[midPoint] midpoint group membership

Oskar Butovič - AMI Praha a.s. oskar.butovic at ami.cz
Tue Nov 8 13:20:32 CET 2016


Awesome! It worked like a charm.

Thanks a lot Rado.

2016-11-08 13:11 GMT+01:00 Radovan Semancik <radovan.semancik at evolveum.com>:

> Hi,
>
> AD is doing its own referential integrity, i.e. when an account is renamed, AD
> will automatically rename it in all the groups. That's the reason for the
> unwillingToPerform: midPoint tries to remove a value that is no longer
> there because AD has changed it already.
>
> You can switch off midPoint's referential integrity behaviour for the
> association by using the explicitReferentialIntegrity property:
>
>             <association>
>                 .....
>                 <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>             </association>
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
> On 11/03/2016 02:51 PM, Oskar Butovič - AMI Praha a.s. wrote:
>
> A little correction: the error was in modifying the group, so:
> Error modifying LDAP entry CN=All,DC=test,DC=com: [remove:member: CN=test
> user,OU=old org,DC=test,DC=com,]: unwillingToPerform: 00000561: SvcErr:
> DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0?? (53))
>
> 2016-11-03 14:44 GMT+01:00 Oskar Butovič - AMI Praha a.s. <
> oskar.butovic at ami.cz>:
>
>> Hello everybody,
>>
>> I have noticed weird behaviour related to provisioning group membership.
>> I am using version 3.4.2-SNAPSHOT from the support branch.
>>
>> I have configured this according to
>> https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO .
>> Everything works fine until midPoint tries to move a user to a different OU in
>> AD.
>>
>> For example, I have a user:
>>    CN=test user,OU=old org,DC=test,DC=com
>> as a member of group CN=All,DC=test,DC=com
>>
>> When IdM tries to move the user to:
>>    CN=test user,OU=new org,DC=test,DC=com
>> it should stay a member of group CN=All,DC=test,DC=com
>>
>> but although all other AD-related changes are executed correctly in this
>> transaction, AD returns an error:
>> Error modifying LDAP entry CN=test user,OU=new org,DC=test,DC=com:
>> [remove:member: CN=test user,OU=old org,DC=test,DC=com,]:
>> unwillingToPerform: 00000561: SvcErr: DSID-031A12D2, problem 5003
>> (WILL_NOT_PERFORM), data 0?? (53))
>>
>> which is understandable because the user is no longer in the old org, but why does
>> midPoint try to remove the account from the group only when the account is moved within
>> the organizational structure? A normal recompute or reconciliation doesn't behave
>> this way and ends correctly.
>>
>> Best Regards
>>
>> Oskar Butovič
>>
>> --
>>
>> Oskar Butovič
>> solution architect
>>
>> gsm: [+420] 774 480 101
>> e-mail: oskar.butovic at ami.cz
>>
>>
>> AMI Praha a.s.
>> Pláničkova 11
>> 162 00 Praha 6
>> tel.: [+420] 274 783 239
>> web: www.ami.cz
>>
>> By the text of this e-mail the signatory neither promises to conclude nor
>> concludes any contract on behalf of AMI Praha a.s. Any contract, if
>> concluded, must be made exclusively in written form.
>>
>>
>>
>

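To make the mechanism in Rado's answer concrete, here is a small Python model of the situation: a directory that enforces its own referential integrity (rewriting every `member` value when an entry is moved, as AD does) and a provisioning step that either also issues the explicit remove/add of the member value or leaves it to the directory. This is an added illustration, not code from the thread, from midPoint or from Evolveum; the class and function names (`ToyDirectory`, `move_account`, `simulate`) and the sample DNs are constructed for the example, and the error text is only modelled on the LDAP result code, not on AD's exact message.

```python
# Toy model of AD-style referential integrity versus an IdM that also tries
# to fix up group membership explicitly after a rename (constructed example).

LDAP_UNWILLING_TO_PERFORM = 53  # LDAP result code behind "unwillingToPerform"


class UnwillingToPerform(Exception):
    """Raised when a modification would remove a value that is not present."""

    def __init__(self, dn, attr, value):
        super().__init__(
            f"Error modifying entry {dn}: [remove:{attr}: {value}]: "
            f"unwillingToPerform ({LDAP_UNWILLING_TO_PERFORM})")


def _norm(dn):
    # DNs are compared case-insensitively (sufficient for this toy model).
    return dn.lower()


class ToyDirectory:
    """A handful of entries with multi-valued attributes and AD-style
    referential integrity on the 'member' attribute."""

    def __init__(self):
        self.entries = {}  # normalized DN -> {"dn": original DN, attr: [values]}

    def add(self, dn, **attrs):
        self.entries[_norm(dn)] = {"dn": dn, **{k: list(v) for k, v in attrs.items()}}

    def rename(self, old_dn, new_dn):
        """Move an entry. Every 'member' value pointing at old_dn is rewritten
        to new_dn, which is what AD does on its own when an object moves OU."""
        entry = self.entries.pop(_norm(old_dn))
        entry["dn"] = new_dn
        self.entries[_norm(new_dn)] = entry
        for other in self.entries.values():
            if "member" in other:
                other["member"] = [new_dn if _norm(m) == _norm(old_dn) else m
                                   for m in other["member"]]

    def modify_remove(self, dn, attr, value):
        entry = self.entries[_norm(dn)]
        current = entry.get(attr, [])
        if not any(_norm(v) == _norm(value) for v in current):
            # The value is already gone: the server refuses the modification.
            raise UnwillingToPerform(dn, attr, value)
        entry[attr] = [v for v in current if _norm(v) != _norm(value)]

    def modify_add(self, dn, attr, value):
        self.entries[_norm(dn)].setdefault(attr, []).append(value)

    def members(self, group_dn):
        return list(self.entries[_norm(group_dn)].get("member", []))


def move_account(directory, old_dn, new_dn, group_dns, explicit_referential_integrity):
    """Rename the account and, only when explicit referential integrity is on,
    issue the remove/add of the member values that the IdM would otherwise
    do itself. Returns the resulting member list of each group."""
    directory.rename(old_dn, new_dn)
    if explicit_referential_integrity:
        for group_dn in group_dns:
            # Fails: the directory has already rewritten this value itself.
            directory.modify_remove(group_dn, "member", old_dn)
            directory.modify_add(group_dn, "member", new_dn)
    return {g: directory.members(g) for g in group_dns}


def simulate(explicit_referential_integrity):
    """Build the thread's scenario from constructed sample data and run the
    move. Returns ("ok", members) or ("error", message)."""
    d = ToyDirectory()
    old_dn = "CN=test user,OU=old org,DC=test,DC=com"
    new_dn = "CN=test user,OU=new org,DC=test,DC=com"
    group = "CN=All,DC=test,DC=com"
    d.add(old_dn, objectClass=["user"])
    d.add(group, objectClass=["group"], member=[old_dn])
    try:
        return "ok", move_account(d, old_dn, new_dn, [group], explicit_referential_integrity)
    except UnwillingToPerform as e:
        return "error", str(e)


if __name__ == "__main__":
    print(simulate(True))   # ("error", ...): the member value was already rewritten
    print(simulate(False))  # ("ok", {...}): the group now lists the new DN
```

Run with `explicit_referential_integrity=True` the move fails exactly at the explicit `remove:member` step, because the directory rewrote the value during the rename; with `False` the rename alone leaves the group pointing at the new DN. A plain recompute or reconciliation never hits this path because no rename happens in that run, which matches the observation in the original question.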