="
>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3
>> "
>>
>>                          xmlns:icfs="
>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3
>> "
>>
>>                          xmlns:t="
>> http://prism.evolveum.com/xml/ns/public/types-3"
>>
>>           xmlns:cap="
>> http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
>>
>>           xmlns:apti="
>> http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
>>
>>           xmlns:ds="http://www.w3.org/2000/09/xmldsig#
>> <http://www.w3.org/2000/09/xmldsig>"
>>
>>           xmlns:enc="http://www.w3.org/2001/04/xmlenc#
>> <http://www.w3.org/2001/04/xmlenc>"
>>
>>           xmlns:ri="
>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>
>>           xmlns:cdoext="http://xml.uniba.sk/cdoext"
>>
>>           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>
>>           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>
>>           oid="10000000-0000-0000-0210-000000000101">
>>
>>    <name>User Template</name>
>>
>>
>>
>>
>>
>>
>>
>>             <mapping>
>>
>>       <name>User org mapping</name>
>>
>>       <authoritative>true</authoritative>
>>
>>       <source>
>>
>>          <c:path xmlns:ext="http://xxx">extension/namesOfOrgs</c:path>
>>
>>                         <c:name>namesOfOrg</c:name>
>>
>>       </source>
>>
>>       <expression>
>>
>>          <script>
>>
>>             <!-- <relativityMode>absolute</relativityMode> --><!-- FIX
>> for multivalue -->
>>
>>             <code>
>>
>>                           import
>> com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
>>
>>                           import
>> com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
>>
>>                           import
>> com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
>>
>>                           import java.util.*;
>>
>>
>>
>>                           log.info("XXX assigning from org {}" ,
>> namesOfOrg)
>>
>>                           if (namesOfOrg != null){
>>
>>
>>
>>                                        org =
>> midpoint.searchObjectByName(OrgType.class, namesOfOrg);
>>
>>                                        log.info("org {}" , org)
>>
>>                                        orgOrt = new ObjectReferenceType();
>>
>>                                       orgOrt.setOid(org.getOid());
>>
>>
>>  orgOrt.setType(OrgType.COMPLEX_TYPE);
>>
>>
>>
>>
>>                                       AssignmentType assignment = new
>> AssignmentType();
>>
>>                                       assignment.asPrismContainerValue()
>>
>>                                       assignment.setTargetRef(orgOrt);
>>
>>
>>
>>                                       return assignment
>>
>>                           }
>>
>>                           </code>
>>
>>          </script>
>>
>>       </expression>
>>
>>       <target>
>>
>>          <c:path>assignment</c:path>
>>
>>       </target>
>>
>>       <condition>
>>
>>          <script>
>>
>>             <code>
>>
>>                         return namesOfOrg != null
>>
>>             </code>
>>
>>          </script>
>>
>>       </condition>
>>
>>    </mapping>
>>
>>
>>
>> </objectTemplate>
>>
>>
>>
>> Gustav
>>
>>
>>
>> 2016-06-14 12:48 GMT+02:00 Болат Казыбаев <B.kazybayev at ktg.kz>:
>>
>> Hi Pavol,
>>
>>
>>
>> Thank you for your suggestion. I changed “Identifier” to lower-case and
>> it works.  J Now I need to make an organization tree using parent-child
>> reference. In fact now I have, “name” property as org_id, and “costCenter”
>> property as parent_id. Any suggestions how to make it?
>>
>>
>>
>> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On Behalf
>> Of *Pavol Mederly
>> *Sent:* Tuesday, June 14, 2016 3:41 PM
>> *To:* midpoint at lists.evolveum.com
>> *Subject:* Re: [midPoint] Synchronizing organizational structure with
>> DatabaseTableConnector
>>
>>
>>
>> Hello Bolat,
>>
>> I would suggest replacing c:Identifier with c:identifier (lower-cased) -
>> in all paths referencing "identifier" property of the OrgType; including
>> the search filter used for correlation.
>>
>> Best regards,
>>
>> Pavol
>>
>> On 14.06.2016 11:32, Болат Казыбаев wrote:
>>
>> Hello all,
>>
>>
>>
>> I’m trying to sync my org data from database table to midpoint. I read
>> all previous topics about that and compose resource xml (in attachment).
>> There is an error: “Failed to import:
>> com.evolveum.midpoint.util.exception.SystemException: Error occurred during
>> resource object shadow owner lookup, reason: Couldn't search user”.
>>
>>
>>
>> Where am I wrong in xml configuration?
>>
>>
>>
>> _______________________________________________
>>
>> midPoint mailing list
>>
>> midPoint at lists.evolveum.com
>>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160713/d2d2c0c0/attachment.htm>

From radovan.semancik at evolveum.com  Thu Jul 14 16:00:00 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 14 Jul 2016 16:00:00 +0200
Subject: [midPoint] MidPoint 3.5 Development Plan
Message-ID: <57879AE0.6090406@evolveum.com>

Dear midPoint community,

MidPoint 3.4 is released. And I would like to thanks all the supporters 
and contributors once again. Now it is time ti focus on midPoint 3.5.

Some time ago the MidPoint project has switched to the roadmap and 
planing method based on sponsored features. For those of you that are 
not familiar with this method it works like this: Evolveum will invest 
in one or two major feature or architectural improvement in each 
midPoint release. But the rest of the features are chosen by midPoint 
subscribers and sponsors. Each midPoint subscriber has the privilege to 
influence a roadmap and to endorse specific features (reasonably 
proportional to their subscription price). Any member of midPoint 
community may sponsor a specific feature which basically means that he 
pays for the development cost. More than a half of each midPoint release 
plan is reserved for the sponsored features.

Evolveum will invest in development of JSON a YAML support in midPoint 
3.5. The rest of the midPoint 3.5 development plan is open for 
sponsoring and now it is the right time to get your feature into the 3.5 
development plan. Therefore any midPoint subscriber that wants to 
endorse and specific feature or anyone else who is willing to sponsor a 
feature please do not hesitate to contact us.

-- 
Radovan Semancik
Software Architect
evolveum.com



From radovan.semancik at evolveum.com  Thu Jul 14 16:41:17 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 14 Jul 2016 16:41:17 +0200
Subject: [midPoint] End-user "Change Password" custom web component
In-Reply-To: <CAA68kP8ZH8xU=2RDvB+LNTrphmO=hsrAfL6Yt2mh1hryP8a=3Q@mail.gmail.com>
References: <CAA68kP8ZH8xU=2RDvB+LNTrphmO=hsrAfL6Yt2mh1hryP8a=3Q@mail.gmail.com>
Message-ID: <5787A48D.20004@evolveum.com>

Hi Gustavo,

Yes, this is a correct approach. I'm am slightly concerned about the 
step 2, though. If the user has the ability to read it's own object 
("self") then that step should work. But I'm not sure if we have tested 
this. But I'm sure you are going to try it. So in case that it does not 
work please report a bug, because it is supposed to work.

Thinking about this ... I can see that this process might be a bit 
cumbersome and a bit inefficient. Especially considering that midPoint 
knows the identity of logged-in user (even in REST). So I can imagine 
having a resource something like 
http://xxxxx/midpoint/ws/rest/users/self that could return the object 
representing the logged-in user. This will make it all easier. However, 
this is not implemented now. If you want that please add that as a new 
feature in jira. However it will need sponsoring or subscriber 
endorsement to get implemented anytime soon.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 07/01/2016 07:50 PM, Gustavo J Gallardo wrote:
> Hi all,
> we are running midPoint 3.4 and our customer has an existing web 
> portal where they want to maintain all end-user interaction.
> They are building a component to allow end-users to change their 
> passwords. We would like them to use the REST API. From the portal, 
> they will have the username from the session and present a form to ask 
> the user's old_password and new_password.
>
> Our idea so far:
> 1) Grant our end-users a custom role with 
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all 
> authorization, in addition to the minimum requirements to change his 
> own credentials and it's shadow's credentials.
> 2) use http://xxxxx/midpoint/ws/rest/users/search, to find the user by 
> name and parsing the XML result to get his oid.
> 3) use http://xxxxxx/midpoint/ws/rest/users/{user_oid} 
> <http://xxxxxx/midpoint/ws/rest/users/%7Buser_oid%7D> to POST an 
> objectModification to set credentials/password
> (both REST calls would use username:old_password for authorization)
>
> Is this the correct approach? Is there any better/easier way to 
> achieve this?
>
>
> Thanks,
>
> GJG
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160714/a2ad4acb/attachment.htm>

From radovan.semancik at evolveum.com  Thu Jul 14 16:59:34 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 14 Jul 2016 16:59:34 +0200
Subject: [midPoint] Event driven notification with RESTful service
In-Reply-To: <76e9c1f58d694b818736e6b365e23255@exch-02.ktg.kz>
References: <76e9c1f58d694b818736e6b365e23255@exch-02.ktg.kz>
Message-ID: <5787A8D6.40105@evolveum.com>

Hi,

On 07/12/2016 01:38 PM, Болат Казыбаев wrote:
> First of all, thank you midPoint development team, for a major update 
> of midPoint. It looks amazing!

Thanks for your kind words.

> I read about IDM Model web-service interface on wiki page 
> https://wiki.evolveum.com/display/midPoint/IDM+Model+Web+Service+Interface, 
> but it seems 
> https://github.com/Evolveum/midpoint/blob/v3.4/infra/schema/src/main/resources/xml/ns/public/model/model-3.wsdl 
> wsdl is broken, because I cannot generate client with SOAPUI. So my 
> questions are:
>
> 1.Where I can get valid wsdl file in order to generate web-service 
> client with SOAPUI?
>

Short answer: look into the schema/ folder in midpoint distribution 
archive (midpoint-3.4.tar.gz). There are WSDL and XSD files with 
relative paths that are designed especially to be used with SoapUI and 
similar tools.

The long answer: it is all a bit complicated. The WSDL files in the 
midpoint source code is tuned to satisfy the JAXWS/JAXB compilation 
plugins and runtime and it required a lot of tweaking and hacking. This 
made them difficult to use in other projects. The WSDL/XSD generated at 
runtime also has some issues that are not always easy to solve. So some 
time ago my patience run out and I have created a maven plugin which is 
converting the files to a plain clean and nice relative paths. And this 
is included in the midpoint distribution.

> 2.Is it possible to implement event driven notification service in 
> midPoint?
>

I'm not entirely sure that I understand what you need. If you want 
midpoint to call a third-party web service when something is changed 
then it is certainly possible. But not necessarily easy. It will require 
some coding. One way is to use scripting hooks 
(https://wiki.evolveum.com/display/midPoint/Scripting+Hooks). Scripting 
hooks are called on every change in midPoint and you can use Groovy (or 
Python or JS code) to invoke the web service. You can also use similar 
approach with pure java hooks that you can register into midPoint code. 
But that requires custom build and the scripting hooks may be easier to 
use for you.

> 3.What is a purpose of services section in GUI?
>
> 4.How to create a service, 
> http://localhost:8080/midpoint/wicket/bookmarkable/com.evolveum.midpoint.web.page.admin.services.PageService?4 
> , is there any example?
>

This seems to be a common question :-) The short answer is that these 
are supposed to represent servers, mobile devices, printers, virtual 
machines, "things" (as in IoT) and other 
not-entirely-user-or-role-or-org objects. The long answer will come 
shortly when Katka will find the time to write the documentation ...

-- 
Radovan Semancik
Software Architect
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160714/d75ac4af/attachment.htm>

From radovan.semancik at evolveum.com  Thu Jul 14 17:16:37 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 14 Jul 2016 17:16:37 +0200
Subject: [midPoint] Relationship userType - orgType
In-Reply-To: <CAG3rmdpwFPVKhH4i14ZSBTaLB98SiJRDWeco+xzA6zjA5LJv_g@mail.gmail.com>
References: <CAG3rmdpwFPVKhH4i14ZSBTaLB98SiJRDWeco+xzA6zjA5LJv_g@mail.gmail.com>
Message-ID: <5787ACD5.2000107@evolveum.com>

Hi,

Oh yes, there is a very nice way: just use assignments.

Users can have assignments for Orgs. They can have any number of 
assignments to any number of Orgs. A user can even have several 
assignments to the same org as long as there are different parameters 
(orgRef, tenantRef or any extension property). Assignments can have 
extension properties that define the type of the assignment if you need 
that (e.g. to differentiate teacher and student). Or you can use the 
"relation" feature in targetRef. We use that feature to distinguish 
organization managers from members, but it should be generic enough to 
also support other types (teacher, student). Assignments also have 
validity ("from" and "to" dates), so they are ideal to model relations 
with a fixed end date such as student affiliations to school that 
automatically end at the end of semester.

Assignments are designed from the day 1 to handle exactly the use case 
that you are describing.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 07/12/2016 03:53 PM, Martin Marchese wrote:
> Hi All,
>
> We are facing a need in our MidPoint implementation. It's the case of 
> an educational system (made up of many schools).
>
> We have ths schools modeled as orgTypes.
>
> Users can be part of one or more orgTypes, and they can have 1 or more 
> positions in each school, for example:
>
> user1 can be a teacher and principal in school A and teacher in school B
>
> Is there a way to represent these kind of relationships between 
> orgTypes and userTypes?
>
> We are looking for something like this (if it's possible):
>
> http://www.internet2.edu/products-services/trust-identity/eduperson-eduorg/
>
> Thanks
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Anchorena 1357 PB
> Tel: +54 (11) 3526.5509
> mmarchese at identicum.com <mailto:mmarchese at identicum.com>
> www.identicum.com <http://www.identicum.com>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160714/0e30295b/attachment.htm>

From radovan.semancik at evolveum.com  Thu Jul 14 17:31:27 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 14 Jul 2016 17:31:27 +0200
Subject: [midPoint] template mapping how to get actual delta
In-Reply-To: <CAE8MtZDzT0Ch+KV4Qvyfr_oPH13Nx8cx+MCuPjLcyOsuNFb6Bg@mail.gmail.com>
References: <CAE8MtZDzT0Ch+KV4Qvyfr_oPH13Nx8cx+MCuPjLcyOsuNFb6Bg@mail.gmail.com>
Message-ID: <5787B04F.6060204@evolveum.com>

Hi,

Missing operation variable in the template seems to be a bug. Please 
file a bug report in our jira.

There is no variable that represents the delta now. And maybe there 
should be. I can see that this can be quite useful. Please add a feature 
request in jira. It should not be difficult to implement. However, it 
will need an endorsement from a midPoint subscriber (as usual).

Yet, there may be an indirect way how to get to the delta. You can get 
it from the model context 
(https://wiki.evolveum.com/display/midPoint/Model+Context). Now the 
question is how to get the model context in the expression. There seems 
to be no elegant way how to get it using MidPointFunctions library. That 
function seems to be omitted by mistake. But there is a less elegant way:

ctx = ModelExpressionThreadLocalHolder.getLensContext();

... that might work. Give it a try. Just please be aware that this is a 
bit of hacking and this method may disappear sometime in the future.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 07/12/2016 03:46 PM, Oskar Butovič - AMI Praha a.s. wrote:
> Hello all,
>
> is there any way how to get actual delta in template mapping? variable 
> operation seemd to be nonexistent in midpoint 3.3.1 .
>
> i would like to execute certain mapping only if other certain user 
> attributes were changed.
>
> Best Regards
>
> Oskar Butovič
>
> -- 
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101
> e-mail: oskar.butovic at ami.cz <mailto:oskar.butovic at ami.cz>
>
> 			
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz <http://www.ami.cz/>
>
> 			
>
> AMI Praha a.s.
>
>
> AMI Praha a.s. 
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za 
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít 
> výhradně písemnou formu.
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160714/e17e4fff/attachment.htm>

From katka.valalikova at evolveum.com  Thu Jul 14 17:56:19 2016
From: katka.valalikova at evolveum.com (Katka Valalikova)
Date: Thu, 14 Jul 2016 17:56:19 +0200 (CEST)
Subject: [midPoint] get extension attribute in a jasper report
In-Reply-To: <CAEYZk3T=2KFPM-owTc5e=QZCZpEuztHeEVPwh4jX8TF_ye==fw@mail.gmail.com>
References: <CAEYZk3T=2KFPM-owTc5e=QZCZpEuztHeEVPwh4jX8TF_ye==fw@mail.gmail.com>
Message-ID: <2078434021.1022142.1468511779160.JavaMail.zimbra@evolveum.com>

Hi Marco, 

yes, in the previous versions there wasn't possibility to work with complex path in reports. I just pushed the improvement to master (git version d4c0881) to support it. Now you can try to use: 

extension/myattriubte in "report field" and then textFieldExpression: <textFieldExpression><![CDATA[$F{/extension/myattribute}]]></textFieldExpression> 

Let me know if it works for you, 
Best regards, 
Katarina Valalikova 


----- Original Message -----

From: "Marco Benucci" <benucci.marco92 at gmail.com> 
To: midpoint at lists.evolveum.com 
Sent: Monday, June 13, 2016 11:27:34 AM 
Subject: [midPoint] get extension attribute in a jasper report 

Hi, 

I'd like to get some extension attributes from users when I make the "User in midPoint" report. 

I have tried in "report field": 
name: /extension/myattriubte 
Class: java.lang.String 
textFieldExpression: <textFieldExpression><![CDATA[$F{/extension/myattribute}]]></textFieldExpression> 

or 
name: Extension 
Class: "com.evolveum.midpoint.xml.ns._public.common.common_3.ExtensionType" 

textfieldExpression: <textFieldExpression><![CDATA[$F{Extension}.getAny().toString()]]></textFieldExpression> 


but without result.... 

_______________________________________________ 
midPoint mailing list 
midPoint at lists.evolveum.com 
http://lists.evolveum.com/mailman/listinfo/midpoint 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160714/4f8b7136/attachment.htm>

From fstingaciu at mirantis.com  Fri Jul 15 21:03:42 2016
From: fstingaciu at mirantis.com (Florin. Stingaciu)
Date: Fri, 15 Jul 2016 12:03:42 -0700
Subject: [midPoint] SSO, passwords, and end users
Message-ID: <CAMQHPY0sur6eepkBPwUW=ACACoOguezK9--ATtndSFTqGsBuGw@mail.gmail.com>

Hello,

In our instance of midPoint, we're using SSO to authenticate users. There
are some issues that we've experienced in this set up and I wanted to let
you guys know.

*Users changing their password*
When using SSO, users no longer have a password associated with their
midPoint account. However, we'd still like to allow users to change their
passwords for their accounts on a resource. Unfortunately we can't utilize
the Credentials page as the page will request for your old password --
which doesn't exist. Right now, I had to resort to using the authorization
rules to allow end users to modify their password directly on the
Projection. This process is not very intuitive, especially when the user
doesn't have a password set up on the account at all (they have to click
the "show empty fields")

Ideally, the fact that SSO is enabled should generate a different
credentials page that lets you change your password on an account of your
choosing without asking for the old password.

*End Users *
Another issue we found was that when a user tries to access midPoint and
doesn't have the End User role while SSO is in place, the server spits back
a 500 error. Ideally, an error message should be generated letting the user
know that he lacks authorization to access the midPoint GUI.

Thanks,
-F
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160715/46dc9d8b/attachment.htm>

From fstingaciu at mirantis.com  Fri Jul 15 22:31:31 2016
From: fstingaciu at mirantis.com (Florin. Stingaciu)
Date: Fri, 15 Jul 2016 13:31:31 -0700
Subject: [midPoint] Password policy not applied when changing password from
	projection
Message-ID: <CAMQHPY3KCtXwN=dbO5q5kwsZeLa3MRSPh-dB5f3Gi=sGBnDyfA@mail.gmail.com>

Hello,

I defined a password policy, and referenced it in the credentials section
of the accounts on a particular resource. If I change the password by
directly editing the password field on the projection, the password policy
does not apply. Not even the global password policy applies to that field.

I'm using version 3.4.

Thanks,
-F
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160715/046f11ea/attachment.htm>

From ggallard at identicum.com  Sun Jul 17 18:19:20 2016
From: ggallard at identicum.com (Gustavo J Gallardo)
Date: Sun, 17 Jul 2016 13:19:20 -0300
Subject: [midPoint] DB error starting midPoint 3.4
Message-ID: <CAA68kP9NRyoQKZV=36c5VLLhWXNBHqvwsWO+25RcbBMYSK1ZUw@mail.gmail.com>

Hi,
we are running midPoint 3.4 with database PostgreSQL 9.2, and getting this
error:
*2016-07-17 13:00:49,887 [] [midPointScheduler_Worker-2] ERROR
(org.hibernate.engine.jdbc.spi.SqlExceptionHelper): Batch entry 0 update
m_object set booleansCount=0,
createChannel='http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init
<http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init>',
createTimestamp='2016-06-02 17:23:48.969000 -03:00:00',
creatorRef_relation=NULL, creatorRef_targetOid=NULL, creatorRef_type=NULL,
datesCount=1, fullObject=?, longsCount=0, modifierRef_relation=NULL,
modifierRef_targetOid=NULL, modifierRef_type=NULL, modifyChannel=NULL,
modifyTimestamp=NULL, name_norm='validity scanner', name_orig='Validity
Scanner', objectTypeClass='9', polysCount=0, referencesCount=0,
stringsCount=0, tenantRef_relation=NULL, tenantRef_targetOid=NULL,
tenantRef_type=NULL, version=13637 where
oid='00000000-0000-0000-0000-000000000006' was aborted.  Call
getNextException to see the cause.*
*2016-07-17 13:00:49,887 [] [midPointScheduler_Worker-2] ERROR
(org.hibernate.engine.jdbc.spi.SqlExceptionHelper): ERROR: could not
serialize access due to read/write dependencies among transactions*
*  Detail: Reason code: Canceled on identification as a pivot, during
write.*
*  Hint: The transaction might succeed if retried.*
*2016-07-17 13:00:49,892 [] [midPointScheduler_Worker-2] ERROR
(org.hibernate.engine.jdbc.batch.internal.BatchingBatch): HHH000315:
Exception executing batch [could not execute batch]*


Any ideas?

Attached is complete idm.log trying to start the server.

Thanks,

GJG
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160717/650f0637/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: idm.log
Type: application/octet-stream
Size: 11995 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160717/650f0637/attachment.obj>

From ggallard at identicum.com  Sun Jul 17 20:15:11 2016
From: ggallard at identicum.com (Gustavo J Gallardo)
Date: Sun, 17 Jul 2016 15:15:11 -0300
Subject: [midPoint] End-user "Change Password" custom web component
In-Reply-To: <5787A48D.20004@evolveum.com>
References: <CAA68kP8ZH8xU=2RDvB+LNTrphmO=hsrAfL6Yt2mh1hryP8a=3Q@mail.gmail.com>
 <5787A48D.20004@evolveum.com>
Message-ID: <CAA68kP_pdak-9kkSxsrG==exsYRzYfaGhhAMd0Znna-aanD9yQ@mail.gmail.com>

Hi Radovan,
thanks for your response.

Yes, we tested it and it works, but as you mentioned it is not very
efficient.
The approach you mention is the one I was hoping it existed, that's why I
entered the question to the list. I'll try to get our customer to subscribe
and endorse it.


Thanks,

GJG

On Thu, Jul 14, 2016 at 11:41 AM, Radovan Semancik <
radovan.semancik at evolveum.com> wrote:

> Hi Gustavo,
>
> Yes, this is a correct approach. I'm am slightly concerned about the step
> 2, though. If the user has the ability to read it's own object ("self")
> then that step should work. But I'm not sure if we have tested this. But
> I'm sure you are going to try it. So in case that it does not work please
> report a bug, because it is supposed to work.
>
> Thinking about this ... I can see that this process might be a bit
> cumbersome and a bit inefficient. Especially considering that midPoint
> knows the identity of logged-in user (even in REST). So I can imagine
> having a resource something like http://xxxxx/midpoint/ws/rest/users/self
> that could return the object representing the logged-in user. This will
> make it all easier. However, this is not implemented now. If you want that
> please add that as a new feature in jira. However it will need sponsoring
> or subscriber endorsement to get implemented anytime soon.
>
> --
> Radovan Semancik
> Software Architectevolveum.com
>
>
>
> On 07/01/2016 07:50 PM, Gustavo J Gallardo wrote:
>
> Hi all,
> we are running midPoint 3.4 and our customer has an existing web portal
> where they want to maintain all end-user interaction.
> They are building a component to allow end-users to change their
> passwords. We would like them to use the REST API. From the portal, they
> will have the username from the session and present a form to ask the
> user's old_password and new_password.
>
> Our idea so far:
> 1) Grant our end-users a custom role with
> <http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all>
> http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all
> authorization, in addition to the minimum requirements to change his own
> credentials and it's shadow's credentials.
> 2) use http://xxxxx/midpoint/ws/rest/users/search, to find the user by
> name and parsing the XML result to get his oid.
> 3) use http://xxxxxx/midpoint/ws/rest/users/{user_oid} to POST an
> objectModification to set credentials/password
> (both REST calls would use username:old_password for authorization)
>
> Is this the correct approach? Is there any better/easier way to achieve
> this?
>
>
> Thanks,
>
> GJG
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160717/55cb4259/attachment.htm>

From radovan.semancik at evolveum.com  Mon Jul 18 09:42:52 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Mon, 18 Jul 2016 09:42:52 +0200
Subject: [midPoint] End-user "Change Password" custom web component
In-Reply-To: <CAA68kP_pdak-9kkSxsrG==exsYRzYfaGhhAMd0Znna-aanD9yQ@mail.gmail.com>
References: <CAA68kP8ZH8xU=2RDvB+LNTrphmO=hsrAfL6Yt2mh1hryP8a=3Q@mail.gmail.com>
 <5787A48D.20004@evolveum.com>
 <CAA68kP_pdak-9kkSxsrG==exsYRzYfaGhhAMd0Znna-aanD9yQ@mail.gmail.com>
Message-ID: <578C887C.6000900@evolveum.com>

Hi,

Thanks a lot, sponsoring/endorsement would really help here. I have 
created issue in Jira to track this: 
https://jira.evolveum.com/browse/MID-3298

-- 
Radovan Semancik
Software Architect
evolveum.com



On 07/17/2016 08:15 PM, Gustavo J Gallardo wrote:
> Hi Radovan,
> thanks for your response.
>
> Yes, we tested it and it works, but as you mentioned it is not very 
> efficient.
> The approach you mention is the one I was hoping it existed, that's 
> why I entered the question to the list. I'll try to get our customer 
> to subscribe and endorse it.
>
>
> Thanks,
>
> GJG
>
> On Thu, Jul 14, 2016 at 11:41 AM, Radovan Semancik 
> <radovan.semancik at evolveum.com <mailto:radovan.semancik at evolveum.com>> 
> wrote:
>
>     Hi Gustavo,
>
>     Yes, this is a correct approach. I'm am slightly concerned about
>     the step 2, though. If the user has the ability to read it's own
>     object ("self") then that step should work. But I'm not sure if we
>     have tested this. But I'm sure you are going to try it. So in case
>     that it does not work please report a bug, because it is supposed
>     to work.
>
>     Thinking about this ... I can see that this process might be a bit
>     cumbersome and a bit inefficient. Especially considering that
>     midPoint knows the identity of logged-in user (even in REST). So I
>     can imagine having a resource something like
>     http://xxxxx/midpoint/ws/rest/users/self that could return the
>     object representing the logged-in user. This will make it all
>     easier. However, this is not implemented now. If you want that
>     please add that as a new feature in jira. However it will need
>     sponsoring or subscriber endorsement to get implemented anytime soon.
>
>     -- 
>     Radovan Semancik
>     Software Architect
>     evolveum.com <http://evolveum.com>
>
>
>
>     On 07/01/2016 07:50 PM, Gustavo J Gallardo wrote:
>>     Hi all,
>>     we are running midPoint 3.4 and our customer has an existing web
>>     portal where they want to maintain all end-user interaction.
>>     They are building a component to allow end-users to change their
>>     passwords. We would like them to use the REST API. From the
>>     portal, they will have the username from the session and present
>>     a form to ask the user's old_password and new_password.
>>
>>     Our idea so far:
>>     1) Grant our end-users a custom role with
>>     http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#all
>>     authorization, in addition to the minimum requirements to change
>>     his own credentials and it's shadow's credentials.
>>     2) use http://xxxxx/midpoint/ws/rest/users/search, to find the
>>     user by name and parsing the XML result to get his oid.
>>     3) use http://xxxxxx/midpoint/ws/rest/users/{user_oid}
>>     <http://xxxxxx/midpoint/ws/rest/users/%7Buser_oid%7D> to POST an
>>     objectModification to set credentials/password
>>     (both REST calls would use username:old_password for authorization)
>>
>>     Is this the correct approach? Is there any better/easier way to
>>     achieve this?
>>
>>
>>     Thanks,
>>
>>     GJG
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160718/14e628c7/attachment.htm>

From radovan.semancik at evolveum.com  Mon Jul 18 09:53:04 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Mon, 18 Jul 2016 09:53:04 +0200
Subject: [midPoint] SSO, passwords, and end users
In-Reply-To: <CAMQHPY0sur6eepkBPwUW=ACACoOguezK9--ATtndSFTqGsBuGw@mail.gmail.com>
References: <CAMQHPY0sur6eepkBPwUW=ACACoOguezK9--ATtndSFTqGsBuGw@mail.gmail.com>
Message-ID: <578C8AE0.3060801@evolveum.com>

Hi,

On 07/15/2016 09:03 PM, Florin. Stingaciu wrote:
> *Users changing their password*
> When using SSO, users no longer have a password associated with their 
> midPoint account. However, we'd still like to allow users to change 
> their passwords for their accounts on a resource. Unfortunately we 
> can't utilize the Credentials page as the page will request for your 
> old password -- which doesn't exist. Right now, I had to resort to 
> using the authorization rules to allow end users to modify their 
> password directly on the Projection. This process is not very 
> intuitive, especially when the user doesn't have a password set up on 
> the account at all (they have to click the "show empty fields")
>
> Ideally, the fact that SSO is enabled should generate a different 
> credentials page that lets you change your password on an account of 
> your choosing without asking for the old password.

We already have setting for that:

https://github.com/Evolveum/midpoint/blob/master/samples/objects/security-policy-password.xml

see passwordChangeSecurity

Unfortunately, it is currently documented only in the schema 
(common-core-3.xsd).

> *End Users *
> Another issue we found was that when a user tries to access midPoint 
> and doesn't have the End User role while SSO is in place, the server 
> spits back a 500 error. Ideally, an error message should be generated 
> letting the user know that he lacks authorization to access the 
> midPoint GUI.

Yes, it should be 401 and not 500. Please file a bug report for that.

-- 
Radovan Semancik
Software Architect
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160718/84b31187/attachment.htm>

From radovan.semancik at evolveum.com  Mon Jul 18 10:01:27 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Mon, 18 Jul 2016 10:01:27 +0200
Subject: [midPoint] Password policy not applied when changing password
 from projection
In-Reply-To: <CAMQHPY3KCtXwN=dbO5q5kwsZeLa3MRSPh-dB5f3Gi=sGBnDyfA@mail.gmail.com>
References: <CAMQHPY3KCtXwN=dbO5q5kwsZeLa3MRSPh-dB5f3Gi=sGBnDyfA@mail.gmail.com>
Message-ID: <578C8CD7.9010207@evolveum.com>

Hi,

This seems like a bug. Or a missing feature. The primary purpose of the 
password policy definition here is to generate new passwords, not so 
much about checking the password. The resource will check the password 
anyway (or at least it should). But you are right. We want to properly 
implement resource password policies also in midPoint - for cases of 
resources not checking the policies and for nicer error messages.

Anyway, please file a bug report. I'll take care of handling and 
re-categorizing that as necessary.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 07/15/2016 10:31 PM, Florin. Stingaciu wrote:
> Hello,
>
> I defined a password policy, and referenced it in the credentials 
> section of the accounts on a particular resource. If I change the 
> password by directly editing the password field on the projection, the 
> password policy does not apply. Not even the global password policy 
> applies to that field.
>
> I'm using version 3.4.
>
> Thanks,
> -F
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160718/1773631b/attachment.htm>

From vilo.repan at evolveum.com  Mon Jul 18 13:18:29 2016
From: vilo.repan at evolveum.com (Viliam Repan)
Date: Mon, 18 Jul 2016 13:18:29 +0200
Subject: [midPoint] DB error starting midPoint 3.4
In-Reply-To: <CAA68kP9NRyoQKZV=36c5VLLhWXNBHqvwsWO+25RcbBMYSK1ZUw@mail.gmail.com>
References: <CAA68kP9NRyoQKZV=36c5VLLhWXNBHqvwsWO+25RcbBMYSK1ZUw@mail.gmail.com>
Message-ID: <578CBB05.30503@evolveum.com>

Hi Gustavo,

I've tried to run clean installation of midpoint 3.4 against postgresql 
9.2 on ubuntu 14.04 and I can't replicate this behavior - does it happen 
after restart?.
Do you have clean installation any other environment specific stuff?
I've tested it on ubuntu 14.04 (64bit) with postgres 9.2.17, tomcat 8, 
oracle java 8

*00000000-0000-0000-0000-000000000006* is validity task so I'm not sure 
what happened

v

On 17.07.2016 18:19, Gustavo J Gallardo wrote:
> Hi,
> we are running midPoint 3.4 with database PostgreSQL 9.2, and getting 
> this error:
> *2016-07-17 13:00:49,887 [] [midPointScheduler_Worker-2] ERROR 
> (org.hibernate.engine.jdbc.spi.SqlExceptionHelper): Batch entry 0 
> update m_object set booleansCount=0, 
> createChannel='http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init', 
> createTimestamp='2016-06-02 17:23:48.969000 -03:00:00', 
> creatorRef_relation=NULL, creatorRef_targetOid=NULL, 
> creatorRef_type=NULL, datesCount=1, fullObject=?, longsCount=0, 
> modifierRef_relation=NULL, modifierRef_targetOid=NULL, 
> modifierRef_type=NULL, modifyChannel=NULL, modifyTimestamp=NULL, 
> name_norm='validity scanner', name_orig='Validity Scanner', 
> objectTypeClass='9', polysCount=0, referencesCount=0, stringsCount=0, 
> tenantRef_relation=NULL, tenantRef_targetOid=NULL, 
> tenantRef_type=NULL, version=13637 where 
> oid='00000000-0000-0000-0000-000000000006' was aborted. Call 
> getNextException to see the cause.*
> *2016-07-17 13:00:49,887 [] [midPointScheduler_Worker-2] ERROR 
> (org.hibernate.engine.jdbc.spi.SqlExceptionHelper): ERROR: could not 
> serialize access due to read/write dependencies among transactions*
> *  Detail: Reason code: Canceled on identification as a pivot, during 
> write.*
> *  Hint: The transaction might succeed if retried.*
> *2016-07-17 13:00:49,892 [] [midPointScheduler_Worker-2] ERROR 
> (org.hibernate.engine.jdbc.batch.internal.BatchingBatch): HHH000315: 
> Exception executing batch [could not execute batch]*
>
>
> Any ideas?
>
> Attached is complete idm.log trying to start the server.
>
> Thanks,
>
> GJG
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ing. Viliam Repáň
Evolveum, s.r.o.

tel: +421 910 797978
mail: vilo.repan at evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160718/be5ec079/attachment.htm>

From jeverling at bshp.edu  Mon Jul 18 17:46:33 2016
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 18 Jul 2016 10:46:33 -0500
Subject: [midPoint] Using create on demand for org units,
	create under specific root
Message-ID: <CAFkZXY47qnmZKiMLbmV1GK_8URgr4Od2DyFvL7ftgJdg3sX9zw@mail.gmail.com>

I was starting to try out the createondemand feature for org units but from
all the samples and docs I could not figure out a way to have the system
create the org units under a specific root, like "Another Org Unit"?

Lets say I have

Root Org
  - Sub Org Unit
  - Another Org Unit

The createondemand would either put a new org unit under either of the 2
based on the name of the unit to be created or some other identifier or
regex

I am sure this is probably a simple answer but I have not came across it.

JASON

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160718/06db41b7/attachment.htm>

From ivan.noris at evolveum.com  Mon Jul 18 18:07:43 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 18 Jul 2016 18:07:43 +0200
Subject: [midPoint] Using create on demand for org units,
 create under specific root
In-Reply-To: <CAFkZXY47qnmZKiMLbmV1GK_8URgr4Od2DyFvL7ftgJdg3sX9zw@mail.gmail.com>
References: <CAFkZXY47qnmZKiMLbmV1GK_8URgr4Od2DyFvL7ftgJdg3sX9zw@mail.gmail.com>
Message-ID: <578CFECF.5070707@evolveum.com>

Hi Jason,

for example in
midpoint/testing/story/src/test/resources/orgsync/object-template-org.xml,
see line 46:

that's the "fixed org root" returning in the search/query if we do not
wish to recurse any further. In this case we are only creating the
structure based on the tokenized orgpath attribute. So when we are done,
we will return fixed root instead.

The "TOP" is the name of the organization defined in org-top.xml file.

So I believe you can do what you need there...

Regards,
Ivan

On 07/18/2016 05:46 PM, Jason Everling wrote:
> I was starting to try out the createondemand feature for org units but
> from all the samples and docs I could not figure out a way to have the
> system create the org units under a specific root, like "Another Org
> Unit"?
>
> Lets say I have
>
> Root Org
>   - Sub Org Unit
>   - Another Org Unit
>
> The createondemand would either put a new org unit under either of the
> 2 based on the name of the unit to be created or some other identifier
> or regex
>
> I am sure this is probably a simple answer but I have not came across it.
>
> JASON
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above and may
> contain information that is privileged. You should not retain, copy or
> use this e-mail or any attachments for any purpose, or disclose all or
> any part of the contents to any person. Any views or opinions
> expressed in this e-mail are those of the author and do not represent
> those of the Baptist School of Health Professions. If you have
> received this e-mail in error, or are not the named recipient(s), you
> are hereby notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and to do so
> might constitute a violation of the Electronic Communications Privacy
> Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender
> and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160718/5b7b2bbf/attachment.htm>

From jeverling at bshp.edu  Mon Jul 18 18:38:42 2016
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 18 Jul 2016 11:38:42 -0500
Subject: [midPoint] Using create on demand for org units,
 create under specific root
In-Reply-To: <578CFECF.5070707@evolveum.com>
References: <CAFkZXY47qnmZKiMLbmV1GK_8URgr4Od2DyFvL7ftgJdg3sX9zw@mail.gmail.com>
 <578CFECF.5070707@evolveum.com>
Message-ID: <CAFkZXY7z2bhLF8hj+gWxpohMT7QLzGDtR_MxeRn7O8p3hZPDfw@mail.gmail.com>

See, I said it would be simple. I looked that over and a few others like it
a few times and it just did not register with me that "orgpath" was an
extension which it should have. So I just need to create an extension and
then base it off that. I am sure I can create a path within my scriptedsql
to populate it.

Thanks!

JASON

On Mon, Jul 18, 2016 at 11:07 AM, Ivan Noris <ivan.noris at evolveum.com>
wrote:

> Hi Jason,
>
> for example in
> midpoint/testing/story/src/test/resources/orgsync/object-template-org.xml,
> see line 46:
>
> that's the "fixed org root" returning in the search/query if we do not
> wish to recurse any further. In this case we are only creating the
> structure based on the tokenized orgpath attribute. So when we are done, we
> will return fixed root instead.
>
> The "TOP" is the name of the organization defined in org-top.xml file.
>
> So I believe you can do what you need there...
>
> Regards,
> Ivan
>
>
> On 07/18/2016 05:46 PM, Jason Everling wrote:
>
> I was starting to try out the createondemand feature for org units but
> from all the samples and docs I could not figure out a way to have the
> system create the org units under a specific root, like "Another Org Unit"?
>
> Lets say I have
>
> Root Org
>   - Sub Org Unit
>   - Another Org Unit
>
> The createondemand would either put a new org unit under either of the 2
> based on the name of the unit to be created or some other identifier or
> regex
>
> I am sure this is probably a simple answer but I have not came across it.
>
> JASON
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer & IDM Architect
>   evolveum.com                     evolveum.com/blog/
>   ___________________________________________________
>   "Semper ID(e)M Vix."
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160718/c6c6f15c/attachment.htm>

From fstingaciu at mirantis.com  Mon Jul 18 18:54:10 2016
From: fstingaciu at mirantis.com (Florin. Stingaciu)
Date: Mon, 18 Jul 2016 09:54:10 -0700
Subject: [midPoint] SSO, passwords, and end users
In-Reply-To: <578C8AE0.3060801@evolveum.com>
References: <CAMQHPY0sur6eepkBPwUW=ACACoOguezK9--ATtndSFTqGsBuGw@mail.gmail.com>
 <578C8AE0.3060801@evolveum.com>
Message-ID: <CAMQHPY2Vcot4Vd8qt9sgbkyQVibNV+o+zV2VQwBa=RS7VNW6hA@mail.gmail.com>

Hey Radovan,

So I managed to resolve the "Old Password" input field on the credentials
page, however the password propagation for the midPoint repository resource
is enabled by default. Is there anyway to specify one particular resource
to be enabled by default? We want to avoid storing any passwords on the
midPoint DB at all costs.

In total we have three repositories. One for the midPOint repository, an
LDAP server (which is where we want to change passwords by default) and
lastly there's a read only Active Directory. Is there any way (either via
security policies, or the authorization model) to only show and allow
password changes on the LDAP server?

Thanks,
-F

On Mon, Jul 18, 2016 at 12:53 AM, Radovan Semancik <
radovan.semancik at evolveum.com> wrote:

> Hi,
>
> On 07/15/2016 09:03 PM, Florin. Stingaciu wrote:
>
> *Users changing their password*
> When using SSO, users no longer have a password associated with their
> midPoint account. However, we'd still like to allow users to change their
> passwords for their accounts on a resource. Unfortunately we can't utilize
> the Credentials page as the page will request for your old password --
> which doesn't exist. Right now, I had to resort to using the authorization
> rules to allow end users to modify their password directly on the
> Projection. This process is not very intuitive, especially when the user
> doesn't have a password set up on the account at all (they have to click
> the "show empty fields")
>
> Ideally, the fact that SSO is enabled should generate a different
> credentials page that lets you change your password on an account of your
> choosing without asking for the old password.
>
>
> We already have setting for that:
>
>
> https://github.com/Evolveum/midpoint/blob/master/samples/objects/security-policy-password.xml
>
> see passwordChangeSecurity
>
> Unfortunately, it is currently documented only in the schema
> (common-core-3.xsd).
>
> *End Users *
> Another issue we found was that when a user tries to access midPoint and
> doesn't have the End User role while SSO is in place, the server spits back
> a 500 error. Ideally, an error message should be generated letting the user
> know that he lacks authorization to access the midPoint GUI.
>
>
> Yes, it should be 401 and not 500. Please file a bug report for that.
>
> --
> Radovan Semancik
> Software Architectevolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160718/a68b9063/attachment.htm>

From fstingaciu at mirantis.com  Mon Jul 18 19:34:48 2016
From: fstingaciu at mirantis.com (Florin. Stingaciu)
Date: Mon, 18 Jul 2016 10:34:48 -0700
Subject: [midPoint] Password policy not applied when changing password
 from projection
In-Reply-To: <578C8CD7.9010207@evolveum.com>
References: <CAMQHPY3KCtXwN=dbO5q5kwsZeLa3MRSPh-dB5f3Gi=sGBnDyfA@mail.gmail.com>
 <578C8CD7.9010207@evolveum.com>
Message-ID: <CAMQHPY0mvhnFkXqpay_QbTOM2C9yz1N6yA0Ln7Pr-KVv2hGsdA@mail.gmail.com>

I filed a bug for this here: https://jira.evolveum.com/browse/MID-3301

Also found that the password policy also doesn't apply if the user uses the
credentials page and only chooses that particular resource, without
choosing the midPoint repository.

Thanks,
-F

On Mon, Jul 18, 2016 at 1:01 AM, Radovan Semancik <
radovan.semancik at evolveum.com> wrote:

> Hi,
>
> This seems like a bug. Or a missing feature. The primary purpose of the
> password policy definition here is to generate new passwords, not so much
> about checking the password. The resource will check the password anyway
> (or at least it should). But you are right. We want to properly implement
> resource password policies also in midPoint - for cases of resources not
> checking the policies and for nicer error messages.
>
> Anyway, please file a bug report. I'll take care of handling and
> re-categorizing that as necessary.
>
> --
> Radovan Semancik
> Software Architectevolveum.com
>
>
>
> On 07/15/2016 10:31 PM, Florin. Stingaciu wrote:
>
> Hello,
>
> I defined a password policy, and referenced it in the credentials section
> of the accounts on a particular resource. If I change the password by
> directly editing the password field on the projection, the password policy
> does not apply. Not even the global password policy applies to that field.
>
> I'm using version 3.4.
>
> Thanks,
> -F
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160718/80a54d61/attachment.htm>

From radovan.semancik at evolveum.com  Mon Jul 18 19:35:37 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Mon, 18 Jul 2016 19:35:37 +0200
Subject: [midPoint] SSO, passwords, and end users
In-Reply-To: <CAMQHPY2Vcot4Vd8qt9sgbkyQVibNV+o+zV2VQwBa=RS7VNW6hA@mail.gmail.com>
References: <CAMQHPY0sur6eepkBPwUW=ACACoOguezK9--ATtndSFTqGsBuGw@mail.gmail.com>
 <578C8AE0.3060801@evolveum.com>
 <CAMQHPY2Vcot4Vd8qt9sgbkyQVibNV+o+zV2VQwBa=RS7VNW6hA@mail.gmail.com>
Message-ID: <578D1369.6080007@evolveum.com>

Hi,

On 07/18/2016 06:54 PM, Florin. Stingaciu wrote:
> So I managed to resolve the "Old Password" input field on the 
> credentials page, however the password propagation for the midPoint 
> repository resource is enabled by default. Is there anyway to specify 
> one particular resource to be enabled by default? We want to avoid 
> storing any passwords on the midPoint DB at all costs.

I think there is a way to hide the password propagation dialog. Use the 
propagationUserControl setting (see the XSD schema or maybe one of my 
colleagues can provide an example).
Then simply use password outbound mappings to propagate the password 
just to one resource.

However, currently it is not easy to avoid storing password in midpoint 
database. MidPoint philosophy is to always synchronize between focus 
(user) and projection (account) and never between projections directly. 
So, the password needs to be present in midPoint user. And for now 
complete user is stored in the database.

There was some discussion about the setting to store passwords in hashed 
form (as opposed to encrypted form as it is now). Or even to handle 
password only in memory and not to store it at all. I would really like 
to implement that - and I was expecting this flexibility during midPoint 
design, so the implmenetation should not be that difficult. But 
obviously this feature haven't attracted attention of any midPoint 
subscriber or sponsor. Therefore it is not implemented.

If you want to avoid storing the password you can do some magic with 
scripting hook and remove the password from the user and user deltas at 
the right moment in the request processing "clockwork": just after it 
was propagated to projection context but before the user is stored. I 
believe that this is possible, but it will require very clever 
manipulation of model context.

... or you can get a subscription or sponsor this feature.

> In total we have three repositories. One for the midPOint repository, 
> an LDAP server (which is where we want to change passwords by default) 
> and lastly there's a read only Active Directory. Is there any way 
> (either via security policies, or the authorization model) to only 
> show and allow password changes on the LDAP server?

Yes. If you set up authorizations in a proper way then the GUI should 
adapt. But easier way would be to set up fixed (strong) mappings for 
password propagation and completely disallow account changes.

However, currently the GUI is designed to conveniently change only the 
user password. And we have no plans to extend that to account passwords 
as the common use case is to change user password and propagate the 
change to the resources. We do not want to confuse end user too much ... 
and in fact many users find the password propagation dialog too 
confusing, hence the option to disable it. So just one entry for the 
password should be enough. The way forward is to control the way how 
user password is stored in midpoint repository. I'm sorry that we do not 
have that yet. But anyone can help with funding of this feature.

It could work like this:

User changes his password in midPoint (already implemented)
MidPoint will propagate the password to the resources using the mappings 
(already implemented)
MidPoint consults the password storage policy and forgets the password 
(not implemented)

So, just a little piece is missing.

-- 
Radovan Semancik
Software Architect
evolveum.com



From fstingaciu at mirantis.com  Mon Jul 18 19:56:18 2016
From: fstingaciu at mirantis.com (Florin. Stingaciu)
Date: Mon, 18 Jul 2016 10:56:18 -0700
Subject: [midPoint] SSO, passwords, and end users
In-Reply-To: <578D1369.6080007@evolveum.com>
References: <CAMQHPY0sur6eepkBPwUW=ACACoOguezK9--ATtndSFTqGsBuGw@mail.gmail.com>
 <578C8AE0.3060801@evolveum.com>
 <CAMQHPY2Vcot4Vd8qt9sgbkyQVibNV+o+zV2VQwBa=RS7VNW6hA@mail.gmail.com>
 <578D1369.6080007@evolveum.com>
Message-ID: <CAMQHPY2WHaR4U0EJqwVsjVfy=vduTKBop_oC8YVwfoo42YE8fw@mail.gmail.com>

>
> Yes. If you set up authorizations in a proper way then the GUI should
> adapt.


I'll try looking into this, however I'm not really sure how to set GUI
authorization rules for the midPoint repository. Also, I'd only wanna hide
these two resources for the GUI credentials page only.


> But easier way would be to set up fixed (strong) mappings for password
> propagation and completely disallow account changes.


I agree, however currently we don't story any passwords in the midPoint
repository as per the security standards of this department. So
unfortunately this is not an option for us.

Thanks for the thorough explanation. In the near future, I'll attempt to
craft a feature request for this particular issue.

As an alternative to this whole situation, we've built a separate custom
web component that directly edits the LDAP attribute for a particular user.
It would be ideal to integrate this web component directly in midPoint. Are
there any instructions (besides just hacking it) on how to add a custom web
component to midPoint such that it respects authentication and such?

Thanks,
-F

On Mon, Jul 18, 2016 at 10:35 AM, Radovan Semancik <
radovan.semancik at evolveum.com> wrote:

> Hi,
>
> On 07/18/2016 06:54 PM, Florin. Stingaciu wrote:
>
>> So I managed to resolve the "Old Password" input field on the credentials
>> page, however the password propagation for the midPoint repository resource
>> is enabled by default. Is there anyway to specify one particular resource
>> to be enabled by default? We want to avoid storing any passwords on the
>> midPoint DB at all costs.
>>
>
> I think there is a way to hide the password propagation dialog. Use the
> propagationUserControl setting (see the XSD schema or maybe one of my
> colleagues can provide an example).
> Then simply use password outbound mappings to propagate the password just
> to one resource.
>
> However, currently it is not easy to avoid storing password in midpoint
> database. MidPoint philosophy is to always synchronize between focus (user)
> and projection (account) and never between projections directly. So, the
> password needs to be present in midPoint user. And for now complete user is
> stored in the database.
>
> There was some discussion about the setting to store passwords in hashed
> form (as opposed to encrypted form as it is now). Or even to handle
> password only in memory and not to store it at all. I would really like to
> implement that - and I was expecting this flexibility during midPoint
> design, so the implmenetation should not be that difficult. But obviously
> this feature haven't attracted attention of any midPoint subscriber or
> sponsor. Therefore it is not implemented.
>
> If you want to avoid storing the password you can do some magic with
> scripting hook and remove the password from the user and user deltas at the
> right moment in the request processing "clockwork": just after it was
> propagated to projection context but before the user is stored. I believe
> that this is possible, but it will require very clever manipulation of
> model context.
>
> ... or you can get a subscription or sponsor this feature.
>
> In total we have three repositories. One for the midPOint repository, an
>> LDAP server (which is where we want to change passwords by default) and
>> lastly there's a read only Active Directory. Is there any way (either via
>> security policies, or the authorization model) to only show and allow
>> password changes on the LDAP server?
>>
>
> Yes. If you set up authorizations in a proper way then the GUI should
> adapt. But easier way would be to set up fixed (strong) mappings for
> password propagation and completely disallow account changes.
>
> However, currently the GUI is designed to conveniently change only the
> user password. And we have no plans to extend that to account passwords as
> the common use case is to change user password and propagate the change to
> the resources. We do not want to confuse end user too much ... and in fact
> many users find the password propagation dialog too confusing, hence the
> option to disable it. So just one entry for the password should be enough.
> The way forward is to control the way how user password is stored in
> midpoint repository. I'm sorry that we do not have that yet. But anyone can
> help with funding of this feature.
>
> It could work like this:
>
> User changes his password in midPoint (already implemented)
> MidPoint will propagate the password to the resources using the mappings
> (already implemented)
> MidPoint consults the password storage policy and forgets the password
> (not implemented)
>
> So, just a little piece is missing.
>
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160718/165fd251/attachment.htm>

From radovan.semancik at evolveum.com  Mon Jul 18 20:31:43 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Mon, 18 Jul 2016 20:31:43 +0200
Subject: [midPoint] SSO, passwords, and end users
In-Reply-To: <CAMQHPY2WHaR4U0EJqwVsjVfy=vduTKBop_oC8YVwfoo42YE8fw@mail.gmail.com>
References: <CAMQHPY0sur6eepkBPwUW=ACACoOguezK9--ATtndSFTqGsBuGw@mail.gmail.com>
 <578C8AE0.3060801@evolveum.com>
 <CAMQHPY2Vcot4Vd8qt9sgbkyQVibNV+o+zV2VQwBa=RS7VNW6hA@mail.gmail.com>
 <578D1369.6080007@evolveum.com>
 <CAMQHPY2WHaR4U0EJqwVsjVfy=vduTKBop_oC8YVwfoo42YE8fw@mail.gmail.com>
Message-ID: <578D208F.7050102@evolveum.com>

Hi,

On 07/18/2016 07:56 PM, Florin. Stingaciu wrote:
> As an alternative to this whole situation, we've built a separate 
> custom web component that directly edits the LDAP attribute for a 
> particular user. It would be ideal to integrate this web component 
> directly in midPoint. Are there any instructions (besides just hacking 
> it) on how to add a custom web component to midPoint such that it 
> respects authentication and such?

There is new feature in midPoint 3.4 that can be used to add custom 
forms to user details (and other) pages. Example is here: 
https://github.com/Evolveum/midpoint-overlay-example. But I do not think 
this is what you are looking for.

There is yet no clean and nice way to add a complete new page. But all 
is not lost:
Adding a page is not difficult. Just create a new Apache Wicket page, 
ideally as a subclass of our PageBase class. And that's it. You can use 
overlay project for that.
If the page has the URL that falls behind the URLs protected by spring 
security then the authentication will work.
Even authorizations should be quite OK. We have annotation for that. 
E.g. have a look at PageSelfCredentials as an example.
The trouble is to get this page into the menu. Currently the menu is 
more or less hardcoded as list of all the pages that we have created. 
Individual items are hidden according to authorizations. But there is 
way to extend the menu in runtime. You can use additionalMenuLink in 
AdminGuiConfigurationType which can be defined either in global system 
config or in any role. However ... hic sunt liones ... this feature is 
not well tested.

Ability to easily add new GUI pages is on my personal nice-to-have list 
for a loooong time. I'm just looking for some motivation (or at least an 
excuse) to implement it.

-- 
Radovan Semancik
Software Architect
evolveum.com



From ggallard at identicum.com  Wed Jul 20 20:44:15 2016
From: ggallard at identicum.com (Gustavo J Gallardo)
Date: Wed, 20 Jul 2016 15:44:15 -0300
Subject: [midPoint] DB error starting midPoint 3.4
In-Reply-To: <578CBB05.30503@evolveum.com>
References: <CAA68kP9NRyoQKZV=36c5VLLhWXNBHqvwsWO+25RcbBMYSK1ZUw@mail.gmail.com>
 <578CBB05.30503@evolveum.com>
Message-ID: <CAA68kP9o+00Q8h_4dHTttLAF84moETTmk8OC0CbcExjtHiXLaQ@mail.gmail.com>

Hi Viliam,
it happened (twice) in our production environment, but eventually
dissapeared after a reboot.
We could not replicate the issue in our testing environment.

We are in the process to import the accounts (~450000) and provisioning to
3 resources (eDirectory LDAP, Google Apps and Office 365).
We are also checking if we need to do some additional tuning on the
PostgreSQL database.

I'll let you know if we can isolate anything.


Regards,

GJG

On Mon, Jul 18, 2016 at 8:18 AM, Viliam Repan <vilo.repan at evolveum.com>
wrote:

> Hi Gustavo,
>
> I've tried to run clean installation of midpoint 3.4 against postgresql
> 9.2 on ubuntu 14.04 and I can't replicate this behavior - does it happen
> after restart?.
> Do you have clean installation any other environment specific stuff?
> I've tested it on ubuntu 14.04 (64bit) with postgres 9.2.17, tomcat 8,
> oracle java 8
>
> *00000000-0000-0000-0000-000000000006* is validity task so I'm not sure
> what happened
>
> v
>
>
> On 17.07.2016 18:19, Gustavo J Gallardo wrote:
>
> Hi,
> we are running midPoint 3.4 with database PostgreSQL 9.2, and getting this
> error:
> *2016-07-17 13:00:49,887 [] [midPointScheduler_Worker-2] ERROR
> (org.hibernate.engine.jdbc.spi.SqlExceptionHelper): Batch entry 0 update
> m_object set booleansCount=0,
> createChannel='http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init
> <http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init>',
> createTimestamp='2016-06-02 17:23:48.969000 -03:00:00',
> creatorRef_relation=NULL, creatorRef_targetOid=NULL, creatorRef_type=NULL,
> datesCount=1, fullObject=?, longsCount=0, modifierRef_relation=NULL,
> modifierRef_targetOid=NULL, modifierRef_type=NULL, modifyChannel=NULL,
> modifyTimestamp=NULL, name_norm='validity scanner', name_orig='Validity
> Scanner', objectTypeClass='9', polysCount=0, referencesCount=0,
> stringsCount=0, tenantRef_relation=NULL, tenantRef_targetOid=NULL,
> tenantRef_type=NULL, version=13637 where
> oid='00000000-0000-0000-0000-000000000006' was aborted.  Call
> getNextException to see the cause.*
> *2016-07-17 13:00:49,887 [] [midPointScheduler_Worker-2] ERROR
> (org.hibernate.engine.jdbc.spi.SqlExceptionHelper): ERROR: could not
> serialize access due to read/write dependencies among transactions*
> *  Detail: Reason code: Canceled on identification as a pivot, during
> write.*
> *  Hint: The transaction might succeed if retried.*
> *2016-07-17 13:00:49,892 [] [midPointScheduler_Worker-2] ERROR
> (org.hibernate.engine.jdbc.batch.internal.BatchingBatch): HHH000315:
> Exception executing batch [could not execute batch]*
>
>
> Any ideas?
>
> Attached is complete idm.log trying to start the server.
>
> Thanks,
>
> GJG
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ing. Viliam Repáň
> Evolveum, s.r.o.
>
> tel: +421 910 797978
> mail: vilo.repan at evolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160720/dd58ccba/attachment.htm>

From mmarchese at identicum.com  Wed Jul 20 22:50:22 2016
From: mmarchese at identicum.com (Martin Marchese)
Date: Wed, 20 Jul 2016 17:50:22 -0300
Subject: [midPoint] MidPoint Multiple Nodes
Message-ID: <CAG3rmdq6ZQfaSoMi5xnF6bWja-5V3M7qLF4KWSqBqA=Z37T2Eg@mail.gmail.com>

Hi All,

We are trying to add multiple nodes using 1 DB to our MidPoint
implementation. For this we are reading:

https://wiki.evolveum.com/pages/viewpage.action?pageId=11075783

But we are still confused on how to handle keystores, more specifically,
the key that MidPoint uses to encrypt data in the DB.

As far as we understand, this key is store within the keystore, so our
question is which is the right set up in order for the second node to use
the correct key while getting encrypted information from the database?

Also, will the connectors run in both nodes? Is it possible to select in
which node does each connector run?

Thanks in Advance

*Ing. Martín Marchese*
Identicum S.A.
Anchorena 1357 PB
Tel: +54 (11) 3526.5509
mmarchese at identicum.com
www.identicum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160720/55d2fe0e/attachment.htm>

From radovan.semancik at evolveum.com  Thu Jul 21 10:35:26 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 21 Jul 2016 10:35:26 +0200
Subject: [midPoint] MidPoint Multiple Nodes
In-Reply-To: <CAG3rmdq6ZQfaSoMi5xnF6bWja-5V3M7qLF4KWSqBqA=Z37T2Eg@mail.gmail.com>
References: <CAG3rmdq6ZQfaSoMi5xnF6bWja-5V3M7qLF4KWSqBqA=Z37T2Eg@mail.gmail.com>
Message-ID: <5790894E.6010102@evolveum.com>

Hi,

On 07/20/2016 10:50 PM, Martin Marchese wrote:
>
> But we are still confused on how to handle keystores, more 
> specifically, the key that MidPoint uses to encrypt data in the DB.
>
> As far as we understand, this key is store within the keystore, so our 
> question is which is the right set up in order for the second node to 
> use the correct key while getting encrypted information from the database?

The keys are not stored in the database by design (e.g. to protect 
passwords in the database backups, to avoid leak of the password by use 
of database tools, etc.). Therefore the keystores are not shared between 
nodes. They have to be manually copied between nodes. Or you may want to 
set up a network file system. However that may be an security issue and 
copying the keystores at initial setup and then installing new keys to 
each of them is usually no big trouble.

> Also, will the connectors run in both nodes? Is it possible to select 
> in which node does each connector run?

Currently the connectors will run on all nodes. There is even a 
limitation that each connector must be installed on all the nodes. The 
limitation of the per-node connector usage was considered in the 
midPoint design, but it was not yet implemented. This may look simple, 
but it is no easy feature. E.g. a user change operation that started on 
one node must be switched to a different node if the original node does 
not have the connector to finish the operation. This is possible to do, 
but it requires much deeper degree of asynchronism in operations. 
Realistically it is only possible after we implement fully async 
provisionig (https://jira.evolveum.com/browse/MID-2457). But thanks for 
pointing that out. The feature request for that was missing in our jira. 
So I have created it: https://jira.evolveum.com/browse/MID-3310

-- 
Radovan Semancik
Software Architect
evolveum.com



From martin.lizner at ami.cz  Fri Jul 22 16:32:13 2016
From: martin.lizner at ami.cz (=?UTF-8?Q?Martin_L=C3=ADzner_=2D_AMI_Praha_a=2Es=2E?=)
Date: Fri, 22 Jul 2016 16:32:13 +0200
Subject: [midPoint] Siebel CRM
Message-ID: <CALOh8eMkm8ubVNzZOCxuJCw+xd8zmmqe7KVm0dcfJLPYSDOWUQ@mail.gmail.com>

Hi, anybody in the midPoint community has coded Siebel connector? Thanks, M.

Martin Lízner
solution architect

gsm: [+420] 737 745 571
e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz



[image: AMI Praha a.s.] <http://www.skyidentity.com/>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160722/1d57dffd/attachment.htm>

From fstingaciu at mirantis.com  Fri Jul 22 22:10:56 2016
From: fstingaciu at mirantis.com (Florin. Stingaciu)
Date: Fri, 22 Jul 2016 13:10:56 -0700
Subject: [midPoint]  Case sensitivity on correlation attribute
Message-ID: <CAMQHPY2pwVurq8Nt_7ooR2ookx2esFG7gze8EmwFFPyF9F+S1Q@mail.gmail.com>

Hello,

I'm running into this issue when importing accounts. I have a user that
already has an account and the import task should find user and link it to
the account. Instead an unmatched situation is found and the object fails
to be processed with the following error:

2016-07-22 19:47:44,429 [] [midPointScheduler_Worker-2] ERROR
(com.evolveum.midpoint.model.impl.sync.SynchronizationServiceImpl):
SYNCHRONIZATION: Error in synchronization on
resource:7ac978b7-3eed-4fa8-8f24-2cf8e10f79ee(Corporate Active Directory)
for situation UNMATCHED: ObjectAlreadyExistsException: Error processing
focus(user:null(aditya_kuppa)): constraint violation: Found conflicting
existing object with property name =
PP({.../common/common-3}name):[PPV(PolyString:user_name)]:
user:83e5be67-9e12-4bdf-a001-be88251a14c3(user_name). Change was
ResourceObjectShadowChangeDescription(objectDelta=ObjectDelta(ShadowType:2975901f-e9de-4079-b2e2-f7a615684a12,ADD:
shadow:2975901f-e9de-4079-b2e2-f7a615684a12(CN=User
Name,OU=People,DC=SYMC,DC=EXAMPLE,DC=COM)),
currentShadow=shadow:2975901f-e9de-4079-b2e2-f7a615684a12(CN=User
Name,OU=People,DC=SYMC,DC=EXAMPLE,DC=COM), oldShadow=null, sourceChannel=
http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import,
resource=resource:7ac978b7-3eed-4fa8-8f24-2cf8e10f79ee(Corporate Active
Directory))

com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException: Error
processing focus(user:null(user_name)): constraint violation: Found
conflicting existing object with property name =
PP({.../common/common-3}name):[PPV(PolyString:user_name)]:
user:83e5be67-9e12-4bdf-a001-be88251a14c3(user_name)

I believe this is due to a case sensitivity issue. Here's my entry for my
ri:user attribute: http://pastebin.com/sBkddsZn

As you can tell, I convert everything to lower case on the inbound rule and
I believe the correlation attribute is case sensitive. Is there any way to
specify that the correlation attribute should be case insensitive?

Here's my correlation entry: http://pastebin.com/NW0dgsiv

Thanks,
-F
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160722/6165e639/attachment.htm>

From ivan.noris at evolveum.com  Mon Jul 25 08:45:12 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 25 Jul 2016 08:45:12 +0200
Subject: [midPoint] Case sensitivity on correlation attribute
In-Reply-To: <CAMQHPY2pwVurq8Nt_7ooR2ookx2esFG7gze8EmwFFPyF9F+S1Q@mail.gmail.com>
References: <CAMQHPY2pwVurq8Nt_7ooR2ookx2esFG7gze8EmwFFPyF9F+S1Q@mail.gmail.com>
Message-ID: <fbbca830-1e00-8568-73a7-9b543dec9d27@evolveum.com>

Hi Florin,

midPoint uses case sensitive matching by default.

Try to use e.g. this:

...

                    <correlation>
                        <q:equal>
*                          <q:matching>polyStringNorm</q:matching>**
*                                <q:path>c:name</q:path>
                                <expression>
                                        <description>Matches using
sAMAccountName.</description>
                                        <path>
                                                declare namespace
ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
                                               
$account/attributes/ri:sAMAccountName
                                        </path>
                                </expression>
                        </q:equal>
                    </correlation>
...

For polyString attributes (such as user/name) use that; for string
attributes use
<q:matching>stringIgnoreCase</q:matching>

Hope this helps.
Regards,
Ivan

On 07/22/2016 10:10 PM, Florin. Stingaciu wrote:
> Hello, 
>
> I'm running into this issue when importing accounts. I have a user
> that already has an account and the import task should find user and
> link it to the account. Instead an unmatched situation is found and
> the object fails to be processed with the following error:
>
> 2016-07-22 19:47:44,429 [] [midPointScheduler_Worker-2] ERROR
> (com.evolveum.midpoint.model.impl.sync.SynchronizationServiceImpl):
> SYNCHRONIZATION: Error in synchronization on
> resource:7ac978b7-3eed-4fa8-8f24-2cf8e10f79ee(Corporate Active
> Directory) for situation UNMATCHED: ObjectAlreadyExistsException:
> Error processing focus(user:null(aditya_kuppa)): constraint violation:
> Found conflicting existing object with property name =
> PP({.../common/common-3}name):[PPV(PolyString:user_name)]:
> user:83e5be67-9e12-4bdf-a001-be88251a14c3(user_name). Change was
> ResourceObjectShadowChangeDescription(objectDelta=ObjectDelta(ShadowType:2975901f-e9de-4079-b2e2-f7a615684a12,ADD:
> shadow:2975901f-e9de-4079-b2e2-f7a615684a12(CN=User
> Name,OU=People,DC=SYMC,DC=EXAMPLE,DC=COM)),
> currentShadow=shadow:2975901f-e9de-4079-b2e2-f7a615684a12(CN=User
> Name,OU=People,DC=SYMC,DC=EXAMPLE,DC=COM), oldShadow=null,
> sourceChannel=http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import,
> resource=resource:7ac978b7-3eed-4fa8-8f24-2cf8e10f79ee(Corporate
> Active Directory))
>
> com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException:
> Error processing focus(user:null(user_name)): constraint violation:
> Found conflicting existing object with property name =
> PP({.../common/common-3}name):[PPV(PolyString:user_name)]:
> user:83e5be67-9e12-4bdf-a001-be88251a14c3(user_name)
>
> I believe this is due to a case sensitivity issue. Here's my entry for
> my ri:user attribute: http://pastebin.com/sBkddsZn
>
> As you can tell, I convert everything to lower case on the inbound
> rule and I believe the correlation attribute is case sensitive. Is
> there any way to specify that the correlation attribute should be case
> insensitive? 
>
> Here's my correlation entry: http://pastebin.com/NW0dgsiv 
>
> Thanks, 
> -F 
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160725/038ae0e6/attachment.htm>

From mederly at evolveum.com  Mon Jul 25 11:39:54 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Mon, 25 Jul 2016 11:39:54 +0200
Subject: [midPoint] DB error starting midPoint 3.4
In-Reply-To: <CAA68kP9o+00Q8h_4dHTttLAF84moETTmk8OC0CbcExjtHiXLaQ@mail.gmail.com>
References: <CAA68kP9NRyoQKZV=36c5VLLhWXNBHqvwsWO+25RcbBMYSK1ZUw@mail.gmail.com>
 <578CBB05.30503@evolveum.com>
 <CAA68kP9o+00Q8h_4dHTttLAF84moETTmk8OC0CbcExjtHiXLaQ@mail.gmail.com>
Message-ID: <d8a1f979-a3df-3210-70fc-1d3914805736@evolveum.com>

Hello Gustavo,

conflict situations like "ERROR: could not serialize access due to 
read/write dependencies among transactions" are normal in midPoint. They 
are automatically resolved by retrying the failed transaction (up to a 
limit of 40 attempts, which indicates either extremely high level of db 
contention, or some other unexpected problem).

What is different, in your case, is that these exceptions are logged to 
your log. By default, the following loggers are turned off - exactly not 
to issue a lot of false warnings:

org.hibernate.engine.jdbc.batch.internal.BatchingBatch
org.hibernate.engine.jdbc.spi.SqlExceptionHelper

Best regards,
Pavol


On 20.07.2016 20:44, Gustavo J Gallardo wrote:
> Hi Viliam,
> it happened (twice) in our production environment, but eventually 
> dissapeared after a reboot.
> We could not replicate the issue in our testing environment.
>
> We are in the process to import the accounts (~450000) and 
> provisioning to 3 resources (eDirectory LDAP, Google Apps and Office 365).
> We are also checking if we need to do some additional tuning on the 
> PostgreSQL database.
>
> I'll let you know if we can isolate anything.
>
>
> Regards,
>
> GJG
>
> On Mon, Jul 18, 2016 at 8:18 AM, Viliam Repan <vilo.repan at evolveum.com 
> <mailto:vilo.repan at evolveum.com>> wrote:
>
>     Hi Gustavo,
>
>     I've tried to run clean installation of midpoint 3.4 against
>     postgresql 9.2 on ubuntu 14.04 and I can't replicate this behavior
>     - does it happen after restart?.
>     Do you have clean installation any other environment specific stuff?
>     I've tested it on ubuntu 14.04 (64bit) with postgres 9.2.17,
>     tomcat 8, oracle java 8
>
>     *00000000-0000-0000-0000-000000000006* is validity task so I'm not
>     sure what happened
>
>     v
>
>
>     On 17.07.2016 18:19, Gustavo J Gallardo wrote:
>>     Hi,
>>     we are running midPoint 3.4 with database PostgreSQL 9.2, and
>>     getting this error:
>>     *2016-07-17 13:00:49,887 [] [midPointScheduler_Worker-2] ERROR
>>     (org.hibernate.engine.jdbc.spi.SqlExceptionHelper): Batch entry 0
>>     update m_object set booleansCount=0,
>>     createChannel='http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init',
>>     createTimestamp='2016-06-02 17:23:48.969000 -03:00:00',
>>     creatorRef_relation=NULL, creatorRef_targetOid=NULL,
>>     creatorRef_type=NULL, datesCount=1, fullObject=?, longsCount=0,
>>     modifierRef_relation=NULL, modifierRef_targetOid=NULL,
>>     modifierRef_type=NULL, modifyChannel=NULL, modifyTimestamp=NULL,
>>     name_norm='validity scanner', name_orig='Validity Scanner',
>>     objectTypeClass='9', polysCount=0, referencesCount=0,
>>     stringsCount=0, tenantRef_relation=NULL,
>>     tenantRef_targetOid=NULL, tenantRef_type=NULL, version=13637
>>     where oid='00000000-0000-0000-0000-000000000006' was aborted. 
>>     Call getNextException to see the cause.*
>>     *2016-07-17 13:00:49,887 [] [midPointScheduler_Worker-2] ERROR
>>     (org.hibernate.engine.jdbc.spi.SqlExceptionHelper): ERROR: could
>>     not serialize access due to read/write dependencies among
>>     transactions*
>>     *  Detail: Reason code: Canceled on identification as a pivot,
>>     during write.*
>>     *  Hint: The transaction might succeed if retried.*
>>     *2016-07-17 13:00:49,892 [] [midPointScheduler_Worker-2] ERROR
>>     (org.hibernate.engine.jdbc.batch.internal.BatchingBatch):
>>     HHH000315: Exception executing batch [could not execute batch]*
>>
>>
>>     Any ideas?
>>
>>     Attached is complete idm.log trying to start the server.
>>
>>     Thanks,
>>
>>     GJG
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>     Ing. Viliam Repáň
>     Evolveum, s.r.o.
>
>     tel: +421 910 797978
>     mail:vilo.repan at evolveum.com <mailto:vilo.repan at evolveum.com>
>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160725/8467b21a/attachment.htm>

From mederly at evolveum.com  Mon Jul 25 11:56:01 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Mon, 25 Jul 2016 11:56:01 +0200
Subject: [midPoint] DB error starting midPoint 3.4
In-Reply-To: <d8a1f979-a3df-3210-70fc-1d3914805736@evolveum.com>
References: <CAA68kP9NRyoQKZV=36c5VLLhWXNBHqvwsWO+25RcbBMYSK1ZUw@mail.gmail.com>
 <578CBB05.30503@evolveum.com>
 <CAA68kP9o+00Q8h_4dHTttLAF84moETTmk8OC0CbcExjtHiXLaQ@mail.gmail.com>
 <d8a1f979-a3df-3210-70fc-1d3914805736@evolveum.com>
Message-ID: <f4ec7fe3-dece-e96a-2399-66f518649bce@evolveum.com>

After looking at your log more thoroughly:

It is possible that the errors were logged just in the moment when 
logging configuration from SystemConfiguration object was applied.

That way or another, you can safely ignore them. If it would be 
something serious, it would manifest itself as a midPoint-level 
exception (com.evolveum.midpoint...).

Best regards,

Pavol



On 25.07.2016 11:39, Pavol Mederly wrote:
>
> Hello Gustavo,
>
> conflict situations like "ERROR: could not serialize access due to 
> read/write dependencies among transactions" are normal in midPoint. 
> They are automatically resolved by retrying the failed transaction (up 
> to a limit of 40 attempts, which indicates either extremely high level 
> of db contention, or some other unexpected problem).
>
> What is different, in your case, is that these exceptions are logged 
> to your log. By default, the following loggers are turned off - 
> exactly not to issue a lot of false warnings:
>
> org.hibernate.engine.jdbc.batch.internal.BatchingBatch
> org.hibernate.engine.jdbc.spi.SqlExceptionHelper
>
> Best regards,
> Pavol
>
>
> On 20.07.2016 20:44, Gustavo J Gallardo wrote:
>> Hi Viliam,
>> it happened (twice) in our production environment, but eventually 
>> dissapeared after a reboot.
>> We could not replicate the issue in our testing environment.
>>
>> We are in the process to import the accounts (~450000) and 
>> provisioning to 3 resources (eDirectory LDAP, Google Apps and Office 
>> 365).
>> We are also checking if we need to do some additional tuning on the 
>> PostgreSQL database.
>>
>> I'll let you know if we can isolate anything.
>>
>>
>> Regards,
>>
>> GJG
>>
>> On Mon, Jul 18, 2016 at 8:18 AM, Viliam Repan 
>> <vilo.repan at evolveum.com <mailto:vilo.repan at evolveum.com>> wrote:
>>
>>     Hi Gustavo,
>>
>>     I've tried to run clean installation of midpoint 3.4 against
>>     postgresql 9.2 on ubuntu 14.04 and I can't replicate this
>>     behavior - does it happen after restart?.
>>     Do you have clean installation any other environment specific stuff?
>>     I've tested it on ubuntu 14.04 (64bit) with postgres 9.2.17,
>>     tomcat 8, oracle java 8
>>
>>     *00000000-0000-0000-0000-000000000006* is validity task so I'm
>>     not sure what happened
>>
>>     v
>>
>>
>>     On 17.07.2016 18:19, Gustavo J Gallardo wrote:
>>>     Hi,
>>>     we are running midPoint 3.4 with database PostgreSQL 9.2, and
>>>     getting this error:
>>>     *2016-07-17 13:00:49,887 [] [midPointScheduler_Worker-2] ERROR
>>>     (org.hibernate.engine.jdbc.spi.SqlExceptionHelper): Batch entry
>>>     0 update m_object set booleansCount=0,
>>>     createChannel='http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init',
>>>     createTimestamp='2016-06-02 17:23:48.969000 -03:00:00',
>>>     creatorRef_relation=NULL, creatorRef_targetOid=NULL,
>>>     creatorRef_type=NULL, datesCount=1, fullObject=?, longsCount=0,
>>>     modifierRef_relation=NULL, modifierRef_targetOid=NULL,
>>>     modifierRef_type=NULL, modifyChannel=NULL, modifyTimestamp=NULL,
>>>     name_norm='validity scanner', name_orig='Validity Scanner',
>>>     objectTypeClass='9', polysCount=0, referencesCount=0,
>>>     stringsCount=0, tenantRef_relation=NULL,
>>>     tenantRef_targetOid=NULL, tenantRef_type=NULL, version=13637
>>>     where oid='00000000-0000-0000-0000-000000000006' was aborted. 
>>>     Call getNextException to see the cause.*
>>>     *2016-07-17 13:00:49,887 [] [midPointScheduler_Worker-2] ERROR
>>>     (org.hibernate.engine.jdbc.spi.SqlExceptionHelper): ERROR: could
>>>     not serialize access due to read/write dependencies among
>>>     transactions*
>>>     *  Detail: Reason code: Canceled on identification as a pivot,
>>>     during write.*
>>>     *  Hint: The transaction might succeed if retried.*
>>>     *2016-07-17 13:00:49,892 [] [midPointScheduler_Worker-2] ERROR
>>>     (org.hibernate.engine.jdbc.batch.internal.BatchingBatch):
>>>     HHH000315: Exception executing batch [could not execute batch]*
>>>
>>>
>>>     Any ideas?
>>>
>>>     Attached is complete idm.log trying to start the server.
>>>
>>>     Thanks,
>>>
>>>     GJG
>>>
>>>
>>>     _______________________________________________
>>>     midPoint mailing list
>>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>     -- 
>>     Ing. Viliam Repáň
>>     Evolveum, s.r.o.
>>
>>     tel: +421 910 797978
>>     mail:vilo.repan at evolveum.com <mailto:vilo.repan at evolveum.com>
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160725/f02fb1d2/attachment.htm>

From mmarchese at identicum.com  Tue Jul 26 21:13:50 2016
From: mmarchese at identicum.com (Martin Marchese)
Date: Tue, 26 Jul 2016 16:13:50 -0300
Subject: [midPoint] Slow Performance on Bulk Load Using Rest
Message-ID: <CAG3rmdqdG3H2D0UgNE5XD_083h98TiV-1istoYG-NHJh8xKBCA@mail.gmail.com>

Hi,

We have a large database (aprox. 400000-500000 users, most of them linked
with 2 platforms).

We are using PostgreSQL and still loading users with some python scripts we
developed to consume data from files and execute REST services to create
and/or recompute users.

With this sizing, we are experiencing a very slow performance in the bulk
load. Is there a way to troubleshoot this or tune the database to increase
performance?

Thanks

*Ing. Martín Marchese*
Identicum S.A.
Anchorena 1357 PB
Tel: +54 (11) 3526.5509
mmarchese at identicum.com
www.identicum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160726/e40355a7/attachment.htm>

From radovan.semancik at evolveum.com  Tue Jul 26 22:01:16 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Tue, 26 Jul 2016 22:01:16 +0200
Subject: [midPoint] Slow Performance on Bulk Load Using Rest
In-Reply-To: <CAG3rmdqdG3H2D0UgNE5XD_083h98TiV-1istoYG-NHJh8xKBCA@mail.gmail.com>
References: <CAG3rmdqdG3H2D0UgNE5XD_083h98TiV-1istoYG-NHJh8xKBCA@mail.gmail.com>
Message-ID: <5797C18C.90108@evolveum.com>

Hi,

You can use midPoint logging to get stats about performance of 
individual midPoint components. And then you can figure out where 
exactly is the problem.

But I think the root of this issue is in the architecture. REST 
interfaces are strictly object-oriented (or web-resource-oriented to be 
precise). Each REST operation can operate only on a single web resource. 
When translated to midPoint design this means (at least) one operation 
for each object. Which means network latencies, authentication (REST 
explicitly prohibits sessions), request processing, authorizations, 
executing the operation, response processing and latencies again. This 
happens for every object. The overhead is simply too high. In other 
words: RESTful services are absolutely terrible for any kind of bulk 
operations. And this is more-or-less given by the principles of REST 
architectural style. It is not easy to do anything about it without 
bending or openly violating the REST principles.

Theoretically there is a way around this: we could create a specialized 
web resource for bulk operations. But it is complex, ugly and difficult 
to use. And it will actually mean doing RPC and disguising that as REST. 
Therefore currently we do not plan to do this. We will do that only if 
there is someone explicitly sponsoring that feature. And even then I 
will personally put big red stickers all over it saying that "this may 
work, but it is not REST".

I would suggest that the right way to do bulk operations is not to use 
REST at all. It makes no sense to transport water in bottles when you 
need water for entire city, does it? You should use the right tool for 
the job.

MidPoint has a very good built-in features that support bulk operations. 
Simply use the synchronization features of midPoint. These are designed 
to handle bulk data. Connect the database as midPoint resource and pull 
in the data using import or reconciliation task. If this is a one-off 
data load you can delete the resource afterwards. But actually there is 
usually a good benefit of keeping the resource around for a longer time 
in case that the migration needs to be retried or objects need to be 
updated.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 07/26/2016 09:13 PM, Martin Marchese wrote:
> Hi,
>
> We have a large database (aprox. 400000-500000 users, most of them 
> linked with 2 platforms).
>
> We are using PostgreSQL and still loading users with some python 
> scripts we developed to consume data from files and execute REST 
> services to create and/or recompute users.
>
> With this sizing, we are experiencing a very slow performance in the 
> bulk load. Is there a way to troubleshoot this or tune the database to 
> increase performance?
>
> Thanks
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Anchorena 1357 PB
> Tel: +54 (11) 3526.5509
> mmarchese at identicum.com <mailto:mmarchese at identicum.com>
> www.identicum.com <http://www.identicum.com>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160726/1b53051e/attachment.htm>

From Andrew.Brock at sahmri.com  Thu Jul 28 08:38:35 2016
From: Andrew.Brock at sahmri.com (Andrew Brock)
Date: Thu, 28 Jul 2016 06:38:35 +0000
Subject: [midPoint] Populating parentOrgRef in an Org from a database
	resource
Message-ID: <11eb3d2ce24942c3a77b9018e97e40a5@shmprdmbx02.sahmri.internal>

Hi,

I have a database resource that gives me the following organisation info in its columns:


1.)    An ID (an integer)

2.)    A Name (a string)

3.)    The ID of the parent organisation in a column called parent_id (an integer). This value is present for all organisations except for the top parent one.

This resource can be considered the definitive authority for this data (i.e. it's not present in LDAP).

I currently have a schemaHandling like so:

<schemaHandling>
      <objectType>
         <kind>account</kind>
         <intent>HRM</intent>
         <default>true</default>
         <objectClass>ri:AccountObjectClass</objectClass>
         <attribute>
            <c:ref>icfs:uid</c:ref>
            <tolerant>true</tolerant>
            <exclusiveStrong>false</exclusiveStrong>
            <inbound>
               <authoritative>true</authoritative>
               <exclusive>false</exclusive>
               <strength>normal</strength>
               <target>
                  <c:path>identifier</c:path>
               </target>
            </inbound>
         </attribute>
         <attribute>
            <c:ref>ri:name</c:ref>
            <tolerant>true</tolerant>
            <exclusiveStrong>false</exclusiveStrong>
            <inbound>
               <authoritative>true</authoritative>
               <exclusive>false</exclusive>
               <strength>normal</strength>
               <target>
                  <c:path>name</c:path>
               </target>
            </inbound>
         </attribute>
      </objectType>
   </schemaHandling>



The current behaviour when I sync from this resource is all the Organisations are being created with the correct name and unique ID that is copied to the OrgType "Identifier" field, but they are all at the same (top) level in the Org. structure.
I now want to put them into their proper hierarchy!

My understanding is that an org-to-org relationship shouldn't be an assignment, but a population of the parentOrgRef (see https://wiki.evolveum.com/display/midPoint/Organizational+Structure) and then midpoint handles the rest. What do I need to do to my current configuration to populate the parentOrgRef property using the value of the parent_id column from my database? I can't assign the parent_id value directly to parentOrgRef as it's an integer, so I need to get a reference to the parent organisation.

I've seen some references to a referenceSearch expression on Github, which I think may be what I need, but I haven't seen an example of this in action. This is what I've got so far (which goes just above the </objectType> tag in my first example), but it doesn't appear to do anything when I sync:

         <attribute>
            <c:ref>ri:parent_id</c:ref>
            <matchingRule xmlns:gen426="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen426:default</matchingRule>
            <tolerant>true</tolerant>
            <exclusiveStrong>false</exclusiveStrong>
            <fetchStrategy>implicit</fetchStrategy>
            <inbound>
               <authoritative>true</authoritative>
               <exclusive>false</exclusive>
               <strength>normal</strength>
               <expression>
                  <referenceSearch>
                     <targetType>c:OrgType</targetType>
                     <filter>
                        <q:equal>
                         <!-- Property from OrgType -->
                           <q:path>identifier</q:path>
                           <expression>
                              <!-- database column -->
                              <c:path>$c:account/c:attributes/parent_id</c:path>
                           </expression>
                        </q:equal>
                     </filter>
                  </referenceSearch>
               </expression>
               <target>
                  <!-- Field on the organisation that is being created -->
                  <c:path>parentOrgRef</c:path>
               </target>
            </inbound>
         </attribute>

The database table is sorted in such a way that the organisations at level 1 are first, then level 2, then level 3, etc. so I don't think it's trying to create or update organisations before their parent organisation has already been created.

Any clues?

Thanks,
Andrew
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160728/77c73399/attachment.htm>

From mederly at evolveum.com  Thu Jul 28 10:38:02 2016
From: mederly at evolveum.com (Pavol Mederly)
Date: Thu, 28 Jul 2016 10:38:02 +0200
Subject: [midPoint] Populating parentOrgRef in an Org from a database
 resource
In-Reply-To: <11eb3d2ce24942c3a77b9018e97e40a5@shmprdmbx02.sahmri.internal>
References: <11eb3d2ce24942c3a77b9018e97e40a5@shmprdmbx02.sahmri.internal>
Message-ID: <a9c3a097-e335-843d-b4b6-9c9610522133@evolveum.com>

Hello Andrew,

> My understanding is that an org-to-org relationship shouldn’t be an 
> assignment, but a population of the parentOrgRef (see 
> https://wiki.evolveum.com/display/midPoint/Organizational+Structure) 
> and then midpoint handles the rest.
Actually, that wiki article is a bit out-of-date in this respect. 
Currently, the preferred way of linking any focal objects (users, roles, 
orgs, services) to organization structure is via assignments.

One possibility is to map parent_id column to an extension attribute of 
the org object, and then use an object template to create appropriate 
assignment for a given Org object. Something like this: 
https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-org.xml. 
<https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-org.xml>

(But maybe someone would propose a better solution.)

Best regards,

-- 
Pavol Mederly
Software developer
evolveum.com


On 28.07.2016 8:38, Andrew Brock wrote:
>
> Hi,
>
> I have a database resource that gives me the following organisation 
> info in its columns:
>
> 1.)An ID (an integer)
>
> 2.)A Name (a string)
>
> 3.)The ID of the parent organisation in a column called parent_id (an 
> integer). This value is present for all organisations except for the 
> top parent one.
>
> This resource can be considered the definitive authority for this data 
> (i.e. it’s not present in LDAP).
>
> I currently have a schemaHandling like so:
>
> <schemaHandling>
>
>       <objectType>
>
>          <kind>account</kind>
>
>          <intent>HRM</intent>
>
> <default>true</default>
>
> <objectClass>ri:AccountObjectClass</objectClass>
>
>          <attribute>
>
> <c:ref>icfs:uid</c:ref>
>
> <tolerant>true</tolerant>
>
> <exclusiveStrong>false</exclusiveStrong>
>
>             <inbound>
>
> <authoritative>true</authoritative>
>
> <exclusive>false</exclusive>
>
> <strength>normal</strength>
>
>                <target>
>
> <c:path>identifier</c:path>
>
>                </target>
>
>             </inbound>
>
>          </attribute>
>
>          <attribute>
>
> <c:ref>ri:name</c:ref>
>
> <tolerant>true</tolerant>
>
> <exclusiveStrong>false</exclusiveStrong>
>
>             <inbound>
>
> <authoritative>true</authoritative>
>
> <exclusive>false</exclusive>
>
> <strength>normal</strength>
>
>                <target>
>
> <c:path>name</c:path>
>
>                </target>
>
>             </inbound>
>
>          </attribute>
>
>       </objectType>
>
>    </schemaHandling>
>
> The current behaviour when I sync from this resource is all the 
> Organisations are being created with the correct name and unique ID 
> that is copied to the OrgType “Identifier” field, but they are all at 
> the same (top) level in the Org. structure.
>
> I now want to put them into their proper hierarchy!
>
> My understanding is that an org-to-org relationship shouldn’t be an 
> assignment, but a population of the parentOrgRef (see 
> https://wiki.evolveum.com/display/midPoint/Organizational+Structure) 
> and then midpoint handles the rest. What do I need to do to my current 
> configuration to populate the parentOrgRef property using the value of 
> the parent_id column from my database? I can’t assign the parent_id 
> value directly to parentOrgRef as it’s an integer, so I need to get a 
> reference to the parent organisation.
>
> I’ve seen some references to a referenceSearch expression on Github, 
> which I think may be what I need, but I haven’t seen an example of 
> this in action. This is what I’ve got so far (which goes just above 
> the </objectType> tag in my first example), but it doesn’t appear to 
> do anything when I sync:
>
>          <attribute>
>
> <c:ref>ri:parent_id</c:ref>
>
>             <matchingRule 
> xmlns:gen426="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen426:default</matchingRule>
>
> <tolerant>true</tolerant>
>
> <exclusiveStrong>false</exclusiveStrong>
>
> <fetchStrategy>implicit</fetchStrategy>
>
>             <inbound>
>
> <authoritative>true</authoritative>
>
> <exclusive>false</exclusive>
>
> <strength>normal</strength>
>
>                <expression>
>
>                   <referenceSearch>
>
>    <targetType>c:OrgType</targetType>
>
>                      <filter>
>
>                         <q:equal>
>
>                          <!-- Property from OrgType -->
>
>                            <q:path>identifier</q:path>
>
> <expression>
>
>                               <!-- database column -->
>
> <c:path>$c:account/c:attributes/parent_id</c:path>
>
> </expression>
>
>                         </q:equal>
>
>                      </filter>
>
>                   </referenceSearch>
>
>                </expression>
>
>                <target>
>
>                   <!-- Field on the organisation that is being created -->
>
> <c:path>parentOrgRef</c:path>
>
>                </target>
>
>             </inbound>
>
>          </attribute>
>
> The database table is sorted in such a way that the organisations at 
> level 1 are first, then level 2, then level 3, etc. so I don’t think 
> it’s trying to create or update organisations before their parent 
> organisation has already been created.
>
> Any clues?
>
> Thanks,
>
> Andrew
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160728/2baeeeda/attachment.htm>

From mmarchese at identicum.com  Thu Jul 28 16:54:26 2016
From: mmarchese at identicum.com (Martin Marchese)
Date: Thu, 28 Jul 2016 11:54:26 -0300
Subject: [midPoint] Template - Build fullname only when changing givenName
	or familyName
Message-ID: <CAG3rmdp1BxYZacbfNnvDfDAD=QqLu3kwaWh307S=notGr2jATQ@mail.gmail.com>

Hi,

We have an objectTemplate that builds email and fullname using givenName
and familyName.

But we are not able to make it do this ONLY when the givenName or
familyName is changing. For example, we change the user costCenter and the
template still tries to build the fullname and email even if the givename
and familyname are not changing.

Which will be the best way to fix this?

Thanks
*Ing. Martín Marchese*
Identicum S.A.
Anchorena 1357 PB
Tel: +54 (11) 3526.5509
mmarchese at identicum.com
www.identicum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160728/a55a8f1a/attachment.htm>

From ivan.noris at evolveum.com  Thu Jul 28 17:39:32 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Thu, 28 Jul 2016 17:39:32 +0200
Subject: [midPoint] Template - Build fullname only when changing
 givenName or familyName
In-Reply-To: <CAG3rmdp1BxYZacbfNnvDfDAD=QqLu3kwaWh307S=notGr2jATQ@mail.gmail.com>
References: <CAG3rmdp1BxYZacbfNnvDfDAD=QqLu3kwaWh307S=notGr2jATQ@mail.gmail.com>
Message-ID: <ac39510c-ca64-2967-002e-ccc25afee641@evolveum.com>

Hi Martin,

can you share the mapping? Which midPoint version are you using?

Ivan

On 07/28/2016 04:54 PM, Martin Marchese wrote:
> Hi,
>
> We have an objectTemplate that builds email and fullname using
> givenName and familyName.
>
> But we are not able to make it do this ONLY when the givenName or
> familyName is changing. For example, we change the user costCenter and
> the template still tries to build the fullname and email even if the
> givename and familyname are not changing.
>
> Which will be the best way to fix this?
>
> Thanks
> *Ing. Martín Marchese*
> Identicum S.A.
> Anchorena 1357 PB
> Tel: +54 (11) 3526.5509
> mmarchese at identicum.com <mailto:mmarchese at identicum.com>
> www.identicum.com <http://www.identicum.com>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160728/e5db08c3/attachment.htm>

From jeverling at bshp.edu  Thu Jul 28 21:02:12 2016
From: jeverling at bshp.edu (Jason Everling)
Date: Thu, 28 Jul 2016 14:02:12 -0500
Subject: [midPoint] Generate credentials through object template
Message-ID: <CAFkZXY78kK1zQMcy4dzad7G0btPR7KY-siFE-d4UeDYtG6d14w@mail.gmail.com>

I need to generate new temp credentials for returning users that have not
used their account for years, most of them do not remember their security
questions or they have changed mobile phone numbers so they cannot utilize
our forgotten password process.

I have tested the below and it seems to be working, but since I am not a
java guru I am not 100% confident it is correct. Can someone confirm?
Mainly the target path

   <!-- example josm5983 -->
   <mapping>
      <source>
         <name>tmpGivenName</name>
         <path>$user/givenName</path>
      </source>
      <source>
         <name>tmpFamilyName</name>
         <path>$user/familyName</path>
      </source>
      <source>
         <name>tmpUidnumber</name>
         <path>
declare namespace bshp='http://midpoint.bshp.edu/schema/bshp';
$c:user/c:extension/bshp:uidnumber
</path>
      </source>
      <expression>
         <script>
            <code>
                        tmpGivenNameInit =
basic.stringify(tmpGivenName)?.size() &gt; 0 ?
(basic.stringify(tmpGivenName)).substring(0,2) : ''
tmpFamilyNameInit = basic.stringify(tmpFamilyName)?.size() &gt; 0 ?
(basic.stringify(tmpFamilyName)).substring(0,2) : ''
     tmptmpUidnumberInit = basic.stringify(tmpUidnumber)?.size() &gt; 0 ?
(basic.stringify(tmpUidnumber)).substring(0,4) : ''

                        newPasswd = basic.norm(tmpGivenNameInit +
tmpFamilyNameInit + tmptmpUidnumberInit)

                        basic.encrypt(newPasswd)
</code>
         </script>
      </expression>
      <target>
         <path>credentials/password/value</path>
      </target>
   </mapping>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160728/1d9fdf14/attachment.htm>

From Andrew.Brock at sahmri.com  Fri Jul 29 07:19:10 2016
From: Andrew.Brock at sahmri.com (Andrew Brock)
Date: Fri, 29 Jul 2016 05:19:10 +0000
Subject: [midPoint] Populating parentOrgRef in an Org from a database
	resource
Message-ID: <ba1eecb20466445d9b4ae42dfc6ca265@shmprdmbx02.sahmri.internal>

Ok, so I've added an extension attribute to the OrgType that I map through like this:

         <attribute>
            <c:ref>ri:parent_id</c:ref>
            <tolerant>true</tolerant>
            <exclusiveStrong>false</exclusiveStrong>
            <inbound>
               <authoritative>true</authoritative>
               <exclusive>true</exclusive>
               <strength>strong</strength>
               <target>
                  <c:path>$user/extension/parentIdentifier</c:path>
               </target>
            </inbound>
         </attribute>


This works fine. I've then added an object template as suggested:

<objectTemplate oid="10000000-0000-0000-0000-000000000231"
   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
   xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
   xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
   xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
   xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
   xmlns:ext="xmlns:tns=http://sahmri.com/xml/ns/organisation">
    <name>Org Template</name>
    
    <mapping>
    	<name>Org-org mapping</name>
    	<authoritative>true</authoritative>
		<strength>strong</strength>
    	<source>
    		<path>extension/ext:parentIdentifier</path>
    	</source>
		<expression>
			<assignmentTargetSearch>
				<targetType>c:OrgType</targetType>
				<filter>
					<q:equal>
						<q:path>c:identifier</q:path>
						<expression>
							<path>$parentIdentifier</path>
						</expression>
					</q:equal>
				</filter>
			</assignmentTargetSearch>
		</expression> 
    	<target>
    		<path>assignment</path>
    	</target>
    </mapping>
</objectTemplate>



...and I've added it to the system configuration like so:

 
   <defaultObjectPolicyConfiguration>
      <type>c:OrgType</type>
      <objectTemplateRef oid="10000000-0000-0000-0000-000000000231" type="c:ObjectTemplateType"><!-- Org Template --></objectTemplateRef>
   </defaultObjectPolicyConfiguration>


...but the template doesn't seem to be triggered when a new Organisation is created - i.e. I don't see an error message but the assignment isn't created either.


Thoughts?

Thanks,
Andrew


-----Original Message-----

Hello Andrew,

> My understanding is that an org-to-org relationship shouldn't be an 
> assignment, but a population of the parentOrgRef (see
> https://wiki.evolveum.com/display/midPoint/Organizational+Structure)
> and then midpoint handles the rest.
Actually, that wiki article is a bit out-of-date in this respect. 
Currently, the preferred way of linking any focal objects (users, roles, orgs, services) to organization structure is via assignments.

One possibility is to map parent_id column to an extension attribute of the org object, and then use an object template to create appropriate assignment for a given Org object. Something like this: 
https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-org.xml. 
<https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-org.xml>

(But maybe someone would propose a better solution.)

Best regards,

--
Pavol Mederly
Software developer
evolveum.com


On 28.07.2016 8:38, Andrew Brock wrote:
>
> Hi,
>
> I have a database resource that gives me the following organisation 
> info in its columns:
>
> 1.)An ID (an integer)
>
> 2.)A Name (a string)
>
> 3.)The ID of the parent organisation in a column called parent_id (an 
> integer). This value is present for all organisations except for the 
> top parent one.
>
> This resource can be considered the definitive authority for this data 
> (i.e. it's not present in LDAP).
>
> I currently have a schemaHandling like so:
>
> <schemaHandling>
>
>       <objectType>
>
>          <kind>account</kind>
>
>          <intent>HRM</intent>
>
> <default>true</default>
>
> <objectClass>ri:AccountObjectClass</objectClass>
>
>          <attribute>
>
> <c:ref>icfs:uid</c:ref>
>
> <tolerant>true</tolerant>
>
> <exclusiveStrong>false</exclusiveStrong>
>
>             <inbound>
>
> <authoritative>true</authoritative>
>
> <exclusive>false</exclusive>
>
> <strength>normal</strength>
>
>                <target>
>
> <c:path>identifier</c:path>
>
>                </target>
>
>             </inbound>
>
>          </attribute>
>
>          <attribute>
>
> <c:ref>ri:name</c:ref>
>
> <tolerant>true</tolerant>
>
> <exclusiveStrong>false</exclusiveStrong>
>
>             <inbound>
>
> <authoritative>true</authoritative>
>
> <exclusive>false</exclusive>
>
> <strength>normal</strength>
>
>                <target>
>
> <c:path>name</c:path>
>
>                </target>
>
>             </inbound>
>
>          </attribute>
>
>       </objectType>
>
>    </schemaHandling>
>
> The current behaviour when I sync from this resource is all the 
> Organisations are being created with the correct name and unique ID 
> that is copied to the OrgType "Identifier" field, but they are all at 
> the same (top) level in the Org. structure.
>
> I now want to put them into their proper hierarchy!
>
> My understanding is that an org-to-org relationship shouldn't be an 
> assignment, but a population of the parentOrgRef (see 
> https://wiki.evolveum.com/display/midPoint/Organizational+Structure) 
> and then midpoint handles the rest. What do I need to do to my current 
> configuration to populate the parentOrgRef property using the value of 
> the parent_id column from my database? I can't assign the parent_id 
> value directly to parentOrgRef as it's an integer, so I need to get a 
> reference to the parent organisation.
>
> I've seen some references to a referenceSearch expression on Github, 
> which I think may be what I need, but I haven't seen an example of 
> this in action. This is what I've got so far (which goes just above 
> the </objectType> tag in my first example), but it doesn't appear to 
> do anything when I sync:
>
>          <attribute>
>
> <c:ref>ri:parent_id</c:ref>
>
>             <matchingRule 
> xmlns:gen426="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen426:default</matchingRule>
>
> <tolerant>true</tolerant>
>
> <exclusiveStrong>false</exclusiveStrong>
>
> <fetchStrategy>implicit</fetchStrategy>
>
>             <inbound>
>
> <authoritative>true</authoritative>
>
> <exclusive>false</exclusive>
>
> <strength>normal</strength>
>
>                <expression>
>
>                   <referenceSearch>
>
>    <targetType>c:OrgType</targetType>
>
>                      <filter>
>
>                         <q:equal>
>
>                          <!-- Property from OrgType -->
>
>                            <q:path>identifier</q:path>
>
> <expression>
>
>                               <!-- database column -->
>
> <c:path>$c:account/c:attributes/parent_id</c:path>
>
> </expression>
>
>                         </q:equal>
>
>                      </filter>
>
>                   </referenceSearch>
>
>                </expression>
>
>                <target>
>
>                   <!-- Field on the organisation that is being created -->
>
> <c:path>parentOrgRef</c:path>
>
>                </target>
>
>             </inbound>
>
>          </attribute>
>
> The database table is sorted in such a way that the organisations at 
> level 1 are first, then level 2, then level 3, etc. so I don't think 
> it's trying to create or update organisations before their parent 
> organisation has already been created.
>
> Any clues?
>
> Thanks,
>
> Andrew
>
>
>
> _______________________________________________
> midPoint mailing list
> http://lists.evolveum.com/mailman/listinfo/midpoint
> http://lists.evolveum.com/mailman/listinfo/midpoint



From radovan.semancik at evolveum.com  Fri Jul 29 09:52:20 2016
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Fri, 29 Jul 2016 09:52:20 +0200
Subject: [midPoint] Template - Build fullname only when changing
 givenName or familyName
In-Reply-To: <ac39510c-ca64-2967-002e-ccc25afee641@evolveum.com>
References: <CAG3rmdp1BxYZacbfNnvDfDAD=QqLu3kwaWh307S=notGr2jATQ@mail.gmail.com>
 <ac39510c-ca64-2967-002e-ccc25afee641@evolveum.com>
Message-ID: <2e4cb4f8-e696-8fba-23bb-9ab2f0e6d0f7@evolveum.com>

Hi,

MidPoint version is important in this case. There was a bug that 
impacted normal mappings in object templates in midPoint versions prior 
to 3.4. This is from midPoint 3.4 release notes:

"*Object template and assignment focus mappings with normal strength* 
were fixed. Due to a bug in the code in previous midPoint versions these 
mappings behaved in a way which was very similar to strong mappings. In 
midPoint 3.4 these mappings behave as they should. However, this may 
break previous configurations that relied on the wrong behavior, 
especially when it comes to multi-value items such as assignments. The 
solution would be to change strength of these mappings to /strong/."

Also, midPoint currently evaluated all the mappings for all the changes. 
However some results are discarded later when we "consolidate" the 
values. So, you may see expressions evaluation in the logs even if the 
source was not changed. But the result of the expression should be 
discarded later and they should not appear in the final delta. 
Obviously, this can be optimized: https://jira.evolveum.com/browse/MID-3297

-- 
Radovan Semancik
Software Architect
evolveum.com




On 07/28/2016 05:39 PM, Ivan Noris wrote:
>
> Hi Martin,
>
> can you share the mapping? Which midPoint version are you using?
>
> Ivan
>
> On 07/28/2016 04:54 PM, Martin Marchese wrote:
>> Hi,
>>
>> We have an objectTemplate that builds email and fullname using 
>> givenName and familyName.
>>
>> But we are not able to make it do this ONLY when the givenName or 
>> familyName is changing. For example, we change the user costCenter 
>> and the template still tries to build the fullname and email even if 
>> the givename and familyname are not changing.
>>
>> Which will be the best way to fix this?
>>
>> Thanks
>> *Ing. Martín Marchese*
>> Identicum S.A.
>> Anchorena 1357 PB
>> Tel: +54 (11) 3526.5509
>> mmarchese at identicum.com <mailto:mmarchese at identicum.com>
>> www.identicum.com <http://www.identicum.com>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> -- 
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160729/d2fc0ebb/attachment.htm>

From ivan.noris at evolveum.com  Fri Jul 29 10:10:09 2016
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 29 Jul 2016 10:10:09 +0200
Subject: [midPoint] Populating parentOrgRef in an Org from a database
 resource
In-Reply-To: <ba1eecb20466445d9b4ae42dfc6ca265@shmprdmbx02.sahmri.internal>
References: <ba1eecb20466445d9b4ae42dfc6ca265@shmprdmbx02.sahmri.internal>
Message-ID: <c392ce69-7d8a-c94b-52cf-fa52900ffc58@evolveum.com>

Hi Andrew,

now I'm a little confused.
You are doing synchronization, where, using inbound, you populare *user*
extension attribute parentIdentifier.
Then you have object template for *OrgType*, where you use this.

You are probably mixing things.

What I'd suppose you wish to create is:
1) synchronize users from your source
2) have external attribute for user, which should be used to
automatically assign the organization to user (based on the query
org/identifier == user/extension/parentId)

This means that the mapping should be in the user template, not org
template. Provided that the organizations already exist in midPoint.

I'm not sure if your source contains only users with org reference, or
only organizations with their parent reference or both...

If your source contains the organizations, you probably wish to have
inbounds to populate attributes of organizations, not users. Then the
object template which you have configured, will be executed.

Regards,
Ivan

On 07/29/2016 07:19 AM, Andrew Brock wrote:
> Ok, so I've added an extension attribute to the OrgType that I map through like this:
>
>          <attribute>
>             <c:ref>ri:parent_id</c:ref>
>             <tolerant>true</tolerant>
>             <exclusiveStrong>false</exclusiveStrong>
>             <inbound>
>                <authoritative>true</authoritative>
>                <exclusive>true</exclusive>
>                <strength>strong</strength>
>                <target>
>                   <c:path>$user/extension/parentIdentifier</c:path>
>                </target>
>             </inbound>
>          </attribute>
>
>
> This works fine. I've then added an object template as suggested:
>
> <objectTemplate oid="10000000-0000-0000-0000-000000000231"
>    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
>    xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
>    xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
>    xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
>    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>    xmlns:ext="xmlns:tns=http://sahmri.com/xml/ns/organisation">
>     <name>Org Template</name>
>     
>     <mapping>
>     	<name>Org-org mapping</name>
>     	<authoritative>true</authoritative>
> 		<strength>strong</strength>
>     	<source>
>     		<path>extension/ext:parentIdentifier</path>
>     	</source>
> 		<expression>
> 			<assignmentTargetSearch>
> 				<targetType>c:OrgType</targetType>
> 				<filter>
> 					<q:equal>
> 						<q:path>c:identifier</q:path>
> 						<expression>
> 							<path>$parentIdentifier</path>
> 						</expression>
> 					</q:equal>
> 				</filter>
> 			</assignmentTargetSearch>
> 		</expression> 
>     	<target>
>     		<path>assignment</path>
>     	</target>
>     </mapping>
> </objectTemplate>
>
>
>
> ...and I've added it to the system configuration like so:
>
>  
>    <defaultObjectPolicyConfiguration>
>       <type>c:OrgType</type>
>       <objectTemplateRef oid="10000000-0000-0000-0000-000000000231" type="c:ObjectTemplateType"><!-- Org Template --></objectTemplateRef>
>    </defaultObjectPolicyConfiguration>
>
>
> ...but the template doesn't seem to be triggered when a new Organisation is created - i.e. I don't see an error message but the assignment isn't created either.
>
>
> Thoughts?
>
> Thanks,
> Andrew
>
>
> -----Original Message-----
>
> Hello Andrew,
>
>> My understanding is that an org-to-org relationship shouldn't be an 
>> assignment, but a population of the parentOrgRef (see
>> https://wiki.evolveum.com/display/midPoint/Organizational+Structure)
>> and then midpoint handles the rest.
> Actually, that wiki article is a bit out-of-date in this respect. 
> Currently, the preferred way of linking any focal objects (users, roles, orgs, services) to organization structure is via assignments.
>
> One possibility is to map parent_id column to an extension attribute of the org object, and then use an object template to create appropriate assignment for a given Org object. Something like this: 
> https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-org.xml. 
> <https://github.com/Evolveum/midpoint/blob/master/samples/objects/object-template-org.xml>
>
> (But maybe someone would propose a better solution.)
>
> Best regards,
>
> --
> Pavol Mederly
> Software developer
> evolveum.com
>
>
> On 28.07.2016 8:38, Andrew Brock wrote:
>> Hi,
>>
>> I have a database resource that gives me the following organisation 
>> info in its columns:
>>
>> 1.)An ID (an integer)
>>
>> 2.)A Name (a string)
>>
>> 3.)The ID of the parent organisation in a column called parent_id (an 
>> integer). This value is present for all organisations except for the 
>> top parent one.
>>
>> This resource can be considered the definitive authority for this data 
>> (i.e. it's not present in LDAP).
>>
>> I currently have a schemaHandling like so:
>>
>> <schemaHandling>
>>
>>       <objectType>
>>
>>          <kind>account</kind>
>>
>>          <intent>HRM</intent>
>>
>> <default>true</default>
>>
>> <objectClass>ri:AccountObjectClass</objectClass>
>>
>>          <attribute>
>>
>> <c:ref>icfs:uid</c:ref>
>>
>> <tolerant>true</tolerant>
>>
>> <exclusiveStrong>false</exclusiveStrong>
>>
>>             <inbound>
>>
>> <authoritative>true</authoritative>
>>
>> <exclusive>false</exclusive>
>>
>> <strength>normal</strength>
>>
>>                <target>
>>
>> <c:path>identifier</c:path>
>>
>>                </target>
>>
>>             </inbound>
>>
>>          </attribute>
>>
>>          <attribute>
>>
>> <c:ref>ri:name</c:ref>
>>
>> <tolerant>true</tolerant>
>>
>> <exclusiveStrong>false</exclusiveStrong>
>>
>>             <inbound>
>>
>> <authoritative>true</authoritative>
>>
>> <exclusive>false</exclusive>
>>
>> <strength>normal</strength>
>>
>>                <target>
>>
>> <c:path>name</c:path>
>>
>>                </target>
>>
>>             </inbound>
>>
>>          </attribute>
>>
>>       </objectType>
>>
>>    </schemaHandling>
>>
>> The current behaviour when I sync from this resource is all the 
>> Organisations are being created with the correct name and unique ID 
>> that is copied to the OrgType "Identifier" field, but they are all at 
>> the same (top) level in the Org. structure.
>>
>> I now want to put them into their proper hierarchy!
>>
>> My understanding is that an org-to-org relationship shouldn't be an 
>> assignment, but a population of the parentOrgRef (see 
>> https://wiki.evolveum.com/display/midPoint/Organizational+Structure) 
>> and then midpoint handles the rest. What do I need to do to my current 
>> configuration to populate the parentOrgRef property using the value of 
>> the parent_id column from my database? I can't assign the parent_id 
>> value directly to parentOrgRef as it's an integer, so I need to get a 
>> reference to the parent organisation.
>>
>> I've seen some references to a referenceSearch expression on Github, 
>> which I think may be what I need, but I haven't seen an example of 
>> this in action. This is what I've got so far (which goes just above 
>> the </objectType> tag in my first example), but it doesn't appear to 
>> do anything when I sync:
>>
>>          <attribute>
>>
>> <c:ref>ri:parent_id</c:ref>
>>
>>             <matchingRule 
>> xmlns:gen426="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen426:default</matchingRule>
>>
>> <tolerant>true</tolerant>
>>
>> <exclusiveStrong>false</exclusiveStrong>
>>
>> <fetchStrategy>implicit</fetchStrategy>
>>
>>             <inbound>
>>
>> <authoritative>true</authoritative>
>>
>> <exclusive>false</exclusive>
>>
>> <strength>normal</strength>
>>
>>                <expression>
>>
>>                   <referenceSearch>
>>
>>    <targetType>c:OrgType</targetType>
>>
>>                      <filter>
>>
>>                         <q:equal>
>>
>>                          <!-- Property from OrgType -->
>>
>>                            <q:path>identifier</q:path>
>>
>> <expression>
>>
>>                               <!-- database column -->
>>
>> <c:path>$c:account/c:attributes/parent_id</c:path>
>>
>> </expression>
>>
>>                         </q:equal>
>>
>>                      </filter>
>>
>>                   </referenceSearch>
>>
>>                </expression>
>>
>>                <target>
>>
>>                   <!-- Field on the organisation that is being created -->
>>
>> <c:path>parentOrgRef</c:path>
>>
>>                </target>
>>
>>             </inbound>
>>
>>          </attribute>
>>
>> The database table is sorted in such a way that the organisations at 
>> level 1 are first, then level 2, then level 3, etc. so I don't think 
>> it's trying to create or update organisations before their parent 
>> organisation has already been created.
>>
>> Any clues?
>>
>> Thanks,
>>
>> Andrew
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> http://lists.evolveum.com/mailman/listinfo/midpoint
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160729/ea44df11/attachment.htm>